
Recover Master Boot Record (MBR) and Data from Hard Disk Drives

Please contact me if you notice any errors, omissions or dead links.

Understanding the MBR

Some resources to get you started:

Save and restore a MBR - Bootable Floppy

  • mbrdisk.img (1474560 bytes) MD5 sum: 75c25222d351cb8eef454492fde432f2
    This is an image of a bootable Linux floppy disk that simply saves the MBR of a hard disk, and gives the option to restore the MBR to a hard disk from a previously saved MBR. Simple. Easy. Effective.

  • mbrdisk.zip (1465351 bytes) MD5 sum: 5271fddb919021bc552f8cbf6cf4b581
    This is the same disk, but with a DOS and Linux installer. Unzip the file, put a blank floppy disk in the drive then change directory to where the files have been extracted to. In DOS, type install.bat and as the root user in Linux type install.sh to build the bootable floppy.

Rebuild a MBR

Fixing the Partition Table

  • part_fix.img (1474560 bytes) MD5 sum: 09fa492f177435bc85ad2896cad57afe
    This is a companion disk to the bootable floppy, containing Linux utilities for guessing and rebuilding partition tables. Has copies of fixdisktable, gpart, parted and rescuept, along with some resources for understanding/working out partition tables and MBRs.

  • part_fix.tar.gz (293638 bytes) MD5 sum: 77cd2fdfb5db514140e337f66a9b08ab
    These are the individual files from the part_fix companion disk.

  • Have a read of the Partition-Rescue Mini HOWTO

Replacing the Initial Program Loader (IPL)

The first 446 bytes of the MBR are the IPL, or boot code. It searches the partition table for the active partition, loads the first sector of that partition into memory and starts executing the code it finds there. If the IPL is damaged or missing, the MBR cannot boot an otherwise undamaged disk, even if the partition table is intact.

  • For DOSish systems (ie. not suitable for Linux systems) try:

    • Ranish Partition Manager has an option to install a boot manager in the MBR. You'll need to make your own DOS boot disk (ie. under DOS, format a: /s), copy the Ranish Partition Manager onto it and go from there. Here's a local copy of version 2.43 (172,675 bytes)
      MD5 sum: 42e1a5487ad339132f92bffc4296d520

      If you don't have DOS, install a boot floppy image of FreeDOS and go from there. Here's a local copy of Beta 7 ("SPEARS" Mini Distribution) (1,474,560 bytes)
      MD5 sum: da26032a9f96cdd2cd45f4bdebb7df79

    • From a DOS boot disk which has a copy of FDISK on it, issue the command FDISK /MBR

      CAUTION: This commonly-used but undocumented DOS fdisk switch may or may not work. On a multi-boot system, there is a high likelihood that non-Win systems will become unavailable if you don't have a boot floppy for those systems, or some way of booting them from DOS eg. LOADLIN.

  • Linux systems: To re-install LILO or GRUB into the MBR, read the LILO-crash-rescue-HOWTO (removed for review Nov 2003, local copy here) or GNU GRUB Boot Loader.
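To make the 512-byte layout described at the top of this section concrete, here is an added Python example (not part of this page, nor of the mbrdisk or part_fix floppies) that parses a raw copy of an MBR into its IPL, partition table and signature, and reports the conditions under which the sector will not boot: a missing 55 AA signature, an all-zero IPL, an empty table, or no (or more than one) active partition. The sample MBR it builds is constructed for the example; its two partitions, their offsets and the stub boot code are assumptions, not values from any real disk.

```python
import struct
import sys

# MBR layout as described in the text: 446 bytes of IPL (boot code), a 64-byte
# partition table of four 16-byte entries, and the two-byte 0x55 0xAA signature.
SECTOR_SIZE = 512
IPL_SIZE = 446
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
ACTIVE_FLAG = 0x80


def parse_partition_entry(index, entry):
    """Decode one 16-byte partition-table entry (the CHS fields are left raw)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {"index": index, "status": status, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(mbr):
    """Split a 512-byte sector into IPL state, partition list and signature check."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one %d-byte sector" % SECTOR_SIZE)
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(i, mbr[off:off + PARTITION_ENTRY_SIZE]))
    return {
        "signature_ok": mbr[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
        "ipl_present": any(mbr[:IPL_SIZE]),  # all-zero boot code is nothing to run
        "partitions": [e for e in entries if e["type"] != 0],
        "active": [e["index"] for e in entries if e["status"] == ACTIVE_FLAG],
    }


def diagnose(mbr):
    """Return the reasons this MBR would fail to boot; an empty list means none found."""
    info = parse_mbr(mbr)
    problems = []
    if not info["signature_ok"]:
        problems.append("boot signature 55 AA missing: the BIOS will not boot this sector")
    if not info["ipl_present"]:
        problems.append("IPL is all zeros: no boot code to load the active partition")
    if not info["partitions"]:
        problems.append("partition table is empty")
    if len(info["active"]) != 1:
        problems.append("expected exactly one active partition, found %d" % len(info["active"]))
    return problems


def build_sample_mbr(with_ipl=True, with_signature=True, active=0):
    """Constructed sample MBR (assumed values): two partitions, a stub IPL, optional defects."""
    mbr = bytearray(SECTOR_SIZE)
    if with_ipl:
        mbr[0:2] = b"\xeb\xfe"  # stub boot code (a jump-to-self), not a real loader
    table = [
        (0x83, 63, 2097089),      # Linux native at LBA 63, about 1 GB
        (0x82, 2097152, 524288),  # Linux swap, 256 MB
    ]
    for i, (ptype, lba, count) in enumerate(table):
        status = ACTIVE_FLAG if i == active else 0x00
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        struct.pack_into("<B3sB3sII", mbr, off, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    if with_signature:
        mbr[SECTOR_SIZE - 2:] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    # Give the path of a raw 512-byte MBR copy, or run with no arguments for the sample.
    data = open(sys.argv[1], "rb").read(SECTOR_SIZE) if len(sys.argv) > 1 else build_sample_mbr()
    for p in parse_mbr(data)["partitions"]:
        print("partition %d: type 0x%02x start %d sectors %d%s" % (
            p["index"], p["type"], p["lba_start"], p["sectors"],
            " (active)" if p["status"] == ACTIVE_FLAG else ""))
    for problem in diagnose(data) or ["no obvious problems"]:
        print(problem)
```

Run it on a saved copy of a real MBR (for example one taken with dd if=/dev/hda of=mbr.bin bs=512 count=1) before restoring that copy to a disk; checking the saved sector first avoids writing an already-damaged IPL or table back over the drive.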

Replacing the Boot Manager in a Multi-boot System

A boot manager resides in the first 446 bytes of the MBR, and typically gives a user menu options for booting one of a selection of operating systems installed on a computer. If you have a multi-boot system and the boot manager is damaged, you'll have to find alternative means to boot your systems (eg. from boot floppies), or replace the boot manager. Here are some alternative boot managers:

NOTE: On Linux systems, LILO and GRUB are able to function as boot managers for multi-boot systems. If you want to use an alternative, you'll need to install the boot loader (eg. LILO or GRUB) into the superblock [1][2] of the partition containing the kernel, rather than into the MBR. The boot partition is typically /dev/hda1. You'll need to do this BEFORE an alternative boot manager will work. For some tips on installing LILO into the superblock of the kernel partition, see some brief notes here.

  • There are a number of different MBR options available in the DOS based Boot Control. Here's a local copy of build 041 (30,222 bytes)
    MD5 sum: f828a96bfa059be0ac6a2b36bdb81af4

  • The Graphical Boot Manager (GAG) can boot up to 9 different operating systems, including Linux and FreeBSD. Here's a local copy of version 4.3 (12,268 bytes)
    MD5 sum: c6a478f73605c5652793a1e28333f6e6

  • Smart Boot Manager comes in both Linux and DOS flavours, is light-weight and suitable for any operating system. Here's a local copy of version 3.7 release 1:

    • Linux (statically linked - 132,702 bytes)
      MD5 sum: 9274f633de782a2421ea5943cb579a37
    • DOS (69,612 bytes)
      MD5 sum: aad50c2ab753a668e39af88f84a75b43
      and support file (20,473 bytes)
      MD5 sum: da922d33e83c4ca711a92e59f2c6a9fc

Recover Data from a Hard Disk Drive

  • hdd_fix.img (1474560 bytes) MD5 sum: 5192f3971af5e730fa4dc2cde32e92d9
    This is a companion disk to the bootable floppy with focus on data recovery. Has copies of fixdisktable, gpart, parted and rescuept (but not the text resources) and lde, the Linux Disk Editor.

  • hdd_fix.tar.gz (496748 bytes) MD5 sum: 378305e27fecd1968ed530073ebd440e
    These are the individual files from the hdd_fix companion disk.

  • File Summary:
    • fixdisktable
      (Scans a disk and attempts to recover the partition table)
    • gpart
      (Makes excellent guesses at the partition table for a disk. Option to write the guessed table back to disk)
    • lde
      (Linux Disk Editor - Low level edit or dump data on a disk)
    • parted
      (For creating, destroying, resizing, checking and copying partitions, and the filesystems on them)
    • rescuept
      (Prints out information that can be used with fdisk or sfdisk to reconstruct the partition table)

The Bootable Linux Floppy

The bootable floppy recommended for use here is based on RamFloppy v1.06 by Kent Robotti and rebuilt by the author to be DOS and Linux configurable. It understands ext2, ext3, reiserfs, msdos, vfat, iso9660, ntfs and ufs filesystems, but is not network aware. It has a range of standard tools on it and includes mc (Midnight Commander). Another excellent and versatile Linux boot floppy is tomsrtbt.

Installing Disk Images

  • Format as many 3.5-inch floppies as you need, one per image, formatted to 1.44MB:
    DOS: format a: /f:1.44
    Linux: superformat /dev/fd0 hd

  • Write the image to a disk:
    DOS: Get rawrite2.exe (17863 bytes)
    Type rawrite2, then the name of the image eg. file.img, then the destination drive eg. a:
    Linux: dd if=file.img of=/dev/fd0 bs=1k or cat file.img > /dev/fd0

    NOTE: Theoretically it's not really necessary to format floppies before writing images to them, however I've found disk-image writes to formatted floppies to be more reliable. Of course, YMMV.

Brief Tips to Data Recovery

  • Data and file recovery is never guaranteed. If you don't know what you're doing (and even when you do) data may be irreparably damaged or lost. Consider the use of professional data recovery services. If you want to proceed, do so at your own risk. There. I feel better now.

  • Have a second hard disk device, large enough to store recovered sections of the target disk's partitions, mounted on a suitable mount point

  • If you know roughly where on the target drive the data you want is, then dump chunks of raw target partition to the recovery disk using dd or lde eg.

    dd skip=7000000000 ibs=1 count=10000000 if=/dev/hda1 of=/path/outfile
    This dumps 10MB of raw data from the first partition on hda, starting at byte-offset 7GB into the hda device.

    lde -D start_block -N how_many_blocks+1 /dev/hda1 > /path/outfile
    This dumps by block rather than byte-offset.

  • If you don't know where the data is, you'll need to go a huntin' using something like:

    cat /dev/hda1 | grep --text -b "target words" > /path/outfile
    This reads hda1 as if it were a text file, recording the byte-offset of the start of the key word(s) in the outfile. Use dd or lde to start dumping on the basis of this information.

  • Inspect the outfile using strings /path/outfile | more to make sure the data you want has been captured

  • Use grep to save the data you want out of the captured file eg.

    grep -A 20 -B 20 "target words" /path/outfile > /path/final_file
    This saves the 20 lines before and after the line of the outfile which contains the target key word(s) to final_file.
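The hunt-and-grep procedure above, as an added Python example that is not from the original page: hunt() finds byte offsets the way grep --text -b does, dump() copies a window of raw bytes the way dd skip=/count= does, and context() keeps the lines around each hit the way grep -A/-B does (without grep's "--" group separators). The partition image it searches is constructed inside the script (binary filler around fifty short records), so it runs without a real disk; on a real target the bytes would come from the partition device or from an image taken with dd.

```python
def hunt(data, needle):
    """Like `grep --text -b needle`: the byte offset of every occurrence of needle."""
    offsets = []
    pos = data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def dump(data, offset, count, before=0):
    """Like `dd skip=OFFSET-BEFORE ibs=1 count=COUNT`: a raw window of bytes."""
    start = max(0, offset - before)
    return data[start:start + count]


def context(chunk, needle, before=20, after=20):
    """Like `grep -B before -A after needle`: the lines around every line that
    contains needle, with overlapping windows merged into one run of lines."""
    lines = chunk.split(b"\n")
    keep = set()
    for i, line in enumerate(lines):
        if needle in line:
            keep.update(range(max(0, i - before), min(len(lines), i + after + 1)))
    return [lines[i] for i in sorted(keep)]


def recover(data, needle, window=200, before=20, after=20):
    """Run the three steps together: for each hit, carve a window centred on it
    and keep the lines around the match. Returns one list of lines per hit."""
    results = []
    for off in hunt(data, needle):
        chunk = dump(data, off, window, before=window // 2)
        results.append(context(chunk, needle, before, after))
    return results


# Constructed stand-in for a raw partition: binary filler, then fifty short text
# records (one of them holding the target words), then more filler.
RECORDS = b"".join(
    (b"record %02d\n" % i) if i != 25 else b"record 25 target words here\n"
    for i in range(50)
)
SAMPLE_IMAGE = bytes(range(256)) * 16 + RECORDS + b"\xff" * 2048

if __name__ == "__main__":
    for off in hunt(SAMPLE_IMAGE, b"target words"):
        print("hit at byte offset", off)
    for lines in recover(SAMPLE_IMAGE, b"target words", window=200, before=2, after=2):
        print(b"\n".join(lines).decode("ascii", "replace"))
```

The window size passed to dump() is the equivalent of the dd count: make it generous, because a file's lines can sit well before and after the byte offset grep reports, and context() only keeps lines that are wholly inside the carved chunk.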

Recover Deleted Files

Recovering deleted files is like scraping honey off a blanket, which explains why the best backups are kept by people who have previously lost files......

Most Important: To give yourself the best chance at successful file undeletion,
  1. Do not write anything to the disk containing the deleted files.

  2. Do not boot from that disk.

  3. It bears repeating: Data and file recovery is never guaranteed. If you don't know what you're doing (and even when you do) data may be irreparably damaged or lost. Consider the use of professional data recovery services. If you want to proceed, do so at your own risk.

  4. Under Linux, as the root (super)user, unmount the partition containing the deleted files as soon as possible, eg. umount /dev/hda7
     NOTE: You can discover which partition is associated with the part of the file system you're interested in by typing mount at the command line. For a formatted list of devices, associated file system mount points, and file system types, copy and paste the following to the command line and press Enter:

    echo "DEVICE DIRECTORY FS-TYPE" > tmp; mount | cut -d" " -f1,3,5 | \
    sort >> tmp; cat tmp | column -t | sed -e "1s/.*/`tput smso`&`tput rmso`/"

    (Acknowledgements to Tom Pycke for that little gem)

  5. If the data is really important, make a copy of the whole disk, or the partition containing the deleted files using dd or cat. You'll need a spare hard disk or partition on the same disk larger than the original. Issue something like eg. dd if=/dev/hda10 of=/dev/hda14 or cat /dev/hda > /dev/hdb then attempt recovery using the copy. That way you have the original to go back to and make another copy of if your first attempt doesn't work out.

  6. SIDE NOTE: To undelete files on an NTFS partition ie. MS Windows NT/2000/XP use something like TestDisk (see below) or Restoration:
    "Restoration is an easy to use and straight forward tool to undelete files that were removed from the recycle bin or directly deleted from within Windows, and we were also able to recover photos from a Flash card that had been formatted. Upon start, you can scan for all files that may be recovered and also limit the results by entering a search term or extension. In addition, it also provides the option to wipe the found files beyond simple recovery. The program is small and standalone, it does not require installation and can also run from a Floppy disk. Restoration works with FAT and NTFS as well as digital cameras cards."
    Local copy: REST2514.EXE (193 kbytes) MD5 sum: 7ab26cdabb688889b017d49d1d75fd70

The following are a few pointers for file undeletion using Linux:
  • Using Linux to undelete vfat files:
    On DOS type file systems, the first letter of the deleted file's name is replaced by a "sigma" character in the File Allocation Table (FAT). To undelete a deleted file (assuming none of the file has been overwritten in the meantime) use the above hunt-n-grep method to find the truncated filename on the partition. Use lde to change the "sigma" character to something readable, say, an "x" (the original letter would be even better if you know it!). Hopefully, the file is now undeleted.

  • On Linux ext2 file systems, use one (or more) of the following tools or techniques:

    • Recover (CLI local copy GUI local copy)

    • The Coroner's Toolkit

    • debugfs(8) - see the article "Tales from the Abyss: UNIX File Recovery" at Sys Admin Magazine for details.

    • lde. Here are some notes from the author of lde on unerasing files.

    • Midnight Commander has an Undelete files (ext2fs only) option under Command. Note that undelfs support needs to be compiled into MC first, which requires e2fsprogs and libext2fs (usually provided as part of the e2fsprogs package) to be installed prior to compilation. You may check for undelfs support using mc -V at the command line. With undelfs supported in MC:

      • make sure that the partition on which files need to be recovered is not mounted
      • select "Undelete files (ext2fs only)" from the "Command" menu
      • enter the partition name when prompted eg. hda10
      • you should now see a list of files with weird names. Use the MC viewer and "Find File" to identify the files that need to be recovered. Copy them to a safe location.

      More information about MC may be found in An Introduction to the Midnight Commander

    • e2retrieve "e2retrieve is a data recovery tool for Ext2 filesystem. This means that e2retrieve will not try to repair the filesystem but will extract data to "copy" it to another place (another disk, NFS, Samba, ...)." Local copy (42 kbytes) MD5 sum: 539a66c3e87ebb836f52c00e8ad2497f

    • Foremost "Foremost is a console program to recover files based on their headers and footers. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for." Local copy (15 kbytes) MD5 sum: e9ef82662e2bdbc10158b455d40a0545

    • TestDisk "Tool to check and undelete partitions. Works with the following partitions: FAT12 FAT16 FAT32, Linux EXT2/EXT3, Linux SWAP (version 1 and 2), NTFS (Windows NT/W2K/XP), BeFS (BeOS), UFS (BSD), Netware, ReiserFS"
      Local copies: Linux static (953 kbytes) MD5 sum: 148fd416fc9b611076e0825fd6f68200
      Windows (1,297 kbytes) MD5 sum: aa372865837c2671af04b4941f555227
      RPM (484 kbytes) MD5 sum: cf79fb0fc58fb56d1f9e775a0c9ddf5b

    • myrescue "myrescue is a program to rescue the still-readable data from a damaged harddisk. It is similar in purpose to dd_rescue, but it tries to quickly get out of damaged areas to first handle the not yet damaged part of the disk and return later." Local copy (16 kbytes) MD5 sum: 1fa60e20f6885ff36500ba9257eddfee

    • recoverdm "This program will help you recover disks with bad sectors. You can recover files as well as complete devices. In case it finds sectors which simply cannot be recovered, it writes an empty sector to the output file and continues. If you're recovering a CD or a DVD and the program cannot read the sector in "normal mode", then the program will try to read the sector in "RAW mode" (without error-checking etc.)." Local copy (10 kbytes) MD5 sum: 78226539d13d433a6fc4a89bdb38e988

    • e2undel "e2undel is an interactive console tool that recovers the data of deleted files on an ext2 file system under Linux. Included is a library that allows to recover deleted files by name. It does not require any knowledge about the secrets of the ext2 file system and should be useable by everyone." Local copy (54 kbytes) MD5 sum: 5a23c78e00216f5e4664664b6ef0f059

    • e2extract The e2extract toolkit "extracts lost files and recreates directory structure from information obtained by the directory inodes, such as the original file name and location. recurses through type 1 files (normal files) and type 2 files (directories), recreating them in a directory somewhere else."

    • Also check the Linux Ext2fs Undeletion mini-HOWTO and the Ext2fs Undeletion of Directory Structures mini-HOWTO.
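For the vfat note at the top of this list, an added Python example (not from the original page) that shows what the "sigma" marker looks like in a FAT directory entry and what editing it back does. On FAT file systems the deleted marker is the byte 0xE5 in the first position of the 32-byte 8.3 directory entry; code page 437 draws 0xE5 as σ, which is why it appears as a sigma in lde or a DOS editor. The directory region scanned here is constructed in the script, and the file names, sizes and cluster numbers are assumptions. Only the name byte is restored: deleting a file also frees its cluster chain in the FAT, so a fragmented file still needs its remaining clusters located by other means.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5     # first name byte of a deleted entry; shown as sigma in CP437
END_OF_DIR = 0x00         # first name byte 0x00: this and all later entries unused
ATTR_LONG_NAME = 0x0F     # attribute value of a VFAT long-name fragment


def build_entry(name, ext, size, first_cluster, deleted=False):
    """Construct a 32-byte 8.3 directory entry (sample data for this example)."""
    entry = bytearray(ENTRY_SIZE)
    entry[0:8] = name.upper().ljust(8).encode("ascii")[:8]
    entry[8:11] = ext.upper().ljust(3).encode("ascii")[:3]
    entry[11] = 0x20                                   # archive attribute: ordinary file
    struct.pack_into("<H", entry, 26, first_cluster)   # low 16 bits of first cluster
    struct.pack_into("<I", entry, 28, size)            # file size in bytes
    if deleted:
        entry[0] = DELETED_MARKER                      # what a delete does to the entry
    return bytes(entry)


def display_name(entry):
    """Render the 8.3 name; a deleted entry's unknown first letter is shown as '?'."""
    raw = bytearray(entry[0:11])
    if raw[0] == DELETED_MARKER:
        raw[0] = ord("?")
    name = raw[0:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    return name + ("." + ext if ext else "")


def scan_directory(region):
    """List the short-name entries in a directory region with their deleted state."""
    found = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = region[off:off + ENTRY_SIZE]
        if entry[0] == END_OF_DIR:
            break
        if entry[11] == ATTR_LONG_NAME:
            continue                                   # skip long-name fragments
        found.append({
            "offset": off,
            "deleted": entry[0] == DELETED_MARKER,
            "name": display_name(entry),
            "first_cluster": struct.unpack_from("<H", entry, 26)[0],
            "size": struct.unpack_from("<I", entry, 28)[0],
        })
    return found


def undelete_entry(region, offset, first_letter="x"):
    """Replace the marker byte with a readable letter, the edit lde is used for above."""
    if region[offset] != DELETED_MARKER:
        raise ValueError("entry at offset %d is not marked deleted" % offset)
    patched = bytearray(region)
    patched[offset] = ord(first_letter.upper())
    return bytes(patched)


# Constructed directory region: one live file, one deleted file, then the end marker.
SAMPLE_DIRECTORY = (
    build_entry("README", "TXT", 1200, 5)
    + build_entry("NOTES", "DOC", 4096, 12, deleted=True)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for e in scan_directory(SAMPLE_DIRECTORY):
        print("%-12s %-8s cluster %d size %d" % (
            e["name"], "deleted" if e["deleted"] else "in use", e["first_cluster"], e["size"]))
    repaired = undelete_entry(SAMPLE_DIRECTORY, 32, "N")
    print("after edit:", [e["name"] for e in scan_directory(repaired)])
```

The first cluster and size fields survive deletion, which is what makes this edit worthwhile: once the entry is readable again the file system can follow the entry to the data, provided those clusters have not been reused.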

Wipe Data From Disks

Data cleansing is often associated with data recovery. Cleansing or wiping data from various media is not as easy as many think. Any of the data recovery techniques described above may revive data thought to have been "cleansed" by deleting files from the file system, formatting a drive or destroying the Master Boot Record of a drive. In cleansing data from a disk the technique used needs to be proportional to the risks associated with having the data come back from the dead. Typically, the more cryptographically secure the data cleansing technique, the more time it takes, and if the risk is great enough, nothing short of non-recoverable physical destruction to Department of Defense standards will be sufficient.

For most non-sensitive data-cleansing requirements, the following technique is fairly quick: boot from a Linux boot disk, issue dd if=/dev/zero of=/dev/hda bs=1k from the command line and let it run until (in this case) the Primary disk on the first IDE controller is filled with zeros.

For more-sensitive data you may decide that a cryptographically stronger data-cleansing technique is more appropriate. BCWipe, available for Linux, DOS and Windows, supposedly offers a number of cryptographically secure cleansing options and can be deployed from bootable floppy or CD.

For more information concerning the secure deletion of data from magnetic and solid-state media, see Peter Gutmann's paper here.
