Working complete PC
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"
The student will become familiar with:
The Microsoft Extended DOS Partition type,
The Microsoft Extended Master Boot Record (EMBR) sector's location, function, and layout,
Basic usage of Norton DiskEdit,
Searching for EMBRs using DiskEdit,
Designing an Extended DOS Partition table entry in the MBR,
Using DEBUG to write the Extended DOS Partition table entry into the MBR.
The student will continue learning how to use the BIOS INT 13h interface for data recovery, including the routine acquisition of the MBR of BIOS drive 80h. The student will begin learning how to use another low-level disk access tool, Norton DiskEdit, to search the drive for EMBR sectors. Once an EMBR is found, the student will design an Extended DOS Partition table entry, enter it in DEBUG, and develop the INT 13h call that writes the table to the MBR, reestablishing access to the logical drives.
The student should GHOST DOS onto the hard drive into a 600MB Primary DOS partition. Boot to the C: drive and run FDISK and create an Extended DOS Partition as large as FDISK offers, then create a D: Drive of 250MB, and an E: Drive of 500MB. Exit FDISK properly and reboot.
The student should then format the two logical drives and copy or create at least one data file into the root of each logical drive for ultimate recovery at the end of this exercise.
Once the drive has been prepared, run DEBUG and execute the following, which writes a sector of zeros over the MBR and so makes every drive letter on the hard disk inaccessible. The registers are set up for INT 13h function 03h: AH = 03h (write sectors), AL = 01h (one sector), ES:BX = the zeroed buffer at offset 100h, CH = 00h and CL = 01h (cylinder 0, sector 1), DH = 00h and DL = 80h (head 0, first hard drive). The INT 3 after the call returns control to DEBUG so the registers (and the carry flag, which INT 13h sets on error) can be inspected:
-f 100 2ff 0
-a 300
242C:0300 mov ax, 301
242C:0303 mov bx, 100
242C:0306 mov cx, 1
242C:0309 mov dx, 80
242C:030C int 13
242C:030E int 3
242C:030F (press [Enter] here to exit the assembler)
-g=300
Reboot the PC and BIOS will report "DISK BOOT FAILURE". Reboot to the "New Boot A" diskette to begin the recovery procedures.
When booting to New Boot A, bear in mind that the DOS on this diskette is the Windows 98 Second Edition version. As such it is not truly suitable for data recovery operations: the Windows 98 SE DOS kernel DOES write to the target drive even when using passive commands such as DIR. It will be used for the laboratory exercises until the module on constructing a similar DOS 6.22 based diskette is developed and done in class.
For now select menu option #2 from the diskette's boot menu to fully deploy without CD-ROM support. This choice creates a RAM drive with the letter K:, unpacks all compressed utilities and commands on the diskette into it, and changes to the K: prompt.
Starting New Boot A...
1) Full Deploy w/CD-ROM support as Drive Q:
2) Full deploy w/o CD-ROM support
3) Fast Deploy (no SETs or Copies)
4) Rapid Deploy w/CD-ROM support as Drive Q:
5) Rapid Deploy w/no extraction
6) No deploy
Enter Selection: [1,2,3,4,5,6]?2
From the K: prompt run Norton DiskEdit:
Inflating: k:UNSET.EXE
Inflating: k:SMARTDRV.EXE
Inflating: k:MBR.EXE
Inflating: k:INTERSVR.EXE
Inflating: k:INTERLNK.EXE
Inflating: k:LISTDEV.COM
Inflating: k:UNDELETE.EXE
Inflating: k:XCOPY32.MOD
Inflating: k:CHKDSK.EXE
Copying files. . .
Setting environmental variables. . .
K:\>diskedit
When it opens it will warn the user that it is currently running in "Read-Only" mode. In this mode it refuses all attempts to write to the drives. This is acceptable for the current operation (searching), but the student should learn how to change DiskEdit to full drive access mode (allowing both read and write operations).
Open the TOOLS main menu option of DiskEdit by pressing [Alt]+[T].
Then press [O] (letter Oh) to open the Configuration window.
In the Configuration window, with the Read-Only option highlighted, press the [Spacebar] key to uncheck the Read-Only checkbox, then press [Enter] to close the Configuration window.
The configuration change is saved to a file named NORTON.INI on the K: drive. This file is only read when DiskEdit starts, which is why DiskEdit must be quit and run again for the change to take effect.
Press [Alt]+[Q] to open the Quit menu and then press [Enter] to quit DiskEdit.
Execute DiskEdit again and this time the Read-Only warning will not be displayed meaning that it is now in full disk access mode.
The default disk access mode is file system mode, meaning that DiskEdit is reading the current directory, the root of the K: drive. DiskEdit must be instructed to go to physical drive mode instead, which displays the contents of the raw sectors as DEBUG does. Press [Alt]+[O] to open the Object menu.
Then press [D] or [Enter] to open the Disks window.
With the disks window open, press [Tab] to move to the drive types selection pane within the window.
Press the down arrow to put the cursor on the "Physical Drives" radio button.
Press the [Spacebar] to select it.
Press the [Enter] key to accept the choice. Notice that since the RAM drive is not a physical disk, once the objects choice was changed to physical disks, the default moved to the hard drive which was the desired physical disk choice. The first physical sector of the hard drive is currently displayed on screen and it is empty as expected from the preparation steps taken above.
Searching sectors for a specific binary string is slow: scanning an entire drive for a long string can take hours. To make effective use of class time, the starting sector will be purposely chosen close to the expected location of the EMBR. In an actual recovery operation this location is not known, and the search has to start from the first physical sector and be allowed to run across the entire drive. It should also be noted that the version of Norton DiskEdit used in this exercise is old and not LBA capable, meaning that the data recovery specialist will need to purchase Norton SystemWorks or System Suite 2003. This is the last version that included DOS executable utilities, including the latest LBA-capable version of DiskEdit suitable for these data recovery operations.
Press [Alt]+[O] to open the object menu and then press [P] to open the physical Sector selection window. With this window open, type in Cylinder number 75, then press [Enter].
Now open the Tools menu ([Alt]+[T]) and press [Enter] to open the Find window. Press [Tab] to move the cursor into the Hexadecimal search string box and enter the value "00 00 55 AA", the exact four bytes expected at the end of an EMBR (the two leading zeros are the tail of the unused fourth table entry, which narrows the search compared with 55 AA alone). False hits can occur where this series of four bytes appears in a sector that is not an EMBR, but such hits will rarely fall at the end of the sector, where they must be in a real EMBR. Press [Tab] to highlight the "Ignore Case" checkbox and press the [Spacebar] to uncheck it. Press [Enter] to initiate the search.
When the Find dialog finds a false hit press [Ctrl]+[G] to continue the search from the current location. When the real EMBR is found, the four bytes will be highlighted and found at the end of the sector.
Use the up arrow to bring more of the bottom of the sector into view on screen and note that the partition tables are present and the rest is zeros, indicating that this is the EMBR sector. Note the physical CHS address listed in the lower right hand corner of the status bar.
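The DiskEdit search above, carried out in software as an added example (this is not code from the lab page or its author): a Python scanner walks a raw disk image and applies the same acceptance test the text describes, namely 55 AA at the end of the sector, a plausible entry in the first table slot, and zeros everywhere else, so that a stray 55 AA inside a data sector or a boot sector with code in front of its table is rejected as a false hit. The 128-sector demo image, the function names and the lab geometry (255 heads, 63 sectors per track) are constructed assumptions; on a real image pass the file contents and, as the lab does, a starting LBA near the expected location.

```python
"""Scan a raw disk image for candidate EMBR sectors (added example; not from the lab page).

Reproduces the DiskEdit search in software with the same acceptance test the
lab uses: 55 AA must sit at the END of the sector (offset 1FEh), the partition
table area at 1BEh must hold a plausible first entry, and everything else in
the sector must be zero (an EMBR carries no boot code).  The demo image and
the lab geometry (TH = 255, TS = 63) are constructed assumptions.
"""
import struct

SECTOR = 512
HEADS, SPT = 255, 63


def lba_to_chs(lba, heads=HEADS, spt=SPT):
    """Invert the lab's formula LBA = C*(TH*TS) + H*TS + (S-1)."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec = divmod(rem, spt)
    return cyl, head, sec + 1


def parse_entry(raw):
    """Decode one 16-byte partition table entry (cylinder bits 8-9 live in the sector byte)."""
    boot, sh, ss, sc, ptype, eh, es, ec, start, size = struct.unpack("<BBBBBBBBII", raw)
    return {
        "boot": boot,
        "type": ptype,
        "start_chs": (((ss & 0xC0) << 2) | sc, sh, ss & 0x3F),
        "end_chs": (((es & 0xC0) << 2) | ec, eh, es & 0x3F),
        "start_lba": start,
        "size": size,
    }


def entries_of(sector):
    """The four table slots at 1BEh, decoded."""
    return [parse_entry(sector[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]) for i in range(4)]


def looks_like_embr(sector):
    """The lab's test for a real hit, as opposed to a stray 55 AA or a boot sector."""
    if len(sector) != SECTOR or sector[0x1FE:0x200] != b"\x55\xAA":
        return False          # signature absent or not at the end of the sector
    if any(sector[:0x1BE]):
        return False          # code/data before the table: a boot sector or MBR, not an EMBR
    if any(sector[0x1DE:0x1FE]):
        return False          # EMBRs use only the first two table slots
    first = entries_of(sector)[0]
    return first["boot"] in (0x00, 0x80) and first["type"] != 0 and first["size"] != 0


def scan_image(image, start_lba=0):
    """Return [(lba, (c, h, s), entries)] for every sector passing looks_like_embr()."""
    hits = []
    for lba in range(start_lba, len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if looks_like_embr(sec):
            hits.append((lba, lba_to_chs(lba), entries_of(sec)))
    return hits


def build_demo_image():
    """Constructed 128-sector image: two false hits and one real EMBR at LBA 63 (C=0,H=1,S=1)."""
    img = bytearray(SECTOR * 128)
    # False hit 1: "00 00 55 AA" buried inside a data sector.
    img[5 * SECTOR + 200:5 * SECTOR + 204] = b"\x00\x00\x55\xAA"
    # False hit 2: a boot-sector-like sector (code at the start, signature at the end).
    img[9 * SECTOR:9 * SECTOR + 3] = b"\xEB\x3C\x90"
    img[9 * SECTOR + 0x1FE:9 * SECTOR + 0x200] = b"\x55\xAA"
    # Real EMBR: slot 1 = FAT16 logical drive, slot 2 = type 05 link to the next EMBR.
    e = 63 * SECTOR
    img[e + 0x1BE:e + 0x1CE] = struct.pack("<BBBBBBBBII", 0, 1, 1, 0, 0x06, 0xFE, 0x3F, 0x03, 63, 16000)
    img[e + 0x1CE:e + 0x1DE] = struct.pack("<BBBBBBBBII", 0, 0, 1, 4, 0x05, 0xFE, 0x3F, 0x07, 16128, 16128)
    img[e + 0x1FE:e + 0x200] = b"\x55\xAA"
    return bytes(img)


if __name__ == "__main__":
    for lba, chs, ents in scan_image(build_demo_image()):
        print(f"EMBR candidate at LBA {lba} = CHS {chs}; first entry type {ents[0]['type']:02X}h")
```

The CHS reported for each hit is what the lab's partition table worksheet needs; on a real 600 MB image the scan is a few seconds rather than DiskEdit's hours, but the hit still has to be checked by eye, since a sector of zeros with a single well-formed entry and a signature is the only thing this test can prove.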
At this point the first EMBR has been found. Close DiskEdit ([Alt]+[Q], [Enter]) and get out a partition table worksheet and begin the process of designing the Extended DOS Partition table.
Since only the logical drives are being recovered in this exercise, the first partition table of the MBR will be used. Normally however, the data recovery specialist will at least attempt to recover the C: drive meaning that this Extended DOS Partition table would usually be built in the second partition table of the MBR because the first table would hold the reconstructed partition table of the Primary DOS Partition.
Extended DOS Partitions are never bootable, so the boot indicator field at offset 00h must be 00, marking the entry as not active.
The starting sector's geometry is that of the sector just located with the Find function of DiskEdit: Cyl = 77 (4Dh), H = 0, S = 1. These values go into the partition table fields as: offset 01 = 00 (head), offset 02 = 01 (sector, with cylinder bits 8-9 in its top two bits, here 0) and offset 03 = 4D (cylinder bits 0-7).
The PID is that of a Microsoft Extended DOS Partition: the field at offset 04 = 05.
The ending CHS of an Extended DOS Partition entry in the MBR is not used to locate anything. IO.SYS is interested in the starting sector, because that sector is the EMBR defining the first logical drive and pointing to the next EMBR, if one exists, which in turn defines the next logical drive, and so on. The only requirement is that the ending fields agree with the size field at offset 0C. Because of this, the last physical sector of the hard drive may be chosen and used. On the hard drives used in class that sector is Cyl = 1023 (3FFh), H = 254 (FEh), S = 63 (3Fh); these are also the largest values the three CHS bytes can hold, which is why every large drive shows them as its ending CHS. These values go into the fields of the partition table as offset 05 = FE, offset 06 = FF, offset 07 = FF. REMEMBER: the field at offset 06 holds the top two bits of the cylinder number (bits 9 and 8) in its top two bits and the SIX-bit sector number in its low six bits. The top two bits of 3FFh are 11b and the sector number 3Fh is 111111b; written across, cylinder bits first, that is 11111111b = FFh. Note that the entry now claims the whole remainder of the drive; DOS tolerates this, but other partitioning tools may flag an extended partition that extends past its last logical drive, so the extent should be corrected once the data has been recovered.
The field at offset 08 is the number of sectors from the start of the containing structure to the partition's first sector. In the special case of the MBR ONLY, the containing structure starts at physical sector 0, so this is the same as the LBA address of the sector. Apply the CHS-to-LBA formula, with TH = 255 heads and TS = 63 sectors per track:
LBA = C x (TH x TS) + H x TS + (S - 1)
    = 77 x (255 x 63) + 0 x 63 + (1 - 1)
    = 1,237,005 + 0 + 0
    = 1,237,005 = 0012E00Dh (32 bits)
Reverse the hex bytes (the field is little-endian) and the field at offset 08 = 0D E0 12 00.
The partition size field must agree with the start and end fields, or the table may be rejected as invalid. First find the LBA address of the ending sector:
LBA = C x (TH x TS) + H x TS + (S - 1)
    = 1023 x (255 x 63) + 254 x 63 + (63 - 1)
    = 16,434,495 + 16,002 + 62
    = 16,450,559
Now subtract the LBA address of the starting sector from it and add one, the universal formula for the size of a multisector structure (ending LBA - starting LBA + 1):
StrucSize = ESLBA - SSLBA + 1
          = 16,450,559 - 1,237,005 + 1
          = 15,213,555 = 00E823F3h (32 bits)
Reverse the hex bytes and the field at offset 0C = F3 23 E8 00.
The completed partition table worksheet:
Partition Table #1 (at offset 1BEh of the MBR)
|Offset|Value|Field|
|00h|00|Boot indicator (not active)|
|01h|00|Starting head|
|02h|01|Starting sector (bits 0-5) and cylinder bits 8-9 (bits 6-7)|
|03h|4D|Starting cylinder, bits 0-7|
|04h|05|Partition type (Extended DOS)|
|05h|FE|Ending head|
|06h|FF|Ending sector (bits 0-5) and cylinder bits 8-9 (bits 6-7)|
|07h|FF|Ending cylinder, bits 0-7|
|08h|0D E0 12 00 (already reversed)|Relative (LBA) starting sector|
|0Ch|F3 23 E8 00 (already reversed)|Size in sectors|
Now open DEBUG and fill the RAM workspace from offset 100 to 2FF with zeros (a full 512-byte sector image). Then enter the new partition table entry at offset 2BE (100h + 1BEh) and the boot signature at offset 2FE (100h + 1FEh), the last two bytes of the sector:
-f 100 2ff 0
-e 2be 00 00 01 4D 05 FE FF FF 0D E0 12 00 F3 23 E8 00
-e 2fe 55 AA
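The worksheet calculation and the DEBUG fill above, carried through in code as an added example (not the lab's own code): the functions below apply the lab's CHS-to-LBA formula with the lab geometry (255 heads, 63 sectors per track), pack the three CHS bytes exactly as the worksheet does (cylinder bits 8-9 share the sector byte), and lay the 16-byte entry into a zero-filled 512-byte sector at 1BEh with 55 AA at 1FEh, which is the buffer the DEBUG session builds at offset 100h. Function names, the range checks and the optional image-file write are assumptions added here; writing the sector to the physical drive remains the job of the INT 13h program in the lab.

```python
"""Build the Extended DOS Partition entry and the replacement MBR sector.

Added example (not from the original lab page). Geometry TH = 255, TS = 63 and
the function names are assumptions; the arithmetic is the lab's worksheet.
"""
import struct

HEADS, SPT = 255, 63
EXTENDED_DOS = 0x05


def chs_to_lba(c, h, s, heads=HEADS, spt=SPT):
    """LBA = C*(TH*TS) + H*TS + (S-1), the formula used on the worksheet."""
    return c * heads * spt + h * spt + (s - 1)


def pack_chs(c, h, s):
    """Three-byte CHS field: head; sector (6 bits) with cylinder bits 8-9 above it; cylinder bits 0-7."""
    if not (0 <= c <= 1023 and 0 <= h <= 255 and 1 <= s <= 63):
        raise ValueError("CHS value does not fit a partition table field")
    return bytes((h, ((c >> 8) << 6) | s, c & 0xFF))


def build_entry(start_chs, end_chs, ptype=EXTENDED_DOS, bootable=False):
    """16-byte partition table entry; size = end LBA - start LBA + 1, as on the worksheet."""
    start_lba = chs_to_lba(*start_chs)
    end_lba = chs_to_lba(*end_chs)
    if end_lba < start_lba:
        raise ValueError("ending sector precedes starting sector")
    size = end_lba - start_lba + 1
    return (bytes([0x80 if bootable else 0x00]) + pack_chs(*start_chs)
            + bytes([ptype]) + pack_chs(*end_chs)
            + struct.pack("<II", start_lba, size))      # both fields little-endian ("reversed")


def build_mbr(entries):
    """Zero-filled MBR (no boot code) with up to four entries at 1BEh and 55 AA at 1FEh."""
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four partition table entries")
    sector = bytearray(512)                              # DEBUG: f 100 2ff 0
    for i, entry in enumerate(entries):
        sector[0x1BE + 16 * i:0x1BE + 16 * (i + 1)] = entry   # DEBUG: e 2be ...
    sector[0x1FE:0x200] = b"\x55\xAA"                    # DEBUG: e 2fe 55 AA
    return bytes(sector)


def lab_entry():
    """The exercise: EMBR found at C=77, H=0, S=1; ending at the last CHS-addressable sector."""
    return build_entry((77, 0, 1), (1023, 254, 63))


def write_image(path, sector):
    """Write the sector to the start of an image FILE (never a live drive from this script)."""
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(sector)


if __name__ == "__main__":
    entry = lab_entry()
    print("entry at 1BEh:", entry.hex(" ").upper())
    mbr = build_mbr([entry])
    print("signature at 1FEh:", mbr[0x1FE:].hex(" ").upper())
```

The bytes printed for the entry are the ones typed into DEBUG with `e 2be`; recomputing them from the CHS values is a useful check on a hand-filled worksheet, and build_entry refuses an end sector that lies before the start, which would otherwise produce a wrapped-around size field.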
Create the program code that will write the RAM from offset 100 to 2FF to the first physical sector of the hard drive (INT 13h function 03h, one sector, CHS 0/0/1 on drive 80h, the same program used to zero the MBR above) and execute it:
-a 300
242C:0300 mov ax, 301
242C:0303 mov bx, 100
242C:0306 mov cx, 1
242C:0309 mov dx, 80
242C:030C int 13
242C:030E int 3
242C:030F (press [Enter] here to exit the assembler)
-g=300
At this point the new MBR holding the Extended DOS Partition table entry has been written to the MBR sector of the HDD. Like all partition changes, the PC must be rebooted for the change to take effect; more precisely, the system must reboot so that IO.SYS scans the MBR, follows the chain of EMBRs, and assigns drive letters to the logical drives. Since the original C: drive has not been restored, the first logical drive will become C: and the second D:. Other than the letter shift, the two logical drives will be fully restored and accessible after rebooting to the diskette.
This concludes the restoration of logical drives module. In the next module, a similar restoration process will be undertaken but for the Primary DOS Partition.
Copyright © 2000-2006 Brian Robinson ALL RIGHTS RESERVED