When All Appears Lost

Only when your computer suddenly gives up the ghost or goes crazy do you realise how dependent upon it you have become. Of course there are constant reminders to "Back up your Hard Disk", but this story is not designed to question that advice. It does not deal with physical damage to, or failure of the hard disk or other storage medium. It is about the map or index on the hard disk that is essential to finding and accessing data that still exists, but is invisible. Corruption of this information is probably the cause of more data loss than one could blame upon hardware failure.

This is a description of a single episode of loss of data, and it is also singular, in that it's an example of only one cause of data loss. Therefore, it will necessarily not be identical with similar incidents on other computers. Nevertheless, the account may be of value to others using Windows 95/98/Me, because of the tools used to enable recovery. It also has many features that can be used with Win NT/2000/XP."

A Pentium II 233 MHz computer running Windows 98SE and Red Hat Linux 6.2 on a dual-boot 20 GB hard disk worked well for two years. The disk had been partitioned with Partition Magic 5.0, the boot manager being Boot Magic. Windows 98 was the default operating system. After neglecting to use the Linux OS for some time, interest was regenerated after reading the May 2003 issue of PC Update, which featured many articles on that operating system.

When the machine was instructed to boot into RH Linux, it did so, but the mouse was not working. Not knowing how to exit using the keyboard, the reset button was used on two occasions, apparently without ill-effect, but on a subsequent startup the Windows boot sequence was aborted inadvertently, and this probably caused the problem. The computer could then not be booted into either OS, and the C: drive (first partition) became inaccessible ("invalid media" was being reported).

Booting from a Windows 98 boot disk enabled reading of all partitions except C:, encouraging the belief that only the boot sector and/or partition information of drive C was lost or corrupt. Partition Magic bootable floppy disks and a Partition Magic Rescue Disk had been prepared at the time of installation. Using the floppy disks it was possible to see all the remaining partitions, but C: "could not be checked". The Rescue Disk also could not access the C: drive, and therefore could not reach the Boot Manager. To exclude the possibility of a boot sector virus, an up-to-date DOS-based antivirus program (Vet for DOS) was downloaded on another machine, and run after booting with a DOS disk. This was unsuccessful, "invalid media drive C:" being returned. Norton Disk Doctor would not work for the same reason.

Tools Discovered

A search for help on the Internet discovered two recovery tools and much information at DIY Data Recovery, http://www.diydatarecovery.nl. The tools are MBRtool and DiskPatch. The manuals downloaded with them were extremely helpful in understanding what could be wrong. There is also an online forum and searchable FAQ database at http://www.diydatarecovery.nl/~tkuurstra/support.htm. This forum is moderated during daylight hours (Central European Time). Questions can also be sent by e-mail, and a reply can be expected within 24 hours.

It is very helpful to attach the partition information collected from the crippled computer by a small free program called partinfo (371kb), part of Partition Magic by PowerQuest. Instructions on how to obtain this are at http://www.kuurstra.cistron.nl/, or failing that try ftp://ftp.powerquest.com/pub/utilities/partinfo.zip. (Note there is another data recovery utility on the site called iRecover, to recover lost Windows files. It offers FAT, FAT32 and NTFS file system support, and supports all current Microsoft Windows versions (including 2000 and XP, server and workstation).

DiskPatch is designed to indicate (in demo mode) how likely it would be to recover data in activated mode. It is emphasised that a 100% guarantee of success CANNOT be given. In the case in point, the partinfo.txt file mailed to the support line indicated that the most likely scenario was corruption of the boot sector of the first partition (C:). DiskPatch demo had also demonstrated that the backup boot sector of that partition (there are 2 boot sectors for every Fat32 partition) was probably intact, and could be used to replace the first sector. It should be mentioned here that DiskPatch is able to write a new boot sector, based on its examination of the characteristics of the partition, if the backup copy is also corrupt or lost. But the chances of recovering the partition are then lessened.

So the advice from the support line was to activate the program and follow the instructions (on page 36 of the manual). The demo program had already been downloaded, but another visit to the site was required to purchase it, using a credit card on a secure connection. Two responses were received within about 20 minutes, one being a receipt for the money (AUD 64.00), the other the code needed to activate the program. Choosing a time free of interruptions, the task was commenced with feelings of mixed trepidation and
excitement, trying not to have unrealistic expectations. But 10 days of resisting the temptation to "do something", instead making enquiries and searching for solutions, was rewarded with complete recovery of the affected drive (C:).

A list of the steps followed appears below:

Selected Comments On The Software

1. DiskPatch (then Repoman) was used by NASA in November, 2002 to recover a graphical program, see: http://www.diydatarecovery.nl/~tkuurstra/repoman_comments.htm.

2. Comparing DiskPatch with Norton Disk Doctor by Joep van Steen (author of Diskpatch)

NDD is designed to replace and go beyond what SCANDISK does. SCANDISK does NOT care about your data ... it cares about a consistent file system, so if something is inconsistent it will try to restore the file system to a consistent state. If this can be done by `deleting' data it will often do so. It should be able to repair a corrupt boot sector, but I feel the problem with NDD is that it will inspect everything ... the MBR, partition tables, boot sectors etc.. Problem with that is, that when you (the program) are presented with loads of info it gets more difficult to decide what's wrong or right. Problem increases when you see things that you (the program) are not programmed for (like mixed Windows/Linux drives).

DiskPatch leaves a lot of the decisions with the end user and it concentrates only on the MBR, partition table and boot sector(s). It does not really diagnose to the extent that NDD does; in a way NDD is more intelligent. If one uses DiskPatch the conclusion that something is wrong has often already been taken.

NDD can be used as a diagnostic/maintenance tool as well. I have planned some diagnostic features for DiskPatch as well though; it may be useful to see if the boot sector matches the FATs, and vice versa. But even then DiskPatch will not start automatically fixing thing. I have learned that standards do exist to be broken. Detecting a non-standard situation does not mean by definition it needs fixing, in my experience

System Requirements

486 or higher or compatible CPU
PCI bus
300 Kb free conventional (DOS) memory
BIOS support for int13h extended disk access
1.44 Mb diskette drive
MS-DOS 6.22 or higher or compatible DOS ( DOS is NOT included!).
Supports large IDE and SCSI hard disks (larger than 8 GB)
Supports hardware RAID 0 and 5 (NOT software based RAID!)

In general, any 486 or higher PC will do.
(Roughly, DiskPatch will run on any PC that was manufactured in 1998 or later)

Reprinted from the October 2003 issue of PC Update, the magazine of Melbourne PC User Group, Australia

[ About Melbourne PC User Group ]