TestDisk - Menu Analyse

Analyse

TestDisk 6.2-WIP, Data Recovery Utility, November 2005
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63
Current partition structure:
     Partition                  Start        End    Size in sectors
 1 * FAT32                    0   1  1  1010 254 63   16241652 [NO NAME]
 2 P Linux                 1011   0  1  1023 254 63     208845 [/boot]
 3 E extended LBA          1024   0  1 14592 254 63  217985985
 5 L Linux RAID            1024   1  1  3573 254 63   40965687 [md0]
   X extended              3574   0  1  4210 254 63   10233405
 6 L Linux RAID            3574   1  1  4210 254 63   10233342 [md1]
   X extended              4211   0  1 14592 254 63  166786830
 7 L Linux                 4211   1  1 14592 254 63  166786767






*=Primary bootable  P=Primary  L=Logical  E=Extended  D=Deleted
[Proceed ]  [  Save  ]

                            Try to locate partition

Analyzes a drive's current partition structure and seeks partitions, making it possible to recover lost partitions.

Partition checks

TestDisk's Analyse does a quick check of the partition structure. TestDisk can handle several type of partitions:

Intel
Mac
None (ie: small media without partition)
Sun
XBox

Intel partition structure is composed of the MBR table and extended partitions. The MBR is limited to four entries. One of the entries can be an extended partition allowing several logical partitions. Each logical partition is contained by an extended partition/container. The MBR and each extended partition must end with the two bytes 0x55 and 0xAA, in that order; which make up the Hex Word 0xAA55 (since x86 CPU systems are 'little-endian'). A partition entry is composed of:

start of partition in CHS
end of partition in CHS
filesystem type
logical start
size in sectors
boot flag

Only one primary partition can have the boot flag set. CHS information storage is limited to a maximum of 1024 cylinders (0-1023), that's why we have the famous 8 GB limitation (1024*255*63 = 16450560 sectors = 8422686720 bytes).

Modern operating systems and BIOS chips use LBA mode to access the data, but FAT12/16/32 boot sectors still make reference to CHS geometry. TestDisk checks that each value is in the authorized range: i.e., no sector value less than 1 nor higher than the number of sectors per head. The partition entries are read using logical start and size in sectors, then TestDisk checks if the logical values match the CHS values. TestDisk also checks that no partition data shows a partition as ending after the end of the disk, and that none of them are overlapping each other.

Sun label can have up to 8 partition entries. Entrie number 2 is reserved for the whole disk.

Filesystem checks

Following the filesystem type, TestDisk runs some basic checks on the boot sector/superblock of each filesystem. As ext2/ext3/reiserfs/jfs share the same filesystem type: 0x83, TestDisk has to check for each filesystem. The checks are the same as those used when TestDisk is searching for partitions:

presence of magic value or signature (i.e., 0xAA55 at offset 0x1FE of either FAT or NTFS boot sectors).
coherent values (i.e., free_blocks_count lower than blocks_count for ext2)

This phase is very quick as the checks are minimal.

Partition recovery

In a second step, TestDisk searches for 'lost partitions' without making use of any results from the previous step. This is the heart of TestDisk's powerful capabilities! TestDisk assumes the existence of partitions and scans all relevant drive cylinders for them. A primary partition starts at the beginning of a cylinder (head=0, sector=1), while a logical partition starts a little further along (head=1, sector=1). For each possible partition starting location, TestDisk can search for the presence of a filesystem header (FAT or NTFS boot sector, EXT2/EXT3 superblock, BSD disklabel...), which confirms the presence of a known partition type. Thus, the size of a partition is determined directly from its structure on the disk. Each partition that TestDisk discovers is added to a list of found partitions.

To detect a FAT32 partition, TestDisk searchs for a 0xAA55 endmark and the signature "FAT32", it also runs the corresponding FAT filesystem checks:

jump signature must be of the form "0xeb 0xXX 0x90" or
"0xe9 0xXX 0xXX"

where "0xXX" could be any byte, and...

0xeb: A Short Jump, displacement relative to next instruction (only 8 bit).
0x90: NOP (do nothing).
0xe9: A Near Jump, displacement relative to next instruction (32 or 16 bit).

sector size is 512
cluster size must be 1, 2, 4, 8, 16, 32, 64 or 128
there must be 2 FAT copies
the media must be 0xF8 (no other value is seen, it's an obsolete feature)
If you follow MS guidelines, the signature "FAT32" is meaningless but your filesystem should have it. Following the number of cluster, TestDisk determine the kind of FAT (number of cluster is more or equal to 65525 for a FAT32).

Some specific checks for FAT32 are done:

the root cluster number must be between 2 and the maximum cluster number,
some obsolete values (number of directory entries, 16-bit partition size) must be set to 0,
FAT32 version (unused) must be 0.0

To detect an NTFS partition, TestDisk searchs for an 0xAA55 endmark and the signature "NTFS", it also checks that some FAT specific values are all set to zero (0): The number of reserved sectors, number of FATs, number of directory entries, 16-bit size of filesystem, 32-bit size of filesystem, Sectors per FAT. The number of Sectors per Cluster must be greater than zero.

For FAT and NTFS filesystem, the size of the partition will be read in the bootsector itself.

TestDisk 6.2-WIP, Data Recovery Utility, November 2005
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63
Analyse cylinder   1011/14592: 00%


  FAT32                    0   1  1  1010 254 63   16241652 [NO NAME]













  Stop

Once the analysis is complete, TestDisk generates a report of found partitions.

TestDisk 6.2-WIP, Data Recovery Utility, November 2005
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63
     Partition               Start        End    Size in sectors
* FAT32                    0   1  1  1010 254 63   16241652 [NO NAME]
P Linux                 1011   0  1  1023 254 63     208845 [/boot]
D Linux                 1024   1  1  3573 254 63   40965687
D Linux RAID            1024   1  1  3573 254 63   40965687 [md0]
D Linux                 3574   1  1  4210 254 63   10233342
D Linux RAID            3574   1  1  4210 254 63   10233342 [md1]
L Linux                 4211   1  1 14592 254 63  166786767






Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use LEFT/RIGHT Arrow keys to CHANGE partition characteristics:
*=Primary bootable  P=Primary  L=Logical  E=Extended  D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
     ENTER: to continue
FAT32, 8315 MB / 7930 MiB

You can list files of NTFS, FAT, EXT2/EXT3 and ReiserFS partition by pressing P (FAT directory listing is limited to 5 clusters, some files may not appears).

TestDisk 6.2-WIP, Data Recovery Utility, November 2005
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

   * FAT32                    0   1  1  1010 254 63   16241652 [NO NAME]
Use right arrow to change directory, q to quit
Directory /

-rwxr-xr-x     0     0   805306368 20-Jul-2005 10:35 PAGEFILE.SYS
drwxr-xr-x     0     0         0 14-Feb-2005 22:41 WINDOWS
-r-xr-xr-x     0     0      4952 28-Aug-2001 15:00 Bootfont.bin
-r-xr-xr-x     0     0    251712  3-Aug-2004 22:59 NTLDR
-r-xr-xr-x     0     0     47564  3-Aug-2004 22:38 NTDETECT.COM
-rwxr-xr-x     0     0       212 14-Feb-2005 22:51 BOOT.INI
drwxr-xr-x     0     0         0 14-Feb-2005 22:47 Documents and Settings
dr-xr-xr-x     0     0         0 14-Feb-2005 22:55 Program Files
-rwxr-xr-x     0     0         0 14-Feb-2005 22:56 CONFIG.SYS
-rwxr-xr-x     0     0         0 14-Feb-2005 22:56 AUTOEXEC.BAT
-r-xr-xr-x     0     0         0 14-Feb-2005 22:56 IO.SYS
-r-xr-xr-x     0     0         0 14-Feb-2005 22:56 MSDOS.SYS
drwxr-xr-x     0     0         0 14-Feb-2005 23:02 System Volume Information
-rwxr-xr-x     0     0   536399872 20-Jul-2005 10:36 HIBERFIL.SYS

Using the list of found partitions, you can edit the partition table.

There are three kinds of edits:

You can change the partition type with T
You can add a new partition with A.
You can change the status of the selected partition using the left/right arrow key. The available statuses are Primary, * bootable, Logical, Deleted.

As you make edits, watch the status of the partition table's structure. It will be either "Ok" or "Bad".

Structure: Ok should appear if everything is ok, i.e., no primary partition between two extended partitions, only one or no bootable partitions, no partitions using the same disk space.

When you are satisfied with the edited partition table, press Enter. If you've made any edits, TestDisk gives you a choice of writing that data to the drive's Partition Table, or of running a more detailed analysis.

Quit

Quits (exits) from the TestDisk program without making any changes (unless you pressed the ENTER key while Write was 'highlighted').
Search!

The quick first scan may have miss some partitions. Search! will also search for FAT32 backup boot sector, NTFS backup boot superblock, EXT2/EXT3 backup superblock to detect more partitions, it will scan each cylinder.
Write

Writes the changes that have been made in TestDisk's memory buffer to the hard drive. If you are unsure of the changes (often to the MBR's Partition Table), then don't use this function!
Extd Part

If there is logical partition, this flag lets you decide if the extended partition will used all avaible disk space or only the required (minimal) space.

TestDisk 6.2-WIP, Data Recovery Utility, November 2005
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63

     Partition                  Start        End    Size in sectors
 1 * FAT32                    0   1  1  1010 254 63   16241652 [NO NAME]
 2 P Linux                 1011   0  1  1023 254 63     208845 [/boot]
 3 E extended LBA          1024   0  1 14592 254 63  217985985
 5 L Linux RAID            1024   1  1  3573 254 63   40965687 [md0]
 6 L Linux RAID            3574   1  1  4210 254 63   10233342 [md1]
 7 L Linux                 4211   1  1 14592 254 63  166786767









[  Quit  ]  [Search! ]  [ Write  ]

                       Return to main menu

Here TestDisk asks you to confirm the Write operation; so you have the final choice over what TestDisk will actually do.

TestDisk 6.2-WIP, Data Recovery Utility, November 2005
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Write partition table, confirm ? (Y/N)

Back to Running the TestDisk Program