I needed to watch the character count. 25,000 characters is the limit per post. If I smooth out the post with some transitions, I'll have to remove some existing content because of this size limitation.

There are many good resources currently available for computer forensics. I may consider writing another one, but that is a daunting prospect.

Hi,

Everyone wants something that is condensed. They don't want to dig to find the jewels. I like the post/thread as it is. One for the way queries leading to solutions plus the added facets which form a better cut.

Great post! Thanks for detailed descriptions.

Q: are my assumptions about restore the MBR correct??

To backup the MBR and the tables to a floppy:

# dd if=/dev/sda of=/dev/fd0 bs=512 count=1

I have a sata system and sda is my first HD.

To Restore:

# dd if=/dev/fd0 of=/dev/sda bs=512 count=1

This will restore the bootloader with the partition table as indicated in this thread before.

# dd if=/dev/fd0 of=/dev/sda bs=446 count=1

Is this correct? The intention is to restore the bootloader without the partition table from a backup that includes the partition table.

Great thread!!

-=terry=-

Hello, folks! I was trying to install Mac OSX; but en route there, I accidentally did the following to my lacie external hard drive with my pictures and data (was trying to boot from a USB stick):

sudo dd if=boot1h of=/dev/rdisk2s2

where rdisk2s2 was not what I intended; I intended rdisk3s1. Now that partition isn’t see on Windows nor Mac. On Windows, it prompts me to format it which I say no to each time. Is there anything that you think might work to get back this partition?

Thank You!

-=terry=-,

You've got it right.

The only change I'd make to your post is to put the code in [code]
blocks. If you decide to do that, you can edit the original rather than repost.

How large was this boot1h file?

If it is less than 32k, you may be able to reconstruct the partition table using Linux. I don't know if the equivalent can be done on a Mac. For Linux & Windows at least, the first partition probably starts on block 63.

First attach a loop device to the disk.
sudo /sbin/losetup -fs /dev/<devicenode> -o $((63*512))

It should respond with the loop device used. Let's say that is loop0.

Next look at the filesystem on the loop device:
sudo file -s /dev/loop0

If it indicates the filesystem, you know this is where the filesystem starts. Next determine the size of the filesystem. This can give us the size of the partition:
df -lu /dev/loop0

Now you can use fdisk to recreate the entries for the first partition.

Terry,
Bs=512 is the default for dd. If one is going to use bs=512 or bs=1b, the bs parameter may be omitted.

I'm not a stickler for details. Yes I am. But I'm not trying to get on your case or anything. The first 446 bytes of the the MBR is called the bootstrap code, not the bootloader code.

The bootloader is something different. I know the word bootloader can sometimes be seen in the MBR, but that's part of a message to be displayed in the case of no bootloader.

Other than that you're right on.

-Awesome

If the partition was visible to Windows and Mac before you messed with it, it's probably formatted as fat32. Depending on how large boot1h is, you essentially overwrote that much space.

It would help to know what boot1h is. Is it a boot sector image? Is it a partition image file? Is it a partition itself.

In any event, here's a page of partition recovery tools:

http://www.thefreecountry.com/utilit...recovery.shtml.

Thxs and Thxs!

-=terry=-

Thanks for that one .

Thanks Terry, I GOT IT to WORK!

Thanks for the recovery info helped a lot.

the manual is great

Thanks for an article that shows just how useful and powerful a command can be.