path: root/doc/menu_analyse.html
Diffstat (limited to 'doc/menu_analyse.html')
-rw-r--r-- doc/menu_analyse.html 354
1 files changed, 0 insertions, 354 deletions
diff --git a/doc/menu_analyse.html b/doc/menu_analyse.html
deleted file mode 100644
index 10ce703..0000000
--- a/doc/menu_analyse.html
+++ /dev/null
@@ -1,354 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
- <meta name="keywords" content="Menu Analyse,Running TestDisk" />
-<link rel="shortcut icon" href="favicon.ico" />
-<link rel="search" type="application/opensearchdescription+xml" href="opensearch_desc.php" title="CGSecurity (English)" />
-
-<link rel="copyright" href="http://www.gnu.org/copyleft/fdl.html" />
- <title>Menu Analyse - CGSecurity</title>
- <style type="text/css" media="screen,projection">/*<![CDATA[*/ @import "main.css"; /*]]>*/</style>
- <link rel="stylesheet" type="text/css" media="print" href="commonprint.css" />
- <!--[if lt IE 5.5000]><style type="text/css">@import "ie50fixes.css";</style><![endif]-->
- <!--[if IE 5.5000]><style type="text/css">@import "ie55fixes.css";</style><![endif]-->
- <!--[if IE 6]><style type="text/css">@import "ie60fixes.css";</style><![endif]-->
- <!--[if IE 7]><style type="text/css">@import "ie70fixes.css";</style><![endif]-->
- <!--[if lt IE 7]><script type="text/javascript" src="iefixes.js"></script>
- <meta http-equiv="imagetoolbar" content="no" /><![endif]-->
-
- <script type= "text/javascript">
- var skin = "monobook";
- var stylepath = "/mw/skins";
-
- var wgArticlePath = "/wiki/$1";
- var wgScriptPath = "/mw";
- var wgServer = "http://www.cgsecurity.org";
-
- var wgCanonicalNamespace = "";
- var wgNamespaceNumber = 0;
- var wgPageName = "Menu_Analyse";
- var wgTitle = "Menu Analyse";
- var wgArticleId = 1298;
- var wgIsArticle = true;
-
- var wgUserName = null;
- var wgUserLanguage = "en";
- var wgContentLanguage = "en";
- </script>
-
- <script type="text/javascript" src="wikibits.js"><!-- wikibits js --></script>
- <script type="text/javascript" src="dyn.js"><!-- site js --></script>
- <style type="text/css">/*<![CDATA[*/
-@import "http://www.cgsecurity.org/mw/index.php?title=MediaWiki:Common.css&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000";
-@import "http://www.cgsecurity.org/mw/index.php?title=MediaWiki:Monobook.css&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000";
-@import "dyn.css";
-/*]]>*/</style>
- <!-- Head Scripts -->
- </head>
-<body class="mediawiki ns-0 ltr">
- <div id="globalWrapper">
- <div id="column-content">
- <div id="content">
- <a name="top" id="top"></a>
- <h1 class="firstHeading">Menu Analyse</h1>
- <div id="bodyContent">
- <h3 id="siteSub">From CGSecurity</h3>
- <div id="contentSub"></div>
- <div id="jump-to-nav">Jump to: <a href="#column-one">navigation</a>, <a href="#searchInput">search</a></div> <!-- start content -->
- <p>TestDisk queries the BIOS or the OS in order to find the Hard Disks and their characteristics ( LBA size and CHS geometry). TestDisk does a quick check of your disk's structure and compares it with your Partition Table for entry errors. If the Partition Table has entry errors, TestDisk can repair them. If you have missing partitions or a completely empty Partition Table, TestDisk can search for partitions and create a new Table or even a new MBR if necessary.
-</p><p>However, it's up to the user to look over the list of possible partitions found by TestDisk and to select the one(s) which were being used just before the drive failed to boot or the partition(s) were lost. In some cases, especially after initiating a detailed search for lost partitions, TestDisk may show partition data which is simply from the remnants of a partition that had been deleted and overwritten long ago.
-</p>
-<table id="toc" class="toc" summary="Contents"><tr><td><div id="toctitle"><h2>Contents</h2></div>
-<ul>
-<li class="toclevel-1"><a href="#Analyse"><span class="tocnumber">1</span> <span class="toctext">Analyse</span></a></li>
-<li class="toclevel-1"><a href="#Partition_checks"><span class="tocnumber">2</span> <span class="toctext">Partition checks</span></a></li>
-<li class="toclevel-1"><a href="#Filesystem_checks"><span class="tocnumber">3</span> <span class="toctext">Filesystem checks</span></a></li>
-<li class="toclevel-1"><a href="#Partition_recovery"><span class="tocnumber">4</span> <span class="toctext">Partition recovery</span></a></li>
-</ul>
-</td></tr></table><script type="text/javascript"> if (window.showTocToggle) { var tocShowText = "show"; var tocHideText = "hide"; showTocToggle(); } </script>
-<a name="Analyse"></a><h3> <b>Analyse</b></h3>
-<pre>
-TestDisk 6.5-WIP, Data Recovery Utility, October 2006
-Christophe GRENIER &lt;grenier@cgsecurity.org&gt;
-http://www.cgsecurity.org
-
-Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63
-Current partition structure:
- Partition Start End Size in sectors
- 1 * FAT32 0 1 1 1010 254 63 16241652 [NO NAME]
- 2 P Linux 1011 0 1 1023 254 63 208845 [/boot]
- 3 E extended LBA 1024 0 1 14592 254 63 217985985
- 5 L Linux RAID 1024 1 1 3573 254 63 40965687 [md0]
- X extended 3574 0 1 4210 254 63 10233405
- 6 L Linux RAID 3574 1 1 4210 254 63 10233342 [md1]
- X extended 4211 0 1 14592 254 63 166786830
- 7 L Linux 4211 1 1 14592 254 63 166786767
-
-
-
-
-
-
-*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
-[Proceed ] [ Backup ]
-
- Try to locate partition
-</pre>
-<p>Analyzes a drive's current partition structure and seeks partitions, making it possible to recover lost partitions.
-</p>
-<a name="Partition_checks"></a><h2> Partition checks</h2>
-<p>TestDisk's Analyse does a quick check of the partition structure. TestDisk can handle several type of partitions:
-- Intel
-- Mac
-- None (ie: small media without partition)
-- Sun
-- XBox
-</p><p>Intel partition structure is composed of the MBR table and extended partitions. The MBR is limited to four entries. One of the entries can be an extended partition allowing several logical partitions. Each logical partition is contained by an extended partition/container. The MBR and each extended partition must end with the two bytes 0x55 and 0xAA, in that order; which make up the Hex Word 0xAA55 (since x86 CPU systems are 'little-endian').
-A partition entry is composed of:
-- start of partition in CHS
-- end of partition in CHS
-- filesystem type
-- logical start
-- size in sectors
-- boot flag
-Only one primary partition can have the boot flag set.
-CHS information storage is limited to a maximum of 1024 cylinders
-(0-1023), that's why we have the famous 8 GB limitation (1024*255*63 = 16450560 sectors = 8422686720 bytes).
-</p><p>Modern operating systems and BIOS chips use LBA mode to access the data, but FAT12/16/32 boot sectors still make reference to CHS geometry. TestDisk checks that each value is in the authorized range: i.e., no sector value less than 1 nor higher than the number of sectors per head. The partition entries are read using logical start and size in sectors, then TestDisk checks if the logical values match the CHS values. TestDisk also checks that no partition data shows a partition as ending after the end of the disk, and that none of them are overlapping each other.
-</p><p>Sun label can have up to 8 partition entries. Entrie number 2 is reserved for the whole disk.
-</p><p><br />
-</p>
-<a name="Filesystem_checks"></a><h2> Filesystem checks</h2>
-<p>Following the filesystem type, TestDisk runs some basic checks on the boot sector/superblock of each filesystem. As ext2/ext3/reiserfs/jfs share the same filesystem type: 0x83, TestDisk has to check for each filesystem. The checks are the same as those used when TestDisk is searching for partitions:
-- presence of magic value or signature (i.e., 0xAA55 at offset 0x1FE of either FAT or NTFS boot sectors).
-- coherent values (i.e., free_blocks_count lower than blocks_count for ext2)
-This phase is very quick as the checks are minimal.
-</p>
-<a name="Partition_recovery"></a><h2> Partition recovery</h2>
-<p>In a second step, TestDisk searches for 'lost partitions' without making use of any results from the previous step. This is the heart of TestDisk's powerful capabilities!
-TestDisk assumes the existence of partitions and scans all
-relevant drive cylinders for them. A primary partition starts at the beginning of a cylinder (head=0, sector=1), while a logical partition starts a little further along (head=1, sector=1). For each possible partition starting location, TestDisk can search for the presence of a filesystem header (FAT or NTFS boot sector, EXT2/EXT3 superblock, BSD disklabel...), which confirms the presence of a known partition type. Thus, the size of a partition
-is determined directly from its structure on the disk. Each partition that TestDisk discovers is added to a list of found partitions.
-</p><p>To detect a FAT32 partition, TestDisk searches for a 0xAA55 endmark
-and the signature <code>FAT32</code>, it also runs the corresponding FAT filesystem checks:
-- jump signature must be of the form <code>0x<b>eb</b> 0xXX 0x<b>90</b></code> or<br /><code>0x<b>e9</b> 0xXX 0xXX</code><br />
-where <code>0xXX</code> could be any byte, and...<br />
-</p>
-<pre> 0x<b>eb</b>: A Short Jump, displacement relative to next instruction (only 8 bit).<br />
- 0x<b>90</b>: NOP (do nothing).<br />
- 0x<b>e9</b>: A Near Jump, displacement relative to next instruction (32 or 16 bit).
-</pre>
-<p>- sector size is 512
-- cluster size must be 1, 2, 4, 8, 16, 32, 64 or 128
-- there must be 2 FAT copies
-- the media must be 0xF8 (no other value is seen, it's an obsolete feature)
-- If you follow MS guidelines, the signature <code>FAT32</code> is meaningless but your filesystem should have it.
-</p>
-<pre> Following the number of cluster, TestDisk determine the kind of FAT (number of cluster is more or equal to 65525 for a FAT32).
-</pre>
-<p>Some specific checks for FAT32 are done:
-- the root cluster number must be between 2 and the maximum cluster number,
-- some obsolete values (number of directory entries, 16-bit partition size) must be set to 0,
-- FAT32 version (unused) must be 0.0
-</p><p>To detect an NTFS partition, TestDisk searches for an 0xAA55 endmark and the signature <code>NTFS</code>, it also checks that some FAT specific values are all set to zero (0): The number of reserved sectors, number of FATs, number of directory entries, 16-bit size of filesystem, 32-bit size of filesystem, Sectors per FAT.
-The number of Sectors per Cluster must be greater than zero.
-</p><p>For FAT and NTFS filesystem, the size of the partition will be read
-in the bootsector itself.
-</p>
-<pre>
-TestDisk 6.5-WIP, Data Recovery Utility, October 2006
-Christophe GRENIER &lt;grenier@cgsecurity.org&gt;
-http://www.cgsecurity.org
-
-Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63
-Analyse cylinder 1011/14592: 00%
-
-
- FAT32 0 1 1 1010 254 63 16241652 [NO NAME]
-
-
-
-
-
-
-
-
-
-
-
-
-
- Stop
-</pre>
-<p>Once the analysis is complete, TestDisk generates a report of found partitions.
-</p>
-<pre>
-TestDisk 6.5-WIP, Data Recovery Utility, November 2006
-Christophe GRENIER &lt;grenier@cgsecurity.org&gt;
-http://www.cgsecurity.org
-
-Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63
- Partition Start End Size in sectors
-* FAT32 0 1 1 1010 254 63 16241652 [NO NAME]
-P Linux 1011 0 1 1023 254 63 208845 [/boot]
-D Linux 1024 1 1 3573 254 63 40965687
-D Linux RAID 1024 1 1 3573 254 63 40965687 [md0]
-D Linux 3574 1 1 4210 254 63 10233342
-D Linux RAID 3574 1 1 4210 254 63 10233342 [md1]
-L Linux 4211 1 1 14592 254 63 166786767
-
-
-
-
-
-
-Structure: Ok. Use Up/Down Arrow keys to select partition.
-Use LEFT/RIGHT Arrow keys to CHANGE partition characteristics:
-*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
-Keys A: add partition, L: load backup, T: change type, P: list files,
- ENTER: to continue
-FAT32, 8315 MB / 7930 MiB
-</pre>
-<p>You can list files of NTFS, FAT, EXT2/EXT3 and ReiserFS partition by pressing <b>P</b>.<br />
-Notes:
-</p>
-<ul><li> FAT directory listing is limited to 10 clusters, some files may not appears but it doesn't affect recovery.
-</li><li> For NTFS, it's possible to copy files by pressing *<b>c</b>*.
-</li></ul>
-<pre>
-TestDisk 6.5-WIP, Data Recovery Utility, October 2006
-Christophe GRENIER &lt;grenier@cgsecurity.org&gt;
-http://www.cgsecurity.org
-
- * FAT32 0 1 1 1010 254 63 16241652 [NO NAME]
-Use right arrow to change directory, q to quit
-Directory /
-
--rwxr-xr-x 0 0 805306368 20-Jul-2005 10:35 PAGEFILE.SYS
-drwxr-xr-x 0 0 0 14-Feb-2005 22:41 WINDOWS
--r-xr-xr-x 0 0 4952 28-Aug-2001 15:00 Bootfont.bin
--r-xr-xr-x 0 0 251712 3-Aug-2004 22:59 NTLDR
--r-xr-xr-x 0 0 47564 3-Aug-2004 22:38 NTDETECT.COM
--rwxr-xr-x 0 0 212 14-Feb-2005 22:51 BOOT.INI
-drwxr-xr-x 0 0 0 14-Feb-2005 22:47 Documents and Settings
-dr-xr-xr-x 0 0 0 14-Feb-2005 22:55 Program Files
--rwxr-xr-x 0 0 0 14-Feb-2005 22:56 CONFIG.SYS
--rwxr-xr-x 0 0 0 14-Feb-2005 22:56 AUTOEXEC.BAT
--r-xr-xr-x 0 0 0 14-Feb-2005 22:56 IO.SYS
--r-xr-xr-x 0 0 0 14-Feb-2005 22:56 MSDOS.SYS
-drwxr-xr-x 0 0 0 14-Feb-2005 23:02 System Volume Information
--rwxr-xr-x 0 0 536399872 20-Jul-2005 10:36 HIBERFIL.SYS
-
-
-
-
-
-</pre>
-<p>Using the list of found partitions, you can edit the partition table.
-</p><p>There are three kinds of edits:
-</p>
-<ol><li> You can change the partition type with *<b>T</b>*
-</li><li> You can add a new partition with *<b>A</b>*.
-</li><li> You can change the status of the selected partition using the left/right arrow key. The available statuses are <b>P</b>rimary, <b>*</b> bootable, <b>L</b>ogical, <b>D</b>eleted.
-</li></ol>
-<p>As you make edits, watch the status of the partition table's structure. It will be either <code>Ok</code> or <code>Bad</code>.
-</p><p><b>Structure: Ok</b> should appear if everything is ok, i.e., no primary partition between two extended partitions, only one or no bootable partitions, no partitions using the same disk space.
-</p><p>When you are satisfied with the edited partition table, press Enter. If you've made any edits, TestDisk gives you a choice of writing that data to the drive's Partition Table, or of running a more detailed analysis.
-</p>
-<ul><li><b>Quit</b>
-</li></ul>
-<p>Quits (exits) from the TestDisk program without making any changes (unless you pressed the ENTER key while <b>Write</b> was 'highlighted').
-</p><p><br />
-</p>
-<ul><li><b>Search!</b>
-</li></ul>
-<p>The quick first scan may have miss some partitions. Search! will also search for FAT32 backup boot sector, NTFS backup boot superblock, EXT2/EXT3 backup superblock to detect more partitions, it will scan each cylinder.
-</p><p><br />
-</p>
-<ul><li><b>Write</b>
-</li></ul>
-<p>Writes the changes that have been made in TestDisk's memory buffer to the hard drive. If you are unsure of the changes (often to the MBR's Partition Table), then don't use this function!
-</p>
-<ul><li><b>Extd Part</b>
-</li></ul>
-<p>If there is logical partition, this flag lets you decide if the extended partition will used all available disk space or only the required (minimal) space.
-</p>
-<pre>
-TestDisk 6.5-WIP, Data Recovery Utility, October 2006
-Christophe GRENIER &lt;grenier@cgsecurity.org&gt;
-http://www.cgsecurity.org
-
-Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63
-
- Partition Start End Size in sectors
- 1 * FAT32 0 1 1 1010 254 63 16241652 [NO NAME]
- 2 P Linux 1011 0 1 1023 254 63 208845 [/boot]
- 3 E extended LBA 1024 0 1 14592 254 63 217985985
- 5 L Linux RAID 1024 1 1 3573 254 63 40965687 [md0]
- 6 L Linux RAID 3574 1 1 4210 254 63 10233342 [md1]
- 7 L Linux 4211 1 1 14592 254 63 166786767
-
-
-
-
-
-
-
-
-
-[ Quit ] [Search! ] [ Write ]
-
- Return to main menu
-</pre>
-<p>Here TestDisk asks you to confirm the Write operation; so you have the final choice over what TestDisk will actually do.
-</p>
-<pre>
-TestDisk 6.5-WIP, Data Recovery Utility, October 2006
-Christophe GRENIER &lt;grenier@cgsecurity.org&gt;
-http://www.cgsecurity.org
-
-Write partition table, confirm&nbsp;? (Y/N)
-
-
-
-</pre>
-<p>Back to <a href="running_testdisk.html" title="Running TestDisk">Running the TestDisk Program </a>
-</p>
-<!-- Saved in parser cache with key cg_mw-mw_:pcache:idhash:1298-0!1!0!!en!2 and timestamp 20070522155740 -->
- <div id="catlinks"><p class='catlinks'><a href="http://www.cgsecurity.org/mw/index.php?title=Special:Categories&amp;article=Menu_Analyse" title="Special:Categories">Category</a>: <span dir='ltr'><a href="http://www.cgsecurity.org/wiki/Category:Data_Recovery" title="Category:Data Recovery">Data Recovery</a></span></p></div> <!-- end content -->
- <div class="visualClear"></div>
- </div>
- </div>
- </div>
- <div id="column-one">
-
- <div class="portlet" id="p-logo">
- <a style="background-image: url(logo.png);" href="http://www.cgsecurity.org/" title="Main Page"></a>
- </div>
- <script type="text/javascript"> if (window.isMSIE55) fixalpha(); </script>
- <div class='portlet' id='p-DataRecovery'>
- <h5>Data Recovery</h5>
- <div class='pBody'>
- <ul>
- <li id="n-TestDisk"><a href="testdisk.html">TestDisk</a></li>
- <li id="n-PhotoRec"><a href="photorec.html">PhotoRec</a></li>
- <li id="n-Download"><a href="testdisk_download.html">download</a></li>
- </ul>
- </div>
- </div>
- </div><!-- end of the left (by default at least) column -->
- <div class="visualClear"></div>
- <div id="footer">
- <div id="f-copyrightico"><a href="http://www.gnu.org/copyleft/fdl.html"><img src="gnu_fdl.png" alt='GNU Free Documentation License 1.2' /></a></div>
- <ul id="f-list">
- <li id="lastmod"> This page was last modified 21:06, 9 May 2007.</li>
- <li id="copyright">Content is available under <a href="http://www.gnu.org/copyleft/fdl.html" class="external " title="http://www.gnu.org/copyleft/fdl.html" rel="nofollow">GNU Free Documentation License 1.2</a>.</li>
- </ul>
- </div>
-
-
- <script type="text/javascript">if (window.runOnloadHook) runOnloadHook();</script>
-</div>
-</body><!-- Cached 20070522163235 -->
-</html>
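Review bot: Inbound references to the removed file are not covered by what is shown. The page's closing link, `Back to <a href="running_testdisk.html" title="Running TestDisk">`, together with the "Running TestDisk" keyword in its meta tags, suggests running_testdisk.html links to this page, and the diffstat here is limited to doc/menu_analyse.html. Please confirm that running_testdisk.html and any file list that ships doc/*.html no longer reference menu_analyse.html, so the removal does not leave a dead link or a missing-file install error. The deleted content is a static snapshot of the wiki article (wgServer "http://www.cgsecurity.org", wgPageName "Menu_Analyse", parser cache timestamp 20070522155740). If the intent is to point readers at the online copy instead, the commit message should say so, since this file holds the written description of the FAT32 and NTFS detection checks and the "Structure: Ok" conditions.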