Data recovery. Computers and laptop repairs.

Raiders of the lost partition


Why do partitions disappear?


A partition, also known as a logical drive, is at its simplest a logically separated area of a physical drive. Usually on a single physical drive we may have one or more partitions, some of which may have special significance. These may be partitions reserved for the operating system or the system recovery partitions popular in laptops. It is also possible that one partition will be on several physical media. This is the solution we most commonly encounter with RAID arrays. But why do partitions happen to chasm without news?
There can be many reasons for partitions going missing. Among the most common are user errors such as failed experiments with logical disk partitioning, accidentally formatting the wrong disk as needed, plugging an external drive into a TV. The second major group of causes of lost access to partitions are viruses and all kinds of malware. The third category of causes of lost partitions are those of a physical nature, which are worth paying more attention to.
Errors of a physical nature can be accidental - such as a sudden loss of mains power while writing data, but most often they are symptoms or harbingers of media failure. A common cause of write errors on hard disk drives is surface magnetisation errors caused by unstable power supply. This problem particularly affects drives in desktop computers where the drives are connected directly to the power supply. If the power supply operates unstably, provides voltages that fluctuate over a wide range or significantly deviate from the nominal voltage, it is only a matter of time before the drive connected to the power supply fails.
In the case of external, USB-connected drives, the disappearance of a partition, the appearance of a RAW partition or the operating system's suggestion to format the drive can spell a really serious problem. USB to SATA adapters often have their own BIOS, which allows the operating system to detect the drive under a name chosen by the enclosure manufacturer regardless of the actual model of the drive in the enclosure.
Such an adapter can also report in the system if the drive connected through it is faulty, or even if no drive is connected to it. This is when a partition access problem is most likely to occur. If the problem is physical in nature, attempts to scan the drive with data recovery software not only cannot be successful, but may also lead to degradation of the magnetic surface to an extent that makes it impossible to recover the information contained on the disk.
USB-SATA adapters sometimes also contain encryption keys. The loss of such an adapter may make it impossible to decrypt the data on the drive. It is important to remember that if an adapter has the ability to encrypt data, it will encrypt the data even if no password is set on the drive. And since adapters fail extremely rarely, if a hardware failure is suspected, do not start by replacing the adapter, but by diagnosing the drive by plugging it directly into the SATA interface.

Logical organisation of a disc - some theory


The first sector of the disk (LBA 0 - because sectors are numbered starting from 0) is the boot sector. Often this sector is also referred to as MBR - for Master Boot Record. This sector stores the partition table - information about the partitions stored on the drive. This does not necessarily have to be information about all partitions on the drive, and it does not always have to refer directly to each partition. A record in the partition table may, for example, refer to the GPT (GUID Partition Table) records in subsequent sectors or to an extended partition containing its own its own table of logical disks.
After reading the contents of the Master Boot Sector, the first sectors of the individual partitions are determined and read. These sectors have different names depending on the type of file system, e.g. Boot Sector for FAT and NTFS partitions, Volume Header for HFS partitions or Superblock for Ext, XFS, UFS or ReiserFS partitions. Based on the information contained in these sectors, the basic parameters of the partition are determined, such as the size of the clusters, and the location of other metadata such as File Allocation Table and directories in FAT partitions, MFT (Master File Table) records in NTFS partitions, or i-nodes (index nodes) in Ext partitions, etc.
Based on the metadata read, it is possible to determine the location and attributes of the files stored in a partition. If any of the metadata elements are corrupted, building a correct image of the logical structure of the disc by means of the operating system usually becomes impossible. Preventive measures, which usually consist of duplicating the most important metadata elements, usually prove to be ineffective. However, for a data recovery specialist, even fragments of damaged metadata can provide valuable information about the logical structure of a file system. Therefore, in situations of logical damage, disks should not be formatted. Even if this is suggested by the more primitive data recovery software or advised by amateurs on internet forums.
Automatic file system repair programs such as chkdsk or fsck should also not be trusted. It is essential to make a binary copy before running such a program, as such programs make uncontrolled writes directly to the disk and there will be no way to return to the initial state if the situation deteriorates.

Practice searching for lost partitions


Without MBR


If the contents of the Master Boot Sector are lost or corrupted, the operating system cannot find the partitions on the drive. Typically, the drive will show up in Device Manager and Disk Management as empty and uninitialised. In this case, it is a good idea to start the search for partitions from the sectors where they usually begin - e.g. LBA 63, LBA 2048. You can also check successive powers of two - LBA 128, LBA 256, LBA 512 ....
By checking the first sectors after the MBR, GPT arrays can often be found. Since it is not possible to address disks larger than 2 TB using the MBR partition table, it is almost certain that the largest disks use GPT. Further down the line, it is worth checking the areas towards the end of the drive. There you can discover e.g. NTFS Boot-Sector copy.
Based on the metadata found in this way, it is often possible to determine the size and location of at least some partitions. Subsequently, the search can be repeated in a similar way for the remaining "free" disk space by finding further metadata. This is how data recovery software performs a quick scan. If the damage to logical structures is limited to the MBR sector only, this procedure is sufficient to recover all partitions on the disc.
This method is based on the fact that metadata (including copies) are usually placed at the beginning or end of the disc and individual partitions, and on the assumption that partitions are usually created one by one, with no gaps and occupy practically the entire disc space. Using this approach, recovery time can be reduced and the focus can be on searching the potentially most important and promising parts of the drive right away. In addition, for unstable or damaged drives, scanning relatively small areas reduces the load on the drive and increases the chances of copying the most important data before it definitively refuses to cooperate.

You Need to Format the Disk in Drive Before You Can Use It


This is the message the user often sees instead of their data. This message indicates that, although the partition probably exists, its metadata is corrupted in a way that makes it impossible to access the information on it. A request to format the drive may occur e. g. if the boot sector of a partition is damaged or lost. In such a situation, you can find the copy and, if it is also damaged, try to recreate the partition parameters manually using fragments from both copies.
If both copies are lost or damaged to such an extent that it is not possible to recreate the partition parameters, you can determine these parameters using fragments of logical structures found, such as FAT tables, directories, MFT records, etc. Of course, if there is important data on such a partition, it should under no circumstances be formatted.
Formatting a partition involves the creation of new logical structures, which will overwrite the old ones and seriously impede further data recovery. Even if formatting does not destroy the files themselves, it will make even a piecemeal reconstruction of the logical structure difficult and may result in the loss of names and other file attributes.

So can there be life after formatting?


Quick formatting of a disc involves creating and writing new metadata to the disc corresponding to the specified type and parameters of the new partition. In practice, this is usually equivalent to irrevocably destroying by overwriting the information of the old partition located there, but it does not overwrite all the partitions located on the on it files on it.
In such cases, you can try to find the files by their signatures. Each type of file contains distinctive structures that allow it to be identified on the disk surface even when information about its name, location and other attributes has been lost. Most data recovery software includes a database of predefined signatures for the most popular files. A specialised image recovery programme often differs from a general-purpose data recovery programme in that it contains a poorer signature database, allowing only the recovery of image files. Professional programmes allow you to add signatures yourself, developed on the basis of an analysis of the files of a given type.
The result of signature recovery (RAW recovery) can be not only files, but also fragments of logical structures, FAT directories, MFT records, inodes, etc. Finding fragments of old metadata allows at least partial reconstruction of the logical structure of the previous partition. If the newly created partition has not been used, in many cases enough metadata of the old partition can be found to reconstruct the logical structure almost 100 %, but each write overwrites and irretrievably loses further fragments of the previous content. Therefore, if a drive is formatted by mistake, nothing should be written to it. Otherwise, what remains is to manually browse through the often thousands of files with names automatically assigned by the data recovery software (usually the sector number of the LBA in which this file begins) sorted only by their extension. In addition, without any guarantee that the ones that are really important can be recovered at all.
Much more serious consequences of formatting partitions may occur in the case of hard drives using SMR technology and SSD drives. Most of them (significant enough that it is safest to assume that all of them) support the TRIM function. This feature allows the operating system to inform the disk controller about free areas in logical structures. Thanks to this information, the disk does not have to physically store the contents of these sectors, and in response to the command to retrieve them, it can return only zeros. Following such information, the data is also physically destroyed very quickly, making their recovery impossible even in laboratory conditions. Therefore, regardless of operating system messages and stupid advice on Internet forums, never format partitions where you have important data, and before attempting to recover data, disable the TRIM function in the operating system.