Data recovery classification: hard recovery and soft recovery. The so-called hard recovery is physical damage to the hard disk, such as disk bad sectors, circuit board chip burnout, abnormal disk sound, etc., so the ordinary users are not easy to take out the data, then we fix it, and at the same time Also retain the data inside or later restore the data inside, these are called data recovery, but these faults have easy and difficult points; the so-called soft recovery, that is, the hard disk itself has no physical damage, but due to human or virus damage The resulting data loss (such as misformatting, mispartitioning), then such data recovery is called soft recovery. Here, we mainly introduce soft recovery, because hard recovery also needs to buy some tools and equipment (such as pc3000, soldering iron, various chips, circuit boards), but also need to understand a little circuit foundation, all the things we talk about here. Knowledge, covering a wide range, deep level, has the principle of data structure, provides a basis for us to accurately recover data manually, and has various methods and techniques for data recovery software, which facilitates our rapid recovery of data, and all software are Download online and don't need us to invest a penny. The premise of data recovery: data can not be destroyed and covered twice! About digital and code system: I don't want to say more about conversion between binary, hexadecimal, and octal, because he doesn't help us with data recovery, and it's easy to stun us. If you are interested in learning more, you can go to Baidu to search for it. There is a lot of information in this area, so I don't need to say more. Data Recovery We mainly use hex editor: Winhex (data recovery preferred software) Let's first understand the data structure: The following is a data structure of the entire hard disk divided into three zones MBR C disk EBR D disk EBR E disk MBR That is, the master boot record is located on the 0 cylinder 0 track 1 sector of the entire hard disk, occupying a total of 63 sectors, but actually only uses 1 sector (512 bytes). In a total of 512 bytes of the master boot record, the MBR can be divided into three parts: the first part: the boot code, which takes up 446 bytes; the second part: the partition table, which occupies 64 bytes; the third part: 55AA , the end flag, takes up two bytes. Later we will talk about using winhex software to recover the wrong partition, mainly to restore the second part: partition table. The role of the boot code is to make the hard drive have a bootable function. If the boot code is lost and the partition table is still there, then the hard disk is still in the same partition as the slave disk, but the hard disk itself cannot be used to boot into the system. If you want to restore the boot code, you can use the command under DOS: FDISK /MBR; this command is only used to restore the boot code, will not cause partition changes, lost data. In addition, you can also use tool software, such as DISKGEN, WINHEX, etc. But if the partition table is lost, the consequence is that there is no partition in the whole hard disk, just as if you just bought a new hard disk without dividing the zone. It is an area that many viruses like to destroy. EBR, also known as Extended MBR. Because the master boot record MBR can only describe up to 4 partition items, if you want to divide more than 4 areas on a hard disk, you should use the extended MBR method. MBR and EBR are generated by partitioning. For example, MBR and EBR each occupy 63 sectors, C disk occupies 1435329 sectors … … then the data structure is as follows: 63 1435329 63 1435329 63 1253889 MBR C disk EBR D disk EBR E disk Extended partition and each partition It is also composed of DBR, FAT1, FAT2, DIR, DATA5: such as C disk data structure: C disk DBR FAT1 FAT2 DIR DATA Winhex Winhex is the most used tool software, is a hex editor running under Windows Software, this software is very powerful, has a complete partition management function and file management function, can automatically analyze the partition chain and file cluster chain, can be different ways of different ways of the hard disk Even entire hard disk clone; it is possible to edit any type of binary file contents (shown in hexadecimal) which can edit any disk editor disk sector physical or logical disk, manual data recovery tool of choice. First, you need to install Winhex. After the installation is complete, you can start winhex. The startup screen is as follows: The startup dialog box appears first. Here we have to operate on the disk, select "Open disk", and the "Edit Disk" dialog box appears: In this dialog box, we can choose to open a single partition, or open the entire hard disk, HD0 is I am currently using the Western Digital 40G system disk, HD1 is the hard disk we want to analyze, Maxtor 2G. Here we choose to open the HD1 hard disk, and then click OK. Then we will see the entire working interface of Winhex. At the top is the menu bar and toolbar. The largest window below is the workspace. Now you see the contents of the first sector of the hard disk, displayed in hexadecimal, and the corresponding ASCII code is displayed on the right. On the right is the detailed resource panel, which is divided into five sections: status, capacity, current location, window status, and clipboard status. These situations are very helpful in grasping the situation of the entire hard disk. In addition, right-click on it to swap the detailed resource panel with the window, or close the resource panel. (If you close the resource panel, you can open it by “View“Menu——“Show”Command——“Detailed Resource Panel”.) The bottom column is very useful auxiliary information, such as the current sector /total sector number … … etc. Pull down the scroll bar, you can see a gray bar, each bar is a sector, A sector has a total of 512 bytes, and each two digits is one byte, such as 00. Let's analyze MBR, because we said earlier that the first 446 bytes are boot code, which is meaningless to us. Here we only analyze 64 bytes in the partition table. The partition table is 64 bytes, and a total of four partition entries can be described. Each partition table entry can describe a primary partition or an extended partition (such as the above partition table, the first partition table entry describes the primary partition C disk, the first Two partition table entries describe the extended partition, and the third and fourth partition table entries are zero-filled. Each partition table entry has 16 bytes each. The meaning of each byte is as follows: (H indicates hexadecimal) Byte position Content and meaning 1st byte Boot mark. A value of 80H indicates an active partition; a value of 00H indicates an inactive partition. 2nd, 3rd, and 4th bytes The starting head number, sector number, and cylinder number of the partition. 5th byte. The partition type character: 00H—— indicates that the partition is not used. 06H——FAT16 basic partition 0BH—— FAT32 basic partition 05H—— extended partition 07H——NTFS partition 0FH——(LBA mode) extended partition 83H—— Linux partition 6,7,8 bytes End head number, sector number, column of this partition Face number No. 9, 10, 11, 12 bytes Number of sectors used before this partition No. 13, 14, 15, 16 bytes Total number of sectors of this partition