On many disks there is often a critical sector. On a Macintosh HFS disk it is often located at sector 0x40042, it starts with "H+" and points to the equally critical Catlog and Extents area of the disk. It is known as the Volume header. On a 'good' day there is a duplicate at the end of the disk.
A recent disk I received was missing both the 0x40042 sector and the one at the end of the disk and so recovery became a rather more manual process than normally happens. The disk was a 1TB drive containing over 900 GB of data, mainly music related. Various areas of the disk had failed and so I started with an incremental image.
The incremental image had a problem that when some sectors were attempted to be read, the drive failed in a way that only a power off and on reset would kick it back into life. This was tedious, but overall probably more than 98% of the disk was imaged.
The next problem was to reconstruct the parameters that sector 0x40042 would have provided. The area where the catalog is often found was searched, and a catalog could be found there, with a length of 0x2000 bytes (ie 16 sectors long). A Mac catalog entry starts with two pointers, pointing the entry before and after as a linked list chain. By looking for pointers that were different by the value of 2, it is a good guess that the one being looked at is the value in the middle. For example, pointers 0x12bb and 0x12bd were found which indicates that the actual catalog value is 0x12bc, and this was in sector 0x8ecf0. By subtracting 0x12bc0 sectors from 0x8ecf0 the location 0x7c130 was established as the catlog start location (in sectors).
By examining the disk, a few Volume header sectors were found, and these indicated that the catalog should start at cluster 0x781e. With a typical 8 sectors per cluster, this maps to offset 0x3c0c0. When this value is added to 0x40040 (the volume start location) we get to 0x7c130 and good assumption that the Volume header has senible values. The rather harder to determine extents map was then used from the dummy Volume header.
Once these values were entered by hand into the CnW Mac recovery option screen, data was recovered
No comments:
Post a Comment