July 11th 2000

Added the /MBRSIG switch to allow searching for the partition table signature 0x55aa in the last two bytes of each sector of the disk. Mutually exclusive with /STRING. May help people who've had their partition tables blown away by something from Redmond...

This option lists all sectors that have 0x55aa in their last two bytes. This is the signature of a partition table, so any sector that has it could be a partition table and mark where a partition used to start. By convention partitions start on whole cylinder boundaries, so look for sectors listed on head 0, sector 1, e.g. c:h:s 65:0:1. Logical drives will have two of them one after another, on c:h:s x:0:1 and x:1:1. Ignore any sectors listed that aren't on x:0:1.

How you use it.

SEARCHRAW /STRING:string | /MBRSIG [/DISK:n /STARTCYL:s /ENDCYL:e /DUMP]
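The /MBRSIG scan described above, written out as an added example (this is not SEARCHRAW's own code): it walks a raw disk image one 512-byte sector at a time, reports every sector ending in the 55 AA signature as c:h:s, and then applies the README's rule of thumb that only hits at head 0, sector 1 are plausible partition tables. The disk geometry (4 heads, 8 sectors per track) and the image contents are constructed for the demo; a real drive of that era would report 255 heads and 63 sectors per track, which the conversion functions take as parameters.

```python
# Added example, not part of SEARCHRAW: find 55 AA signature sectors in a raw
# disk image and express them as cylinder:head:sector.
SECTOR = 512
HEADS = 4              # constructed geometry for the demo (real drives: 255)
SECTORS_PER_TRACK = 8  # constructed geometry for the demo (real drives: 63)


def lba_to_chs(lba, heads=HEADS, spt=SECTORS_PER_TRACK):
    """Convert a 0-based sector number to the c:h:s triple SEARCHRAW prints
    (cylinder and head are 0-based, sector number is 1-based)."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec0 = divmod(rem, spt)
    return cyl, head, sec0 + 1


def chs_to_lba(cyl, head, sec, heads=HEADS, spt=SECTORS_PER_TRACK):
    """Inverse of lba_to_chs."""
    return (cyl * heads + head) * spt + (sec - 1)


def find_mbr_signatures(image, heads=HEADS, spt=SECTORS_PER_TRACK):
    """Return every sector whose last two bytes are 55 AA, as
    (lba, (c, h, s)) tuples in disk order."""
    hits = []
    for lba in range(len(image) // SECTOR):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sector[-2:] == b"\x55\xaa":
            hits.append((lba, lba_to_chs(lba, heads, spt)))
    return hits


def likely_partition_tables(hits):
    """Keep only hits on a cylinder boundary (head 0, sector 1), which is
    where MBRs and extended boot records live by convention; a boot sector
    or random data that happens to end in 55 AA is filtered out."""
    return [(lba, chs) for lba, chs in hits if chs[1] == 0 and chs[2] == 1]


def build_demo_image(cylinders=8):
    """Constructed image: signature at 0:0:1 (the MBR), at 3:0:1 and 3:1:1
    (an extended boot record followed by a logical drive's boot sector),
    and one stray 55 AA at 5:2:4 that is not on a cylinder boundary."""
    image = bytearray(cylinders * HEADS * SECTORS_PER_TRACK * SECTOR)
    for chs in [(0, 0, 1), (3, 0, 1), (3, 1, 1), (5, 2, 4)]:
        off = chs_to_lba(*chs) * SECTOR
        image[off + SECTOR - 2:off + SECTOR] = b"\x55\xaa"
    return bytes(image)


if __name__ == "__main__":
    hits = find_mbr_signatures(build_demo_image())
    for lba, (c, h, s) in hits:
        print("Info: 0x55aa at c:h:s %d:%d:%d (sector %d)" % (c, h, s, lba))
    print("Likely partition tables:",
          [chs for _, chs in likely_partition_tables(hits)])
```

Against a real image, pass the drive's reported geometry to `find_mbr_signatures`; the c:h:s values only match what the BIOS and SEARCHRAW print when heads and sectors-per-track agree with the drive.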

November 30th 1998

This is a quick'n'dirty program that I knocked together the last time my Windows NT system decided to nuke itself! NT has a boot loader that looks for a boot.ini file on its boot partition that contains lines designating which disk and partition it is to boot from. For some unknown reason, about every two months on my system, NT decides at random to count the partitions differently and then refuses to boot up with the dreaded "missing ntoskrnl.exe" error message. There are several solutions to this - one is to pre-prepare your boot.ini file to contain the entire list of all disks and partitions it's ever likely to use :-(, two is to boot up off the install diskettes and either do a repair or a new install into a temporary directory. Either way lets you boot up and edit the file so it's got the correct disk(x)partition(y) in it. On my system, with four physical disks and partitions ranging up to drive letter J: and with two C: drives, option one isn't really a solution since I'd end up with a boot.ini menu about two screens long to cater for them all. Option two doesn't work either since NT has another bug that means it sees my two 2940UW controllers the wrong way around - it sees the one with the boot disk on it as #2, so the "repair" picks up my J HPFS drive and "repairs" it with an NTFS control block format! It also won't let me install because of this either. To save ripping the system apart and removing one of the 2940UW controllers....

Well, the result is this program. It searches through the raw disk for character strings and reports the cylinder/head/sector at which it finds them. It can optionally create files in the current directory called S0000000n.SEC containing the 512 byte sector which contained the specified string (where 0000000n is an incrementing number for each sector found). If you know where your NT partition starts and ends (PowerQuest's PARTINFO.EXE will tell you this, downloadable from http://www.powerquest.com) then you can use this program to search your NT partition from end to end to locate copies of the boot.ini file. There's likely to be more than one of them, so make sure you find the right one. Now you need a disk editor to patch the right information into the file - I use Graham Utilities for OS/2 which includes a DISKEDIT program. Given this lot, you can hack your boot.ini file so that NT boots again (until the next time this pile of $h!t decides to bollix itself up again).

How you use it.

SEARCHRAW /STRING:string [/DISK:n /STARTCYL:s /ENDCYL:e /DUMP]

Everything in capital letters is a keyword and is required exactly as shown. The lower case stuff is variable.

"string" is the character string you want to search for - the search is case insensitive, so "AbC" will find ABC and abc and aBc. There is no default value for this parameter - it must be specified or you get an error message. The "string" must be enclosed in quotes if it includes any special characters like blanks, etc.

/DISK:n specifies the disk number to search. This is the physical disk, not the partition - this program deals with disks, not partitions. Disk numbers start at 1 for the first physical disk in the system and work upwards ;-). The default for this parameter if it isn't specified is 1.

/STARTCYL:s specifies the physical cylinder on the disk that marks the beginning of the search area. Cylinder numbering starts at 0 and this is the default.

/ENDCYL:e specifies the physical cylinder on the disk that marks the end of the search area. If a disk has 1106 cylinders then the highest this number can be is 1105 (0 to 1105 is 1106 cylinders). The default for this parameter is the last cylinder on the disk. The end cylinder must be greater than or equal to the start cylinder.

/DUMP tells the program to create a series of 512 byte files called S00000001.SEC through Snnnnnnnn.SEC, one for each disk sector that it finds containing the character string you gave it. BEWARE of using this parameter if the physical disk you are searching contains the current directory of the program - it will LOOP once it starts finding the files it has just created itself and fill up your entire disk. Care MUST be exercised here. The data recovered using this method will probably contain random padding at the end of the last sector - how many of your files are an exact multiple of 512 bytes in size?

If you specify neither /STARTCYL nor /ENDCYL then the entire disk will be searched from end to end. This _will_ take some time! If you make a mistake then you can Ctrl-Break out of it and it'll just stop.
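The /STRING search with /STARTCYL, /ENDCYL and /DUMP, as an added example (not SEARCHRAW's own code): a case-insensitive, sector-by-sector search over a raw disk image limited to a cylinder range, reporting each matching sector as c:h:s with a per-sector hit count in the style of the "Found ... 4 times" lines below, and optionally writing each matching sector to S00000001.SEC, S00000002.SEC, and so on. The geometry (2 heads, 4 sectors per track), the boot.ini-like sector contents and the search strings are constructed for the demo. Like the original, it matches within a single 512-byte sector, so a string straddling two sectors is not found, and the dump files carry whatever bytes follow the match in that sector.

```python
# Added example, not part of SEARCHRAW: cylinder-range string search over a
# raw disk image with optional per-sector dump files.
import os
import tempfile

SECTOR = 512
HEADS = 2              # constructed geometry for the demo (real drives: 255)
SECTORS_PER_TRACK = 4  # constructed geometry for the demo (real drives: 63)


def lba_to_chs(lba, heads=HEADS, spt=SECTORS_PER_TRACK):
    """0-based sector number -> (cylinder, head, 1-based sector)."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec0 = divmod(rem, spt)
    return cyl, head, sec0 + 1


def search_raw(image, needle, startcyl=0, endcyl=None,
               heads=HEADS, spt=SECTORS_PER_TRACK, dump_dir=None):
    """Search cylinders startcyl..endcyl (inclusive) for `needle`, ignoring
    case, one sector at a time.  Returns (hits, dumped) where hits is a list
    of ((c, h, s), count) and dumped lists the S%08d.SEC files written when
    dump_dir is given.  Write dumps somewhere that is NOT on the disk being
    searched, or the search will start finding its own dump files."""
    sectors_per_cyl = heads * spt
    total_cyls = len(image) // (sectors_per_cyl * SECTOR)
    if endcyl is None:
        endcyl = total_cyls - 1          # default: last cylinder on the disk
    if not 0 <= startcyl <= endcyl < total_cyls:
        raise ValueError("cylinder range %d..%d outside 0..%d"
                         % (startcyl, endcyl, total_cyls - 1))
    key = needle.lower().encode("latin-1")
    hits, dumped = [], []
    for lba in range(startcyl * sectors_per_cyl,
                     (endcyl + 1) * sectors_per_cyl):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        count = sector.lower().count(key)   # case-insensitive, within sector
        if count:
            hits.append((lba_to_chs(lba, heads, spt), count))
            if dump_dir is not None:
                path = os.path.join(dump_dir, "S%08d.SEC" % (len(dumped) + 1))
                with open(path, "wb") as f:
                    f.write(sector)         # whole sector, padding included
                dumped.append(path)
    return hits, dumped


def build_demo_image(cylinders=3):
    """Constructed image: boot.ini-style text with the search string twice
    (mixed case) in sector 1:1:2 and once in sector 1:1:3; zeros elsewhere."""
    image = bytearray(cylinders * HEADS * SECTORS_PER_TRACK * SECTOR)
    lba_a = (1 * HEADS + 1) * SECTORS_PER_TRACK + 1     # c:h:s 1:1:2
    text_a = (b"multi(0)DISK(0)rdisk(0)partition(2)\\WINNT\r\n"
              b"multi(0)disk(0)Rdisk(0)partition(3)\\WINNT\r\n")
    text_b = b"[boot loader]\r\ndefault=multi(0)disk(0)rdisk(0)partition(2)\\WINNT\r\n"
    image[lba_a * SECTOR:lba_a * SECTOR + len(text_a)] = text_a
    off_b = (lba_a + 1) * SECTOR                        # c:h:s 1:1:3
    image[off_b:off_b + len(text_b)] = text_b
    return bytes(image)


def run_demo():
    """Search cylinder 1 only, once without and once with /DUMP, then search
    for a string that is not there; returns what each run produced."""
    img = build_demo_image()
    hits, _ = search_raw(img, "disk(0)rdisk(0)", startcyl=1, endcyl=1)
    dump_dir = tempfile.mkdtemp()       # off the "disk" being searched
    _, files = search_raw(img, "disk(0)rdisk(0)", startcyl=1, endcyl=1,
                          dump_dir=dump_dir)
    sizes = [os.path.getsize(p) for p in files]
    missing, _ = search_raw(img, "rubbishthatisnt", startcyl=1, endcyl=1)
    return hits, [os.path.basename(p) for p in files], sizes, missing


if __name__ == "__main__":
    hits, files, sizes, missing = run_demo()
    for (c, h, s), n in hits:
        print('Info: Found "disk(0)rdisk(0)" at c:h:s %d:%d:%d %d times' % (c, h, s, n))
    print("Dumped:", files, sizes)
    if not missing:
        print('Info: string "rubbishthatisnt" not found')
```

The cylinder-range check enforces the rule that the end cylinder must be at least the start cylinder and within the disk, and the default for `endcyl` is the last cylinder, matching the /ENDCYL description above.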

Example 1:
[F:\]searchraw /string:"disk(0)rdisk(0)" /startcyl:66 /endcyl:66
Searchraw filesystems 1.0.0 Copyright 1998 Trevor Hemsley
Info: Disk 1: cylinders 1106, heads 255, sectors/track 63
Info: Reading tracks of 32256 bytes from disk 1, cylinder 66 --> 66
Info: Found "disk(0)rdisk(0)" at c:h:s 66:115:2 4 times
Info: Found "disk(0)rdisk(0)" at c:h:s 66:115:3 3 times

Searches cylinder 66 only (start==end) for the string disk(0)rdisk(0) and reports which sectors contained it or gives an error.

Example 2:
[F:\]searchraw /string:"disk(0)rdisk(0)" /startcyl:66 /endcyl:66 /dump
Searchraw filesystems 1.0.0 Copyright 1998 Trevor Hemsley
Info: Disk 1: cylinders 1106, heads 255, sectors/track 63
Info: Reading tracks of 32256 bytes from disk 1, cylinder 66 --> 66
Info: Found "disk(0)rdisk(0)" at c:h:s 66:115:2 4 times
Info: Found "disk(0)rdisk(0)" at c:h:s 66:115:3 3 times

Does the same thing but creates two files, one for each sector located, containing the contents of those two sectors.

Example 3:
[F:\]searchraw /string:rubbishthatisnt /startcyl:66 /endcyl:66 /dump
Searchraw filesystems 1.0.0 Copyright 1998 Trevor Hemsley
Info: Disk 1: cylinders 1106, heads 255, sectors/track 63
Info: Reading tracks of 32256 bytes from disk 1, cylinder 66 --> 66
Info: string "rubbishthatisnt" not found

Didn't find it!


**** WARNING **** WARNING **** WARNING ****
This program could be used by unscrupulous people to gain access to "secure" data. The author accepts no responsibility for and does not condone acts carried out by vandals and/or thieves.

This program is distributed as-is and no warranty is expressed or implied. Usage of this program is at the user's own risk.

Trevor Hemsley
London, UK
30th November 1998
Trevor-Hemsley@dial.pipex.com
