The ByteBack Data Recovery Investigative Suite Disk Editor

Introduction

This chapter describes the use and functionality of the ByteBack D.R.I.S.™ built-in disk editor.

Important: this chapter is not meant to invite you to start editing your disk at your leisure! The disk editor is provided to help you perform advanced recovery and as such is tied in with other ByteBack D.R.I.S.™ functions. The ByteBack D.R.I.S.™ disk editor is not a fully outfitted disk editor but is geared towards ByteBack D.R.I.S.™ recovery operations. Having said this, it is entirely possible to perform sector-based hex edits, just as you would with most other disk editors. Just make sure you understand what you're doing.
This guide is not meant as a comprehensive introduction to disk editing!

A disk editor is a powerful tool that enables you to alter the contents of your hard disk without an operating system 'interfering'. This process is also called 'patching'. Editing hard disks requires expertise: you need to be familiar with hexadecimal notation, and more importantly you need to be aware of disk structures. When viewing data on your hard disk using any disk editor, all data looks alike. Regardless of whether data is part of a Word document, an executable file or some file system structure such as the $MFT file in the NTFS file system, it is up to you, the user, to recognize the data that is displayed.

the disk editor main screen

For example, the primary partition table on a hard disk consists of a 64-byte structure in sector 0 (the very first sector on the hard disk, also known as the MBR). If you have the expertise to locate the partition table, convert hex data to decimal values and interpret the different fields in a partition table entry, the disk editor is an extremely powerful tool allowing you to manipulate the hard disk contents without having to rely on the operating system. At the same time this makes a disk editor a potentially destructive tool if you don't know exactly what you are doing.
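
Added example, not taken from the ByteBack manual or product: the Python code below decodes the 64-byte partition table of an MBR sector and cross-checks each entry's CHS start address against its LBA start address. The 255-head, 63-sector geometry, the function names and the sample sector are assumptions constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # partition table: 4 entries x 16 bytes = 64 bytes
TYPES = {0x05: "extended", 0x06: "FAT16", 0x07: "NTFS/HPFS/exFAT",
         0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)"}

def decode_chs(raw):
    """Unpack a 3-byte CHS field: head, sector (6 bits), cylinder (10 bits)."""
    head, sec_cyl, cyl_low = raw
    return ((sec_cyl & 0xC0) << 2) | cyl_low, head, sec_cyl & 0x3F

def chs_to_lba(cyl, head, sector, heads=255, spt=63):
    """CHS -> LBA; the default geometry (255 heads, 63 sectors) is an assumption."""
    return (cyl * heads + head) * spt + (sector - 1)

def parse_partition_table(sector):
    """Return the non-empty entries of the partition table in one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 55 AA signature: not a partition table sector")
    entries = []
    for n in range(4):
        raw = sector[TABLE_OFFSET + 16 * n: TABLE_OFFSET + 16 * (n + 1)]
        boot, chs_s, ptype, _chs_e, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0x00:       # type 0 marks an unused entry
            continue
        c, h, s = decode_chs(chs_s)
        entries.append({
            "entry": n + 1, "active": boot == 0x80,
            "type": TYPES.get(ptype, f"0x{ptype:02X}"),
            "chs_start": (c, h, s), "lba_start": lba, "sectors": count,
            # CHS and LBA start should agree for partitions below the CHS limit
            "chs_matches_lba": chs_to_lba(c, h, s) == lba,
        })
    return entries

def build_sample_mbr():
    """Constructed sample sector: one active FAT32 partition starting at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, bytes([1, 1, 0]), 0x0B,
                        bytes([254, 0xFF, 0xFF]), 63, 2_097_089)
    return bytes(TABLE_OFFSET) + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    for e in parse_partition_table(build_sample_mbr()):
        print(e)
```

To inspect a real sector without touching the disk, read the first 512 bytes of a sector image file and pass them to parse_partition_table.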

To make patching a disk more comfortable, ByteBack D.R.I.S.™ can interpret a sector's data as if it were a partition table, or a FAT, FAT32 or NTFS boot sector. By doing so it allows you to edit structures that are important for our purpose, being data recovery, using decimal values and plain ASCII ('normal' characters from the alphabet).

Please note: in all Disk Editor screens a partition size is always defined by the number of sectors it occupies, unless it is explicitly stated that the size is displayed using other measurements such as GigaBytes.

To start the Disk Editor, from the main menu select [Tools], [Disk Editor].

Navigation

The following navigation options are always available:

  • To go to the next or previous sector use the <Page Down> / <Page Up> keys

  • To go to the first or last sector on the disk use the <Home> and <End> keys

  • To jump one head forward or back use the <right> and <left> cursor keys

  • To jump one cylinder forward or back use the <down> and <up> cursor keys

The following navigation options are available after a disk has been scanned:

  • Use the < [ > and < ] > keys to display all 'significant sectors' (boot sectors, partition tables etc.) that ByteBack D.R.I.S.™ has collected in the 'Data Collection Array' during the disk analysis. This is a convenient way to browse all the significant sectors that ByteBack D.R.I.S.™ has found during the diskscan.

  • Use the < { > and < } > keys to jump to the first and last sector in the Data Collection Array

  • Use the < , > and < . > keys to find all locations that, according to the diskscan, should contain boot sectors. This is a convenient way to browse through all the possible bootsector locations, and quickly see which bootsectors are damaged or missing. Please note that all bootsector locations are shown, so there might be some false positives among them, like leftovers from old partitions.

The information bar at the top of the disk editor screen displays information relevant to the browse option you use, on the right side of the screen:

  • Example: Item: 1/28 PTE1/FAT32
    When browsing using the < [ > and < ] > keys, the type of sector that you are browsing is displayed. The information consists of 4 elements: the number of the item in the database, the total number of items in the database, the sector type and the partition type. The example would be read as follows: you are viewing a partition table entry sector for a FAT32 type partition, and it's the first item in the database, which contains 28 items in total. The following types of sectors are identified:
    PTE for Partition Table / BS for BootSector / BBS for Backup BootSector / F8FF for FAT sector.

  • Example: BS for PL entry 4
    When browsing using the < , > and < . > keys, details for the partition that is connected to the bootsector location you are viewing are displayed. The information bar at the top of the disk editor screen will display (on the right side) the partition list entry for which you are viewing a bootsector. A partition list entry in this context is an entry in the ByteBack D.R.I.S.™ partition list; this list is shown when you select partitions for recovery during the automatic repair, and it can also be found in the ByteBack D.R.I.S.™ logfile after a diskscan or 'verify EPBR chain'. The example would be read as follows: you are looking at the bootsector location for entry 4 in the ByteBack D.R.I.S.™ partition list. This information will be displayed in black when the location is indeed a correct possible bootsector location, and will be displayed in red when the location does not conform to bootsector standards (when it's not at a location where a bootsector normally resides).
    During browsing the status bar at the bottom of the screen will display relevant information for the partition that is connected to the bootsector location you are viewing, such as partition type and size.

Another convenient way to 'reach' partition tables and boot sectors is by displaying sector 0 (the MBR) as a 'partition table sector': <F10>, [Show as PartList], or press <F5>. Once the PartList is displayed you can use the entry number (1 to 4) to jump immediately to the LBA start location for that entry's item (either a partition or an Extended Partition Table Sector). Press the corresponding number to jump to that partition entry's start location (bootsector) or the next EPBR (in case of an extended partition table entry). The 'PartList View' should only be used to navigate the disk when the partition tables are intact.

displaying the current sector info as a partition table

To jump to any LBA address of your choice, press <F4> and enter the LBA address.

While navigating you can observe the current location in the information bar at the top of the Disk Editor screen. ByteBack D.R.I.S.™ displays the LBA address and, in parentheses, the current location in "Cylinder, Head, Sector" format.

Once you have reached the desired location use the <F10> key to bring up the Disk Editor's main menu. Before editing a sector it is advised to back up the sector first! Remember that changes made in the Disk Editor cannot be 'rolled back' using the ByteBack D.R.I.S.™ undo feature.

To back up a sector or sectors from the current location, bring up the menu <F10> and select the [Export Sector(s)] option, or press <F7>. Enter the number of sectors you want to back up to file, and enter a filename. The default filename suggested by ByteBack D.R.I.S.™ will always be associated with the selected sector's address! This makes it easier to restore the 'backup' without you having to remember the backup's filename: when restoring the sector to its original location, ByteBack D.R.I.S.™ will again suggest the default filename that is associated with this sector address automatically. You can however use any filename you desire, but since ByteBack D.R.I.S.™ runs in DOS, DOS file naming conventions apply (8 characters for the filename; the 3-character extension is reserved for use by ByteBack D.R.I.S.™).

To restore a sector or multiple sectors to the current location, bring up the menu <F10> and select the [Import Sector(s)] option, or press <F8>.

Common keys:

<F10> : will open the menu for the editing mode you are currently using
<Esc> : will abort the current operation (will not save the changes!)

The Disk Editor Main Menu

Please note: when you have finished editing any sector using the editor you must explicitly save the modifications to disk; pressing escape to leave any edit screen will not save any changes you made to disk. Saving the contents after editing always requires you to press <F10> and select the 'exit & save' option.

By pressing <F10> from the Disk Editor's main screen you bring up the Disk Editor Main menu:

the disk editor main menu

[Goto] allows you to jump to a specified LBA address.

[Show as PartList] allows the current sector to be interpreted as if it were a sector containing a partition table. If you actually are at a Partition Table Sector, the PartList view allows you to easily jump to the start sector for a specific partition.

[Edit as PartList] starts the Partition Table Editor. While it is possible to edit a partition table in raw HEX, it is advised (and much more convenient) to use the Partition Table Editor instead. To edit a partition table you must have knowledge regarding the partition table format, partition table specifications and 'disk addressing'. 

[Edit as BootSector] allows for FAT, FAT32 and NTFS Boot Sectors to be edited using a template. While it is possible to edit a boot sector in raw HEX you're advised not to do so. By using templates there is less room for error. You must specify if the current sector should be interpreted and edited as a FAT, FAT32 or NTFS boot sector. Once the bootsector editor has started, press <F10> for the bootsector editor menu. Select the appropriate action from the menu; edit, clear all fields, revert changes, exit & save.

a sample bootsector editor screen

[Start Advanced BS repair] will try to rebuild a FAT or FAT32 boot sector from scratch. This option is only available if the disk has been scanned (Scan Complete in the Status screen should say "Yes"). The current LBA location should be detected by ByteBack D.R.I.S.™ as a potential FAT or FAT32 boot sector location. Use the earlier described browse keys < , > and < . > to easily locate bootsector locations, or select the appropriate sector using <F4> or other browse keys. Start the advanced BS repair when you are at the sector location that should contain the (to be created) bootsector.
ByteBack D.R.I.S.™ will scan your disk and try to determine the parameters required to rebuild the boot sector. Once the scan has finished the Boot Sector Editor will be displayed. Either accept the values ByteBack D.R.I.S.™ determined and save the boot sector (<F10>, [Exit & Save]) or first modify values if required. You can for example change the default volume label that ByteBack D.R.I.S.™ generates ("BYTEBACK").
Note: this operation will not add bootcode to the bootsector. Bootsector bootcode is operating system specific; adding bootcode must be done by the user if necessary.

[Edit Sector] allows you to edit the current sector in raw HEX or ASCII (text). Use the <Up>, <Down>, <Left>, <Right>, <Home> and <End> keys to navigate the sector. The byte that's currently highlighted by the cursor is displayed in the bottom status bar in various formats: Hex, ASCII, Decimal and Binary.

Edit a sector in HEX

Press <F10> to bring up the menu. From the menu you can exit the editor, revert any changes you made, clear the sector or switch the 'edit mode'. When switching edit mode, you alternate between the Hex edit mode or the Text edit mode.
When changing bytes in the Hex edit mode, you must always type the 2 characters that make up the byte value; to change a byte value to "A" you must type "0A". If you start typing the first of the 2 characters, you can abort by pressing <Esc>. A byte value that has been changed is displayed in yellow, making it easy to see where you left off when performing complex edits.

[Dump PartList to Log] dumps the current sector to the logfile as if it were a sector containing a partition table.

[Dump BootSector to Log] will try to determine if the current sector contains a FAT, FAT32 or NTFS type boot sector and will dump the interpreted information to the logfile.

[Dump Sector to Log] allows you to dump the current sector to the logfile in Hex format.

[Export Sector(s)] creates a binary file image of one or more sectors (999 max.). This is very useful for backing up sectors before editing or patching them.

Exporting a number of sectors to a binary file

Enter the number of sectors you want to back up to file, and enter a filename. The default filename suggested by ByteBack D.R.I.S.™ will always be associated with the selected sector's address! This makes it easier to restore the 'backup' without you having to remember the backup's filename: when restoring the sector to its original location, ByteBack D.R.I.S.™ will again suggest the default filename that is associated with this sector address automatically. You can however use any filename you desire, but since ByteBack D.R.I.S.™ runs in DOS, DOS file naming conventions apply (8 characters for the filename; the 3-character extension is reserved for use by ByteBack D.R.I.S.™).

[Import Sector(s)] allows you to restore sector images ('backups') to the current location. Enter the filename for the backup. The default filename suggested by ByteBack D.R.I.S.™ will always be associated with the selected sector's address, but you can enter a different filename if you typed a filename when creating the backup. ByteBack D.R.I.S.™ will then ask you to enter the number of sectors you wish to import (restore to the disk). The default value is all sectors that are present in the imagefile, but you can change this if you would like to restore fewer sectors. The import always starts with the first sector in the imagefile, so entering a value of 3 would restore the first 3 sectors from the imagefile.

[Sector to Clipboard] allows you to copy the current sector to the clipboard.

[Sector from Clipboard] writes the sector in the clipboard to the current sector.

[Wipe Sector] allows you to write zeros to the current sector.

[Calculator] allows for simple calculations and conversions: CHS address to LBA address or vice versa, and Decimal to Hexadecimal or vice versa.

[Help] displays the Disk Editor navigation keys.

[Exit] closes the disk editor and returns you to the previous menu (Tools).

[Return] closes the Disk Editor main menu.

http://www.toolsthatwork.com