Open blachole opened 6 years ago
Can you dump the boot sector (reallymine dumpfirst) and post a hexdump?
00000000 33 c0 8e d0 bc 00 7c 8e c0 8e d8 be 00 7c bf 00 |3.....|......|..|
00000010 06 b9 00 02 fc f3 a4 50 68 1c 06 cb fb b9 04 00 |.......Ph.......|
00000020 bd be 07 80 7e 00 00 7c 0b 0f 85 0e 01 83 c5 10 |....~..|........|
00000030 e2 f1 cd 18 88 56 00 55 c6 46 11 05 c6 46 10 00 |.....V.U.F...F..|
00000040 b4 41 bb aa 55 cd 13 5d 72 0f 81 fb 55 aa 75 09 |.A..U..]r...U.u.|
00000050 f7 c1 01 00 74 03 fe 46 10 66 60 80 7e 10 00 74 |....t..F.f`.~..t|
00000060 26 66 68 00 00 00 00 66 ff 76 08 68 00 00 68 00 |&fh....f.v.h..h.|
00000070 7c 68 01 00 68 10 00 b4 42 8a 56 00 8b f4 cd 13 ||h..h...B.V.....|
00000080 9f 83 c4 10 9e eb 14 b8 01 02 bb 00 7c 8a 56 00 |............|.V.|
00000090 8a 76 01 8a 4e 02 8a 6e 03 cd 13 66 61 73 1c fe |.v..N..n...fas..|
000000a0 4e 11 75 0c 80 7e 00 80 0f 84 8a 00 b2 80 eb 84 |N.u..~..........|
000000b0 55 32 e4 8a 56 00 cd 13 5d eb 9e 81 3e fe 7d 55 |U2..V...]...>.}U|
000000c0 aa 75 6e ff 76 00 e8 8d 00 75 17 fa b0 d1 e6 64 |.un.v....u.....d|
000000d0 e8 83 00 b0 df e6 60 e8 7c 00 b0 ff e6 64 e8 75 |......`.|....d.u|
000000e0 00 fb b8 00 bb cd 1a 66 23 c0 75 3b 66 81 fb 54 |.......f#.u;f..T|
000000f0 43 50 41 75 32 81 f9 02 01 72 2c 66 68 07 bb 00 |CPAu2....r,fh...|
00000100 00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66 |.fh....fh....fSf|
00000110 53 66 55 66 68 00 00 00 00 66 68 00 7c 00 00 66 |SfUfh....fh.|..f|
00000120 61 68 00 00 07 cd 1a 5a 32 f6 ea 00 7c 00 00 cd |ah.....Z2...|...|
00000130 18 a0 b7 07 eb 08 a0 b6 07 eb 03 a0 b5 07 32 e4 |..............2.|
00000140 05 00 07 8b f0 ac 3c 00 74 09 bb 07 00 b4 0e cd |......<.t.......|
00000150 10 eb f2 f4 eb fd 2b c9 e4 64 eb 00 24 02 e0 f8 |......+..d..$...|
00000160 24 02 c3 49 6e 76 61 6c 69 64 20 70 61 72 74 69 |$..Invalid parti|
00000170 74 69 6f 6e 20 74 61 62 6c 65 00 45 72 72 6f 72 |tion table.Error|
00000180 20 6c 6f 61 64 69 6e 67 20 6f 70 65 72 61 74 69 | loading operati|
00000190 6e 67 20 73 79 73 74 65 6d 00 4d 69 73 73 69 6e |ng system.Missin|
000001a0 67 20 6f 70 65 72 61 74 69 6e 67 20 73 79 73 74 |g operating syst|
000001b0 65 6d 00 00 00 63 7b 9a c2 11 5f 48 00 00 80 20 |em...c{..._H... |
000001c0 21 00 07 df 13 0c 00 08 00 00 00 20 03 00 00 df |!.......... ....|
000001d0 14 0c 07 fe ff ff 00 28 03 00 00 58 dd e8 00 00 |.......(...X....|
000001e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00008000
Nothing seems to be wrong there. The text strings are standard (they're the error messages reported when something usually is wrong with the hard disk), and the drive is listed as having two partitions, one that's 100MB big (usually a boot partition or service partition or something like that), and one that's roughly 2TB big; both are NTFS. Does that seem correct?
That's right, but none of the other steps provide the feedback or information to find the dekkey or to decrypt.
cat /proc/partitions | grep sdb
8 16 1953514584 sdb
8 17 102400 sdb1
8 18 1953410048 sdb2
sudo fdisk -l /dev/sdb
Disk /dev/sdb: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: dos
Disk identifier: 0x485f11c2
Device Boot Start End Sectors Size Id Type
/dev/sdb1 * 2048 206847 204800 100M 7 HPFS/NTFS/exFAT
/dev/sdb2 206848 3907026943 3906820096 1.8T 7 HPFS/NTFS/exFAT
You are probably not encrypted then. You can try mounting /dev/sdb2 and seeing if that works.
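An added example, not part of the thread or of reallymine's code: the partition table at 0x1be of the posted hexdump decoded by hand, with a rough plausibility check of the kind behind the "probably not encrypted" conclusion. The bytes are copied from the dump and the disk size is the sector count fdisk reported; the function names and the heuristic itself are this example's assumptions.

```python
import struct

# Bytes 0x1b0-0x1ff of sector 0, copied from the hexdump posted in this thread.
MBR_TAIL = bytes.fromhex(
    "65 6d 00 00 00 63 7b 9a c2 11 5f 48 00 00 80 20"
    "21 00 07 df 13 0c 00 08 00 00 00 20 03 00 00 df"
    "14 0c 07 fe ff ff 00 28 03 00 00 58 dd e8 00 00"
    + "00" * 30 + "55 aa"
)
TABLE_OFFSET = 0x1BE - 0x1B0  # the partition table starts at 0x1be
SECTOR = 512

def parse_entries(tail):
    """Return the non-empty primary partition entries as dicts."""
    entries = []
    for i in range(4):
        raw = tail[TABLE_OFFSET + 16 * i : TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start, type, CHS end, LBA start, sector count
        status, _, ptype, _, start, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0 and count == 0:
            continue  # unused slot
        entries.append({"index": i + 1, "status": status, "type": ptype,
                        "start": start, "sectors": count})
    return entries

def looks_like_plain_mbr(tail, disk_sectors):
    """Heuristic (assumption): ciphertext in sector 0 would not pass all of these."""
    if tail[-2:] != b"\x55\xaa":
        return False  # boot signature missing
    entries = parse_entries(tail)
    if not entries:
        return False
    end = 1  # sector 0 holds the MBR itself
    for e in sorted(entries, key=lambda e: e["start"]):
        if e["status"] not in (0x00, 0x80):
            return False  # only "inactive" and "active" are valid
        if e["start"] < end or e["start"] + e["sectors"] > disk_sectors:
            return False  # overlaps the previous entry or runs off the disk
        end = e["start"] + e["sectors"]
    return True

if __name__ == "__main__":
    for e in parse_entries(MBR_TAIL):
        mib = e["sectors"] * SECTOR / 2**20
        print(f"partition {e['index']}: type 0x{e['type']:02x}, "
              f"start {e['start']}, {e['sectors']} sectors ({mib:.0f} MiB)")
    print("plain MBR:", looks_like_plain_mbr(MBR_TAIL, 3907029168))
```
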
I tried this, but it just seems to do nothing when I try to mount it. It just processes forever it seems. I don't think there is anything wrong with the disk because I can see it processing every few seconds, it just never seems to complete.
Actually now it's kicking back an error.
Error mounting /dev/sdb2 at /media/rye/62AC997AAC994985: Command-line `mount -t "ntfs" -o "uhelper=udisks2,nodev,nosuid,uid=1000,gid=1000" "/dev/sdb2" "/media/rye/62AC997AAC994985"' exited with non-zero exit status 13: ntfs_attr_pread_i: ntfs_pread failed: Input/output error
Failed to read NTFS $Bitmap: Input/output error
NTFS is either inconsistent, or there is a hardware fault, or it's a
SoftRAID/FakeRAID hardware. In the first case run chkdsk /f on Windows
then reboot into Windows twice. The usage of the /f parameter is very
important! If the device is a SoftRAID/FakeRAID then first activate
it and mount a different device under the /dev/mapper/ directory, (e.g.
/dev/mapper/nvidia_eahaabcc1). Please see the 'dmraid' documentation
for more details.
(udisks-error-quark, 0)
Try sudo file -s /dev/sdb? to see if there really is a filesystem on those partitions.
-- Thomas Kaeding
my public key: http://pgp.mit.edu/pks/lookup?op=get&search=0x81B0FCA32599BE6F
I ran that and got the following:
sudo file -s /dev/sdb
/dev/sdb: DOS/MBR boot sector MS-MBR Windows 7 english at offset 0x163 "Invalid partition
table" at offset 0x17b "Error loading operating system" at offset 0x19a "Missing operating
system", disk signature 0x485f11c2; partition 1 : ID=0x7, active, start-CHS (0x0,32,33), end-CHS (0xc,223,19), startsector 2048, 204800 sectors; partition 2 : ID=0x7, start-CHS (0xc,223,20),
end-CHS (0x3ff,254,63), startsector 206848, 3906820096 sectors
sudo file -s /dev/sdb1
/dev/sdb1: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media
descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 2048, dos < 4.0 BootSector (0x80),
FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 204799, $MFT start cluster 8533,
$MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial
number 082568e3a568e2f4b; contains Microsoft Windows XP/VISTA bootloader BOOTMGR
sudo file -s /dev/sdb2
/dev/sdb2: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media
descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 206848, dos < 4.0 BootSector (0x80),
FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 3906820095, $MFT start cluster
786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1,
serial number 062ac997aac994985; contains Microsoft Windows XP/VISTA bootloader BOOTMGR
Okay, I'm going to try something based on my past experience. If this works, I'll ask the other people who have had I/O errors before...
With what specific hardware are you connecting the drive to your computer?
I have the drive hooked up to an external SATA drive reader (Thermaltake BlacX Duet 5G) connected into an instance of Ubuntu 16.04 running in VMware Fusion v11. It's possible it's throwing I/O errors, but the logs aren't showing that.
Okay then my prediction is wrong, because that's the exact same thing I use and I have had no issues with it spitting IO errors so far, hm... That common mystery is still open then :\
You can try ntfsfix. I've never used it, but I hear that it helps, since Windows sometimes shuts down with filesystems in unsafe states. Don't ask me what that means, but ntfsfix can reset journals and resolve inconsistencies.
Oddly sdb1 mounts, but now sdb2 is throwing errors after I let it process forever. Everything in Linux including ntfsfix is saying it's a good disk even when I throw tags at it to check the disks. I am running a chkdsk on a Windows OS and it's finding inconsistencies now. I will try again once this is finished checking the disk. Thanks guys.
Hey @blachole, did you manage to fix this?
I have a friend's WD 2TB MyBook Elite that had its HW die in the casing. I am trying to recover the data, but I am afraid it might be too late. Running the commands to view the boot sector tables shows the typical:
bh@ubuntu:~/Documents$ sudo file -s /dev/sdb
/dev/sdb: DOS/MBR boot sector MS-MBR Windows 7 english at offset 0x163 "Invalid partition table" at offset 0x17b "Error loading operating system" at offset 0x19a "Missing operating system", disk signature 0x485f11c2; partition 1 : ID=0x7, active, start-CHS (0x0,32,33), end-CHS (0xc,223,19), startsector 2048, 204800 sectors; partition 2 : ID=0x7, start-CHS (0xc,223,20), end-CHS (0x3ff,254,63), startsector 206848, 3906820096 sectors
I have run variations of the different commands and also @themaddoctor's script to search the boot sector for the lines to try and get the keyblock, but nothing is turning up with the right information. Before I go wasting hours on this, is this a lost cause? Thanks.