How to Recover Lost / Deleted Partitions:
See Also: Data Recovery From an Inaccessible Hard Drive
The Problem:
The partition table is located in the very first sector on the hard drive, and can be easily accessed by any program, including a virus. Some programs alter the partition table sector, and this can go wrong: even the most trustworthy software can damage the partition table.
How to Recover Your Partition Table:
If you do not have a backup copy of your partition table data, then you will have to search for patterns that identify the partitions on the hard drive. If the data in your partitions is damaged, recovery will be more difficult.
You must know how partitions are defined, and then search for patterns that match. All drives start with a boot sector, which to some extent can be identified. When the locations of all boot records are known, the partition table can be reconstructed and written to the disk. The only thing remaining is the initial boot loader, which can usually be fixed by running fdisk /mbr
FDISK in DOS/Windows can cause problems since it writes outside the partition table. The message "Checking drive integrity", displayed when creating partitions, is where the problem occurs. If you delete your C: drive with FDISK and then simply re-create it with the same size as before (again with FDISK), it won't work: while checking the drive integrity, FDISK has trashed your boot record, FAT tables and other data. It hasn't trashed everything, though. Because there are two FAT copies, you may be lucky enough to restore them from each other.
How to Search for Boot Records:
A boot record has various fields at fixed positions, and these fields can have specific values. Thus boot records can be identified among other data. You can read from anywhere on the hard drive, so if you start from the beginning and read to the end, you should be able to find the boot records. It might take an hour to complete the search, but you only need to do it once. There might be backup copies of the boot record(s), so don't be surprised if you find two FAT32 boot records close to each other. To identify a boot record, use a function like this for each sector read:
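    /* Pattern selectors for search_for_pattern(); the values are arbitrary. */
    enum { PATT_000055AA, PATT_BRECFAT32, PATT_DIRECTORY };

    /* Test one 512-byte sector in buf against pattern PATT.
       Returns 1 on a match, 0 otherwise. */
    int search_for_pattern( unsigned char *buf, int PATT )
    {
        switch ( PATT )
        {
        case PATT_000055AA:     /* sector ends with 00 00 55 AA */
            if ( *(buf + 508) != 0x00 ) break;
            if ( *(buf + 509) != 0x00 ) break;
            if ( *(buf + 510) != 0x55 ) break;
            if ( *(buf + 511) != 0xAA ) break;
            return 1;
        case PATT_BRECFAT32:    /* "FAT32" file system identifier at offset 82 */
            if ( *(buf + 82) != 'F' ) break;
            if ( *(buf + 83) != 'A' ) break;
            if ( *(buf + 84) != 'T' ) break;
            if ( *(buf + 85) != '3' ) break;
            if ( *(buf + 86) != '2' ) break;
            return 1;
        case PATT_DIRECTORY:    /* no test implemented for this pattern */
            break;
        default:
            break;
        }
        return 0;
    }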
The function above shows the general principle, and can be enhanced. A boot record contains a file system identifier, which can be FAT32 or FAT16 or just FAT for various DOS/Windows versions. Other file systems have similar patterns to search for, and you can alter the function above accordingly. You might have to make some quite complex sanity checks to filter out the noise. However, you can rely on the fact that partitions always start on a partition boundary, so the head value should be 0 or 1, and the sector value should also be low. The file system itself can use the partition as it likes, but you should expect to find the boot record near the start.
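The sanity checks and the boundary test described above, as an added example that is not code from the original page. The function names, the limits used as heuristics (1 or 2 FAT copies, sector exactly 1) and the 255-head / 63-sector geometry in main() are assumptions; the sample sector is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Little-endian 16-bit read (boot record fields are unaligned). */
static unsigned rd16(const unsigned char *p) { return p[0] | (p[1] << 8); }
static int is_pow2(unsigned v) { return v && !(v & (v - 1)); }

/* Returns 32 for a plausible FAT32 boot record, 16 for FAT12/FAT16, 0 for noise. */
int classify_boot_record(const unsigned char *buf)
{
    unsigned bps = rd16(buf + 11);                        /* bytes per sector */
    if (buf[510] != 0x55 || buf[511] != 0xAA) return 0;   /* boot signature */
    if (buf[0] != 0xEB && buf[0] != 0xE9) return 0;       /* x86 jump at offset 0 */
    if (bps < 512 || bps > 4096 || !is_pow2(bps)) return 0;
    if (!is_pow2(buf[13])) return 0;                      /* sectors per cluster */
    if (rd16(buf + 14) == 0) return 0;                    /* reserved sectors */
    if (buf[16] < 1 || buf[16] > 2) return 0;             /* FAT copies (heuristic) */
    if (memcmp(buf + 82, "FAT32   ", 8) == 0)             /* FAT32: 16-bit fields are 0 */
        return (rd16(buf + 17) == 0 && rd16(buf + 22) == 0) ? 32 : 0;
    if (memcmp(buf + 54, "FAT", 3) == 0)                  /* "FAT12", "FAT16" or "FAT" */
        return (rd16(buf + 17) != 0 && rd16(buf + 22) != 0) ? 16 : 0;
    return 0;
}

/* Boundary test from the text: head 0 or 1; "low sector" is tightened to sector 1. */
int on_partition_boundary(unsigned long lba, unsigned heads, unsigned spt)
{
    if (!heads || !spt) return 0;                         /* geometry unknown */
    return lba % spt == 0 && (lba / spt) % heads <= 1;
}

/* Constructed sample: a minimal FAT32-style boot record, not data from a real disk. */
void make_sample_fat32(unsigned char *buf)
{
    memset(buf, 0, 512);
    buf[0] = 0xEB; buf[1] = 0x58; buf[2] = 0x90;          /* jump + NOP */
    buf[12] = 0x02;                                       /* 512 bytes per sector */
    buf[13] = 8; buf[14] = 32; buf[16] = 2;               /* cluster, reserved, FATs */
    memcpy(buf + 82, "FAT32   ", 8);
    buf[510] = 0x55; buf[511] = 0xAA;
}

int main(void)
{
    unsigned char sec[512];
    make_sample_fat32(sec);
    printf("type=%d boundary=%d\n", classify_boot_record(sec), on_partition_boundary(63, 255, 63));
    return 0;
}
```

With the sector-1 rule, a backup boot record a few sectors after the primary one is rejected by the boundary test even though its contents classify as FAT32.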