User Guide for 3.

www.toolsthatwork.com
www.datarecoverysoftware.com

Byte Back was designed to easily manipulate and recover many types of media. It gives you the low-level control you need
to handle failing or damaged media. Clean Room Engineers have designed Byte Back, and now you can use some of the
same basic functions. It will be difficult, if not impossible, to find another program on the market with the same low-level
capability. We want you to understand the proper way to handle any media before attempting any reconstruction, as this is
one of the biggest problems we see.
Many individuals will try to recover data themselves before sending it out for professional data recovery services. This action
can create more damage, and in some cases can make recovery of any data impossible. There are many times that we will not
only have to bypass the original problem with the media but also the further damage created by the user from an attempted
recovery. If you are going to attempt recovery yourself, you should have a tool that will allow you the greatest safety and
control, such as Byte Back.
Safety is the most important thing. Never try to repair files or reconstruct the file system on the original, corrupt or damaged,
media. The first step is to extract the raw data from all of the sectors of the media. You can do this in the form of an image
file or create an exact copy (clone) to the same type of media. You can make an exact copy of a hard drive to another hard
drive and then copy the raw data to a compressed file. Store the image file on a local drive, server or removable media. Once
this has been completed, you can attempt any file system reconstruction needed to the copy of the media. If the repair or
reconstruction does not work or makes matters worse you still have the original media and the image file to restore to another
media.
Byte Back is a data recovery tool that works at the sector level directly with the hardware containing the data. It looks at the
physical media and enables you to repair the file system components and also will allow you to recover files.
Byte Back consists of 5 modules and some modules have sub-modules: Clone/Imaging (Clone Drive to Drive, Create Image
File, Restore Image File), Analyze Layout (Tree FAT/NTFS Drive, Mount in Media Editor, Repair Boot Sector and Partition
Table), Media Editor, Media Wipe and Surface Test. Each module will be discussed in detail.

Table of Contents
Introduction
Program Registration
Transferring the Registration
Preparing the Bootable Floppy Disk
Windows
DOS
SCSI Device Drivers
Iomega Zip and Jaz Drives
MD5 (Message Digest 5)
Context Sensitive Help
Running the Program
User Setup Window
Selecting Media
Selecting the Operation
Cloning and Imaging
Clone Drive to Drive
Process Delay & Read Retries
Skip Mode
Create Image File Volume
Restore Image File Volume
Analyze Layout
Select Valid File System
Tree FAT/NTFS Drive
Mount in Media Editor
Repair Boot Sector and Partition Table
Making the Drive Bootable
Media Editor
View the Sector As
Hex/ASCII View
Text View
Partition View
Boot Sector View
File Allocation Table (FAT) View
Directory View
Search the Media For
Look For Hex/ASCII
Look For Boot Sector
Look For Partition Table
Look For FAT Tables
2

Look For Directory Entries

Look For Files
Save Sectors
Restore Sectors
Fill Current Sector
Media Wipe
DOD Security Wipe
Surface Test
Warning
Data Recovery Coupon
Appendix
License Agreement

Introduction
Byte Back will only run from a floppy diskette. You should boot the system from a DOS/Windows bootable floppy
diskette. See below to prepare a bootable floppy diskette. Byte Back is not limited to working with only certain
operating systems. It does not matter what operating system the media was formatted with because it is looking at
the media from the physical aspect. As an example, you can work on a physical drive with the UNIX file system,
even though you are booting with a DOS/Windows diskette. There are certain functions within Byte Back that are
focused towards FAT12, FAT16, FAT32, and NTFS file systems but in no way are you limited to only working with
these file system formats.
Byte Back has different operating methods - BIOS Access, IDE Access, SCSI Access and Floppy Access. In BIOS
Access, the computer system controls the communication to the media. If the BIOS or computer system cannot find
any IDE drives, run Byte Back in IDE Access method. IDE Access talks directly to the media. Use SCSI Access to
use SCSI hard drives, Iomega Zip, Jaz drives, SyQuest, and other removable media.

Program Registration
In order to use all the functions in Byte Back, you must purchase a registration key for the program. This can be
accomplished over the phone for immediate use (Priority Unlock), or you may receive a packaged, pre-registered
diskette through normal shipping methods. When using an unregistered version of the program, it works as a demo
only. You will be able to access all parts of the program but will not make any repairs or write any changes to the
disk.
To Priority Unlock Byte Back first call us at 800-274-3785 and speak with a Sales Associate. Once the sales
process is complete, follow these instructions.
Make sure the following Byte Back files reside on a floppy diskette.
BB.exe
BB.cfg
BB.hlp
Readme.txt
License.txt
Cp.zip
Now start the program with the command BB from the floppy diskette. As you enter the unregistered version of
the program it will prompt you to register the program or continue. Press enter on the Registration button. Once you
are in the registration window, a Public Key will be displayed. The Public Key is what you will need to give us in
order to register the program. Every time you enter the registration window, a different Public Key will be
generated. Once you give us the Public Key, DO NOT close this window until we have given you the User Key to
input into the appropriate field. If you give us the Public Key and then close this window, the User Key we give
back to you will not register the program. You will have to give us a new Public Key to get the correct User Key.
Transferring the Registration
You CANNOT use the Transfer Registration function to upgrade to a more current version of the program. You will
need to contact us for the upgrade procedures.
If the floppy disk starts to go bad you can transfer the registration to a new unregistered version of Byte Back on
another floppy diskette. To do this, start the unregistered version of the software from a new floppy disk and enter
the registration window. Press the button Transfer Registration. It will ask you to insert the registered floppy and
then the unregistered floppy again. At that point the registration has been transferred to the new floppy. The old
floppy will no longer be a registered version of the program and can be disposed.

Preparing the Bootable Floppy Disk

Before running Byte Back, the system needs to be started from a bootable DOS/Windows boot floppy. We suggest
that you create a clean bootable floppy diskette. We also suggest having the boot disk and the Byte Back disk
separate. This will preserve the life of the Byte Back floppy disk. You will need to load DOS ASPI SCSI drivers if
you are going to be working with SCSI devices. Do not load any memory managers.
Windows
You can make a bootable floppy diskette from within Windows.
On your desktop, there should be an icon "My Computer". Double click this icon to open My Computer. It should
display your floppy drives, hard drives, CD-ROM and any other storage devices on your system.
Click once on the floppy drive that contains the floppy diskette you are preparing. Now click once with the right
mouse button on the floppy drive, which will bring up a menu. Follow the menu down to "Format" Now click on
the format menu option. This will bring up the floppy format program. Before you click on start, make sure to
choose the radio button, "copy system files only". Now click start. Once the floppy diskette is bootable and the Byte
Back program files have been copied to the floppy diskette, you are ready to run the program.
DOS
If you are preparing a floppy diskette from the DOS level, use the following command to transfer bootable system
files to the floppy.

Format /S A: (Where A: is the floppy drive)

SCSI Device Drivers

If you have SCSI devices, the DOS ASPI SCSI device drivers should be loaded from your config.sys file. You will
need to modify the config.sys file to load the correct SCSI device driver.

Device=A:\aspi8dos.sys /D (Example)

This command is assuming you are loading the device driver for an Adaptec 2940UW. You can download Adaptec
SCSI Controller drivers from their website (http://www.adaptec.com). If there are other SCSI driver websites that
should be listed, please let us know.

Iomega Zip and Jaz Drives

If you have Zip or Jaz drives, the Iomega DOS "Guest" program must be run prior to starting Byte Back. This is for
both the Parallel Port and SCSI Iomega drives. The Guest program can be found on the original floppy diskette that
came with the Iomega drive or you can download this DOS program from Iomega's website
(http://www.iomega.com).

MD5 (Message Digest 5)

Most all processes that are performed in the program will automatically create a report. Each report records a MD5
fingerprint.
Developed in 1994 by Professor Ronald L. Rivest of MIT, MD5 (Message Digest 5) is a one-way hash algorithm
that takes any length of binary data and produces a 128 bit "fingerprint" or "message digest". This fingerprint is
"non-reversible". In other words, it is impossible to compute the binary data based on the fingerprint. This means
someone cannot figure out your data based on its MD5 fingerprint. Everytime you run the MD5 hash algorithm on
5

the binary data, you should get the exact same fingerprint. If you get a different fingerprint, then the binary data has
been changed.
In Byte Back, this fingerprint is computed from the area of the media or image file that a function is being
performed (Tree, Surface Test, Wipe, Clone, and Imaging). MD5 is an industry standard in the world of forensics.
As an example, it is imperative that any copy (Clone) of the media be identical to the original media. The program
will record the cloning MD5 fingerprint in a report and enable you to compare the fingerprint against any copy of
the original media to show that it is an exact copy. So far to date, the MD5 standard has not been cracked and is
accepted in our legal system as a valid authentication process.
If you are in doubt, try this experiment. Perform a Surface Test on the entire surface of a hard drive. There will be a
report produced at the end of the scanning that will record the fingerprint of the drive. It will look something like
this (A3B34260EF41B62376E1524B96766644). Now enter the Media Editor and go to any random sector on
the drive. Change any one byte on this sector to whatever you want. Then run the Surface Test again. You will see
that the fingerprint has changed. Now go back and change that one byte back to its original value in the sector and
run the Surface Test again. This time you will see that the fingerprint matches the fingerprint from the original scan.

Context Sensitive Help

Press F1 to access the Context Sensitive On-Line help at anytime from any screen in the program. Most of this
manual has been implemented into the program. Use both the manual, along with the on-line help, to gain a better
understanding of the functions and philosophy of the program.

Running the Program

If at all possible, we recommend having only the media you will be working with attached to the system. Byte Back
has different access methods, BIOS Access, IDE Access, SCSI Access and Floppy Access.
Start Byte Back with the command BB from the floppy diskette.

(A)
As you enter the program, the above screen (A) will appear with five different options. The "Continue" button will
move you on to the select media screen (C). Notice the bottom left and right hand corners of the screen. From
anywhere in the program you can access the online help by pressing F1. To exit the program, use the keyboard
shortcut ALT-X.

Continue Enter the drive selection screen.

About Copyright information.
User Options Configuration & Registration
More Information Information on new and upcoming products and services.
Data Recovery Services How to contact Tech Assist. for Data Recovery Services.

User Setup Window

(B)
The User Setup Window is the control center for Byte Back. If you are working with drives that are failing, this
window will be your best friend. Immediately after entering the program, use CTRL-S to access this window. You
have access to this window at anytime, from anywhere in the program, just by using CTRL-S on the keyboard. As
drives start to fail, communicating with the media will be the challenge. Sometimes you will find that increasing the
timeout variable is all that is needed to effectively communicate with the drive. On a good working system, the
timeout is very short. There is no need to wait for anything. Increasing the timeout variable gives the drive more
time to decide when it wants to respond. Many times you will also have to slow down the entire processing
procedure. This gives patience to the system in not demanding information from the drive this very moment, as it
does for a good working drive. When the program encounters read errors, it will start the low-level read functions.
As you can see from this window it will try to read the damaged sector 32 times before moving on to the next sector.
There will be times that by increasing the read retries you will also be able to read the sector. It is all of these
variables together that will give you better access control to the drive.
The Access Method is nothing more than how Byte Back addresses and communicates with any media in the
system. The type of media on the system will depend on how you want to access the media. By default all access
methods are displayed. You will need to uncheck an access method to keep it from being displayed.

IDE DRIVE The program controls all of the communication to any IDE drives found on the system. We
recommend using this access method when working with IDE drives. It has direct access and does not rely
on the system to communicate with any media. Here you will be able to see the entire capacity to any IDE
drives that are above the 8.4GB barrier, regardless of whether the system BIOS has the ability to see the
entire drive. The media is displayed as "IDE HDD 000, ...001, ...002, etc".
BIOS DRIVE The system BIOS handles all of the communication to the media. Here you will see what
the system BIOS is reporting. The media will be displayed as either BIOS or EBIOS. Most new systems
have the ability to handle extended int13 calls. If so, the media will be displayed as EBIOS Drive 80h,
81h, 82h, etc. and you will see the entire capacity of any drive above the 8.4GB barrier. Otherwise it
will be displayed as BIOS Drive 80h, 81h, ...82h, etc" and only a maximum of 8.4GB will be
accessible.
8

SCSI DRIVE Communicate with any SCSI devices on the system. We recommend using this access
method when working with SCSI drives. If you have SCSI hard drives on the system, they will also show
up in BIOS Access but will only give access to 8.4GB of the drive. In SCSI Access you will be able to see
the entire capacity of any SCSI drives that are above the 8.4GB DOS barrier. You must have the SCSI
device driver loaded to be able to see any media in SCSI Access Method. This includes running the Iomega
"Guest" program for Zip and Jaz drives before running Byte Back. The media is displayed as "SCSI device
0/0, 0/1, 0/2, etc".
FLOPPY DRIVE Gives access to any floppy drives on the system.

Select Media

(C)
When you have selected Continue you will be taken to the Select Drive Screen (C). The Select Drive Window will
display all the different drives on the system and the different access methods for each. Use the arrow keys on the
keyboard to move up and down between the different pieces of media. Use the tab key to move between the
different buttons. By default, all the drives are in Write Protected Mode, except for the floppy disks. A checkmark
next to each media indicates it is in protected mode. Unless you are working on a floppy disk, do not write protect
the program floppy disk. Notice that the <Spacebar> will toggle the media from protected mode to edit mode and
vice versa. Before proceeding further into the program, make sure that any drive that will be written to (destination
drive) is not in write protected mode. Press enter on a piece of media to advance to the select operation window.
There are four different access methods (IDE, BIOS, SCSI and Floppy). You will notice that most media have two
different access methods. If you do not see the media on this screen, then you have a more serious mechanical
problem and should contact us for our in-house services. You can hide or display whatever access method you prefer
by pulling up the User Setup window (CTRL-S). Each media will have the Current Geometry and Original
Geometry information. The program will use whatever is being displayed in the Current Geometry settings as the
parameters to run the different functions. Most of the time you can accept the default settings. Use the Change
Geometry button to alter the Current Geometry settings as shown below. For IDE Drives, the current geometry is an
interpretation of how the BIOS sees any media on the system. It is a calculated combination of what the BIOS sees
and the original geometry. This is why the current geometry and the original geometry can be different for IDE
Drives. For EBIOS/BIOS Drives, the current geometry and original geometry are the same
Here is one example as to why you want to have different means to access any media. If you have an IDE drive that
is failing and makes the system hang, you can take the drive out of the system BIOS. This way when the system
boots it will not hang, but you will still gain access to the drive through the IDE Drive access method.

10

(D)
Byte Back consists of 5 modules. Cloning will create an exact sector-by-sector copy of the media to a different
media at the bit level. Imaging creates a sector-by-sector image of the media and stores it in a compressed or
uncompressed file to be saved to another local drive, network drive or removable media. Restore will take the image
file and create an exact duplicate copy of the original media to another media. Analyzing the media layout will allow
you to automatically Tree any FAT/NTFS file system and recovery the files and directories to another destination,
mount the drive logically in the Media Editor, or repair the boot sector and partition table. The Media Editor will
allow you to make changes to the sectors, manually repair the boot sector or directory entries, recover individual
files and copy off to another drive. Next, Media Wipe will sanitize your media. All data will be destroyed! Lastly,
Surface Test will verify the physical viability of your media. For most operations performed, reports are produced.
The reports are standard text files and can be opened in any program that will view text files. Make a selection and
enter the operation you want to perform.

11

Cloning Drive to Drive and Imaging

Cloning will allow you to create an exact copy of the media to another like media, even if it is failing. This will give you the
control to get below unreadable sectors and extract any remaining data. As a new feature, Reverse Cloning has been inserted
into the program. This will allow you to start at the end of the drive and clone backward to the beginning. This feature is
absolutely irreplaceable The Cloning process can take anywhere from minutes to hours to complete. This will depend if there
are media errors and what type of failure is involved.
Imaging any media will create a sector-by-sector copy of the original media and be saved in the form of a file. This file can
be saved to another local drive, network drive, or removable media. This image file can then be restored to another media so
you can run other utilities without the concern of creating any further damage to the original media. We do recommend first
Cloning the original media to another like media and then create an Image File. There will be situations where a failing piece
of media will only be accessible if it is in a system all by itself. In this case, you will have no choice but to create an image
file. There is no way to determine how long the original media will allow you to have access.
You really need to use common sense when Cloning or Imaging. If every sector of the media is unreadable, you have a more
serious problem than any software can handle. If you notice that the media continues to get worse and unusual noises are
coming from the media, you are probably experiencing the growth of a head crash. In these instances, you will need the
assistance of Data Recovery professionals. This is a very powerful tool but also can be a destructive tool. You do not want to
create so much damage that even Data Recovery professionals are unable to recover anything.

(E)
When you select Clone/Imaging from the Select Operation window you will see the above screen (E). From here,
select which cloning/imaging operation to perform.

12

Clone Drive to Drive

(F)
The Cloning screen (F) is divided into the Source (top half of the screen) and the Destination (bottom half of
screen). In the middle, the time remaining, number of errors and progress bar will be displayed during the cloning
process. Select the Source and Destination buttons to change your choice. When selecting a destination, you will see
that the source drive is grayed out and not allowed as a choice. You are not able to clone to the same drive. This is a
safety precaution. The Start, Modify, Stop, Exit and Compare buttons perform the same functions as in the Surface
Test and Media Wipe.
Now lets discuss the source and destination drives. It is not necessary to have the source and destination drives with
the same geometry (Cylinders, Heads and Sectors). Make sure that the destination drive is the same size or larger
when cloning. If not, only a partial clone will be made. Sometimes you will find that the Heads and Sectors will be
the same in BIOS Access and different in IDE Access. This is because of the way the system BIOS interprets the
Cylinders, Heads and Sectors. There are other programs that will clone, sector by sector, from one drive to another
but they also require that you have the same cylinder, head and sector geometry for both drives. Byte Back does not
require this. You even have the ability to clone a source drive that is in IDE Access to a destination drive that is in
BIOS Access. The program works with the LBA of both drives when cloning. LBA stands for logical block
addressing. Using the LBA on each drive will create an exact duplicate even if the CHS are different. We will
continue to refer to CHS throughout this manual. It stands for Cylinders, Heads and Sectors. The combination of any
CHS point on a drive creates the LBA. Example: (CHS 0,0,1 = LBA 0), (CHS 0,0,2 = LBA 1), (CHS 0,0,3 = LBA
2), etc. It is best to start thinking in terms of LBA, not just CHS. You will see in the Media Editor the use of LBA.
If you are going to run other file system reconstruction programs on the cloned drive, you need to make sure the
system BIOS sees the destination drive the same way as the source drive. The reason for this is because any other
file reconstruction program will rely on the system BIOS for interpreting the CHS and communication with any
media. It is specifically the Heads and Sectors that needs to be the same. Lets use an example. I clone a drive in
IDE Mode with CHS 13328,15,63 to another drive of CHS 16278,16,63. Here you can see that the CHS is different.
If you look, the system BIOS will auto-detect the source drive as CHS of 784,255,63 and the destination drive CHS
of 1021,255,63. The heads and sectors are the same in the BIOS. It is because of the way the BIOS interprets the
CHS. It is all right to have more cylinders on the destination than the source drive. In this example, we are cloning a
13

6.4GB drive to an 8GB drive. The FAT file system is most sensitive to having the heads and sectors the same. This
is because the way the file system writes to the drive. It is relying on the CHS in the BIOS to match the file system
layout on the drive.
If this is too confusing and you just dont understand, then it is best to make sure that at least the Heads and Sectors
on both drives are the same. The Cylinders may be larger on the destination, but not less than the source media. If
the destination cylinders are less than the source cylinders, you will not be able to clone the entire source media.
It is also best to Clone failing IDE drives in IDE Access. Byte Back has direct communication with the media.
Cloning or imaging any failing media in BIOS Access mode can give you a false sense of security that any hard to
read sectors are truly being read. You are relying on the BIOS to do error correcting for the sector. It might tell you
that it read the sector but what information is it receiving from the BIOS. The BIOS error correcting does not have
the ability to work on a very low-level basis. Typically if the BIOS were really able to read the sectors it would be
because there are very minor or no read errors. This is why we always say to clone or image failing media in IDE or
SCSI Access. If the media is not failing, then Cloning or Imaging in BIOS Access should not be a problem.

(G)
The User Setup window (G) is the control center for Cloning and Imaging. Activate this screen by pressing the
keyboard shortcut CTRL-S. If you are encountering sector read errors, changing these variables can help to by-pass
errors and read the data. Increase the Timeout variable to 50,000ms and the Process Delay to 200ms. Then decrease
the process delay in increments of 25ms until a comfortable level is reached while the sectors can still be read. If
you have sector errors and increment up to about 75,000ms for Timeouts and 1,000ms for the delay, it means the
sector is probably truly unreadable by any means. For any sector that is unreadable, the destination media will show
"(unreadable)" in the corresponding sector.
Whenever a sector is encountered that cannot be read, the low-level read functions are set in motion. Notice in the
above image (G), the read retries are set by default to 32. This means that the low-level functions will attempt to
access the damaged sector 32 times before categorizing the sector as unreadable. By default, this function has strict
rules. When the damaged sector is accessed but not all bytes in the sector can be read, the sector is still categorized
as unreadable. There is an option to relax the strictness to this function by checking the Last Read Retry Error
Control Disabled. This means that when a damaged sector is accessed it will get whatever bytes can be read.
Depending on what type of file that is associated with the partially read sector will determine whether the file will be
corrupt. This is why, by default, this function is strict on categorizing a sector as read or unreadable.
14

You can also set the read retries to 0 and put the program into Skip Mode. This will disable the low-level retries
and skip over the bad sectors if it cannot be read the first time. This will speed up the process considerably. There
may be times when you may want to run the program a first time to clone the good sectors at a faster rate and then
go back a second time to spend more time on the damaged sectors. So you would set the retries to 0 for the first pass
and then go back for a second pass just to the areas that are bad. On the second pass you will increase the delay and
retries to dig deeper into the damaged sectors. You will know where these bad areas are because of the report that is
generated during the first Skip Mode pass.
These default variables do not need to be changed if the media does not encounter sector errors. Increasing these
values will cause the program to run slower and to be able to focus on the sectors with problems. The focus is to get
the data from the sectors, not speed.
Reverse Cloning has been somewhat of a guarded secret in the data recovery industry. Mark the checkbox Reverse
processing. to enable the reverse cloning function. Reverse Cloning will start at the very end of the media and
clone backward to the beginning of the media. It will write in reverse mode to the destination drive, creating an
exact duplicate at the bit level. On mechanically failing drives, you will find that reverse cloning will clone the drive
more efficiently than normal forward cloning. This is because drives are enhanced to read faster in normal forward
reading. They have built in cache and buffering to read ahead to increase the speed of the drive. When a drive starts
to mechanically fail it are these enhanced bells and whistles that can cause a drive to have problems reading
correctly. Drives are not made to use these enhanced capabilities when reading backwards. So you will have better
control in accessing damaged sectors.
The User Setup window (CTRL-S) can be accessed at anytime, even in the middle of the cloning or imaging
process, by pressing CTRL-S. This is very important to understand. You can pull up the User Setup window during
any function that is in process. As time goes by, without any sector errors, access the User Setup window again and
lower these values to speed up the processing.

15

Create Image File

(H)
Enter the Imaging screen from the Select Clone/Image Process window. The User Setup window (CTRL-S) can also
be accessed during imaging. Creating an image file is fairly simple (H). You have a few different options when
creating an image file. First, select the destination where the image file is to be written using the keyboard shortcut
ALT-F (I). You can create a single file volume or multiple file volumes. Byte Back will automatically create
multiple file volumes if there is not enough available space on whatever destination drive you are writing to. When
the destination gets full, the program will ask you to locate another destination drive or to insert new media if you
are writing to a removable drive such as an Iomega Jaz drive.
The program could possibly choose to create multiple file volumes on its own, even is there is plenty of space on the
destination. This is to eliminate any file volume corruption due to DOS limitations.

16

File Volumes start with the extension of *.v00 and then the next file volume will be *.v01, *.v02, etc. You can also
predetermine the size of the file volume you want to create (I). By default, File Volumes are a maximum of 2GB
(2097MB). Change the size of the file volume in the Volume File Size field. This can be useful if you want to write
the image files to CD after creating them. So you could pre-determine that you want each file volume a maximum of
640mb.

(I)
It will default to writing the raw sector data uncompressed. This will be the fastest way to create file volumes. Make
sure you have enough available logical drive space to accommodate the size of the file. Compression will create
highly compressed file volumes. When compression is used on the media, the more time the process will take. In the
top field, type the path and file name that is to be written. You can record information about this image file by
pressing the Input Image File Description button. In here you can write a paragraph, if needed, about this image
file. This can be very useful when restoring the image file. You will be able to view this information and make sure
it is the correct image file. This information is imbedded into a special header file, which records other basic
information about the image file and media.

17

If you are not sure of the path, press the browse button to pull up the Select File window (J). Use the tab key to jump
between the fields and buttons. Press the Drive button (ALT-D) to select a different logical drive letter. Press enter
on a directory name to enter that directory. If the directory does not exist, press the MkDir button to enter the name
of the directory you want to create. Now enter the name of the file you want to create in the File Name field and
press enter or the OK button.

(J)
You will be taken back to the imaging screen. The path and file name will appear in the Destination File field at the
bottom of the screen. The Start, Modify, Stop, and Exit buttons operate the same as on the Surface Test and Media
Wipe procedures. After the image file has been created, press the Compare button to make sure the sector data in the
file is the same as on the media.
** WARNING** - If the media gets worse during the imaging process, you might want to stop and Clone the media
to another media. We recommend to first Clone the media to another like media and then image the media. Most of
the time, there is more sector control in the Cloning process than the imaging process. Sometimes you will only have
one shot at accessing the media. It is best to clone the drive first if the media is deteriorating.

18

Restore Image File

(K)
Restoring an image file works similar to creating an image file (K). Select the File button to locate the file volume(s)
that will be restored. View information on the selected file volume by pressing the View Image File Information
button from the Select File window.

19

(L)
When restoring data from an image file there is much flexibility. You can restore the entire image or only partially.
You can select the starting/finishing CHS within the image to restore and where to restore it to the media. By default
it will restore the image to the original LBA that it came from. Lets look at a simple example. I want to restore only
LBA sector 63 (CHS = 0,1,1). This address is typically the boot sector for the FAT file system but not always. So
lets say that I made changes to this sector but now I want to restore the original boot sector to the media. I press
Modify and then make the Starting and Finishing CHS 0,1,1. It will only restore this one sector from the image.
Another example would be where I want to restore LBA sectors 315-566 from the image file volume but I want to
restore them to the media starting at LBA 64. I press Modify and make the starting LBA 64 and ending 314. I then
press the Starting Position in Volume button. Notice that it defaults to the same starting LBA 64 as on the media
but we are going to make the starting LBA 315. This type of procedure you will find useful when working in the
Media Editor and different parts of the file system.

20

Analyze Layout
Searching for file system components is the main function of this module. Do not run this function on mechanically failing
drives or you run the risk of creating further damage. You will need to Clone the drive first and then work on the Clone.
From the components that are found during the search, it will allow you to automatically create a Directory Tree Structure of
any FAT12, FAT16, FAT32, and NTFS file system and recover any and all directories and files to another destination. It
will allow you to mount any FAT12, FAT16, FAT32 and NTFS file system logically in memory. Also repair the boot sector
and partition table for FAT12, FAT16, FAT32 and NTFS formatted hard drives and removable media.
Once the scanning is complete you will be presented with choices to either Tree FAT/NTFS Drive, Mount in Media Editor,
or Repair Boot Partition. If there are no File Systems found at the end of the search, then this is usually an indication that
there is extremely severe damage to the file system. Contact us for more information on our in-house Data Recovery
Services.

(M)
As the program scans the media you will notice at the bottom of the screen that the Possible Found System
Components will increase. It is gathering all the different possible components it can find on the media to be able to
rebuild a File System. A File System has many parts and the type of components will vary from one file system to
another such as FAT16, FAT32 and NTFS. Keep in mind that these are possible components. The program is
looking for different signatures in the sectors to classify it as a possible component. After the scanning is completed
it will analyze all the components that were found and decide what to disregard. 99% of what it finds will be thrown
away as garbage.

21

(N)
You can stop the scanning at anytime without loosing the current scan position. There might be times you want to
stop the search scan and look at a component in the INFO button. Then press the START button again and you will
be prompted to either continue the search where you left off or to start over.

22

(O)
The INFO button (O) gives detailed information on every component that was found during the search. When a file
system is being rebuilt it will not necessarily use everything it finds but you will be able to see everything that was
found during the scan. These components may assist you in manually mounting a partition if it isnt showing up the
list.
Here is where you restore the backup file that was created when repairing the boot sector and partition table.
Another new feature is the ability to save all the components that were found during the scan to a file for future use.
Scanning the entire drive can sometimes take hours with these new large drives and its nice to be able to load the
components again from a file versus having to scan the entire drive all over for hours. When exiting the program you
will also be prompted to save the components to a file.

Analyze Found SC will build valid file systems from all the system components that were found during
the scan.
Save/Load Found Components will allow you to save all the components that were found during the scan
to a file. This way if you need to leave the program you do not have to scan the entire media all over again.
Simply load the components from the saved file and then choose the Analyze Found SC. This file should be
small enough to fit on the floppy disk. Make sure to remember where you saved this file.
Show ?? buttons the show buttons will let you see all the individual components that were found during
the scan. You will notice that there can be garbage among the valid components. This can be expected.
Restore Backup File if you had previously made repairs to the boot sector and partition table, this will
allow you to restore the boot sector and partition table back to its original state before you made the repairs.

23

(P)
Now the scanning has completed you will be prompted with another smaller window to either Tree FAT/NTFS
drive, Mount in Media Editor or Repair the Boot / Partition.

24

(Q)
When you choose to either Tree, Mount or Repair, you are presented with the above Select File System screen. This
is a list of partitions that can be selected as part of the rebuilding process. The Partition LBA column shows the
starting location of a particular partition (File System). LBA stands for Logical Block Address. Every combination
of cylinder, head and sector creates a unique LBA (Cylinder 0, Head 0, Sector 1 = LBA 0). The information box to
the right of the Partition LBA will display all the components to that particular file system.
The Information box will also tell you what type of file system this partition is and how large the partition. Make
sure it looks correct in size and type. If the drive you are working on is a 6GB drive and you know it had only one
FAT32 partition but the information box says the partition is a 2GB partition then it is probably not the correct
partition you are looking for.
You want to also make sure the Root Directory looks correct. Use the shortcut ALT-R to view the Root Directory,
or tab to the Root Directory button. If the file system is FAT32 and the Root Directory does not look correct, you
have the option to manually choose another Root Directory.

25

(R)
You have three choices at this point. First you can continue with the default option and use the partition list to Tree
FAT/NTFS Drive. The other two are to Mount a Partition logically in the Media Editor and next is to Repair
Boot/Partition.

26

Tree FAT/NTFS Drive

(S)
Choosing the Tree function will create a hierarchal directory tree structure of the particular file system you selected.
As you enter, the program will read through the components that were found during the scan to be able to create the
tree.
After the Tree has been built it will look similar to the one above. The screen is divided into 3 columns. The far left
column is the structure tree of the directories. Notice that some directories have the plus sign next to the directory
name. This indicates that there are also more directories within that directory. Move the cursor to a directory and use
the arrow key to the right to expand the directory. Use the arrow key to the left to collapse the directory.
As you move the cursor to different directories, the two other columns will change. This is because these two
columns will display whatever files and directories that are in a directory that is currently highlighted in the far left
column. There is color-coding in the Tree to indicate the status of files and directories.

WHITE indicates a good valid directory entry. This does not mean the files in that directory are valid, only
that the directory entry is good.
BLUE indicates a good valid file.
RED indicates a file or directory that has invalid chains or has been deleted. This does not mean the file is not
recoverable. It means that the programs algorithms will kick in to rebuild the chains to the file.
YELLOW indicates a file or directory has been tagged for recovery.

Use the tab key to move between the far-left column and the other columns. If you press enter on any file or
directory, another window will appear with more details.
Use the <Spacebar> to select or unselect directories or files to recover. To tag the entire drive press the spacebar on
the top Root. Any directories or files that are tagged for recovery will then turn yellow.

27

(T)
Now that you are in the Tree lets talk about the menu options at the top of the screen. The first menu option, FILE,
will allow you to bring up the User Setup Window and open reports.
The next item, Look For, will allow you to look for files within the Tree. You can search for exact names or use the
asterisk (*) to add a wildcard in the search. The more wildcard asterisks that are used in the search will cause more
invalid results to show up in the search. Lets say you want to locate all MS-Word documents. Enter the wildcard
asterisk (*) into the first field and doc into the extension field, (*. doc). Another example would be where you are
not sure of the exact file name but know part of it. Lets say the part you know is bank. So put (*bank*) in the first
field and (doc) in the extension field. This means the program will look for files that have the extension of doc and
have the word bank somewhere in the first part of the file name.

28

(U)
The next item on the menu, Utils, has many functions. The Files/Directories Information item will display a window
and show you how many files, directories and bytes are in the Tree. It will also tell you the same for what has been
tagged for recovery. Get use to using the shortcuts that are shown to the right of the menu items. At any time, you
can jump between the Tree and mounting the drive in the Media Editor by pressing F12.

29

(V)
Then we go to Files/Directories Display Filters (ALT-D). This will bring up a window that will allow you to choose
what filter you want to apply to the Tree. You can apply any combination of the filters together or individually. Lets
look at each filter. The above screen reflects a FAT file system. The filters for a NTFS file system are slightly
different.

Show Files with Valid FAT This filter will display all files that have verified and valid FAT chains. This
basically means the file is intact and you can expect a good recovery of this file. If you hit enter on any file it
will bring up a window that will give more information. One piece of information that will be displayed is the
validity of the file. These types of files will show up as BLUE.
Show files with Invalid FATs This is just the opposite from the filter above. It will display all files that do not
have valid FAT chains. This does not mean the files are not recoverable. It means that the program will kick in
is algorithm to rebuild the FAT chain for the file. Whether the file will be valid will depend on the type of file,
size and fragmentation of the drive. Some files will be valid and others invalid after being recovered. These
types of files will show up as RED.
Show Deleted Files and Directories This filter will display all files and directories that have been deleted in a
FAT file system. These types of files will show up as RED.
Show Empty Valid Directories The name of the filter should be self-explanatory.

30

(W)
Once you have used the <Spacebar> to tag the files for recovery, use the Recover Selected Files (ALT-R) item to
bring up the above window. Type the destination path where you want the files to be recovered or browse your drive
for the destination. Notice the above destination file name, recover.zip. The program will recover all the selected
files and directories to a ZIP file. You name the zip whatever you want. This is done for a few reasons. First, it will
quarantine any viruses so they will not spread. Next it will keep the integrity of the files. The entire path and long
file name will be intact in the zip file. If you are performing a forensic investigation of the files, you will want to
check the above Calculate MD5 for Recovered Files. This will produce a report with each file having a unique MD5
signature. By default, any files being recovered that are deleted files will have a beginning character of #. You can
change this to whatever you want. When a zip file reaches 1000MB (1GB) in size it will automatically start a new
zip file. You can change the size of the zip file for when it will start a new zip file. As an example, if you want to
create a zip file that you can burn to CD, then change the size to 640mb.
The recovered zip file supports spanning of files between the different zip files. You will need to use WinZip
version 8.1 or later or another archiving program that support spanning of files. To unzip the files, find the file with
the extension ZIP and open it with WinZip. You may tag certain files to extract or the entire list. WinZip will ask
you to locate the 1st archive in the series (recover.z01) and any subsequent archive files after that. Continue with this
until all the selected files have been extracted.

31

(X)
Once you have applied the filters you want, press ALT-C to create a structure report as above. This report will
display all directories and files that match one of filter criteria. The report will also tell you what filters were applied
to create the report.

32

(Y)
The Show Cluster/LBA Map item is for technicians. This will create a report that shows the status of each file. It
will also show you where the file is located on the drive from the Cluster/LBA location.

33

Mount in Media Editor

(Z)
In the Select File System to Mount window you will notice any Partition Table or Boot Sector that was Not Found
will now be either CREATED or CHANGED. It does not actually create or change the boot sector or partition table
in this window. It is showing what they should be changed to. The buttons at the bottom are used to view the
changed or created components if needed. Use the arrow keys to move to the partition that you want to mount and
continue on in the mounting process by pressing the <OK> button. This will not write anything to the drive. It will
simply mount the partition logically in memory.
This will take you to the Select Working Area window (aa) in the Media Editor.

34

(aa)
When you enter the Media Editor, the Select Working Area window is not expanded like the above screen until you
have chosen Mount from the menu. Mounting a logical drive turns the focus of the Media Editor from looking at the
drive from a straight physical sector level to a logical file system level (FAT16, FAT32 and NTFS). The program
will do the calculations for you and will link all the components together that make up the file system. It will make it
easy to jump directly to the different components. You will have to first enter the basic FAT parameters to be able to
mount the drive logically. You can enter these values manually or you can have the program analyze the drive
layout and give you a list to choose from.
After the program has analyzed the drive and presented the partition list, you can either mount the drive logically,
repair the boot sector and partition table and tree FAT/NTFS drives without knowing any of the values or doing any
of the calculations.

35

(bb)
The FAT/NTFS Parameters are the basic values that enable the drive to be mounted logically as a FAT16, FAT32
and NTFS file system. If you are going to manually mount the drive, you will have to use the Mount FAT/NTFS
items from the menu. When mounting a drive manually there are a few basic approaches you can make. First you
will have to tell the program where the partition begins. The boot sector is the first sector in a FAT/NTFS partition.
If you know where the boot sector is you can set the Starting Position to that location and then go to the Mount
menu. If the starting position you have set is a valid boot sector the program will recognize it as so and prompt you
with the above screen. You can use the Look For menu option to search for a boot sector too.

36

(cc)
It is this window where the basic FAT/NTFS parameters must be entered to be able to mount the drive. Depending
how you answered the previous question will determine what values are automatically entered in these fields. In the
above examples I had answered YES that I want to use the boot sector settings at LBA63 as the default values. What
if there was not a valid boot sector to give these values? You will have to calculate these values and enter them into
the appropriate fields. Press OK to accept these values and return to the previous window, Select Working Area (Z).
Now that the FAT/NTFS Drive Parameters have been entered, the drive is now mounted. Use the shortcut keys to
highlight which Jump To option you want to go to (ALT-B, ALT-1, ALT-2, ALT-T, ALT-R, etc). Whenever you
see a red letter in a word that means it is a shortcut key using a combination of the ALT key and the red letter. So in
the above screen I press ALT-R to highlight the Root Directory choice and then press enter. It will take me to the
Root Directory. Since the drive is mounted I can jump around to different directories from the root directory. I can
go directly to the FATs without knowing where they are located. The program has calculated their location for you.
The sectors are now bound to Clusters and will enable you to maneuver the file system.

37

(dd)
This applies to the FAT file system only. Once the drive has been mounted you need to make sure that the geometry
is correct and the partition is properly aligned. The easiest way to make sure it is correct is locating directories and
comparing the cluster number on the drive to the cluster number that has been virtually mounted, as in the above
screen (nn). You will need to make this comparison over and over with directories. It is when you get many matches
that you will know the alignment is correct.
First make sure the current sector view is Directory View (ALT-D). Then go to the Look For menu item and look
for Directories (F6). When a directory is located, the first line will start with a dot ( . ) and the next line will have
two dots ( . . ), as in the above screen (tt). Highlight the first line and follow over to the Cluster column. The first
cluster number in the cluster column has to match the cluster number at the bottom of the screen in the middle. In
the example above (dd), the cluster is 872 for both and they match. Notice at the bottom of the screen it says
(Cluster 872, Sect. 0). A valid directory will always start at the first sector of a cluster. If the cluster numbers do not
match and the sector is not 0, then the mounted file system does not line up with this directory.

38

Copying Off Files

(ee)
Before any files can be recovered from a mounted FAT drive, you must be in Directory View and the drive must be
mounted as in the above example (ee). DO NOT get this confused from recovering files in the Tree. We are in the
Media Editor and only individual files can be recovered. This function is almost obsolete since we now have the
ability to do the same in the Tree but automatic. Now locate the file that you want by jumping to the directory
cluster, using the Look For Directory or Look For File menu items. Once a file has been located, use the arrow keys
to move the cursor to the line where the file is shown. The entire line will show up in green. In the above screen (ee)
you can see the file PAGEFILE.SYS is highlighted in green. You can also see from the above screen that this file is
in the root directory as it shows at the bottom of the screen.
When you are ready to copy a file off to another drive, use the shortcut (CTRL-O) or go to the Utils menu item and
select the Copy Off Files option. You will then be presented with the above window (vv), Copy Off File Options.
You will need to choose what method is going to be used in copying the file. It will default to using the first FAT
(FAT1). If the first FAT is corrupt, you will receive a Bad Chain error message when you attempt to copy off the
file. You can then try the second FAT (FAT2). If both FATs are corrupt, a Sequential Copy is your only option. A
sequential copy will start at the beginning cluster of the file and proceed to move to each adjacent cluster until the
size of the file has finished copying. If the file was fragmented and the sequential copy is used, there is a chance that
it will be corrupt and not usable. This will also depend on the type of file you are recovering. When you have chosen
which copy option to use and press OK, you will be presented with a save as destination window. It will default to
saving the file with the same name but you can change it if you want to. Then choose the destination drive and
directory and press enter.

39

Repair Boot Sector and Partition Table

(ff)
When you have determined the partition(s) are correct, use the <Spacebar> to select all the partitions that you want
to have access to. A common mistake is to only select the partition(s) that have not been accessible. You MUST
select all partitions that you want to have access to. A checkmark will appear next to each partition that has been
selected. Now move to the <Next> button and press enter, or use the shortcut key SHIFT->, to continue.
If you choose to repair the boot sector and partition table instead of treeing or mounting, it will bring you to the
View Changed File Systems (X).
In the View Changed File Systems window you will notice any Partition Table or Boot Sector that was Not Found
will now be either CREATED or CHANGED. It is not actually changing or creating the boot sector or partition
table here. It is showing what it will be changed to when you continue the repair process. Use the buttons at the
bottom to view the changed or created components if needed. Now continue on in the repair process by pressing the
<Next> button again.

40

(gg)
At this point you will be presented with a Save File window. The purpose of this is to backup the sectors from the
media prior to making the changes. This will allow you to reverse the repair process if necessary. Give a name to the
backup file and press OK. Then you will be presented with the question of whether you want to write the changes to
the drive. After the changes have been written to the drive you will have to reboot the system. If this was originally
the system boot drive, it will not boot by itself. You will have access to the partitions but you will have to slave the
drive behind a good bootable drive and then copy the data off from either a DOS prompt or from within Windows
Explorer. We do this on purpose for data integrity safety. In the situation where the drive is a laptop drive or you do
not have another drive to slave the repaired drive to, there are steps you can take to make the drive bootable again
but we only recommend it as a last resort.

41

Making the Drive Bootable?

If this is a laptop drive or you do not have another drive to slave the repaired drive behind, then there are a few
options. We will always think about safety first and convenience last.
The first option and the safest is to take the laptop drive out and connect it to a desktop system as a slave using a
laptop converter. You can usually get these converters for $5.00-$10.00. We can give you the name of a company
that has these if needed. This option might not be the most convenient but will be the safest.
Another option is to copy the needed files off the repaired drive after booting with a system boot disk. This can take
time and many floppy disks. Some files might be too big to copy off to floppy disks. You could hook an Iomega Zip
or Jaz drive up to the parallel port and copy off the files. You will also loose any long file names doing it this way.
Last is using FDISK and SYS to make the drive bootable after the program has made the repairs to the drive. Do not
use these commands until after Byte Back has made the repairs. You can cause more damage if you do this prior to
Byte Back repairing the drive. This option we only recommend for very technical individuals and only as a last
resort. When Byte Back makes repairs it also takes out the boot code on purpose. You can actually create more
logical corruption by booting from a drive that has damage to the FATs, MFT or directory structures. This is why
you should slave the drive behind another drive whenever possible. If you are going to use this option then we do
suggest cloning the drive to another drive and then performing these procedures on the clone. Proceed at your own
risk.
Follow these steps exactly to make the drive bootable.
1. Use Byte Back to repair the boot sector and partition table.
2. Reboot the system with a bootable floppy disk for the repairs to take effect. The boot floppy needs to be the
same operating system as originally on the hard drive (i.e. - If the hard drive was Windows95B then the boot
floppy needs to have Windows95B as the boot files). You cannot do this procedure if you are using, as example,
a DOS6.22 boot floppy and the drive is a Window98 drive. They have to be the same. If you are not sure then
you should not proceed any further with making the drive bootable.
3. Make sure you copy FDISK.EXE and SYS.COM to the boot floppy. As above, these files need to be from the
same operating system. You cannot use FDISK from DOS6.22 when the hard drive is Windows98.
4. Once the system has been rebooted, type FDISK at the A: prompt. Then you will be presented with 4-5 options
within Fdisk. You want to choose the option that will make one of the partitions Active. It will usually be the
first partition that will be set as active. Once this is done press ESC to exit Fdisk.
5. We will use Fdisk again but will use a command line option this time. At the A: prompt type FDISK / MBR
without any spaces. It will write information to the drive and then go back to the A: prompt.
6. Next type SYS C: and it should tell you that the system was successfully transferred.
7. Remove the boot floppy and reboot the system. As long as there isnt any corruption to the FATs, MFT or
Directory Structure, the drive should boot on its own.
If the drive you are attempting to make bootable is a WindowsNT/Windows2000 NTFS partition, do not do step #6
above.

42

Media Editor
The Media Editor is not just your standard hex editor. It will allow you to search for different file system components and
make any repairs that are needed. After repairing any file system components, we encourage you not to boot with the drive
just repaired but to slave it in behind another drive and copy off the needed data. In the current version of the program, you
will be able to mount FAT12, FAT16, FAT32, and NTFS file systems logically and then copy off files to another drive or
allow the program to calculate the correct values to automatically repair the boot sector and partition table.
View sectors not just as Hex but also as a partition table, boot sector, FAT, directory, and more. There is no need to translate
Hex because the program does it for you.
The best way to get familiar and understand the Media Editor is to setup a similar drive to the one you are having trouble
with. Then you can see what the different components look like (Partition, Boot Sector, FAT, Directory, etc).
As you enter the Media Editor you are asked to define the working area. You will be in read-only mode as you enter
the Media Editor. It will default to the entire capacity of the media as you see below (Z). You will be using the
working area window very often in the Media Editor. It allows you to jump around to different locations on the
drive. Use the shortcut ALT-C to bring up this window. Enter in the CHS (Cylinder, Head, Sector) or just enter the
LBA to jump to a different location. Try getting used to entering the LBA and thinking in terms LBA. When
calculating the location of file system components it will be the LBA locations that help to do this. Mounting a
FAT12, FAT16, FAT32 or NTFS file system will link all the components together for you. Follow the component
links in the file system to find where it is damaged. Allow the program to calculate the correct values to
automatically repair boot sectors and partition tables for FAT12, FAT16, FAT32 and NTFS partitions.
We will start out with an explanation of the different ways you can view any sector. Then we will show you how to
look for and locate the different components (partitions, boot sectors, directories, files, etc) or any text string. We
will finish with applying all of this to mounting a FAT16, FAT32, or NTFS file system logically.

(hh)
43

Hex/ASCII View

(ii)
The hex screen is laid out in three columns. The left most column is the line address, or offset, within the sector. The
middle column is the hex values of the sector and the right column is the corresponding ASCII values of the sector.
Each two characters in the hex (middle) column make one byte. In the above example (ii) the first byte is 33h.
Whenever you are referring to hex you put a lowercase h at the end of the hex value.
Notice at the bottom left corner in the above image (ii) you see (0;0;1;LBA=0). This will always tell the exact
CHS/LBA location you currently are on. As you search for file system components, the LBA will be important to
refer to. Use the Page Up/Down keys on the keyboard to move up or down the sector and to the next sector or
previous sector. Use the combination CTRL-PGUP or CTRL-PGDN to move to the beginning or ending sector of
the working area.
Press the ESC key to leave the editor and go back to the media selection window at anytime.

44

Text View

(jj)
Using Text View is good when reading text within a sector. After searching for a phrase or a string of text, put the
sector in text view to be able to read easier. When viewing a sector that has no visible text, it will look like nothing
more than a screen full of garbage.

45

Partition View

(kk)
You will typically find a partition at 0;0;1;LBA=0. The partition table defines the area on the drive that will make up
the file system. View this sector as a partition with the menu item or ALT-P. Here you can repair the partition values
without having to translate hex. You will need to change from Read Only Mode to Edit Mode. Use the shortcut
CTRL-S to get to the User Setup window and check edit mode at the bottom of the window (CTRL-F10). The top
right corner will change from Read Mode to Edit Mode. Then you can press the numbers 1-4 to modify each
partition line. The partition table has a distinct signature aa55h. This value must be here or your system will not
recognize the partition.

46

(ll)
When you have chosen 1-4 as in the previous screen, the Edit Partition Table Entry window will appear. This is
where you will actually enter the values for each line of the partition table. Check the Sync CHS and LBA field
before entering any values. The program will then do calculations for you. You are able to enter certain values
without knowing other values. Lets say in the above entry that we know the starting position of the partition is at
CHS (0;1;1;LBA=63). We also know the total sectors for the partition but we do not know the finishing position.
You can enter LBA63 into the starting position and the total sectors into the Sectors field. The program will
calculate the finishing position for you. You will also need to choose the File System Code and whether the partition
is a boot partition. There can only be one boot partition in a partition table.

47

Boot Sector View

(mm)
View a sector as a Boot Sector with the View As menu item or the shortcut keys (ALT-1, ALT-3, or ALT-B),
depending if you will be looking at a FAT16, FAT32 or NTFS boot sector. You will be able to enter the appropriate
values without having to translate hex. The boot sector is the next critical component, following the partition table.
1) Jump Code You will be safe if entering ebh 3eh 90h as the default value. These values are the first
three bytes of the boot sector.
2) OEM Name the name of the file system.
3) Bytes per Sector this will usually be 512 for the FAT file system. It can be different for other file
systems.
4) Sectors per Cluster How many sectors make up a cluster?
5) Reserved Sectors FAT16=1, FAT32=32. There are some partition resizing utilities that can alter this
standard.
6) Number of FATs always 2 for FAT File System.
7) Root Entries Using the Microsoft standard, the value is 512 for Fat16. The value is 0 for Fat32. There
are some partition resizing utilities that can alter this standard.
8) Total Sectors (16) 16 bit. For DOS6.X/Win9X this will be 0.
9) Media Descriptor default f8h
10) Sectors per FAT (16) How many sectors are in the FAT table? Count the number of sectors between
the first FAT and the second FAT to determine this number.
11) Sector per Track the number of sectors. Look at the drives CHS
12) Number of Heads - the number of heads. Look at the drives CHS in BIOS Access.
13) Hidden Sectors This is typically the same as the sectors per track.
14) Total Sectors (32) 32 bit. This value will be the same as in the partition table.
15) Drive Number Default 80h
16) Extended Signature Default 29h
17) Volume Serial Number It is not necessary to have anymore than 0 in this field. This is not critical to
gain access.
18) Volume Label Give it any name you want. The volume label is created when you format the drive.
19) File System ID What type of file system? FAT16, FAT32
48

20) Sector Signature as the partition table, the boot sector also requires the signature aa55h as the
ending value to the sector.
There are other variables in the FAT32 and NTFS boot sectors. Also there is another part to the FAT32 boot sector
called the Info Sector. The Info Sector is the next sector following the FAT32 boot sector. So if the FAT32 boot
sector is located at CHS 0,1,1;LBA=63, then the FAT32 Info Sector would be located at CHS 0,1,2;LBA=64. You
can view this sector as an Info Sector with the menu item under the View As Boot Sector FAT32 FS Info
Sector.

49

File Allocation Table (FAT) View

(nn)
The File Allocation Tables give the address to all directories and files within a particular partition. When you find a
FAT table, use ALT-C to make the starting position of the working area at the beginning of the FAT table. In the
above example the starting position would be set to (0;1;33;LBA=95). A FAT16 fat table is usually the first sector
following the boot sector. Locating file system components will allow you to find where other file system
components should be. If the FAT16 fat table starts at (0,1,2;LBA=64) then the boot sector would be located at
(0,1,1;LBA=63). A FAT32 fat table will start 32 sectors after the FAT32 boot sector, as in the above screen. This is
where the Reserved Sector in the Boot Sector comes from. In FAT16 the reserved sectors will be 1 and for FAT32 it
will usually be 32.
In edit mode you are able to change these values.
Follow the FAT chain by placing the cursor on one of the entries. The bottom left corner of the screen will tell you
what cluster you are on in the FAT table. The entry on the screen will tell you where the next chain points. If you are
on cluster 48, the value says that the next entry is 49. Keep following this chain until you hit an EOF (End of File)
entry.

50

Directory View

(oo)

(pp)

51

When you locate a directory, change the view with the shortcut ALT-D. You will see individual file entries, one per
line. Place the cursor on one of the entries and press enter. This will bring up the above window with more detailed
information on the file or directory entry. In edit mode, you can make changes directly to the directory view screen
(oo) or press enter on a file/directory to edit in the more detailed window (pp).

52

Look For Hex/ASCII

(qq)
Use the HEX/ASCII look for option to search the entire media for any Hex or ASCII pattern. You will be able to
investigate the media looking for a phrase as an example. Lets say you are looking for any patterns that have the
words bank account. This will find any entries from any sector with this phrase. The search will stop every time a
match is found unless you run the search in report mode. This will find all matches and write it to a report. When
searching in non-report mode, use the Find Next shortcut ALT-N to continue searching the media for other
matches.

53

Look For Boot Sector

(rr)
There is some flexibility when searching for boot sectors. All boot sectors have the signature aa55h. As you
search and are not finding what you are looking for, start by eliminating the attributes from the bottom up. Take off
the media descriptor first etc. Try different variations. You can even change the values.

54

Look For Partitions

(ss)
Search for many different partition types at the same time or narrow down to just one type. Use the check boxes on
the left to eliminate search choices. Press the numbers 1-6 to bring up the file system type window and choose a
different file system that is not on the default list. Search for a Linux or Netware partition. Refer to the appendix for
a list of different file system types.

55

Look For File Allocation Table (FAT)

(tt)
Depending on the type of FAT you are searching for will depend on what variants will be used in the search. It is
usually the first 4 bytes of the sector that make the distinction that it is a FAT table. By default, the FAT search
attributes are only for the first 2 bytes. There are different variations to the first 4 bytes, depending on what specific
flavor of the operating system it is. A few variations are: (f8h ffh ffh ffh), (f8h ffh ffh 0h), (F8h ffh ffh 7h). We give
6 bytes to search for even though all of them will usually never be used. To search for more than the default values,
change the Number of bytes. to 3, 4, etc. Then change the byte values. If you only change the 0h byte values
without changing the number of bytes to search for, it will still only search for the default values. You will notice
that the fewer bytes used in the search will also cause more false matches to be found.

56

Look For Directory Entries

(uu)
Looking for directories is very simple with no variations. When the search finds a directory, make sure you are in
Directory View (ALT-D).

57

Look For Files

(vv)
Byte Back will search for file names. When it finds a file match, make sure you are in directory view (ALT-D) to be
able to view the file entry. You can search for exact names or use the asterisk (*) to add a wildcard in the search.
The more wildcard asterisks that are used in the search will cause more garbage to show up in the search results. An
extreme example would to use (* . *) in the search. This would cause every single line item to show up in the
results. Lets say you want to locate all MS-Word documents. Enter the wildcard asterisk (*) into the first field and
doc into the extension field, (*. doc). Another example would be where you are not sure of the exact file name but
know part of it. Lets say the part you know is bank. So put (*bank*) in the first field and (doc) in the extension
field. This means the program will look for files that have the extension of doc and have the word bank
somewhere in the first part of the file name.

58

Save/Restore Sector

(ww)
There is the ability to save a range of sectors to a file within the Media Editor, instead of having to go to Imaging.
When you make changes to the boot sector, or any sector, you can make a quick backup of the sector to a file. We
do recommend creating an image file volume of the entire media before making any changes. This menu option will
default to backup whatever sector you are currently on or you select a range. If you save a range of sectors, make
sure there is enough room on the destination. Restoring the file works in reverse. It will restore whatever sector file
you choose to whatever sector you are currently on.
The Fill Current Sector option will wipe out whatever sector you currently are on. If the boot sector is corrupt and
full of garbage, use the Fill option to clear it out before reconstructing. It will default to writing zeros to the sector.
You can choose a different symbol to be written to the sector. Make sure you have a backup of the sector first,
whether it is an image file volume or a single save from the above menu. Clearing the sector will eliminate every
byte in the sector. As an example, if you have a virus that just wont go away, clearing the sector and then rebuilding
the partition or boot sector is very helpful.

59

Media Wipe
Media Wipe will do a full sanitation of hard drives and removable media. Every physical sector of the media will be
overwritten with whatever pattern you choose. Choose the DOD Security Wipe to sanitize the media to the degree that the
Department of Defense requires. The DOD Security Wipe option is not sufficient for categorized Top Secret information.
We have many requests for a tool that will sanitize hard drives and other media. Media Wipe will complete this task in
minutes instead of hours. Many organizations are faced with having to trade in their fleet of leased computers. All these
systems have hard drives with data. Formatting the hard drives will not eliminate the data. Media Wipe is an easy and
efficient way of eliminating all the data.
Once Media Wipe has been run, all data from every sector will have been eliminated. Since the advancement of the World
Wide Web and exchanging of information, security of data has become a challenge for all.

(xx)
The Media Wipe screen (J) looks similar to the surface-testing screen. The buttons on the left control the actions
performed. The buttons Start, Modify, Stop, and Exit are the same as in the surface-testing screen.

Verify Once the wipe operation has completed you can use this button to verify that all sectors have been
wiped with the symbol you have selected.

60

Options (K) This allows you to modify what character you want to write to all sectors of the media and
how many times that this character is written to each sector. Choose the DOD Security Wipe to sanitize at
the level the Department of Defense requires. The DOD Security Wipe option is not sufficient for Top
Secret Classified Information. Refer to the DOD requirements for the elimination and incineration of topsecret information.

(yy)

61

Surface Test
The Surface Test will determine the mechanical status of computer hard drives and removable media. It will test the medias
surface and provide information about the media. It will give you a true picture of your medias current status.
We talk to people everyday and ask the same basic question, "Does your hard drive have a mechanical failure or logical
corruption?" Most of the time, even with seasoned professionals, they are not exactly sure of the answer. You will now be
able to answer this question yourself. If the surface test finds no mechanical problems with the media, then you know it has
to be a logical problem with the file system.

(zz)
Now you are in the surface testing area. Located in the left-hand column, are the buttons that control what you do.
As you move around the screen, the status bar at the bottom of the Surface Test window changes and gives hints as
what to do.

Start Starts the surface test on the media. When you encounter media errors, the screen will display the
number of errors that have occurred. The surface test creates a report and records the location of any errors
encountered during the surface test. It will also record other general information about your system and media
tested. You can stop the process at any time by pressing Enter or the Esc key.
STOP (WARNING) If you encounter more than 30 errors on the surface test or it is running
very slow, we strongly suggest stopping the test and go directly to Cloning and Imaging. If your
media is making strange noises or clicking noises, this can be an indication of serious media
problems such as a head crash. You do not want to create more damage. This would be
considered a serious mechanical failure. If the data is critical, only Data Recovery professionals
should handle the media at this time.

62

Modify Allows you to modify what cylinder, head and sector you can start or end with. Next to the starting
and finishing positions is the total number of Cylinders, Heads and Sector for this particular media. There is a
rule for entering finishing position values. The maximum number of Cylinders that can be entered are one less
than the total number of cylinders. Look below at image (1). This rule applies to Heads also. Use the Tab Key
or Arrow Keys on the keyboard to move between the modifiable fields. When you have finished making
modifications press enter.

(1)
You will find that sometimes the actual values that were inputted in the system BIOS and what are displayed here
are not the same. This will depend on the system BIOS and the format of the media. Most of the time it will be the
same. This can happen when the media was formatted under a different computer system and then moved to a
technician workbench.

Stop Stops the surface scan.

Exit Exits the surface scan screen and takes you back to the Media Selection screen.

63

Info Supplies more detailed information about the drive that you have selected. See the example below (2). This
information will be different for each individual Access Method selected.

(2)

64

Data Recovery Coupon

If Byte Back is not able to help in your recovery attempt from any media (hard drive, removable), you are eligible
for reduced fees on our in-house Data Recovery Services. We will deduct the cost of the software from the recovery
fee. There is a nominal diagnostic fee, which is not covered by this coupon.
Mail or ship coupon, damaged media, and copy of original invoice to:
Tech Assist, Inc.
d-r dept.
18830 US Hwy 19 N
Suite 323
Clearwater, FL. 33764
727-547-0499
Please fill out and submit the below coupon with your initial paperwork, when sending
in your drive to our Data Recovery Center. You must be a registered user to be eligible
for the reduction of recovery fees.
$$ Discount Coupon $$
This entitles the registered user a reduction in recovery fees when sending media
to Tech Assist, Inc. for Standard Data Recovery Services. This reduction in
recovery fees will be equal to the cost of Byte Back at the time user purchased the
software. Coupon will be honored up to one year from the purchase date, per
registered user. User must provide proof of purchase.

Name:
Organization:
Address:
City:
State/Province:
Zip/Postal Code:
Country:
Phone:
Fax:
Email:
Purchase Price:

65

Appendix
File System Types
Hex Value
00h
01h
02h
03h
04h
05h
06h
07h
08h
09h
0ah
0bh
0ch
0eh
0fh
10h
11h
12h
14h
16h
17h
18h
24h
3ch
40h
41h
42h
43h
50h
51h
52h
53h
54h
55h
56h
5ch
61h
61h
61h
64h
65h
75h
77h
78h
79h
80h
81h
82h
83h
84h
85h
86h

Type
Unused
FAT 12
XenixR
XenixU
FAT 16
Extend
BigDOS
NTFS
AIXbt
AIXdt
OS/2BM
FAT32
FAT32X
FAT16X
Win95X
OPUS
FAT12h
Compaq
FAT16h
FAT16h
NTFSh
AstWin
NecDOS
PQrcv
Venix
DR_Mnx
DR_SFS
DR_Lin
DskMng
Nvl1
CP/M
DMAux3
DM6
EzDrv
GldnBw
Priam
SpdStr
HURD
DSKSec
Nvl286
Nvl386
PC/IX
QNX4.x
QNX4x2
QNX4x3
Mnx14a
MnxOld
LinSwp
Linux
OS/2h
LinExt
NTFSv

Description
Empty
DOS 12-bit FAT
XENIX /
XENIX /usr
DOS 16-bit FAT <32M
DOS Extended
DOS 16-bit FAT >=32M
HPFS / NTFS
AIX boot or SplitDrive
AIX data or Coherent
OS/2 Boot Manager
Win95 FAT32
Win95 FAT32 (LBA)
Win95 FAT16 (LBA)
Win95 Extended (LBA)
OPUS
Hidden DOS FAT12
Compaq diagnostics
Hidden DOS FAT16
Hidden DOS FAT16 (big)
Hidden HPFS/NTFS
AST Windows swapfile
NEC DOS
PartitionMagic recovery
Venix 80286
Linux/MINIX (sharing disk with DRDOS)
SFS or Linux swap (sharing disk with DRDOS)
Linux native (sharing disk with DRDOS)
DM (disk manager)
DM6 Aux1 (or Novell)
CP/M or Microport SysV/AT
DM6 Aux3
DM6
EZ-Drive (disk manager)
Golden Bow (disk manager)
Priam Edisk (disk manager)
SpeedStor
GNU HURD or Mach or Sys V/386 (such as ISC UNIX)
DiskSecure Multi-Boot
Novell Netware 286
Novell Netware 386
PC/IX
QNX4.x
QNX4.x 2nd part
QNX4.x 3rd part
MINIX until 1.4a
MINIX / old Linux
Linux swap
Linux native
OS/2 hidden C: drive
Linux extended
NTFS volume set
66

Hex Value
87h
93h
94h
a0h
a5h
a6h
a7h
b7h
b8h
c1h
c4h
c6h
c7h
dbh
e1h
e3h
e4h
Ebh
f1h
f2h
f4h
feh
ffh

Type
NTFSV
Ameoba
AmbBBT
IBMPad
BSD386
OpnBSD
NeXT
BSDI
BSDIsw
DRDOS1
DRDOS2
DRDOS3
Syrinx
CP/M
SpdStr
DOS RO
SpdS16
BeOS
SpdStr
DOS3.3
SpdStr
SpdStr
XnxBBT

Description
(Continued)
NTFS volume set
Amoeba
Amoeba BBT
IBM Thinkpad hibernation
BSD/386
OpenBSD
NeXTSTEP 486
BSDI fs
BSDI swap
DRDOS/sec (FAT-12)
DRDOS/sec (FAT-16, < 32M)
DRDOS/sec (FAT-16, >= 32M)
Syrinx
CP/M or Concurrent CP/M or Concurrent DOS or CTOS
DOS access or SpeedStor 12-bit FAT extended partition
DOS R/O or SpeedStor
SpeedStor 16-bit FAT extended partition < 1024 cyl.
BeOS fs
SpeedStor
DOS 3.3+ secondary
SpeedStor large partition
SpeedStor >1024 cyl. or LANstep
Xenix Bad Block Table

67

Media Worksheet

Model
Serial Number
BIOS Access Cylinder:
IDE Access Cylinder:
Total Physical Sectors
Location For:
Partition Table
Boot Sector
Backup Boot (Fat32)
FAT1
FAT2
Root Directory
Start of Data Area

CHS=LBA
Cyl:
Cyl:
Cyl:
Cyl:
Cyl:
Cyl:
Cyl:

Head:
Head:

Sector:
Sector:

Head:
Head:
Head:
Head:
Head:
Head:
Head:

Sector:
Sector:
Sector:
Sector:
Sector:
Sector:
Sector:

LBA:
LBA:
LBA:
LBA:
LBA:
LBA:
LBA:

Start LBA

Finish CHS

Sectors

Partition Table
Bootable

System

Start CHS

/
/
/
/

/
/
/
/

/
/
/
/

Size

/
/
/
/

Boot Sector
OEM Name
Bytes Per Sector
Sector Signature
Jump Code
Sectors Per Cluster
Media Descriptor
Sectors Per Track
Number of Heads
Volume SN
Reserved Sectors
Number of Fats(Fat16)
Root Entry Count
Total Sectors (16bit)
Sectors Per Fat (16bit)

Hidden Sectors
Total Sectors (32bit)
Drive Number
Extended Signature
Volume Label
File System Type
Sectors Per Fat (Fat32)
Number of Fats (Fat32)
Mirrored Fats (Fat32)
FS Ver (Minor) (Fat32)
FS Ver (Major) (Fat32)
Root Cluster (Fat32)
Info Sector (Fat32)
Backup Sector (Fat32)

68

Byte Back License Agreement

READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE
RUNNING THE COMPUTER SOFTWARE HEREIN, AND THE ACCOMPANYING USER
DOCUMENTATION (THE "PROGRAM"). THE PROGRAM IS COPYRIGHTED AND LICENSED (NOT
SOLD). BY RUNNING THE PROGRAM, YOU ARE ACCEPTING AND AGREEING TO THE TERMS OF
THIS LICENSE AGREEMENT. IF YOU ARE NOT WILLING TO BE BOUND BY THE TERMS OF THIS
LICENSE AGREEMENT, YOU SHOULD PROMPTLY DELETE THE SOFTWARE AND ACCOMPANYING
FILES. THIS LICENSE AGREEMENT REPRESENTS THE ENTIRE AGREEMENT CONCERNING THE
PROGRAM BETWEEN YOU AND TECH ASSIST, INC. (REFERRED TO AS "LICENSOR"), AND IT
SUPERSEDES ANY PRIOR PROPOSAL, REPRESENTATION, OR UNDERSTANDING BETWEEN THE
PARTIES.
1. License Grant. Licensor hereby grants to you, and you accept, a nonexclusive license to use the Program
Diskettes and the computer programs contained therein in machine-readable, object code form only (collectively
referred to as the "Software"), and the accompanying User Documentation, only as authorized in this License
Agreement. You agree that you may not reverse assemble, reverse compile, or otherwise translate the Software.
2. Licensor's Rights. You acknowledge and agree that the Software and the User's Manual are proprietary products
of Licensor protected under U.S. and International copyright law. You further acknowledge and agree that all right,
title, and interests in and to the Program, including associated intellectual property rights, are and shall remain with
Licensor. This License Agreement does not convey to you an interest in or to the Program, but only a limited right
of use revocable in accordance with the terms of this License Agreement.
3. License Fees. The license fees paid by you are paid in consideration of the licenses granted under this License
Agreement. If you received the software for demonstration purposes and/or no fee was charged, this in no way
effects the terms of this agreement.
4. Term. This License Agreement is effective upon your receiving the software, either on disk or by electronic
transfer of any type and shall continue until all copies of the software are deleted. You may terminate this License
Agreement at any time by deleting the Program and all copies thereof and extracts therefrom. Licensor may
terminate this License Agreement upon the breach by you of any term hereof. Upon such termination by Licensor,
you agree to return to Licensor the Program and all copies and portions thereof.
5. Limited Warranty. The software is supplied without any warranty. You agree that the foregoing constitutes your
sole and exclusive remedy for breach by Licensor of any warranties made under this Agreement. EXCEPT FOR
THE WARRANTIES SET FORTH ABOVE, THE PROGRAM, AND THE SOFTWARE CONTAINED
THEREIN, ARE LICENSED "AS IS," AND LICENSOR DISCLAIMS ANY AND ALL OTHER WARRANTIES,
WHETHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES
OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
6. Limitation of Liability. Licensor's cumulative liability to you or any other party for any loss or damages resulting
from any claims, demands, or actions arising out of or relating to this Agreement shall not exceed the license fee
paid to Licensor for the use of the Program. In no event shall Licensor be liable for any indirect, incidental,
consequential, special, or exemplary damages or lost profits, even if Licensor has been advised of the possibility of
such damages. SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR
INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY
NOT APPLY TO YOU.
7. Trademark. Byte Back is a registered trademark of Licensor. No right, license, or interest to such trademark is
granted hereunder, and you agree that you shall assert no such right, license, or interest with respect to such
trademark.
8. Governing Law. This License Agreement shall be construed and governed in accordance with the laws of the
State of GEORGIA (USA).
69

9. Costs of Litigation. If any action is brought by either party to this License Agreement against the other party
regarding the subject matter hereof, the prevailing party shall be entitled to recover, in addition to any other relief
granted, reasonable attorney fees and expenses of litigation.
10. Severability. Should any court of competent jurisdiction declare any term of this License Agreement void or
unenforceable, such declaration shall have no effect on the remaining terms hereof.
11. No Waiver. The failure of either party to enforce any rights granted hereunder or to take action against the other
party in the event of any breach hereunder shall not be deemed a waiver by that party as to subsequent enforcement
of rights or subsequent actions in the event of future breaches.
2000-2002 Tech Assist, Inc. All Rights Reserved

70