Friday, April 22, 2011

Backing up and restoring a hard drive’s hidden sectors

A computer hard drive typically contains 63 hidden sectors at the very beginning, the first sector containing the master boot record (MBR) and the remaining sectors being potentially used for a variety of purposes. Linux boot code (GRUB/LILO) may go here, and some Windows programs will sneakily write data to these hidden sectors to hide license information and to prevent abuse of time-limited trial versions. Before messing around with the contents of these sectors, it is recommended to back them up to a file so that you can restore them if things don't work out quite as planned.

Tools you will need:

How to back up the hidden sectors
  1. With the USB drive plugged in, insert the rescue CD and reboot your computer.

  2. At the command prompt, find the name of the drive whose sectors you will be backing up. Type the command:
sudo fdisk -l

(Note: the character at the end is the letter ’l’, as in “lettuce”)

You will see a list of connected drives. Find the name of the drive (looking at the drive capacity should give you a hint). The drive name will be something like /dev/sdx. Also take note of the name of your USB drive and its main partition number.

  3. Mount the USB drive so you can work with it. Type the following commands:
sudo mkdir /mnt/USBDrive
sudo mount /dev/<USB Drive Partition> /mnt/USBDrive

where <USB Drive Partition> is the USB drive’s main partition, e.g. /dev/sdb1.

  4. Now we will save the contents of those hidden sectors to a file on the USB drive:
sudo dd if=<Drive Name> of=/mnt/USBDrive/first63sectors.bak bs=512 count=63

where <Drive Name> is the name of the hard drive, e.g. /dev/sda. Note that there is no partition number at the end of the drive name; we are copying from the beginning of the drive itself!

  5. Reboot the computer:
sudo reboot

If you like, you can now inspect the file you created with a Hex Editor (XVI32 for Windows is a good one) to see what mysterious entries might exist after the MBR.


How to restore the hidden sectors
  1. Start by following steps 1, 2 and 3 in the previous example.
  2. Now we will restore the backup that you previously made:
sudo dd if=/mnt/USBDrive/first63sectors.bak of=<Drive Name> bs=512 count=63

where <Drive Name> is the name of the hard drive, e.g. /dev/sda.

Everything should now be back to where it was before you started messing with it.

NOTE: These examples assume the hard drive has 512-byte sectors. Newer hard drives (1 TB+) may have 4096-byte sectors, in which case you may need to update the “bs=512” parameter accordingly.
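A read-only check worth running before the restore command, as an added example that is not part of the original post: it confirms the backup file is exactly 63 sectors with the MBR boot signature (55 aa) at the end of sector 0, and lists which sectors a restore would actually change. Sector 0 also holds the partition table, so seeing 0 in that list means the restore rewrites it. The script name check63.sh and both function names are made up for this example, and 512-byte sectors are assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes 512-byte sectors and
# the 63-sector backup size used in the post.
SECTOR=512
COUNT=63

# check_backup FILE
# Succeeds only if FILE is exactly 63 sectors long and sector 0 ends with the
# MBR boot signature 55 aa at byte offsets 510-511.
check_backup() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -ne $((SECTOR * COUNT)) ]; then
        echo "unexpected size: $size bytes" >&2
        return 1
    fi
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$sig" != "55aa" ]; then
        echo "no MBR signature in sector 0 (found: $sig)" >&2
        return 1
    fi
    return 0
}

# changed_sectors BACKUP SOURCE
# Prints the 0-based numbers of the sectors where BACKUP differs from the
# first 63 sectors of SOURCE (a drive such as /dev/sda, or an image file).
# Prints an empty line when they are identical. Reads only, never writes.
changed_sectors() {
    dd if="$2" bs="$SECTOR" count="$COUNT" 2>/dev/null | cmp -l "$1" - 2>/dev/null |
        awk -v s="$SECTOR" '{ n = int(($1 - 1) / s)
                              if (!(n in seen)) { seen[n] = 1; printf "%s%d", sep, n; sep = " " } }
                            END { print "" }'
}

# Usage (hypothetical file name): sudo sh check63.sh /mnt/USBDrive/first63sectors.bak /dev/sda
if [ "$#" -eq 2 ]; then
    check_backup "$1" && echo "sectors that a restore would change: $(changed_sectors "$1" "$2")"
fi
```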
