Recover files from USB RAW partition

(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

Hi all,

I have an SD card with important files on it. Whenever I plug it in on Windows, it comes up with this message (or something similar):

"The drive cannot be used and must be formatted. Do you want to do so?"

No! I have important files in there, and I want to recover them first!

The drive appears in Device administration. I have dumped the contents to a drive image and tried to analyze its contents with both OSForensics and Autopsy.
No success so far.

Is there any way in which I can dig into the RAW drive and recover the files prior to formatting the card?

Many thanks!

 
Posted : 24/08/2019 7:19 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

You can try a couple file/filesystem recovery tools on the image, namely Testdisk, Photorec and DMDE.
https://www.cgsecurity.org/wiki/TestDisk
https://www.cgsecurity.org/wiki/PhotoRec
https://dmde.com/

Of course it depends on the contents and the kind of corruption that happened: you may be able to either rebuild the filesystem or only recover some files (possibly losing names and metadata) or recover nothing.

Since you are not familiar with the tools, try DMDE first, as it is GUI and while needing anyway some knowledge of the working of the tool and of the filesystem structure it should give you at least a good overview of what is there.

If software tools cannot find anything (in the image) there is still the possibility of hardware recovery, but for that you will need to find a specialized laboratory. There are "special" readers (if the actual controller still works) and, if really needed, an SD card can usually be opened and a direct extraction of the memory be performed, but if you managed to make the image, probably these latter approaches are not needed and software recovery will be enough.

jaclaz

 
Posted : 24/08/2019 8:14 am
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

> You can try a couple file/filesystem recovery tools on the image, namely Testdisk, Photorec and DMDE.
> https://www.cgsecurity.org/wiki/TestDisk
> https://www.cgsecurity.org/wiki/PhotoRec
> https://dmde.com/
>
> Of course it depends on the contents and the kind of corruption that happened: you may be able to either rebuild the filesystem or only recover some files (possibly losing names and metadata) or recover nothing.
>
> Since you are not familiar with the tools, try DMDE first, as it is GUI and while needing anyway some knowledge of the working of the tool and of the filesystem structure it should give you at least a good overview of what is there.
>
> If software tools cannot find anything (in the image) there is still the possibility of hardware recovery, but for that you will need to find a specialized laboratory. There are "special" readers (if the actual controller still works) and, if really needed, an SD card can usually be opened and a direct extraction of the memory be performed, but if you managed to make the image, probably these latter approaches are not needed and software recovery will be enough.
>
> jaclaz

I don't mind losing the filenames. I thought it would be easier to fix the filesystem or the damaged partition. Don't the usual chkdsk or diskpart tools that come with Windows work?

As to rebuilding the filesystem… do I need these tools or can I use other techniques and tools?

Thank you so much for the info. I'll test the software and post the results.

Your help is much appreciated.

Best!

 
Posted : 24/08/2019 9:25 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> I don't mind losing the filenames. I thought it would be easier to fix the filesystem or the damaged partition. Don't the usual chkdsk or diskpart tools that come with Windows work?
>
> As to rebuilding the filesystem… do I need these tools or can I use other techniques and tools?
>
> Thank you so much for the info. I'll test the software and post the results.
>
> Your help is much appreciated.
>
> Best!

It greatly depends on the type (and extension) of the corruption.

Testdisk will (should) be able to repair damages to the MBR partition table and possibly also to the VBR and its BPB (which sometimes is enough to have the volume recognized by - say - chkdsk [1]).
Photorec is more like a carving tool and will only recover files (provided that they are contiguous).
DMDE can do both the above, it actually has a couple options for filesystem reconstruction that are usually very handy.

Diskpart and chkdsk are very, very "picky": a single corrupted byte may make one or the other simply not recognize the disk or the volume(s). Likewise, an assumption made by many forensic tools is that the source is "sound". To each its own; both can be run on a copy of the image, of course, but don't even think of running either before having attempted recovery with appropriate recovery tools.

The fact that you managed to make an image (of course the image contents have to be seen, if it's all 00 it is a non-image) is a good sign: it should mean that the SD card controller and the flash in the card are fine.

jaclaz

[1] chkdsk, when it recognizes the volume, is a very good tool to repair the filesystem, but it is NOT a recovery tool and additionally, since it is essentially a "black box", you will never know if in order to repair the filesystem it will make some otherwise recoverable files go "poof".

 
Posted : 24/08/2019 3:40 pm
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

So far chkdsk says

Filesystem is RAW.
Chkdsk is not available for RAW drives

Thanks, Chkdsk XD

 
Posted : 24/08/2019 4:13 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

I would start with data carving.

If data carving finds file starts it gives hope there is something to be found and that the chip can still be read. If the chip has failed, or is encrypted, then carving will probably not find anything.

As has been said above, some files are normally continuous - many photos are, so carving works. Many video files are not continuous, and drones/GoPro often have literally hundreds of fragments. However, carving would find a header, and so you know what you have.

A common failure with SD cards and FAT32 is that the start of the chip is overwritten. This can mean that the FAT is also lost, and so you are no better than with carving. If the FAT is intact, file system recovery is worth considering.

 
Posted : 24/08/2019 5:29 pm
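
Added example (not part of the thread, and not code from any of the tools named in it): a sector-aligned scan of a raw card dump that counts file starts and notes any surviving FAT32 boot sector, which is the "is there anything to find" check described in the post above. The function names, the signature list and the sample dump are assumptions constructed for illustration.

```python
import io
from collections import Counter

SECTOR = 512
# Magic bytes at offset 0 of common file types (files start on sector boundaries in FAT).
FILE_MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}

def classify(sec):
    # Label a sector that starts a known file type or looks like a FAT32 boot sector.
    if sec[510:512] == b"\x55\xaa" and sec[82:90] == b"FAT32   ":
        return "fat32_boot"
    if sec[4:8] == b"ftyp":  # ISO media (MP4/MOV) box header
        return "mp4"
    for name, magic in FILE_MAGIC.items():
        if sec.startswith(magic):
            return name
    return None

def scan_image(stream):
    # Walk the dump one sector at a time; count file starts, record boot sector positions.
    hits, boot_sectors, n = Counter(), [], 0
    while len(sec := stream.read(SECTOR)) == SECTOR:
        label = classify(sec)
        if label == "fat32_boot":
            boot_sectors.append(n)
        elif label:
            hits[label] += 1
        n += 1
    return hits, boot_sectors

def constructed_sample():
    # Constructed dump: first 32 sectors zeroed (overwritten start), a surviving FAT32
    # backup boot sector at sector 38, then two JPEG starts and one MP4 start.
    img = bytearray(64 * SECTOR)
    boot = bytearray(SECTOR)
    boot[82:90], boot[510:512] = b"FAT32   ", b"\x55\xaa"
    img[38 * SECTOR:39 * SECTOR] = boot
    for s in (40, 48):
        img[s * SECTOR:s * SECTOR + 4] = b"\xff\xd8\xff\xe0"
    img[50 * SECTOR + 4:50 * SECTOR + 8] = b"ftyp"
    return bytes(img)

if __name__ == "__main__":
    print(scan_image(io.BytesIO(constructed_sample())))
```

On a real dump, pass a file opened in binary mode instead of the constructed sample. No hits at all across the whole image points at an unreadable or encrypted chip, or at a bad image, rather than at filesystem damage.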
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

Hi!

I'm trying with carving. I have dumped the whole contents of the SD to a big file. Then I have loaded the file in Autopsy, but it doesn't find anything.

Am I missing something?

Best!

 
Posted : 24/08/2019 7:10 pm
(@fissa)
Posts: 27
Eminent Member
 

Mount the image with (example) Arsenal Image Mounter. Then run photorec over it?

How did you make the image? Can you check the logs to see if there are errors?

 
Posted : 24/08/2019 7:48 pm
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

> Mount the image with (example) Arsenal Image Mounter. Then run photorec over it?
>
> How did you make the image? Can you check the logs to see if there are errors?

Hi.

I created the image with WinImage 9.0. No errors nor warnings.

No matter which software I use, it doesn't detect anything.

With Arsenal Image Mounter I get

Id 000000
DiskDevice PhysicalDrive1
Signature 00000000
Partition Layout None
Disk Size 59,47 GB
Fixed/removable Fixed Disk
Volumes <blank_field>
Mount Points <blank_field>

Thanks!

 
Posted : 24/08/2019 10:07 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> I created the image with WinImage 9.0. No errors nor warnings.

Hmmm.

WinImage is like the least suitable tool to make an image of a defective media.

I would not be surprised if your image was all 00's, that could be EITHER an issue with the imaging tool or with the actual device.

You should use a dd of sorts or however a suitable tool.

Under Windows you can use

https://www.datarescue.com/photorescue/v3/drdd.htm

But you can also use directly DMDE to make the image.

Try making another image, and try using the suggested tools.

jaclaz

 
Posted : 25/08/2019 8:29 am
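
Added example (not part of the thread, and not code from any of the tools named in it): a quick sanity check of a raw dump before any recovery tool is run on it, covering the "all 00" case raised above and the sector 0 fields (boot signature, disk signature, partition entries) that a mounting tool summarises. The function names and the sample images are assumptions constructed for illustration.

```python
import io
import struct

SECTOR = 512

def zero_fraction(stream, chunk=1 << 20):
    # Share of 0x00 bytes in the dump; 1.0 means the "image" holds no data at all.
    total = zeros = 0
    while buf := stream.read(chunk):
        total += len(buf)
        zeros += buf.count(0)
    return zeros / total if total else 1.0

def parse_mbr(sec0):
    # Sector 0 fields: 0x55AA boot signature, disk signature, four 16-byte entries.
    parts = []
    for off in range(446, 510, 16):
        lba, count = struct.unpack_from("<II", sec0, off + 8)
        if sec0[off + 4]:  # partition type 0x00 marks an unused slot
            parts.append({"type": sec0[off + 4], "lba": lba, "sectors": count})
    return {"boot_sig_ok": sec0[510:512] == b"\x55\xaa",
            "disk_signature": struct.unpack_from("<I", sec0, 440)[0],
            "partitions": parts}

def triage(stream):
    sec0 = stream.read(SECTOR).ljust(SECTOR, b"\x00")
    stream.seek(0)
    report = dict(parse_mbr(sec0), zero_fraction=zero_fraction(stream))
    if report["zero_fraction"] == 1.0:
        report["verdict"] = "all zeros: not a usable image, re-image the card"
    elif not (report["boot_sig_ok"] and report["partitions"]):
        report["verdict"] = "data present, no partition table: use recovery tools"
    else:
        report["verdict"] = "partition table present"
    return report

def constructed_samples():
    # Constructed inputs: all-zero dump, wiped sector 0, intact MBR (FAT32 LBA at 8192).
    m = bytearray(SECTOR)
    struct.pack_into("<I", m, 440, 0x1234ABCD)
    m[446 + 4] = 0x0C
    struct.pack_into("<II", m, 446 + 8, 8192, 1_000_000)
    m[510:512] = b"\x55\xaa"
    return {"blank": bytes(8 * SECTOR),
            "wiped_start": bytes(SECTOR) + b"\xff\xd8\xff\xe0" * 128,
            "intact": bytes(m) + bytes(SECTOR)}

if __name__ == "__main__":
    for name, img in constructed_samples().items():
        print(name, triage(io.BytesIO(img))["verdict"])
```

Run it against a copy of the dump opened read-only in binary mode. A zeroed sector 0 with data further in is the case where partition and filesystem recovery tools or carving still have something to work on.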