±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36115
New Yesterday: 0 Visitors: 104

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Recover files from USB RAW partition

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2, 3  Next 
  

banderas20
Member
 

Recover files from USB RAW partition

Post Posted: Aug 24, 19 07:19

Hi all,

I have an SD card with important files on it. Whenever I plug it in windows, it comes up with this message (or st similar):

"The drive cannot be used and must be formatted. ¿Do you want to do so?"

No! I have important files in there, and I want to recover them first!

The drive appears in Device administration. I have dumped the contents to a drive image and tried to analyze its contens with either OSForensics and Autopsy.
No success so far Sad

Is there any way in which I can dig into the RAW drive, recover the files prior to formatting the card?

Many thanks!  
 
  

jaclaz
Senior Member
 

Re: Recover files from USB RAW partition

Post Posted: Aug 24, 19 08:14

You can try a couple file/fiesystem recovery tools on the image, namely Testdisk, Photorec and DMDE.
www.cgsecurity.org/wiki/TestDisk
www.cgsecurity.org/wiki/PhotoRec
dmde.com/

Of course it depends on the contents and the kind of corruption that happened you may be able to either rebuild the filesystem or only recover some files (possibly losing names and metadata or recover nothing.

Since you are not familiar with the tools, try DMDE first, as it is GUI and while needing anyway some knowledge of the working of the tool and of the filesystem structure it should give you at least a good overview of what is there.

If software tools cannot find anything (in the image) there is still the possibility of hardware recovering, but for that you will need to find a specialized laboratory, there are "special" readers (if the actual controller still work) and if really needed an SD card can usually be opened and a direct extraction of the memory be performed, but if you managed to make the image, probably this latter approaches are not needed and software recovery will be enough.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

banderas20
Member
 

Re: Recover files from USB RAW partition

Post Posted: Aug 24, 19 09:25

- jaclaz
You can try a couple file/fiesystem recovery tools on the image, namely Testdisk, Photorec and DMDE.
www.cgsecurity.org/wiki/TestDisk
www.cgsecurity.org/wiki/PhotoRec
dmde.com/

Of course it depends on the contents and the kind of corruption that happened you may be able to either rebuild the filesystem or only recover some files (possibly losing names and metadata or recover nothing.

Since you are not familiar with the tools, try DMDE first, as it is GUI and while needing anyway some knowledge of the working of the tool and of the filesystem structure it should give you at least a good overview of what is there.

If software tools cannot find anything (in the image) there is still the possibility of hardware recovering, but for that you will need to find a specialized laboratory, there are "special" readers (if the actual controller still work) and if really needed an SD card can usually be opened and a direct extraction of the memory be performed, but if you managed to make the image, probably this latter approaches are not needed and software recovery will be enough.

jaclaz


I don't mind losing the filenames. I thought it would be easier to fix the filesystem or the damaged partition. ¿Doesn't it work the usual chkdk or diskpart tools that come with Windows?

As to rebulid the filesystem...do I need these tools or can I use other techniques and tools?

Thank you so much for the info. I'll test the softwares and post the results.

Very appreciated for your help.

Best!  
 
  

jaclaz
Senior Member
 

Re: Recover files from USB RAW partition

Post Posted: Aug 24, 19 15:40

- banderas20

I don't mind losing the filenames. I thought it would be easier to fix the filesystem or the damaged partition. ¿Doesn't it work the usual chkdk or diskpart tools that come with Windows?

As to rebulid the filesystem...do I need these tools or can I use other techniques and tools?

Thank you so much for the info. I'll test the softwares and post the results.

Very appreciated for your help.

Best!

It greatly depends on the type (and extension) of the corruption.

Testdisk will (should) be able to repair damages to the MBR partition table and possibly also to the VBR and its BPB (which sometimes is enough to have the volume recognized by - say - chkdisk [1]).
Photorec is more like a carving tool and will only recover files (provided that they are contiguous).
DMDE can do both the above, it actually has a couple options for filesystem reconstruction that are usually very handy.

Diskpart and chkdisk are very, very "picky", a single byte corrupted may make the one or the other simply not recognize the disk or the volume(s), as well an assumption made by many forensic tools is that the source is "sound", to each its own, both can be run on a copy of the image, of course, but don't even think of running either before having attempted rcovery with appropriate recovery tools.

The fact that you managed to make an image (of course the image contents have to be seen, if it's all 00 it is a non-image) is a good sign, it should mean that the SD card controller and the flash in the card is fine.

jaclaz




[1] chkdisk, when it recognizes the volume is a very good tool to repair the filesystem, but it is NOT a recovery tool and additionally, since it is essentially a "black box", you will never know if in order to repair the filesystem it will make some otherwise recoverable files go "poof".
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

banderas20
Member
 

Re: Recover files from USB RAW partition

Post Posted: Aug 24, 19 16:13

So far chkdsk says:

Code:
Filesystem is RAW.
Chkdsk in not available for RAW drives

Thanks, Chkdsk XD  
 
  

mscotgrove
Senior Member
 

Re: Recover files from USB RAW partition

Post Posted: Aug 24, 19 17:29

I would start with data carving.

If data carving finds file starts it gives hope there is something to be found and that the chip can still be read. If the chip has failed, or is encrypted, then carving will probably not find anything.

As has been said above, some file are normally continuous - many photos are, so carving works. Many video files are not continuous, and drones/GoPro often have literally hundreds of fragments. However, carving would find a header, and so you know what you have.

A common failure with SD cards and FAT32 is that the start of the chip is overwritten. This can mean that the FAT is also lost, and so you are no better than with carving. If the FAT is intact, file system recovery is worth considering.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 
 
  

banderas20
Member
 

Re: Recover files from USB RAW partition

Post Posted: Aug 24, 19 19:10

Hi!

I'm trying with carving. I have dumped the whole contents of the SD to a big file. Then I have loaded the file in Autopsy, but it doesn't find anything.

¿Am I missing something?

Best!  
 

Page 1 of 3
Page 1, 2, 3  Next