Recovering data fro...
 
Notifications
Clear all

Recovering data from a flash drive

10 Posts
7 Users
0 Likes
614 Views
 Lain
(@lain)
Posts: 5
Active Member
Topic starter
 

I have a CruiserMini 512MB that might or might not have had a file overwritten (I haven't been able to check yet.) I just want to know if it is at all possible to retrieve that data or not.

 
Posted : 15/06/2006 2:04 am
Troy
 Troy
(@troy)
Posts: 1
New Member
 

I have successfully recovered deleted files from flash drives. I use both open source tools, (Helix, Sleuth Kit, etc.), and ILook Investigator. I used three different flash drives to test various methods of imaging w/ dd, using information from Barry Grundy's document, "A Beginner's Guide to Linux for LE and Forensic Exmainers" from the Helix CD.

http//www.e-fense.com/helix/Docs/Law.Enforcement.Linux.Intro.2.0.5.pdf

I have also recoverd deleted data from suspect flash drives as well. The process will be the same as a standard HDD.

 
Posted : 15/06/2006 3:41 am
iruiper
(@iruiper)
Posts: 145
Estimable Member
 

You can also do it by using EnCase, but you have to make the acquisition in DOS mode.

 
Posted : 15/06/2006 5:01 pm
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

the free ftk imager can recognize deleted files on flash/thumb drives as well

http//www.accessdata.com/support/downloads/

 
Posted : 15/06/2006 9:36 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

You don't necessarily need to make the acquisition in DOS. The Windows XP SP2 registry hack works well. I’ve tried and tested it and never managed to write to any USB removable media using it.

You can invest in a Tableu USB hardware write blocker if you like, that also works quite well.

The Sandisk CruiserMini 512MB will have a FAT32 file system, so just like any device with this file system, deleted files are often recoverable (depending on the amount of use its had since deletion).

Andy

 
Posted : 15/06/2006 11:13 pm
 Lain
(@lain)
Posts: 5
Active Member
Topic starter
 

The Sandisk CruiserMini 512MB will have a FAT32 file system, so just like any device with this file system, deleted files are often recoverable (depending on the amount of use its had since deletion).

Andy

Actually mine is reading at a FAT16. I am running a scan on it at work today. *Ive been busy and lost my drive in my car for a week so I haven't been able to check it out* I will update when i get it all sorted out. I am using Access Data FTW 1.61 Trial version.

 
Posted : 29/06/2006 4:08 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Whether the file system on a particular thumb drive is FAT32 or FAT16 is pretty much irrelevant. Image the device with FTK Imager, dd, ProDiscover/IR, whatever…you'll be able to see the deleted files.

H

 
Posted : 29/06/2006 4:15 pm
 Lain
(@lain)
Posts: 5
Active Member
Topic starter
 

I know its irrelevant -p

I ran the FTK and I can see what I want to extract but it is saying there is no data in it (. Will the imager help that?

 
Posted : 29/06/2006 4:18 pm
 Lain
(@lain)
Posts: 5
Active Member
Topic starter
 

UPDATE!!!

Sadly I was unable to retrieve the data. From what it looks like the file just got overwritten when I lost the data.

So sadly the data I fear is unrecoverable.

 
Posted : 29/06/2006 5:14 pm
steve862
(@steve862)
Posts: 194
Estimable Member
 

Lain,

Any chance the computer you used when creating (or editing) that lost document might still contain parts or much of the document in the swapfile or in a temp file? Or is that overkill? I got the impression from your post the document was pretty valuable and might be worth the time, if you have the PC and it was pretty recent.

Steve

 
Posted : 29/06/2006 5:58 pm
Share: