12GB on 32GB microS...
 
Notifications
Clear all

12GB on 32GB microSD card from Samsung missing  

  RSS
komatsu
(@komatsu)
New Member

re data recovery from microSD card which was being used by Samsung Galaxy S4 phone

User let card fill up to maximum capacity with .jpeg and .mp4 files. ( I suspect this is root-cause of the data loss)

Card is detected by Windows.

Stellar Phoenix can get back around 20 gb but user is convinced that there is anther 12GB of missing photos.

What step should I try next? (would really appreciate any suggestions)

Quote
Posted : 25/01/2015 3:31 am
a.nham
(@a-nham)
Junior Member

I know this sounds completely rudimentary, but have you already looked at the card on a linux or unix based OS. It is possible that you have two, if not more, partitions on the disk, and only one of which is readable by Windows.

A simple "fdisk -l" from the terminal before and after plugging into the computer should be enough. Run the first one to know what you already have plugged in. Plug in and run again. Compare that against the second one, whatever is new is your newly plugged in SD card. If you see that this new device has multiple [email protected]# (where @ is a letter and # is a number) for your newly found device, then there is more data. This command should also be able to give you a hint into the actual size of the SD card.

ReplyQuote
Posted : 25/01/2015 5:28 am
komatsu
(@komatsu)
New Member

Thanks A.

The best troubleshooting always goes back to basics!

I have tried it on a Mac and got the same result.

Would using something like Ubunto be better?

ReplyQuote
Posted : 25/01/2015 5:36 am
a.nham
(@a-nham)
Junior Member

I doubt it will make much of a difference, unless it's one of the new ext formats that mac does not natively recognize. Would it be possible for you to post what you got back from your terminal concerning this device? I want to know if Windows/Mac recognizes all the sectors of the card as total of about 32Gb card.

If it does show as about 32gb, then you might want to file carve one more time with another program, just in case the one you just used missed something (Of course i suggest working of a image of that card, if possible). Most of the forensic suites have one, and the open source scalpel tool works very well too.

You might also want to ask your client if the files he or she is sure the card only contained JPEGs and MP4s, many things like proprietary picture formats and game contents are not currently carvable.

ReplyQuote
Posted : 25/01/2015 6:22 am
komatsu
(@komatsu)
New Member

A, "fdisk -1" did not work. I am not sure if you mean "-1" or "-l"

However, the command "diskutil list" shows

0 fdisk_partition-scheme 33.6GB disk1
1 Windows_FAT_32 NO NAME 33.6GB disk1s1

ReplyQuote
Posted : 25/01/2015 6:44 am
a.nham
(@a-nham)
Junior Member

yes, i meant to say fdisk -l, sry if I confused you on that.

Well, its good news that is shows 32gb; I initially thought it was only recognized by Windows as a 20gb drive.

In this case, I would definitely try doing a file carve on the unallocated and slack space to see if it give you anything more. I would probably go ahead and carve for other video and picture formats, just in case. Other than that, I am really not such there is much else you can do, at least not by yourself.

ReplyQuote
Posted : 25/01/2015 7:40 am
jaclaz
(@jaclaz)
Community Legend

What step should I try next? (would really appreciate any suggestions)

What I would do (which not necessarily is what you should do) would be to try have a second and then a third opinion.
Namely, I would try (of course after having made add-like or "forensic sound" sector-by-sector image of the card) running Photorec
http//www.cgsecurity.org/wiki/PhotoRec
(to recover again what is recoverable)
AND dmde
http//dmde.com/
(to understand if the issue is connected with plain filesystem corruption - like bad FAT tables - or by some other issue - let's say a wrong value in the volume extents or the like).
Then I would double (and triple) check the integrity of the recovered images, and then try using "negative approach".
Once you are sure that the recovered images are "good", I would zero out the sectors occupied by them on the filesystem, and then try running again.

The making of the device image(s), besides allowing to witpe/delete areas without losing original data may also give you a good indication of possible hardware issues, like inaccessible sectors/areas.

jaclaz

ReplyQuote
Posted : 25/01/2015 2:56 pm
komatsu
(@komatsu)
New Member

DMDE (lastest version) imaging freezes at 60 per cent mark…

I will try now imaging using Photorec

ReplyQuote
Posted : 25/01/2015 9:07 pm
jaclaz
(@jaclaz)
Community Legend

DMDE (lastest version) imaging freezes at 60 per cent mark…

This is not a good sign ( , as it implies that there is a hardware issue of some kind, which BTW would be roughly consistent with the 12 Gb missing, as 20/32=62.5 %

I will try now imaging using Photorec

Well, no.
Photorec does not make an image of a device, it attempts to recover files that it believes being of the type selected.

You may want to try using ddrescue or similar to create the device image (or as much as possible out of it).
Some references
http//www.msfn.org/board/topic/170288-lost-partition-and-filesystem-problem-with-adata-sh14-disk/?p=1059909

jaclaz

ReplyQuote
Posted : 25/01/2015 9:29 pm
mscotgrove
(@mscotgrove)
Senior Member

I would want to rule out the possibility of it being a fake memory chip. This is when a small memory chip is modified to look like a big memory chip - I have come across several such micro SD cards, but typically labelled 64GB - with 4GB or 8GB actual memory.

As others have said, data carving should give you an idea is what is on the card.

I also use a program that gives visual display of sector contents, eg compressed, text, file start or blank. ie very 'crude' but a very simple idea of what a memory device is storing.

ReplyQuote
Posted : 25/01/2015 10:29 pm
jaclaz
(@jaclaz)
Community Legend

I would want to rule out the possibility of it being a fake memory chip. This is when a small memory chip is modified to look like a big memory chip - I have come across several such micro SD cards, but typically labelled 64GB - with 4GB or 8GB actual memory.

It is a possibility, but the "around 20 Gb" makes it improbable.
I mean, I can understand making a fake 64 GB out of a 4 (or possibly even 8 ) Gb but making a 32 Gb out of a 20 Gb (a size that AFAIK doesn't exist "in nature") 😯 .

If you are faking it, fake it big. wink

Also, usually issues with fake chips start as soon as the OS attempts to write past the "real" size and it would be uncommon for a microSD card to attempt writing the 12 GB in "one go" (besides possibly being impossible because of the FAT32 4 Gb file size limit)…

jaclaz

ReplyQuote
Posted : 25/01/2015 10:38 pm
komatsu
(@komatsu)
New Member

Ok, this is all making sense now.

I deal with these alot and have never ever seen the brand name used.

In addition, it's sticker has been applied in a real amateurish way i.e. not in alignment with the
card.

This probably is a fake.

I will keep you guyz updated.

ReplyQuote
Posted : 26/01/2015 12:50 am
mscotgrove
(@mscotgrove)
Senior Member

I agree that 20GB OK out of 32GB is not what you expect from a fake memory chip. However, it is not clear if the recovered 20GB files are good files, or just ones that have a valid file name and size. As the FAT is normally at the start of the memory chip, everything looks good until one tries to read the 'saved' data. Files will read without errors, but are then invalid.

With data carving, I have often seen patterns where there are lots of files, but there may also be a repeating pattern in hash values, showing that data is all from the same memory lock.

ReplyQuote
Posted : 26/01/2015 1:13 am
jaclaz
(@jaclaz)
Community Legend

However, it is not clear if the recovered 20GB files are good files, or just ones that have a valid file name and size. As the FAT is normally at the start of the memory chip, everything looks good until one tries to read the 'saved' data. Files will read without errors, but are then invalid.

I guess it largely depends on the "quality" of the fake 😯 , just like it happens with fake watches, there are the 20-50 € ones that are really fake and show as such but the - say - 200-500 € are so well manufactured that even experts from the "real" watch manufacturing companies have difficulties in recognizing one (or need to carry some more advanced examinations to make sure).

At least when it comes to fake USB sticks, usually the fake is just an altered filesystem (low quality fake) though it is possible I believe to use the controller "MP Tool" to change parameters in the firmware and thums make a "higher quality" fake.

Still the 20 Gb vs 32 Gb sounds improbable and as said the error/issue normally happens as soon as the OS attempts to write beyond a given address, not when the "whole label capacity" is hit. ?

jaclaz

ReplyQuote
Posted : 26/01/2015 2:36 pm
mscotgrove
(@mscotgrove)
Senior Member

Still the 20 Gb vs 32 Gb sounds improbable and as said the error/issue normally happens as soon as the OS attempts to write beyond a given address, not when the "whole label capacity" is hit. ?

jaclaz

I have seen chips where the 'overrun data' is just written to the final 1MB (or similar). Thus it does not actually overrun to the start after the good area has been used. Reading therefore looks good, unless the content is checked.

However, almost anything can happen and so my comments must be treated as educated speculation rather than facts.

Cameras/ phones can also 'screw' up perfectly good data without any hardware errors.

ReplyQuote
Posted : 26/01/2015 5:25 pm
Share: