USB Access Problem

81 replies to this topic

#1
ngpc

ngpc

    Newbie

  • Member
  • 21 posts
  • Joined 17-May 09
Hi,

Recently, I got a problem, and I would like to see if anyone or an expert can help!

When I tried to access my USB finger, I found that my computer cannot read the data, although the USB drive No. can be seen on the computer, say G:
As I clicked on the USB drive icon, the computer told me that my USB drive is not formatted yet and asked if I want to format it.
Then sure I click "No" , all my data is inside.

When I use DOS mode to access the usb G: drive, the computer replied that the "Disk sector do not contain the system file "

I am afraid that the boot sector has been damaged by some virus infection.

Can anyone advise how I can save my USB and retrieve the data? Are there any tools or methods that can help???

I would appreciate it if anyone can offer help!
Thanks in advance!
ngpc



#2
puntoMX

puntoMX

    n00b of Masters and Vice Versa

  • Super Moderator
  • 4,852 posts
  • Joined 28-June 04
  • OS:Windows 8.1 x64
  • Country: Country Flag
Welcome to the forum ngpc, I see that you use a translator but we understand you except for one thing:

Then sure I click "No" , all my data is inside.

So, you say no and you can enter the thumb drive? Or you can't access it at all?

Seems that your flash memory has gone bad. Normally those thumb drives are built out of 2 components: the USB controller chip that makes the bridge between the USB connector and the Flash ROM, and the flash ROM itself. In this case I think it's the flash ROM.

#3
ngpc

ngpc

    Newbie

  • Member
  • 21 posts
  • Joined 17-May 09
What I mean is my computer can recognise the drive No., but when I click on the icon of the USB, it prompts me to format the USB...

Do you have any software which can help to retrieve the data or recover the data...

Thanks !
ngpc

#4
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,677 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

What I mean is my computer can recognise the drive No., but when I click on the icon of the USB, it prompts me to format the USB...

Do you have any software which can help to retrieve the data or recover the data...

Thanks !
ngpc

When you double click on a drive letter, a mechanism inside Windows called the filesystem recognizer tries to identify the filesystem and load the appropriate driver (NTFS.SYS, FASTFAT.SYS, etc.).

Possibly "something" misrepresents the filesystem and thus, since no known filesystem is recognized, Windows "assumes" that it is an unformatted partition and prompts for formatting it.

It may be something as trivial as a missing "55AA" signature in the bootsectors up to a serious case of data/filesystem structure corruption.

You may want to try first TESTDISK:
http://www.cgsecurit...g/wiki/TestDisk
to check if the error is solvable by correcting a few values in MBR or bootsector or use PHOTOREC:
http://www.cgsecurit...g/wiki/PhotoRec
to attempt recovering the data "directly".

jaclaz

#5
puntoMX

puntoMX

    n00b of Masters and Vice Versa

  • Super Moderator
  • 4,852 posts
  • Joined 28-June 04
  • OS:Windows 8.1 x64
  • Country: Country Flag
Indeed, you could give it a try, but mostly it's a hardware problem.




I still wish that you can recover your data ngpc.

#6
ngpc

ngpc

    Newbie

  • Member
  • 21 posts
  • Joined 17-May 09
Dear Jaclaz,

Thanks very much for your help and resources!

I have tried TestDisk to scan my problematic USB; TD reported there is an "Invalid FAT Boot sector" after I performed the [Analyse] function.
Then I proceeded to do the [Quick Search] and [Deeper Search] functions; TD reported structure OK..... I think this is expected as I haven't made any partition for this USB, I just use it for data storage...

Can you further advise what I should do next to solve the problem.... ?

I have also attached the screen of the TD report for reference... Would appreciate if you can further advise......

As the total upload cap. only allows 200k..., I will upload the remaining file in a separate email....

Thanks !
ngpc

Attached Files



#7
ngpc

ngpc

    Newbie

  • Member
  • 21 posts
  • Joined 17-May 09
Hi Jaclaz,

Here is the second captured screen of TD result...

Thanks !
ngpc

Attached Files



#8
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,677 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
From what you posted (second screenshot), it seems to me that you have a "direct" partition i.e. the stick is formatted as super-floppy with no MBR/partition table.

Which usually happens with "brand new" sticks, that are however:
  • formatted as FAT32
  • have 0/0/1 as start sector

From the other screenshot, on the contrary, it seems like you have a single partition FAT16 starting from sector 33 (which would carry as a consequence that you have 32 hidden sectors and thus a MBR).
It also tells me that you used some formatting utility/method to re-partition/re-format the stick.

Only you can know how the stick was partitioned/formatted before, please post as much information on how the stick was before (when working) as you can remember.

Also you should read this:
http://www.cgsecurit...sk_Step_By_Step

Try the deeper search, and next time, instead of the screenshots, post testdisk.log (of course you should ALWAYS create a Log at the beginning of each session with Testdisk)

Cannot say how much you are familiar with PC/filesystems and more precisely with command lines app, but before starting with the "difficult things" do the following:
Get HD hacker:
http://dimio.altervista.org/eng/
and:
  • save first 1 sector of PhysicalDrive to a file named MBR.bin
  • save first sector of LogicalDrive to a file called BS.bin
make sure to select the right drive!

Compress the two files in a .zip archive and post it as an attachment, I'll have a look at them.


jaclaz

#9
ngpc

ngpc

    Newbie

  • Member
  • 21 posts
  • Joined 17-May 09
HI Jaclaz,

I have used HDHacker to save the MBR of my USB for your analysis...
They are attached...

Here is my USB History:
I bought this USB drive at about year 2006, only for data storage, it is 1G in size.
Due to my work, I always use this USB in other computers for presentations... So sometimes a virus will be detected, and every time I use Virus Cleaner to scan and clean the virus. It seems to work...

From the scanning history, this virus has attacked my USB before
Trojan-GameThief.Win32.Magania.ahrz G:\yfmqo.cmd
And I think Autorun.ini has also infected my USB... The infection has occurred several times...

As far as I remember, after one virus cleaning operation, I found that I could not click-to-open the USB directly; a window popped up to ask me " Which software you are going to use to open the file". I found this strange and different from what I had done in the past.... Then I mostly clicked IE Explorer to open and access the USB, and it worked. Therefore, I ignored what happened and kept using the USB without suspecting any MBR problems.... I think this should be the sign of the problem of my USB at the very beginning..... am I right?

For this USB, I haven't performed any formatting or partitioning actions after my purchase; I just used it as a data disk once I bought it.
Hope these info. help

Thanks !
ngpc

Attached Files


Edited by ngpc, 20 May 2009 - 11:04 PM.


#10
Kelsenellenelvian

Kelsenellenelvian

    WPI Guru

  • Developer
  • 8,845 posts
  • Joined 18-September 03
  • OS:Windows 7 x64
  • Country: Country Flag
I recently experienced close to the same thing with the autorun virus.

When I attached the drive, the AV completely refused to even let Windows recognize the whole drive.

#11
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,677 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
There are a number of problems in the files you sent.
Basically:
  • the MBR code is only partially there
  • the MBR "Magic Number" Signature is not there
  • the MBR DATA is - to say the least - "queer":
    Entry|Type|Boot|bCyl|bHead|bSect|eCyl|eHead|eSect|Start Sector|Num Sectors|Size in bytes
    #0|06|80|0|1|1|255|61|0|32|1.966.137|1.006.662.144
  • both files are identical (which is normal, since the MBR is not recognized Physicaldrive=Logicaldrive)

Next steps:
get the dsfok toolkit:
http://members.ozema...eezip/freeware/
unzip in a new directory, say C:\dsfok
Open a command prompt and navigate to that directory.
You want to make a full image of the stick, so you will need roughly 1 Gb free on your hard disk.
Now, you must be sure that you get the "right" physicaldrive number (if you have just one hard disk, it will be "0", and the USB stick will be "1")
Run following command:

dsfo \\.\PHYSICALDRIVEn 0 0 C:\dsfok\USB_full.img

this will create a byte to byte copy of the stick, the program will print on screen something like:

OK, 1006695214 bytes, 56.540s, MD5 = 786a48c5db7548a6bf34cb945b62ae75

Jot down (and post) the bolded part (actual size of the stick).
This way you have a full copy of the stick and we can start working on it without fear of making anything irreparable.
Run again dsfo as follows:

dsfo \\.\PHYSICALDRIVEn 0 51200 C:\dsfok\USB_100.img

This is a copy of the first 100 sectors of the stick, 51200 bytes in size, that you should compress in a .zip and attach to your next post.

The partition data refers to a 06 i.e. CHS FAT16 partition, starting at sector 33 or sector 64, the first 100 sectors should be enough to see if there are traces of it. (bootsector and start of FAT tables).

jaclaz
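
Added example, not part of jaclaz's post or of any tool named in the thread: Python code for the checks described in post #11, decoding the four partition entries of a 512-byte MBR dump and testing for the 55AA signature. The sample sector is constructed from the entry values quoted above with the signature left out; `parse_mbr`, `build_sample` and the warning texts are names chosen for this example.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # partition table follows the 446 bytes of boot code
SIGNATURE = b"\x55\xaa"     # the "55AA" magic number at offset 510


def _chs(head, sect_cyl, cyl_low):
    """Unpack the 3-byte CHS field: 10-bit cylinder, 8-bit head, 6-bit sector."""
    return ((sect_cyl & 0xC0) << 2) | cyl_low, head, sect_cyl & 0x3F


def parse_mbr(sector, device_bytes=None):
    """Return signature status, decoded partition entries and sanity warnings."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    result = {"signature_ok": sector[510:512] == SIGNATURE,
              "entries": [], "warnings": []}
    if not result["signature_ok"]:
        result["warnings"].append("55AA signature missing at offset 510")
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        boot, bh, bsc, bcl, ptype, eh, esc, ecl, start, count = \
            struct.unpack("<8B2I", raw)
        if ptype == 0 and count == 0:
            continue                      # unused slot
        entry = {"index": i, "type": ptype, "boot": boot,
                 "begin_chs": _chs(bh, bsc, bcl), "end_chs": _chs(eh, esc, ecl),
                 "start_sector": start, "num_sectors": count,
                 "size_bytes": count * SECTOR}
        result["entries"].append(entry)
        if boot not in (0x00, 0x80):
            result["warnings"].append(f"entry {i}: boot flag {boot:#04x} is neither 00 nor 80")
        if entry["begin_chs"][2] == 0 or entry["end_chs"][2] == 0:
            result["warnings"].append(f"entry {i}: CHS sector 0 (CHS sectors count from 1)")
        if device_bytes is not None and (start + count) * SECTOR > device_bytes:
            result["warnings"].append(f"entry {i}: partition ends past the end of the device")
    return result


def build_sample(with_signature):
    """Constructed sector: zeroed boot code plus entry #0 as listed in the post."""
    sector = bytearray(SECTOR)
    # boot=80, begin CHS 0/1/1, type=06, end CHS 255/61/0, start 32, 1966137 sectors
    entry = struct.pack("<8B2I", 0x80, 1, 1, 0, 0x06, 61, 0, 255, 32, 1966137)
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = entry
    if with_signature:
        sector[510:512] = SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    report = parse_mbr(build_sample(with_signature=False))
    for e in report["entries"]:
        print(e)
    for w in report["warnings"]:
        print("WARNING:", w)
```

To run it on a real dump, read the first 512 bytes of a file such as MBR.bin and pass them to `parse_mbr` in place of the constructed sector.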

#12
ngpc

ngpc

    Newbie

  • Member
  • 21 posts
  • Joined 17-May 09
Dear Jaclaz,

Just need to clarify one thing before I performed the copy action because I am not so familiar with that dsfo software..

Do you mean in the below command, I replace the PHYSICALDRIVEn with the number "1" ? as I only have 1 HDD and 1 USB at this moment?
dsfo \\.\PHYSICALDRIVEn 0 0 C:\dsfok\USB_full.img

Thanks!
ngpc

#13
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,677 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

Dear Jaclaz,

Just need to clarify one thing before I performed the copy action because I am not so familiar with that dsfo software..

Do you mean in the below command, I replace the PHYSICALDRIVEn with the number "1" ? as I only have 1 HDD and 1 USB at this moment?
dsfo \\.\PHYSICALDRIVEn 0 0 C:\dsfok\USB_full.img

Thanks!
ngpc


If your USB is Physicaldrive #1, then the line is:
dsfo \\.\PHYSICALDRIVE1 0 0 C:\dsfok\USB_full.img

but for example if you have one of those multi-card readers, or a virtual disk device installed, this won't be always true.

Do the following:
get beeblebrox:
http://students.cs.byu.edu/~codyb/
try accessing Physicaldrive1 with it (the drop down menu top left).
If you see the same data I posted before:
Entry|Type|Boot|bCyl|bHead|bSect|eCyl|eHead|eSect|Start Sector|Num Sectors|
#0|06|80|0|1|1|255|61|0|32|1.966.137|

then 1 is the right number. ;)

jaclaz

Edited by jaclaz, 21 May 2009 - 07:17 AM.


#14
ngpc

ngpc

    Newbie

  • Member
  • 21 posts
  • Joined 17-May 09
Dear Jaclaz,

I finally got it ....

After saving, the no. returned is 1035206656 bytes.

I have attached the USB_100.IMG file .

Thanks!
ngpc

Attached Files



#15
ngpc

ngpc

    Newbie

  • Member
  • 21 posts
  • Joined 17-May 09
Hi Jaclaz ,

I just went to the web link you referred to
get beeblebrox:
http://students.cs.byu.edu/~codyb/

I see what you mentioned...

Wait to see the next action!
ngpc

#16
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,677 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
Got it.

The sectors as saved by dsfo seem MUCH better than the first ones, BOTH MBR and Bootsector appear to be valid.

It is possible that the stick is really suffering from some intermittent malfunctioning.

Try getting IMDISK:
http://www.ltr-data.se/opencode.html
and try mounting the USB_full.img
if IMDISK does not auto-detect the number of hidden sectors, supply 32 as the number of hidden sectors (skipped blocks)

Hopefully you should be able to find your data in the image mounted as a volume.

If everything is as it should be, we may try wiping the stick with 00's and re-apply to it the saved image.

If anything appears not as it should on the mounted image, next step would be running TESTDISK on the image.

jaclaz

#17
ngpc

ngpc

    Newbie

  • Member
  • 21 posts
  • Joined 17-May 09
Hi Jaclaz,

I am a bit stuck here as I am not quite familiar with the technical operation of IMDISK; can you explain more about it?

I have captured the screenshot for your reference.

After open the ImDisk, the Mount new virtual disk panel ask me to select a Image file, so I choose the USB_full.IMG which I saved in C:\dsfok.
The ImDisk automatically assign some values below the file selection bar after my selection.

So I come up one question,
Do I need to click check for
the box before "Copy image file to memory"
the box before " Removable media" and "Read Only Media"

Then I tried to ignore the check boxes , I click OK, the second screen come up as in the screenshot ImDisk Virtual Disk Driver
Then what should I do next ?

I do not quite understand when I will see something as you mentioned in your email; can you clarify a bit:

if IMDISK does not auto-detect the number of hidden sectors, supply 32 as the number of hidden sectors (skipped blocks)
Hopefully you should be able to find your data in the image mounted as a volume.
If everything is as it should be, we may try wiping the stick with 00's and re-apply to it the saved image.
If anything appears not as it should on the mounted image, next step would be running TESTDISK on the image.


Can you further advise , Thanks you!
ngpc

Attached Files


Edited by ngpc, 22 May 2009 - 02:52 AM.


#18
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,677 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
It was a caution.

IMDISK is a virtual drive which works at filesystem level (i.e. it mounts only a partition not the whole physical drive).
Thus when you give it a physicaldrive image (with MBR and hidden sectors) it tries to determine by reading the MBR where the partition starts.
Usually it gets the right values, the suggested 32 was in case it did not.
If you look at the screenshot, you can see how you have in third line from top (Image file offset) a value of 0 bytes.
This should be either 32 blocks or 16384 bytes (32*512=16384).
Do not bother for the moment for the other settings.

From the screenshot, the image was successfully mounted as drive G:, BUT since you see the N/A, no filesystem was recognized.

Try unmounting it and re-mounting supplying the given value.
See screenshot:
Posted Image

If we are lucky, you should see in the other IMDISK window instead of the N/A, FAT or FAT16 (cannot remember).

It is possible that while dsfo copied apparently properly the first 100 sectors, a malfunctioning occurred when you made the "full" image. :unsure:

Try (without actually mounting it) to start the mounting with IMDISK of the USB_100.img, you should have exactly the same situation as the above screenshot.

If the same does not happen with the "full" image, it means that at least its first sectors are not "good" (just as the first sector you copied with HDhacker was no good).

jaclaz

#19
ngpc

ngpc

    Newbie

  • Member
  • 21 posts
  • Joined 17-May 09
Hi Jaclaz,

As I tried again, I can mount the G: drive with the value 32 in the image file offset row as you mentioned in the first window.
Then what should I do next in the second window after I click OK in the first window?

I find there is a file G: c:\dsfok\USB_full.img 987.3MB in the second window...
Do I need to "Format" it or something else..

Besides, do you have an MSN account such that I can send my feedback to you and do the adjustment as soon as possible, what do you think about this.? I am open to this...

Thanks!
ngpc

Attached Files



#20
ngpc

ngpc

    Newbie

  • Member
  • 21 posts
  • Joined 17-May 09
Hi Jaclaz,

When I tried to open the image file, ImDisk reported that it cannot open the file, see attached screenshot..

Hope this provide more information to you!

Thanks !
ngpc

Attached Files



#21
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,677 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
I am afraid that things are more complex than expected.

It seems like there are anyway some corrupted values in USB_100.IMG and probably also in USB_full.img.

Forget about IMDISK for the moment.

A test that you can make:
run:
dsfo C:\dsfok\USB_full.img 0 51200 C:\dsfok\USB_100_new.img
then:

FC /B C:\dsfok\USB_100_new.img C:\dsfok\USB_100.img

It should give "no differences found".

Please report if FC instead finds differences.

It is still possible that testdisk can do something, but using its advanced features will be required, something that you cannot do - at least for the moment.

You should provide me with some more sectors, it seems like the FAT (at least FAT#1) has gone berserk.

I need the whole set of FAT's.

According to the bootsector the filesystem has 247 sectors per FAT.

Thus I need:
32 - hidden sectors
1 - FAT16 bootsector
247 - First FAT
247 - Second FAT
(32+1+247+247)=527 sectors, rounded to 550, thus 550x512=281,600 bytes

Run this:
dsfo C:\dsfok\USB_full.img 0 281600 C:\dsfok\USB_550.img

Zip the USB_550.img to USB_550.zip and attach it.

jaclaz

#22
ngpc

ngpc

    Newbie

  • Member
  • 21 posts
  • Joined 17-May 09
HI Jaclaz,

I have run FC command and compare the 2 files, USB_100.img and USB_100_new.img, the system return no difference...

I have attached the USB_550.img zip file for analysis...

Do you mean that as ImDisk Virtual Disk Driver cannot open the USB_full.img file and USB_100.img file, it can be predicted that the values of these files are corrupted, am I right?

Besides, if the TDisk can do something for my USB, can you teach me some instructions and then I can check it during the weekend...

I have run a test of the USB_100.img and USB_full.img in the TDisk software, TD report some findings of the these files, the result is attached inside the txt file , the two files report the same result as shown in the txt file. Hope this can help to provide more info....

Thanks!
ngpc

Attached Files


Edited by ngpc, 22 May 2009 - 11:04 AM.


#23
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,677 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
Got it.

Good news. :thumbup

It seems like by manually adapting Geometry it is possible to access the FAT(s).

It's a rather complex procedure, tomorrow I will post a step-by-step of what you should do.

jaclaz

#24
ngpc

ngpc

    Newbie

  • Member
  • 21 posts
  • Joined 17-May 09
Really

Thanks!

Looking forward to that !

ngpc

#25
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,677 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
OK :), here it is:
Delete any testdisk.log you may have in testdisk directory.
Start testdisk mounting the image, as follows:
testdisk_win /log C:\dsfok\usb_full.img

Following italics is what you will see/will have to choose and bold is what you have to type, underlined comments/hints:

[Proceed] <ENTER>
[Intel] <ENTER>

[Geometry] <ENTER>
[Cylinders] <ENTER>
1 <ENTER>
[Heads] <ENTER>
64 <ENTER>
[OK] <ENTER>


[Options]<ENTER>
use arrow keys and <ENTER> to switch settings:
Expert Mode:Yes
Cylinder Boundary:No
Allow partial last cylinder: Yes
Dump:No
[Ok] <ENTER>

[Advanced] <ENTER>

1*FAT16 >32M 0 1 1 987 18 25 2021945 <--you should see this, if not something was made wrong before

[Boot] <ENTER>
[Rebuild BS] <ENTER>

FaT1 Location....:1 <ENTER>
Fat2 Location....:248 <ENTER>
Number of FATS...:2 <ENTER>
Cluster size.....:32 <ENTER>

[List] <ENTER>
here you can browse the FAT contents and (optionally) copy some files from the image - NO NEED to copy them, however, we will attempt retrieving them later
q <ENTER>

[Write] <ENTER>

Write FAT boot Sector, Confirm? (Y/N) Y

[Quit] <ENTER>
[Quit] <ENTER>

[Analyze] <ENTER>
[Backup] <ENTER>
Should Testdisk....Vista...? N
[Continue] <ENTER>
L
[Load] <ENTER>
[Write] <ENTER>
Write partition table, confirm? (Y/N) Y
[Ok] <ENTER>
[Quit] <ENTER>
[Quit] <ENTER>

***END of testdisk session***


You don't actually need to reboot, since you were working on an image instead of a "real" device.

Now, mount USB_full.img with IMDISK and you should be able to copy out of it the files normally with Explorer to a new directory on your hard disk.

It is possible that you will be able to recover 100% of files, and as well it is possible that some will be corrupted, no way to know in advance.

Let me know how it goes.

If you don't feel confident in the procedure, make a copy of USB_full.img and try at first on the copy.

:hello:

jaclaz

P.S.: If you think the procedure is a bit too complex, I can post your USB_550.img "corrected" and show you how to "merge" it with USB_full.img, but then you won't have any fun at it. ;)
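
Added example, not part of the original posts: the sector arithmetic from post #21 and the FAT locations entered in post #25, derived in Python from the BIOS Parameter Block of a FAT16 boot sector. The boot sector is constructed from figures quoted in the thread (32 hidden sectors, 1 boot sector, 247 sectors per FAT, 2 FATs, cluster size 32, 64 heads, 2021945 sectors); the 512 root directory entries, media byte F8 and 32 sectors per track are assumptions, as are the function names.

```python
import struct

BPB_FORMAT = "<HBHBHHBHHHII"   # BPB fields from offset 0x0B up to 0x23
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "num_fats", "root_entries", "total_sectors_16", "media",
              "sectors_per_fat", "sectors_per_track", "heads",
              "hidden_sectors", "total_sectors_32")


def parse_bpb(boot_sector):
    """Decode the FAT12/16 BIOS Parameter Block of a 512-byte boot sector."""
    if len(boot_sector) < 512:
        raise ValueError("need a full 512-byte boot sector")
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, boot_sector, 0x0B)))
    bpb["signature_ok"] = boot_sector[510:512] == b"\x55\xaa"
    return bpb


def fat_layout(bpb):
    """Sector offsets relative to the boot sector, plus the span covering all FATs."""
    bps = bpb["bytes_per_sector"]
    fat1 = bpb["reserved_sectors"]
    fat2 = fat1 + bpb["sectors_per_fat"]
    root = fat1 + bpb["num_fats"] * bpb["sectors_per_fat"]
    root_sectors = -(-bpb["root_entries"] * 32 // bps)   # 32-byte entries, rounded up
    data = root + root_sectors
    total = bpb["total_sectors_16"] or bpb["total_sectors_32"]
    clusters = (total - data) // bpb["sectors_per_cluster"]
    return {
        "fat1": fat1, "fat2": fat2, "root_dir": root, "data": data,
        "clusters": clusters,
        # a FAT16 table needs 2 bytes per cluster plus 2 reserved entries
        "fat_sectors_needed": -(-(clusters + 2) * 2 // bps),
        # sectors to copy from the start of the stick to include every FAT
        "sectors_through_fats": bpb["hidden_sectors"] + root,
    }


def build_sample_boot_sector():
    """Constructed FAT16 boot sector; root entries, media and sectors/track are assumed."""
    bs = bytearray(512)
    struct.pack_into(BPB_FORMAT, bs, 0x0B,
                     512, 32, 1, 2, 512, 0, 0xF8, 247, 32, 64, 32, 2021945)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


if __name__ == "__main__":
    layout = fat_layout(parse_bpb(build_sample_boot_sector()))
    for name, value in layout.items():
        print(f"{name:22} {value}")
    print("bytes to image:", layout["sectors_through_fats"] * 512)
```

For the constructed sector the FATs start at sectors 1 and 248 and the span through both FATs is 527 sectors; comparing `fat_sectors_needed` with the stored sectors-per-FAT value is a quick plausibility check on a rebuilt boot sector.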



