
ngpc

USB Access Problem

82 posts in this topic

Hi,

Recently I got a problem, and I would like to see if anyone, or any expert, can help!

When I tried to access my USB finger, I found that my computer cannot read the data, although the USB drive No. can be seen on the computer, say G:

As I clicked on the USB drive icon, the computer told me that my USB drive is not formatted yet and asked if I want to format it.

Then sure I click "No", all my data is inside.

When I use DOS mode to access the USB G: drive, the computer replies that the "Disk sector do not contain the system file "

I am afraid that the boot sector has been damaged by some virus infection.

Can anyone advise how I can save my USB and retrieve the data? Can any tools or methods help?

I would appreciate it if anyone can offer help!

Thanks in advance!

ngpc


Welcome to the forum, ngpc. I see that you use a translator, but we understand you except for one thing:

> Then sure I click "No", all my data is inside.

So, you say no and you can enter the thumb drive? Or you can't access it at all?

Seems that your flash memory has gone bad. Normally those thumb drives are built out of 2 components: the USB controller chip that makes the bridge between the USB connector and the Flash ROM, and the flash ROM itself. In this case I think it's the flash ROM.


What I mean is my computer can recognise the drive No., but when I click on the icon of the USB, it prompts me to format the USB...

Do you have any software which can help to retrieve the data or recover the data...

Thanks!

ngpc

> What I mean is my computer can recognise the drive No., but when I click on the icon of the USB, it prompts me to format the USB...
>
> Do you have any software which can help to retrieve the data or recover the data...
>
> Thanks!
>
> ngpc

When you double click on a drive letter, a mechanism inside Windows called the filesystem recognizer tries to identify the filesystem and load the appropriate driver (NTFS.SYS, FASTFAT.SYS, etc.).

Possibly "something" misrepresents the filesystem and thus, since no known filesystem is recognized, Windows "assumes" that it is an unformatted partition and prompts for formatting it.

It may be something as trivial as a missing "55AA" signature in the bootsectors up to a serious case of data/filesystem structure corruption.

You may want to try first TESTDISK:

http://www.cgsecurity.org/wiki/TestDisk

to check if the error is solvable by correcting a few values in MBR or bootsector or use PHOTOREC:

http://www.cgsecurity.org/wiki/PhotoRec

to attempt recovering the data "directly".

jaclaz


Indeed, you could give it a try, but mostly it's a hardware problem.

I still wish that you can recover your data, ngpc.


Dear Jaclaz,

Thanks very much for your help and resources!

I have tried TestDisk to scan my problematic USB; TD reported there is an "Invalid FAT Boot sector" after I performed the [Analyse] function.

Then I proceeded to do the [Quick Search] and [Deeper Search] functions, and TD reported structure OK..... I think this is expected as I haven't made any partition for this USB, I just use it for data storage...

Can you further advise what I should do next to solve the problem....?

I have also attached the screen of the TD report for reference... I would appreciate it if you can further advise......

As the total upload cap only allows 200k..., I upload the remaining file in a separate email....

Thanks!

ngpc

Screen_Capture_of_Test_Disk_Result.doc


From what you posted (second screenshot), it seems to me that you have a "direct" partition, i.e. the stick is formatted as super-floppy with no MBR/partition table.

Which usually happens with "brand new" sticks, that are however:

  • formatted as FAT32
  • have 0/0/1 as start sector

From the other screenshot, on the contrary, it seems like you have a single partition FAT16 starting from sector 33 (which would carry as a consequence that you have 32 hidden sectors and thus a MBR).

It also tells me that you used some formatting utility/method to re-partition/re-format the stick.

Only you can know how the stick was partitioned/formatted before; please post as much information on how the stick was before (when working) as you can remember.

Also you should read this:

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

Try the deeper search, and next time, instead of the screenshots, post testdisk.log (of course you should ALWAYS create a log at the beginning of each session with Testdisk).

Cannot say how familiar you are with PC/filesystems and more precisely with command line apps, but before starting with the "difficult things" do the following:

Get HD hacker:

http://dimio.altervista.org/eng/

and:

  • save first 1 sector of PhysicalDrive to a file named MBR.bin
  • save first sector of LogicalDrive to a file called BS.bin

Make sure to select the right drive!

Compress the two files in a .zip archive and post it as an attachment, I'll have a look at them.

jaclaz


Hi Jaclaz,

I have used HDHacker to save the MBR of my USB for your analysis...

They are attached...

Here is my USB history:

I bought this USB drive around the year 2006, only for data storage; it is 1G in size.

Due to my work, I always use this USB in other computers for presentations... So sometimes a virus is detected, and every time I use Virus Cleaner to scan and clean the virus. It seems to work...

From the scanning history, this virus has attacked my USB before:

Trojan-GameThief.Win32.Magania.ahrz G:\yfmqo.cmd

And I think Autorun.ini has also infected my USB... The infection has occurred several times...

As far as I remember, after one virus cleaning operation, I found that I could not click-to-open the USB directly; a window popped up to ask me "Which software you are going to use to open the file". I found that this was strange and different from what I had done in the past.... Then I mostly clicked IE Explorer to access the USB and it worked. Therefore, I ignored what happened and kept using the USB without suspecting any MBR problems.... I think this should have been the sign of the problem of my USB at the very beginning..... Am I right?

For this USB, I haven't performed any formatting or partitioning actions after my purchase; I have just used it as a data disk since I bought it..

Hope this info helps.

Thanks!

ngpc

File_for_analysis_of_HDHacker_2009_05_21.zip

Edited by ngpc

I recently experienced close to the same thing with the autorun virus.

When I attached the drive, the AV even completely refused to let Windows recognize the whole drive.


There are a number of problems in the files you sent.

Basically:

  • the MBR code is only partially there
  • the MBR "Magic Number" Signature is not there
  • the MBR DATA is - to say the least - "queer":
    Entry|Type|Boot|bCyl|bHead|bSect|eCyl|eHead|eSect|Start Sector|Num Sectors|Size in bytes
    #0|06|80|0|1|1|255|61|0|32|1.966.137|1.006.662.144
  • both files are identical (which is normal, since the MBR is not recognized Physicaldrive=Logicaldrive)

Next steps:

get the dsfok toolkit:

http://members.ozemail.com.au/~nulifetv/freezip/freeware/

unzip in a new directory, say C:\dsfok

Open a command prompt and navigate to that directory.

You want to make a full image of the stick, so you will need roughly 1 Gb free on your hard disk.

Now, you must be sure that you get the "right" physicaldrive number (if you have just one hard disk, it will be "0", and the USB stick will be "1")

Run the following command:

dsfo \\.\PHYSICALDRIVEn 0 0 C:\dsfok\USB_full.img

this will create a byte to byte copy of the stick, the program will print on screen something like:

OK, 1006695214 bytes, 56.540s, MD5 = 786a48c5db7548a6bf34cb945b62ae75

Jot down (and post) the bolded part (actual size of the stick).

This way you have a full copy of the stick and we can start working on it without fear of making anything irreparable.

Run again dsfo as follows:

dsfo \\.\PHYSICALDRIVEn 0 51200 C:\dsfok\USB_100.img

This is a copy of the first 100 sectors of the stick, 51200 bytes in size, that you should compress in a .zip and attach to your next post.

The partition data refers to a 06 i.e. CHS FAT16 partition, starting at sector 33 or sector 64, the first 100 sectors should be enough to see if there are traces of it. (bootsector and start of FAT tables).

jaclaz
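
An added illustration, not part of the original thread or of any tool mentioned in it: a Python sketch of the MBR checks described in the post above (55AA signature, partition entry decoding, plausibility of the values), run on a constructed 512-byte sector that carries only the entry quoted there. The function names and the sample sector are assumptions made for the example.

```python
import struct

SECTOR_SIZE = 512

def decode_chs(raw):
    """Decode a 3-byte CHS field into (cylinder, head, sector)."""
    head, sect_cyl, cyl_low = raw
    return ((sect_cyl & 0xC0) << 2) | cyl_low, head, sect_cyl & 0x3F

def parse_mbr(sector, device_bytes=None):
    """Return signature status, used partition entries and sanity warnings."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    out = {"signature_ok": sector[510:512] == b"\x55\xaa",
           "entries": [], "warnings": []}
    if not out["signature_ok"]:
        out["warnings"].append("no 55AA signature at offset 510")
    for slot in range(4):
        raw = sector[446 + 16 * slot:462 + 16 * slot]
        boot, bchs, ptype, echs, start, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0 and count == 0:
            continue  # unused slot
        entry = {"slot": slot, "type": ptype, "boot": boot,
                 "begin_chs": decode_chs(bchs), "end_chs": decode_chs(echs),
                 "start_sector": start, "num_sectors": count,
                 "size_bytes": count * SECTOR_SIZE,
                 "byte_offset": start * SECTOR_SIZE}
        out["entries"].append(entry)
        if boot not in (0x00, 0x80):
            out["warnings"].append(f"entry {slot}: invalid boot flag {boot:#04x}")
        if entry["begin_chs"][2] == 0 or entry["end_chs"][2] == 0:
            out["warnings"].append(f"entry {slot}: CHS sector 0 (sectors count from 1)")
        if device_bytes is not None and (start + count) * SECTOR_SIZE > device_bytes:
            out["warnings"].append(f"entry {slot}: extends past end of device")
    return out

def sample_mbr(signature=True):
    """Constructed sector: zero-filled except for the entry quoted in the post."""
    entry = struct.pack("<B3sB3sII", 0x80, bytes([1, 1, 0]), 0x06,
                        bytes([61, 0, 255]), 32, 1966137)
    sector = bytearray(SECTOR_SIZE)
    sector[446:462] = entry
    if signature:
        sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    # 1035206656 is the stick size reported later in the thread.
    for label, sig in (("as saved", False), ("with signature", True)):
        report = parse_mbr(sample_mbr(sig), device_bytes=1035206656)
        print(label, report["signature_ok"], report["warnings"])
        for e in report["entries"]:
            print(f"  #{e['slot']} type {e['type']:02X} start {e['start_sector']}"
                  f" size {e['size_bytes']} offset {e['byte_offset']}")
```

The `byte_offset` it reports for the entry, 16384, is the start sector 32 multiplied by 512 bytes per sector.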


Dear Jaclaz,

Just need to clarify one thing before I perform the copy action, because I am not so familiar with that dsfo software..

Do you mean that in the command below I replace the PHYSICALDRIVEn with the number "1", as I only have 1 HDD and 1 USB at this moment?

dsfo \\.\PHYSICALDRIVEn 0 0 C:\dsfok\USB_full.img

Thanks!

ngpc

> Dear Jaclaz,
>
> Just need to clarify one thing before I perform the copy action, because I am not so familiar with that dsfo software..
>
> Do you mean that in the command below I replace the PHYSICALDRIVEn with the number "1", as I only have 1 HDD and 1 USB at this moment?
>
> dsfo \\.\PHYSICALDRIVEn 0 0 C:\dsfok\USB_full.img
>
> Thanks!
>
> ngpc

If your USB is Physicaldrive #1, then the line is:

dsfo \\.\PHYSICALDRIVE1 0 0 C:\dsfok\USB_full.img

but for example if you have one of those multi-card readers, or a virtual disk device installed, this won't always be true.

Do the following:

get beeblebrox:

http://students.cs.byu.edu/~codyb/

try accessing Physicaldrive1 with it (the drop down menu top left).

If you see the same data I posted before:

Entry|Type|Boot|bCyl|bHead|bSect|eCyl|eHead|eSect|Start Sector|Num Sectors|

#0|06|80|0|1|1|255|61|0|32|1.966.137|

then 1 is the right number. ;)

jaclaz

Edited by jaclaz

Dear Jaclaz,

I finally got it ....

After saving, the number returned is 1035206656 bytes.

I have attached the USB_100.IMG file .

Thanks!

ngpc

usb_100.zip


Got it.

The sectors as saved by dsfo seem MUCH better than the first ones, BOTH MBR and Bootsector appear to be valid.

It is possible that the stick is really suffering from some intermittent malfunctioning.

Try getting IMDISK:

http://www.ltr-data.se/opencode.html

and try mounting the USB_full.img

if IMDISK does not auto-detect the number of hidden sectors, supply 32 as the number of hidden sectors (skipped blocks)

Hopefully you should be able to find your data in the image mounted as a volume.

If everything is as it should be, we may try wiping the stick with 00's and re-apply to it the saved image.

If anything appears not as it should on the mounted image, next step would be running TESTDISK on the image.

jaclaz


Hi Jaclaz,

I am a bit stuck here as I am not quite familiar with the technical operation of IMDISK. Can you explain more about it?

I have captured the screenshot for your reference.

After opening ImDisk, the "Mount new virtual disk" panel asks me to select an image file, so I chose the USB_full.IMG which I saved in C:\dsfok.

ImDisk automatically assigns some values below the file selection bar after my selection.

So I came up with one question:

Do I need to check

the box before "Copy image file to memory"

the box before "Removable media" and "Read Only Media"?

Then I tried ignoring the check boxes and clicked OK; the second screen came up as in the screenshot ImDisk Virtual Disk Driver

Then what should I do next?

I do not quite understand when I will see something as you mentioned in your email; can you clarify a bit:

> if IMDISK does not auto-detect the number of hidden sectors, supply 32 as the number of hidden sectors (skipped blocks)
>
> Hopefully you should be able to find your data in the image mounted as a volume.
>
> If everything is as it should be, we may try wiping the stick with 00's and re-apply to it the saved image.
>
> If anything appears not as it should on the mounted image, next step would be running TESTDISK on the image.

Can you further advise? Thank you!

ngpc

IMDISK_operation_Question.doc

Edited by ngpc

It was a caution.

IMDISK is a virtual drive which works at filesystem level (i.e. it mounts only a partition not the whole physical drive).

Thus when you give it a physicaldrive image (with MBR and hidden sectors) it tries to determine by reading the MBR where the partition starts.

Usually it gets the right values, the suggested 32 was in case it did not.

If you look at the screenshot, you can see how you have in third line from top (Image file offset) a value of 0 bytes.

This should be either 32 blocks or 16384 bytes (32*512=16384).

Do not bother for the moment with the other settings.

From the screenshot, the image was successfully mounted as drive G:, BUT since you see the N/A, no filesystem was recognized.

Try unmounting it and re-mounting supplying the given value.

See screenshot:

imdiskusb100.jpg

If we are lucky, you should see in the other IMDISK window instead of the N/A, FAT or FAT16 (cannot remember).

It is possible that while dsfo copied apparently properly the first 100 sectors, a malfunctioning occurred when you made the "full" image. :unsure:

Try (without actually mounting it) to start the mounting with IMDISK of the USB_100.img, you should have exactly the same situation as the above screenshot.

If the same does not happen with the "full" image, it means that at least its first sectors are not "good" (just as the first sector you copied with HDhacker was no good).

jaclaz


Hi Jaclaz,

As I tried again, I can mount the G: drive with the value 32 in the image file offset row, as you mentioned, in the first window.

Then what should I do next in the second window after I click OK in the first window?

I find there is a file G: c:\dsfok\USB_full.img 987.3MB in the second window...

Do I need to "Format" it or something else..

Besides, do you have an MSN account such that I can send my feedback to you and do the adjustment as soon as possible, what do you think about this.? I am open to this...

Thanks!

ngpc

IMDISK_operation_Question_1.doc


Hi Jaclaz,

When I tried to open the image file, ImDisk reported that it cannot open the file, see attached screenshot..

Hope this provides more information to you!

Thanks !

ngpc

IMDISK_operation_Question_2.doc


I am afraid that things are more complex than expected.

It seems like there are anyway some corrupted values in USB_100.IMG and probably also in USB_full.img.

Forget about IMDISK for the moment.

A test that you can make:

run:

dsfo C:\dsfok\USB_full.img 0 51200 C:\dsfok\USB_100_new.img

then:

FC /B C:\dsfok\USB_100_new.img C:\dsfok\USB_100.img

It should give "no differences found".

Please report if FC instead finds differences.

It is still possible that testdisk can do something, but using its advanced features will be required, something that you cannot do - at least for the moment.

You should provide me with some more sectors, it seems like the FAT (at least FAT#1) has gone berserk.

I need the whole set of FATs.

According to the bootsector the filesystem has 247 sectors per FAT.

Thus I need:

32 - hidden sectors

1 - FAT16 bootsector

247 - First FAT

247 - Second FAT

(32+1+247+247)=527 sectors, rounded to 550, thus 550x512=281,600 bytes

Run this:

dsfo C:\dsfok\USB_full.img 0 281600 C:\dsfok\USB_550.img

Zip the USB_550.img to USB_550.zip and attach it.

jaclaz
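
An added illustration (not part of the original thread, and not how TestDisk or dsfo work internally): the sector arithmetic from the post above, driven by the boot sector's own fields, followed by a sector-by-sector comparison of the two FAT copies. The image is constructed for the example from the values given in the thread; the 512 root directory entries, the 32 sectors per track and the function names are assumptions.

```python
import struct

def parse_bpb(boot):
    """Read the FAT12/16 BIOS Parameter Block fields that locate the FATs."""
    if boot[510:512] != b"\x55\xaa":
        raise ValueError("boot sector lacks the 55AA signature")
    (bps, spc, reserved, nfats, root_entries, _total16, _media, spf,
     _spt, _heads, hidden) = struct.unpack_from("<HBHBHHBHHHI", boot, 11)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved": reserved, "num_fats": nfats,
            "root_entries": root_entries, "sectors_per_fat": spf,
            "hidden": hidden}

def fat_layout(bpb):
    """Sector positions relative to the boot sector, plus image extent."""
    spf, nfats = bpb["sectors_per_fat"], bpb["num_fats"]
    fat_starts = [bpb["reserved"] + i * spf for i in range(nfats)]
    root_start = bpb["reserved"] + nfats * spf
    root_sectors = -(-(bpb["root_entries"] * 32) // bpb["bytes_per_sector"])
    return {"fat_starts": fat_starts, "root_start": root_start,
            "data_start": root_start + root_sectors,
            "sectors_through_fats": bpb["hidden"] + root_start}

def differing_fat_sectors(image, bpb, layout):
    """FAT-relative sector indexes where copy #1 and copy #2 disagree."""
    bps = bpb["bytes_per_sector"]
    first, second = (bpb["hidden"] + s for s in layout["fat_starts"][:2])
    diffs = []
    for i in range(bpb["sectors_per_fat"]):
        a = image[(first + i) * bps:(first + i + 1) * bps]
        b = image[(second + i) * bps:(second + i + 1) * bps]
        if a != b:
            diffs.append(i)
    return diffs

def sample_image():
    """Constructed image: 32 hidden sectors, boot sector, two 247-sector FATs."""
    boot = bytearray(512)
    # 512 root entries and 32 sectors per track are assumed, not from the thread.
    struct.pack_into("<HBHBHHBHHHI", boot, 11,
                     512, 32, 1, 2, 512, 0, 0xF8, 247, 32, 64, 32)
    boot[510:512] = b"\x55\xaa"
    fat = bytearray(247 * 512)
    fat[0:4] = b"\xf8\xff\xff\xff"  # media byte and end-of-chain marker
    image = bytearray(32 * 512) + boot + fat + fat
    image[(33 + 5) * 512] ^= 0xFF   # damage one sector of FAT #1 only
    return bytes(image)

if __name__ == "__main__":
    image = sample_image()
    bpb = parse_bpb(image[32 * 512:33 * 512])
    layout = fat_layout(bpb)
    print("FAT starts:", layout["fat_starts"])
    print("sectors to copy:", layout["sectors_through_fats"])
    print("mismatching FAT sectors:", differing_fat_sectors(image, bpb, layout))
```

The FAT start sectors it reports, 1 and 248, are the same values entered for FAT1 and FAT2 in the Rebuild BS step later in the thread.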


Hi Jaclaz,

I have run the FC command and compared the 2 files, USB_100.img and USB_100_new.img; the system returned no difference...

I have attached the USB_550.img zip file for analysis...

Do you mean that, as ImDisk Virtual Disk Driver cannot open the USB_full.img file and the USB_100.img file, it can be predicted that the values of these files are corrupted? Am I right?

Besides, if TDisk can do something for my USB, can you teach me some instructions so that I can check it during the weekend...

I have run a test of the USB_100.img and USB_full.img in the TDisk software; TD reported some findings for these files. The result is attached inside the txt file; the two files report the same result as shown in the txt file. Hope this can help to provide more info....

Thanks!

ngpc

usb_550.zip

TDisk__anaylse_result_of_USB_full_image_file__1.txt

Edited by ngpc

Got it.

Good news. :thumbup

It seems like by manually adapting Geometry it is possible to access the FAT(s).

It's a rather complex procedure, tomorrow I will post a step-by-step of what you should do.

jaclaz


Really

Thanks!

Looking forward to that !

ngpc


OK :), here it is:

Delete any testdisk.log you may have in testdisk directory.

Start testdisk mounting the image, as follows:

testdisk_win /log C:\dsfok\usb_full.img

Following italics is what you will see/will have to choose and bold is what you have to type, underlined comments/hints:

[Proceed] <ENTER>

[intel] <ENTER>

[Geometry] <ENTER>

[Cylinders] <ENTER>

1 <ENTER>

[Heads] <ENTER>

64 <ENTER>

[OK] <ENTER>

[Options] <ENTER>

use arrow keys and <ENTER> to switch settings:

Expert Mode:Yes

Cylinder Boundary:No

Allow partial last cylinder: Yes

Dump:No

[Ok] <ENTER>

[Advanced] <ENTER>

1*FAT16 >32M 0 1 1 987 18 25 2021945 <--you should see this, if not, something was done wrong before

[boot] <ENTER>

[Rebuild BS] <ENTER>

FaT1 Location....:1 <ENTER>

Fat2 Location....:248 <ENTER>

Number of FATS...:2 <ENTER>

Cluster size.....:32 <ENTER>

<ENTER>

here you can browse the FAT contents and (optionally) copy some files from the image - NO NEED to copy them, however, we will attempt retrieving them later

q <ENTER>

[Write] <ENTER>

Write FAT boot Sector, Confirm? (Y/N) Y

[Quit] <ENTER>

[Quit] <ENTER>

[Analyze] <ENTER>

[backup] <ENTER>

Should Testdisk....Vista...? N

[Continue] <ENTER>

L

[Load] <ENTER>

[Write] <ENTER>

Write partition table, confirm? (Y/N) Y

[Ok] <ENTER>

[Quit] <ENTER>

[Quit] <ENTER>

***END of testdisk session***

You don't actually need to reboot, since you were working on an image instead of a "real" device.

Now, mount USB_full.img with IMDISK and you should be able to copy out of it the files normally with Explorer to a new directory on your hard disk.

It is possible that you will be able to recover 100% of files, and as well it is possible that some will be corrupted, no way to know in advance.

Let me know how it goes.

If you don't feel confident in the procedure, make a copy of USB_full.img and try at first on the copy.

:hello:

jaclaz

P.S.: If you think the procedure is a bit too complex, I can post your USB_550.img "corrected" and show you how to "merge" it with USB_full.img, but then you won't have any fun at it. ;)