ngpc

USB Access Problem

82 posts in this topic

Got it.

The sectors as saved by dsfo seem MUCH better than the first ones, BOTH MBR and Bootsector appear to be valid.

It is possible that the stick is really suffering from some intermittent malfunctioning.

Try getting IMDISK:

http://www.ltr-data.se/opencode.html

and try mounting the USB_full.img

if IMDISK does not auto-detect the number of hidden sectors, supply 32 as the number of hidden sectors (skipped blocks)

Hopefully you should be able to find your data in the image mounted as a volume.

If everything is as it should be, we may try wiping the stick with 00's and re-apply to it the saved image.

If anything appears not as it should on the mounted image, next step would be running TESTDISK on the image.

jaclaz


Hi Jaclaz,

I am a bit stuck here as I am not quite familiar with the technical operation of IMDISK, can you explain more about it?

I have captured the screenshot for your reference.

After opening ImDisk, the Mount new virtual disk panel asks me to select an image file, so I chose the USB_full.IMG which I saved in C:\dsfok.

ImDisk automatically assigns some values below the file selection bar after my selection.

So I came up with one question:

Do I need to check

the box before "Copy image file to memory"

the box before "Removable media" and "Read Only Media"

Then I tried ignoring the check boxes and clicked OK; the second screen, ImDisk Virtual Disk Driver, came up as in the screenshot.

Then what should I do next?

I do not quite understand when I will see something like what you mentioned in your email, can you clarify a bit:

if IMDISK does not auto-detect the number of hidden sectors, supply 32 as the number of hidden sectors (skipped blocks)

Hopefully you should be able to find your data in the image mounted as a volume.

If everything is as it should be, we may try wiping the stick with 00's and re-apply to it the saved image.

If anything appears not as it should on the mounted image, next step would be running TESTDISK on the image.

Can you advise further? Thank you!

ngpc

IMDISK_operation_Question.doc

Edited by ngpc

It was a caution.

IMDISK is a virtual drive which works at filesystem level (i.e. it mounts only a partition not the whole physical drive).

Thus when you give it a physicaldrive image (with MBR and hidden sectors) it tries to determine by reading the MBR where the partition starts.

Usually it gets the right values, the suggested 32 was in case it did not.

If you look at the screenshot, you can see how you have in third line from top (Image file offset) a value of 0 bytes.

This should be either 32 blocks or 16384 bytes (32*512=16384).

Do not bother for the moment for the other settings.

From the screenshot, the image was successfully mounted as drive G:, BUT since you see the N/A, no filesystem was recognized.

Try unmounting it and re-mounting supplying the given value.

See screenshot:

imdiskusb100.jpg

If we are lucky, you should see in the other IMDISK window instead of the N/A, FAT or FAT16 (cannot remember).

It is possible that while dsfo copied apparently properly the first 100 sectors, a malfunctioning occurred when you made the "full" image. :unsure:

Try (without actually mounting it) to start the mounting with IMDISK of the USB_100.img, you should have exactly the same situation as the above screenshot.

If the same does not happen with the "full" image, it means that at least its first sectors are not "good" (just as the first sector you copied with HDhacker was no good).

jaclaz


Hi Jaclaz,

As I tried again, I can mount the G: drive with the value 32 in the image file offset row as you mentioned in the first window.

Then what should I do next in the second window after I click OK in the first window?

I find there is a file G: c:\dsfok\USB_full.img 987.3MB in the second window...

Do I need to "Format" it or something else..

Besides, do you have an MSN account so that I can send my feedback to you and do the adjustment as soon as possible? What do you think about this? I am open to this...

Thanks!

ngpc

IMDISK_operation_Question_1.doc


Hi Jaclaz,

When I tried to open the image file, ImDisk reported that it cannot open the file, see attached screenshot..

Hope this provides more information to you!

Thanks !

ngpc

IMDISK_operation_Question_2.doc


I am afraid that things are more complex than expected.

It seems like there are anyway some corrupted values in USB_100.IMG and probably also in USB_full.img.

Forget about IMDISK for the moment.

A test that you can make:

run:

dsfo C:\dsfok\USB_full.img 0 51200 C:\dsfok\USB_100_new.img

then:

FC /B C:\dsfok\USB_100_new.img C:\dsfok\USB_100.img

It should give "no differences found".

Please report if FC instead finds differences.

It is still possible that testdisk can do something, but using its advanced features will be required, something that you cannot do - at least for the moment.

You should provide me with some more sectors, it seems like the FAT (at least FAT#1) has gone berserk.

I need the whole set of FAT's.

According to the bootsector the filesystem has 247 sectors per FAT.

Thus I need:

32 - hidden sectors

1 - FAT16 bootsector

247 - First FAT

247 - Second FAT

(32+1+247+247)=527 sectors, rounded to 550, thus 550x512=281,600 bytes

Run this:

dsfo C:\dsfok\USB_full.img 0 281600 C:\dsfok\USB_550.img

Zip the USB_550.img to USB_550.zip and attach it.

jaclaz
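
Added example (not part of the original posts): the ImDisk offset (32*512) and the sector count covering both FATs, read out of the image itself instead of worked out by hand. The sketch parses the first MBR partition entry and the FAT16 boot sector; the in-memory image is constructed from the values quoted in the thread, and the function names are hypothetical.

```python
import struct

SECTOR = 512

def first_partition(mbr):
    """Return (type, start_lba, sector_count) of the first MBR partition entry."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("MBR signature 55 AA missing")
    entry = mbr[446:462]
    start_lba, count = struct.unpack_from("<II", entry, 8)
    if entry[4] == 0 or count == 0:
        raise ValueError("first partition entry is empty")
    return entry[4], start_lba, count

def fat_layout(image):
    """Locate the FAT16 volume inside a whole-disk image and size its FATs."""
    _ptype, start_lba, _count = first_partition(image[:SECTOR])
    bs = image[start_lba * SECTOR:(start_lba + 1) * SECTOR]
    if len(bs) < SECTOR or bs[510:512] != b"\x55\xaa":
        raise ValueError("boot sector signature missing at LBA %d" % start_lba)
    bytes_per_sec, _sec_per_clus, reserved, n_fats = struct.unpack_from("<HBHB", bs, 11)
    sec_per_fat, = struct.unpack_from("<H", bs, 22)
    hidden, = struct.unpack_from("<I", bs, 28)
    end_of_fats = start_lba + reserved + n_fats * sec_per_fat
    return {
        "mount_offset_bytes": start_lba * bytes_per_sec,   # ImDisk "Image file offset"
        "hidden_in_bpb": hidden,                           # should agree with the MBR
        "fat1_lba": start_lba + reserved,
        "fat2_lba": start_lba + reserved + sec_per_fat,
        "sectors_through_fats": end_of_fats,
        "bytes_through_fats": end_of_fats * bytes_per_sec,
    }

def constructed_image():
    """Constructed sample: only the MBR and boot sector fields read above are set."""
    img = bytearray(33 * SECTOR)
    struct.pack_into("<B3sB3sII", img, 446, 0, b"\0\0\0", 0x06, b"\0\0\0", 32, 2021945)
    img[510:512] = b"\x55\xaa"
    base = 32 * SECTOR
    struct.pack_into("<HBHB", img, base + 11, 512, 32, 1, 2)  # 512 B/sector, 32 sec/cluster
    struct.pack_into("<H", img, base + 22, 247)               # sectors per FAT
    struct.pack_into("<I", img, base + 28, 32)                # hidden sectors
    img[base + 510:base + 512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    for key, value in fat_layout(constructed_image()).items():
        print(f"{key}: {value}")
```

The thread rounds the 527 sectors up to 550 (281,600 bytes) when cutting USB_550.img.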


Hi Jaclaz,

I have run the FC command and compared the 2 files, USB_100.img and USB_100_new.img; the system returned no difference...

I have attached the USB_550.img zip file for analysis...

Do you mean that as ImDisk Virtual Disk Driver cannot open the USB_full.img file and USB_100.img file, it can be predicted that the values of these files are corrupted, am I right?

Besides, if the TDisk can do something for my USB, can you teach me some instructions and then I can check it during the weekend...

I have run a test of the USB_100.img and USB_full.img in the TDisk software; TD reports some findings for these files, the result is attached inside the txt file, and the two files report the same result as shown in the txt file. Hope this can help to provide more info....

Thanks!

ngpc

usb_550.zip

TDisk__anaylse_result_of_USB_full_image_file__1.txt

Edited by ngpc

Got it.

Good news. :thumbup

It seems like by manually adapting Geometry it is possible to access the FAT(s).

It's a rather complex procedure, tomorrow I will post a step-by-step of what you should do.

jaclaz


Really

Thanks!

Looking forward to that !

ngpc


OK :), here it is:

Delete any testdisk.log you may have in testdisk directory.

Start testdisk mounting the image, as follows:

testdisk_win /log C:\dsfok\usb_full.img

Following italics is what you will see/will have to choose and bold is what you have to type, underlined comments/hints:

[Proceed] <ENTER>

[intel] <ENTER>

[Geometry] <ENTER>

[Cylinders] <ENTER>

1 <ENTER>

[Heads] <ENTER>

64 <ENTER>

[OK] <ENTER>

[Options]<ENTER>

use arrow keys and <ENTER> to switch settings:

Expert Mode:Yes

Cylinder Boundary:No

Allow partial last cylinder: Yes

Dump:No

[Ok] <ENTER>

[Advanced] <ENTER>

1*FAT16 >32M 0 1 1 987 18 25 2021945 <--you should see this, if not something was made wrong before

[boot] <ENTER>

[Rebuild BS] <ENTER>

FaT1 Location....:1 <ENTER>

Fat2 Location....:248 <ENTER>

Number of FATS...:2 <ENTER>

Cluster size.....:32 <ENTER>

<ENTER>

here you can browse the FAT contents and (optionally) copy some files from the image - NO NEED to copy them, however, we will attempt retrieving them later

q <ENTER>

[Write] <ENTER>

Write FAT boot Sector, Confirm? (Y/N) Y

[Quit] <ENTER>

[Quit] <ENTER>

[Analyze] <ENTER>

[backup] <ENTER>

Should Testdisk....Vista...? N

[Continue] <ENTER>

L

[Load]

<ENTER>

[Write] <ENTER>

Write partition table, confirm? (Y/N) Y

[Ok] <ENTER>

[Quit] <ENTER>

[Quit] <ENTER>

***END of testdisk session***

You don't actually need to reboot, since you were working on an image instead of a "real" device.

Now, mount USB_full.img with IMDISK and you should be able to copy out of it the files normally with Explorer to a new directory on your hard disk.

It is possible that you will be able to recover 100% of files, and as well it is possible that some will be corrupted, no way to know in advance.

Let me know how it goes.

If you don't feel confident in the procedure, make a copy of USB_full.img and try at first on the copy.

:hello:

jaclaz

P.S.: If you think the procedure is a bit too complex, I can post your USB_550.img "corrected" and show you how to "merge" it with USB_full.img, but then you won't have any fun at it. ;)


Jaclaz,

I just tried up to this step and stopped because the number I got back is different from yours, can you advise?

1*FAT16 >32M 0 1 1 987 18 25 2021945 <--you should see this, if not something was made wrong before (Your code)

1*FAT16 >32M 0 1 1 1019 8 25 2021945

Is the no. important?

ngpc


Yep.

You did not make properly the [Geometry] change.

Re-check settings in the [Geometry] section:

Cylinders=1

Heads=64

Sectors=32

Sector Size=512

and you will get the 987/18/25. ;)

jaclaz
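
Added example (not part of the original posts): why the [Geometry] setting changes the partition line TestDisk shows. The sketch converts the partition's last sector to CHS under a given geometry and searches for the head count that yields a given end CHS; the start CHS, size and 32 sectors per track come from the thread, the function names are hypothetical, and the head count found for the 1019/8/25 line is computed here, not stated on the page.

```python
def chs_to_lba(c, h, s, heads, spt):
    """CHS -> LBA for a geometry of `heads` heads and `spt` sectors per track."""
    return (c * heads + h) * spt + (s - 1)

def lba_to_chs(lba, heads, spt):
    """LBA -> CHS; sectors are numbered from 1, cylinders and heads from 0."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec = divmod(rem, spt)
    return cyl, head, sec + 1

def end_chs(start_chs, size, heads, spt):
    """End CHS of a partition given its start CHS and its size in sectors."""
    last_lba = chs_to_lba(*start_chs, heads, spt) + size - 1
    return lba_to_chs(last_lba, heads, spt)

def heads_producing(target_end, start_chs, size, spt):
    """Head counts (2..255) under which the partition would end at target_end."""
    return [h for h in range(2, 256)
            if end_chs(start_chs, size, h, spt) == target_end]

# Values from the thread: start CHS 0/1/1, 2021945 sectors, 32 sectors per track.
START, SIZE, SPT = (0, 1, 1), 2021945, 32

if __name__ == "__main__":
    print("64 heads ->", end_chs(START, SIZE, 64, SPT))
    print("987/18/25 needs heads =", heads_producing((987, 18, 25), START, SIZE, SPT))
    print("1019/8/25 needs heads =", heads_producing((1019, 8, 25), START, SIZE, SPT))
```

The same partition (same start and size in sectors) is described by both lines; only the head count used for the CHS translation differs.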


Hey Jaclaz,

I just took a risk and tried the remaining recovery procedure as I am so eager to see the result... So you bet... I finally GOT it... Wow, EXCELLENT !

All the files are back, they are back...... A very BIG THANKS to YOU.... I really appreciate your patience and professional advice...

I learnt a lot from this process and had much fun.... Interesting !

BTW, there are still a few questions here, can you help me to clarify a bit:

As I reopened the image file, I found my useful files as well as some virus files or virus information.

So my questions are:

1/ Will the virus file still have an effect on my C drive when I copy the data from this USB_full image file back to my C drive ?

2/ When I use the virus cleaning program to scan the G: virtual drive, it detects the virus (see attached txt file) and is going to kill them, so does it mean that the virus is inactive (seems sleeping) when the USB_full image is not being recovered, but when it is being recovered now, the virus becomes active and will start to infect other drives, whoever comes across it ?

3/ Before I format my defective USB, if I plug it into the computer, will the virus infect my computer ?

4/ Will the stand-alone USB_full image file which has the virus file locked inside become active if I keep the image file ?

Curious to know that...

Thanks !

ngpc

TDisk_retrieving_record_eith_Virus_info.txt

Virus_Scan_Result_2009_5_23_after_USB_full_IMG_on_Virtual_Disk.txt


Happy to hear about a happy ending. :)

Virii "for USB sticks" are generally triggered by the stupid (I know no better English word to describe it :whistle:) feature of Windows XP (and later I think :unsure: ) that tries to access "automagically" anything connected to the USB port and tries to Print, or Play or Open or whatever.

The culprit is the autorun.inf file, which is executed by the above mentioned stupid feature.

An Image file is not accessed the same way, so it is relatively safe.

Scan files in the image and your anti-virus should get rid of the things all right.

Since Windows cannot read properly your damaged stick, it shouldn't be a problem of reinfection.

Thus answer to all your questions is NO. ;)

What you should do next would be to WIPE your stick (as opposed to re-formatting it)

Get mksparse:

http://www.acc.umu.se/~bosse/

unzip it in the usual directory C:\DSFOK

(I presume that the C:\ volume has a NTFS filesystem, otherwise use a NTFS one)

Create a new sparse file the size you got from dsfo originally:

mksparse C:\dsfok\USB_empty.img 1035206656

The file, being sparse, will occupy only a bunch of Kbytes instead of its full size, and it will be full to the brim of 00's.

If the temporary occupation of about 1 Gb by the file is not a problem, you can use fsz that is already in the DSFOK you have.

Now, use dsfi to completely overwrite your stick:

dsfi \\.\PHYSICALDRIVE1 0 0 C:\dsfok\USB_empty.img

Remove and re-insert stick.

Now, use RMPREPUSB.EXE (advised):

http://www.boot-land.net/forums/index.php?showtopic=7739

to format your stick. (this will create a "properly formatted" stick including a MBR, i.e. HD-like, if you use XP Disk Management it will format the stick as super-floppy, unless you use a filter driver, that I guess it's out of the scope of this thread)

Using the renowned "HP utility" will work as well, though it will create a "better-than-the-current-lousy-one", but still unbalanced CHS/LBA partition table, which is more likely to cause problems in the future.

Remove and re-insert stick.

Then, get ninja pendisk :thumbup :

http://nunobrito.eu/ninja/

http://www.boot-land.net/forums/?showtopic=4350

http://nunobrito.eu/ninja/forum/

and use it. ;)

BTW, and just as a general advice for the future, a not-so-well-known "trick" on FAT16 and FAT32 filesystems, in order to increase the possibilities of recovering files is to avoid if possible to put files in the ROOT, but rather use Directories or sub-directories to store them.

:hello:

jaclaz

I recently experienced close to the same thing with the autorun virus.

When I attached the drive the AV completely even refused to let Windows recognize the whole drive.

Hi,

I finally retrieved all my data from the USB by following the process, you can try and see if this can help your situation...

Jaclaz's troubleshooting is really professional...

You can check it out yourself...

ngpc
