ngpc

USB Access Problem

82 posts in this topic

Hi Jaclaz,

Just a curious question !

I just suppose I can use the XP format function to reformat my usb, it seems there is still a lot of steps to reformat it...

May I know that "

What is the difference between using the XP format function to format the usb instead of using the procedure you have mentioned in the last email.

I know your procedure may be trying to configure the usb in a new structure ...

Sure, I will try your procedure and learn more about that, it is interesting.

While I just want to learn more if there is any technical reasons...

Besides, after the TestDisk recovery, I retrieve all the file data and also see some file named as below

-rwxr-xr-x 0 0 594 22-Oct-2008 18:38 _UTORUN.INF

-rwxr-xr-x 0 0 110654 5-Oct-2008 16:57 _JIEF.CMD

Are they created repeatedly by a virus? I saw a lot inside the file usb_full.img....

Like to hear more !

Thanks !

ngpc

Edited by ngpc
What is the difference between using the XP format function to format the usb instead of using the procedure you have mentioned in the last email.

Basically 2K/XP/2003 check if a flag in the controller of the USB device is set as either "Fixed" or "Removable".

If it detects it as "Removable" it won't:

  • allow partitioning the device
  • allow access to any partition but the first (Active) one (if the device is actually partitioned)

BUT, if it finds a MBR, it will "trust" information in it and allow to format the single partition it can access.

99.99% (read ALL) USB sticks have this flag in the controller set as "Removable"

ALL USB Hard Disks and USB Hard Disks enclosures have this flag in the controller set as "Fixed"

99.99% (read ALL, exception made for your stick ;)) are sold WITHOUT partitioning, with the whole stick formatted as "super-floppy"

If you Format from XP a stick that HAS NOT a valid MBR, it will be formatted as "super-floppy".

The given utilities allow partitioning and formatting the stick as a HD-like device.

An alternative is using in Windows XP a "Filter Driver" such as cfadisk.sys or dummydisk.sys that "tricks" XP in seeing the flag in the controller set as "Fixed" and thus allow Disk Management to partition the disk.

So, if you try re-formatting your stick as-is from Windows XP, it will assume the (currently containing "wrong" data) MBR to be a valid one and will re-create a "non-right" filesystem, which may nonetheless work, as it did yours, but that it is NOT advised as it may create problems on some machines, or with other OS.

If you try re-formatting your stick after having wiped it from Windows XP, it will assume that you want to create a "super-floppy" filesystem, which again works all right for the use you make of it, but that may be more problematic to recover in case of failure.

While I just want to learn more if there is any technical reasons...

There is no "needed" technical reason, it is an "advised" technical one.

Besides, after the TestDisk recovery, I retrieve all the file data and also see some file named as below

-rwxr-xr-x 0 0 594 22-Oct-2008 18:38 _UTORUN.INF

-rwxr-xr-x 0 0 110654 5-Oct-2008 16:57 _JIEF.CMD

Which you saw in the testdisk List view being RED:

-rwxr-xr-x 0 0 594 22-Oct-2008 18:38 _UTORUN.INF

-rwxr-xr-x 0 0 110654 5-Oct-2008 16:57 _JIEF.CMD

to evidentiate how they were DELETED files.

When you delete a file on a FAT filesystem it is NOT actually deleted, simply the first character of its name in the FAT table is overwritten by a "special" character (that testdisk shows as an underscore) to signify that that allocation is free and that it can be overwritten.

Are they created repeatedly by a virus? I saw a lot inside the file usb_full.img....

Yep, from the date/time of those files, you can track when the Virus wrote them, each _UTORUN.INF file you can see (and that you should delete once finished playing with them) is a single attempt of infection (or re-infection) by the Virus.

jaclaz
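
Added example, not part of the original posts and not TestDisk's code: a small carver that walks a raw FAT image in 32-byte steps, keeps every slot that looks like a deleted 8.3 directory entry (first name byte 0xE5, the marker TestDisk displays as an underscore) and sorts the `_UTORUN.INF` hits by modification time to rebuild the infection timeline described above. Scanning every slot instead of following the directory tree is an assumption made so it also works on a damaged image. The sample bytes are constructed: the first two entries reuse the names, sizes and dates from the listing above, and the third is invented.

```python
import struct
from datetime import datetime

DELETED = 0xE5    # first name byte of a deleted FAT directory entry

def dos_datetime(date, time):
    """Decode FAT packed date/time words; raises ValueError on garbage."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def carve_deleted(raw):
    """Return (offset, name, size, mtime) for every plausible deleted 8.3 entry."""
    hits = []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        # 0x0F marks a long-file-name slot; the top two attribute bits are reserved
        if e[0] != DELETED or e[11] == 0x0F or e[11] & 0xC0:
            continue
        if not all(0x20 <= b <= 0x7E for b in e[1:11]):
            continue                      # not a plausible short name
        time, date, _cluster, size = struct.unpack_from("<HHHI", e, 22)
        try:
            mtime = dos_datetime(date, time)
        except ValueError:
            continue                      # random data, not a directory entry
        base, ext = e[1:8].decode("ascii").rstrip(), e[8:11].decode("ascii").rstrip()
        hits.append((off, "_" + base + ("." + ext if ext else ""), size, mtime))
    return hits

def timeline(raw, suffix="UTORUN.INF"):
    """Deleted entries whose name ends with `suffix`, oldest first."""
    return sorted((h for h in carve_deleted(raw) if h[1].endswith(suffix)),
                  key=lambda h: h[3])

def make_entry(name83, size, when, deleted):  # builds constructed sample data only
    date = (when.year - 1980) << 9 | when.month << 5 | when.day
    time = when.hour << 11 | when.minute << 5 | when.second // 2
    first = bytes([DELETED]) if deleted else name83[:1]
    return first + name83[1:11] + b"\x20" + bytes(10) + struct.pack("<HHHI", time, date, 2, size)

# Constructed sample: 64 zero bytes, three deleted entries, one live entry.
SAMPLE = bytes(64) + b"".join([
    make_entry(b"AUTORUN INF", 594, datetime(2008, 10, 22, 18, 38), True),
    make_entry(b"?JIEF   CMD", 110654, datetime(2008, 10, 5, 16, 57), True),
    make_entry(b"AUTORUN INF", 594, datetime(2008, 10, 20, 9, 15), True),
    make_entry(b"README  TXT", 100, datetime(2008, 10, 1, 12, 0), False),
])

if __name__ == "__main__":
    for off, name, size, mtime in timeline(SAMPLE):
        print(f"{mtime:%d-%b-%Y %H:%M} {size:>7} {name} @0x{off:X}")
```

Run it against a copy of the image, never the stick itself; a hit only shows that a directory entry with that name and date once existed, not that the file's data is still intact.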


Hi Jaclaz,

Thanks Again for sharing !

May I know that which tools you are using for viewing the MBR structure/data of my defective usb, can I download it from some sites ?

Is there any recommended site which documented the introduction of MBR or file system structure analysis? I am quite interested in data recovery after this learning experience .

And finally, can I apply the similar value of my case to some usb which show the same symptoms but with different memory sizes say 2G, 4G, 8G..?

And I only experiment this on the extracted image file.

Hope to hear your advice...

ngpc

:w00t:

Thanks Again for sharing !

You are welcome. :)

May I know that which tools you are using for viewing the MBR structure/data of my defective usb, can I download it from some sites ?

I could tell you, but then I would have to kill you...:whistle:

Seriously:

And a number of other tools, depending on what is the problem at hand.

Remember that however usually a skilled carpenter is more important than the actual tools he uses. ;)

You'll need some time to learn and digest the info you can find in the below mentioned site (and its links) and more generally take your time browsing around in boot-land:

http://www.boot-land.net/forums/

Also remember that the right approach to data recovery is avoiding needing it. (BACKUP!)

Is there any recommended site which documented the introduction of MBR or file system structure analysis? I am quite interested in data recovery after this learning experience .

The "mother of all MBR/filesystems sites", the Starman's Realm:

http://mirror.href.com/thestarman/asm/mbr/index.html

And of course the good ol' "Primer":

http://www.ranish.com/part/primer.htm

I would also suggest you getting acquainted with "ol' DOS" programs, like Ranish Partition Manager:

http://www.ranish.com/part/

and the several other DOS tools recommended by Daniel B. Sedory (the Starman)

And with Qemu:

http://www.nongnu.org/qemu/

Optionally using Qemu Manager GUI:

http://www.davereyn.co.uk/

And finally, can I apply the similar value of my case to some usb which show the same symptoms but with different memory sizes say 2G, 4G, 8G..?

You can apply a similar method/approach.

Not a "similar value", a value can be either of two things:

  • Right
  • Wrong

(no space for "similar")

And I only experiment this on the extracted image file.

Sure, that's the "proper" approach, NEVER write anything on the "problematic" device if you are not sure (and double sure) about what you are writing and what effects it may have.

jaclaz

99.99% (read ALL, exception made for your stick ;)) are sold WITHOUT partitioning, with the whole stick formatted as "super-floppy"

"U3" sticks get two drive letters, I guess they have two partitions ? I also saw that for "fingerprint secured" sticks. One partition for the security system, one for data.

Thanks Jaclaz,

Don't kill me until one day, I become as professional as you are, ha ha ....

Anyway, thanks so much for your help in the past week and your generous sharing of your knowledge ! I did learn a lot !

ngpc

:hello::thumbup

99.99% (read ALL, exception made for your stick ;)) are sold WITHOUT partitioning, with the whole stick formatted as "super-floppy"

"U3" sticks get two drive letters, I guess they have two partitions ? I also saw that for "fingerprint secured" sticks. One partition for the security system, one for data.

NO. :(

They have two LUN's:

http://www.911cd.net/forums//index.php?sho...20186&st=16

http://www.911cd.net/forums//index.php?sho...20186&st=27

(of which one is a CD-ROM device and the other one is a "normal disk", which may be partitioned, but usually isn't)

Also, FYI:

http://www.msfn.org/board/index.php?showtopic=121502

http://www.msfn.org/board/index.php?showtopic=125138

BTW, the bootsector of ngpc's stick was formatted as FAT16 06 (CHS) and had a bootsector invoking DOS system file IO.SYS.

I have NEVER seen myself or read ANY report of such a stick being formatted like that in factory.

The unbalanced CHS/LBA makes me think of the use of the "HP" formatting utility and the n/64/32 of the use of VDK (which defaults to that geometry) or Winimage, that can use that geometry in some cases.

jaclaz

Edited by jaclaz

Hi, jaclaz!

Our USB drive suddenly exhibited the same symptoms as ngpc's: When attempting to access it, Windows claims that it isn't formatted. I assume you want to start with a copy of Testdisk's log report. It's attached. MSFN's attachment system wouldn't allow me to upload it when it was named testdisk.log, so I added .txt to the file name.

Thank you for your help!

testdisk.log.txt


Attached - but note:

1) The attachment system didn't like .bin any more than it liked .log, so added .txt to both files.

2) My system contains 2 physical hard drives, a floppy, and a DVD, and, at the moment, a USB drive is attached. I assumed that the floppy and DVD drives are not included in the chain of physical drives, and that the USB drive is physical drive 2.

bs.bin.txt

MBR.bin.txt

Edited by doniel
Attached - but note:

1) The attachment system didn't like .bin any more than it liked .log, so added .txt to both files.

Really? :w00t:

Could this be connected to this part of the referenced post?: :unsure:

Compress the two files in a .zip archive and post it as an attachment, I'll have a look at them.

:whistle:

2) My system contains 2 physical hard drives, a floppy, and a DVD, and, at the moment, a USB drive is attached. I assumed that the floppy and DVD drives are not included in the chain of physical drives, and that the USB drive is physical drive 2.

It may have been the right choice, but unfortunately, BOTH the files you posted are just a (nice, rounded ;)) collection of digital 00's. :(

This could mean EITHER:

  1. that something went wrong while extracting/copying the sectors/files
  2. that you got the right \\.\Physicaldrive AND the extracting/copying went all right BUT the sectors on the stick are actually all 00's

My guess is that unfortunately it is #2 above, which can be caused by three things:

  1. partial accidental wiping (of some initial sectors) of the device (not good, but leaving some hopes)
  2. total accidental wiping of the device (bad)
  3. device controller or flash memory malfunctioning (bad)

Can you describe with as much detail as you can remember how this thing happened, if there were previous symptoms of failure, if any particular program was run against the stick, if the stick was EVER attached to an unprotected by antivirus PC, etc.?

Let's try again with a slightly different approach.

Get dsfo (within the DSFOK toolkit):

http://members.ozemail.com.au/~nulifetv/fr...ware/index.html

Open a command prompt and run from the directory where you unzipped dsfo.exe:

dsfo \\.\Physicaldrive2 0 102400 C:\first200.dat

Compress C:\first200.dat to a .zip and attach to your next post the resulting archive.

If you have access to a hosting site of some kind (even a free one like megaupload or rapidshare would do) AND the stick did not contain private/personal data that I shouldn't see, create a "full" image of the stick (you will need as much available space on your hard disk as the size of the stick + say another half size for the compressed file) by running:

dsfo \\.\Physicaldrive2 0 0 C:\fullima.dat

Compress C:\fullima.dat to a .zip, upload the resulting archive to the filehosting site and send me via PM the download link...

If it's not all 00's some partial recovery may be still possible.

By the way, you didn't need to provide a link - all you had to do was tell me to scroll to the top of this page!

A link is a link, and generally stays linked ;)

"Relative" addresses, such as "look at top of the page" may change depending on which particular view you are seeing this thread with, and from a number of other reasons.

jaclaz
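
Added example, not part of the original posts and not related to dsfo's own code: a triage of a sector dump such as `C:\first200.dat` that reports whether it is all 00's and, if not, whether sector 0 carries a partition table (HD-like stick) or a boot sector starting directly at sector 0 ("super-floppy"), the two layouts explained earlier in the thread. The checks are heuristics chosen for this example, and the sample sectors are constructed, not taken from the attachments.

```python
import struct

def first_nonzero(raw):
    """Offset of the first non-zero byte, or None when the dump is all 00's."""
    rest = raw.lstrip(b"\x00")
    return len(raw) - len(rest) if rest else None

def partitions(sector0):
    """Decode the four MBR slots at offset 446; None if any slot is implausible."""
    found = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if status not in (0x00, 0x80) or bool(ptype) != bool(count):
            return None
        if ptype:
            found.append((status == 0x80, ptype, lba, count))
    return found

def has_bpb(sector0):
    """True when sector 0 starts like a FAT/NTFS boot sector (jump + sane BPB)."""
    bps, spc = struct.unpack_from("<HB", sector0, 11)
    return (sector0[0] in (0xEB, 0xE9) and bps in (512, 1024, 2048, 4096)
            and spc != 0 and spc & (spc - 1) == 0)

def classify(raw):
    """Triage the first bytes of a device dump; returns (verdict, detail)."""
    nz = first_nonzero(raw)
    if nz is None:
        return "all-zero", None
    if len(raw) < 512 or raw[510:512] != b"\x55\xAA":
        return "no-boot-signature", nz          # data exists, starting at offset nz
    if has_bpb(raw):
        return "super-floppy", None             # filesystem starts at sector 0
    parts = partitions(raw)
    return ("partitioned", parts) if parts else ("signature-only", None)

# Constructed samples (not taken from the thread's attachments).
ZEROS = bytes(102400)                           # same size as the dsfo dump above
MBR = bytearray(512)                            # one active type-06 partition at LBA 32
struct.pack_into("<B3xB3xII", MBR, 446, 0x80, 0x06, 32, 2048000)
MBR[510:512] = b"\x55\xAA"
FLOPPY = bytearray(512)
FLOPPY[0:11] = b"\xEB\x3C\x90MSDOS5.0"
struct.pack_into("<HB", FLOPPY, 11, 512, 4)
FLOPPY[510:512] = b"\x55\xAA"

if __name__ == "__main__":
    for name, img in (("zeros", ZEROS), ("mbr", MBR), ("floppy", FLOPPY)):
        print(name, classify(bytes(img)))
```

A "no-boot-signature" verdict with a non-zero offset means data survives further into the dump even though sector 0 is gone, which is the case where partial recovery is still worth attempting.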


Sorry. I've been checking several times a day for your reply, but never realized that we'd gone to a page 3. I'll post a proper reply as soon as I can.

Thank you!


Really? Could this be connected to this part of the referenced post

Compress the two files in a .zip archive and post it as an attachment

Didn't realize that your request for a zip file was to get around attachment system restrictions.

"Relative" addresses, such as "look at top of the page" may change depending on which particular view you are seeing this thread with, and from a number of other reasons.

Point taken.

first200.zip attached.

Hope to be able to u/l full image. Will let you know. But first, I need an answer from you. Winrar won't let me break up the full image into smaller files in zip format. Do you have a problem with rar format?

Thanks again, jaclaz!

doniel

FIRST200.zip


Unfortunately the whole file you sent is made of 00's. :(

No problem with .rar, the good (or bad) thing is that if the whole image is made of 00's the compressed file will be very, very small.

So, try compressing the image in a "monolithic" .zip or .rar, if the result is very small, it means that it contains mostly 00's, on the other hand, if the resulting archive is "biggish" it means that some data is still there, and then you can re-create it in split .rar files.

Is there any chance that the \\.\PhysicalDrive2 may be "wrong"?

I don't think so as if the device does not exist dsfo should throw an error.

Which size is the "full" image (without compression)?

Is it compatible with the "label" size of the stick?

It could be that simply something in the controller or in the flash memory has gone "berserk". :unsure:

jaclaz

Edited by jaclaz

Full image uncompressed is about 7.5 GB. Rar is 4.7 GB. It's going to take me quite some time to u/l. Will let you know as it gets done so that you can d/l it as they get posted.

