[jaclaz]

I am afraid that things are more complex than expected.

It seems like there is anyway some corrupted values in USB_100.IMG and probably also in USB_full.img.

Forget about IMDISK for the moment.

A test that you can make:
run:

dsfo C:\dsfok\USB_full.img 0 51200 C:\dsfok\USB_100_new.img

then:

FC /B C:\dsfok\USB_100_new.img C:\dsfok\USB_100.img

It should give "no differences found".

Please report if it instead FC finds differences.

It is still possible that testdisk can do something, but using it's advanced features will be required, something that you cannot do - at least for the moment.

You should provide me with some more sectors, it seems like the FAT (at least FAT#1) is gone beserk.

I need the whole set of FAT's.

According to the bootsector the filesystem has 247 sectors per FAT.

Thus I need:
32 - hidden sectors
1 - FAT16 bootsector
247 - First FAT
247 - Second FAT
(32+1+247+247)=527 sectors, rounded to 550, thus 550x512=281,600 bytes

Run this:

dsfo C:\dsfok\USB_full.img 0 281600 C:\dsfok\USB_550.img

Zip the USB_550.img to USB_550.zip and attach it.

jaclaz

[ngpc]

HI Jaclaz,

I have run FC command and compare the 2 files, USB_100.img and USB_100_new.img, the system return no difference...

I have attached the USB_550.img zip file for analysis...

Are you mean that as ImDisk Virtual Disk Driver cannot open the USB_full.img file and USB_100.img file, so it can be predicted that the values fo these files are corrupted, am I right ?

Besides, if the TDisk can do something for my USB, can you teach me some instructions and then I can check it during the weekend...

I have run a test of the USB_100.img and USB_full.img in the TDisk software, TD report some findings of the these files, the result is attached inside the txt file , the two files report the same result as shown in the txt file. Hope this can help to provide more info....

Thanks!
ngpc

Attached File(s)

•  usb_550.zip (188.42K)
  Number of downloads: 5
•  TDisk__anaylse_result_of_USB_full_image_file__1.txt (986bytes)
  Number of downloads: 4

This post has been edited by ngpc: 22 May 2009 - 11:04 AM

[jaclaz]

Got it.

Good news.

It seems like manually adapting Geometry it is possible to access the FAT(s).

It's a rather complex procedure, tomorrow I will post a step-by-step of what you should do.

jaclaz

[ngpc]

Really

Thanks!

Looking forward to that !

ngpc

[jaclaz]

OK , here it is:
Delete any testdisk.log you may have in testdisk directory.
Start testdisk mounting the image, as follows:

testdisk_win /log C:\dsfok\usb_full.img

Following italics is what you will see/will have to choose and bold is what you have to type, underlined comments/hints:

[Proceed] <ENTER>
[Intel] <ENTER>

[Geometry] <ENTER>
[Cylinders] <ENTER>
1 <ENTER>
[Heads] <ENTER>
64 <ENTER>
[OK] <ENTER>


[Options]<ENTER>
use arrow keys and <ENTER> to switch settings:
Expert Mode:Yes
Cylinder Boundary:No
Allow partial last cylinder: Yes
Dump:No
[Ok] <ENTER>

[Advanced] <ENTER>

1*FAT16 >32M 0 1 1 987 18 25 2021945 <--you should see this, if not something was made wrong before

[Boot] <ENTER>
[Rebuild BS] <ENTER>

FaT1 Location....:1 <ENTER>
Fat2 Location....:248 <ENTER>
Number of FATS...:2 <ENTER>
Cluster size.....:32 <ENTER>

[List] <ENTER>
here you can browse the FAT contents and (optionally) copy some files from the image - NO NEED to copy them, however, we will attempt retrieving them later
q <ENTER>

[Write] <ENTER>

Write FAT boot Sector, Confirm? (Y/N) Y

[Quit] <ENTER>
[Quit] <ENTER>

[Analyze] <ENTER>
[Backup] <ENTER>
Should Testdisk....Vista...? N
[Continue] <ENTER>
L
[Load]
<ENTER>
[Write] <ENTER>
Write partition table, confirm? (Y/N) Y
[Ok] <ENTER>
[Quit] <ENTER>
[Quit] <ENTER>

***END of testdisk session***


You don't actually need to reboot, since you were working on an image instead of a "real" device.

Now, mount USB_full.img with IMDISK and you should be able to copy out of it the files normally with Explorer to a new directory on your hard disk.

It is possible that you will be able to recover 100% of files, and as well it is possible that some will be corrupted, no way to know in advance.

Let me know how it goes.

If you don't feel confident in the procedure, make a copy of USB_full.img and try at first on the copy.



jaclaz

P.S.: If you think the procedure is a bit too complex, I can post your USB_550.img "corrected" and show you how to "merge" it with USB_full.img, but then you won't have any fun at it.

[ngpc]

Jaclaz,

I just try upto this step and stop because I got the number return that is different from you , can you advise.?

1*FAT16 >32M 0 1 1 987 18 25 2021945 <--you should see this, if not something was made wrong before (Your code)

1*FAT16 >32M 0 1 1 1019 8 25 2021945

Is the no. important?
ngpc

[jaclaz]

ngpc, on May 23 2009, 11:13 AM, said:

Jaclaz,

I just try upto this step and stop because I got the number return that is different from you , can you advise.?

1*FAT16 >32M 0 1 1 987 18 25 2021945 <--you should see this, if not something was made wrong before (Your code)

1*FAT16 >32M 0 1 1 1019 8 25 2021945

Is the no. important?
ngpc

Yep.

You did not make properly the [Geometry] change.
Re-check settings in the [Geometry] section:
Cylinders=1
Heads=64
Sectors=32
Sector Size=512

and you will get the 987/18/25.

jaclaz

[ngpc]

Hey Jaclaz,

I just take a risk to try the remaining recovery procedure as I am so eager to see the result... So you bet... I finally GOT it... Wow, EXCELLENT !
All the file are back, they are back...... A very BIG THANKS to YOU.... I really appreciate your patience and professional advise...
I learnt a lot from this process and have much fun.... Interesting !

BTW, there is still a few questions here, can you help me to claify a bit:

As I reopened the image file, I found my useful file as well as some Virus files or virus information.

So my question is :
1/ Will the virus file still have effect on my C drive when I copy the data from this USB_full image file back to my C drive ?

2/ When I use the virus cleaning program to scan the G: virtual drive, it detect the Virus (See attached txt file) and going to kill them, so does it mean that the virus will become inactive (seems sleeping) when the USB_full image is not being recovered, but when it is being recovered now, the virus become active and will start to infect other drives who ever came across it ?

3/ Before I format my Defective USB , if I plug it into the computer , will the virus infect my computer ?

4/ Will the stand alone USB_full image file which has the virus file lock inside become active if I keep the image file ?

Curious to know that...

Thanks !
ngpc

Attached File(s)

•  TDisk_retrieving_record_eith_Virus_info.txt (4.19K)
  Number of downloads: 2
•  Virus_Scan_Result_2009_5_23_after_USB_full_IMG_on_Virtual_Disk.txt (1.13K)
  Number of downloads: 2

[jaclaz]

Happy to hear about a happy ending.

Virii "for USB sticks" are generally triggered by the stupid (I know no better English word to describe it ) feature of Windows XP (and later I think ) that tries to access "automagically" anything connected to the USB port and tries to Print, or Play or Open or whatever.

The culprit is the autorun.inf file, which is executed by the above mentioned stupid feature.

An Image file is not accessed the same way, so it is relatively safe.

Scan files in the image and your anti-virus should get rid of the things allright.

Since Windows cannot read properly your damaged stick, it shouldn't be a problem of reinfection.

Thus answer to all your questions is NO.

What you should do next would be to WIPE your stick (as opposed to re-formatting it)

Get mksparse:
http://www.acc.umu.se/~bosse/
unzip it in the usual directory C:\DSFOK
(I presume that the C:\ volume has a NTFS filesystem, otherwise use a NTFS one)

Create a new sparse file the size you got from dsfo originally:

mksparse C:\dsfok\USB_empty.img 1035206656

The file, being sparse will occupy only a bunch of Kbytes instead of it's full size, and it will be full to the brim of 00's.
If the temporary occupation of about 1 Gb by the file is not a problem, you can use fsz that is already in the DSFOK you have.

Now, use dsfi to completely overwrite your stick:

dsfi \\.\PHYSICALDRIVE1 0 0 C:\dsfok\USB_empty.img

Remove and re-insert stick.

Now, use RMPREPUSB.EXE (advised):
http://www.boot-land...?showtopic=7739
to format your stick. (this will create a "properly formatted" stick including a MBR, i.e. HD-like, if you use XP Disk Management it will format the stick as super-floppy, unless you use a filter driver, that I guess it's out of the scope of this thread)
Using the re-known "HP utility" will work as well, though it will create "better-than-the-current-lousy-one" , but still unbalanced CHS/LBA partition table, which is more likely to cause problems in the future.

Remove and re-insert stick.

Then, get ninja pendisk :
http://nunobrito.eu/ninja/
http://www.boot-land...?showtopic=4350
http://nunobrito.eu/ninja/forum/

and use it.

BTW, and just as a general advice for the future, a not-so-well-known "trick" on FAT16 and FAT32 filesystems, in order to increase the possibilities of recovering files is to avoid if possible to put files in the ROOT, but rather use Directories or sub-directories to store them.



jaclaz

[ngpc]

Kelsenellenelvian, on May 21 2009, 12:12 PM, said:

I recently experienced close to the same thing with the autorun virus.

When I attached the drive the AV completly even refused to let windows recognized the whole drive.

Hi,

I finally retrieve all my data from the USB by following the process, you can try and see if this can help your situation...
Jaclaz's trouble shooting is really professional...
You can check it out yourself...

ngpc

[ngpc]

HI Jaclaz,

Just a curious question !

I just suppose I can use the XP format function to reformat my usb, it seems there is still a lot of steps to reformat it...

May I know that "
What is the difference between using the XP format function to format the usb instead of using the procedure you have mentioned in the last email.

I know your procedure may trying to config the usb in a new structure ...
Sure, I will try your procedure and learn more about that, it is interesting.

While I just want to learn more if there is any technical reasons...

Besides, after the TestDisk recovery, I retrieve all the file data and also see some file named as below
-rwxr-xr-x 0 0 594 22-Oct-2008 18:38 _UTORUN.INF
-rwxr-xr-x 0 0 110654 5-Oct-2008 16:57 _JIEF.CMD

Are they created repeatedly by virus , I saw a lot inside the file usb_full.img.... ?


Like to hear more !
Thanks !
ngpc

This post has been edited by ngpc: 24 May 2009 - 05:28 AM

[jaclaz]

ngpc, on May 24 2009, 12:51 PM, said:

What is the difference between using the XP format function to format the usb instead of using the procedure you have mentioned in the last email.

Basically 2K/XP/2003 check if a flag in the controller of the USB device is set as either "Fixed" or "Removable".
If it detects it as "Removable" it won't:

• allow partitioning the device
  
• allow access to any partition but the first (Active) one (if the device is actually partitioned)

BUT, if it finds a MBR, it will "trust" information in it and allow to format the single partition it can access.

99.99% (read ALL) USB sticks have this flag in the controller set as "Removable"
ALL USB Hard Disks and USB Hard Disks enclosures have this flag in the controller set as "Fixed"

99.99% (read ALL, exception made for your stick ) are sold WITHOUT partitioning, with the whole stick formatted as "super-floppy"

If you Format from XP a stick that HAS NOT a valid MBR, it will be formatted as "super-floppy".

The given utilities allow partitioning and formatting the stick as a HD-like device.

An alternative is using in Windows XP a "Filter Driver" such as cfadisk.sys or dummydisk.sys that "tricks" XP in seeing the flag in the controller set as "Fixed" and thus allow Disk Management to partition the disk.

So, if you try re-formatting your stick as-is from Windows XP, it will assume the (currently containing "wrong" data) MBR to be a valid one and will re-create a "non-right" filesystem, which may nonetheless work, as it did yours, but that it is NOT advised as it may create problems on some machines, or with other OS.

If you try re-formatting your stick after having wiped it from Windows XP, it will assume that you want to create a "super-floppy" filesystem, which again works allright for the use you make it, but hat may be more problematic to recover in case of failure.

ngpc, on May 24 2009, 12:51 PM, said:

While I just want to learn more if there is any technical reasons...

There is no "needed" technical reason, it as an "advised" technical one.

ngpc, on May 24 2009, 12:51 PM, said:

Besides, after the TestDisk recovery, I retrieve all the file data and also see some file named as below
-rwxr-xr-x 0 0 594 22-Oct-2008 18:38 _UTORUN.INF
-rwxr-xr-x 0 0 110654 5-Oct-2008 16:57 _JIEF.CMD

Which you saw in the testdisk List view being RED:

Quote

-rwxr-xr-x 0 0 594 22-Oct-2008 18:38 _UTORUN.INF
-rwxr-xr-x 0 0 110654 5-Oct-2008 16:57 _JIEF.CMD

to evidentiate how they were DELETED files.
When you delete a file on a FAT filesystem it is NOT actually deleted, simply first character of it's name in the FAT table is overwritten by a "special" character (that testdisk shows as an underscore) to signify that that allocation is free and that it can be overwritten.

ngpc, on May 24 2009, 12:51 PM, said:

Are they created repeatedly by virus , I saw a lot inside the file usb_full.img.... ?

Yep, from the date/time of those files, you can track when the Virus wrote them, each _UTORUN.INF file you can see (and that you should delete once finished playing with them) is a single attempt of infection (or re-infection) by the Virus.

jaclaz

[ngpc]

Hi Jaclaz,

Thanks Again for sharing !

May I know that which tools you are using for viewing the MBR structure/data of my defective usb, can I download it from some sites ?

Is there any recommended site which documented the introduction of MBR or file system structure analysis? I am quite interested in data recovery after this learning experience .

And finally, can I apply the similiar value of my case to some usb which show the same symptoms but with different memory sizes say 2G, 4G, 8G..?
And I only experiment this on the extracted image file.

hope to hear your advise...
ngpc

[jaclaz]

ngpc, on May 25 2009, 06:27 PM, said:

Thanks Again for sharing !

You are welcome.

ngpc, on May 25 2009, 06:27 PM, said:

May I know that which tools you are using for viewing the MBR structure/data of my defective usb, can I download it from some sites ?

I could tell you, but then I would have to kill you...

Seriously:

• any hex/disk editor, possibly one that offers templates
  
• Beeblebrox, the DSFOK toolkit, IMDISK which you already "met".
  
• Ken Kato's VDK:
  http://chitchat.at.i...re/vdk.html#top
  
• Optionally with my pseudo GUI for it:
  http://home.graffiti.net/jaclaz:graffiti.n...ts/VDM/vdm.html
  
• My small CHS/LBA spreadsheet:
  http://www.boot-land...?showtopic=2959
  (keep an eye on that thread, I am in the process, hopefully in a few days or maybe weeks, to publish a MUCH enhandced v2.0 of it)
  
• My small MBRBATCH/MKIMG:
  http://www.boot-land...?showtopic=3191
  http://www.boot-land...?showtopic=5000

And a number of other tools, depending on what is the problem at hand.

Remember that however usually a skilled carpenter is more important than the actual tools he uses.

You'll need some time to learn and digest the info you can find in the below mentioned site (and it's links) and more generally take your time browsing around in boot-land:
http://www.boot-land.net/forums/

Also remember that the right approach to data recovery is avoiding needing it. (BACKUP!)

ngpc, on May 25 2009, 06:27 PM, said:

Is there any recommended site which documented the introduction of MBR or file system structure analysis? I am quite interested in data recovery after this learning experience .

The "mother of all MBR/filesystems sites", the Starman's Realm:
http://mirror.href.c.../mbr/index.html

And of course the good ol' "Primer":
http://www.ranish.com/part/primer.htm

I would also suggest you getting acquaintaned to "ol' DOS" programs, like Ranish Partition Manager:
http://www.ranish.com/part/
and the several other DOS tools recommended by Daniel B. Sedory (the Starman)

And with Qemu:
http://www.nongnu.org/qemu/

Optionally using Qemu Manager GUI:
http://www.davereyn.co.uk/

ngpc, on May 25 2009, 06:27 PM, said:

And finally, can I apply the similiar value of my case to some usb which show the same symptoms but with different memory sizes say 2G, 4G, 8G..?

You can apply a similar method/approach.
Not a "similar value", a value can be either of two things:

• Right
  
• Wrong

(no space for "similar")

ngpc, on May 25 2009, 06:27 PM, said:

And I only experiment this on the extracted image file.

Sure, that's the "proper" approach, NEVER write anything on the "problematic" device if you are not sure (and double sure) about what you are writing and what effects it may have.

jaclaz

[Ponch]

jaclaz, on May 24 2009, 02:18 PM, said:

99.99% (read ALL, exception made for your stick ) are sold WITHOUT partitioning, with the whole stick formatted as "super-floppy"

"U3" sticks get two drive letters, I guess they have two partitions ? I also saw that for "fingerprint secured" sticks. One partition for the security system, one for data.

[ngpc]

jaclaz, on May 26 2009, 02:55 AM, said:

ngpc, on May 25 2009, 06:27 PM, said:

Thanks Again for sharing !

You are welcome.

ngpc, on May 25 2009, 06:27 PM, said:

May I know that which tools you are using for viewing the MBR structure/data of my defective usb, can I download it from some sites ?

I could tell you, but then I would have to kill you...

Seriously:

• any hex/disk editor, possibly one that offers templates
  
• Beeblebrox, the DSFOK toolkit, IMDISK which you already "met".
  
• Ken Kato's VDK:
  http://chitchat.at.i...re/vdk.html#top
  
• Optionally with my pseudo GUI for it:
  http://home.graffiti.net/jaclaz:graffiti.n...ts/VDM/vdm.html
  
• My small CHS/LBA spreadsheet:
  http://www.boot-land...?showtopic=2959
  (keep an eye on that thread, I am in the process, hopefully in a few days or maybe weeks, to publish a MUCH enhandced v2.0 of it)
  
• My small MBRBATCH/MKIMG:
  http://www.boot-land...?showtopic=3191
  http://www.boot-land...?showtopic=5000

And a number of other tools, depending on what is the problem at hand.

Remember that however usually a skilled carpenter is more important than the actual tools he uses.

You'll need some time to learn and digest the info you can find in the below mentioned site (and it's links) and more generally take your time browsing around in boot-land:
http://www.boot-land.net/forums/

Also remember that the right approach to data recovery is avoiding needing it. (BACKUP!)

ngpc, on May 25 2009, 06:27 PM, said:

Is there any recommended site which documented the introduction of MBR or file system structure analysis? I am quite interested in data recovery after this learning experience .

The "mother of all MBR/filesystems sites", the Starman's Realm:
http://mirror.href.c.../mbr/index.html

And of course the good ol' "Primer":
http://www.ranish.com/part/primer.htm

I would also suggest you getting acquaintaned to "ol' DOS" programs, like Ranish Partition Manager:
http://www.ranish.com/part/
and the several other DOS tools recommended by Daniel B. Sedory (the Starman)

And with Qemu:
http://www.nongnu.org/qemu/

Optionally using Qemu Manager GUI:
http://www.davereyn.co.uk/

ngpc, on May 25 2009, 06:27 PM, said:

And finally, can I apply the similiar value of my case to some usb which show the same symptoms but with different memory sizes say 2G, 4G, 8G..?

You can apply a similar method/approach.
Not a "similar value", a value can be either of two things:

• Right
  
• Wrong

(no space for "similar")

ngpc, on May 25 2009, 06:27 PM, said:

And I only experiment this on the extracted image file.

Sure, that's the "proper" approach, NEVER write anything on the "problematic" device if you are not sure (and double sure) about what you are writing and what effects it may have.

jaclaz

Thanks Jaclaz,

Don't kill me until one day, I become as professional as you are, ha ha ....
Anyway, thanks so much for your help in the past week and your generous sharing of your knowledge ! I did learnt a lot !

ngpc

[jaclaz]

Ponch, on May 26 2009, 10:45 AM, said:

jaclaz, on May 24 2009, 02:18 PM, said:

99.99% (read ALL, exception made for your stick ) are sold WITHOUT partitioning, with the whole stick formatted as "super-floppy"

"U3" sticks get two drive letters, I guess they have two partitions ? I also saw that for "fingerprint secured" sticks. One partition for the security system, one for data.

NO.

They have two LUN's:
http://www.911cd.net/forums//index.php?sho...20186&st=16
http://www.911cd.net/forums//index.php?sho...20186&st=27

(of which one is a CD-ROM device and the other one is a "normal disk", which may be partitioned, but usually isn't)

Also, FYI:
http://www.msfn.org/...howtopic=121502
http://www.msfn.org/...howtopic=125138

BTW, the bootsector of ngpc's stick was formatted as FAT16 06 (CHS) and had a bootsector invoking DOS system file IO.SYS.
I have NEVER seen myself or read ANY report of such a stick being formatted like that in factory.

The unbalanced CHS/LBA makes me think of the use of the "HP" formatting utility and the n/64/32 of the use of VDK (which defaults to that geometry) or Winimage, that can use that geometry in some cases.


jaclaz

This post has been edited by jaclaz: 26 May 2009 - 05:15 AM

[doniel]

Hi, jaclaz!

Our USB drive suddenly exhibited the same symptoms as ngpc's: When attempting to access it, Windows claims that it isn't formatted. I assume you want to start with a copy of Testdisk's log report. It's attached. MSFN's attachment system wouldn't allow me to upload it when it was named testdisk.log, so I added .txt to the file name.

Thank you for your help!

Attached File(s)

•  testdisk.log.txt (3.47K)
  Number of downloads: 4

[jaclaz]

doniel, on Jun 24 2009, 08:50 PM, said:

When attempting to access it, Windows claims that it isn't formatted. I assume you want to start with a copy of Testdisk's log report.

Got it.

But I also need the MBR and bootsector, see second part of this post:
http://www.msfn.org/board/index.php?showto...133933&st=7

jaclaz

[doniel]

Attached - but note:

1) The attachment system didn't like .bin any more than it liked .log, so added .txt to both files.

2) My system contains 2 physical hard drives, a floppy, and a DVD, and, at the moment, a USB drive is attached. I assumed that the floppy and DVD drives are not included in the chain of physical drives, and that the USB drive is physical drive 2.

Attached File(s)

•  bs.bin.txt (512bytes)
  Number of downloads: 2
•  MBR.bin.txt (512bytes)
  Number of downloads: 2

This post has been edited by doniel: 26 June 2009 - 10:08 AM