| 1 |
Hi, |
| 2 |
|
| 3 |
On Fri, 18 May 2007 14:11:14 +0100 Mick <michaelkintzios@×××××.com> |
| 4 |
wrote: |
| 5 |
|
| 6 |
> > Did you try the recovery tools for the FS in question? |
| 7 |
> |
| 8 |
> I tried fsck.msdos but didn't fix it. |
| 9 |
|
| 10 |
Doesn't make me wonder, as I'll explain below, there's no file system |
| 11 |
starting at offset 0 in that image of your stick... |
| 12 |
|
| 13 |
> Like most USB sticks I would assume that it is either FAT32 or |
| 14 |
> FAT16. |
| 15 |
|
| 16 |
I would have guessed that too. However: FAT file systems even carry |
| 17 |
"FAT" as verbatim chars at the start of the partition... So it's quite |
| 18 |
easy to spot the start of a FAT partition... |
| 19 |
|
| 20 |
> Given that this is what I see when I dump the first few |
| 21 |
> bytes, can you please tell me where the fs data starts and how to dd |
| 22 |
> that without inc the initial partition table data? |
| 23 |
> ============================================== |
| 24 |
> 000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 25 |
> * |
| 26 |
> 0001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |
| 27 |
|
| 28 |
I'll answer another question first: The asterisk indicates consecutive |
| 29 |
lines w/ the same data. So here, we have a full block (512 bytes, |
| 30 |
0x000-0x1ff) containing almost only zeros. It stops with a valid master |
| 31 |
boot record magic number (0x55aa). This MBR doesn't contain anything, |
| 32 |
so there's no partition table, either. It also might be a part of a FAT |
| 33 |
file system's boot sector (the end-of-sector marker bytes). |
| 34 |
|
| 35 |
> 000200 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
| 36 |
> * |
| 37 |
> 020000 [...] |
| 38 |
|
| 39 |
OK, so from 0x00200-0x1ffff it contains only consecutive 0xff bytes, |
| 40 |
i.e. (0x20000 / 0x200) = 0x100 = 256 (dec) blocks (à 0x200=512 bytes). |
| 41 |
That's nearly 128 kBytes of 0xff. I wonder how it got there. I think |
| 42 |
all this indicates that there might have been some tool which overwrote |
| 43 |
the first 128k of this stick with some "default data" or similar. At |
| 44 |
least, the first 128k are modified and can't work this way, since |
| 45 |
there's neither a valid MBR, nor a valid partition table nor a valid |
| 46 |
file system at offset 0. |
| 47 |
|
| 48 |
What's following next? I think it might be the tail of a FAT16 (the FAT |
| 49 |
itself). This means there is no boot sector anymore. The boot sector is |
| 50 |
not redundant for FAT file systems, so it would have to be recreated. |
| 51 |
The FAT itself, however, is usually present a second time (see |
| 52 |
http://en.wikipedia.org/wiki/File_Allocation_Table for details). It |
| 53 |
clearly looks like FAT, since this we have a end-of-file indication: |
| 54 |
|
| 55 |
> 020000 01 df 02 df 03 df 04 df 05 df 06 df 07 df 08 df |
| 56 |
> 020010 09 df 0a df 0b df 0c df 0d df 0e df 0f df 10 df |
| 57 |
> 020020 11 df 12 df 13 df 14 df 15 df 16 df 17 df 18 df |
| 58 |
> 020030 19 df 1a df 1b df 1c df 1d df 1e df 1f df 20 df |
| 59 |
> 020040 21 df 22 df 23 df 24 df 25 df 26 df 27 df 28 df |
| 60 |
> 020050 29 df 2a df 2b df 2c df ff ff 2e df 2f df 30 df |
| 61 |
----- |
| 62 |
> 020060 31 df 32 df 33 df 34 df 35 df 36 df 37 df 38 df |
| 63 |
> [...] |
| 64 |
|
| 65 |
All the rest of data you've quoted doesn't mean a lot, I think it's all |
| 66 |
from the FAT. I would suggest you find out whether there's a full copy |
| 67 |
of the FAT intact after the data you quoted. Just search for some of |
| 68 |
the byte sequences you quoted here and if you're lucky, there's an |
| 69 |
intact FAT later on. After the FATs, there will most probably be the |
| 70 |
directory table. You should be able to look up the file names there |
| 71 |
verbatim. |
| 72 |
|
| 73 |
OK, but how to continue? You probably need a new boot sector and a |
| 74 |
clean FAT. You can manually create one, but it's a tedious process. |
| 75 |
Look at the FAT documentation and try to figure out cluster size |
| 76 |
(probably Stick size / 65536) and so on. OTOH, you can try to create a |
| 77 |
new FAT16 fs on media with the same size as the stick (e.g. |
| 78 |
"dd if=/dev/zero") and then try to "implant" the backup copy of your |
| 79 |
FAT (two times, once as new primary FAT, once as a secondary FAT) and |
| 80 |
directory table and of course the data into that new FAT16. |
| 81 |
|
| 82 |
Unfortunately, by default it seems that the backup copy of the FAT |
| 83 |
itself for a 255744 sector Stick defaults to start at 0x1f600. So a |
| 84 |
considerable amount even of the backup FAT would be destroyed if the |
| 85 |
original layout resembles this geometry. |
| 86 |
|
| 87 |
So at that point, there's not a lot you can do, aside from tools like |
| 88 |
the mentioned Photorec and its commercial brothers, which can do a neat |
| 89 |
job when you're back to heuristically determining start/stop of files |
| 90 |
(which mustn't be too fragmented, of course) in a data stream. |
| 91 |
|
| 92 |
-hwh |
| 93 |
-- |
| 94 |
gentoo-user@g.o mailing list |
Archives