[SGVLUG] Anyone with experience recovering data from flash memory (camera card)

Jeff Keys jskeys at gmail.com
Sat Apr 15 05:47:21 PDT 2006


Here is a link to an article about a forensics program called Foremost
that can be used to recover specific file types, i.e., JPEG. It should
be able to do that even if the file system is damaged. It's a Linux
program, available at sourceforge:
http://sourceforge.net/projects/foremost/

http://www.samag.com/documents/s=8859/sam0309a/sam0309a.htm

Jeff

On 4/10/06, Emerson, Tom <Tom.Emerson at wbconsultant.com> wrote:
> > -----Original Message-----
> > Michael Proctor-Smith
> > On 4/10/06, Emerson, Tom <Tom.Emerson at wbconsultant.com> wrote:
>
> > > Over the weekend I took a bunch of pictures of our rocket launch
> [snipped horror story leading to...]
> > > at this point, the system said, "device not formatted"
>
> > > [...] I rather doubt the /entire/ contents of the card
> > > are scrambled as it is a gigabyte sized flash card [...]
> > > *I hope* I can mount this under linux as a raw device and use "dd" to
> > > copy the contents of the flash card to a file, [...]
> >
> > you can use dd(I assume your card reader is usb [...(yes)...]
> > [use] fsck check the image, unless you managed to corrupt both
> > copies of the fat you should be fine.
>
> Ahhh... Of course, "I forgot..." Linux tends to include recovery tools
> such as this...
>
> > > This might be a real outside chance, but does anyone else
> > > think that a "quick format" followed by an "unformat" operation would
> > > recover the corrupted superblock?
>
> > I would never do a format if I want the data that's on the device.
>
> Yeah -- this is a real "last resort" option.  Theoretically, "quick
> format" simply erases the root directory, and might not even touch the
> FAT's (hence how MS was able to support an "unformat" operation) and
> even then, they caution that "unformat" only works if you don't actively
> write *anything* else to the disk in question.  I'm not even sure if
> "unformat" will work against removable devices, because even though the
> memory stick is still a gigabyte in size, DOS/Windows may treat it as a
> "floppy" device, and I don't recall unformat working against floppies
> [google time...]  (hmmm... Seems unformat was only a DOS command, never
> even implemented under the windows shell, but at the same time there
> seems to be quite a few utilities to do this sort of work...)
>
> > > Likewise, if the "dd" trick works to capture viable contents of the
> > > memory, how much of a freshly-formatted memory stick would I have to
> > > write over the "corrupted" image to repair it to a point to retrieve
> > > the files?
> >
> > I don't get what you are talking about here if you have
> > recovered the data I would either reformat the memory card and
> > copy needed stuff back or use the same working commands on
> > the memory card as I used on image of the card.
>
>
> OK, step-by-step, my plan is/was as follows:
>
>   1) capture an image of the memory stick using dd
>   2) work with the captured image to recover any files
>   3) failing that, capture TWO images of the memory stick
>   4) use "mkfs" against one of the images to effectively "format" the
> image
>   5) use dd to copy the superblock/root directory from the "formatted"
> image to the "corrupted" image
>   6) failing that, capture one last image...
>   7) ...and then actually format the memory stick [up to now it has been
> "read only"]
>   8) use dd to copy the initial part of the actual formatted device to
> the presumed corrupt image.
>
> However, it sounds like I can start at/prior to step 1 with "fsck"
> against either the image or the actual device itself -- that may save me
> plenty of headaches...
>
> In any event, once the pictures are recovered -OR- I've completely
> resigned myself to the fact that nobody else will ever see the results,
> I'll format the memory stick for future use...
>
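
Added example (not part of the thread and not Foremost's code): a small Python carver showing how JPEGs can be pulled out of a dd image by file type alone, with no usable FAT. It walks the JPEG segment structure so the EXIF thumbnail's own end marker is not taken for the end of the photo; it assumes each file is stored contiguously, and all function names and the sample bytes are constructed for illustration.

```python
SOI = b"\xff\xd8"  # JPEG start-of-image marker

def next_marker(buf, i):
    """Skip scan data; FF00 (stuffed byte) and FFD0-FFD7 (restart) are not real markers."""
    while (j := buf.find(b"\xff", i)) != -1 and j + 1 < len(buf):
        if buf[j + 1] != 0x00 and not 0xD0 <= buf[j + 1] <= 0xD7:
            return j
        i = j + 2
    return len(buf)

def jpeg_end(buf, start):
    """Return the offset one past EOI for the JPEG at `start`, or None if it is incomplete."""
    i, n = start + 2, len(buf)
    while i + 2 <= n and buf[i] == 0xFF:
        m = buf[i + 1]
        if m == 0xD9:  # EOI reached at the top level: the real end of the file
            return i + 2
        if m == 0xFF or m == 0x01 or 0xD0 <= m <= 0xD7:  # fill byte or length-less marker
            i += 1 if m == 0xFF else 2
            continue
        # Every other segment carries a 2-byte length; jumping by it skips the
        # EXIF thumbnail (a whole JPEG nested inside APP1) in one step.
        seglen = int.from_bytes(buf[i + 2:i + 4], "big")
        if seglen < 2:
            return None
        i += 2 + seglen
        if m == 0xDA:  # SOS: compressed data follows, find the next real marker
            i = next_marker(buf, i)
    return None

def carve_jpegs(image):
    """Return [(offset, data)] for every structurally complete JPEG in a raw image."""
    out, pos = [], 0
    while (start := image.find(SOI + b"\xff", pos)) != -1:
        end = jpeg_end(image, start)
        if end:
            out.append((start, image[start:end]))
        pos = end or start + 1
    return out

def seg(marker, payload):
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: 512 bytes of "damaged" area, one JPEG-shaped file, trailing junk.
THUMB = SOI + seg(0xDA, b"\x00") + b"\x11\x22" + b"\xff\xd9"
JPEG = (SOI + seg(0xE1, b"Exif\x00\x00" + THUMB) + seg(0xDB, b"\x00" * 65)
        + seg(0xDA, b"\x01\x02") + b"\xaa\xff\x00\xbb\xff\xd0\xcc" + b"\xff\xd9")
SAMPLE = b"\x00" * 512 + JPEG + b"\xee" * 100
```

Run it against a copy of the image, never the card itself: read the dd output file with `open(path, "rb").read()` and write each carved `data` to its own file.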

