TIL: using the foremost utility to save files from a damaged USB pen drive.
The daughter of a friend had a single 32GB USB key with photos and
academic course files (.odt), but the key was not readable any more
(neither from Windows nor from Linux).
First, a raw copy of the pen drive, in order not to add more damage.
$ sudo dd if=/dev/sda of=pendrive.img
The header of the key was completely scrambled:
$ file pendrive.img
pendrive.img: data
$ xxd -g 1 pendrive.img | head -20
00000000: e4 10 cd 20 20 a0 01 48 28 22 00 00 41 48 00 22  ...  ..H("..AH."
00000010: 00 00 00 08 00 02 01 0a 00 00 00 00 00 00 00 00  ................
00000020: 00 02 00 00 00 00 00 00 00 08 00 00 00 80 01 12  ................
00000030: 00 01 00 00 00 00 00 00 00 00 00 0a 00 04 00 00  ................
00000040: 00 01 00 00 00 80 01 1a 00 05 00 00 00 00 00 00  ................
00000050: 00 22 00 20 00 02 00 00 00 00 00 00 00 00 01 21  .". ...........!
00000060: 00 02 00 00 00 00 00 00 00 80 01 10 00 00 00 00  ................
00000070: 00 10 00 00 00 18 02 03 00 01 00 00 00 00 00 00  ................
00000080: 00 00 83 40 00 04 00 00 00 01 00 00 00 04 08 25  ...@...........%
00000090: 00 00 00 00 00 00 00 00 04 38 00 00 08 10 41 60  .........8....A`
000000a0: 10 08 45 00 48 10 20 06 06 04 00 08 00 00 00 00  ..E.H. .........
000000b0: 00 40 00 00 00 01 00 00 00 40 00 00 00 00 31 01  .@.......@....1.
000000c0: 04 34 2a 11 00 00 22 10 20 30 10 30 28 12 00 31  .4*...". 0.0(..1
000000d0: 20 02 00 30 30 20 20 02 14 00 00 00 02 18 00 04   ..00  .........
000000e0: 00 00 00 01 00 00 02 78 82 84 00 01 00 00 00 00  .......x........
000000f0: 00 00 02 00 88 00 00 03 00 00 00 00 00 02 00 00  ................
00000100: 00 27 00 03 00 00 00 01 00 00 00 00 80 00 00 04  .'..............
00000110: 00 00 00 04 00 12 23 30 80 03 00 02 00 00 00 04  ......#0........
00000120: 00 00 02 08 80 00 00 02 00 00 00 00 00 00 00 9c  ................
00000130: 10 10 00 02 00 00 00 07 00 00 02 30 00 00 00 00  ...........0....
To try to recover anything from the drive I used the foremost utility. It
was able to retrieve 1300+ jpg images and documents. The file names are
not recovered, and the zip folder in fact contains .docx and .odt files
(on this run).
$ foremost pendrive.img
...
$ ll output/
total 64K
-rw------- 1 xxxx xxxx  62K Jan 14 16:42 audit.txt
drwx------ 1 xxxx xxxx   52 Jan 14 16:47 docx/
drwx------ 1 xxxx xxxx  29K Jan 14 16:30 jpg/
drwx------ 1 xxxx xxxx  288 Jan 14 16:29 mov/
drwx------ 1 xxxx xxxx  288 Jan 14 16:29 mp4/
drwx------ 1 xxxx xxxx   48 Jan 14 16:28 pdf/
drwx------ 1 xxxx xxxx 1.2K Jan 14 16:29 png/
drwx------ 1 xxxx xxxx  552 Jan 14 16:47 zip/
Then, running the file command on each file in the zip folder allowed me
to identify the actual content and rename the file appropriately.
$ file 00057856.zip
00057856.zip: OpenDocument Text
$ mv 00057856.zip ../00057856.odt
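The renaming step above, generalised as an added example (not part of the original post): .odt and .docx documents are ZIP containers, which is why foremost files them under zip/, and a carved file that was cut short can no longer be opened as one. The function names, the ".damaged" suffix and the in-memory sample archives are assumptions made for this illustration.

```python
import io
import zipfile
from pathlib import Path

# ODF names its type in a "mimetype" entry; OOXML is recognised by part names.
ODF_TYPES = {
    "application/vnd.oasis.opendocument.text": ".odt",
    "application/vnd.oasis.opendocument.spreadsheet": ".ods",
}
OOXML_PARTS = {"word/document.xml": ".docx", "xl/workbook.xml": ".xlsx"}


def classify(data: bytes) -> str:
    """Return the extension a carved ZIP container should carry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "mimetype" in names:
                mime = zf.read("mimetype").decode("ascii", "replace").strip()
                return ODF_TYPES.get(mime, ".zip")
            for part, ext in OOXML_PARTS.items():
                if part in names:
                    return ext
            return ".zip"
    except zipfile.BadZipFile:
        # Carving often cuts a file short; without the central directory
        # at the end of the archive, its entries cannot be listed.
        return ".damaged"


def rename_plan(folder: Path) -> dict:
    """Map each carved *.zip to its proposed name; nothing is renamed here."""
    return {p.name: p.stem + classify(p.read_bytes())
            for p in sorted(folder.glob("*.zip"))}


def sample_archive(entries: dict) -> bytes:
    """Build a constructed in-memory archive standing in for a carved file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    odt = sample_archive({"mimetype": "application/vnd.oasis.opendocument.text"})
    print(classify(odt), classify(odt[:40]))
```

rename_plan(Path("output/zip")) only proposes names, so the result can be reviewed before any file in the recovery output is moved.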
I can't tell if all the files were restored, and did not scan the photos
(I did not receive permission to do so), but a lot has been saved.
Thank you foremost (developers) and kali!
Please, for your sanity, do a backup / copy of your data...