Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Flash Drive - Improperly Ejected - RAW - Scrambled label - shows wrong size


  • Please log in to reply
25 replies to this topic

#1 matt314159

matt314159

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 27 February 2013 - 08:10 PM

Hey folks, long-time lurker, first-time poster.   I work at an IT helpdesk at a small private, religious, nonprofit college and a faculty member approached us two days ago quite distraught.  She has a 16GB PNY Attache flash drive that a student improperly yanked from her laptop.  Upon inserting into windows, "Your disk must be formatted" error, chkdsk shows RAW file system, the works.  I've read about this before plenty of times but in my relatively short time here, I haven't encountered it.  

 

The reason for her distress is that it has very important data on it. 

 

This is what the disk shows up as:  

 

kGuK2EO.jpg

 

Note the scrambled drive label and information, and the erroneous disk size. 

 

We've thrown a few things at it so far.  The first was to try the testdisk method as per the writeup from what I think is one of your forum members Here.  

 

Test Disk shows the drive as 229.34GB and we never really got too far with it, even the deeper analysis didn't show us any partitions with any sort of recognizable file structure.  

 

We've scanned it with various utilities from EaseUS and RStudio but they all show the same incorrect labeling, size information, etc.  

 

We did attempt to copy files off of it with (I think it was) EaseUS - The result was mixed at best.  JPGs, PDFs, DOCs, etc, all in sequential numbering, no file structure, and 3/4 of them corrupted.  JPGs with incomplete information, scrambled word docs, etcetera.  

 

My colleague made an offhanded remark that he used to have a PNY flash drive exactly like this, and it died within a year.  So I'm wondering if --in addition to a broken partition table and filesystem-- perhaps the memory itself in this model is poor quality and has suffered some sort of failure.  I always thought PNY was a trusted brand, but I've been unpleasantly surprised before...

 

At this juncture - Given the things we've tried, is there anything else I can do / try?  If it's toast, and she's simply out of luck, I'll break the news to her and life will go on.  But I'd like to say I made my best, good-faith effort to exhaust all options for cleanly recovering her data.  

 

Thanks in advance, folks, and I'll set up alerts on this thread and be sure to answer swiftly this evening and tomorrow to be able to respond, follow instructions, answer follow-up questions, etcetera, as necessary.  Though I don't have the drive with me at home, I have it plugged into my office computer and can VPN into work to try various things, so long as they can be done in windows.  Anything booting off a live disc or other non-windows solution will have to wait till tomorrow AM when I'm back in the office. 

 

Best, 

 

Matt

 

*edited to remove some non-pertinent comments and cover my butt ;)


Edited by matt314159, 28 February 2013 - 05:49 PM.


BC AdBot (Login to Remove)

 


#2 James Litten

James Litten

    Ԁǝǝ˥q


  • BC Advisor
  • 1,945 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:12:39 AM

Posted 27 February 2013 - 11:15 PM

Hi Matt

 

Did you use TestDisk in Windows or in PartedMagic?

 

James



#3 matt314159

matt314159
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 28 February 2013 - 12:17 AM

PartedMagic.  The live CD ISO the article references. 

 

*eta - Just realized you're the author of the TestDisk writeup I referenced.  Thanks for taking the time to post!

 

*edit2 - last night before I went to sleep I started a scan in R-Studio to check for what partitions it would see.  This program came up with what looks like probably hundreds of various options, a sample of which is below:  

 

 

If you were to open one of those found partitions, it would look like this:  

 

p5BYwrn.jpg

 

The files you can 'recover' under this partition have their original name, but all seem corrupted.  

 

I'm just throwing all this out there to maybe help you get a better picture of various symptoms, maybe it will help better point people in the right direction on how to point ME in the right direction - I don't necessarily think R-Studio will be the way to go, and when I get back into the office I can do more stuff in TestDisk if necessary, etc.  


Edited by matt314159, 28 February 2013 - 08:12 AM.


#4 James Litten

James Litten

    Ԁǝǝ˥q


  • BC Advisor
  • 1,945 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:12:39 AM

Posted 28 February 2013 - 01:35 PM

Thanks Matt.

 

Since I'm not there with you, I'm going to have to ask you to do some steps to help me get a better situational awareness of what exactly the issue is with the drive.

 

Try this, please.
Shutdown the computer
Remove the flash drive
Start the computer with the PartedMagic CD and boot into PartedMagic
After it boots, plug the flash drive into the computer and wait for a couple of minutes to make sure that it has time to get automatically detected.

Open the terminal (monitor icon in lower left of desktop)
In the terminal window type
fdisk -l
(that is fdisk SPACE DASH l as in Lima)


I'd like to see the results it shows for the flash drive (it will list all of the drives connected).

Copy it and paste it in your reply (if you can access this thread from PartedMagic) or take a picture of it with a camera or phone and post the pic (as long as the text is legible).

 

Hopefully, you can open Firefox in PartedMagic and login here and reply. There is a wireless network connection icon in the lower right (by the clock) of the PartedMagic desktop if you need to connect to a wireless network.

 

Next, close the Terminal window
Double-click the DISK HEALTH icon on the PartedMagic desktop
If you see the flash drive listed, double-click it
You'll likely get an error, if you do, click the SHOW OUTPUT button
I'd like to know if what it says for any of these...
VENDOR
PRODUCT
REVISION
USER CAPACITY
LOGICAL BLOCK SIZE

 

If it doesn't give an error, then click the VIEW OUTPUT button and post that or take a picture of it.

 

Finally,
Are there any details about what occurred prior to it becoming unreadable that may have anything to do with the drive developing a problem (besides removing without clicking the "Safely Remove Device" icon in the systray)?

 

Let me know if you have questions/problems or if anything looks different to you than I describe.

James


Edited by James Litten, 28 February 2013 - 01:37 PM.


#5 matt314159

matt314159
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 28 February 2013 - 01:48 PM

Hi James, an interesting turn of events took place about a half hour ago that left me a little taken aback.  

 

The faculty member came by, realized we hadn't retrieved her data yet, and decided to take the drive back.  

 

She took the drive back, and I am going --to edit out what I said here just in case the stuff I post online ever comes back to bite me--  

 

I'm so sorry that you took the time time to write up a detailed follow-up post and now I'm sitting here without the drive in-hand to do anything you've suggested, but unfortunately that's the fact of the matter right now.  

 

:(

 

And it's not even friday yet.  


Edited by matt314159, 28 February 2013 - 05:56 PM.


#6 James Litten

James Litten

    Ԁǝǝ˥q


  • BC Advisor
  • 1,945 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:12:39 AM

Posted 28 February 2013 - 01:52 PM

No problem, dealing with stressed out people is part of my biz :) I totally, understand.

 

The write up will likely help others in the future. Please let us know how things turn out.

 

James

 

EDIT: For those interested, my post was attempting to gather information that may allow us to make a raw image of the drive so we could attempt recovery from the image and not put anymore stress on the device. Maybe something like using the --max-size=bytes option on ddrescue if the size was still being reported incorrectly or if a standard run of ddrescue did not work.


Edited by James Litten, 28 February 2013 - 02:31 PM.


#7 matt314159

matt314159
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 28 February 2013 - 02:40 PM

That's kind of what I'd like to do - We use DDrescue fairly frequently on bad HDDs, though the VM ubuntu instance on my colleague's computer was not recognizing the hardware at all (whereas it does on HDDs in our USB adapter for some reason)

 

I may see if I can get the drive back for a bit and give you some more information from that, using a D630 we have laying around that also has ubuntu on it.  Maybe it was the VM messing things up.

 

The gillware people called with a quote that said it would range anywhere from $250 to $2500.  that might persuade the faculty member to give me back the flash drive ;) 

 

*eta* flash drive is back in-house.  Colleague is currently working on getting you answers to the first questions you posted.  

 

Such fun drama :)   ;)  


Edited by matt314159, 28 February 2013 - 03:29 PM.


#8 matt314159

matt314159
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 28 February 2013 - 03:44 PM

This is the result of the
fdisk -l command

 

Welcome - Parted Magic (Linux 3.7.5-pmagic)

root@partedmagic:~# fdisk -l


Disk /dev/sdb: 246.3 GB, 246255976448 bytes

255 heads, 63 sectors/track, 29938 cylinders, total 480968704 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes


root@partedmagic:~#
 

 


 

This is the result of DISK HEALTH.  It did give an error
 

Vendor:              
pn;<  &'

Product:             
US�?2.p

Revision:            
��00

User Capacity:        246,255,976,448 bytes
[246 GB]

Logical block size:   512 bytes

Serial number:        A�00��40��00�X23K�91�v7Dv                                  


Device type:          disk

scsiModePageOffset: response length too short, resp_len=4 offset=4 bd_len=0

Local Time is:        Thu Feb 28 15:35:24
2013 UTC

Device supports SMART and is Enabled

Temperature Warning Disabled or Not Supported

SMART Health Status: OK



Error Counter logging not supported

scsiModePageOffset: response length too short, resp_len=4 offset=4 bd_len=0

Device does not support Self Test logging
 

Edited by matt314159, 28 February 2013 - 03:52 PM.


#9 James Litten

James Litten

    Ԁǝǝ˥q


  • BC Advisor
  • 1,945 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:12:39 AM

Posted 28 February 2013 - 04:22 PM

Okay, I would suggest trying to make an image.

There is a chance that it will make a proper sized image so I would try it normally first and monitor its progress to see if it starts to try to run past 16GB or throws lots of errors.

In PartedMagic with the flash drive connected, mount a partition on another drive (like sda1 if that is an accessible drive) that has at least 20GB of free space on it.

Mount the 'good' drive partition (called /media/sda1 in our example though yours may be different) by clicking the 'mount devices' button which is next to the TERMINAL icon in the lower left of the desktop (see picture)
http://litten.com/images/mount1.jpg

Click the button that says mount next to your 'good' drive partition (called /media/sda1 in our example though yours may be different). We only want to mount that one and not any of the others.

Open a terminal window like you did to run the fdisk command before.
ASSUMING THE FLASH DRIVE IS STILL /dev/sdb
Type
ddrescue -r 3 /dev/sdb /media/sda1/image.dd /media/sda1/rescuelog.log
and press enter.

That is
ddrescueSPACE-rSPACE3SPACE/dev/sdbSPACE/media/sda1/image.ddSPACE/media/sda1/rescuelog.log

  • ddrescue is the command
  • -r 3 tells ddrescue to try bad sectors 3 times before giving up on them.
  • /dev/sdb is the flash drive that we are trying to copy.
  • /media/sda1/image.dd is the image file on the good drive that we are copying to (in our example it is sda1 though yours may be different from sda1).
  • /media/sda1/rescuelog.log is our log file that makes it possible for us to stop and resume the rescue cloning as we please (in our example it is sda1though yours may be different from sda1).

As it runs, watch it to see if it is getting lots of errors or if it goes past 16GB of data. If it does, stop it with ctrl-c and let us know what happened.

If it finishes with no errors and at less than 20GB, then it may be an image we can work with and attempt a recovery from.

Let us know what happens or if anything looks different than I described.

James



#10 matt314159

matt314159
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 28 February 2013 - 05:42 PM

In the interest of full disclosure, we cheated a little - By the time you had posted the most recent instructions, we had already started a down-n-dirty ddrescue capture on it with the following command: 

ddrescue -n /dev/sdb
"/media/My Passport/New Folder/test.img" "/media/My Passport/New
Folder/test.log"
 

 

We continued to let that run, and while there were no reported errors, it carried on past 20GB so we killed it.  

 

Would you like us to try it again with the switches you posted,or was our quickie enough to let you know that since ddrescue continues well past the logical termination of where the memory *should* stop, does that alone give you what you need to know? 

 

Sorry for all the edits, I'm trying to keep things up-to-date and accurate as I get more information from my colleague. 


Edited by matt314159, 28 February 2013 - 05:59 PM.


#11 James Litten

James Litten

    Ԁǝǝ˥q


  • BC Advisor
  • 1,945 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:12:39 AM

Posted 28 February 2013 - 06:26 PM

That's fine.
 
As long as there were no errors, let's take a look at the image with TestDisk. (just stop and let me know if it starts looking like a dead end, we may be able to change the settings to see it properly but I need a plain old testdisk.log file first to determine some stuff :) )
 
Shutdown the computer and remove the flash drive and put it some place safe.
 
Boot back into PartedMagic
Mount the partition with the image on it (for this example, I'll call that mounted partition /media/sda1 but yours may be different).
Open the Terminal window.
Type
testdisk /log /media/sda1/test.img
The file testdisk.log will be created in the root folder which is a folder stored in the computer's RAM so it is erased when the computer is shutdown).
Select the image and choose Proceed and hit enter
It should automatically have Intel (if not, select Intel and let me know) hit enter
Select Analyse and hit enter
Select Quick Search and hit enter
Say 'Y' if it asks if the disk was made in Vista/Win7 (even if it was made in XP say 'yes')

If you see The FAT partition, highlight it and press
p
and see if you can see your files and folders there.
If there is more than one FAT partition listed check each one for files and folders by getting back to the list of partitions found (pressing q), highlighting the next one and pressing p again.

If you can see your files and folders and it all looks normal then stop here and go down to the section below called POST TESTDISK.LOG

If anything does not look correct then continue on to the DEEPER SEARCH. Get to the screen showing the partitions that it found and press ENTER to coninue.
DEEPER SEARCH is an option at the bottom of the screen.
Highlight it and press ENTER

After the DEEPER SEARCH finishes, if you see the NTFS partition, do the same thing with pressing p to see if you can see your files and folders in any of the partitions found and then press
q
a bunch of times to get out of TestDisk.

POST TESTDISK.LOG

On the PartedMagic desktop, double-click the File Manager icon.
In the left pane, you should see a folder called

root

Locate the testdisk.log file in that folder
Double-click it to open it.
Select all of the text in it and paste that text in your reply for us to look at.
Hopefully, you can open Firefox in PartedMagic and login here and reply. There is a wireless network connection icon in the lower right (by the clock) of the PartedMagic desktop if you need to connect to a wireless network.

If you can not get an internet connection from PartedMagic, you will need to mount the internal drive or a flash drive and copy the testdisk.log file from the root folder to it. Then you can get it to us via posting from Windows (Let us know if you need directions for doing this).

If anything looks different than I described or you have any questions/problems, stop and ask.

 

James



#12 matt314159

matt314159
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 28 February 2013 - 06:34 PM

will do - we're now out of the office until tomorrow AM, back in at 8AM Central US Time.   I'll get that to you as soon as we get the help desk up and running and make sure there are no immediate fires to put out first.  

 

Thanks again for keeping at this with me - Despite the fact I felt a little snubbed earlier by the faculty member, I'm very keen to learn good protocol for this kind of thing, as I'm quite sure it will come in handy in the future.  My technician and I are learning a lot.  

 

-Matt


Edited by matt314159, 28 February 2013 - 06:34 PM.


#13 matt314159

matt314159
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 01 March 2013 - 02:35 PM

This is the testdisk log, sorry it took so long. 

 

http://pastebin.com/jyweYjTp

 

(it looked a little long when pasted into the post body)


Edited by matt314159, 01 March 2013 - 02:39 PM.


#14 James Litten

James Litten

    Ԁǝǝ˥q


  • BC Advisor
  • 1,945 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:12:39 AM

Posted 01 March 2013 - 02:47 PM

I'll type up some instructions for how to get TestDisk to see the full partition on that image without the disk size error as well as a command that you can try to recover specific files.

 

I need to know what is the most important file(s) to recover. Specifically, I need to know the file type extension (.docx .jpg .xls)

 

James



#15 matt314159

matt314159
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 01 March 2013 - 03:30 PM

Awesome.  **UPDATE** I just spoke with her and .xlsx would be the high priority. Second, .doc and .docx...  .pdf would be medium priority, and jpg lowest priority (there are a ton of photos, but she already has those and doesn't need to retrieve them.
 

Finally,
Are there any details about what occurred prior to it becoming unreadable that may have anything to do with the drive developing a problem (besides removing without clicking the "Safely Remove Device" icon in the systray)?

 
I just noticed I never answered this question.  There was nothing reported to me about any potential other problems.  According to the faculty member, the only out-of-place occurrence happened when a student shut her laptop, and then yanked the drive out before the computer had gone to sleep.  That's all I know, and I'm operating on the working assumption that that was when the damage happened.  

Edited by matt314159, 01 March 2013 - 03:44 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users