Weird files

Hi guys

I received a flash drive with some crazy files on it.

The client doesn't know what happened to it.
All the files are renamed "D" with no extension.

With Winhex, I can see the sectors filled, so the info should be in there.

Any idea how the get these files out?

Thanks

Attachments

date of file is xx-xx-1980 each, correct ?

@pclab,

pclab wrote:The client doesn't know what happened to it.
All the files are renamed "D" with no extension.

The filesystem would not allow that - so this is not simple "user error". I expect that the FAT has been overwritten with something else which is then being interpreted as a FAT (hence silly file dates, as freakzy also mentioned), and I would start looking at that area for clues. Any difference between FAT1 & FAT2?

pclab wrote:With Winhex, I can see the sectors filled, so the info should be in there.

But is the data which you are finding actually correct for the type of files which the user had stored on this drive - or is it random garbage?

This looks encrypted.

northwind wrote:This looks encrypted.

It's probably encrypted or just scrambled chars caused by mismatch in something

, what brand is this flash memory ? Sandisk ? (I'm just guessing)

did u try raw recovery test and see if you are able to get something?

Vulcan wrote: I expect that the FAT has been overwritten with something else which is then being interpreted as a FAT

I agree, or at least that the problem is with the file system.

FAT has always been prone to corruption, and often can be difficult to recover from in many commercial softwares.

Thank you all for the answers.

freakzy wrote:date of file is xx-xx-1980 each, correct ?

This is correct.

Vulcan wrote:@pclab,

pclab wrote:With Winhex, I can see the sectors filled, so the info should be in there.

But is the data which you are finding actually correct for the type of files which the user had stored on this drive - or is it random garbage?

There's a part that says: missing or corrupted.. I'll post a new picture of it.

freakzy wrote:
northwind wrote:This looks encrypted.

It's probably encrypted or just scrambled chars caused by mismatch in something , what brand is this flash memory ? Sandisk ? (I'm just guessing)

The brand is a Emtec. Not gonna disassemble the plastic cover for now, to see the memory chip.

einstein9 wrote:did u try raw recovery test and see if you are able to get something?

Gonna try this now.

The other winhex view.

Attachments

Already getting the files out with GDB.

Thanks All.

Your last screenshot shows the first sector of a 32-bit FAT immediately following a FAT32 boot sector. I believe that the FAT follows the boot sector in a FAT16 file system. AIUI, the second sector in a FAT32 volume should be an FS INFO sector.

An Examination of the MSWIN4.1 OS Boot Record:
http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm

Offset 0x0e in the boot sector contains the first sector of the FAT, ie logical sector 0x181. It may be an idea to examine this sector to see if it does indeed contain a FAT structure.

Thanks Franc

For now, problem solved.

Weird files

Weird files

Re: Weird files

Re: Weird files

Re: Weird files

Re: Weird files

Re: Weird files

Re: Weird files

Re: Weird files

Re: Weird files

Re: Weird files

Re: Weird files

Re: Weird files