Hi guys

I received a flash drive with some crazy files on it.

The client doesn't know what happened to it.
All the files are renamed "D" with no extension.

With Winhex, I can see the sectors filled, so the info should be in there.

Any idea how the get these files out?

Thanks

_________________
http://www.pclab.com.pt facebook.com/PCLAB.A.T
ACELab partner

date of file is xx-xx-1980 each, correct ?

@pclab,


The filesystem would not allow that - so this is not simple "user error". I expect that the FAT has been overwritten with something else which is then being interpreted as a FAT (hence silly file dates, as freakzy also mentioned), and I would start looking at that area for clues. Any difference between FAT1 & FAT2?


But is the data which you are finding actually correct for the type of files which the user had stored on this drive - or is it random garbage?

This looks encrypted.

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners

It's probably encrypted or just scrambled chars caused by mismatch in something , what brand is this flash memory ? Sandisk ? (I'm just guessing)

did u try raw recovery test and see if you are able to get something?

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein

I agree, or at least that the problem is with the file system.

FAT has always been prone to corruption, and often can be difficult to recover from in many commercial softwares.

Thank you all for the answers.



This is correct.



There's a part that says: missing or corrupted.. I'll post a new picture of it.



The brand is a Emtec. Not gonna disassemble the plastic cover for now, to see the memory chip.



Gonna try this now.

_________________
http://www.pclab.com.pt facebook.com/PCLAB.A.T
ACELab partner

The other winhex view.

_________________
http://www.pclab.com.pt facebook.com/PCLAB.A.T
ACELab partner

Already getting the files out with GDB.

Thanks All.

_________________
http://www.pclab.com.pt facebook.com/PCLAB.A.T
ACELab partner

Your last screenshot shows the first sector of a 32-bit FAT immediately following a FAT32 boot sector. I believe that the FAT follows the boot sector in a FAT16 file system. AIUI, the second sector in a FAT32 volume should be an FS INFO sector.

An Examination of the MSWIN4.1 OS Boot Record:
http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm

Offset 0x0e in the boot sector contains the first sector of the FAT, ie logical sector 0x181. It may be an idea to examine this sector to see if it does indeed contain a FAT structure.

_________________
A backup a day keeps DR away.

Thanks Franc

For now, problem solved.

_________________
http://www.pclab.com.pt facebook.com/PCLAB.A.T
ACELab partner