Corrupted USB flash key recovery

There are only two kinds of people in the world, those who have lost data and those who are about to. — Anon

The 128Mb Swisskey belongs to a friend and contained the only edited copy of a manuscript she has been working on. She had forgotten to "trash can" or eject it before removing it from her Mac and could no longer read anything from the key. It's doubtful whether the act of removing the key caused the corruption but there does seem to be a link.

The first thing I tried was reading the raw key image.

# dd if=/dev/sda of=key.img
500+0 records in
500+0 records out
131072000 bytes (131 MB) copied, 132.2937 s, 1.0 MB/s
#

I repeated this step to create another image file and then compared their md5 signatures to make sure the key wasn't corrupting the data itself. The next thing I did was try to mount the image.

# mount -o loop -t vfat key.img /mnt/usb
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so

#

So, no joy there. A hexdump of the image shows that the first 0xa0000 bytes were corrupted. There should at least be a partition table there.

# hexdump -C key.img | head
00000000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
000a0000  eb 3e 90 4d 53 57 49 4e  34 2e 31 00 02 04 01 00  |.>.MSWIN4.1.....|
000a0010  02 d0 02 00 00 f8 f9 00  20 00 ff 00 00 00 00 00  |........ .......|
000a0020  00 e2 03 00 80 00 29 aa  70 ac 30 4e 4f 20 4e 41  |......).p.0NO NA|
000a0030  4d 45 20 20 20 20 46 41  54 31 36 20 20 20 f1 7d  |ME    FAT16   .}|
000a0040  fa 33 c9 8e d1 bc fc 7b  16 07 bd 78 00 c5 76 00  |.3.....{...x..v.|
000a0050  1e 56 16 55 bf 22 05 89  7e 00 89 4e 02 b1 0b fc  |.V.U."..~..N....|
000a0060  f3 a4 06 1f bd 00 7c c6  45 fe 0f 8b 46 18 88 45  |......|.E...F..E|
000a0070  f9 fb 38 66 24 7c 04 cd  13 72 3c 8a 46 10 98 f7  |..8f$|...r<.F...|
#

A little bit of googling led me to this Linux Journal article and gpart. It sounds like gpart should do the trick of finding and identifying the lost partitions but I just wasn't able to make it perform.

Looking again at the hexdump above and that of another USB key it became clear that 0xa0000 was the start of the partition itself. All that was required was to mount it.

# mount -o loop,offset=0xa0000 -t vfat key.img /mnt/usb
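
The offset above was read off the hexdump by eye. As an added example (not part of the original post), the Python sketch below scans an image sector by sector for a FAT12/16 boot sector and reports the byte offset to pass to mount. The function names and the sample image are constructed for illustration; the boot sector bytes are the first 64 bytes of the hexdump above, and the trailing 55 aa signature is assumed because the dump is cut off before it.

```python
import struct

SECTOR = 512
# First 64 bytes of the boot sector, copied from the hexdump in the post.
PAGE_BOOT_BYTES = bytes.fromhex(
    "eb3e904d5357494e342e310002040100"
    "02d0020000f8f9002000ff0000000000"
    "00e20300800029aa70ac304e4f204e41"
    "4d45202020204641543136202020f17d")

def parse_fat_boot_sector(sec):
    """Return BPB fields if sec looks like a FAT12/16 boot sector, else None."""
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        return None  # boot sectors end with the 55 aa signature
    if sec[0] != 0xE9 and not (sec[0] == 0xEB and sec[2] == 0x90):
        return None  # no x86 jump instruction at the start
    bps, spc, reserved, nfats, _root, total16 = struct.unpack_from("<HBHBHH", sec, 11)
    (total32,) = struct.unpack_from("<I", sec, 32)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        return None  # implausible sector size or cluster size
    if reserved == 0 or nfats not in (1, 2):
        return None
    return {"oem": sec[3:11].decode("ascii", "replace"),
            "fs_type": sec[54:62].decode("ascii", "replace").strip(),
            "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total16 or total32}

def find_fat_partitions(path):
    """Scan an image one sector at a time; return candidate boot sectors."""
    hits, offset = [], 0
    with open(path, "rb") as img:  # read-only: work on the image, not the key
        while len(sec := img.read(SECTOR)) == SECTOR:
            bpb = parse_fat_boot_sector(sec)
            if bpb:
                hits.append({"offset": offset, **bpb})
            offset += SECTOR
    return hits

def build_sample_image(path):
    """Constructed test image: 0xa0000 bytes of 0xff, then the boot sector."""
    boot = PAGE_BOOT_BYTES.ljust(510, b"\x00") + b"\x55\xaa"  # 55 aa is assumed
    with open(path, "wb") as img:
        img.write(b"\xff" * 0xA0000 + boot)

if __name__ == "__main__":
    build_sample_image("sample.img")
    for hit in find_fat_partitions("sample.img"):
        print(hex(hit["offset"]), hit["fs_type"], hit["total_sectors"])
```

The reported total of 254464 sectors of 512 bytes fits inside the 131072000-byte image once the 0xa0000-byte gap is subtracted, which is a useful sanity check before mounting.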

I was then able to burn the recovered contents to CD and a happy writer got back her edited manuscript. The USB key is unusable - fdisk couldn't write a partition table back and it wouldn't format under Windows.

posted by James Gemmell on Thu, 15 Mar 2007 at 10:31