Rescuing data from defective flash media using the Sleuthkit under Linux

Do you have a corrupted flash media and want to rescue as much of your data as possible? Or do you want to be prepared, just in case this happens to you one day? Do you use Linux? Then read on.

Yesterday I was given a defective flash card. It was said to contain several photos, but every attempt to see more than the first DCIM directory resulted in unrecoverable errors on Windows. So I inserted the card into a Linux box, created an image of it using

dd if=/dev/sdb1 of=/tmp/sdb1.img bs=8k

and gave the card back to its owner. That's important: if you want to experiment with defective or suspect media, dump it and remove it as soon as possible, because every further read only risks worsening the state of the media. Two caveats about the dump itself: dd stops at the first read error, which is exactly what a failing card produces, unless you tell it to keep going with conv=noerror,sync (bad blocks are then skipped and zero-padded so that all later offsets stay aligned); and if the partition table is damaged as well, image the whole device (/dev/sdb) rather than the partition and let Sleuthkit's mmls tell you the partition offset afterwards.

Once I got rid of the original, I created a copy of the dump. It's always a good idea to work on a copy, so:

cp /tmp/sdb1.img /tmp/sdb1.work

Having done that, I first tried to mount the copy through a loop device:

mount -t vfat -o loop /tmp/sdb1.work /mnt

But the image was so broken that mount would not accept it as a FAT partition of any type. I also gave the mtools collection a try, but to no avail.

Thinking about other tools to try, I remembered the Sleuthkit that I once used to examine a compromised system. If it is good enough for the big job, it should handle this one with ease, I thought. Sleuthkit is a collection of file system and media management forensic analysis tools, and this great toolkit didn't let me down. Here's what to do:

  • Install Sleuthkit (Doh!). Many distributions already contain packages for it, at least Debian Sid does.
  • Sneak a peek at the file system with fls (-f names the file system type, -r lists recursively; deleted entries, if any, show up with a * in front of the inode number). In this case the listing looks like this:
    $ fls -f fat16 -r /tmp/sdb1.work
    d/d 3: DCIM
    + d/d 517: 100MLT19
    ++ r/r 1029: PICT0001.JPG
    ++ r/r 1030: PICT0002.JPG
    ++ r/r 1031: PICT0003.JPG
    ++ r/r 1032: PICT0004.JPG
    ++ r/r 1033: PICT0005.JPG
    ++ r/r 1034: PICT0006.JPG [...]
  • Now we want to extract everything that looks like a picture. We can use the icat tool to do that, and because I like one-liners, I did it with a pipe (tr strips the ':' after the inode and the '+' depth markers, so that $2 is the inode and $3 the file name):
    fls -f fat16 -r /tmp/sdb1.work | fgrep PICT | while read -r line; do
    set -- $(echo "$line" | tr -d ':+')   # $1=type, $2=inode, $3=name
    icat -f fat16 /tmp/sdb1.work "$2" > "/tmp/$3"
    done
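As an added example (not the article's own script), here is the whole procedure as a small POSIX shell script: imaging with dd told to keep going past read errors, a parser for fls -r output that also recognises deleted entries and names containing spaces, and an icat loop that prefixes each output name with its inode so that a PICT0001.JPG from two different DCIM subdirectories cannot overwrite each other. The image path /tmp/sdb1.img follows the article; FSTYPE, OUT and the listing produced by fls_sample are assumptions constructed for illustration, so the parser can be exercised offline without a card.

```shell
#!/bin/sh
# Added example (not the article's own script): image a failing card and
# pull every allocated regular file out of the image with Sleuthkit.
# Assumed names: IMG (the article's /tmp/sdb1.img), FSTYPE, OUT.

IMG=${IMG:-/tmp/sdb1.img}
FSTYPE=${FSTYPE:-fat16}
OUT=${OUT:-/tmp/rescued}

# Dump a device to a file.  Plain dd stops at the first read error, which
# is exactly what a defective card produces; conv=noerror,sync skips the
# bad block and pads it with zeros so that later offsets stay aligned.
image_device() {
    dd if="$1" of="$2" bs=8k conv=noerror,sync
}

# Constructed fls -r output, used below in place of a real image.  The
# fourth line shows how fls marks a deleted entry ('*' before the inode).
fls_sample() {
    printf 'd/d 3:\tDCIM\n'
    printf '+ d/d 517:\t100MLT19\n'
    printf '++ r/r 1029:\tPICT0001.JPG\n'
    printf '++ r/r * 1035:\tPICT0007.JPG\n'
    printf '++ r/r 1040:\tMy Photo.JPG\n'
}

# Normalise fls -r lines into "inode<TAB>deleted<TAB>type<TAB>name".
# Everything before the first ':' is metadata ('+' depth markers, the
# dirtype/metatype pair, an optional '*' for deleted entries, the inode);
# everything after it is the name, which may contain spaces.
parse_fls() {
    awk '{
        p = index($0, ":")
        if (p == 0) next
        meta = substr($0, 1, p - 1)
        name = substr($0, p + 1)
        sub(/^[ \t]+/, "", name)
        n = split(meta, f, " ")
        i = 1
        while (i <= n && f[i] ~ /^\+/) i++   # skip "+", "++", ...
        type = f[i]; i++
        del = 0
        if (f[i] == "*") { del = 1; i++ }
        inode = f[i]
        if (type !~ /^[a-z-]\/[a-z-]$/ || inode !~ /^[0-9]/) next
        printf "%s\t%d\t%s\t%s\n", inode, del, type, name
    }'
}

# Keep only entries whose metadata says "regular file"; pass "all" as $1
# to include entries that fls flagged as deleted.
regular_files() {
    awk -F'\t' -v all="${1:-}" '$3 ~ /\/r$/ && (all == "all" || $2 == 0)'
}

# Run icat for each selected entry.  The output name is prefixed with the
# inode so that equal names from different directories cannot collide.
extract_all() {
    img=$1; fstype=$2; out=$3
    mkdir -p "$out"
    tab=$(printf '\t')
    fls -f "$fstype" -r "$img" | parse_fls | regular_files |
    while IFS="$tab" read -r inode del type name; do
        if icat -f "$fstype" "$img" "$inode" > "$out/${inode}_$name"; then
            echo "ok   $inode $name"
        else
            echo "FAIL $inode $name (damaged cluster chain?)" >&2
        fi
    done
}

# Usage with a real card: image it, keep the dump pristine, carve from the copy.
#   image_device /dev/sdb1 "$IMG"
#   cp "$IMG" "$IMG.work"
#   extract_all "$IMG.work" "$FSTYPE" "$OUT"
# With only the constructed listing available, show what would be carved:
fls_sample | parse_fls | regular_files
```

If you would rather keep the directory layout, fls -r -p prints the full path instead of the '+' markers; parse_fls then delivers the path in the name field and the extraction loop only needs a mkdir -p on its dirname. Pass "all" to regular_files to also try entries that fls marks as deleted; on FAT the first cluster is still known, so icat often recovers short files completely and at least the beginning of longer ones.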

And voilà, that's all! The first nine pictures contain random data caused by the file system damage, but the other seventy or so are fine. Even if you happen to get a medium that is in worse condition than the one I was given, never despair: Sleuthkit contains other tools that you can use to find your data, no matter whether it is deleted (fls lists deleted entries too, marked with a *, and icat will happily read them). It also lets you search for binary signatures with sigfind in case the file system is completely screwed. For example, you could search for some Exif information found in every picture, like "MINOLTA DIGITAL CAMERA" in this case. Just read around on the web site and in the man pages and try things out as you like; you can't damage anything, since you are working on a copy that you can create again in seconds.

Good luck, or better, don't buy cheap flash cards. ;-)

Comments


That is extremely handy

That is extremely handy and good to know. I only trust these memory cards as far as I can see them.

I'll have to put a bookmark on this node right away.

Thanks a lot for the tip!

jens