How to access files a USB stick that is playing up


cyber101

New Member
Sep 21, 2016
84
0
#1
Could someone please assist with this?

I need to gain access to my files on a USB stick that wont let me.
Here is the error message:
" The volume does not contain recognized file system.
Please make sure that all required file system drivers are loaded
and that the volume is not corrupted"
also asking me to reformat (which I wont do for obvious reasons).

I have important files on the USB stick. Any idea what I should do to gain access on Windows 8.1 machine?

History:
USB stick has been playing up for past 3-4 months disappearing from desktop and reappearing; other times I would need to click Windows 8.1 Repair usb function to access it. However this last occasion I was distracted and may have clicked something else during Windows 8.1 Repair USB process?

Machine:
Windows 8.1
 

athulin

Member
Experienced Member
Oct 18, 2007
734
Ratings
11
18
#2
cyber101 said:
Here is the error message:
" The volume does not contain recognized file system.
Please make sure that all required file system drivers are loaded
and that the volume is not corrupted"
also asking me to reformat (which I wont do for obvious reasons).
That means that the contents of that USB stick has become damaged, and is so damaged that Windows doesn't recognize it as legitimate volume.

If the files are very important, get in touch with a reputable data recovery company to help you.

If you can live without them, you may experiment on your own (after getting a full sector copy of the current contents). In this case, resign yourself to losing the files, due to mistakes you make.
 

cyber101

New Member
Sep 21, 2016
84
0
#3
athulin said:
If you can live without them, you may experiment on your own (after getting a full sector copy of the current contents). In this case, resign yourself to losing the files, due to mistakes you make.
I will take the risk. Which program, preferably free open source, do
you recommend to make a full sector copy of current contents?

Where in this forum can I source info on how to learn how to access the
files on this USB stick? What skills should I acquire to access my files in the USB stick? Any websites sources to garner those skills?

Thank you.
 

athulin

Member
Experienced Member
Oct 18, 2007
734
Ratings
11
18
#4
cyber101 said:
I will take the risk. Which program, preferably free open source, do you recommend to make a full sector copy of current contents?
That depends on your platform.

On Windows, I'm not sure the tools I would recommend are open source. I would suggest FTK Imager Light from AccessData (you can download and use it for free, but you may be asked for your mail address).

If you insist on open source, try Autopsy. I don't think I've ever used it for sector-copying a disk except experimentally, so for that reason I can't recommend it, though I have no reason to suspect that it would misbehave.

On any Unix-based platform (I include BSD and Linux in those), the standard 'dd' command is already available. If there are sector read errors, forensic versions may be preferrable: ddrescue, dc3dd, dcfldd, etc. (you'll find these mentioned on Forensics Wiki -- see the category Disk Imaging.) For these, you need Unix as well as dd competence. If you don't have that, you may overwrite the source drive instead of copying it. For these situations an USB write blocker is recommended, but typically only IT and computer forensic professionals have one easily available.

In general, you can also use a free bootable CD (such as Kali Linux or DEFT or many others -- see Forenics Wiki, category Live CD) for the job, but I won't make any claims about open source-ness for them. (I've never investigated that question in depth -- that's why. Their home pages may have information.)
Where in this forum can I source info on how to learn how to access the files on this USB stick? What skills should I acquire to access my files in the USB stick? Any websites sources to garner those skills?
That's more difficult to answer, as you are more or less asking for a royal road to computer forensics, and there isn't really one.

It depends on what has happened to the USB. If sector 0 has been overwritten by garbage, you may still be able to locate and recover the file system, only you have to know and use the appropriate tool correctly. Or if the files simply have been deleted, they may still be possible to recover. Sleuthkit might work, FTK Imager might work. IsoBuster (which can handle other file systems than ISO9660) may work. If they have been totally overwritten, you may need to be able to diagnose the fact, and not spend time trying to find files on an empty USB drive.

For other situations, look at something like Forensics Wiki, particular the section on data recovery or file carving or file carving tools. I would not expect one single tool to do the entire job, but would make several tests (not on the original sector copy, but copies of that copy, of course). It also depends on what the files are -- if they have a particular format, I would use programs designed for that particular file type.

I would try PhotoRec, because it has worked pretty well for me in the past, but I would not get stuck on it.

But it's a question of looking at the image, diagnosing what has actually happened to it, and from there decide what tools may be the best to use. That's largely a question of experience.

Skills ... well, you need knowledge about file systems, and experience in dealing with file systems on a low level. (Don't know any web sites -- Brian Carrier's book Forensic File System Analysis is likely to be helpful). You need experience with the tools you use -- and many of them do require user competence -- so expect to have to read any user manual or similar kind of document very closey, with attention to details, and possibly experiment.

To lessen the chance of destroying the original USB, do trial runs of some other USB with test contents just to ensure you get everything right, before you copy the original.

You may also find books such as 'Digital Forensics with Open Source Tools' by Altheide and Carvey useful -- I don't really think you find all information you need on the web. (The main body of your question are likely to be answered in Chapter 3 of that book: Disk and File System Analysis.)
 

cyber101

New Member
Sep 21, 2016
84
0
#5
athulin said:
cyber101 said:
Here is the error message:
" The volume does not contain recognized file system.
Please make sure that all required file system drivers are loaded
and that the volume is not corrupted"
also asking me to reformat (which I wont do for obvious reasons).
That means that the contents of that USB stick has become damaged, and is so damaged that Windows doesn't recognize it as legitimate volume.

If the files are very important, get in touch with a reputable data recovery company to help you.

If you can live without them, you may experiment on your own (after getting a full sector copy of the current contents). In this case, resign yourself to losing the files, due to mistakes you make.
I used Find and Mount to scan it, do you think I have added further fuel to the fire by using Find and Mount? Zero results though.
 

cyber101

New Member
Sep 21, 2016
84
0
#6
athulin said:
cyber101 said:
I will take the risk. Which program, preferably free open source, do you recommend to make a full sector copy of current contents?
I would suggest FTK Imager Light from AccessData (you can download and use it for free, but you may be asked for your mail address).
Should I get the FTK Imager Light from AccessData International version if I'm outside North America? What's the difference? Do they have a forum for support?

I've noticed the download for it is supplied by Source Forge, I've read Source Forge is dodgy, and the mirror is supplied by Chinese firm; not reassuring. Should I go ahead? Thanks in advance.
 

athulin

Member
Experienced Member
Oct 18, 2007
734
Ratings
11
18
#7
cyber101 said:
Should I get the FTK Imager Light from AccessData International version if I'm outside North America? What's the difference? Do they have a forum for support?
Which version: I have no idea. Forum: ... try their web site?
I've noticed the download for it is supplied by Source Forge, I've read Source Forge is dodgy, and the mirror is supplied by Chinese firm; not reassuring. Should I go ahead? Thanks in advance.
Sourceforge provides multiple mirrors -- choose one you feel more comfortable with. As to dodginess of SF in general, that's something you decide yourself.
 

cyber101

New Member
Sep 21, 2016
84
0
#9
athulin said:
cyber101 said:
Should I get the FTK Imager Light from AccessData International version if I'm outside North America? What's the difference? Do they have a forum for support?
Which version: I have no idea. Forum: ... try their web site?
I've noticed the download for it is supplied by Source Forge, I've read Source Forge is dodgy, and the mirror is supplied by Chinese firm; not reassuring. Should I go ahead? Thanks in advance.
Sourceforge provides multiple mirrors -- choose one you feel more comfortable with. As to dodginess of SF in general, that's something you decide yourself.
In my case should I clone or image the usb stick that I'm trying to gain access to due to it reverting to RAW format before using recovery software? (I have a vague idea of the difference between clone)

Thanks in advance
 

SgtJackie

New Member
Nov 30, 2015
58
0
#11
OS Forensics has a free version and is very good.
 

About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu