Recover files from USB RAW partition


Apr 23, 2019
20
Ratings
9
3
#1
Hi all,

I have an SD card with important files on it. Whenever I plug it in windows, it comes up with this message (or st similar):

"The drive cannot be used and must be formatted. ¿Do you want to do so?"

No! I have important files in there, and I want to recover them first!

The drive appears in Device administration. I have dumped the contents to a drive image and tried to analyze its contens with either OSForensics and Autopsy.
No success so far :(

Is there any way in which I can dig into the RAW drive, recover the files prior to formatting the card?

Many thanks!
 

azuleonyx

Member
Experienced Member
Oct 20, 2018
60
Ratings
48
18
Charlotte, North Carolina Area
cyberfenixtech.blogspot.com
Twitter
https://twitter.com/AzuleOnyx
#2
Did Autopsy showed any deleted files? How did you create the USB drive image?

You can also take a look at The Sleuth Kit (TSK): FS Analysis - SleuthKitWiki

Granted Autopsy should have used TSK but never hurts to run it manually.
 
Apr 23, 2019
20
Ratings
9
3
#3
Did Autopsy showed any deleted files? How did you create the USB drive image?

You can also take a look at The Sleuth Kit (TSK): FS Analysis - SleuthKitWiki

Granted Autopsy should have used TSK but never hurts to run it manually.
Hi!

I created the image with WinImage 9.0 (Download WinImage ). Autopsy doesn't show absolutely anything. Is as if it was a completely blank file.
 

azuleonyx

Member
Experienced Member
Oct 20, 2018
60
Ratings
48
18
Charlotte, North Carolina Area
cyberfenixtech.blogspot.com
Twitter
https://twitter.com/AzuleOnyx
#4

azuleonyx

Member
Experienced Member
Oct 20, 2018
60
Ratings
48
18
Charlotte, North Carolina Area
cyberfenixtech.blogspot.com
Twitter
https://twitter.com/AzuleOnyx
#6
I has to do how WinImage or other software reads the drive. FTK Image or even the basic linux DD command does a byte copy which gets all the deleted information which can then be recovered/found using tools like TSK.
 
Apr 23, 2019
20
Ratings
9
3
#7
I has to do how WinImage or other software reads the drive. FTK Image or even the basic linux DD command does a byte copy which gets all the deleted information which can then be recovered/found using tools like TSK.
Thank you. I have requested the physical SD card and I will make a dump with FTK Imager.

Best!
 

About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu