Multiple Hobbiotis

Recovering Files in FAT File System

Today I had an interesting task. There were pictures and videos on the sd card of Alexanders digital camera. Unfortunately, some of them were deleted. But I wanted to take a look. So I played a bit around to recover them. Read how I did this.

Step 1 – Disk image

The beginning is always the easiest. I wanted to take an image of the sd card so I wouldn’t have to manipulate on the card itself. So I used Baton’s camera, which registers itself as usb-storage device. Then I used dd to create a binary copy of the partition:

Dec 16 23:03:43 netrunner kernel: usb 1-2: USB disconnect, address 3
Dec 16 23:03:46 netrunner kernel: usb 1-2: new full speed USB device using uhci_hcd and address 4
Dec 16 23:03:46 netrunner kernel: scsi1 : SCSI emulation for USB Mass Storage devices
Dec 16 23:03:51 netrunner kernel: Vendor: KMCA Model: DiMAGE Z2 Rev: 1.00
Dec 16 23:03:51 netrunner kernel: Type: Direct-Access ANSI SCSI revision: 02
Dec 16 23:03:51 netrunner kernel: SCSI device sda: 245504 512-byte hdwr sectors (126 MB)
Dec 16 23:03:51 netrunner kernel: sda: Write Protect is off
Dec 16 23:03:51 netrunner kernel: sda: assuming drive cache: write through
Dec 16 23:03:51 netrunner kernel: SCSI device sda: 245504 512-byte hdwr sectors (126 MB)
Dec 16 23:03:51 netrunner kernel: sda: Write Protect is off
Dec 16 23:03:51 netrunner kernel: sda: assuming drive cache: write through
Dec 16 23:03:51 netrunner kernel: /dev/scsi/host1/bus0/target0/lun0: p1
Dec 16 23:03:51 netrunner kernel: Attached scsi removable disk sda at scsi1, channel 0, id 0, lun 0
Dec 16 23:03:51 netrunner kernel: Attached scsi generic sg0 at scsi1, channel 0, id 0, lun 0, type 0

$ dd if=/dev/sda1 of=sd-card.img

This left me with a 256MB file called sd-card.img.

Step 2 – Finding Software

Now since I was lazy and most probably not the first person who wanted to do this, I searched the internet for recovery software. There was plenty of it, but just for windows. I tried some of them in wine, but either they crashed during installation, or wanted to register to a non-existant explorer.exe. But then, I found by accident the website of Adam about how he recovered his lost digital photos. He had written a perl script jpeg-recover, that scan’s a image file and looks for jpeg start headers. This was was a start.

Step 3 – Recovery of pictures

For this I used the jpeg-recover mentioned before. It was running quite slow on the image file, but soon printed out some messages that it found pictures. I was happy about it and left it running over night.

On the next morning I started up gwenview. As I ran the recover utility directly in my home, all the pictures were also there. 103 files 🙂 Not all of them were recognized by gwenview as displayable pictures, but those I was missng were there. Success 🙂

Step 4 – Recover the movie

This was more work. At first I thought about putting the avi file header into the perl script. This would be easy, as it was specified in /usr/share/file/magic. But I chose another way. I opened the file in a hexeditor and looked for the avi header (“RIFF”) myself. Then I cut the beginning away, or better, took just everything starting from the header to a new file. This resulting file I played in mplayer. Success 🙂

$ hexedit sd-card.img
 <tab>/RIFF<enter>
 read the hexadecimal line number to the left, let's say 01CD3A00
 <strg-c>
 convert hexadecimal number to int (01CD3A00 = 
$units
2083 units, 71 prefixes, 32 nonlinear units
You have: 0x01CD3A00
You want:
 Definition: 30226944
$ dd if=sd-card.img of=out.avi bs=512 skip=$((30226944/512))
$ mplayer out.avi
</strg-c></enter></tab>

Well, the movie played only 3 seconds. Probably it was stored in the file system non-contiguous. Maybe I will try later to skip the bad parts, but for now: Success 🙂

Post navigation

Comments are closed.