Jump to content

  • Log In with Google      Sign In   
  • Create Account

Trying to recover photos from formatted MicroSD card


Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.

  • This topic is locked This topic is locked
17 replies to this topic

#1 Servant of the Lord   Crossbones+   -  Reputation: 21022

Posted 10 October 2013 - 02:25 PM

A family friend asked me to try and recover some photos from his Android phone's MicroSD card when it was accidentally reformatted. Not having done this before, I did some googling and found PhotoRec as a tool to try.

 

Using it, I successfully recovered >1000 photos! smile.png

The only problem is, all the photos are the same!? sad.png

 

It looks like a Modern Warfare cover or something - which is odd, because he's an older gentleman and isn't a gamer, afaik.

Here it is:

0bch.jpg

 

[Edit:] Yep, Modern Warfare 2's cover, but without the text or anything.

 

Multiply that by 1,376 files with different filenames, all with a filename like "f11746222.jpg". Always starting with an 'f', 8 numerical digits, and then .jpg.

 

It's possible I selected the wrong drive (It's using the linux-style names of the drives (/dev/sdc/ is the one I was doing it on), rather than Windows single-letter drive names (F:/)), I was going off of the listed size of the drives to guess which one was the MicroSD card; seeing that the MicroSD card is 16 gb, and my harddrives are both >300GB, it seems like I chose the right one. Even if I messed up, I'm fairly sure none of my harddrives have a thousand thumbnails of the MW2 cover art. But Modern Warfare 2 was recently re-installed on this computer... Not while the SD card was plugged in though (MW2 was installed two weeks ago. I was given the MicroSD card this morning).

 

Anyone have a guess what I'm doing wrong? I was expecting photos of his family.

 

Actually, I did recover one photo (and a resized thumbnail of the photo) of two women standing in front of a nice office building - guessing it's his daughters. But other than that, just thousands of duplicates of the exact same image (at the exact same resolution) of the above photo.

 

Is there a different tool you would recommend?


It's perfectly fine to abbreviate my username to 'Servant' rather than copy+pasting it all the time.
All glory be to the Man at the right hand... On David's throne the King will reign, and the Government will rest upon His shoulders. All the earth will see the salvation of God.
Of Stranger Flames - [indie turn-based rpg set in a para-historical French colony] | Indie RPG development journal

[Fly with me on Twitter] [Google+] [My broken website]

[Need web hosting? I personally like A Small Orange]


Sponsor:

#2 Shane C   Crossbones+   -  Reputation: 1283

Posted 10 October 2013 - 02:54 PM

Sell it on Ebay as a haunted MicroSD card. Or go to the gravesite of the deleted files and have an all-out war with the dead.

Or you could try this: http://www.z-a-recovery.com/. I have not personally tried it but I searched and saw people recommending it.

#3 Servant of the Lord   Crossbones+   -  Reputation: 21022

Posted 10 October 2013 - 03:33 PM

I saw when googling that some people release fake data recovery software that damages the PC you run it on, as a prank (instead of using PC A to recover data from accidentally formatted drive B, the software reformats PC A itself).

 

I've no idea if the link you gave does that, but to be safe, I use the wikipedia-test for software downloads (if I can't find it on Wikipedia, it's to be dealt with as extra suspicious).


It's perfectly fine to abbreviate my username to 'Servant' rather than copy+pasting it all the time.
All glory be to the Man at the right hand... On David's throne the King will reign, and the Government will rest upon His shoulders. All the earth will see the salvation of God.
Of Stranger Flames - [indie turn-based rpg set in a para-historical French colony] | Indie RPG development journal

[Fly with me on Twitter] [Google+] [My broken website]

[Need web hosting? I personally like A Small Orange]


#4 slicer4ever   Crossbones+   -  Reputation: 3982

Posted 10 October 2013 - 04:18 PM

Recuva is my goto data recovery tool.
Check out https://www.facebook.com/LiquidGames for some great games made by me on the Playstation Mobile market.

#5 Servant of the Lord   Crossbones+   -  Reputation: 21022

Posted 10 October 2013 - 08:07 PM

Recuva is identifying the files (first it said >340 found, now it's only saying 102 found), but whenever I try to 'Recover' the files, it complains that: "the volume for a file has been externally altered so that the opened file is no longer valid" - which appears to be a standard Windows error message.

 

Weird that it seems like the contents of the MicroSD card is changing... the card didn't fail (afaik), it was accidentally reformatted. I wonder if it's just my MicroSD->SD->USB reader that is giving sporadic results. I'll let the card rest and then give it a try tomorrow.

 

Anyone have any insight or any other suggestions? Recuva for a moment there found a bunch of filenames, dates, filesizes, but couldn't recover the files themselves (giving the aforementioned message)... but said that their sectors weren't overwritten.


It's perfectly fine to abbreviate my username to 'Servant' rather than copy+pasting it all the time.
All glory be to the Man at the right hand... On David's throne the King will reign, and the Government will rest upon His shoulders. All the earth will see the salvation of God.
Of Stranger Flames - [indie turn-based rpg set in a para-historical French colony] | Indie RPG development journal

[Fly with me on Twitter] [Google+] [My broken website]

[Need web hosting? I personally like A Small Orange]


#6 Servant of the Lord   Crossbones+   -  Reputation: 21022

Posted 11 October 2013 - 04:55 PM

Recovered a good portion of them - running PhotoRec from a Linux boot disk was able to do a much better job, and recovered almost 2000 files (mostly text XML metadata files, but at least 500 photos).

 

PhotoRec was installed by default on the Knoppix disc I had laying around. This is probably the fourth time Knoppix has come in handy.

 

Thanks for the help, gentlemen!


Edited by Servant of the Lord, 11 October 2013 - 04:55 PM.

It's perfectly fine to abbreviate my username to 'Servant' rather than copy+pasting it all the time.
All glory be to the Man at the right hand... On David's throne the King will reign, and the Government will rest upon His shoulders. All the earth will see the salvation of God.
Of Stranger Flames - [indie turn-based rpg set in a para-historical French colony] | Indie RPG development journal

[Fly with me on Twitter] [Google+] [My broken website]

[Need web hosting? I personally like A Small Orange]


#7 Dragonsoulj   Crossbones+   -  Reputation: 2126

Posted 11 October 2013 - 08:27 PM

I have had decent success using Recuva, but PhotoRec sounds like it is a useful program.



#8 Dragonsoulj   Crossbones+   -  Reputation: 2126

Posted 11 October 2013 - 10:02 PM

The big thing is most of the time it just drops the file table and leaves the files themselves alone. Recovery programs look for bit patterns that match certain file types. Unless the area of the storage was used for something else and the bits overwritten/partially overwritten, it is possible to recover files most of the time.



#9 Luckless   Crossbones+   -  Reputation: 1885

Posted 11 October 2013 - 10:48 PM

I've used PhotoRec a few dozen times to recover data from mistakenly formatted/damaged disks, but it has always worked fine for me and never had an issue with it showing some random data that wasn't on the card. That's just weird.

 

We also used it at one of the places I work. It was one of a half dozen or so tools that were bundled into an automated scan system that all hard drives and digital media were passed through to ensure no critical data remained on the disk before disposal. If they passed the test the disks were then tossed into a modified wood chipper. If they failed then they went back for additional formatting and overwriting. Apparently SSDs have been proving troublesome and are now being melted in a three stage thermite based process. (However I have a suspicion that change in protocol was more of an excuse to use thermite in 'the office', more so than an actual valid issue on security over the wood chipper.)


Old Username: Talroth
If your signature on a web forum takes up more space than your average post, then you are doing things wrong.

#10 slicer4ever   Crossbones+   -  Reputation: 3982

Posted 11 October 2013 - 10:55 PM

 Apparently SSDs have been proving troublesome and are now being melted in a three stage thermite based process. (However I have a suspicion that change in protocol was more of an excuse to use thermite in 'the office', more so than an actual valid issue on security over the wood chipper.)

Eh? shoudn't SSD's be more secure in terms of wiping data, due to how data is erased on a SSD.


Check out https://www.facebook.com/LiquidGames for some great games made by me on the Playstation Mobile market.

#11 Luckless   Crossbones+   -  Reputation: 1885

Posted 12 October 2013 - 08:13 AM

 

 Apparently SSDs have been proving troublesome and are now being melted in a three stage thermite based process. (However I have a suspicion that change in protocol was more of an excuse to use thermite in 'the office', more so than an actual valid issue on security over the wood chipper.)

Eh? shoudn't SSD's be more secure in terms of wiping data, due to how data is erased on a SSD.

 

 

It is "not my department" so to speak, so I'm out of the loop on actual details. The impression I got from lunch time talks with one of the techs is that this one model, of which we bought a ton of, supported this fun in disk compression buffer. Before writing data it compared the next write to its buffer and looked for data blocks that could be quickly compressed/cloned to save space. This in turn gave the techs headaches when it came to their over writing protocol software as the drive kept looking at the incoming data and saying "Hey! I have a copy of that over here in the first 5% of the drive, I'll just point to this bit of already written data..." and then not actually forcing deletes on other parts of the drive that still contained potentially sensitive data. 


Old Username: Talroth
If your signature on a web forum takes up more space than your average post, then you are doing things wrong.

#12 wintertime   Members   -  Reputation: 1877

Posted 12 October 2013 - 09:31 AM

And they didnt think of trying to switch from filling with zeros to filling with a stream of ever changing random numbers?



#13 Servant of the Lord   Crossbones+   -  Reputation: 21022

Posted 12 October 2013 - 10:16 AM

Here's my thoughts about the ghosting images:

The MW2 image turned out to be the same size (220x195) as a few dozen other non-family-photograph images that were mixed in with the real photographs.

I also found a Battlefield 3 cover-art image of about the same size.

 

They were probably cached on the card for some marketing purpose: Maybe as pre-installed wallpapers that came on the phone (weird resolution for a wallpaper though), maybe for some other reason. Perhaps they are the cover-art image for purchasing an app version of the game or something.

 

If the drive had hundreds of entries for files, but they got overwritten and all pointed at the same location (a single block of memory early on in the disk, for example - which might reinforce the idea that they were pre-installed for marketing reasons), PhotoRec could've ended up accidentally pulling from the same memory block hundreds of times. I don't know how filesystems are actually laid out, nor what method PhotoRec uses to recover files, so this is purely speculation.


It's perfectly fine to abbreviate my username to 'Servant' rather than copy+pasting it all the time.
All glory be to the Man at the right hand... On David's throne the King will reign, and the Government will rest upon His shoulders. All the earth will see the salvation of God.
Of Stranger Flames - [indie turn-based rpg set in a para-historical French colony] | Indie RPG development journal

[Fly with me on Twitter] [Google+] [My broken website]

[Need web hosting? I personally like A Small Orange]


#14 Luckless   Crossbones+   -  Reputation: 1885

Posted 12 October 2013 - 04:28 PM

And they didnt think of trying to switch from filling with zeros to filling with a stream of ever changing random numbers?

 

Given that much of the sensitive data is frequently made up of streams of fairly random numbers, detecting the difference between a legit random data stream that was previously on the hard drive and a 'safe' random stream used to overwrite it is somewhat non-trivial. So the only data that was allowed to exist on the drives before their destruction is a series of cat photos, that way it is easy to verify that the data is in fact not fractional remains of sensitive material that was required to be fully scrubbed prior to drive physical destruction.

 

I'm sure it sounds very odd, but the protocol had the drives handled at various levels on their way out. The checks and additional scrubbing just prior to destruction were to weed out issues that were happening in levels above. If the guys handling drive destruction detected data that wasn't suppose to reach them then there was a problem upstream of them. And if they can eliminate the data that the previous department failed to, then there was a problem at the previous department that needed to be fixed/heads roll. Destruction and disposal guys get security clearance to see the data, but the data isn't suppose to have made it to them. (Reduces the ability for someone to nick a drive in transit between its department and destruction.)


Old Username: Talroth
If your signature on a web forum takes up more space than your average post, then you are doing things wrong.

#15 Bacterius   Crossbones+   -  Reputation: 9282

Posted 12 October 2013 - 05:15 PM

And they didnt think of trying to switch from filling with zeros to filling with a stream of ever changing random numbers?

 

Many SSD's these days tend to use internal full-drive encryption and simply erase the encryption key, permanently destroying all data on the drive. This approach works to the SSD's strengths by reducing the amount of writes required, and is quite efficient especially when done at the hardware level. In theory, if this was done right, there would be no possible recovery. But in practice, nothing is implemented properly and the firmware is so opaque and has so many levels of indirection that you're better off just physically destroying the drive for peace of mind happy.png

 

(just to make it clear, the encryption feature offers no security whatsoever when it comes to someone stealing your SSD, because it is built into the firmware, it exists only so that data at rest can be quickly disposed of without forcibly overwriting every last bit of information and wearing out the drive in the process, and it does not prevent you from using an additional encryption layer if you are the paranoid type)


The slowsort algorithm is a perfect illustration of the multiply and surrender paradigm, which is perhaps the single most important paradigm in the development of reluctant algorithms. The basic multiply and surrender strategy consists in replacing the problem at hand by two or more subproblems, each slightly simpler than the original, and continue multiplying subproblems and subsubproblems recursively in this fashion as long as possible. At some point the subproblems will all become so simple that their solution can no longer be postponed, and we will have to surrender. Experience shows that, in most cases, by the time this point is reached the total work will be substantially higher than what could have been wasted by a more direct approach.

 

- Pessimal Algorithms and Simplexity Analysis


#16 MerryJoseph   Banned   -  Reputation: 101

Posted 15 October 2013 - 10:22 AM

once I used Photo Rec and went in same state of affairs as you. Then my friend suggest me one utility named as Remo Recover for Android. Trust me, I effortlessly recovered my photos from Android phone SD card. You can also try this utility.    



#17 Servant of the Lord   Crossbones+   -  Reputation: 21022

Posted 15 October 2013 - 11:26 AM

Uh, it seems that file recovery threads get more targeted spambot responses than many other topics (you see this on other forums when googling as well).
The two posts above me are spambots, and there was a third that was already removed.
 
Since my problem is resolved, could a moderator lock this thread?

For any future person having the same issue:

Using the Linux version of PhotoRec from a Knoppix install disc worked perfectly for me (and both of these are free/opensource)

For some reason (I think it might have been my cheap SD card reader which I got for free and probably cost < $2 to manufacture) the Windows version of PhotoRec wasn't doing as great a job (but is still worth giving a try).


Edited by Servant of the Lord, 15 October 2013 - 11:27 AM.

It's perfectly fine to abbreviate my username to 'Servant' rather than copy+pasting it all the time.
All glory be to the Man at the right hand... On David's throne the King will reign, and the Government will rest upon His shoulders. All the earth will see the salvation of God.
Of Stranger Flames - [indie turn-based rpg set in a para-historical French colony] | Indie RPG development journal

[Fly with me on Twitter] [Google+] [My broken website]

[Need web hosting? I personally like A Small Orange]


#18 Tom Sloper   Moderators   -  Reputation: 10160

Posted 15 October 2013 - 11:52 AM

Locking as requested. One spammer banned; other being watched.


-- Tom Sloper
Sloperama Productions
Making games fun and getting them done.
www.sloperama.com

Please do not PM me. My email address is easy to find, but note that I do not give private advice.




Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.



PARTNERS