Saturday, April 18, 2015

“Real” raw access of flash memory cards?

I have a 16GB microSDHC card that apparently was nuked by the phone (a friend's phone, not sure which, but I can find out): while taking pictures, it suddenly could no longer access/recognize the card. I was with her when it happened. We immediately switched off the phone, and didn't try to format the card or anything.


Using an SD card reader and Ubuntu, the device could still be recognized, and the complete 16GB could be read via dd without errors. However, 99% of the dd dump was just zero bytes, although the card previously contained several GB of data. Only a very small fraction still contained data, and these fragments were scattered throughout the 16GB.


For example, the card originally contained a FAT32 file system. However, now the boot sector and partition table were zeroed out, as well as the first FAT copy, and most of the data. Curiously, the 2nd FAT copy was intact, as well as the root directory. I found (only) three partial JPGs in the dd dump, and the interesting thing is that the Exif data from these JPGs suggests they were taken just before the card crashed.


So my questions are as follows:



  • Instead of using dd, which relies on the Linux USB mass storage drivers recognizing (and interpreting) the device, is there some other way to access even lower levels of information of the flash card (i.e., truly reading out the chip contents instead of what usb_storage sees; some form of FTL, JFFS, etc.)?

  • Was the data truly erased, or just tagged as "dirty" somewhere? It would be physically impossible for a phone to really overwrite 16GB of memory within seconds. So maybe there is a way to read out the real data? Or is this generally only possible by dismantling the card and directly accessing the NAND(?)-device via specialized hardware?


I'd appreciate any pointers whatsoever - as my friend isn't really using computers besides her phone, she never bothered to ever copy any images from it to a safer place, so several hundred photos of friends & family would be lost :-/
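
As an added example (not part of the original post): a read-only survey of a dd image like the one described above, listing the non-zero extents and flagging sectors that start with a JPEG marker, start like a FAT32 table, or end with a boot signature. The function names, the 512-byte sector size and the in-memory sample image are assumptions constructed for illustration.

```python
import io
import sys

SECTOR = 512                        # assumed logical sector size of the dump
JPEG_SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker
FAT32_HEAD = b"\xf8\xff\xff\x0f"    # FAT[0] for media type 0xF8 (heuristic)

def survey(stream, sector=SECTOR):
    """Scan an image sector by sector without modifying it.

    Returns (extents, hits): extents are (start_sector, sector_count) runs
    of non-zero data; hits are (sector, label) signature matches.
    """
    extents, hits = [], []
    zero, start, idx = bytes(sector), None, 0
    while True:
        buf = stream.read(sector)
        if not buf:
            break
        if buf != zero[:len(buf)]:
            if start is None:
                start = idx                      # a non-zero run begins here
            if buf.startswith(JPEG_SOI):
                hits.append((idx, "jpeg"))
            elif buf.startswith(FAT32_HEAD):
                hits.append((idx, "fat32-table"))
            elif buf[510:512] == b"\x55\xaa":
                hits.append((idx, "boot-signature"))
        elif start is not None:
            extents.append((start, idx - start))  # run ended on a zero sector
            start = None
        idx += 1
    if start is not None:
        extents.append((start, idx - start))
    return extents, hits

def build_sample():
    """Constructed 64-sector image: mostly zeros, one FAT start, one JPEG."""
    img = bytearray(64 * SECTOR)
    img[8 * SECTOR:8 * SECTOR + 8] = FAT32_HEAD + b"\xff\xff\xff\x0f"
    img[40 * SECTOR:40 * SECTOR + 4] = JPEG_SOI + b"\xe1"
    img[41 * SECTOR:42 * SECTOR] = b"\x11" * SECTOR
    return bytes(img)

if __name__ == "__main__":
    # Pass the path of a dd image, or run with no argument for the sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample())
    found_extents, found_hits = survey(src)
    for first, count in found_extents:
        print(f"data: sectors {first}..{first + count - 1}")
    for sec, label in found_hits:
        print(f"signature: {label} at sector {sec}")
```

The signature checks only look at sector starts, which matches files stored on cluster boundaries; work on a copy of the image rather than the card itself.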
