Corrupted USB files… is there hope? Keep reading.

So your USB files are corrupted. And your friend ran a command that completely wiped out all the files. The damage is done, and it is irreversible. And worst of all, you didn’t back up the removable media to another device. In layman’s terms, it looks like we’re screwed.

This scenario happened to me just yesterday, as I was trying to repair a USB for a friend. Tuesday afternoon, right before lunch, she scurries over to my desk, panicking over her allegedly lost files in her USB. In a frustrated tone, along with a few cuss words, she explains that the computer wasn’t reading her USB. She yanks out the thumb drive and re-inserts it as she was editing some files. As she remounts the drive, she finds all her files corrupted and translated to something that looks like MT Extra, or like she said, Chinese. The drive was still accessible, but the files were unintelligible and not openable. I ask her if I can take the USB home to fix it, and she agreed. I decided to take on the task because lately I’ve been reading up on file systems, data recovery tools, and hex editors. I did some research on how files get corrupted and if said files are beyond repair.

I take the drive home and later to a class, where I show it to my friend. My friend says he knows how to fix it, so he runs a command… that completely wipes out the drive. I said, “dude, did you just delete all the files? I was trying to fix them, not get rid of them…”, to which he replied, “oh, you wanted to fix them?” After an awkward silence, I nodded and began doing research, now on how to recover deleted files on a thumb drive.

The drive has deleted files, and these files are also corrupted.

Great.

It may seem like this drive is beyond repair. How do you fix a USB in this state?

This story speaks to many of us. A lot of times, we take for granted that when we delete files like pictures, documents, PDFs, videos, and audio files, they are truly deleted. Also, when we see a file that has been corrupted, we assume that it is beyond repair. A lot of times, we do it by accident, and this may cause us to panic. Especially if there are no backups of the data. It could have been hours of work wasted! Or simply, files that we cannot make again. However, here’s a little secret about computers: nothing truly deletes. That’s the beauty of computer forensics. Things only get rewritten, not deleted. There are procedures in place to truly wipe a drive, but often times with incidents like this, drives aren’t wiped like that on purpose. So there is always a chance for recovery. We will review some facts about data recovery at the end of the post.

Let’s review some of the steps I took to recover the files on the thumb drive and cool applications that can simplify the process. We will then enter some technicalities regarding file systems and hex editors and conclude with some lessons learned.

HOW TO REPAIR A USB WITH CORRUPTED FILES

1. DON’T TOUCH ANYTHING!!!

Fine. Your files are deleted. But actually, what was deleted was the pointer to the files, which is what shows up on File Explorer. Your file is still actually there! But it has been flagged to be rewritten. So if you make any changes to the drive in this state (add new files, make folders, etc.) then there is a chance for data loss, and that is irreversible (it probably isn’t, but let’s stick to the basics).

2. OPEN A COMMAND PROMPT ON THE DRIVE

The command my friend ran was:

chkdsk D: /r

This command locates bad sectors and recovers readable information. It includes the functionality of /f, with the additional analysis of physical disk errors. So, it may appear that your once corrupted files have now disappeared, since none of them show up on File Explorer. This is fine: what the command did was verify the file system integrity (this case FAT32 was the thumb drive) and attempt to fix logical file system errors. The error with the drive appeared to be logical rather than physical (the table got wonky or something), so this command works. After, execute this command:

ATTRIB -H -R -S /S /D X:*.*

This command shows the attributes set on the files within the directory. It will clear out everything: the hidden file attribute, the read-only attribute, and the clear system file attribute. It will do it to all files in the drives, regardless of the extension. Now, you should see two folders on File Explorer: FOUND.000 and System Volume Information.

3. USE DECHK

Great! So the once empty drive now has some files! But, when you try opening them, they’re still no good. And they also have an unfamiliar format: CHK. What are those?

What Windows has done with the previous two commands is create fragments of corrupted files found on the drive. Instead of deleting any corrupted data it finds, Check Disk puts the CHK file fragments into the FOUND.000 folder. Supposedly, Microsoft says that these file fragments cannot be re-constituted into actual files, and that the data is not recoverable, but that’s just Microsoft being Microsoft. Let’s use a tool called deCHK, developed by Sascha Presnac, a developer, gamer, and simply a dude from Germany. This free program regains/recovers chk-files in the Windows platform. It’s a small tool that recovers about 80% of files lost, and most importantly, it’s free. The link is here below:

http://www.techcrawler.de/dechk/index_en.html

After you download it, make sure you create a separate folder to store your newly recovered files. The program detects about 50 different file types, so there is a high chance that it will fix your lost files.

4. CONGRATS! YOU HAVE PERFORMED DATA RECOVERY FOR FREE!

Once you finish using the tool, you are presented with most if not all the files you lost on the drive. FAT32 is kind of stupid, so your file names are lost. But hey, the content of the files is all there! I did notice that on some file types, like Word or Excel documents, when you open them, a dialogue box pops up alerting you that the file is corrupted. These Microsoft apps will attempt to repair them, and out of the documents I tried recovering, all of them opened successfully. Audio files may be a little trickier, simply because of the nature of the file, but they are not impossible to recover.

FILE SYSTEM WHO?

So, what just happened? There are probably a million questions on your mind after this short tutorial. For example, didn’t I delete the files? How come they’re still there? How did these programs recover deleted data? How do programs know just from the CHK files which files are which? Or simply, what is a file system?

These are all great questions, and they touch upon many different subjects related to computers. Although we won’t really focus on the operating system side of things, since that is extremely technical (and not the purpose of this post), it is worth mentioning a few key words that can aid us in understanding what’s going on behind the scenes and start answering some of our questions.

With time, review these topics:

• Logical Structure of a Disk
• Windows File Systems
• Encoding Standards and Hex Editors

Let’s briefly review what you may find when you search up these topics… next post.

Thanks for reading 🙂