Recover pictures from Compact Flash

Drama

So after our last vacation, one of our 256MB Compact Flash cards, full of pictures from our trip, is causing us some serious problems. Only 41 out of over 200 pictures are readable from the flash. The other pictures seem gone forever. :-(

Initial backup

My forensics experience teaches me to start by making a backup. This is quite simple on any Unix using the dd command:
dd if=/dev/sda1 of=/opt/cpc/sda1.dat
sha1sum /opt/cpc/sda1.dat > /opt/cpc/sda1.dat.sha

Recovering the first file

My first idea was to hope that the filesystem was not fragmented and copy data from the partition to a file, switching to a new one each time a JPG header is detected.
hexdump -C sda1.dat | grep -i "exif" > headers.hex
# convert each hex offset to a 512-byte sector number (strtonum needs gawk)
gawk '{print strtonum("0x"$1)/512}' headers.hex > headers.512.dec
# carve 4000 sectors (about 2MB) starting at each header
xargs --replace bash -c "dd skip={} if=sda1.dat bs=512 count=4000 of=./{}.jpg" < headers.512.dec
Unfortunately, we sometimes delete images and some data was fragmented, so we only recovered half of the images that way.
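
The idea described above, as an added Python example (not the author's code): scan the raw image for JPEG headers on 512-byte sector boundaries and cut each candidate file at the next header, trimming the slack after the last end-of-image marker. The sample image is constructed in the code and all function names are made up for this example; a real run would read sda1.dat instead.

```python
import hashlib

SECTOR = 512
JPEG_MAGIC = b"\xff\xd8\xff"   # SOI marker followed by the first segment marker
EOI = b"\xff\xd9"              # end-of-image marker


def find_headers(image: bytes) -> list[int]:
    """Return offsets of sectors that start with a JPEG header."""
    return [off for off in range(0, len(image), SECTOR)
            if image[off:off + 3] == JPEG_MAGIC]


def carve(image: bytes) -> list[tuple[int, bytes]]:
    """Carve one candidate file per header, ending at the next header.

    Only correct when each file is stored contiguously; a fragmented or
    overwritten file comes out truncated or mixed with foreign sectors.
    """
    starts = find_headers(image)
    carved = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(image)
        chunk = image[start:end]
        last_eoi = chunk.rfind(EOI)          # drop slack after the last EOI
        if last_eoi != -1:
            chunk = chunk[:last_eoi + len(EOI)]
        carved.append((start // SECTOR, chunk))
    return carved


def pad(data: bytes) -> bytes:
    """Pad to a whole number of sectors, as a filesystem would."""
    return data + b"\x00" * (-len(data) % SECTOR)


def build_sample() -> tuple[bytes, bytes, bytes]:
    """Constructed test image: empty sector, two fake JPEGs, contiguous."""
    pic_a = JPEG_MAGIC + b"\xe1" + b"Exif\x00\x00" + b"A" * 700 + EOI
    pic_b = JPEG_MAGIC + b"\xe0" + b"JFIF\x00" + b"B" * 100 + EOI
    return b"\x00" * SECTOR + pad(pic_a) + pad(pic_b), pic_a, pic_b


if __name__ == "__main__":
    image, _, _ = build_sample()
    for sector, data in carve(image):
        print(sector, len(data), hashlib.sha1(data).hexdigest())
```

Searching for the header magic instead of the string "exif" also catches JFIF-only files, and it does not depend on the text landing inside one hexdump line.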

Looking for external help

I gave the following URL a try, but had no more success than with the previous attempt: http://www.cs.washington.edu/homes/oskin/saveimg.html

Getting serious

One month after this first attempt, I decided to come back to that problem and try some tools on it. I tried using Sleuth Kit. The first attempt, using sorter, was not very good:
Images
- sda1.dat

Files (471)
- Allocated (260)
- Unallocated (211)

Files Skipped (425)
- Non-Files (425)
- 'ignore' category (0)

Extensions
- Extension Mismatches (0)

Categories (42)
- images (41)
- unknown (1)
Then I decided to do some home magic to take care of the non-files:
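#!/usr/bin/perl
# recover.pl - 2005/09/27 - Nicolas Lidzborski  - GPL2
use strict;
use warnings;
# List every entry on the FAT image recursively, deleted ones included
open FLS,'fls sda1.dat -f fat -r|' or die "Cannot use fls: $!";
while(<FLS>){
        # Deleted regular files are listed as "r/r * <inode>: <name>"
        if (m|r/r \* (\d+):\s+(\S+JPG)$|){
                my ($inode,$filename)=($1,$2);
                print "icat -f fat sda1.dat $inode > data/$filename\n";
                # Dump the content of that entry into data/
                `icat -f fat sda1.dat $inode > data/$filename`;
        }
}
close FLS;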
Here we go, I got 206 files out of this, recovering all the pictures of our trip! :)

Nicolas Lidzborski (cpc at freeshell.org) on June 9th 2003, edited on August 22nd 2003