Partition table corrupted (USB flash drive)

It's an 8 GB Patriot thumb drive, which I've used extensively with lots of data. Today, it is detected, but all data is gone: (EDIT at least some data is still there, but the partition table is gone)

EDIT @Sathya (thanks) here's the relevant output from sudo fdisk -l:

Disk /dev/sdc: 8019 MB, 8019509248 bytes
247 heads, 62 sectors/track, 1022 cylinders
Units = cylinders of 15314 * 512 = 7840768 bytes

Disk /dev/sdc doesn't contain a valid partition table

It looks like it is /dev/sdc, with that 8 GB... and no partition table.

I tried to mount /dev/sdc (and then dmesg | tail):

/media> sudo mount /dev/sdc mytmp
mount: wrong fs type, bad option, bad superblock on /dev/sdc,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so

/media> dmesg | tail
[   24.300000]  sdc: unknown partition table
[   24.320000] sd 2:0:0:0: Attached scsi removable disk sdc
[   24.370000] usb-storage: device scan complete
[   26.870000] EXT2-fs error (device sdc): ext2_check_descriptors: Block bitmap for group 1 not in group (block 0)!
[   26.870000] EXT2-fs: group descriptors corrupted!
[   50.420000] unhashed dentry being revalidated: .DCOPserver_eeepc-brendanma__0
[   50.430000] unhashed dentry being revalidated: .DCOPserver_eeepc-brendanma__0
[   50.430000] unhashed dentry being revalidated: .DCOPserver_eeepc-brendanma__0
[ 5565.470000] EXT2-fs error (device sdc): ext2_check_descriptors: Block bitmap for group 1 not in group (block 0)!
[ 5565.470000] EXT2-fs: group descriptors corrupted!

EDIT @Col: results from testdisk

Disk /dev/sdc - 8013 MB / 7642 MiB - CHS 1022 247 62
Current partition structure:
     Partition                  Start        End    Size in sectors

Partition sector doesn't have the endmark 0xAA55

After I hit [proceed], it says:

Structure: Ok.


Keys A: add partition, L: load backup, Enter: to continue

The "Structure: Ok." seems reassuring... will "A: add partition" make my old data accessible (if it's still there), or will it make a new, fresh partition?

Another option is "[ MBR Code ] Write TestDisk MBR code to first sector" - would it be better to do this?

EDIT I found that at least some of my data is still on the flash drive, by using the below, and searching for English text in less (like " the "):

cat /dev/sde | tr -cd '\11\12\40\1540-\176' | less

(The drive changed from "/dev/sdb" to "/dev/sde" because I connected some extra drives today). I've learnt that "/dev/sde1" would be the first partition; and "/dev/sde" is the whole drive. Because unix treats these devices just like files, you can use all the ordinary unix file commands on them, like cat, and then process them like any other stream of data. The tr above removes non-printable characters ("\40" is space, which I wanted to preserve). In less, you can use "/" to search, similar to Vim.

How can I get my data back (assuming it's still there)? If only the partition table is corrupted, is there a standard "partition recovery tool"? Is there a way to "repartition" without deleting everything?

13ren

Posted 2009-08-31T10:38:30.230

Reputation: 133

@ChrisF That answer doesn't work... and I can't respond to it there - so I have here (see the edit to the question). – 13ren – 2009-08-31T10:45:01.387

@13ren - If you use the same OpenID on both sites you can associate your accounts. However for now please e-mail team@superuser.com and ask them to do the association. I have merged the two questions in the meantime. – BinaryMisfit – 2009-08-31T10:55:03.127

1@13ren - I know you can't respond there. I was including the link for the moderators so they could find the question. – ChrisF – 2009-08-31T10:57:38.630

Thanks ChrisF, sorry I misunderstood. I sent an email as you suggested. @Diago thanks for merging, I can comment now. I'll email them again. – 13ren – 2009-08-31T11:12:53.327

1Insert the drive, and do a sudo fdisk -l and can you please update the post with the output ? – Sathyajith Bhat – 2009-08-31T12:34:31.940

@Sathya: done (thanks). Looks like the partition table is gone (how could that happen?) – 13ren – 2009-09-01T05:21:37.213

@13ren the most likely cause is an unsafe removal while it was writing to the partition table – Col – 2009-09-03T15:16:48.373

@Col OK, my case is unusual, because it hadn't been removed at that time (although a few weeks previously I removed the power supply from the USB hub it was connected to... maybe there was low power?). Also, I was only writing ordinary files, not partitioning it or anything (or does writing files also update the partition table?) – 13ren – 2009-09-05T10:30:23.573

Answers

It may be worth running testdisk over the device, it sounds like your partition table may have gone pop. Testdisk should be able to recover your data.

Col

Posted 2009-08-31T10:38:30.230

Reputation: 6 995

@Col thanks, but I don't have testdisk - I tried sudo testdisk and man testdisk. I just apt-get installed it, and it detects /dev/sdc with 8GB (as added to the question). I'm don't want to proceed further til I understand a little more. – 13ren – 2009-09-01T05:56:31.400

@Col, I've tried it, and added the results to the question – 13ren – 2009-09-02T08:14:37.087

If you're feeling nervous it might be worth using dd to create an image of the usb stick onto your hard drive, I think this should work even with an unmountable drive since it copies bit for bit. – Col – 2009-09-02T08:28:42.707

Thanks, that's a good idea! But how do I copy a file with dd? The man page talks about "files"... oh, does /dev/sdc count as a "file"? So I can just copy the entire /dev/sdc to a convention file like" dd /dev/sdc mybackupfile ? – 13ren – 2009-09-02T08:38:56.117

Yah, it would be something like sudo dd if=/dev/sdc of=usb.dd which will copy everything to the file usb.dd – Col – 2009-09-02T08:44:12.020

er, the syntax should be: dd if=/dev/sdc of=mybackupfile. I googled a bit, and it's amazing to me that pipes also work with this stuff, e.g. for compressing the backup. I know it's all data, but it's surprising that it's fast enough. – 13ren – 2009-09-02T08:44:18.900

In theory you can mount that image (if it was mountable) and read from it. – Col – 2009-09-02T08:45:52.250

Oh yeah, you can do all sorts of weird stuff in linux as I keep finding out. You'll probably want to set the block size as well I think the setting is bs=16K which speeds up the copy. I've used this to back up a 500gb disk to move it to a new one although it took a heck of a long time. – Col – 2009-09-02T08:47:51.043

OK thanks! (our messages crossed) I'll this out tomorrow, when I'm fresh. – 13ren – 2009-09-02T08:49:06.253

1Now I've got some reputation points now, so I can vote you up! – 13ren – 2009-09-03T12:09:25.050

@Col I copied the faulty drive with dd. I also found you can cat /dev/sdc, and it will write the raw data - just like a file. I can see my data still! (so at least some of it is still there). I stripped off non-printable char, piped to less, and then searched for English words (" the " worked well, but "the" also appeared in random/executable data). So now my question is to how to recover this data - can repartition and preserve the data? I think I'd best start a new question, framed more directly using the info I now have - nobody will see it here. – 13ren – 2009-09-05T10:36:21.640

If you can recover the partition table with testdisk the drive should become readable as it was before the problem occurred, or at least that's been my experience. – Col – 2009-09-06T12:22:00.183

Here are some pretty good instructions http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step they seem to be describing what to do in your situation.

– Col – 2009-09-06T12:25:18.140

While it's possible to rebuild the partition table, the first thing you should do it to take an image of the device. You can do this with dd if=/dev/sdb of=~/memstick.img - changing paths as needed.

Once you've done that, run PhotoRec, which should be able to pull out any files that are on there. If you've got everything you need, format the stick and start again, if not, you can try further data recovery.

Dentrasi

Posted 2009-08-31T10:38:30.230

Reputation: 10 115

Don't worry, your data is not gone --- you are right about the disk not being mounted, regardless of what the graphical interface says.

You can mount it by doing (as root) something like:

mount /dev/sdb1 /media/Patriot\ Memory

Where I think that sdb1 refers to your usb stick--it might be sdc1 or sdd1

Michiel Buddingh'

Posted 2009-08-31T10:38:30.230

Reputation:

Or even sda1, depending on the age of the computer (ie, if the harddrives in it are IDE ones) – Matthew Scharley – 2009-08-31T08:12:47.083

@Michiel thanks - but it says "mount: No medium found". Using sdc1 and sdd1 gave "mount: special device /dev/sdc1 does not exist", which makes me think that "sdb1" does exist but there's something wrong. It has worked for months, and nothing changed that I know of - so I fear it's some kind of hardware failure – 13ren – 2009-08-31T11:20:12.860

ddrescue is the tool you need. I don't think you'll be able to salvage the partition table and access the data any other way, based on the output you've posted from testdisk etc.

http://www.forensicswiki.org/wiki/Ddrescue

ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.

The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc.

If you use the logfile feature of ddrescue, the data is rescued very efficiently, (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point.

Ddrescue does not write zeros to the output when it finds bad sectors in the input, and does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps without wiping out the data already rescued.

If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is because the probability of having damaged areas at the same places on different input files is very low. Using the logfile, only the needed blocks are read from the second and successive copies.

Sam Dunlap

Posted 2009-08-31T10:38:30.230

Reputation: 31