Forensics
Re: Physically damaged SD card Jan 04 2007 07:47PM
Tim (tim-forensics sentinelchicken org)
Spam detection software, running on the system "mail.securityfocus.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: > I've tried several readers that I have available.
Applying some > physical pressure to close up the cracks seemed to help
a bit at > first. Typically, if I can get it to read, I can read some
data, but > then it un-mounts and either fails to read, or all data read
contains zeros. [...]

Content analysis details: (10.0 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
4.1 HELO_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC)
3.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr
2)
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5201]
2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[207.172.85.4 listed in dnsbl.sorbs.net]

Received: (qmail 25949 invoked from network); 4 Jan 2007 19:33:30 -0000
Received: from 207-172-85-4.c3-0.slvr-ubr2.lnh-slvr.md.static.cable.rcn.com (207.172.85.4)
by mail.securityfocus.com with SMTP; 4 Jan 2007 19:33:30 -0000
Received: from 207-172-85-4.c3-0.slvr-ubr2.lnh-slvr.md.static.cable.rcn.com ([207.172.85.4]) by 207-172-85-4.c3-0.slvr-ubr2.lnh-slvr.md.static.cable.rcn.com
via smtpd (for mail.securityfocus.com [205.206.231.9]) with ESMTP; Thu, 4 Jan 2007 11:41:33 -0800
Received: (qmail 32071 invoked from network); 4 Jan 2007 19:47:59 -0000
Received: from unknown (HELO pascal.sentinelchicken.org) (10.0.1.2)
by claudius.sentinelchicken.org with SMTP; 4 Jan 2007 19:47:59 -0000
Received: (qmail 32124 invoked from network); 4 Jan 2007 19:47:59 -0000
Received: from feynman.sentinelchicken.org (10.0.1.3)
by pascal.sentinelchicken.org with SMTP; 4 Jan 2007 19:47:59 -0000
Received: (nullmailer pid 4328 invoked by uid 1000);
Thu, 04 Jan 2007 19:47:59 -0000
Date: Thu, 4 Jan 2007 14:47:59 -0500
From: Tim <tim-forensics (at) sentinelchicken (dot) org [email concealed]>
To: Michael Edwards <medwards (at) digital-legal (dot) com [email concealed]>
Cc: forensics (at) securityfocus (dot) com [email concealed]
Subject: Re: Physically damaged SD card
Message-ID: <20070104194759.GB3167 (at) sentinelchicken (dot) org [email concealed]>
References: <20070102202953.30634.qmail (at) securityfocus (dot) com [email concealed]> <7.0.1.0.0.20070104102619.019b3568 (at) digital-legal (dot) com [email concealed]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <7.0.1.0.0.20070104102619.019b3568 (at) digital-legal (dot) com [email concealed]>
User-Agent: Mutt/1.5.13 (2006-08-11)

> I've tried several readers that I have available. Applying some
> physical pressure to close up the cracks seemed to help a bit at
> first. Typically, if I can get it to read, I can read some data, but
> then it un-mounts and either fails to read, or all data read contains zeros.

Are you saying you're mounting directly? I wouldn't recommend that.
Given that you can get a little bit of data off it it, at least, I'd
suggest taking a raw image of it and then trying to mount that. If
there isn't enough structure to mount the image, read it multiple times,
front to back, back to front, and see how far you get in the read before
it freaks out or gives all 0's. Combine the good-looking data and then
try running foremost or something similar to get your images off.

Good luck,
tim

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus