Encrypted USB Stick
hli33
19th March 2008, 11:18
Dear Alexey,
I just bought your software (ZAR) after the trial version really persuaded me - it was the one among many that really could recover my files.
But unfortunately, with recovering the files I'm not done - I have a bit of a special case indeed. So I hope you may help me with your knowledge.
I've got a Kingston Data Traveler Secure USB stick with 128-bit AES hardware encryption. On the stick, there are two partitions (or at least I think they are) - an unencrypted one and an encrypted one. If you plug in the stick under Windows, only the unencrypted one is shown - now you have to run a program from there, and after entering a PW, the encrypted one is being shown.
Now my stick crashed while I was staying within the encrypted partition and (so I suspect) lost its partition table. If I plug in the stick now, it is recognized by Windows indeed, but I can't access it ("file or directory is corrupted"). The mmc Disk Management snap-in shows the partition size correctly, but with no file system on it. As already named, ZAR managed to rescue all my data from the stick - so I think the "core structure" is OK. But I couldn't manage to repair the partition table (tried many tools) - and I fear that I won't have any chance to get into the encrypted partition again if I just format the stick (e.g. the part of it that is shown to Windows).
Do you have any idea what I could try furthermore? Unfortunately, I don't know how the encryption thing is made exactly - I just know it's quite secure (Data erase after entering the false PW 10 times, changing the partition size only with formatting the stick etc.).
I know my post doesn't directly concern your program - but I would be very glad to get an answer from you anyway.
Kind regards,
Dominik
Alexey V. Gubin
19th March 2008, 12:37
Could you please get a Disk Manager screenshot as it is now?
Open Disk Management, press Alt+PrintScreen, paste into whatever graphics program you use, save GIF, post here.
Alexey V. Gubin
19th March 2008, 12:53
After some thinking there is a little more I want you to do.
First of all, tell me what is the total size of the stick?
Then,
Install the latest ZAR from http://www.z-a-recovery.com/zar-83-030.exe
Start it, click Next, pick "Recover simple volume" and click Next again. You thus arrive at the physical disk selection.
Right click your stick, select "Open disk viewer".
In disk viewer select on the menu "Disk Viewer" -- "Copy to clipboard".
Paste what it gives here. This should be the dump of the partition table, or whatever left of it.
Close everything.
hli33
19th March 2008, 13:52
Dear Alexey,
Thank you very much for your fast response!
The total size of the stick is 4 GB (so the label says), I know that there is a round 3 GB encrypted part and the 731 MB non-encrypted part which I still can see.
The disk manager view:
http://imageupper.com/s08/1/10/S2059631021611433_1.gif
It takes some time until this information is shown ("Connecting to Logical Disk Manager Service" / "Loading disk configuration information"), definitively longer than normal.
Here the information of ZAR's disk viewer (didn't know it offers such a function at all - the program pleases me the longer the more :) ):
0105 - Kingston DT Secure
1 sector(s) at LBA 0 as Partition table
No virtual volume defined
Boot sector signature AA55 Valid
Loader code Nonzero data
Partition table entry #1 * Linked to LBA 8
Filesystem type 06 Large FAT16
Relative sectors 8 * Linked to LBA 8
Size 1497847 731 MB
Bootable 80 Yes
Partition table entry #2
Filesystem type 00 Unknown
Relative sectors 0
Size 0 0 B
Bootable 00 No
Partition table entry #3
Filesystem type 00 Unknown
Relative sectors 0
Size 0 0 B
Bootable 00 No
Partition table entry #4
Filesystem type 00 Unknown
Relative sectors 0
Size 0 0 B
Bootable 00 No
The first entry is correct IMHO - even if I think the stick was rather formatted FAT32 than FAT16. But I really don't know what's with the three empty entries... maybe one of them is changed into a valid entry after the launch of the decryption program (see my initial post).
Again, Thank you very much for helping me!
Yours,
Dominik
Alexey V. Gubin
19th March 2008, 15:07
Okay I really wonder what do we do now.
Regardless of what we try, we need an image of the entire card before we start doing changes.
An obvious idea is to format the partition as it was, and place the recovered files back onto the volume, then see if it works. Somehow I do not feel like doing it, yet.
So we still go and examine the volume further, in hope we can somehow resurrect it without format. The partition table looks fine, so the boot sector(s) must be broken. We are now looking to confirm this fact, and to check status on the backup boot. Based on the partition table, sector 8 should contain the boot sector of the volume, and sector 14 is the most likely place where the backup of that boot sector is stored.
Get back to the viewer,
We need to get a dump of sector number 8. Press Ctrl+G. In a "go to" field, type in "8" (w/o quotes), click OK. Now three things are possible.
It will tell you "no structured data in raw view", and the binary data (left side) is all zeros.
The binary data is not zeros but still "no structured data". In this case select "View mode" -- "FAT32 boot sector", then copy&paste.
The mode is automatically selected as "FAT32 boot sector". Copy&paste that then.
Press Ctrl+G again, then repeat the above procedure with sector 14.
hli33
21st March 2008, 10:36
Dear Alexey,
At sector 8, everything looks OK, it shows the boot sector without manual selection:
0105 - Kingston DT Secure
1 sector(s) at LBA 8 as FAT32 boot sector
No virtual volume defined
Boot sector signature 0xAA55 Valid
System ID FAT32 Valid
Bytes per sector 512
Sectors per cluster (CF) 8
Legacy parameters
Media descriptor byte 248
Sectors per track 8
Number of heads 4
Big number of sectors 6385911 3118 MB
Number of FAT copies 2
Reserved sectors 32
Big sectors per FAT 6225
Max entries in the root directory 0
Root directory at LCN 2
Backup boot sector at LBA 14 * Linked to LBA 14
1st FAT at LBA 40 * Linked to LBA 40
2nd FAT at LBA 6265 * Linked to LBA 6265
Root directory at LBA 12490 * Linked to LBA 12490
Data area starts at LBA 12490 * Linked to LBA 12490
What I ask myself, is it normal that the boot sector is FAT32 when the rest of the partition is formatted FAT16?
At sector 14, it showed me only some strange data, so I changed the view manually to "FAT32 boot sector":
0105 - Kingston DT Secure
1 sector(s) at LBA 14 as FAT32 boot sector
No virtual volume defined
Boot sector signature 0x0600 Invalid
System ID *+,- Invalid
Bytes per sector 1797
Sectors per cluster (CF) 5
Legacy parameters
Media descriptor byte 5
Sectors per track 1293
Number of heads 1294
Big number of sectors 85067025 41536 MB
Number of FAT copies 9
Reserved sectors 1288
Big sectors per FAT 85198099
Max entries in the root directory 2565
Root directory at LCN 85460247
Backup boot sector at LBA 1320 * Linked to LBA 1320
1st FAT at LBA 1302 * Linked to LBA 1302
2nd FAT at LBA 85199401 * Linked to LBA 85199401
Root directory at LBA 597698725 * Linked to LBA 597698725
Data area starts at LBA 170397500 * Linked to LBA 170397500
Is it a problem when the original boot sector is OK but its backup is invalid?
Yours,
Dominik
Alexey V. Gubin
21st March 2008, 13:05
The filesystem is (was) FAT32 by the looks of it. Now please repeat the same procedure for a sector 12490? The correct format should be "FAT directory entry". This should be a root directory of a volume.
Alexey V. Gubin
21st March 2008, 13:07
Ah, I stand corrected. The filesystem entry in the partition table is FAT16. However, the boot sector is FAT32, with no backup.
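The cross-check the posts above perform by eye in the disk viewer, as an added example that is not part of any post in this thread: it parses the partition table and the FAT32 boot sector, derives the FAT and data-area LBAs, and lists where the structures disagree. The function names are hypothetical, and the sectors are constructed from the values posted above rather than read from a real device.

```python
import struct
FAT16_TYPES = {0x04, 0x06, 0x0E}  # MBR type bytes that claim FAT16

def parse_mbr(sec):
    """Return the non-empty primary partition entries of an MBR sector."""
    if sec[510:512] != b"\x55\xaa":
        raise ValueError("no 0xAA55 signature")
    raw = [struct.unpack_from("<B3xB3xII", sec, 446 + 16 * i) for i in range(4)]
    return [{"type": t, "start": s, "size": n, "boot": b == 0x80}
            for b, t, s, n in raw if t or n]

def parse_fat32_boot(sec, lba):
    """FAT32 BPB fields plus the absolute LBAs derived from them."""
    reserved, nfats = struct.unpack_from("<HB", sec, 14)
    total, fat_size = struct.unpack_from("<II", sec, 32)
    backup, = struct.unpack_from("<H", sec, 50)
    fat1 = lba + reserved
    return {"valid": sec[510:512] == b"\x55\xaa" and sec[82:87] == b"FAT32",
            "total": total, "fat1": fat1, "fat2": fat1 + fat_size,
            "data": fat1 + nfats * fat_size, "backup": lba + backup}

def cross_check(part, boot, backup_sec):
    """List the points where partition entry, boot sector and backup disagree."""
    found = []
    if boot["valid"] and part["type"] in FAT16_TYPES:
        found.append("type byte says FAT16, boot sector says FAT32")
    if boot["total"] != part["size"]:
        found.append("boot sector spans %d sectors, entry %d" % (boot["total"], part["size"]))
    if not parse_fat32_boot(backup_sec, boot["backup"])["valid"]:
        found.append("no valid backup boot sector at LBA %d" % boot["backup"])
    return found

def sample_sectors():
    """Constructed sectors carrying the values posted in this thread."""
    mbr, boot = bytearray(512), bytearray(512)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x06, 8, 1497847)
    struct.pack_into("<HBHB", boot, 11, 512, 8, 32, 2)
    struct.pack_into("<IIHHIHH", boot, 32, 6385911, 6225, 0, 0, 2, 1, 6)
    boot[82:90] = b"FAT32   "
    mbr[510:512] = boot[510:512] = b"\x55\xaa"
    return bytes(mbr), bytes(boot), bytes(range(256)) * 2  # last: non-boot data

if __name__ == "__main__":
    mbr, boot_sec, junk = sample_sectors()
    part = parse_mbr(mbr)[0]
    boot = parse_fat32_boot(boot_sec, part["start"])
    print(boot, *cross_check(part, boot, junk), sep="\n")
```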
hli33
21st March 2008, 14:10
Dear Alexey,
I repeated the procedure for sector 12490. If I set the view mode to "FAT directory entry", disk viewer just states "Invalid directory entry" (16 times). When set to "FAT16 table", that's what I get:
0105 - Kingston DT Secure
1 sector(s) at LBA 12490 as FAT16 table
No virtual volume defined
Yours,
Dominik
Alexey V. Gubin
21st March 2008, 15:10
How much more time can we put into this? I'm about to go shopping for the sample stick, but it is not likely there is one in stock at a local dealer. So I have to wait till the shipment arrives. What is the exact model?
hli33
22nd March 2008, 01:55
Dear Alexey,
From the time aspect it's absolutely no problem - I've been trying to get the data back for over a month, so I really don't need it urgently.
But you don't have to spend money just for solving my problem! I knew the stick was quite expensive when I bought it back in last year, but it seems the price has decreased a little bit. The exact model is "Kingston Data Traveler Secure 4GB (DTS/4GB)", $120 at Amazon. But please, buy the stick only if you really want it, and not just for helping me. That really wouldn't be worth it.
Yours,
Dominik
Alexey V. Gubin
22nd March 2008, 02:15
We would obviously find the use for it once we are done. Provided that there would be something still left to use :) Such a thing actually happens every once in a while, that we go to buy things just for testing purposes, and then try to find a use for them (and I take USB flash over the RAID controller any day :)).
Alexey V. Gubin
22nd March 2008, 14:26
So I got myself a sample, albeit a 2GB one. That's a summary of the findings so far:
If you have privacy off, the entire capacity is available as a FAT32 volume.
If you turn privacy on, then a "plain" part is available as a FAT16 volume and "encrypted" part is available as FAT32.
However, I converted both of the volumes to NTFS and it still worked fine.
There is a program stored on a card, "mydatazone.exe", in an unprotected part. If you copy it to the hard disk, it complains like "run from USB drive only". So I put it on some JetFlash USB and it complained something funny like "This DataTraveler device does not support encryption".
If I format the unencrypted drive, nothing of real interest happens. The unencrypted part is recoverable, and if I place the program back to it, the encrypted part is regained. However, I still do not see how to get around to read the raw encrypted data. That may be not possible. Although we probably do not need it anyway.
So I got a couple of questions
What was the overall quality of the recovery of the unencrypted part?
The device looks like this, http://www.kingston.com/support/USBFLASHDRIVES/dt_secure.asp?
hli33
23rd March 2008, 00:40
Dear Alexey,
wow, that was really quick! Yes, my stick is exactly the same model (of course, in 4GB).
My recovery result is almost 100%, even the files which the log states as "FAIL" were correctly recovered. Just some Firefox system files are empty (even though they're not 0KB), but I'm not sure if they haven't been deleted before.
If I point your test results correctly, I could risk it now to format the unencrypted partition, copy "mydatazone.exe" back and try to get into the encrypted part again?
Again, thank you very much for your great help!
Yours,
Dominik
Alexey V. Gubin
23rd March 2008, 08:43
> If I point your test results correctly, I could risk it now to format the unencrypted partition, copy "mydatazone.exe" back and try to get into the encrypted part again?
Not yet. I'll be probably posting the exact instructions "later today" (depending on what timezone you are in), I'd say six hours from now.
Alexey V. Gubin
23rd March 2008, 13:53
Now the problem is that as long as the stick functions properly, you do not see both "plain" and "encrypted" space at the same time. Which in your case does not hold.
Get Zlon at http://www.z-a-recovery.com/download.htm. Go with the trial version - it will do.
Run it, "Disk to file", "Physical disk" and select your flash.
Put in whatever file name, no compression, no splitting and take an image. Remember you need to put an image onto an NTFS volume.
Important: verify that the image file is 4GB in size. Or close to that. Do not continue unless you are sure the size is correct.
Then, format the drive. Put the program back on it and run, and that's it.
hli33
24th March 2008, 00:42
Dear Alexey,
unfortunately, the image taken by Zlon is always just 731MB in size.
Yours,
Dominik
Alexey V. Gubin
24th March 2008, 01:47
Even better than I thought. You can get
4GB - full image, meaning hardware forgot what the encrypted part is
2GB - malfunction
731 MB - image of an unencrypted part, meaning hardware still remembers what part is encrypted and which one is not.
Anyway there is nothing left I can think of. So go ahead and format.
hli33
27th March 2008, 11:17
Dear Alexey,
Sorry for the late answer, but...
it worked :D
I just formatted the unencrypted part, put the data back and launched MyDataZone.exe - and there was my data again!
Thank you very very much for the time and the effort you put in my problem. I'd like to give you a donation for your help, do you have a PayPal account?
Yours,
a happy Dominik
Alexey V. Gubin
27th March 2008, 14:29
OK that's fine :)