

#1 Le 20/05/2013, à 19:13

saelyx

Forensic USB - clé reconnue par lsusb non montable

Hello World !!!
Ça fait très longtemps que j'ai rien posté ici :-)

Alors voici un problème assez fun :-P

Le problème : j'ai une clé USB sur laquelle il y a des documents importants à récupérer.

Mes tests :

La clé USB est reconnue par lsusb :

Bus 001 Device 014: ID 1307:0163 Transcend Information, Inc. 256MB/512MB/1GB Flash Drive

Mais n'est pas visible par fdisk -l :

Disk /dev/sda: 32.2 GB, 32212254720 bytes
255 heads, 63 sectors/track, 3916 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0006ec84

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        3750    30113792   83  Linux
/dev/sda2            3750        3917     1340417    5  Extended
/dev/sda5            3750        3917     1340416   82  Linux swap / Solaris
~:0# dmesg

Et qui laisse ça dans le dmesg :

[50611.592433] usb 1-1: USB disconnect, device number 14
[50620.516901] usb 1-1: new high-speed USB device number 15 using ehci_hcd
[50621.417274] scsi6 : usb-storage 1-1:1.0
[50622.419902] scsi 6:0:0:0: Direct-Access     USBest   USB2FlashStorage 0.00 PQ: 0 ANSI: 2
[50622.425934] sd 6:0:0:0: Attached scsi generic sg2 type 0
[50622.429383] sd 6:0:0:0: [sdb] Attached SCSI removable disk

Si quelqu'un a une piste autre que d'envoyer ça à une entreprise spécialisée (et donc dépenser ~300€), je suis preneur !


-----BEGIN GEEK CODE BLOCK-----
GCS d- s+:+ a? C++ UL+++ P L++ E--- W+ N o-- K- w+ O-- M- V-
PS+ PE Y PGP t 5 X+ R- tv-- b+ DI- D++ G e-- h--- r+++ z+++
------END GEEK CODE BLOCK------


#2 Le 20/05/2013, à 19:50

saelyx

Re : Forensic USB - clé reconnue par lsusb non montable

Tests supplémentaires :

~:0,1# ls /dev/sdb*
/dev/sdb

~:0# ls -l /dev/sdb*  
brw-rw---- 1 root disk 8, 16 2013-05-20 20:39 /dev/sdb

~:0# fdisk /dev/sdb
Unable to open /dev/sdb

~:0,1# cat /dev/sdb > sdb
cat: /dev/sdb: No medium found

~:0,1# dd if=/dev/sdb of=sdb conv=sync,notrunc
dd: opening `/dev/sdb': No medium found

~:0,1# parted /dev/sdb                                         
Error: Error opening /dev/sdb: No medium found                            
Retry/Cancel? C                                                           

-----BEGIN GEEK CODE BLOCK-----
GCS d- s+:+ a? C++ UL+++ P L++ E--- W+ N o-- K- w+ O-- M- V-
PS+ PE Y PGP t 5 X+ R- tv-- b+ DI- D++ G e-- h--- r+++ z+++
------END GEEK CODE BLOCK------


#3 Le 20/05/2013, à 20:20

saelyx

Re : Forensic USB - clé reconnue par lsusb non montable

Avec ltrace :

~:0,1# ltrace fdisk /dev/sdb 
__libc_start_main(0x80516b0, 2, 0xbf80bd94, 0x805a0a0, 0x805a090 <unfinished ...>
setlocale(6, "")                                                                          = "en_US.UTF-8"
bindtextdomain("util-linux-ng", "/usr/share/locale")                                      = "/usr/share/locale"
textdomain("util-linux-ng")                                                               = "util-linux-ng"
getopt(2, 0xbf80bd94, "b:cC:hH:lsS:uvV")                                                  = -1
calloc(1, 2048)                                                                           = 0x081e00e0
open64("/dev/sdb", 0, 026731243354)                                                       = -1
__open64_2(0xbf80c785, 2, 0x8060028, 0, 0xb75e9760)                                       = -1
open64("/dev/sdb", 0, 01001400050)                                                        = -1
dcgettext(0, 0x805a33b, 5, 0xb771a4f4, 0xb771a7e2)                                        = 0x805a33b
__snprintf_chk(0xbf80b8cc, 800, 1, 800, 0x805a33b)                                        = 24
fputc('\n', 0xb773d580
)                                                                   = 10
fputs("Unable to open /dev/sdb\n", 0xb773d580Unable to open /dev/sdb
)                                            = 1
exit(1 <unfinished ...>
+++ exited (status 1) +++

Avec strace (les trois open() sur /dev/sdb échouent avec ENOMEDIUM, « No medium found ») :

~:0# strace fdisk /dev/sdb
execve("/sbin/fdisk", ["fdisk", "/dev/sdb"], [/* 32 vars */]) = 0
brk(0)                                  = 0x9d52000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76e7000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=83932, ...}) = 0
mmap2(NULL, 83932, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76d2000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libblkid.so.1", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`5\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=112768, ...}) = 0
mmap2(NULL, 115464, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb76b5000
mmap2(0xb76cf000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19) = 0xb76cf000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libuuid.so.1", O_RDONLY)     = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\20\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=14000, ...}) = 0
mmap2(NULL, 16592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb76b0000
mmap2(0xb76b3000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb76b3000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000m\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1430084, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76af000
mmap2(NULL, 1436072, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7550000
mmap2(0xb76a9000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x159) = 0xb76a9000
mmap2(0xb76ac000, 10664, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb76ac000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb754f000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb754f700, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb76a9000, 8192, PROT_READ)   = 0
mprotect(0xb76b3000, 4096, PROT_READ)   = 0
mprotect(0xb76cf000, 8192, PROT_READ)   = 0
mprotect(0x805f000, 4096, PROT_READ)    = 0
mprotect(0xb7705000, 4096, PROT_READ)   = 0
munmap(0xb76d2000, 83932)               = 0
brk(0)                                  = 0x9d52000
brk(0x9d73000)                          = 0x9d73000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=2570, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76e6000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2570
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb76e6000, 4096)                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=373, ...}) = 0
mmap2(NULL, 373, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76e6000
close(3)                                = 0
open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=26048, ...}) = 0
mmap2(NULL, 26048, PROT_READ, MAP_SHARED, 3, 0) = 0xb76df000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_MEASUREMENT", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_MEASUREMENT", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=23, ...}) = 0
mmap2(NULL, 23, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76de000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_TELEPHONE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_TELEPHONE", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
mmap2(NULL, 59, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76dd000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_ADDRESS", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_ADDRESS", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=155, ...}) = 0
mmap2(NULL, 155, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76dc000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_NAME", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_NAME", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=77, ...}) = 0
mmap2(NULL, 77, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76db000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_PAPER", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_PAPER", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=34, ...}) = 0
mmap2(NULL, 34, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76da000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_MESSAGES", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
close(3)                                = 0
open("/usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=57, ...}) = 0
mmap2(NULL, 57, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76d9000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_MONETARY", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_MONETARY", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=286, ...}) = 0
mmap2(NULL, 286, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76d8000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_COLLATE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_COLLATE", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1170770, ...}) = 0
mmap2(NULL, 1170770, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7431000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_TIME", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_TIME", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=2454, ...}) = 0
mmap2(NULL, 2454, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76d7000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_NUMERIC", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_NUMERIC", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=54, ...}) = 0
mmap2(NULL, 54, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76d6000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_CTYPE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_CTYPE", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=256324, ...}) = 0
mmap2(NULL, 256324, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb73f2000
close(3)                                = 0
open("/dev/sdb", O_RDONLY|O_LARGEFILE)  = -1 ENOMEDIUM (No medium found)
open("/dev/sdb", O_RDWR|O_LARGEFILE)    = -1 ENOMEDIUM (No medium found)
open("/dev/sdb", O_RDONLY|O_LARGEFILE)  = -1 ENOMEDIUM (No medium found)
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/util-linux-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/util-linux-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/util-linux-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/util-linux-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/util-linux-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/util-linux-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/en_US.UTF-8/LC_MESSAGES/util-linux-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/en_US.utf8/LC_MESSAGES/util-linux-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/en_US/LC_MESSAGES/util-linux-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/en.UTF-8/LC_MESSAGES/util-linux-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/en.utf8/LC_MESSAGES/util-linux-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/en/LC_MESSAGES/util-linux-ng.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "\n", 1
)                       = 1
write(2, "Unable to open /dev/sdb\n", 24Unable to open /dev/sdb
) = 24
exit_group(1)                           = ?

-----BEGIN GEEK CODE BLOCK-----
GCS d- s+:+ a? C++ UL+++ P L++ E--- W+ N o-- K- w+ O-- M- V-
PS+ PE Y PGP t 5 X+ R- tv-- b+ DI- D++ G e-- h--- r+++ z+++
------END GEEK CODE BLOCK------
