This is a quick write up after some initial research into occurrence of sectors that start with the string USBC or 0x55534243. These are common cause for data loss and can be hard to recover from. I think I see why data recovery software is often unsuccessful as these sectors appear to be ‘inserted’ causing sector that follow to shift one LBA.
If these inserts happen near a boot sector or a inside directory entry they may be noticed quite easily. All of a sudden a file called USBC appears with erroneous file size while other files disappeared. In many online guides and forums the issue is mistaken for a virus, which it is most definitely not.
Edit Nov 2021: Quick recipe for correcting/patching the issue:
The observed shift only affects the number of sectors written by the command. To patch the drive or disk image
- Decode the USBC sector.
- Determine number of sectors the command was writing (n)(offset 22, WORD value, MSB first).
- Assuming n = 8, shift sector 2 – 8 (one based) up one LBA.
- Fill last sector in block with zeros.
SECTOR 1 (was 2)
SECTOR 2 (was 3)
SECTOR 3 …
ZERO FILLED SECTOR
‘USBC’ file or sector
I have seen this on multiple occasions and have been looking for a solution for years. I think I have one now. If you actually look at the USBC sector you’ll find you can decode it as a USB command block. And also that these sector cause following sectors to shift.
Here’s an example I have which is interesting for more than one reason, which I will explain in a minute:
- We see the USBC sector plus an NTFS boot sector. If we decode the NTFS boot sector you’ll learn that it ‘thinks’ it is at LBA 63 (0x3F) while it is in fact at LBA 64.
- The USBC sector can be decoded as USB command block!
In my case it would decode to something like “write 16 (10h) sectors starting with LBA 63 (3Fh)” (2Ah is write command).
So, my analysis is, for some reason (no idea really) the USB command block ends up being written to the drive, but more importantly, it ‘shifts’ data following it by one LBA sector. So the USBC sector is inserted rather than overwriting a sector.
Can USBC sectors that go unnoticed explain unsolvable cases?
On this same drive I found several other ‘USBC’ sectors that all resulted in sector shift. If these occur in visible places, like in my example very close to the boot sector or in OP example in a directory we actually notice then. However these sectors may also occur inside user data (we only would discover it by opening the file in a hex editor) or perhaps in unallocated disk space. I guess USBC cases, sometimes it’s assumed they’re result of a virus, we can find on the internet, may be a tip of the iceberg. Perhaps some cases that are deemed unrecoverable are in fact caused by this very issue.
I need to revise strike-through text:
Possible solutions A data recovery technician should determine if sector shift can be observed. Solution may depend on where the USBC sector(s) is/are. If a single occurrence like in above screenshot the NTFS boot sector can be patched. If there are multiple USBC sectors, also in unallocated space for example any solution file recovery software computes for file system offset will be invalid after the USBC sector.
File recovery software File recovery software could try to detect all ‘USBC’ sector and account for each sector shift. These shifts have consequences depending on where they occur as in a file system data is addressed by cluster numbers versus a certain offset. This explains why the file system fails, but also why file recovery software fails. Both fail for the exact same reason. To properly address clusters we need to take the shifts into account: n = number of USBC sectors inserted prior to current cluster. fs_ofs = file system offset (LBA address) cl_factor = sectors per cluster Cluster to LBA conversion should be LBA = fs_ofs + (cluster * cl_factor) + n
Only one occurrence! We can scan drive for number of occurrences. If limited to one then in above example we could patch the NTFS boot sector to update the value for hidden sectors from 63 to 64.
Probably simplest method.. An easier way of dealing with the issue I found is imaging the drive and simply skip all ‘USBC sectors’, all following sectors will automatically ‘shift back’. Advantage of that is that all file recovery software that is capable of working with dd type disk images can be used to recover data. I’ll soon release a version JpegDigger with some provisional methods to detect USBC sectors and image drives affected by the issue.
If however file system reconstruction is of no concern a sector aligned RAW scan should have no issues recovering files either.
A few months later (Sept 21, 2021)
I finally received a full disk image of an SD Card with the issue! I have done various experiments using different data recovery tools and finally manually patched the ‘USBC sectors’. I’ll document it later and I also intend to update the JpegDigger disk imager so it handles these USBC sectors while imaging. This way you can either image the drive directly or an image of the drive that would result in a disk image data can be recovered from.