Example using a phone SIM card. In Windows, a file deleted from this type of flash media does not go into the Recycle Bin, so it is "lost" immediately, no?
The card is /dev/sdf1 in this case.
Let's look at it with some Linux tools...
# cfdisk /dev/sdf
cfdisk (util-linux-ng 2.13.1.1)
Disk Drive: /dev/sdf
Size: 249823232 bytes, 249 MB
Heads: 16 Sectors per Track: 32 Cylinders: 953
Name        Flags      Part Type  FS Type          [Label]        Size (MB)
                       Pri/Log    Free Space                           0.09 *
sdf1        Boot       Primary    FAT16            [      ]          249.48 *
                       Pri/Log    Free Space                           0.27
So it is formatted with FAT16 file system.
Let's look at the boot sector with fdisk...
# fdisk /dev/sdf
Command (m for help): m
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition's system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)
Command (m for help):
Type p for partition info...
Disk /dev/sdf: 249 MB, 249823232 bytes
16 heads, 32 sectors/track, 953 cylinders
Units = cylinders of 512 * 512 = 262144 bytes
Disk identifier: 0x00000000
   Device Boot      Start         End      Blocks   Id  System
/dev/sdf1   *           1         952      243630+   6  FAT16
Command (m for help):
Now type x, then d to show hex info:
The last 55 AA shows a FAT file system:
0x1A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 05
0x1C0: 04 00 06 0F E0 B7 A3 00 00 00 5D 6F 07 00 00 00
0x1D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 *55 AA*
Type Q to quit.
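The dump above can be decoded field by field. This added example (not part of the original walkthrough) parses the partition entry at offset 0x1BE, whose type byte 06 is what fdisk prints as FAT16, and checks the 55 AA signature at offset 0x1FE. The function names are illustrative, and the bytes below 0x1A0, which the dump does not show, are assumed to be zero.

```python
import struct

# Offsets 0x1A0-0x1FF of sector 0, copied from the fdisk "x" then "d" dump above.
MBR_TAIL_HEX = """
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 05
04 00 06 0F E0 B7 A3 00 00 00 5D 6F 07 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA
"""
TYPE_NAMES = {0x06: "FAT16", 0x83: "Linux"}  # only the two IDs seen on this page


def build_sector(tail_hex):
    """Rebuild 512-byte sector 0; bytes below 0x1A0 are not on the page, so zero-filled."""
    tail = bytes.fromhex("".join(tail_hex.split()))
    return bytes(512 - len(tail)) + tail


def chs(raw):
    """Unpack a 3-byte CHS address into (cylinder, head, sector)."""
    head, sec, cyl = raw
    return ((sec & 0xC0) << 2 | cyl, head, sec & 0x3F)


def parse_mbr(sector, sector_size=512):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector) != 512 or sector[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("no 55 AA boot signature at offset 0x1FE")
    parts = []
    for i in range(4):  # four 16-byte entries starting at 0x1BE
        entry = sector[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        flag, start, ptype, end, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:  # type 0x00 marks an unused slot
            continue
        parts.append({
            "slot": i + 1, "bootable": flag == 0x80, "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "other"),
            "chs_start": chs(start), "chs_end": chs(end),
            "lba_start": lba, "sectors": count, "bytes": count * sector_size,
        })
    return parts


if __name__ == "__main__":
    for part in parse_mbr(build_sector(MBR_TAIL_HEX)):
        print(part)
```

The decoded size, 487261 sectors of 512 bytes, is the 249.48 MB that cfdisk reported, and the zero-based end cylinder 951 corresponds to fdisk's End value of 952.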
Install TestDisk and DDrescue
# apt-get install testdisk ddrescue
I will zero the whole card so we know it is totally blank to start...
# dd_rescue /dev/zero /dev/sdf
dd_rescue /dev/zero /dev/sdf
dd_rescue: (info): ipos: 31744.0k, opos: 31744.0k, xferd: 31744.0k
errs: 0, errxfer: 0.0k, succxfer: 31744.0k
+curr.rate: 319778kB/s, avg.rate: 319778kB/s, avg.load: 80.6%
Once you see repeated info, press Ctrl-C to quit...
dd_rescue: (warning): /dev/sdf1 (92920448.0k): No space left on device
dd_rescue: (warning): assumption rd(65536) == wr(^Cvice!
dd_rescue: (fatal): Caught signal 2 "Interrupt". Exiting!
Now the partition should be blank...check what cfdisk says...
# cfdisk /dev/sdf
cfdisk (util-linux-ng 2.13.1.1)
Disk Drive: /dev/sdf
Size: 249823232 bytes, 249 MB
Heads: 8 Sectors per Track: 60 Cylinders: 1016
Name        Flags      Part Type  FS Type          [Label]        Size (MB)
---------
                       Pri/Log    Free Space                         249.70
YEP! It is blank...
OK, let's create a partition and give it FAT file system...
# fdisk /dev/sdf
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition's system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)
Command (m for help): n
Command action
e extended
p primary partition (1-4)
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1016, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-1016, default 1016):
Using default value 1016
Command (m for help):
p
Disk /dev/sdf: 249 MB, 249823232 bytes
8 heads, 60 sectors/track, 1016 cylinders
Units = cylinders of 480 * 512 = 245760 bytes
Disk identifier: 0x1d3b765e
   Device Boot      Start         End      Blocks   Id  System
/dev/sdf1               1        1016      243810   83  Linux
# mkfs.vfat /dev/sdf1
mkfs.vfat 3.0.1 (23 Nov 2008)
Looking at the card with Hexedit...
# apt-get install hexedit
# hexedit /dev/sdf1
00000000 EB 3C 90 6D 6B 64 6F 73 66 73 00 00 02 08 01 00 .<.mkdosfs......
00000010 02 00 02 00 00 F8 EE 00 20 00 10 00 00 00 00 00 ........ .......
00000020 5C 6F 07 00 00 00 29 D8 29 DF AF 20 20 20 20 20 \o....).)..
00000030 20 20 20 20 20 20 46 41 54 31 36 20 20 20 0E 1F       FAT16   ..
00000040 BE 5B 7C AC 22 C0 74 0B 56 B4 0E BB 07 00 CD 10 .[|.".t.V.......
00000050 5E EB F0 32 E4 CD 16 CD 19 EB FE 54 68 69 73 20 ^..2.......This
00000060 69 73 20 6E 6F 74 20 61 20 62 6F 6F 74 61 62 6C is not a bootabl
00000070 65 20 64 69 73 6B 2E 20 20 50 6C 65 61 73 65 20 e disk.  Please
00000080 69 6E 73 65 72 74 20 61 20 62 6F 6F 74 61 62 6C insert a bootabl
00000090 65 20 66 6C 6F 70 70 79 20 61 6E 64 0D 0A 70 72 e floppy and..pr
000000A0 65 73 73 20 61 6E 79 20 6B 65 79 20 74 6F 20 74 ess any key to t
000000B0 72 79 20 61 67 61 69 6E 20 2E 2E 2E 20 0D 0A 00 ry again ... ...
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Press Ctrl-C to quit the program...
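The first four rows of the hexedit dump hold the FAT boot sector's BIOS Parameter Block. This added example (not part of the original walkthrough; function and key names are illustrative) decodes it and works out where the FATs, the root directory and the data area start on /dev/sdf1. The root directory is where the entries for files stored at the top level of the card live.

```python
import struct

# First 0x40 bytes of /dev/sdf1, copied from the hexedit dump above.
BOOT = bytes.fromhex("".join("""
EB 3C 90 6D 6B 64 6F 73 66 73 00 00 02 08 01 00
02 00 02 00 00 F8 EE 00 20 00 10 00 00 00 00 00
5C 6F 07 00 00 00 29 D8 29 DF AF 20 20 20 20 20
20 20 20 20 20 20 46 41 54 31 36 20 20 20 0E 1F
""".split()))


def parse_bpb(boot):
    """Decode the BIOS Parameter Block of a FAT12/FAT16 boot sector."""
    (bps, spc, reserved, nfats, root_entries, total16, media, fat_size,
     _spt, _heads, _hidden, total32) = struct.unpack_from("<HBHBHHBHHHII", boot, 0x0B)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or nfats == 0 or fat_size == 0:
        raise ValueError("not a plausible FAT12/FAT16 boot sector")
    return {
        "oem": boot[3:11].rstrip(b"\x00 ").decode("ascii", "replace"),
        "fs_string": boot[0x36:0x3E].decode("ascii", "replace").strip(),
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "fats": nfats,
        "root_entries": root_entries, "media": media,
        "sectors_per_fat": fat_size,
        "total_sectors": total16 or total32,  # the 16-bit field is 0 on larger volumes
    }


def layout(bpb):
    """Compute where the FATs, root directory and data area start (in sectors)."""
    bps = bpb["bytes_per_sector"]
    root_start = bpb["reserved_sectors"] + bpb["fats"] * bpb["sectors_per_fat"]
    root_sectors = (bpb["root_entries"] * 32 + bps - 1) // bps  # 32-byte entries
    data_start = root_start + root_sectors
    clusters = (bpb["total_sectors"] - data_start) // bpb["sectors_per_cluster"]
    # The cluster count, not the "FAT16" text at 0x36, decides the FAT variant.
    kind = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"fat_start": bpb["reserved_sectors"], "root_start": root_start,
            "root_byte_offset": root_start * bps, "data_start": data_start,
            "clusters": clusters, "fat_type": kind}


if __name__ == "__main__":
    info = parse_bpb(BOOT)
    print(info)
    print(layout(info))
```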
Mount the card in a test directory and put some test files on it....
# mount /dev/sdf1 /mstest
I have already used these commands, so I can recall them from the command history to save retyping them...
# history | grep cp
581 cp -vr /College/ReportWriting/front\ cover.doc /mstest/
582 cp -vr /College/ReportWriting/ReportTemplate.doc /mstest/
# !581; !582
cp -vr /College/ReportWriting/front\ cover.doc /mstest/; cp -vr /College/ReportWriting/ReportTemplate.doc /mstest/
`/College/ReportWriting/front cover.doc' -> `/mstest/front cover.doc'
`/College/ReportWriting/ReportTemplate.doc' -> `/mstest/ReportTemplate.doc'
# ls /mstest
front cover.doc ReportTemplate.doc
To see if file recovered is identical...
# shasum /mstest/* > /mstest/hashes.txt
# ls /mstest/
front cover.doc hashes.txt ReportTemplate.doc
# cat /mstest/hashes.txt
3846af692dfbdee3dbc88f7a6b78c6d79cde07c7 /mstest/front cover.doc
5ccd582e7ec047b0f79aa7efc864dc09b4a31089 /mstest/ReportTemplate.doc
Now to "accidentally" delete a file...
# rm -v /mstest/front\ cover.doc
removed `/mstest/front cover.doc'
# ls /mstest/
hashes.txt ReportTemplate.doc
Now, front\ cover.doc is missing.
Now to recover the lost file using TestDisk....
NOTE! Choose the whole disk, NOT the partition...
Unmount the card first, otherwise TestDisk won't find the partition!!!
# umount /mstest
# testdisk /dev/sdf
TestDisk 6.11, Data Recovery Utility, April 2009
Christophe GRENIER <grenier@cgsecurity.org>
TestDisk is free software, and
comes with ABSOLUTELY NO WARRANTY.
Select a media (use Arrow keys, then press Enter):
*Disk /dev/sdf - 249 MB / 238 MiB - Generic USB MS Reader*
[Proceed ] [ Quit ]
Disk /dev/sdf - 249 MB / 238 MiB - CHS 1016 8 60
Partition Start End Size in sectors
*1 P FAT16 >32M 0 1 1 1015 7 60 487620*
[ Type ] [ Boot ] [Image Creation] *[Undelete]* [ Quit ]
*1 P FAT16 >32M 0 1 1 1015 7 60 487620*
Directory /
*-rwxr-xr-x 0 0 19456 14-May-2012 00:23 front cover.doc*
-rwxr-xr-x 0 0 36352 14-May-2012 00:23 ReportTemplate.doc
-rwxr-xr-x 0 0 135 14-May-2012 00:24 hashes.txt
Use Right arrow to change directory, *c* to copy, h to hide deleted files, q to quit
Are you sure you want to copy /front cover.doc to the directory / ? [Y/*N*]
To select another directory, use the arrow keys.
drwxr-xr-x 0 0 4096 14-May-2012 00:19 .
drwxr-xr-x 0 0 4096 14-May-2012 00:19 ..
drwx------ 1000 0 4096 26-Jun-2010 14:39 College
drwxr-xr-x 0 0 4096 5-Oct-2009 20:41 Files
drwxr-xr-x 0 0 4096 13-May-2012 19:31 bin
drwxr-xr-x 0 0 4096 7-May-2012 13:29 black......
*drwxrwxrwt 0 0 4096 14-May-2012 00:02 tmp*
drwxr-xr-x 0 0 4096 30-Aug-2008 16:37 usr
drwxr-xr-x 0 0 4096 20-Feb-2010 22:50 var
Are you sure you want to copy /front cover.doc to the directory /tmp ? [*Y*/N]
1 P FAT16 >32M 0 1 1 1015 7 60 487620
Directory /
*Copy done!*
-rwxr-xr-x 0 0 *19456* 14-May-2012 00:23 front cover.doc
-rwxr-xr-x 0 0 36352 14-May-2012 00:23 ReportTemplate.doc
-rwxr-xr-x 0 0 135 14-May-2012 00:24 hashes.txt
Now check the recovered file size and checksum in the /tmp directory...
# ls -ls /tmp/front\ cover.doc
20 -rw-r--r-- 1 root root *19456* 2012-05-14 00:23 /tmp/front cover.doc
# shasum /tmp/front\ cover.doc
3846af692dfbdee3dbc88f7a6b78c6d79cde07c7 /tmp/front cover.doc
Compare with the value recorded earlier in hashes.txt...
3846af692dfbdee3dbc88f7a6b78c6d79cde07c7 /mstest/front cover.doc
As the checksum is the same, the file size has to be the same by definition!
Cool huh?
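The comparison above was done by eye. This added example (not part of the original walkthrough; function names are illustrative) checks recovered files against the hashes.txt manifest automatically. Because the recovered copy lands in /tmp rather than /mstest, files are matched by name, and SHA-1 is used because that is what the shasum call above produced.

```python
import hashlib
import os
import sys

# Contents of /mstest/hashes.txt as shown above (shasum output).
MANIFEST = """\
3846af692dfbdee3dbc88f7a6b78c6d79cde07c7  /mstest/front cover.doc
5ccd582e7ec047b0f79aa7efc864dc09b4a31089  /mstest/ReportTemplate.doc
"""


def parse_manifest(text):
    """Map file name -> SHA-1 hex digest from shasum lines ('<hex> <mode><path>')."""
    wanted = {}
    for line in text.splitlines():
        digest, _, path = line.strip().partition(" ")
        if not path:
            continue  # blank or malformed line
        if path[0] in " *":  # mode character: ' ' text, '*' binary
            path = path[1:]
        wanted[os.path.basename(path)] = digest.lower()
    return wanted


def sha1_of(path, chunk=1 << 20):
    """Hash a file in chunks so large recovered files need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_recovered(manifest_text, recovered_paths):
    """Return {path: verdict}; files are matched to the manifest by name only."""
    wanted = parse_manifest(manifest_text)
    result = {}
    for path in recovered_paths:
        expected = wanted.get(os.path.basename(path))
        if expected is None:
            result[path] = "NOT IN MANIFEST"
        elif not os.path.isfile(path):
            result[path] = "MISSING"
        else:
            result[path] = "OK" if sha1_of(path) == expected else "MISMATCH"
    return result


if __name__ == "__main__":
    for path, verdict in verify_recovered(MANIFEST, sys.argv[1:]).items():
        print(f"{verdict:16}{path}")
```

Run it with the recovered paths as arguments, for example "/tmp/front cover.doc".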