How can I get photorec to search the whole file for the provided signature?
I need to recover a lost file using a signature I already know. My problem is it could appear anywhere inside the file.
Can photorec be instructed to look the entire file for the signature provided? Is there a wildcard or way to achieve this function?
wildcard for custom signature?
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
-
- Posts: 2735
- Joined: 04 Jan 2019, 09:48
- Location: Hannover, Deutschland (Germany, Allemagne)
Re: wildcard for custom signature?
Photorec is using the signature to determine the beginning of the file and will end a file once the next signature appears.
Use a hex editor to search for a specific byte sequence anywhere on the disc.
Use a hex editor to search for a specific byte sequence anywhere on the disc.
Re: wildcard for custom signature?
Hi, recovery
Thanks for your response, I didn't think about that. I will make a copy of the disk and proceed that way.
I know .photorec.sig file has a format of "[extension] [offset] [signature]", can you teach me how to define a begining signature and a end one?
EDIT:
I found this example in docs:
pfi 0 "PhotoFiltre", 0x20, "Image"
Perhaps this would serve my purpose, but documentation does not explain any further. Could you please explain what is happening in that example?
Thank in advance
Thanks for your response, I didn't think about that. I will make a copy of the disk and proceed that way.
I know .photorec.sig file has a format of "[extension] [offset] [signature]", can you teach me how to define a begining signature and a end one?
EDIT:
I found this example in docs:
pfi 0 "PhotoFiltre", 0x20, "Image"
Perhaps this would serve my purpose, but documentation does not explain any further. Could you please explain what is happening in that example?
Thank in advance
-
- Posts: 2735
- Joined: 04 Jan 2019, 09:48
- Location: Hannover, Deutschland (Germany, Allemagne)
Re: wildcard for custom signature?
Please reread my previous answer!
Of course not, because you are talking about a file signature that could be located anywhere in your file. Signatures are typically located at the beginning of a file, maybe also at the end because that location enables the associated software a quick verification if the software is able to process the content of the file.
EDIT:
I found this example in docs:
pfi 0 "PhotoFiltre", 0x20, "Image"
Perhaps this would serve my purpose,
Photorec requires a fixed position for manual signatures. This way there is no need to search the signature byte-wise at every possible position inside the hard drive which would not provide any advantage over searching strings with a hex editor.
If Photorec finds the string ""PhotoFiltre Image" at a location in the selected partition which could be the beginning of a file (0) start a file extraction from there and give it the extension "pfi".but documentation does not explain any further. Could you please explain what is happening in that example?
Re: wildcard for custom signature?
Thanks for your answer, recovery
I'm sorry I didn't explain myself appropriately here:
Perhaps I didn't understand and that is not possible.
Anyways, I have one last question, please
pfi 0 "PhotoFiltre", 0x20, "Image"
I Understand that
I'm sorry I didn't explain myself appropriately here:
What I wanted to ask you for was a written example of defining both a beginning signature and an ending signature to search for, please.I know .photorec.sig file has a format of "[extension] [offset] [signature]", can you teach me how to define a beginning signature and a end one?
Perhaps I didn't understand and that is not possible.
Anyways, I have one last question, please
pfi 0 "PhotoFiltre", 0x20, "Image"
I Understand that
looks for "PhotoFiltre" at 0. Is the other halfpfi 0 "PhotoFiltre"
looking for "Image" at 0x20?0x20, "Image"
-
- Posts: 2735
- Joined: 04 Jan 2019, 09:48
- Location: Hannover, Deutschland (Germany, Allemagne)
Re: wildcard for custom signature?
You are confusing me. You are talking about a signature anywhere in a file. This is most probably not a signature. Please specify the file type and the signature you want to rescue as your statements are on meta level and it appears that you don't understand my answer and we need to be more specific.alvaro wrote: ↑12 Aug 2021, 03:22 How can I get photorec to search the whole file for the provided signature?
I need to recover a lost file using a signature I already know. My problem is it could appear anywhere inside the file.
Can photorec be instructed to look the entire file for the signature provided? Is there a wildcard or way to achieve this function?
I already told you above:
There is no option for individual fingerprints at the end of a file because that either never exists or is already taken care of within the Photorec software for the most common file types.Photorec is using the signature to determine the beginning of the file and will end a file once the next signature appears.
Use a hex editor to search for a specific byte sequence anywhere on the disc.
Again, you expect the drive to be like
First sector - be beb e b e bebeb e -last sector
where "b" denotes beginning of a file and "e" denotes the end of a file.
The reality is more like
First sector - b6 b2 b1 b2 b5 b3b3 -last sector
where bx denotes the fingerprint of the beginning of a file and b1,b2,b3,b5 and b6 are various fingerprints of a couple of file types.
There is no end fingerprint available for you to define!
Photorec finalizes a file once it finds another starting fingerprint (as I already explained you above) and not any type of "end fingerprint".
You said:
Yes, both statements of you are correct.Perhaps I didn't understand and that is not possible.
You said:
Definitively not.I Understand that
pfi 0 "PhotoFiltre"
looks for "PhotoFiltre" at 0. Is the other half
0x20, "Image"
looking for "Image" at 0x20?
The manual states on page 44:
The signature can be written as
pfi 0 "PhotoFiltre Image"
or
pfi 0 "PhotoFiltre", 0x20, "Image"
0x20 is the hexadecimal representation of the decimal figure 32.
If you look up an ASCII table you learn that the space symbol " " is coded as 32.
pfi 0 "PhotoFiltre", 0x20, "Image"
only shows you how to incorporate special byte values into plain text.
If your fingerprint would contain the byte 128 (decimal) which corresponds to 0x80 (hexadecimal) you would be able to build it into the fingerprint without having to search a symbol on your keyboard that generates the number 128. Furthermore, there are different standards beyond symbol 127 how to use the remaining 128 possible symbols.
Did you read the manual?
The manual clearly states:
=> 1 name, 1 position and one signature string!The file must contain one signature definition per line.
A signature is composed of
• extension name
• offset of the signature
• signature or magic value
There is no complex definition containing multiple string at multiple locations. The way it is defined it could not be easier.
For more complex structures you would either need to program that yourself, extend Photorec or deliver sufficient satisfactory information so that Christophe Grenier will program that in a future version.
Sufficient satisfactory information means a couple of file samples to enable him to find the common denominator - the fingerprint!
Re: wildcard for custom signature?
You are right I need to be more specific.
I understand photorec already looks for this type of file, but I wanted to also search for the string 'ckey! that is found inside bitcoin wallets.
I'm trying to recover a bitcoin wallet from a formatted hard drive, filetype is Berkeley DB.Please specify the file type and the signature you want to rescue as your statements are on meta level and it appears that you don't understand my answer and we need to be more specific.
I understand photorec already looks for this type of file, but I wanted to also search for the string 'ckey! that is found inside bitcoin wallets.
-
- Posts: 2735
- Joined: 04 Jan 2019, 09:48
- Location: Hannover, Deutschland (Germany, Allemagne)
Re: wildcard for custom signature?
As your keyword seems to be located anywhere in your file it does not qualify as a signature. => Photorec can't help you further.
Use a hex editor to search strings.
Use a hex editor to search strings.