Recovering ZIP files with 100 bytes offset...

DarkSider
Posts: 2
Joined: 29 Mar 2016, 01:24

Recovering ZIP files with 100 bytes offset...

#1 Post by DarkSider »

Hello,

I need to carve several ZIP-Files from unallocated space (was ext3). Unfortunately those files are fragmented and traditional methods like extundelete fail due to the amount of deleted files.

However, with this recovery comes a twist. The specific storage system stores 100 bytes of metadata in front of the actual PK-Header. This affects only the very first cluster of each file/zip-archive.

I think I need one or two source code modifications to photorec to have it find those headers. I took a quick look at the "file_zip.c" file; however, I have no in-depth knowledge of the photorec architecture.

So I wanted to kindly ask if someone could point me in the right direction as to what program pieces would need some modification. Maybe if the cluster-size is used for some length calculations it needs to be reduced by the 100 byte offset for the very first cluster of each file etc.

Maybe a general option to start the search for the header at a specific cluster offset might be a good idea.

Thanks for your feedback,

Darky

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Recovering ZIP files with 100 bytes offset...

#2 Post by cgrenier »

You can try to create a custom photorec.sig signature. It may be easier than modifying file_zip.c

zip 100 0x50 0x4b 0x03 0x04
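
The layout behind the `zip 100 ...` signature can be checked against a raw image before a long PhotoRec run. The following is an added example, not part of the original posts and not PhotoRec code: it lists the clusters whose bytes at offset 100 parse as a plausible ZIP local file header. The 4096-byte cluster size, the function names and the sample image are assumptions constructed for illustration.

```python
import struct

PK_LOCAL = b"PK\x03\x04"           # 0x50 0x4b 0x03 0x04, as in the signature line
PREFIX_LEN = 100                   # metadata bytes in front of the PK header (from the thread)
KNOWN_METHODS = {0, 8, 9, 12, 14}  # stored, deflate, deflate64, bzip2, LZMA
LFH = struct.Struct("<4s5H3I2H")   # fixed 30-byte part of a ZIP local file header

def find_prefixed_zip_starts(image, cluster_size=4096, prefix_len=PREFIX_LEN):
    """Return [(cluster_offset, first_member_name)] for every cluster whose
    bytes at prefix_len look like a valid ZIP local file header."""
    hits = []
    for base in range(0, len(image), cluster_size):
        start = base + prefix_len
        hdr = image[start:start + LFH.size]
        if len(hdr) < LFH.size or hdr[:4] != PK_LOCAL:
            continue
        # sig, version, flags, method, time, date, crc32, csize, usize, name_len, extra_len
        fields = LFH.unpack(hdr)
        method, name_len = fields[3], fields[9]
        # A bare 4-byte magic match is weak evidence; require sane header fields too.
        if method not in KNOWN_METHODS or name_len == 0:
            continue
        name = image[start + LFH.size:start + LFH.size + name_len]
        if len(name) != name_len or 0 in name:
            continue
        hits.append((base, name.decode("utf-8", "replace")))
    return hits

def build_sample(cluster_size=4096):
    """Constructed 4-cluster image: only cluster 2 has the prefixed layout."""
    header = LFH.pack(PK_LOCAL, 20, 0, 8, 0, 0, 0, 0, 0, 9, 0) + b"notes.txt"
    img = bytearray(cluster_size * 4)
    # Cluster 1: ordinary ZIP start at offset 0 (no 100-byte prefix).
    img[cluster_size:cluster_size + len(header)] = header
    # Cluster 2: 100 bytes of metadata (zeros here), then the PK header.
    pos = 2 * cluster_size + PREFIX_LEN
    img[pos:pos + len(header)] = header
    # Cluster 3: magic at offset 100 followed by zeros (name length 0, rejected).
    pos = 3 * cluster_size + PREFIX_LEN
    img[pos:pos + 4] = PK_LOCAL
    return bytes(img)

if __name__ == "__main__":
    for offset, name in find_prefixed_zip_starts(build_sample()):
        print(f"candidate first cluster at byte {offset}: first member {name!r}")
```
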

DarkSider
Posts: 2
Joined: 29 Mar 2016, 01:24

Re: Recovering ZIP files with 100 bytes offset...

#3 Post by DarkSider »

Hi,
cgrenier wrote: You can try to create a custom photorec.sig signature. It may be easier than modifying file_zip.c

zip 100 0x50 0x4b 0x03 0x04

I thought about this already; however, I was under the impression that the recovery in file_zip.c tries to find matching chunks of data-streams across spread out clusters?
