Hello,
I need to carve several ZIP-Files from unallocated space (was ext3). Unfortunately those files are fragmented and traditional methods like extundelete fail due to the amount of deleted files.
However with this recovery comes a twist. The specific storage system stores 100bytes of metadata in front of the actual PK-Header. This affects only the very first cluster of each file/zip-archive.
I think I need to one or two source code modification to photorec to have it find those headers. I took a quick look at thte "file_zip.c" file however I have no in-depth knowledge of the photorec architecture.
So I wanted to kindly ask if someone could point me in the right direction what program pieces would need some modifaction. Maybe if the cluster-size is used for some length calculations it needs to be reduced by the 100 byte offset for the very first cluster of each file etc.
Maybe a general option to start the search for the header at a specific cluster offset might be a good idea.
Thanks for your feedback,
Darky
Recovering ZIP files with 100 bytes offset...
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
- cgrenier
- Site Admin
- Posts: 5432
- Joined: 18 Feb 2012, 15:08
- Location: Le Perreux Sur Marne, France
- Contact:
Re: Recovering ZIP files with 100 bytes offset...
You can try to create a custom photorec.sig signature. It may be easier that modifing file_zip.c
Code: Select all
zip 100 0x50 0x4b 0x03 0x04
Re: Recovering ZIP files with 100 bytes offset...
Hi,
I thought about this already, however I was under the impression that the recovery in file_zip.c tries to find matching chunks of data-streams accross spread out clusters?cgrenier wrote:You can try to create a custom photorec.sig signature. It may be easier that modifing file_zip.cCode: Select all
zip 100 0x50 0x4b 0x03 0x04