wildcard for custom signature?

alvaro
Posts: 4
Joined: 12 Aug 2021, 02:47

wildcard for custom signature?

#1 Post by alvaro »

How can I get photorec to search the whole file for the provided signature?

I need to recover a lost file using a signature I already know. My problem is it could appear anywhere inside the file.

Can photorec be instructed to look the entire file for the signature provided? Is there a wildcard or way to achieve this function?

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: wildcard for custom signature?

#2 Post by recuperation »

Photorec is using the signature to determine the beginning of the file and will end a file once the next signature appears.
Use a hex editor to search for a specific byte sequence anywhere on the disc.

alvaro
Posts: 4
Joined: 12 Aug 2021, 02:47

Re: wildcard for custom signature?

#3 Post by alvaro »

Hi, recovery
Thanks for your response, I didn't think about that. I will make a copy of the disk and proceed that way.

I know .photorec.sig file has a format of "[extension] [offset] [signature]", can you teach me how to define a beginning signature and an end one?

EDIT:
I found this example in docs:

pfi 0 "PhotoFiltre", 0x20, "Image"

Perhaps this would serve my purpose, but documentation does not explain any further. Could you please explain what is happening in that example?

Thanks in advance

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: wildcard for custom signature?

#4 Post by recuperation »

alvaro wrote: 14 Aug 2021, 00:42
> Hi, recovery
> Thanks for your response, I didn't think about that. I will make a copy of the disk and proceed that way.
>
> I know .photorec.sig file has a format of "[extension] [offset] [signature]", can you teach me how to define a beginning signature and an end one?

Please reread my previous answer!

> EDIT:
> I found this example in docs:
>
> pfi 0 "PhotoFiltre", 0x20, "Image"
>
> Perhaps this would serve my purpose,

Of course not, because you are talking about a file signature that could be located anywhere in your file. Signatures are typically located at the beginning of a file, maybe also at the end because that location enables the associated software a quick verification if the software is able to process the content of the file.

Photorec requires a fixed position for manual signatures. This way there is no need to search the signature byte-wise at every possible position inside the hard drive which would not provide any advantage over searching strings with a hex editor.

> but documentation does not explain any further. Could you please explain what is happening in that example?

If Photorec finds the string "PhotoFiltre Image" at a location in the selected partition which could be the beginning of a file (0), it starts a file extraction from there and gives it the extension "pfi".

alvaro
Posts: 4
Joined: 12 Aug 2021, 02:47

Re: wildcard for custom signature?

#5 Post by alvaro »

Thanks for your answer, recovery
I'm sorry I didn't explain myself appropriately here:
> I know .photorec.sig file has a format of "[extension] [offset] [signature]", can you teach me how to define a beginning signature and an end one?
What I wanted to ask you for was a written example of defining both a beginning signature and an ending signature to search for, please.
Perhaps I didn't understand and that is not possible.

Anyways, I have one last question, please

pfi 0 "PhotoFiltre", 0x20, "Image"

I understand that
pfi 0 "PhotoFiltre"
looks for "PhotoFiltre" at 0. Is the other half
0x20, "Image"
looking for "Image" at 0x20?

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: wildcard for custom signature?

#6 Post by recuperation »

alvaro wrote: 12 Aug 2021, 03:22
> How can I get photorec to search the whole file for the provided signature?
>
> I need to recover a lost file using a signature I already know. My problem is it could appear anywhere inside the file.
>
> Can photorec be instructed to look the entire file for the signature provided? Is there a wildcard or way to achieve this function?

You are confusing me. You are talking about a signature anywhere in a file. This is most probably not a signature. Please specify the file type and the signature you want to rescue as your statements are on meta level and it appears that you don't understand my answer and we need to be more specific.

I already told you above:

> Photorec is using the signature to determine the beginning of the file and will end a file once the next signature appears.
> Use a hex editor to search for a specific byte sequence anywhere on the disc.

There is no option for individual fingerprints at the end of a file because that either never exists or is already taken care of within the Photorec software for the most common file types.

Again, you expect the drive to be like

First sector - be beb e b e bebeb e -last sector
where "b" denotes beginning of a file and "e" denotes the end of a file.
The reality is more like
First sector - b6 b2 b1 b2 b5 b3b3 -last sector
where bx denotes the fingerprint of the beginning of a file and b1,b2,b3,b5 and b6 are various fingerprints of a couple of file types.
There is no end fingerprint available for you to define!
Photorec finalizes a file once it finds another starting fingerprint (as I already explained to you above) and not any type of "end fingerprint".

You said:

> Perhaps I didn't understand and that is not possible.

Yes, both of your statements are correct.

You said:

> I understand that
>
> pfi 0 "PhotoFiltre"
>
> looks for "PhotoFiltre" at 0. Is the other half
>
> 0x20, "Image"
>
> looking for "Image" at 0x20?

Definitely not.

The manual states on page 44:

The signature can be written as

pfi 0 "PhotoFiltre Image"
or
pfi 0 "PhotoFiltre", 0x20, "Image"

0x20 is the hexadecimal representation of the decimal figure 32.
If you look up an ASCII table you learn that the space symbol " " is coded as 32.

pfi 0 "PhotoFiltre", 0x20, "Image"
only shows you how to incorporate special byte values into plain text.
If your fingerprint would contain the byte 128 (decimal) which corresponds to 0x80 (hexadecimal) you would be able to build it into the fingerprint without having to search a symbol on your keyboard that generates the number 128. Furthermore, there are different standards beyond symbol 127 how to use the remaining 128 possible symbols.

Did you read the manual?

The manual clearly states:
The file must contain one signature definition per line.

A signature is composed of
• extension name
• offset of the signature
• signature or magic value
=> 1 name, 1 position and one signature string!

There is no complex definition containing multiple strings at multiple locations. The way it is defined it could not be easier.

For more complex structures you would either need to program that yourself, extend Photorec or deliver sufficient satisfactory information so that Christophe Grenier will program that in a future version.
Sufficient satisfactory information means a couple of file samples to enable him to find the common denominator - the fingerprint!
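
Added example, not part of the original thread and not PhotoRec's own code: a small Python parser for the "extension, offset, signature" line format described in post #6, showing that both spellings from the manual yield the same bytes at one fixed offset. It handles only the two token forms shown in the thread (quoted strings and `0x` hex values); reading a longer hex value as two digits per byte is an assumption, and the sample headers are constructed.

```python
import re

# One signature token: a double-quoted string or a 0x.. hex value.
TOKEN = re.compile(r'"([^"]*)"|0x([0-9A-Fa-f]+)')

def parse_sig_line(line):
    """Return (extension, offset, magic bytes) for one signature line."""
    ext, offset, rest = line.strip().split(None, 2)
    magic = bytearray()
    for text, hexval in TOKEN.findall(rest):
        if hexval:
            if len(hexval) % 2:
                raise ValueError("odd number of hex digits: 0x" + hexval)
            magic += bytes.fromhex(hexval)     # assumption: two digits per byte
        else:
            magic += text.encode("latin-1")
    if not magic:
        raise ValueError("no signature bytes found")
    start = int(offset, 16) if offset.lower().startswith("0x") else int(offset)
    return ext, start, bytes(magic)

def matches(sig, data):
    """True if the magic bytes sit exactly at the signature's offset in data."""
    _, offset, magic = sig
    return data[offset:offset + len(magic)] == magic

# The two spellings quoted from the manual in the thread.
ONE_STRING = parse_sig_line('pfi 0 "PhotoFiltre Image"')
WITH_HEX = parse_sig_line('pfi 0 "PhotoFiltre", 0x20, "Image"')

# Constructed sample headers (not real PhotoFiltre files).
CONTIGUOUS = b"PhotoFiltre Image" + bytes(15)
SPLIT = b"PhotoFiltre".ljust(0x20, b"\x00") + b"Image"   # "Image" at offset 0x20

if __name__ == "__main__":
    print(ONE_STRING == WITH_HEX)
    print(matches(WITH_HEX, CONTIGUOUS), matches(WITH_HEX, SPLIT))
```

The `SPLIT` buffer is the layout the question in post #5 had in mind ("Image" at offset 0x20); it does not match, because the line defines one contiguous byte string at one offset.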

alvaro
Posts: 4
Joined: 12 Aug 2021, 02:47

Re: wildcard for custom signature?

#7 Post by alvaro »

You are right I need to be more specific.
> Please specify the file type and the signature you want to rescue as your statements are on meta level and it appears that you don't understand my answer and we need to be more specific.
I'm trying to recover a bitcoin wallet from a formatted hard drive, filetype is Berkeley DB.
I understand photorec already looks for this type of file, but I wanted to also search for the string 'ckey! that is found inside bitcoin wallets.

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: wildcard for custom signature?

#8 Post by recuperation »

As your keyword seems to be located anywhere in your file it does not qualify as a signature. => Photorec can't help you further.
Use a hex editor to search strings.
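
Added example, not part of the original thread: the "search for a byte sequence anywhere on the disc" advice done as a Python script over a copy of the disk, reading in chunks and carrying over the last few bytes so a hit that straddles a read boundary is still found. The function names, the sample image and the `b"ckey"` search bytes are constructed for illustration; each hit is reported as a byte offset plus sector number so it can be opened in a hex editor.

```python
import os
import tempfile

def find_all(path, needle, chunk_size=1 << 20):
    """Yield every absolute byte offset of needle in the file at path."""
    if not needle:
        raise ValueError("empty search pattern")
    keep = len(needle) - 1      # bytes carried over between reads
    tail = b""
    base = 0                    # absolute offset of the first byte of tail
    with open(path, "rb") as image:          # read-only: work on a copy
        while True:
            chunk = image.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            pos = buf.find(needle)
            while pos != -1:
                yield base + pos
                pos = buf.find(needle, pos + 1)
            # tail is shorter than needle, so no hit is reported twice
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)

def locate(offset, sector_size=512):
    """Translate a byte offset into (sector number, offset inside the sector)."""
    return divmod(offset, sector_size)

def demo():
    # Constructed sample image; with chunk_size=8 the first hit spans two reads.
    data = bytes(6) + b"ckey" + bytes(1020) + b"ckey" + bytes(10)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        return [(off, *locate(off))
                for off in find_all(tmp.name, b"ckey", chunk_size=8)]
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    for off, sector, within in demo():
        print(f"hit at byte {off} (sector {sector}, +{within})")
```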
