Where to go from here

Message

cohenrique · #1 Post by **cohenrique** » 19 Apr 2022, 08:02

I managed to successfully create a custom signature files for a particular type of file I was hoping to recover. Running PhotoRec over the disk in question yielding a number of possible files. The files are notably large. I imagine since there was no way of the program of knowing when the file ended.

I was wondering what tools or methods I might use to go about "trimming" my files so that they are properly restored to their original information. I have been able to identify a "signature" for the end of the files in question by looking at known files with hexdump. Having this information, how can I best use it to cut away the information after the "end" marker?

Also, to make sure, one of the files was particularly large (>400GB), what am I to make of this? Would it mean that no other file signature was recognized for that long of a sting of information?

How does PhotoRec know to "end" a file. Is it simply done when it recognizes the beginning of a new file? If so, might it make sense that the file in question simply was the last recognized file for a long time?

Thanks for the information, I really do appreciate the help, and find myself excited to learn more about these techniques and process. Feel free to enlighten me if there would have been a cleaner approach earlier in the process. Thanks!

For reference, the files were originally on a NTFS formatted drive (they typically range from 8 to 20MB in size in their proper form), and were recovered running PhotoRec on my copy of a PartedMagic live image.

#2 Post by **recuperation** » 19 Apr 2022, 19:13

cohenrique wrote: ↑19 Apr 2022, 08:02 I managed to successfully create a custom signature files for a particular type of file I was hoping to recover. Running PhotoRec over the disk in question yielding a number of possible files. The files are notably large. I imagine since there was no way of the program of knowing when the file ended.

I was wondering what tools or methods I might use to go about "trimming" my files so that they are properly restored to their original information. I have been able to identify a "signature" for the end of the files in question by looking at known files with hexdump. Having this information, how can I best use it to cut away the information after the "end" marker?

Enable those file types that you expect to be on your drive. Disabling the other file types will prevent them from indicating false file beginnings which will end the current file in recovery.

Also, to make sure, one of the files was particularly large (>400GB), what am I to make of this? Would it mean that no other file signature was recognized for that long of a sting of information?

Yes.

How does PhotoRec know to "end" a file. Is it simply done when it recognizes the beginning of a new file? If so, might it make sense that the file in question simply was the last recognized file for a long time?

Typically PhotoRec knows that it reached the end of a file once a new signature appears. As the manual states, modifying the program provides you with more options:

[...

12.5 Improved ﬁle recover
To control all aspects of the recovery (ﬁle content check, ﬁle size control, footer detection. . . ), the best way to add a
signature, if you are developer, is to modify PhotoRec itself.]
That shows that by programming you can control the moment where the file will be ended.

...]

cgsecurity.org

Where to go from here

Where to go from here

Re: Where to go from here