Where to go from here
Posted: 19 Apr 2022, 08:02
I managed to successfully create a custom signature file for a particular type of file I was hoping to recover. Running PhotoRec over the disk in question yielded a number of possible files. The files are notably large, I imagine since there was no way for the program to know when the file ended.
I was wondering what tools or methods I might use to go about "trimming" my files so that they are properly restored to their original information. I have been able to identify a "signature" for the end of the files in question by looking at known files with hexdump. Having this information, how can I best use it to cut away the information after the "end" marker?
Also, to make sure, one of the files was particularly large (>400GB); what am I to make of this? Would it mean that no other file signature was recognized for that long of a string of information?
How does PhotoRec know to "end" a file? Is it simply done when it recognizes the beginning of a new file? If so, might it make sense that the file in question simply was the last recognized file for a long time?
Thanks for the information, I really do appreciate the help, and find myself excited to learn more about these techniques and processes. Feel free to enlighten me if there would have been a cleaner approach earlier in the process. Thanks!
For reference, the files were originally on an NTFS-formatted drive (they typically range from 8 to 20MB in size in their proper form), and were recovered running PhotoRec on my copy of a PartedMagic live image.
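One way to do the trimming asked about above, as an added example that is not part of the original post and not PhotoRec code: stream through the oversized carve, find the end-of-file signature, and write a trimmed copy while leaving the recovered file untouched. The function names are hypothetical, the footer bytes are whatever was identified with hexdump, and it assumes the file was stored contiguously and that the first footer after the start is the real end.

```python
# Added example. Assumptions: contiguous (unfragmented) file, and the first
# occurrence of the footer after the start of the carve is the true end.

def find_footer_end(stream, footer, max_scan=None, chunk_size=1 << 20):
    """Return the offset just past the first `footer` in `stream`, or None.

    Reads in chunks so a multi-hundred-GB carve never has to fit in memory,
    and keeps len(footer)-1 bytes of overlap so a marker that straddles two
    chunks is still found. `max_scan` bounds the search (for example 64 MiB
    when genuine files are 8 to 20 MB) so a runaway carve fails fast.
    """
    if not footer:
        raise ValueError("footer must be non-empty")
    overlap = len(footer) - 1
    tail, pos = b"", 0              # pos = absolute offset of buf[0]
    while max_scan is None or pos < max_scan:
        chunk = stream.read(chunk_size)
        if not chunk:
            return None             # end of data, no footer seen
        buf = tail + chunk
        idx = buf.find(footer)
        if idx != -1:
            end = pos + idx + len(footer)
            return end if max_scan is None or end <= max_scan else None
        tail = buf[-overlap:] if overlap else b""
        pos += len(buf) - len(tail)
    return None

def trim_carved(src_path, dst_path, footer, max_scan=None):
    """Copy src up to and including the first footer into dst.

    The source is opened read-only and never modified. Returns the trimmed
    length, or None (writing nothing) when no footer is found in range.
    """
    with open(src_path, "rb") as src:
        end = find_footer_end(src, footer, max_scan)
        if end is None:
            return None
        src.seek(0)
        with open(dst_path, "wb") as dst:
            remaining = end
            while remaining:
                block = src.read(min(1 << 20, remaining))
                if not block:
                    break
                dst.write(block)
                remaining -= len(block)
    return end
```

A short footer can also occur by chance inside file data, so compare the trimmed length against the expected size range and open the result in its native application before trusting it.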