Custom Signature - adding size offset

Using PhotoRec to recover lost data
jimbobsmith
Posts: 1
Joined: 20 Feb 2015, 18:50

Custom Signature - adding size offset

#1 Post by jimbobsmith »

Hey everyone.

Is it possible to add the offset of a file's size into a custom signature? For example, I wrote a carver for prefetch files for Windows 8. It gets the results, but some of the files are way too big. One of them was 4 gigs in size. Looking at the hex, the size is listed in the header accurately.

The way I was carving for the file was by adding the signatures to photorec.sig. I'm new to the tool, so I have no idea if there's another way to do things. Any help or advice would be appreciated! Thanks.
cgrenier
Site Admin
Posts: 5438
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Custom Signature - adding size offset

#2 Post by cgrenier »

Signature in photorec.sig can't use the filesize stored in some headers.
If you want, send me a few file samples and the information about the file format, and I will add it to PhotoRec.
robtlee
Posts: 1
Joined: 25 Jun 2016, 22:56

Re: Custom Signature - adding size offset

#3 Post by robtlee »

For Prefetch files, a new carver has been written that carves exact file sizes for Windows prefetch files. These files are extremely useful in incident response cases, as they can prove "evidence of execution" on a Windows system.

Here is the patch by Ralf Almon -- can this be added to the official PhotoRec distribution? It has been very useful in many cases.

From 82762b68c956111b9b127e25f270cbac744867e0 Mon Sep 17 00:00:00 2001
From: Ralf Almon <Ralf.Almon@usd.de>
Date: Fri, 8 Apr 2016 17:03:56 +0200
Subject: [PATCH] Added the windows prefetch file format

---
src/file_list.c | 2 +
src/file_pf.c | 118 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 120 insertions(+)
create mode 100644 src/file_pf.c

diff --git a/src/file_list.c b/src/file_list.c
index a785297..c55c6ac 100644
--- a/src/file_list.c
+++ b/src/file_list.c
@@ -337,6 +337,7 @@ extern const file_hint_t file_hint_xz;
extern const file_hint_t file_hint_z2d;
extern const file_hint_t file_hint_zip;
extern const file_hint_t file_hint_zpr;
+extern const file_hint_t file_hint_pf;

file_enable_t list_file_enable[]=
{
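Review bot: The new `extern const file_hint_t file_hint_pf;` is appended after `file_hint_zpr`, breaking the alphabetical ordering the surrounding lines (xz, z2d, zip, zpr) show; the same applies to the `{ .enable=0, .file_hint=&file_hint_pf },` entry in the second hunk of this file. Moving both declarations next to the other `p` entries keeps the lists sorted and makes the prefetch hint easy to find. Both lists continue outside the hunks.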
@@ -650,6 +651,7 @@ file_enable_t list_file_enable[]=
{ .enable=0, .file_hint=&file_hint_z2d },
{ .enable=0, .file_hint=&file_hint_zip },
{ .enable=0, .file_hint=&file_hint_zpr },
+ { .enable=0, .file_hint=&file_hint_pf },
{ .enable=0, .file_hint=NULL }
};

diff --git a/src/file_pf.c b/src/file_pf.c
new file mode 100644
index 0000000..9b09963
--- /dev/null
+++ b/src/file_pf.c
@@ -0,0 +1,118 @@
+/*
+
+ File: file_pf.c
+
+ Ralf Almon usd AG 2016
+
+ This software is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write the Free Software Foundation, Inc., 51
+ Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#ifdef HAVE_STRING_H
+#include <string.h>
+#endif
+#include <stdio.h>
+#include "types.h"
+#include "filegen.h"
+#include "common.h"
+
+static void register_header_check_pf(file_stat_t *file_stat);
+static int header_check_pf(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new);
+static void file_rename_pf(file_recovery_t *file_recovery);
+
+const file_hint_t file_hint_pf= {
+ .extension="pf",
+ .description="Windows prefetch file",
+ .max_filesize=PHOTOREC_MAX_FILE_SIZE,
+ .recover=1,
+ .enable_by_default=1,
+ .register_header_check=&register_header_check_pf
+};
+
+static const unsigned char pf_header[7] = {'\x00', '\x00', '\x00', '\x53', '\x43', '\x43', '\x41'};
+
+static void register_header_check_pf(file_stat_t *file_stat)
+{
+ register_header_check(1, pf_header,sizeof(pf_header), &header_check_pf, file_stat);
+}
+
+struct pf_header
+{
+ uint32_t version;
+ uint32_t magic;
+ uint32_t unknown;
+ uint32_t size;
+ char name[60];
+} __attribute__ ((gcc_struct, __packed__));
+
+static void file_rename_pf(file_recovery_t *file_recovery)
+{
+ file_recovery_t fr;
+ char utf_name[60];
+ char name[31];
+ int i,j;
+
+ reset_file_recovery(&fr);
+ if((fr.handle=fopen(file_recovery->filename, "rb"))==NULL)
+ return;
+
+ fr.file_size = 0;
+ fr.offset_error=0;
+
+ if(my_fseek(fr.handle, 16, SEEK_SET) < 0)
+ {
+ fclose(fr.handle);
+ return;
+ }
+
+
+ //Try to read the 60 bytes for the name
+ if (fread(&utf_name, 1, 60, fr.handle)==60) {
+ //Now comes some "nice" code for converting to ansi encoding
+ //TODO: Better way here?
+ j=0;
+ for (i=0;i<60;i+=2) {
+ name[j] = utf_name;
+ j++;
+ }
+
+ //Make sure string gets 0x00 terminated
+ name[30] = '\x00';
+ file_rename(file_recovery, name, 30, 0, "pf", 0);
+ }
+}
+
+static int header_check_pf(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
+{
+ const struct pf_header *pf=(const struct pf_header *)buffer;
+
+ if(buffer[1] == '\x00' && buffer[2]=='\x00' && buffer[3]=='\x00'
+ && buffer[4]=='\x53' && buffer[5]=='\x43' && buffer[6]=='\x43'
+ && buffer[7]=='\x41') {
+ reset_file_recovery(file_recovery_new);
+ file_recovery_new->extension=file_hint_pf.extension;
+ file_recovery_new->min_filesize=1;
+ file_recovery_new->calculated_file_size=(uint64_t)le32(pf->size);
+ file_recovery_new->file_rename=&file_rename_pf;
+ file_recovery_new->data_check=&data_check_size;
+ file_recovery_new->file_check=&file_check_size;
+
+ return 1;
+ }
+ return 0;
+}
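Review bot: file_rename_pf opens fr.handle with fopen but never closes it on the read path — both the successful `fread(...)==60` branch and a short read fall out of the function with the stream still open, so every renamed prefetch file leaks a FILE*; add `fclose(fr.handle);` after the `if (fread(&utf_name, 1, 60, fr.handle)==60) { ... }` block (the early return after my_fseek already closes it). As rendered, `name[j] = utf_name;` assigns the array itself to a char and would not compile; presumably `utf_name[i]` was intended and the index was lost to the forum's BBCode, but note that keeping only the low byte of each UTF-16LE code unit mangles any non-ASCII name rather than converting it, so the "ansi" comment overstates what the loop does. In header_check_pf the size is taken straight from carved bytes with no sanity check, so a zero or sub-header `size` is accepted with min_filesize=1; add `if(le32(pf->size) < sizeof(struct pf_header)) return 0;` before filling file_recovery_new, and consider guarding `buffer_size >= sizeof(struct pf_header)` before dereferencing pf. The byte-by-byte comparison against buffer[1..7] repeats the 7-byte pf_header signature that register_header_check already matched at offset 1; it could be dropped, or replaced by a check of the version field in buffer[0], which is currently not validated at all.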
--
2.7.4
cgrenier
Site Admin
Posts: 5438
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Custom Signature - adding size offset

#4 Post by cgrenier »

Thanks for your patch; it has been rewritten and integrated in the following commit:
https://git.cgsecurity.org/cgit/testdis ... 1c8ec58b8a