Recovering ZIP files with 100 bytes offset...

Using PhotoRec to recover lost data
Post Reply
Message
Author
DarkSider
Posts: 2
Joined: 29 Mar 2016, 01:24

Recovering ZIP files with 100 bytes offset...

#1 Post by DarkSider » 29 Mar 2016, 01:32

Hello,

I need to carve several ZIP-Files from unallocated space (was ext3). Unfortunately those files are fragmented and traditional methods like extundelete fail due to the amount of deleted files.

However with this recovery comes a twist. The specific storage system stores 100bytes of metadata in front of the actual PK-Header. This affects only the very first cluster of each file/zip-archive.

I think I need to one or two source code modification to photorec to have it find those headers. I took a quick look at thte "file_zip.c" file however I have no in-depth knowledge of the photorec architecture.

So I wanted to kindly ask if someone could point me in the right direction what program pieces would need some modifaction. Maybe if the cluster-size is used for some length calculations it needs to be reduced by the 100 byte offset for the very first cluster of each file etc.

Maybe a general option to start the search for the header at a specific cluster offset might be a good idea.

Thanks for your feedback,

Darky

Sponsored links

User avatar
cgrenier
Site Admin
Posts: 3561
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: Recovering ZIP files with 100 bytes offset...

#2 Post by cgrenier » 29 Mar 2016, 06:27

You can try to create a custom photorec.sig signature. It may be easier that modifing file_zip.c

Code: Select all

zip 100 0x50 0x4b 0x03 0x04

DarkSider
Posts: 2
Joined: 29 Mar 2016, 01:24

Re: Recovering ZIP files with 100 bytes offset...

#3 Post by DarkSider » 02 Apr 2016, 19:01

Hi,
cgrenier wrote:You can try to create a custom photorec.sig signature. It may be easier that modifing file_zip.c

Code: Select all

zip 100 0x50 0x4b 0x03 0x04
I thought about this already, however I was under the impression that the recovery in file_zip.c tries to find matching chunks of data-streams accross spread out clusters?

Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests