Recovering ZIP files with 100 bytes offset...

Posted: 29 Mar 2016, 01:32
by DarkSider
Hello,

I need to carve several ZIP-Files from unallocated space (was ext3). Unfortunately those files are fragmented and traditional methods like extundelete fail due to the amount of deleted files.

However with this recovery comes a twist. The specific storage system stores 100 bytes of metadata in front of the actual PK-Header. This affects only the very first cluster of each file/zip-archive.

I think I need to make one or two source code modifications to photorec to have it find those headers. I took a quick look at the "file_zip.c" file, however I have no in-depth knowledge of the photorec architecture.

So I wanted to kindly ask if someone could point me in the right direction as to what program pieces would need some modification. Maybe if the cluster-size is used for some length calculations it needs to be reduced by the 100 byte offset for the very first cluster of each file etc.

Maybe a general option to start the search for the header at a specific cluster offset might be a good idea.

Thanks for your feedback,

Darky

Re: Recovering ZIP files with 100 bytes offset...

Posted: 29 Mar 2016, 06:27
by cgrenier
You can try to create a custom photorec.sig signature. It may be easier than modifying file_zip.c

Code:

zip 100 0x50 0x4b 0x03 0x04
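
What the signature line above matches, as an added example that is not part of the original posts and not PhotoRec code: a Python scan of block-aligned offsets for a ZIP local file header sitting 100 bytes into a block. The 4096-byte block size, the function names and the sample image are assumptions constructed for illustration; the scan only locates first-cluster candidates and does not reassemble fragmented files.

```python
import io
import struct
import zipfile

SIG = b"PK\x03\x04"                    # ZIP local file header magic (0x50 0x4b 0x03 0x04)
PREFIX = 100                           # metadata bytes in front of the PK header (from the thread)
LFH = struct.Struct("<4sHHHHHIIIHH")   # fixed 30-byte part of a ZIP local file header
BLOCK = 4096                           # assumed filesystem block size


def scan(image, block_size=BLOCK):
    """Return [(block_offset, first_member_name)] for every block that holds a
    plausible ZIP local file header PREFIX bytes after the block start."""
    hits = []
    for base in range(0, len(image), block_size):
        hdr = image[base + PREFIX: base + PREFIX + LFH.size]
        if len(hdr) < LFH.size or not hdr.startswith(SIG):
            continue
        fields = LFH.unpack(hdr)
        method, name_len = fields[3], fields[9]
        # Drop chance matches: only stored/deflate, and a sane file name length.
        if method not in (0, 8) or not 0 < name_len <= 255:
            continue
        start = base + PREFIX + LFH.size
        name = image[start:start + name_len]
        if len(name) == name_len:
            hits.append((base, name.decode("utf-8", "replace")))
    return hits


def build_sample(block_size=BLOCK):
    """Constructed test image: block 1 holds a plain ZIP (header at offset 0),
    block 3 holds the same ZIP behind 100 bytes of fake metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("evidence.txt", "constructed sample data")
    zip_bytes = buf.getvalue()
    image = bytearray(block_size * 5)
    image[block_size:block_size + len(zip_bytes)] = zip_bytes
    start = 3 * block_size
    image[start:start + PREFIX] = b"M" * PREFIX
    image[start + PREFIX:start + PREFIX + len(zip_bytes)] = zip_bytes
    return bytes(image)


if __name__ == "__main__":
    for off, name in scan(build_sample()):
        print(f"candidate at block offset {off}: first member {name!r}")
```
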

Re: Recovering ZIP files with 100 bytes offset...

Posted: 02 Apr 2016, 19:01
by DarkSider
Hi,
cgrenier wrote: You can try to create a custom photorec.sig signature. It may be easier than modifying file_zip.c

Code:

zip 100 0x50 0x4b 0x03 0x04
I thought about this already, however I was under the impression that the recovery in file_zip.c tries to find matching chunks of data-streams across spread out clusters?