Recovering DOS Executables

Using PhotoRec to recover lost data
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Post Reply
Message
Author
DaveJohnstone
Posts: 3
Joined: 16 Feb 2018, 12:31

Recovering DOS Executables

#1 Post by DaveJohnstone » 16 Feb 2018, 12:55

I have an image of a DOS disk which had bad sectors on it and it does not mount. I imaged it with ddrescue, Photorec discovered 2 partitions on the image and has recovered many files including custom image files (set up in photorec.sig) and many .exe files but only windows exe files. Is there a different signature required for DOS exe files? I see in the log many of the expected filenames but if I launch any recovered files they are windows executables. If I run testdisk on the same image it does not show any files.

Also, is there a way to tie up the filenames in the log to the recovered fnnnnnnn.exe files?

Any help much appreciated.

Sponsored links

User avatar
cgrenier
Site Admin
Posts: 4420
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: Recovering DOS Executables

#2 Post by cgrenier » 18 Feb 2018, 09:05

The "MZ" signature alone generates too many false positives. It's why only Win PE or DOS with COFF extension are recovered by PhotoRec.
If you really want those files, create a photorec.sig file with

Code: Select all

exe 0 "MZ"

DaveJohnstone
Posts: 3
Joined: 16 Feb 2018, 12:31

Re: Recovering DOS Executables

#3 Post by DaveJohnstone » 18 Feb 2018, 11:32

Unfortunately, there does not seem to be any other identifier for nailing a DOS executable so I did create the simple MZ signature earlier and ran Photorec again. This signature has given me a further 73 files to try after I manually exclude ones with "This program requires Microsoft Windows" or "This program cannot be run in DOS mode". Is there a way to perform a second check with the above strings in a .sig file?

As to my second question, is there a way to equate the recovered filename to the log? What does the 1st column tell me? Basically, is there a relationship between the log:
blocksize=32768, offset=12288
Elapsed time 0h00m00s
Pass 1 (blocksize=32768) STATUS_EXT2_OFF
* 24-599: (null)
600-5015: fat
5016-5783: exe
5784-9367: exe
9368-9431: exe
9432-10071: exe
10072-10391: exe
10392-10455: exe
10456-13591: exe
13592-13719: exe
13720-4999575: exe
4999552 sectors contains unknown data, 10 invalid files found and rejected.
Sector 600
2 drwxr-xr-x 0 0 0 20-Feb-1998 06:18 .
0 drwxr-xr-x 0 0 0 20-Feb-1998 06:18 ..
1400 -rwxr-xr-x 0 0 11208 31-May-1994 15:52 ATTRIB.EXE
1401 -rwxr-xr-x 0 0 12241 31-May-1994 15:52 CHKDSK.EXE
1402 -rwxr-xr-x 0 0 26936 31-May-1994 15:52 COUNTRY.SYS
12 -rwxr-xr-x 0 0 15920 31-May-1994 15:52 COUNTRY.TXT
1403 -rwxr-xr-x 0 0 15718 31-May-1994 15:52 DEBUG.EXE
14 -rwxr-xr-x 0 0 3114 31-May-1994 15:52 DOSSETUP.INI
1404 -rwxr-xr-x 0 0 66294 31-May-1994 15:52 DRVSPACE.BIN
1407 -rwxr-xr-x 0 0 413 31-May-1994 15:52 EDIT.COM
And my filenames fnnnnnnn.xxx (obviously, these aren't the files I need - just an extract from the log)?

Regards,

Dave.

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest