Hello,

Can someone help me with the headers and/or footers of si4, sn4 and sg4
files?


I am using Scalpel to recover files.

Here is part of its configuration file:

Thanks

Esteban



# Scalpel configuration file

# This configuration file controls the
# types and sizes of files that are carved by Scalpel.  Currently,
# Scalpel can read Foremost 0.69 configuration files, but Scalpel
# configuration files may not be backwards-compatible with Foremost.
# In particular, maximum file carve size under Foremost 0.69 is 4GB,
# while in the current version of Scalpel, it's 16EB (16 exabytes).

# For each file type, the configuration file
# describes the file's extension, whether the header and footer are
# case sensitive, the maximum file size, and the header and footer for
# the file. The footer field is optional, but header, size, case
# sensitivity, and extension are required.  Any line that begins with a
# '#' is considered a comment and ignored. Thus, to skip a file type
# just put a '#' at the beginning of that line

# Headers and footers are decoded before use. To specify a value in
# hexadecimal use \x[0-f][0-f] and for octal use \[0-3][0-7][0-7].
# Spaces can be represented by \s. Example: "\x4F\123\I\sCCI" decodes
# to "OSI CCI".
#
# To match any single character (aka a wildcard) use
# a '?'. If you need to search for the '?' character, you will need to
# change the 'wildcard' line *and* every occurrence of the old
# wildcard character in the configuration file.
#
# Note: '?' is equal to 0x3f and \063.
#
# If you want files carved without filename extensions,
# use "NONE" in the extension column.

# The REVERSE keyword after a footer causes a search
# backwards starting from [size] bytes beyond the location of the header
# This is useful for files like PDFs that may contain multiple copies of
# the footer throughout the file.  When using the REVERSE keyword you will
# extract bytes from the header to the LAST occurrence of the footer (and
# including the footer in the carved file).
#
# The NEXT keyword after a footer results in file carves that
# include the header and all data BEFORE the first occurrence of the
# footer (the footer is not included in the carved file).  If no
# occurrence of the footer is discovered within maximum carve size bytes
# from the header, then a block of the disk image including the header
# and with length equal to the maximum carve size is carved.  Use NEXT
# when there is no definitive footer for a file type, but you know which
# data should NOT be included in a carved file--e.g., the beginning of
# a subsequent file of the same type.
#
# FORWARD_NEXT is the default carve type and this keyword may be
# included after the footer, but is not required.  For FORWARD_NEXT
# carves, a block of data including the header and the first footer
# (within the maximum carve size) are carved.  If no footer appears
# after the header within the maximum carve size, then no carving is
# performed UNLESS the -b command line option is supplied.  In this case,
# a block of max carve size bytes, including the header, is carved and a
# notation is made in the Scalpel log that the file was chopped.

# To redefine the wildcard character, change the setting below and all
# occurrences in the formost.conf file.
#
#wildcard  ?

#        case    size    header            footer
#extension   sensitive
#
#---------------------------------------------------------------------
# EXAMPLE WITH NO SUFFIX
#---------------------------------------------------------------------
#
# Here is an example of how to use the no extension option. Any files
# beginning with the string "FOREMOST" are carved and no file extensions
# are used. No footer is defined and the max carve size is 1000 bytes.
#
#      NONE     y      1000     FOREMOST
#
#---------------------------------------------------------------------
# GRAPHICS FILES
#---------------------------------------------------------------------
#
#
# AOL ART files
#    art    y    150000    \x4a\x47\x04\x0e    \xcf\xc7\xcb
#      art    y     150000    \x4a\x47\x03\x0e    \xd0\xcb\x00\x00
#
# GIF and JPG files (very common)
#    gif    y    5000000        \x47\x49\x46\x38\x37\x61    \x00\x3b
#      gif    y     5000000        \x47\x49\x46\x38\x39\x61    \x00\x3b
#     jpg    y    200000000    \xff\xd8\xff\xe0\x00\x10    \xff\xd9
#
#
# PNG
#      png    y    20000000    \x50\x4e\x47?    \xff\xfc\xfd\xfe
#
#
# BMP     (used by MSWindows, use only if you have reason to think there are
#          BMP files worth digging for. This often kicks back a lot of false
#          positives)
#
#    bmp    y    100000    BM??\x00\x00\x00
#
# TIFF
#      tif    y    200000000    \x49\x49\x2a\x00
# TIFF
#    tif    y    200000000    \x4D\x4D\x00\x2A
#




2011/7/4 Esteban Cervetto <estebancs...@gmail.com>

> Hello:
>
> Recently, I have had a serious problem with my hard disk, and lost a great
> part of my data.
>
> Actually, I have a folder on an old disk where my scid database was placed,
> until I cut and pasted it onto my new (and failed) HD.
> Nowadays, I am very angry with myself for not performing a copy-paste instead
> (why did I have to cut!   :'-(
>
> Fortunately, this old disk was never used again, so I suppose I have the image
> of my database and maybe can recover it with software like PhotoRec. (god
> please!)
>
> But I am concerned; the scid format is not as popular as PDF, so the formats
> that PhotoRec can recover don't include scid:
>    http://www.cgsecurity.org/wiki/File_Formats_Recovered_By_PhotoRec
>
> But there are other recovery tools that I am sure can: for example
> MagicRescue,
>
> Can someone give me a hand to recover it?
>
> I searched for this question in our mail archive, but I did not find anything.
> I believe then this is a good opportunity to resolve/explain how to recover a
> missing database, one of the worst fears for our databases
>
>  Regards
>
>
> Esteban
>
>
>
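
Added example (not part of the original message and not Scalpel's own code): a small Python model of the header/footer syntax and the FORWARD_NEXT, NEXT and REVERSE carve types described in the configuration file quoted above, run over a constructed buffer with the GIF89a rule from that file. The function names, the sample buffer and the handling of REVERSE when no footer is found are assumptions made for illustration.

```python
import re

WILDCARD = 0x3F  # '?', the default wildcard byte named in the config

def decode(spec):
    """Turn a header/footer spec into raw bytes (hex, octal, \\s, \\<char>)."""
    def sub(m):
        t = m.group(1)
        if len(t) == 3:                      # xHH (hex) or OOO (octal)
            return chr(int(t[1:], 16) if t[0] == "x" else int(t, 8))
        return " " if t == "s" else t        # \s is a space, \I is just I
    text = re.sub(r"\\(x[0-9a-fA-F]{2}|[0-3][0-7]{2}|.)", sub, spec)
    return text.encode("latin-1")

def find(data, pat, lo, hi, last=False):
    """First (or last) offset in [lo, hi) where pat fits and matches, else -1."""
    offs = range(lo, min(hi, len(data)) - len(pat) + 1)
    for off in (reversed(offs) if last else offs):
        if all(p == WILDCARD or data[off + k] == p for k, p in enumerate(pat)):
            return off
    return -1

def carve(data, header, footer, size, mode="FORWARD_NEXT", chop=False):
    """Carve the first file found in data; returns bytes, or None if nothing is carved."""
    h, f = decode(header), decode(footer)
    start = find(data, h, 0, len(data))
    if start < 0:
        return None
    limit = start + size                     # maximum carve size window
    end = find(data, f, start + len(h), limit, last=(mode == "REVERSE"))
    if end < 0:
        # No footer in the window: NEXT carves the full window; FORWARD_NEXT
        # only with -b (chop). REVERSE is treated like FORWARD_NEXT (assumption).
        return data[start:limit] if (mode == "NEXT" or chop) else None
    return data[start:end] if mode == "NEXT" else data[start:end + len(f)]

# GIF89a rule from the configuration above; the buffer is constructed sample data.
GIF_HEADER, GIF_FOOTER = r"\x47\x49\x46\x38\x39\x61", r"\x00\x3b"
SAMPLE = b"junk" + b"GIF89a" + b"AAAA\x00\x3b" + b"BBBB\x00\x3b" + b"tail"

if __name__ == "__main__":
    for mode in ("FORWARD_NEXT", "NEXT", "REVERSE"):
        print(mode, carve(SAMPLE, GIF_HEADER, GIF_FOOTER, 5000000, mode))
```

A rule for a format the stock file does not cover needs the same four required fields (extension, case sensitivity, size, header), with the header bytes read from a known-good file of that type.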