Finding a bzip2 file on a damaged hard drive

Jordan Curzon curzonj at gmail.com
Fri Apr 8 07:25:35 MDT 2005


There is a forensics tool called foremost that searches a binary file
or block device and pulls out all the files that match their headers.
The site is at http://sourceforge.net/projects/foremost/. It doesn't
have the signature for bzips but here it is:
"bz2 y   10000000        BZh?1AY&SY"

It will have some false positives but it will find every bzip on the
disk. Let me know if you have questions.

Jordan Curzon

On Apr 7, 2005 10:34 PM, James Clawson <jclawsonx at mac.com> wrote:
> Thank you for the suggestion.
> 
> I have read the manual, including the recovery section.  It deals
> with the recovery of non-corrupt blocks from a bzip2 archive with
> some corrupt blocks.  I believe that these bzip2 files are intact,
> but as I have no file table on the drive, I have to identify the
> length of each archive.  I was hoping to identify either a long which
> would identify the total number of bytes in the file, or an end of
> file marker.  I have not found either.  I am reviewing the bzip2
> source code, but have not found what I am looking for yet.
> 
> Jim
> 
> On Apr 7, 2005, at 10:29 PM, Jeff Schroeder wrote:
> 
> > James wrote:
> >
> >
> >> However, I do not know how to identify the end
> >> of each file.  Can you give me any information or suggestion on how I
> >>   might find out how long each bzip2 file should be?
> >>
> >
> > A quick Google search for "bzip2 file format" yielded this
> > documentation page:
> >
> > http://www.digistar.com/bzip2/docs/manual_toc.html
> >
> > There's a section called "Recovering Data from Damaged Files" but the
> > link apparently isn't working.  Perhaps you could poke around the
> > net a bit and find the documentation mirrored somewhere?
> >
> > HTH,
> > Jeff
> > .===================================.
> > | This has been a P.L.U.G. mailing. |
> > |      Don't Fear the Penguin.      |
> > |  IRC: #utah at irc.freenode.net   |
> > `==================================='
> >
> 
>
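
Added example, not part of the original thread: a Python sketch that scans a raw image for the header in the foremost signature above and lets the decompressor report where each stream ends, which yields the archive length asked about in the quoted message. It assumes each archive is stored contiguously on the disk; the function name `carve_bzip2` and the sample image are constructed for illustration.

```python
import bz2
import re

# Same match as the foremost signature: "BZh", one level digit, block magic "1AY&SY".
HEADER = re.compile(rb"BZh[1-9]1AY&SY")

def carve_bzip2(image, chunk=64 * 1024):
    """Return [(offset, compressed_length, data)] for each intact stream in image."""
    found, pos = [], 0
    while (m := HEADER.search(image, pos)) is not None:
        start, fed, out = m.start(), 0, []
        dec = bz2.BZ2Decompressor()
        try:
            while not dec.eof and start + fed < len(image):
                piece = image[start + fed:start + fed + chunk]
                out.append(dec.decompress(piece))
                fed += len(piece)
        except OSError:
            pass  # false positive: header bytes not followed by a valid stream
        if dec.eof:
            # unused_data holds whatever was fed past the end-of-stream marker
            length = fed - len(dec.unused_data)
            found.append((start, length, b"".join(out)))
            pos = start + length
        else:
            pos = start + 1  # invalid or truncated; resume search after this hit
    return found

if __name__ == "__main__":
    # Constructed sample "disk": filler, an archive, a bare header, another archive.
    first = bz2.compress(b"first archive\n" * 200)
    second = bz2.compress(b"second archive\n")
    image = b"\xff" * 100 + first + b"BZh91AY&SY" + b"\x00" * 64 + second + b"\xff" * 30
    for offset, length, data in carve_bzip2(image):
        print(f"offset={offset} compressed={length} bytes, {len(data)} bytes recovered")
```

For a real drive image, pass an `mmap` of the image file instead of a `bytes` object so the whole device is not read into memory.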


