Finding a bzip2 file on a damaged hard drive

James Clawson jclawsonx at mac.com
Fri Apr 8 11:41:22 MDT 2005 

Thank you for the reference!  I am downloading it as I type.

As the drive does not have a valid file table, how can the software  
identify the length of the file?  If this works well, I will be  
forever grateful.

Jim

On Apr 8, 2005, at 7:25 AM, Jordan Curzon wrote:

> There is a forensics tool called formost that searches an binary file
> or block device and pulls out all the files that match their headers.
> The site is at  http://sourceforge.net/projects/foremost/. It doesn't
> have the signature for bzips but here is it:
> "bz2 y   10000000        BZh?1AY&SY"
>
> It will have some false positives but it will find every bzip on the
> disk. Let me know if you have questions.
>
> Jordan Curzon
>
> On Apr 7, 2005 10:34 PM, James Clawson <jclawsonx at mac.com> wrote:
>
>> Thank you for the suggestion.
>>
>> I have read the manual, including the recovery section.  It deals
>> with the recovery of non-corrupt blocks from a bzip2 archive with
>> come corrupt blocks.  I believe that these bzip2 files are intact,
>> but as I have no file table on the drive, I have to identify the
>> length of each archive.  I was hoping to identify either a long which
>> would identify the total number of bytes in the file, or an end of
>> file marker.  I have not found either.  I am reviewing the bzip2
>> source code, but have not found what I am looking for yet.
>>
>> Jim
>>
>> On Apr 7, 2005, at 10:29 PM, Jeff Schroeder wrote:
>>
>>
>>> James wrote:
>>>
>>>
>>>
>>>> However, I do not know how to identify the end
>>>> of each file.  Can you give me any information or suggestion on  
>>>> how I
>>>>   might find out how long each bzip2 file should be?
>>>>
>>>>
>>>
>>> A quick Google search for "bzip2 file format" yielded this
>>> documentation
>>> page:
>>>
>>> http://www.digistar.com/bzip2/docs/manual_toc.html
>>>
>>> There's a section called "Recovering Data from Damaged Files" but  
>>> the
>>> link apparently isn't working.  Perhaps you could poke around the
>>> net a
>>> bit and find the documentation mirrored somewhere?
>>>
>>> HTH,
>>> Jeff
>>> .===================================.
>>> | This has been a P.L.U.G. mailing. |
>>> |      Don't Fear the Penguin.      |
>>> |  IRC: #utah at irc.freenode.net   |
>>> `==================================='
>>>
>>>
>>
>> .===================================.
>> | This has been a P.L.U.G. mailing. |
>> |      Don't Fear the Penguin.      |
>> |  IRC: #utah at irc.freenode.net   |
>> `==================================='
>>
>>
> .===================================.
> | This has been a P.L.U.G. mailing. |
> |      Don't Fear the Penguin.      |
> |  IRC: #utah at irc.freenode.net   |
> `==================================='
>

More information about the PLUG mailing list