Finding a bzip2 file on a damaged hard drive

Jordan Curzon curzonj at gmail.com
Fri Apr 8 21:59:03 MDT 2005


Many file types have a footer also, which the program looks for. Like
I said, there are false positives, but I couldn't see that it missed
anything. With bzips there is no footer, so you just have to set the
max file size to the biggest file you are looking for. Be ready
though, every file carved out will be the max file size. BZip handles
dropping the garbage off the end. With bzip, I found about a 30% false
positive rate, but even small archives will be rendered at the max
size.

Jordan

On Apr 8, 2005 11:41 AM, James Clawson <jclawsonx at mac.com> wrote:
> Thank you for the reference!  I am downloading it as I type.
> 
> As the drive does not have a valid file table, how can the software
> identify the length of the file?  If this works well, I will be
> forever grateful.
> 
> Jim
> 
> On Apr 8, 2005, at 7:25 AM, Jordan Curzon wrote:
> 
> > There is a forensics tool called foremost that searches a binary file
> > or block device and pulls out all the files that match their headers.
> > The site is at http://sourceforge.net/projects/foremost/. It doesn't
> > have the signature for bzips but here it is:
> > "bz2 y   10000000        BZh?1AY&SY"
> >
> > It will have some false positives but it will find every bzip on the
> > disk. Let me know if you have questions.
> >
> > Jordan Curzon
> >
> > On Apr 7, 2005 10:34 PM, James Clawson <jclawsonx at mac.com> wrote:
> >
> >> Thank you for the suggestion.
> >>
> >> I have read the manual, including the recovery section.  It deals
> >> with the recovery of non-corrupt blocks from a bzip2 archive with
> >> some corrupt blocks.  I believe that these bzip2 files are intact,
> >> but as I have no file table on the drive, I have to identify the
> >> length of each archive.  I was hoping to identify either a long which
> >> would identify the total number of bytes in the file, or an end of
> >> file marker.  I have not found either.  I am reviewing the bzip2
> >> source code, but have not found what I am looking for yet.
> >>
> >> Jim
> >>
> >> On Apr 7, 2005, at 10:29 PM, Jeff Schroeder wrote:
> >>
> >>
> >>> James wrote:
> >>>
> >>>
> >>>
> >>>> However, I do not know how to identify the end
> >>>> of each file.  Can you give me any information or suggestion on
> >>>> how I might find out how long each bzip2 file should be?
> >>>>
> >>>>
> >>>
> >>> A quick Google search for "bzip2 file format" yielded this
> >>> documentation page:
> >>>
> >>> http://www.digistar.com/bzip2/docs/manual_toc.html
> >>>
> >>> There's a section called "Recovering Data from Damaged Files" but
> >>> the link apparently isn't working.  Perhaps you could poke around
> >>> the net a bit and find the documentation mirrored somewhere?
> >>>
> >>> HTH,
> >>> Jeff
> >>> .===================================.
> >>> | This has been a P.L.U.G. mailing. |
> >>> |      Don't Fear the Penguin.      |
> >>> |  IRC: #utah at irc.freenode.net   |
> >>> `==================================='
> >>>
> >>>
> >>
> >>
> >>
> >
> 
>
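
Added example, not part of the original thread and not foremost's own code: a Python sketch of the carving approach discussed above. It scans a raw image for the bzip2 header, carves a fixed-size window, discards candidates that fail to decode, and uses the decompressor's leftover bytes to recover the true archive length. The function names, sample data and sizes are constructed for illustration.

```python
import bz2
import re

# Stream header from the thread's signature: "BZh", a level digit, then "1AY&SY".
HEADER = re.compile(rb"BZh[1-9]1AY&SY")

def carve_bzip2(image, max_size=10_000_000):
    """Return (offset, compressed_length, data) for every candidate that decodes."""
    found = []
    for m in HEADER.finditer(image):
        start = m.start()
        window = image[start:start + max_size]  # what a fixed-size carve writes out
        dec = bz2.BZ2Decompressor()
        try:
            data = dec.decompress(window)
        except OSError:
            continue  # header bytes matched but the stream is invalid: false positive
        if not dec.eof:
            continue  # stream damaged, or longer than max_size
        # Everything after the end-of-stream marker is trailing garbage.
        found.append((start, len(window) - len(dec.unused_data), data))
    return found

def sample_image():
    """Constructed test image: filler, archive, filler, fake header, archive, filler."""
    filler = bytes(range(256)) * 8
    a = bz2.compress(b"first recovered file\n" * 200)
    b = bz2.compress(b"second recovered file\n" * 50, compresslevel=1)
    fake = b"BZh91AY&SY" + b"\x00" * 64  # header-only bytes, not a real stream
    image = filler + a + filler + fake + b + filler
    return image, a, b

if __name__ == "__main__":
    image, a, b = sample_image()
    for offset, length, data in carve_bzip2(image, max_size=4096):
        print(f"offset={offset} compressed_len={length} decoded={len(data)} bytes")
```

On a real disk image, read the device in chunks or memory-map it rather than loading it whole, and work on a copy of the damaged drive.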