[brlug-general] forensics question: retrieving deleted data
Will Hill
williamhill2 at cox.net
Sat May 27 20:49:04 CDT 2006
Sorry to take so long, I was at a conference. No presentations from our
group, but we sucked up some cool ideas:
http://rma-symposium.engin.umich.edu/
I'll be happy to share the program, if I can find it. Google is spammed to
hell and back on the topic, so it will be easier to find on my old laptop.
Yep, there it was. The guy did not even put his name on it. That's OK,
because the code itself provides search terms. Mark Oskin probably wrote it
and has instructions here:
http://www.cs.washington.edu/homes/oskin/saveimg.html
Thanks Mark! Your code works very well for me.
# include <stdio.h>
# include <stdlib.h>
# include <unistd.h>
int
process_file(
FILE *raw)
{
unsigned char sector[512];
int i=0;
char of[128];
sprintf(of, "save_img_%3.3d.jpg", i);
FILE *img = fopen(of, "wb");
fread(sector, 1, 512, raw);
while(!feof(raw))
{
if ( sector[0] == 0xff &&
sector[1] == 0xd8 &&
sector[2] == 0xff &&
sector[3] == 0xe1
// sector[4] == 0x23 &&
// sector[5] == 0xfe &&
// sector[6] == 0x45 &&
// sector[7] == 0x78 &&
// sector[8] == 0x69 &&
// sector[9] == 0x66
)
{
fclose(img);
++i;
sprintf(of, "save_img_%3.3d.jpg", i);
img = fopen(of, "wb");
}
fwrite(sector, 1, 512, img);
fread(sector, 1, 512, raw);
}
fclose(raw);
fclose(img);
return(0);
}
int
main(
int argc,
char *argv[])
{
if(argc!=2)
{
printf("usage: %s rawfile\n", argv[0]);
return(1);
}
FILE *raw = fopen(argv[1], "rb");
process_file(raw);
}
On Monday 22 May 2006 10:45 am, Jeffrey Lee wrote:
> Would you possibly share this program? I deal with a number of people that
> always seem to be losing images on camera cards (none CF mostly SD though).
>
> Thanks,
> Jeffrey Lee
More information about the General
mailing list