[SGVLUG] Data carving and photo recovery (was: File system
corruption)
Emerson, Tom (*IC)
Tom.Emerson at wbconsultant.com
Tue Sep 18 18:15:13 PDT 2007
> -----Original Message----- Of John Lowry
>
> Emerson, Tom (*IC) wrote:
> >> -----Original Message----- Of John E. Kreznar
> >> Rich Pinder <rpinder at usc.edu> writes:
> >>
> >> I would like to recover the data on the drive, if possible
> > ... since you mentioned/inferred the
> > files you are missing are images (tif files?) I *do* have a fairly
> > good pointer for recovering [photo] data:
> > http://foremost.sourceforge.net/
> >
[...]
> Another program I have had success with recovery all kinds of
> stuff, and it does not care about filesystems, is photorec.
>
> http://www.cgsecurity.org/wiki/PhotoRec
Funny you should mention that...
I actually found the link to foremost from this blog page:
http://www.g-loaded.eu/2006/12/08/more-data-recovery-tools/
of several tools mentioned, I was just looking at the "photorec
challenge" link
http://www.dfrws.org/2006/challenge/submissions/grenier/index.html
Which was submitted to a "digital forensics research workshop" "data
carving" contest:
http://www.dfrws.org/2006/challenge/index.shtml
For 2006, a 50mb "raw" file [no distinct file system] containing 32
images, documents, and so on, was provided for participants to extract
said documents (*). For 2007, the filesize was increased to 330mb, and
only 5 entries were submitted [look for the 2007 link on the above page]
(*) one of the "techniques" used in 2006 was based on the fact that the
images used were drawn "from the public domain", so when someone found
"part" of a picture, they looked for the image "on the internet", found
the full picture, and then were able to find the "missing" parts. For
the 2007 challenge, this technique was expressly forbidden EXCEPT if you
fully automated it (no human intervention)
More information about the SGVLUG
mailing list