Scalpel: Extracting JPEGs not working

Posted: Wed Jul 01, 2015 12:04 am
by ^rooker
[PROBLEM]
I remember I've used Scalpel in the past to recover lost images on broken SD cards used in photo cameras.
For some (yet unknown) reason, it doesn't carve JPGs out of disk images properly anymore.

The config block in /etc/scalpel/scalpel.conf that comes with Ubuntu 12.04 (precise) by default is:

Code:

# GIF and JPG files (very common)
#   gif y   5000000       \x47\x49\x46\x38\x37\x61    \x00\x3b
#   gif y   5000000       \x47\x49\x46\x38\x39\x61    \x00\x3b
    jpg y   200000000     \xff\xd8\xff\xe0\x00\x10    \xff\xd9

I've opened some JPEGs I had lying around using Bless (hex editor) - and they actually started with different hex numbers:

Code:

FF D8 FF E1

So I looked at Scalpel 2.0's scalpel.conf.
There it had an additional line for JPEGs that started with 0xE1 instead of 0xE0:

Code:

# GIF and JPG files (very common)
# gif y     5000000      \x47\x49\x46\x38\x37\x61    \x00\x3b
# gif y     5000000      \x47\x49\x46\x38\x39\x61    \x00\x00\x3b
# jpg y     200000000    \xff\xd8\xff\xe0\x00\x10    \xff\xd9
  jpg y     200000000    \xff\xd8\xff\xe1            \xff\xd9

Enabling the second JPG line did the trick. Almost...

The resulting JPGs were only 18 KB, because they contained the "0xFF 0xD9" footer sequence not only at the end :(
Since Scalpel v1.60 doesn't allow a minimum carve size (like Scalpel 2.0 does), I've reduced the maximum carve size to 20 MB (20 000 000), and removed the footer bytes:

Code:

  jpg y     20000000    \xff\xd8\xff\xe1

A bit rough, but it worked ;)
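
Added example, not part of the original post and not Scalpel code: a common reason `FF D9` shows up early in a `FF D8 FF E1` file is a thumbnail JPEG embedded in the APP1 (Exif) segment, so a carve that stops at the first footer ends inside the header. This Python sketch walks the JPEG marker segments to find the real end of image instead. The function names and the sample bytes are constructed for illustration.

```python
EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-7 carry no length field

def naive_end(buf, start=0):
    """Carve to the first FF D9 after the header (truncates Exif files)."""
    i = buf.find(b"\xff\xd9", start + 2)
    return -1 if i < 0 else i + 2

def jpeg_end(buf, start=0):
    """Walk marker segments; return the offset just past the real EOI, or -1."""
    if buf[start:start + 2] != b"\xff\xd8":
        return -1
    pos = start + 2
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            return -1                      # lost sync: not at a marker
        marker = buf[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        seglen = int.from_bytes(buf[pos:pos + 2], "big")
        if seglen < 2:
            return -1                      # corrupt or truncated length field
        pos += seglen                      # skips APP1 and any thumbnail inside it
        if marker == SOS:                  # entropy-coded data follows the scan header
            while pos + 1 < len(buf):
                nxt = buf[pos + 1]
                if buf[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break                  # a real marker ends the scan
                pos += 1                   # FF 00 stuffing and RSTn stay in the scan
            else:
                return -1                  # ran off the buffer inside the scan
    return -1

def _seg(marker, payload):
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: Exif-style image whose APP1 segment embeds a thumbnail JPEG
THUMB = b"\xff\xd8" + _seg(0xDB, b"\x00" * 8) + b"\xff\xd9"
IMAGE = (b"\xff\xd8" + _seg(0xE1, b"Exif\x00\x00" + THUMB) + _seg(0xDB, b"\x00" * 65)
         + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")
DISK = b"\x00" * 16 + IMAGE + b"\x00" * 16
```

On the constructed `DISK` buffer, `naive_end(DISK, 16)` stops at the thumbnail's footer while `jpeg_end(DISK, 16)` returns the end of the full image; a truncated or fragmented file returns -1, where a fixed maximum carve size remains the fallback.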