Any carver that store LBA addresses ?

(@zul22)
Trusted Member
Joined: 12 years ago
Posts: 53
Topic starter  

Hi,

Is there any file carver that lets you explore the bytes that surround the found segments?

i.e. a low-level carver that

1) remembers addresses of carved contents

2) allows opening a hex editor that automatically "centers" on those addresses, showing bytes back and forth and highlighting the carved sequence

Preferably running on Linux but solutions based on Windows also welcome.

Thanks.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> Is there any file carver that lets you explore the bytes that surround the found segments?
>
> i.e. a low-level carver that
>
> 1) remembers addresses of carved contents
>
> 2) allows opening a hex editor that automatically "centers" on those addresses, showing bytes back and forth and highlighting the carved sequence
>
> Preferably running on Linux but solutions based on Windows also welcome.

First, I'm a bit unclear as to what this has to do with "LBA"…

Second, EnCase does this, not so much with carving but more with search hits.

I don't have EnCase so I wrote my own utility in Perl to replicate this functionality…for every search hit found, the script would grab 100 bytes on either side of the offset, and print this information to the console in hex editor-style format. As it's Perl, you should easily be able to replicate this in Perl on Linux.

HTH


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I am not really sure I understand the question.

gsar
http://home.online.no/~tjaberg/
https://svn.osgeo.org/fdocore/branches/3.2.x/Thirdparty/gsar/man/cat1/gsar.1.txt

Will

  • find a sequence of bytes
  • output the position of hits
  • optionally show a custom number of bytes before/after the hit

C:\Downloaded\FEDIT>gsar -s:x50:x45:x00:x00 -B

Search buffer (ASCII) PE..
Length = 4 (Hex) 50 45 00 00

C:\Downloaded\FEDIT>gsar -s:x50:x45:x00:x00 -b gsar.exe
gsar.exe 0x80
gsar.exe 1 match found

C:\Downloaded\FEDIT>gsar -s:x50:x45:x00:x00 -b -x260 gsar.exe
gsar.exe 0x80
0x00000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.........ÿÿ..
0x00000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ¸.......@.......
0x00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ............€...
0x00000040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ..º..´.Í!¸.LÍ!Th
0x00000050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno
0x00000060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t be run in DOS
0x00000070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$.......
0x00000080 50 45 00 00 4c 01 05 00 86 ac 93 47 00 00 00 00 PE..L...†¬“G....
0x00000090 00 00 00 00 e0 00 0f 03 0b 01 02 38 00 2c 00 00 ....à......8.,..
0x000000a0 00 1e 00 00 00 1a 00 00 80 12 00 00 00 10 00 00 ........€.......
0x000000b0 00 40 00 00 00 00 40 00 00 10 00 00 00 02 00 00 .@....@.........
0x000000c0 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 ................
0x000000d0 00 a0 00 00 00 04 00 00 ac 89 00 00 03 00 00 00 . ......¬‰......
0x000000e0 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 .. .............
0x000000f0 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000100 00 90 00 00 ...
gsar.exe 1 match found
(the board software shows the above "strangely", copy and paste in Notepad to see how it looks).

But wouldn't a "normal" Hex/Disk editor search be what you want?

jaclaz
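
The workflow discussed in this thread, as an added Python example that is not any poster's code (neither keydet89's Perl utility nor gsar): it records each hit's byte offset, converts it to an LBA, and prints the surrounding bytes with the hit bracketed. The 512-byte sector size, the `partition_start_lba` parameter and the sample image are assumptions constructed for illustration.

```python
SECTOR_SIZE = 512  # assumption: 512-byte logical sectors

def find_hits(data, signature):
    """Return every byte offset where signature occurs, overlaps included."""
    hits, pos = [], data.find(signature)
    while pos != -1:
        hits.append(pos)
        pos = data.find(signature, pos + 1)
    return hits

def to_lba(offset, sector_size=SECTOR_SIZE, partition_start_lba=0):
    """Map a byte offset to (LBA, offset inside that sector).
    partition_start_lba (hypothetical parameter) converts an offset taken
    from a partition image into an LBA on the whole disk."""
    lba, within = divmod(offset, sector_size)
    return partition_start_lba + lba, within

def hexdump_context(data, offset, length, context=100, width=16):
    """Hex-editor style rows covering `context` bytes on either side of a
    hit; the bytes of the hit itself are bracketed."""
    start = max(0, offset - context) // width * width  # align to a row start
    end = min(len(data), offset + length + context)
    lines = []
    for row in range(start, end, width):
        chunk = data[row:min(row + width, end)]
        cells = "".join(
            f"[{b:02x}]" if offset <= row + i < offset + length else f" {b:02x} "
            for i, b in enumerate(chunk))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{row:08x} {cells} {text}")
    return lines

def report(data, signature, context=100):
    """One address line per hit, followed by its surrounding bytes."""
    out = []
    for off in find_hits(data, signature):
        lba, within = to_lba(off)
        out.append(f"hit at byte 0x{off:x} = LBA {lba} + 0x{within:x}")
        out.extend(hexdump_context(data, off, len(signature), context))
    return out

def build_sample_image():
    """Constructed 4-sector image with a PE signature in sector 2 at 0x80."""
    img = bytearray(4 * SECTOR_SIZE)
    img[2 * SECTOR_SIZE + 0x80:2 * SECTOR_SIZE + 0x84] = b"PE\x00\x00"
    return bytes(img)

if __name__ == "__main__":
    print("\n".join(report(build_sample_image(), b"PE\x00\x00", context=32)))
```

For a real image, passing an `mmap` of the file opened read-only as `data` avoids loading it into memory, since `mmap` objects support the same `find` and slicing calls.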


   