Carving Issues Scalpel wont export all jpg headers

I thought FF D8 FF E1 was the header for EXIF rather than JFIF? While EXIF is technically a JPEG, if you are using the standard header/footer signatures that may not be included.

then is

FF D8 FF E0

Still the jpg format but the Exif which i am assuming is the format almost all digital cameras are now using is just indicated by one bit change to
FF D8 FF E1 ?

Thanks for the fast reply I am making my own carving engine, that auto removes benign files as part of a new project

are you searching for the header at a specific offset? FF D8 FF could generate quiet a few false positives. Have you tried locating the headers with sigfind?

yah basically theprogram loads the drive image then parses it until it hits ffd8ffe0 and then keeps note of it, however when i tell it to check for the e1 it never finds it. I however did finally get it to work just a few minutes ago, using the ffd8ff and have it not be as sensitive on the last value after tweeking the code a bit.

Thanks for all the help

IIRC you can encounter E0, E1, E3 and DB in JPEGS, especially if you carve for data from some of the mobile phones on the market. The JPEG footer (FF D9) remains the same however. Have you experimented with any of those strings?

Primarily i used E0 and E1, Do you know of any cheat sheet that has a list of devices\ manufactures that use the different header variant?

The only "cheat sheet" I know of is Gary Kessler's File Signatures Table.

I just had notes on the other strings from some research I was doing on a case with some mobile phones.

/etc/magic from the *nix utility "file" relies on the strings Exif or JFIF 6 bytes in. Ie

ffd8 ???? ???? 4a46 4946
ffd8 ???? ???? 4578 6966

This is the way we tend to go if needed, but you'll find that ffd8 at offset 0 will grab most anyway.

Ok thank you for all the help