Hi,
I'm wondering if there's some way to display in hexadecimal the first bytes of binary files, either as thumbnails in the file explorer or as tooltip "bubbles" when the file names are hovered.
If I remember, the header of Apple Mail's ".emlx" files displays on thumbnails in the file explorer of Ubuntu. (I'm using the 10.04 LTS.)
I am looking for a similar thing, but for binary content, to help visually filter valid files vs false positives after file carving. (As an alternative to the grep command, a.s.o.)
I'm mostly looking for a Linux solution (and if possible free or cheap), but a Windows-based alternative would be useful too.
Thanks.
Can't you do something like this
ls | grep something | perl -nle 'print $_;$m=`xxd $_ | head -n1`;print $m;' > output.txt
The textfile should look something like
file1.mkv
0000000 1a45 dfa3 a342 8681 0142 f781 0142 f281 .E...B...B...B..
file2.mkv
0000000 1a45 dfa3 a342 8681 0142 f781 0142 f281 .E...B...B...B..
file3.mkv
0000000 1a45 dfa3 a342 8681 0142 f781 0142 f281 .E...B...B...B..
I found this for Windows. It's a plugin for the Directory Opus file manager, but a priori it can only display the beginning of text files http//
@adri Thanks for the command line. Sure, grep is powerful, but sometimes it is also comfortable to work without having to type text.
I am not sure if this answers your question.
My
0x38 91 or 0x83 76. The log can be sorted on this column.
This I find very useful when an unknown signature is found many times.
The logic for data recovery - if the signature does not match, then there is a chance that recovery is not correct. If they all match, recovery is probably OK.
Hi Michael,
Thanks for mentioning that your software is able to display the first two bytes for files of unknown type. Does this feature come with all versions?
As most video formats start with "00 00", it could be useful if your software could display more bytes. I believe that the possibility of displaying 8 to 16 bytes (or a custom number) would be nice, as well as the possibility of skipping the first N bytes (specified by the user).
Video formats like MOV files typically use several signatures that also seem to depend on the acquisition device. If you know Linux, see scalpel's configuration file for instance. Also, some devices (e.g. Sony's Handycam) use more specific signatures, not always listed by scalpel.
When using several signatures to carve files, some signatures may output valid files and other ones will turn out a posteriori not to be the right ones.
As the miscellaneous signature variants may share common first bytes, it could be useful to have the possibility to skip them and display only the bytes that distinguish the miscellaneous signatures.
Just an idea…
For Linux users, as the file explorer of Ubuntu is able to display the beginning of text files, it would maybe be possible to adapt its behaviour, so that binary files are displayed like text files, but in hexadecimal…
@Michael As I'm not a native English speaker, I'm not sure what you mean by "the log cab". Could you explain?
For 'cab' - read 'can' (I have edited the entry, the keys are close together!)
Data carving video files has many possible problems. As you have discovered, files can start with different signatures, and even 'segment' orders.
My best advice is to find a good known file and then assume that the rest of the files on the disk come from the same camera, and therefore the same parameters.
If the files have been moved to a hard drive (outside of the camera) then hopefully the files will be in sequence. On the camera, many files are recorded with FAT32, but the logical sequence of file sections is different to the physical sequence. Such deleted files cannot be recovered by carving alone.
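The header listing discussed in this thread, as an added example that is not part of any poster's message: it shows the first bytes of each carved file in hex, optionally skipping the first N bytes, and groups files by that header so the most frequent signature sorts first. The function names, file names and sample file contents are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

def header_hex(path, length=16, skip=0):
    """Return `length` bytes starting at offset `skip` as spaced hex."""
    with open(path, "rb") as fh:
        fh.seek(skip)
        return " ".join(f"{b:02x}" for b in fh.read(length))

def group_by_header(directory, length=16, skip=0):
    """Map each distinct header string to the carved files that share it."""
    groups = defaultdict(list)
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if entry.is_file(follow_symlinks=False):
            groups[header_hex(entry.path, length, skip)].append(entry.name)
    return dict(groups)

def report(groups):
    """One line per header, most frequent first: count, header, file names."""
    ordered = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [f"{len(names):4d}  {hdr or '(too short)'}  {' '.join(names)}"
            for hdr, names in ordered]

def build_demo_dir():
    """Constructed sample files standing in for carver output."""
    ebml = bytes.fromhex("1a45dfa3a3428681")  # header bytes shown in the thread
    samples = {
        "f1.mkv": ebml + b"\x00" * 8,
        "f2.mkv": ebml + b"\x00" * 8,
        "f3.mov": bytes.fromhex("00000014") + b"ftypqt  ",
        "f4.mov": bytes.fromhex("00000018") + b"ftypmp42",
        "f5.mov": b"\x00\x00",  # truncated false positive
    }
    directory = tempfile.mkdtemp(prefix="carved_")
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return directory

if __name__ == "__main__":
    demo = build_demo_dir()
    print("\n".join(report(group_by_header(demo, length=8))))
    # Skip the 4-byte size field so only the distinguishing bytes remain.
    print("\n".join(report(group_by_header(demo, length=8, skip=4))))
```

A file shorter than the skip offset yields an empty header and is listed as "(too short)", which is itself a quick indicator of a bad carve.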