Hi Guys,
I want to know how to recover images from a dump if the images are fragmented in memory. I mean 2 blocks are stored somewhere and the other 2 blocks are somewhere else in memory. In this case, how do I recover the images? Is there any software that does this?
Adroit Photo Forensics
http//
Thanks for your reply. Yes, I could find fragmented images with Digital Assembly. But how can I be sure that it is finding all the fragmented images in the dump? How do I cross-check it?
I want to learn how this image extraction process from a dump takes place. I want to learn the technical details about it. Can anyone recommend good sources to read?
You have a situation a bit like 'Put up your hand if you cannot hear me'.
To be sure you will need to carve all the memory for jpeg headers, 0xFF 0xD8 0xFF 0xE0 or 0xE1.
It is very difficult to scan for blocks that may be in the middle of a jpeg as it is compressed data and could come from many sources.
You also have the situation that you may have a header, but none or only part of the possible file. I am not familiar with memory dumps, but I guess they often contain areas of data just left behind. It will be very much like unallocated space on a disk drive, and the same principles will apply to carving and data reconstruction.
Are you looking for a known image or just trying to find any image that might be there?
H
Use WinHex or X-Ways to carve images from the memory dump. Other carvers may work as well. However, I had very good luck with WinHex.
Regards,
Chris
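
The header scan suggested in the thread, as an added example that is not from any poster or from the tools named here: it lists every offset where a JPEG header (0xFF 0xD8 0xFF 0xE0 or 0xE1) occurs and flags headers with no end-of-image marker after them, which gives a count to cross-check a carver's output against. The function name, the size limit and the sample buffer are assumptions made for the illustration.

```python
import re
import sys

# SOI followed by APP0 (JFIF) or APP1 (Exif): the header bytes named in the thread.
JPEG_HEADER = re.compile(rb"\xFF\xD8\xFF[\xE0\xE1]")
JPEG_EOI = b"\xFF\xD9"  # JPEG end-of-image marker

def carve_jpeg_candidates(data, max_size=20 * 1024 * 1024):
    """List every JPEG header offset in `data` and whether an EOI follows it.

    max_size is an assumed upper bound on image size. A hit with an EOI is
    only a *candidate*: if the image is fragmented, the bytes between header
    and EOI may not belong to one picture and must be validated by decoding.
    """
    results = []
    for match in JPEG_HEADER.finditer(data):
        start = match.start()
        limit = min(len(data), start + max_size)
        eoi = data.find(JPEG_EOI, start + 4, limit)
        if eoi == -1:
            # Header with no terminator in range: truncated, overwritten,
            # or continued in a non-adjacent block.
            results.append({"offset": start, "end": None, "status": "header_only"})
        else:
            results.append({"offset": start, "end": eoi + 2,
                            "status": "complete_candidate"})
    return results

# Constructed sample buffer (not real image data): one header with an EOI,
# one header whose remainder is missing.
SAMPLE = (b"\x00" * 16 + b"\xFF\xD8\xFF\xE0" + b"A" * 32 + b"\xFF\xD9"
          + b"\x00" * 8 + b"\xFF\xD8\xFF\xE1" + b"B" * 20)

if __name__ == "__main__":
    # Usage: python carve.py memory.dmp  (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            buf = fh.read()
    else:
        buf = SAMPLE
    for hit in carve_jpeg_candidates(buf):
        print(f"0x{hit['offset']:08x}  {hit['status']}  end={hit['end']}")
```

Every `header_only` offset, and every candidate that fails to decode, is an image the carver should be checked against.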