Recreating a binary file from slack/unallocated space?

You can find the structure of a .BMP file here,
http//en.wikipedia.org/wiki/BMP_file_format

There is a lot more information in the header that can be checked to eliminate false positives. These include the file size values and offset values. You should be able to range check these values for sanity. Further you can then check width / height values, etc..

But some carving tools already do this (including our own), so why not just use a tool that already does all this work for you.

Thank you Passmark. I am not aware of any of those programs. I'm currently using Paraben's P2 Commander, which I don't believe contains this functionality.

Which software do you use for this purpose? And, what is the name of your own?

Many thanks.

Greetings,

Scalpel and PhotoRec are perhaps the two best known tools for this purpose.

-David

Ours is OSForensics.

Pick "Deleted file search" from the menu,

In configure select the "File carving" and "Image Verification" check boxes & "All files" for quality setting.

Then click on search.

Also as an aside, it doesn't really make sense to look in file slack space for bitmaps. A typical disk cluster is 4KB. So the average useful slack space is just ~1KB. Plus due to the nature of file slack space you are always going to be missing the file header, as the start of the cluster will be overwritten. Bitmaps tend to be large as they not compressed. So getting only a ~1kb without the header isn't going to be of too much help.

1KB of bitmap data is just 15 x 15 pixels. Which just so happens to be exactly the size of this smiley, wink