Sluethkit File Signature Analysis and Data Carving

(@steakandeggs)

@SteakAndEggs,

"I would be happy to post a fully-detailed example but I'm mindful of the fact that my intention is not to give the OP the answer on a plate."

I'd look at it this way…posting a fully-detailed example is likely to be useful to many more on this list (and others), so giving the OP the answer on a plate would be a rather small consideration, I'd think.

Fair comment but I'll use an example that avoids a pdf.

This is based on carving a jpeg file from the image of a floppy. I've used xxd with grep but when I've done this with students I've used a hex editor with a GUI to locate the file signature, which shows the students more of the context of the signatures. Equally there's no need to use bc; this just keeps all the steps together.

# First, I locate candidates for the header

sandeggs@laptop-os~> xxd image.dd | grep ffd8
0006800 ffd8 ffe0 0010 4a46 4946 0001 0200 0064 ......JFIF.....d
001ba90 c0f2 ffd8 d3ee e0cd d0f6 e2c9 fff8 edff ................
001cb60 7ffd c46f ffd8 93fb fff7 ffff f8ff feff ...o............
0049e80 4b00 e05a ffd8 2fb7 ddc6 6118 0ab6 8ffb K..Z../...a.....
006dde0 ffd8 9185 f2dc f165 ab32 a256 9e74 5d14 .......e.2.V.t].
006fb60 ffd8 2f13 2d39 7518 888a ffff e977 5e83 ../.-9u......w^.
00776f0 a421 eccc 76d9 ffd8 43f6 0167 abad 6fb7 .!..v...C..g..o.
007cd40 38aa 4bb3 ffd8 2f1b 3547 5520 8816 efff 8.K.../.5GU ....
0083600 ffd8 ffe0 0010 4a46 4946 0001 0200 0064 ......JFIF.....d
00ffd80 f6f6 f6f6 f6f6 f6f6 f6f6 f6f6 f6f6 f6f6 ................

# Second, I convert the address from hex to denary

sandeggs@laptop-os~> echo "ibase=16; 0006800" | bc
26624

# Third, I locate footer candidates after the header but before subsequent headers

sandeggs@laptop-os~> xxd image.dd | grep ffd9
001ed60 6275 7a68 8292 faff ffd9 fdfd 7e94 9f78 buzh........~..x
0024130 fdfe fcfb fcfa fdff fffc fbfd ffff ffd9 ................
003d430 15d7 f62d efde 962b ae55 b3ac 651e ffd9 ...-...+.U..e...
003dc90 b9bd f253 ffd9 d958 eb5c 9d8f dfa9 bc7a ...S...X.\.....z
004b200 f49e 1a65 ffd9 9a4b d26e 5beb 87ad b924 ...e...K.n[....$
004ee30 78c9 2eac f712 5b75 6b47 eb42 ffd9 8455 x.....[ukG.B...U
0052590 ed9b 1d98 cfb9 5ec2 23c6 f93a 7fa4 ffd9 ......^.#......
00589d0 28af de2b deb3 68bd f20c 83e7 ffd9 afb6 (..+..h.........
007c530 8a93 ba69 946f 30cf 0b57 5c9e ffd9 b11e ...i.o0..W\.....
00ffd90 f6f6 f6f6 f6f6 f6f6 f6f6 f6f6 f6f6 f6f6 ................

# Again convert the address to denary

sandeggs@laptop-os~> echo "ibase=16; 001ED69" | bc
126313

# Take the latter from the former for the file size

sandeggs@laptop-os~> echo "126313 - 26624" | bc
99689

# Use dd to extract one block of 99689 bytes starting after the first 26624 bytes and saving it to a file called myjpegpic.

sandeggs@laptop-os~> dd if=image.dd bs=1 count=99689 skip=26624 of=myjpegpic
99689+0 records in
99689+0 records out
99689 bytes (109 kB) copied, 1.64528 s, 66.2 kB/s

I know that there are simpler ways but I'm demonstrating something to get the student's grey matter working and hopefully get them to understand what goes on behind the scenes in any tools they may later use.

Steak'n'Eggs


   
ReplyQuote
(@patrick4n6)

I second Beetle's comment…I would be very interested to see the process used to carve using dd or dcfldd.

Thank you.

It's relatively simple. The good thing about PDFs is that they are too large to be resident, so you're dealing with straight cluster carving. Identify the offset to the file type header match, and then use DD with the BS, SKIP and COUNT parameters. Of course this isn't so great if you have fragmentation, but then nothing is good at fragmentation with no directory entries.

E.g., your drive uses 4k clusters, and you locate a hit for the file signature at cluster 50123. Determine a reasonable size for a carve, say 100k, and you get

> dd if=/jobs/case123/image123.dd of=/jobs/case123/export/carve0001.pdf bs=4k skip=50123 count=25

It's relatively simple to script something like that also to handle multiple file types.

If you have identified the offset of the PDF header, with presumably a hex editor, isn't it just easier to select a block from that point to where you think the file ends, copy it out and write out to a new file a la old style Norton disk editor deleted file recovery? Using dd as you set out would work but is an additional step with another tool that's not necessarily the most efficient approach. I suspect the exercise (assumed) was set by the instructor or teacher after the introduction of the various tools had been made during a lecture or class demonstration (this is all assuming this is some kind of class exercise) and that the point is to take these tools and effectively use them.

I never suggested that it's elegant, I simply demonstrated how to do it. And I wouldn't be working on the basis of manual inspection with a hex editor there, since clearly you'd use the editor to carve. I'm talking more of automating search and carve through scripting with a list of known file headers. I used a similar method around 10 years ago, but I wouldn't bother with the tools I have now.
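As an added illustration of both walkthroughs in this thread (the xxd/bc/dd JPEG carve and the cluster-aligned PDF carve), not code from either poster: this Python script pairs each JPEG header with the first footer before the next header, computes the byte count so that both bytes of the ffd9 trailer are included, and prints the equivalent dd invocations. The sample image, file names and function names are constructed for the example; scanning raw bytes also catches markers that grep on xxd output would miss when the two bytes fall in different 16-bit groups or on different lines.

```python
import re

SOI = re.compile(rb"\xff\xd8\xff")   # JPEG start-of-image plus the first marker's ff
EOI = b"\xff\xd9"                    # JPEG end-of-image

def build_sample_image() -> bytes:
    """Constructed stand-in for the floppy image: filler, a minimal JFIF file,
    a stray ffd8 inside unrelated data, more filler, then a second JFIF file."""
    jfif1 = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x02\x00\x00d" + b"\x11" * 40 + EOI
    jfif2 = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00H" + b"\x22" * 70 + EOI
    stray = b"\xc0\xf2\xff\xd8\xd3\xee"   # ffd8 not followed by ff: a grep hit, not a header
    return b"\x00" * 512 + jfif1 + b"\xf6" * 100 + stray + b"\xf6" * 50 + jfif2 + b"\xf6" * 64

def find_jpegs(data: bytes):
    """Return (offset, size) for every header that has a footer before the next header.
    Scanning raw bytes finds markers even where xxd would split them across a word or line."""
    headers = [m.start() for m in SOI.finditer(data)]
    found = []
    for i, start in enumerate(headers):
        limit = headers[i + 1] if i + 1 < len(headers) else len(data)
        end = data.find(EOI, start + 2, limit)
        if end == -1:
            continue   # no footer before the next header: truncated or fragmented, skip it
        found.append((start, end + 2 - start))   # size covers both bytes of ffd9
    return found

def carve(data: bytes) -> dict:
    """Map header offset -> carved bytes, the same slice dd bs=1 skip=offset count=size gives."""
    return {off: data[off:off + size] for off, size in find_jpegs(data)}

def dd_command(offset: int, size: int, image="image.dd", out="carved.jpg") -> str:
    """Byte-granular dd line matching the final step of the xxd/bc walkthrough."""
    return f"dd if={image} bs=1 count={size} skip={offset} of={out}"

def cluster_dd_command(cluster: int, carve_bytes: int, cluster_size: int = 4096,
                       image="image.dd", out="carve0001.pdf") -> str:
    """Cluster-aligned variant from the PDF example: bs=cluster size, skip=cluster
    number, count rounded up so a generous carve never cuts the file short."""
    count = -(-carve_bytes // cluster_size)
    return f"dd if={image} of={out} bs={cluster_size} skip={cluster} count={count}"

if __name__ == "__main__":
    image = build_sample_image()
    for off, size in find_jpegs(image):
        print(f"header at {off:#x} ({off}), {size} bytes ->", dd_command(off, size))
    print(cluster_dd_command(50123, 100 * 1024))
```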
