needleinthehay.de

File recovery

Search for specific content

This is useful, e.g., if the file was deleted and its header bytes were destroyed, or if it is unclear or irrelevant which file the content is in.

  1. Extract all strings from the image, along with their decimal offset (-t d):
    srch_strings -t d image.dd > image.str
  2. Identify a meaningful string to search for in the image, e.g.:
    • Use xxd for a hex view of a specific file that we want to look for in the image (xxd myfile.pdf)
  3. Search for that string within the extracted strings:
    grep -i "mytext" image.str
  4. Divide the decimal offset printed by the command above by the sector size (e.g. 512), discarding the remainder, to get the sector address.
  5. Use blkcat to view the content at this specific sector address of the image:
    blkcat -h image.dd 567553
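
Steps 3 to 5 combined into one helper, as an added example that is not part of the original page: it searches a `srch_strings -t d` listing and prints, for every hit, the byte offset, the sector address to pass to blkcat, and the position of the string inside that sector. The function names `hits_to_sectors` and `sample_listing` and the sample listing lines are constructed for illustration.

```shell
#!/bin/sh
# hits_to_sectors PATTERN STRFILE [SECTOR_SIZE]
# STRFILE is the output of: srch_strings -t d image.dd > image.str
# Prints one line per hit: <byte offset> <sector> <offset in sector> <string>
hits_to_sectors() {
    pattern=$1
    strfile=$2
    ssize=${3:-512}            # sector size, 512 unless given
    grep -i -- "$pattern" "$strfile" | while read -r off text; do
        # Skip any line that does not start with a decimal offset.
        case $off in
            ''|*[!0-9]*) continue ;;
        esac
        # Integer division gives the sector; the remainder says where in
        # the blkcat hex dump of that sector the string begins.
        echo "$off $((off / ssize)) $((off % ssize)) $text"
    done
}

# Constructed sample of a strings listing (decimal offset, then the string).
sample_listing() {
    printf '%s\n' \
        '    512 %PDF-1.4' \
        '   1049 some MyText here' \
        '290587150 mytext in a deleted PDF stream'
}

# Demo: list the hits, then view a sector with e.g. blkcat -h image.dd 567553
tmp=$(mktemp)
sample_listing > "$tmp"
hits_to_sectors "mytext" "$tmp"
# → 1049 2 25 some MyText here
# → 290587150 567553 14 mytext in a deleted PDF stream
rm -f "$tmp"
```

A non-zero offset in the third column means the string starts partway into the sector, so the surrounding content may begin in an earlier sector.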