File recovery
Search for specific content
This is useful, e.g. if the file got deleted and it’s header bytes got destroyed, or if it is unclear/irrelevant what file the content is in.
- Extract all strings from the image, along with their decimal offset (
-t d
):srch_strings -t d image.dd > image.str
- Identify a meaning full string which can be used to search for in the image, e.g.
- Use
xxd
for a hex view of a specific file, which we want to look for in the image (xxd myfile.pdf
)
- Use
- Search for that string within the extracted strings
grep -i "mytext" image.str
- Divide the decimal offset printed by the command above by the sector size (e.g. 512) to get the sector address.
- Use
blkcat
to view the content at this specific sector address of the image:blkcat -h image.dd 567553