Custom File Type Help

A forum on data recovery using the professional data recovery software R-STUDIO.
nickstiv
Posts: 2
Joined: Fri Jan 29, 2016 5:00 pm

Custom File Type Help

Post by nickstiv » Fri Jan 29, 2016 5:11 pm

I'm trying to create a custom file type for an encrypted file container. There is no static file header, but there is a footer.. kind of.

64 bytes before the end of the file we print the text MD5E, then print a bunch of zeros, and finally an md5sum value.

here is an example, this is the END of a file, the 'first' 3 lines are static, the last line will change as it's an md5sum of the file itself.

0003dd40 01 4d 44 35 45 00 00 00 00 00 00 00 00 00 00 00 |.MD5E...........| **STATIC**
0003dd50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| *STATIC**
0003dd60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| **STATIC**
0003dd70 08 82 54 31 80 9f be ed 6e fb 05 89 bd 35 e0 f7 |..T1....n....5..| *VARIABLE DATA**

so if i did this right here is my xml file, i defined an offset of 64 bytes for my end of file. If my understanding is right this tells the program to look 64 bytes back from the end of the file for the end of file signature? then the included signature is only be 48 bytes, as the last 16 bytes will be variable data.

<?xml version="1.0" encoding="UTF-8"?>
<FileTypeList version="2.0">
<FileType id="50001" group="DCM FILES" description="PFILE" features="" extension="C0W">
<Begin combine="OR"/>
<End combine="AND">
<Signature offset="64">\x01MD5E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00</Signature>
</End>
</FileType>
</FileTypeList>


This isn't working and is not finding anything. So i must be doing soething wrong.

Data-Medics
Posts: 148
Joined: Tue Oct 20, 2015 10:13 am
Location: Providence, RI USA
Contact:

Re: Custom File Type Help

Post by Data-Medics » Sat Jan 30, 2016 4:40 pm

You need to define both the beginning and the end of the file. If there's no unique opening signature, how do you expect to find the beginning of the files? Just finding the end isn't likely to be much help unless you plan to manually go in and try to determine the starting sectors.

The only way I know how to do this is if the files are a relatively fixed size, in which case you can use the closing signature also as the starting value with an offset calculated to hit the beginning of the file. Do you have any sample files you can post that I could look at?

I assume these are WinACE archive files?

nickstiv
Posts: 2
Joined: Fri Jan 29, 2016 5:00 pm

Re: Custom File Type Help

Post by nickstiv » Sun Jan 31, 2016 1:01 pm

They are not fixed file size. We have an in house application that stores sensitive information in our own file container. I was hoping this would work without a beginning signature. Back to the drawing board.

Alt
Site Moderator
Posts: 2271
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: Custom File Type Help

Post by Alt » Mon Feb 01, 2016 10:51 am

Encrypted disk containers are really pain, say, in the neck for data recovery. Their contents is pseudo-random data, and good ones have no footers/headers at all.

Post Reply