my current recovery job requires to recover fragmented files (zip-archives) from unallocated space.
scalpel is usually my first-choice tool, however this particular machine stores 100 bytes of metadata infront of every file.
I do want to use cluster-aligned mode, since all data is perfectly cluster aligend.
My fear however is, that rewriting the header definition (e.g. preceeding it with 100 "?") of a zip-file within the scalpel.conf will break the zip-file handling.
My suggestion would be to introduce an offset (or a list of offests) that will be used to locate a file's header not only at byte 0 of a cluster but at any given offset.
Hello,
my current recovery job requires to recover fragmented files (zip-archives) from unallocated space. scalpel is usually my first-choice tool, however this particular machine stores 100 bytes of metadata infront of every file.
I do want to use cluster-aligned mode, since all data is perfectly cluster aligend.
My fear however is, that rewriting the header definition (e.g. preceeding it with 100 "?") of a zip-file within the scalpel.conf will break the zip-file handling.
My suggestion would be to introduce an offset (or a list of offests) that will be used to locate a file's header not only at byte 0 of a cluster but at any given offset.