Login/Register
Extracting jpegs from a disk dump
Asked Answered
Solved hexjpegdata-retrievaldata-recoverycomputer-forensics
I

5

5

I've got a 16GB memory card off someone that won't load properly (asks to be reformatted). I'm trying to get jpegs off it.

I've run dd to dump the contents to a file, which worked splendidly. The file won't mount and be read, so the contents are corrupt in someway.

Opening the dump in a hex editor shows that there is data on there, and by looking for the markers for the start and end of a jpeg (FFD8 and FFD9), I've been able to manually extract the first 3 jpegs.

Before I go and write some code to stream the file, find the offsets and dump the files, is there any existing way to do this? I can't find anything with a simple google search, but don't want to solve a problem which must have been solved many times before.

Does anyone know of either some software or a decent library (Python would be nice as I'm familiar with the language, though anything would do) that will easily let me extract the jpegs, or am I better off just writing the code myself?

Incapacity answered 25/2, 2012 at 17:45 Comment(0)
D
6

You want a computer forensics carving tool.

There are two obvious choices for this problem. The first is the open source photorec. The second is the commercial tool Adroit Photo Forensics. I've used both tools on many occasions. Adroit will recover files that are fragmented and does a better job eliminating false positives, but it is pricy. In all likelihood you'll be fine with photorec.

Duck answered 26/2, 2012 at 17:27 Comment(4)
Photorec is brilliant - jpeg extractor wasn't great, and my own code was too naive and awful - this is awesome! Hoping to get all the photos back, looking good so far!Incapacity
By the way, for future people finding this, using photorec against the card reckoned it would take 2 hours, running it against a copy made using dd is only 20 minutes.Incapacity
If anyone else is reading this and PhotoRec gives you problems, also try Scalpel or Foremost. Both can be installed via apt-get in Ubuntu.Georgettegeorgi
Don't use Foremost. It's not maintained. Scalpel is a false positive generator. We reviewed the various programs and found that PhotoRec did everything the others did and had fewer false positives.Duck
C
3

Here is a program that i wrote to do this using python, it reads a file that contains the image data and separates it into individual files. 

import hashlib

inputfile = 'data.txt'
marker = chr(0xFF)+chr(0xD8)

# Input data
imagedump = file(inputfile, "rb").read()

imagedump = imagedump.split(marker)

count=0
for photo in imagedump:
    name = hashlib.sha256(photo).hexdigest()[0:16]+".jpg"
    file(name, "wb").write(marker+photo)
    count=count+1
    print count

The script names the found images with their sha256 digest and all of the photos that it finds will be dumped in the current directory.

Here is a way that you can test the script to see if it is working correctly: type cd ~/images/ then make the folder mkdir test then dump a some jpegs into a singe file in the directory cat *.jpg > ./test/data.txt then cd test and put the script into the current directory, then run the script python extract.py and the jpegs will be jumped in the current folder.

Calorie answered 20/10, 2013 at 22:20 Comment(1)
Works and outputs all the images I was expecting to find, but also seem to output some extra files that aren't actually jpegs.Cellulosic
I
0

Well, after much searching, I found this:

http://www.digiater.nl/openvms/decus/vmslt02a/net/jpeg-extractor.html

It's finds a lot of rubbish on a 16GB card, I guess the probability of FFD8 and FFD9 showing up is high when you have that many bytes. So far it has found 50,000 images, but of those many are just coincidentally jpegs, and aren't images.

Hope this helps anyone else who has a programming bent, and tries to code everything, even when not needed!

Incapacity answered 25/2, 2012 at 18:9 Comment(0)
W
0

in windows there is a program FTK

http://accessdata.com/products/computer-forensics/ftk

also, its interesting an forensic editor like winhex http://www.x-ways.net/winhex/index-e.html

On linux plataform, there are some forensic distribution with a complete set of forensic tools helix (have to search the old free version) caine sleuth kit

you have to add the image file, there are browser functions depending on the file type

greetings alvaro

Whisk answered 2/3, 2012 at 7:25 Comment(0)
A
0

You can easily recover all your in-accessible jpeg images by using effective Photo Recovery Software. As this software is well helmeted with advanced and sophisticated techniques by the help of which it recover all data in its original file format.

Read more at: http://www.jpeg-recovery.org/undelete-lost-pct-images-after-cf-showing-memory-card-parameter-error-message

Arborescent answered 3/5, 2013 at 6:16 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.