Add your own extension to PhotoRec

From CGSecurity
Jump to: navigation, search

En.png english version It.png versione italiana


Since PhotoRec 6.12, it is possible to add your own custom signatures to PhotoRec. Custom signatures are enabled by default in the [FileOpts] menu:
Photorec FileOpts.png

Signature creation

How to verify if PhotoRec already detect the file format ?

  • Consult the list of file formats recovered by PhotoRec. More than 320 file extensions (about 200 file families) are referenced.
  • Start a console/terminal/shell (cmd Under Windows) and run fidentify with a file sample in parameter:
[kmaster@adsl ~]$ fidentify /home/kmaster/src/testfiles/sample.pfi
/home/kmaster/src/testfiles/sample.pfi: unknown

In this case, the file type is listed as unknown, so PhotoRec can't recover this kind of file, at least for the moment. We will check if it's possible to add a custom signature for it.

If instead of unknown an extension is listed, PhotoRec knows this file format but it may recover the file with another extension. Please contact the developer and provide a few file samples.

Signature Syntax

The file must contain one signature definition per line. A signature is composed of

  • extension name
  • offset of the signature
  • signature or magic value

The magic value can be composed of

  • a string, ie "data". Special characters can be escaped like "\b", "\n", "\r", "\t", "\0" or "\\".
  • hexadecimal data, ie 0x12, 0x1234, 0x123456... Note that 0x123456, 0x12 0x34 0x56 and 0x12, 0x34, 0x56 are equivalents.
  • space or comma delimiters are ignored

By using an hexadecimal editor, you can see that the pfi file from our example begins by a distinctive string PhotoFiltre Image at offset 0.

[kmaster@adsl ~]$ hexdump -C /home/kmaster/src/testfiles/sample.pfi | head
00000000  50 68 6f 74 6f 46 69 6c  74 72 65 20 49 6d 61 67  |PhotoFiltre Imag|
00000010  65 03 40 06 00 00 b0 04  00 00 40 19 01 00 40 19  |e.@.......@...@.|
00000020  01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

The signature can be written as

pfi 0 "PhotoFiltre Image"

or

pfi 0 "PhotoFiltre", 0x20, "Image"

or if you prefer hexadecimal

pfi 0 0x50686f746f46696c74726520496d616765

From fidentify/PhotoRec point of view, the signatures are identical.

File location

PhotoRec searches for the signature file named

  • win.png photorec.sig in the USERPROFILE or HOMEPATH directory, ie. C:\Documents and Settings\bob\ or C:\Users\bob.
  • linux.png .photorec.sig in the HOME directory, ie. /home/bob
  • photorec.sig in the current directory

This file doesn't exist by default, you need to create one.
Using a text editor (ie. notepad, vim...), create the signature file and add the signature you have identified.

Check your custom signature with fidentify

fidentify now perfectly identify the file

[kmaster@adsl ~]$ fidentify /home/kmaster/src/testfiles/sample.pfi
/home/kmaster/src/testfiles/sample.pfi: pfi

If fidentify doesn't recognize the signature,

  • check your signature, it may be incorrect
  • verify that the signature file is a true ASCII text file. It must not begin by EF BB BF (UTF-8 Byte Order Mark) or FF FE (UTF-16 LE BOM) by example.
  • verify the filename of your signature file

Run PhotoRec

You are now ready to use PhotoRec with your custom signature to recover your files. If a signature file is present, PhotoRec will use it by default.

Improved file recovery

To control all aspects of the recovery (file content check, file size control, footer detection...), the best way to add a signature, if you are developer, is to modify PhotoRec itself.
Commercial support is also available from the author.