Carved files are often equal in size to the original file

I have experienced this a couple times.

I will use binwalk to analyze a memory image or unknown data blob. When it carves files, the files are often close to the file from which they were carved in size, even if there are so many valid detections that it is simply not possible for all carved data to fit in the original file.

For example, I have a file – x that is 1.3 GB. x contains several contiguous zlib-compressed blobs. Binwalk will carve out that many _unextracted_ blobs, but all between 1.0 GB and 1.3 GB.

Unfortunately, I cannot share file x.

Issue Analytics

  • State: closed
  • Created 8 years ago
  • Comments: 10 (1 by maintainers)

Top GitHub Comments

3 reactions
E3V3A commented, Oct 19, 2018

@CoffeeExpress Why was this issue closed? It doesn’t seem to have been fixed…

# mkdir testcarv
# cd testcarv/
# dd if=/dev/zero of=head bs=1 count=512
# dd if=/dev/zero of=junk bs=1 count=512000
# wget https://www.debian.org/logos/openlogo-100.jpg
# cat head openlogo-100.jpg junk > full
# ls -alh

-rw-rw-rw-+ 1 xxxx xxxx 509K Oct 19 08:20 full
-rw-rw-rw-+ 1 xxxx xxxx 512 Oct 19 08:19 head
-rw-rw-rw-+ 1 xxxx xxxx 500K Oct 19 08:19 junk
-rw-rw-rw-+ 1 xxxx xxxx 8.3K Jun  1 07:50 openlogo-100.jpg

# binwalk -z -C demo -D 'jpeg:jpg' full

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
512           0x200           JPEG image data, JFIF standard 1.02
1074          0x432           JPEG image data, JFIF standard 1.02

# ls -alhR demo/

-rw-rw-rw-+ 1 xxxx xxxx 509K Oct 19 08:20 200.jpg
-rw-rw-rw-+ 1 xxxx xxxx 508K Oct 19 08:20 432.jpg

0 reactions
malaterre commented, Nov 27, 2016

For anyone reading this, you need to use a recent p7zip implementation. binwalk expects the unzip implementation to read a file from the start, while some read the file starting from the end, leading to odd behavior. See here for more info.
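
Added example, not part of the issue thread or of binwalk's code: the carved sizes in the listing above (509K and 508K out of a 509K input) are what a carve produces when it has a start offset but no end offset and so runs to the end of the input. For the contiguous zlib blobs described in the issue, the true end of each stream can be measured by decompressing from the candidate offset and subtracting `unused_data`. The names `zlib_stream_spans` and `build_sample` are hypothetical, and the sample blob is constructed.

```python
import zlib

def zlib_stream_spans(blob, chunk=65536):
    """Return (offset, compressed_len, decompressed_len) for each complete
    zlib stream in blob, measuring where each stream really ends."""
    spans, pos = [], 0
    while pos < len(blob) - 1:
        cmf, flg = blob[pos], blob[pos + 1]
        # RFC 1950 header: deflate method, window <= 32K, 16-bit check % 31 == 0
        if cmf & 0x0F != 8 or cmf >> 4 > 7 or ((cmf << 8) | flg) % 31:
            pos += 1
            continue
        d = zlib.decompressobj()
        out_len, cur = 0, pos
        try:
            while not d.eof and cur < len(blob):
                out_len += len(d.decompress(blob[cur:cur + chunk]))
                cur += chunk
        except zlib.error:
            pos += 1          # false-positive signature, keep scanning
            continue
        if not d.eof:
            pos += 1          # truncated stream: no trustworthy end offset
            continue
        # Bytes fed so far, minus what the decompressor did not consume.
        end = min(cur, len(blob)) - len(d.unused_data)
        spans.append((pos, end - pos, out_len))
        pos = end             # the next stream may start right here
    return spans

def build_sample():
    # Constructed sample: padding, three back-to-back zlib blobs, padding.
    parts = [zlib.compress(bytes([i]) * 5000 + b"payload %d" % i)
             for i in range(3)]
    return b"\x00" * 512 + b"".join(parts) + b"\x00" * 4096, parts

if __name__ == "__main__":
    blob, _ = build_sample()
    for off, clen, dlen in zlib_stream_spans(blob):
        print(f"0x{off:X}: {clen} compressed bytes -> {dlen} bytes; "
              f"a carve to end of input would write {len(blob) - off}")
```

Comparing the measured compressed length with the size of a carved file shows how much of that file is trailing data from the rest of the image.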
