12. Creating custom signature for PhotoRec
PhotoRec recognizes numerous file formats. More than 480 file extensions (about 300 file families) are referenced. In example, PhotoRec is able to identify the JPEG file format and it can recover lost files using this format whatever the original file extension (jpg, jpeg, JPG…).
To check if a file format is already recognized, you can
consult the file formats.
submit a sample file to the PhotoRec online checker.
use fidentify on a file sample (See Running Fidentify under Windows or Running Fidentify under Linux or macOS)
[kmaster@adsl ~]$ fidentify /home/kmaster/src/testfiles/sample.pfi
/home/kmaster/src/testfiles/sample.pfi: unknown
In this case, the file type is listed as unknown, so PhotoRec can’t recover this kind of file, at least for the moment. We will check if it’s possible to add a custom signature for it.
If instead of unknown an extension is listed, PhotoRec knows this file format, it may recover the file with another extension than the extension you are used to.
12.1. Signature Syntax
The file must contain one signature definition per line. A signature is composed of
extension name
offset of the signature
signature or magic value
The magic value can be composed of
a string, e.g. “data”. Special characters can be escaped like “b”, “n”, “r”, “t”, “0” or “\”.
hexadecimal data, e.g. 0x12, 0x1234, 0x123456… Note that 0x123456, 0x12 0x34 0x56 and 0x12, 0x34, 0x56 are equivalents.
space or comma delimiters are ignored
By using an hexadecimal editor, you can see that the pfi file from our example begins by a distinctive string PhotoFiltre Image at offset 0.
[kmaster@adsl ~]$ hexdump -C /home/kmaster/src/testfiles/sample.pfi | head
00000000 50 68 6f 74 6f 46 69 6c 74 72 65 20 49 6d 61 67 |PhotoFiltre Imag|
00000010 65 03 40 06 00 00 b0 04 00 00 40 19 01 00 40 19 |e.@.......@...@.|
00000020 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
The signature can be written as
pfi 0 "PhotoFiltre Image"
or
pfi 0 "PhotoFiltre", 0x20, "Image"
or if you prefer hexadecimal
pfi 0 0x50686f746f46696c74726520496d616765
From fidentify/photorec point of view, the signatures are identical.
Warning
Be careful, hexdump displays non-printable chars as dots. The following signature is wrong:
pfi 0 "PhotoFiltre Image."
This signature using an hexadecimal value instead of a dot is correct:
pfi 0 "PhotoFiltre Image", 0x03
12.2. File location
PhotoRec searches for the signature file named
Windows:
photorec.sigin the USERPROFILE or HOMEPATH directory, e.g.C:\Documents and Settings\bob\orC:\Users\bob.Linux and macOS:
.photorec.sigin the HOME directory, e.g./home/bob
photorec.sigin the current directory
This file doesn’t exist by default, you need to create one. Using a text editor (e.g. notepad, vim…), create the signature file and add the signature you have identified.
12.3. Check your custom signature with fidentify
fidentify now perfectly identify the file
[kmaster@adsl ~]$ fidentify /home/kmaster/src/testfiles/sample.pfi
/home/kmaster/src/testfiles/sample.pfi: pfi
If fidentify doesn’t recognize the signature,
check your signature, it may be incorrect
verify that the signature file is a true ASCII text file. It must not begin by EF BB BF (UTF-8 Byte Order Mark) or FF FE (UTF-16 LE BOM) by example.
verify the filename of your signature file
12.4. Run PhotoRec
You are now ready to use PhotoRec with your custom signature to recover your files. If a signature file is present, PhotoRec will use it by default.
Warning
If you are using a .photorec.sig in your HOME directory, be warned that when running photorec as root (ie. via the sudo command), photorec will search in /root/.photorec.sig, not in your user home directory. So you may have to copy the .photorec.sig file first.
12.5. Improved file recover
To control all aspects of the recovery (file content check, file size control, footer detection…), the best way to add a signature, if you are developer, is to modify PhotoRec itself.
Commercial support is also available from the author grenier@cgsecurity.org.