Find file signature and offset in hex

85 pts.
Tags: Data Recovery, digital forensics
I am trying to recover files off of a Mac OS internal hard drive that got updated. I have the drive plugged in externally at the moment to avoid overwriting anything further. The program I'm using requires the signature and offset in order to add a custom file type to the recovery search list. The files I'm trying to recover are from several programs that have unique extensions (Affinity Photo, Affinity Designer, Scrivener, and some other Mac apps). Any idea how I can find this for such an uncommon filetype? Or how to read the hex code in order to get the offset and signature?


Software/Hardware used:
Mac OS, Mojave, Remo recovery, Affinity designer, Affinity photo, Growly notes, logic pro X, scrivener,

Discuss This Question: 14  Replies

 
  • Subhendu Sen

    There is some confusion. If your Mac OS HDD got updated, then why are you trying to recover this? Was it corrupted at the time of updating? Was it recommended by Mac? Is an error shown?

    Please provide more details.

    140,480 points
  • samuelm9
    Oh right, sorry for the lack of specificity. I intended to say that it was a failed update. Everything but my applications was either deleted or rendered unreadable for some reason (maybe corruption as you suggested). Anyway, the drive shows up with storage being nearly empty, as if all that is left is apps. I can confirm that there is still recoverable data (several hundred gigs worth) and I have been able to recover some of it; however, some of the files I get are corrupted by the recovery program, partially because of the odd filetypes. I switched to a more intensive recovery software. The problem I have is that when I'm trying to enter a custom filetype for recovery, it asks for the file signature (in hex) and the offset. I'm not super savvy with hex code, so I have really no clue how to find those two things.
    85 points
  • ToddN2000
    You can try a site like this one
    133,720 points
  • ToddN2000
    Or this one on Wikipedia that has a bit more info including the offset.

    133,720 points
  • samuelm9
    Tried both sites; however, the filetype is not there. Again, probably too rare of a filetype for anyone to have posted it.
    85 points
  • ToddN2000
    Do you have the Affinity Designer and Photo software, or are you looking to recover these to use in a different application?
    133,720 points
  • samuelm9
    I own the software. I have no idea why but my hard drive saved all of my apps, I just lost my files.
    85 points
  • ToddN2000
    That sounds like a virus or malware. Hackers tend to target our personal data files. They are hoping you don't have a backup, and a lot of people don't, and will lose your data or they will hold it for ransom. With programs and apps you can always just reinstall or download them again. They are not usually a hacker's primary target.
    133,720 points
  • samuelm9
    OK, but:
    1. I'm not sure why I would lose my data and not have any "ransom" requested, and why would I even be targeted for that kind of attack. It only happened when I updated, so unless I was specifically targeted I didn't download anything that could do that, and I check for malware/viruses rather often, though I suppose I'll check again today, since I'll admit the data loss was kind of unexpected.

    2. Since I've had success in recovering some of my data already and there appears to be much more on the drive (when I do a deep scan of the drive), how can I simply find the file signature and offset for a specific filetype so I can recover them?
    85 points
  • ToddN2000
    There were a few links that pointed to a bug when updating photos losing some EXIF data when exporting. They recommended applying the June software update. 
    133,720 points
  • ToddN2000
    There was also a forum where someone was getting a message that their files were corrupt. Affinity was telling them they might be able to recover them. I guess it depends if you were working on the file locally or on their NAS.

    133,720 points
  • samuelm9
    OK, I'll look into that. But I also still want to know how to find a file signature and offset, unless it's just too complicated, because I am still trying to recover other filetypes as well and need to add the custom file settings to my recovery software.
    85 points
  • TheRealRaven
    What "signature and offset" are you looking for? Essentially, if it's part of the file metadata, it should be found by the recovery software itself... unless the file header is corrupted. Further, they should be in the same locations in every file. Once corrupted, though, you might need to ask the developer/creator of each file type. I'm not sure who else would know.

    But other than that, it's not clear what you need.
    35,650 points
  • ToddN2000
    You can also try this site. It has sample code for doing it using PowerShell.

    133,720 points
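
As an added example, not part of the original thread: one way to derive a candidate signature and offset for an undocumented file type is to compare the first bytes of several intact files of that type (for instance, new files saved from the installed application) and keep the bytes that are identical at the same position in every sample. The function names and the `DEMO` format below are constructed for illustration.

```python
import sys
from pathlib import Path

HEADER_LEN = 512  # only the start of each file is compared

def common_runs(samples, min_len=4):
    """Return (offset, bytes) for every run identical at the same offset in all samples."""
    if len(samples) < 2:
        raise ValueError("need at least two different sample files")
    limit = min(len(s) for s in samples)
    runs, start = [], None
    for i in range(limit + 1):  # one extra step closes a run that reaches the end
        same = i < limit and all(s[i] == samples[0][i] for s in samples)
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_len:
                runs.append((start, samples[0][start:i]))
            start = None
    return runs

def best_signature(samples, min_len=4):
    """First shared run that is not one repeated byte (padding matches anywhere)."""
    for offset, run in common_runs(samples, min_len):
        if len(set(run)) > 1:
            return offset, run
    return None

def describe(samples):
    """Format the candidate as 'offset N: HH HH ...' for entry into a recovery tool."""
    found = best_signature(samples)
    if found is None:
        return "no shared signature found"
    offset, run = found
    return f"offset {offset}: {run.hex(' ').upper()}"

# Constructed samples of an invented format: 4 varying bytes, a fixed
# 7-byte magic at offset 4, differing content, then zero padding.
MAGIC = b"\xffDEMO\x00\x01"
DEMO = [
    b"\x10\x21\x32\x43" + MAGIC + b"alpha-document" + bytes(8),
    b"\x9c\x02\x11\x05" + MAGIC + b"bravo-notebook" + bytes(8),
    b"\x07\xee\x5a\x99" + MAGIC + b"charlie-sketch" + bytes(8),
]

if __name__ == "__main__":
    paths = sys.argv[1:]
    data = [Path(p).read_bytes()[:HEADER_LEN] for p in paths] if paths else DEMO
    print(describe(data))
```

Run it with the paths of several known-good files of one type as arguments; the more samples with different content, the less likely a coincidental match is reported as the signature.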
