Re: [Scid-users] recover a scid database

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hello,

Can someone help me with teh headers and/or footers of si4, sn4 and sg4
files?

I am using scarpel to recover files

Pass part of its configuration file:

Thanks

Esteban

# Scalpel configuration file

# This configuration file controls the
# types and sizes of files that are carved by Scalpel.  Currently,
# Scalpel can read Foremost 0.69 configuration files, but Scalpel
# configuration files may not be backwards-compatible with Foremost.
# In particular, maximum file carve size under Foremost 0.69 is 4GB,
# while in the current version of Scalpel, it's 16EB (16 exabytes).

# For each file type, the configuration file
# describes the file's extension, whether the header and footer are
# case sensitive, the maximum file size, and the header and footer for
# the file. The footer field is optional, but header, size, case
# sensitivity, and extension are required.  Any line that begins with a
# '#' is considered a comment and ignored. Thus, to skip a file type
# just put a '#' at the beginning of that line

# Headers and footers are decoded before use. To specify a value in
# hexadecimal use \x[0-f][0-f] and for octal use \[0-3][0-7][0-7].
# Spaces can be represented by \s. Example: "\x4F\123\I\sCCI" decodes
# to "OSI CCI".  # To match any single character (aka a wildcard) use
# a '?'. If you need to search for the '?' character, you will need to
# change the 'wildcard' line *and* every occurrence of the old
# wildcard character in the configuration file. '
#
# Note: ?' is equal to 0x3f and \063.
#
# If you want files carved without filename extensions,
# use "NONE" in the extension column.

# The REVERSE keyword after a footer causes a search
# backwards starting from [size] bytes beyond the location of the header
# This is useful for files like PDFs that may contain multiple copies of
# the footer throughout the file.  When using the REVERSE keyword you will
# extract bytes from the header to the LAST occurence of the footer (and
# including the footer in the carved file).
#
# The NEXT keyword after a footer results in file carves that
# include the header and all data BEFORE the first occurence of the
# footer (the footer is not included in the carved file).  If no
# occurrence of the footer is discovered within maximum carve size bytes
# from the header, then a block of the disk image including the header
# and with length equal to the maximum carve size is carved.  Use NEXT
# when there is no definitive footer for a file type, but you know which
# data should NOT be included in a carved file--e.g., the beginning of
# a subsequent file of the same type.
#
# FORWARD_NEXT is the default carve type and this keyword may be
# included after the footer, but is not required.  For FORWARD_NEXT
# carves, a block of data including the header and the first footer
# (within the maximum carve size) are carved.  If no footer appears
# after the header within the maximum carve size, then no carving is
# performed UNLESS the -b command line option is supplied.  In this case,
# a block of max carve size bytes, including the header, is carved and a
# notation is made in the Scalpel log that the file was chopped.

# To redefine the wildcard character, change the setting below and all
# occurences in the formost.conf file.
#
#wildcard  ?

#        case    size    header            footer
#extension   sensitive
#
#---------------------------------------------------------------------
# EXAMPLE WITH NO SUFFIX
#---------------------------------------------------------------------
#
# Here is an example of how to use the no extension option. Any files
# beginning with the string "FOREMOST" are carved and no file extensions
# are used. No footer is defined and the max carve size is 1000 bytes.
#
#      NONE     y      1000     FOREMOST
#
#---------------------------------------------------------------------
# GRAPHICS FILES
#---------------------------------------------------------------------
#
#
# AOL ART files
#    art    y    150000    \x4a\x47\x04\x0e    \xcf\xc7\xcb
#      art    y     150000    \x4a\x47\x03\x0e    \xd0\xcb\x00\x00
#
# GIF and JPG files (very common)
#    gif    y    5000000        \x47\x49\x46\x38\x37\x61    \x00\x3b
#      gif    y     5000000        \x47\x49\x46\x38\x39\x61    \x00\x3b
#     jpg    y    200000000    \xff\xd8\xff\xe0\x00\x10    \xff\xd9
#
#
# PNG
#      png    y    20000000    \x50\x4e\x47?    \xff\xfc\xfd\xfe
#
#
# BMP     (used by MSWindows, use only if you have reason to think there are
#          BMP files worth digging for. This often kicks back a lot of false
#    positives
#
#    bmp    y    100000    BM??\x00\x00\x00
#
# TIFF
#      tif    y    200000000    \x49\x49\x2a\x00
# TIFF
#    tif    y    200000000    \x4D\x4D\x00\x2A
#

2011/7/4 Esteban Cervetto <est...@gm...>

> Hello:
>
> Recently, I have been a serious problem with my hard disk, and lost great
> part of my data.
>
> Actually, I have a folder in a old disk where my scid databace was placed,
> until I cut and pasted on my new (and failed) HD.
> Nowadays, I am very angry with me for not perform a Copy-paste instead
> (why I have to cut!   :'-(
>
> Fortunatelly, This old disk never used again, so I suppose I have de image
> of my database and may be can recover with soft like* PhotoRec*. (god
> please !)
>
> But I am concerned; scid format is not as popular as a pdf, so the formats
> that can recover PhotoRec doesn't include scid:
>    http://www.cgsecurity.org/wiki/File_Formats_Recovered_By_PhotoRec
>
> But there're other recovery tool that I am sure it can: for example
> MagicRescue,
>
> ¿Can someone give me a hand to recover it?
>
> I searched this question in our mailarchive, but, I did not find anything.
> I believe then this is a good oportunity to resolve/explain how to recover a
> missed database, one of the worst fears for ours databases
>
>  Regards
>
>
> Esteban
>
>
>