English / Deutsch | Print version
Twitter
twitter

<< Previous
Remove empty directories

Table of Contents

Next >>
Files & Logs of hfsprescue

Find bytes from a file and/or an Unicode string


An additional debug/search feature is to find bytes from a file and/or Unicode strings. -ff and -fi can be used with the same command.

hfsprescue --find <device node|image file> [-ff <num bytes> <file1> [file2] [...]] [-fs <string>] [-o <offset in bytes>]


Find bytes of one or more files -ff

You can find the bytes of a file. This can be very useful when you lost the partition table and you have to calculate the offset of the partition. It makes no sense to search for the whole file. It can be fragmented and you will never get a hit. The file size of the source file is not limited by hfsprescue. Regardless to the file size is the maximum search buffer size 1MB. This this is really large. I suggest to use the block size as maximum search length.

The result of the search will be logged in the file 'hfsprescue-data/find.log'.

When you use '-o <offset in bytes>' then the search begins at the offset and skips the bytes before.

Find bytes example 1:

Command: hfsprescue --find /dev/sdb2 -ff 4096 PerfectPicture.jpg

Sample output:

File PerfectPicture.jpg: Bytes found at offset 746586112 + 28672 = 746614784 (0x2c800000 + 0x7000 = 0x2c807000)


Find bytes example 2: Multiple files

Command: hfsprescue --find /dev/sdb2 -ff 4096 PerfectPicture.jpg anyfile.doc

Sample output:

File anyfile.doc: Bytes found at offset 0 + 401408 = 401408 (0x0 + 0x62000 = 0x62000)
File PerfectPicture.jpg: Bytes found at offset 746586112 + 28672 = 746614784 (0x2c800000 + 0x7000 = 0x2c807000)


Find string -fs

This can be used to find an Unicode string. File names are encoded in Unicode. Its possible to find directory entries with this feature. The search string will be converted to Unicode by hfsprescue.

The result of the search will be logged in the file 'hfsprescue-data/find.log'.

When you use '-o <offset in bytes>' then the search begins at the offset and skips the bytes before.

Find string example:

Command: hfsprescue --find /dev/sdb2 -fs myimportantfile.doc

Sample output:

String "myimportantfile.doc" found at offset 1048576 + 326870 = 1375446 (0x100000 + 0x4fcd6 = 0x14fcd6)
String "myimportantfile.doc" found at offset 1048576 + 494446 = 1543022 (0x100000 + 0x78b6e = 0x178b6e)




<< Previous
Remove empty directories

Table of Contents

Next >>
Files & Logs of hfsprescue


© 2024 by Elmar Hanlhofer