
I hope that someone could help me out with my file carving script. I want to find the file header and corresponding footer as a hex value in an image file in raw format (.dd).

For other headers and footers my script works pretty well, but not for the headers and footers for JPG files: FFD8 and FFD9. Here's how I currently approach it:

grep -obUaP "\xFF\xD8" image_file.dd

I want to get back the offset of the position of the searched header and footer strings to extract them with dd later on. I handle the image file as a binary with grep.

When, for example, I take my pattern to look for JFIF in the image with this search, I find a lot of matches:

grep -obaUP "\x4A\x46\x49\x46" image_file.dd

but none with FFD8!

So is anyone able to give me a hint why I'm not able to find these simple hex values?

Nelly
  • Works for me, impossible to answer without seeing the file, at a guess though I'd say the string isn't in the file. – 123 Apr 23 '17 at 19:33
  • What version of `grep` are you using? – Rogus Apr 23 '17 at 19:35
  • I'm using grep (GNU grep) 2.25 – Nelly Apr 23 '17 at 19:57
  • This seems to work on the console, but how do I implement this in my shell script... I got only error messages right now. *sry, I'm new to it ;) – Nelly Apr 23 '17 at 20:32
  • @123 When I disabled my locale setting (e.g. my `echo $LC_ALL` prints nothing), the `grep -obUaP "\xFF\xD9" file.jpg` prints the offset, e.g. `14349:??`... The same `grep`, in the terminal with locales enabled, prints absolutely nothing. When I prepend the `grep` with `LC_ALL=C grep....` it prints the same `14349:??`... So... :) - that's the facts. – clt60 Apr 23 '17 at 20:55
  • @123 It has nothing to do with the terminal, but with the locale. Even when the output from `grep` is piped to `od` or redirected to a file, it outputs nothing when (any) UTF-8 locale is active (e.g. even `LC_ALL=en_US.UTF-8` prints nothing). The main point is - it works for the OP too - so, problem solved. :) :D – clt60 Apr 23 '17 at 21:41
  • @jm666 Fair enough, still can't get it to break but I guess if it works for OP then it doesn't really matter. – 123 Apr 23 '17 at 21:54

`man grep` says:

it can be helpful to use -a or to set LC_ALL='C' in the environment, in order to find more matches even if the matches are unsafe for direct display

So, try:

LC_ALL=C grep -obUaP "\xFF\xD9" file

In the script, use the above exactly as from the command line: just prepend your grep command with LC_ALL=C, exactly as above.

clt60
  • My current script looks like this now: LC_ALL=C grep -obUaP ${carving_footer} ${image_file} | sort -n > ${carving_footer_txt} but I get the Error: grep: support for the -P option is not compiled into this --disable-perl-regexp binary – Nelly Apr 23 '17 at 20:38
  • I'm on ubuntu and I don't think it has it by default^^ – Nelly Apr 23 '17 at 20:41
  • @Nelly - hm.. so, if you want to use `-P` for `grep`, you need a grep compiled with `-P` support. But it is strange, because in the question you stated that `grep -obaUP "\x4A\x46\x49\x46"` works for you, and it uses `-P` too... so, sorry - but it isn't clear what you are doing. – clt60 Apr 23 '17 at 20:46
  • grep -obaUP "\x4A\x46\x49\x46" image_file.dd works for me in the script and in the console but when I searched for \xFF\xD8 it didn't work. Now when I type in the console LC_ALL=C grep -obaUP "\xFF\xD8" image_file.dd it works and prints the matches to the screen. But when I'm using this in the script it comes with the error message from above – Nelly Apr 23 '17 at 20:54
  • @Nelly Why it prints such a message in the script - I have no idea. Maybe you have two different `grep`s installed and the script changes the `$PATH` or something similar. The main problem is solved. The `grep` prints the offset, as you want (at least when it is invoked from the console). – clt60 Apr 23 '17 at 21:01
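The full header/footer carving loop that the question and answer describe, as an added example that is not code from the original post or the answer. It assumes a grep that understands -o -b -a (GNU grep); the PCRE form `LC_ALL=C grep -obUaP` from the answer is used when -P is available, and because the asker's grep turned out to be built with --disable-perl-regexp, the same search is done with raw bytes and -F when it is not. The sample "disk image" is constructed inline and is not real data; `hex_to_pcre`, `hex_to_bytes`, `find_offsets`, `carve_jpegs` and `make_sample` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): find FFD8/FFD9 byte offsets
# in a raw .dd image with grep, then carve each header..footer span with dd.
set -u

# FFD8 -> \xFF\xD8, the pattern form used with grep -P in the answer.
hex_to_pcre() {
  printf '%s' "$1" | sed 's/../\\x&/g'
}

# FFD8 -> the raw bytes 0xFF 0xD8. Octal escapes are used because POSIX
# printf does not guarantee \x escapes. Patterns must not contain 00 or 0A:
# command substitution drops NUL bytes and grep searches line by line.
hex_to_bytes() {
  h=$1
  while [ -n "$h" ]; do
    rest=${h#??}
    pair=${h%"$rest"}
    printf "\\$(printf '%03o' "0x$pair")"
    h=$rest
  done
}

# True if this grep was built with PCRE support (the asker's was not).
have_pcre() {
  printf 'x' | LC_ALL=C grep -qP 'x' 2>/dev/null
}

# Print the byte offset of every occurrence of hex pattern $2 in file $1,
# one per line, in ascending order (so no sort -n is needed).
# LC_ALL=C is the essential part: under a UTF-8 locale grep will not match
# bytes such as 0xFF that are not valid UTF-8, which is why FFD8 returned
# nothing while the pure-ASCII pattern JFIF matched fine.
# -U is a no-op outside DOS/Windows builds and is left out of the fallback,
# since not every grep accepts it.
find_offsets() {
  case "$2" in
    *[!0-9A-Fa-f]*) echo "find_offsets: not a hex string: $2" >&2; return 2 ;;
  esac
  [ $(( ${#2} % 2 )) -eq 0 ] || { echo "find_offsets: odd-length hex: $2" >&2; return 2; }
  if have_pcre; then
    LC_ALL=C grep -obUaP "$(hex_to_pcre "$2")" "$1"
  else
    LC_ALL=C grep -obaF "$(hex_to_bytes "$2")" "$1"
  fi | LC_ALL=C cut -d: -f1
}

# Pair each FFD8 with the first FFD9 after it and carve that span to
# $2/N.jpg with dd; prints "start length" for each carved file.
carve_jpegs() {
  img=$1; outdir=$2; n=0
  mkdir -p "$outdir"
  footers=$(find_offsets "$img" FFD9)
  for start in $(find_offsets "$img" FFD8); do
    for f in $footers; do
      if [ "$f" -gt "$start" ]; then
        len=$((f + 2 - start))          # include the two footer bytes
        n=$((n + 1))
        dd if="$img" of="$outdir/$n.jpg" bs=1 skip="$start" count="$len" 2>/dev/null
        echo "$start $len"
        break
      fi
    done
  done
}

# Constructed sample "disk image" (not real data): two minimal JPEG-like
# blobs (SOI, APP0 with a JFIF tag, some payload, EOI) separated by junk
# that includes a newline and a stray 0xFF that is not followed by D8.
make_sample() {
  printf 'AAAAAAAAAAAAAAAA\377\330\377\340\000\020JFIF\000DATA1\377\331BBBB\nBBBB\377\330\377\340\000\020JFIF\000second\377\331CC\377CC' > "$1"
}

img=${TMPDIR:-/tmp}/carve_demo.dd
make_sample "$img"
echo "FFD8 at: $(find_offsets "$img" FFD8 | tr '\n' ' ')"   # 16 43
echo "FFD9 at: $(find_offsets "$img" FFD9 | tr '\n' ' ')"   # 32 60
carve_jpegs "$img" "${TMPDIR:-/tmp}/carve_demo_out"        # 16 18 / 43 19
```

Two caveats a carver has to live with: FFD8 is a two-byte value that also occurs by chance in unrelated data, so searching for `FFD8FF` (SOI followed by another marker) cuts down false starts; and an FFD9 can sit inside a real JPEG (an embedded EXIF thumbnail has its own SOI/EOI), so pairing each header with the first following footer truncates such files. `dd bs=1` is simple but slow on a large image; GNU dd's `iflag=skip_bytes,count_bytes` with a larger block size is the usual speed-up.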