[Resolvido] Recuperar arquivos .djvu de partição formatada

[Dapb]

Olá,

Alguém sabe como recuperar arquivos DJVU após formatação? Já tentei utilizar o scalpel e o foremost, porém nenhum deles reconhece essa extensão.

Dentre esses programas, o único que eu sei que pode ser modificado para incluir essa extensão é o scalpel, devido ao seu arquivo de configuração localizado em /etc/scalpel. Porém eu não sei como obter as informações para adicionar a linha de comando nesse arquivo (conteúdo original copiado logo abaixo). Alguém pode me ajudar a resolver esse problema?

Obrigado.

Código: [Selecionar]

# Scalpel configuration file

# This configuration file controls the
# types and sizes of files that are carved by Scalpel.  Currently,
# Scalpel can read Foremost 0.69 configuration files, but Scalpel
# configuration files may not be backwards-compatible with Foremost.
# In particular, maximum file carve size under Foremost 0.69 is 4GB,
# while in the current version of Scalpel, it's 16EB (16 exabytes).  

# For each file type, the configuration file
# describes the file's extension, whether the header and footer are
# case sensitive, the maximum file size, and the header and footer for
# the file. The footer field is optional, but header, size, case
# sensitivity, and extension are required.  Any line that begins with a
# '#' is considered a comment and ignored. Thus, to skip a file type
# just put a '#' at the beginning of that line

# Headers and footers are decoded before use. To specify a value in
# hexadecimal use \x[0-f][0-f] and for octal use \[0-3][0-7][0-7].
# Spaces can be represented by \s. Example: "\x4F\123\I\sCCI" decodes
# to "OSI CCI".  # To match any single character (aka a wildcard) use
# a '?'. If you need to search for the '?' character, you will need to
# change the 'wildcard' line *and* every occurrence of the old
# wildcard character in the configuration file. '
#
# Note: ?' is equal to 0x3f and \063.
#
# If you want files carved without filename extensions,
# use "NONE" in the extension column.

# The REVERSE keyword after a footer causes a search
# backwards starting from [size] bytes beyond the location of the header
# This is useful for files like PDFs that may contain multiple copies of
# the footer throughout the file.  When using the REVERSE keyword you will
# extract bytes from the header to the LAST occurence of the footer (and
# including the footer in the carved file).
#
# The NEXT keyword after a footer results in file carves that
# include the header and all data BEFORE the first occurence of the
# footer (the footer is not included in the carved file).  If no
# occurrence of the footer is discovered within maximum carve size bytes
# from the header, then a block of the disk image including the header
# and with length equal to the maximum carve size is carved.  Use NEXT
# when there is no definitive footer for a file type, but you know which
# data should NOT be included in a carved file--e.g., the beginning of
# a subsequent file of the same type.
#
# FORWARD_NEXT is the default carve type and this keyword may be
# included after the footer, but is not required.  For FORWARD_NEXT
# carves, a block of data including the header and the first footer
# (within the maximum carve size) are carved.  If no footer appears
# after the header within the maximum carve size, then no carving is
# performed UNLESS the -b command line option is supplied.  In this case,
# a block of max carve size bytes, including the header, is carved and a
# notation is made in the Scalpel log that the file was chopped.

# To redefine the wildcard character, change the setting below and all
# occurences in the formost.conf file.
#
#wildcard  ?

# case size header footer
#extension   sensitive
#
#---------------------------------------------------------------------
# EXAMPLE WITH NO SUFFIX
#---------------------------------------------------------------------
#
# Here is an example of how to use the no extension option. Any files
# beginning with the string "FOREMOST" are carved and no file extensions
# are used. No footer is defined and the max carve size is 1000 bytes.
#
#      NONE     y      1000     FOREMOST
#
#---------------------------------------------------------------------
# GRAPHICS FILES
#---------------------------------------------------------------------
#
#
# AOL ART files
# art y 150000 \x4a\x47\x04\x0e \xcf\xc7\xcb
#   art y 150000 \x4a\x47\x03\x0e \xd0\xcb\x00\x00
#
# GIF and JPG files (very common)
# gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b
#   gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x3b
  jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
#
#
# PNG  
#   png y 20000000 \x50\x4e\x47? \xff\xfc\xfd\xfe
#
#
# BMP (used by MSWindows, use only if you have reason to think there are
#       BMP files worth digging for. This often kicks back a lot of false
# positives
#
# bmp y 100000 BM??\x00\x00\x00
#
# TIFF
#   tif y 200000000 \x49\x49\x2a\x00
# TIFF
# tif y 200000000 \x4D\x4D\x00\x2A
#
#---------------------------------------------------------------------
# ANIMATION FILES
#---------------------------------------------------------------------
#
# AVI (Windows animation and DiVX/MPEG-4 movies)
#   avi y 50000000 RIFF????AVI
#
# Apple Quicktime
#   These needles are based on the file command's magic.  I don't
#   recommend uncommenting the 4th and 5th Quicktime needles unless
#   you're sure you need to, because they generate HUGE numbers of
#   false positives.
#
# mov y 10000000 ????moov
# mov y 10000000 ????mdat
# mov y 10000000 ????widev
# mov y 10000000 ????skip
# mov y 10000000 ????free
# mov y 10000000 ????idsc
# mov y 10000000 ????pckg
#
# MPEG Video
# mpg y 50000000 \x00\x00\x01\xba \x00\x00\x01\xb9
# mpg     y 50000000 \x00\x00\x01\xb3 \x00\x00\x01\xb7
#
# Macromedia Flash
# fws y 4000000 FWS
#
#---------------------------------------------------------------------
# MICROSOFT OFFICE
#---------------------------------------------------------------------
#
# Word documents
#
#
# doc y 10000000  \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
# doc y 10000000  \xd0\xcf\x11\xe0\xa1\xb1
#
# Outlook files
# pst y 500000000 \x21\x42\x4e\xa5\x6f\xb5\xa6
# ost y 500000000 \x21\x42\x44\x4e
#
# Outlook Express
# dbx y 10000000 \xcf\xad\x12\xfe\xc5\xfd\x74\x6f
# idx y 10000000 \x4a\x4d\x46\x39
# mbx y 10000000 \x4a\x4d\x46\x36
#
#---------------------------------------------------------------------
# WORDPERFECT
#---------------------------------------------------------------------
#
# wpc y 1000000 ?WPC
#
#---------------------------------------------------------------------
# HTML
#---------------------------------------------------------------------
#
# htm n 50000   <html </html>
#
#---------------------------------------------------------------------
# ADOBE PDF
#---------------------------------------------------------------------
#
# pdf y 5000000 %PDF  %EOF\x0d REVERSE
# pdf y 5000000 %PDF  %EOF\x0a REVERSE
#
#---------------------------------------------------------------------
# AOL (AMERICA ONLINE)
#---------------------------------------------------------------------
#
# AOL Mailbox
# mail y 500000 \x41\x4f\x4c\x56\x4d
#
#
#
#---------------------------------------------------------------------
# PGP (PRETTY GOOD PRIVACY)
#---------------------------------------------------------------------
#
# PGP Disk Files
# pgd y 500000 \x50\x47\x50\x64\x4d\x41\x49\x4e\x60\x01
#
# Public Key Ring
# pgp y 100000 \x99\x00
# Security Ring
# pgp y 100000 \x95\x01
# pgp y 100000 \x95\x00
# Encrypted Data or ASCII armored keys
# pgp y 100000 \xa6\x00
# (there should be a trailer for this...)
# txt y 100000 -----BEGIN\040PGP
#
#
#---------------------------------------------------------------------
# RPM (Linux package format)
#---------------------------------------------------------------------
# rpm y 1000000 \xed\xab
#
#
#---------------------------------------------------------------------
# SOUND FILES
#---------------------------------------------------------------------
#
# wav     y 200000 RIFF????WAVE
#
# Real Audio Files
# ra y 1000000 \x2e\x72\x61\xfd
# ra y 1000000 .RMF
#
#---------------------------------------------------------------------
# WINDOWS REGISTRY FILES
#---------------------------------------------------------------------
#
# Windows NT registry
# dat y 4000000 regf
# Windows 95 registry
# dat y 4000000 CREG
#
#
#---------------------------------------------------------------------
# MISCELLANEOUS
#---------------------------------------------------------------------
#
# zip y 10000000 PK\x03\x04 \x3c\xac
#
# java y 1000000 \xca\xfe\xba\xbe
#
#---------------------------------------------------------------------
# ScanSoft PaperPort "Max" files
#---------------------------------------------------------------------
#      max   y     1000000    \x56\x69\x47\x46\x6b\x1a\x00\x00\x00\x00   \x00\x00\x05\x80\x00\x00
#---------------------------------------------------------------------
# PINs Password Manager program
#---------------------------------------------------------------------
#      pins  y     8000     \x50\x49\x4e\x53\x20\x34\x2e\x32\x30\x0d



[Dapb]

Problema resolvido com o photorec e com o foremost.

O photorec já reconhece o formato djvu por padrão. Após a recuperação basta renomear a extensão dos arquivos recuperados de djv para djvu.

Com o foremost, é necessário adicionar essas linhas no arquivo /etc/foremost.conf (terminal: sudo gedit /etc/foremost.conf) :

Código: [Selecionar]

#---------------------------------------------------------------------
# DJVU
#---------------------------------------------------------------------
#
djvu y 5000000 AT&TFORM
com a última linha não comentada (sem o #). Para identificar o header signature da extensão DJVU eu usei o WinHex (infelizmente não conheço o equivalente para o ubuntu...). Após salvar o arquivo, no terminal:

Código: [Selecionar]

sudo foremost -c foremost.conf -i /dev/sdx -o  /media/restoring
Eu fiz um teste e o foremost conseguiu recuperar 13/13 arquivos deletados.

Para mais informações sobre recuperação de arquivos de qualquer extensão: http://cheeky4n6monkey.blogspot.com.br/2012/02/monkey-carvings-of-unknown-file-types.html