In-depth technology research: finding new ways to recover data, accessing firmware, writing programs, reading bits off the platter, recovering data from dust.
Forum rules
Please
do not post questions about data recovery cases here (use
this forum instead). This forum is for topics on finding new ways to recover data. Accessing firmware, writing programs, reading bits off the platter, recovering data from dust...
October 21st, 2023, 0:16
I want to add custom file signature of a file in r-studio. I have tried many times as per process described in R-studio manual but I am unable to do the same and create xml file. Can someone pls. help. I can send test file in PM.
Thank You
October 21st, 2023, 4:25
Finally I have created 2 signatures .I have taken 2 hex strings since I don't know which one is right (how many hex characters to take)
can someone pls check & correct me
xml download link --
https://drive.google.com/file/d/1kFNsAa ... share_link
- Attachments
-
-
- 3333.PNG (3.89 KiB) Viewed 4897 times
-
-
October 21st, 2023, 9:27
I'd go with TAPE \x54\x41\x50\x45
If you don't have the spec you don't know how static rest of the 'header' is and so the larger the signature the more chance you will not pick up files with slightly different 'headers'.
OTOH if you know for a fact that for example first 20 bytes of a header are static, you go with that as it will reduce false positives.
October 21st, 2023, 10:23
Arch Stanton wrote:I'd go with TAPE \x54\x41\x50\x45
If you don't have the spec you don't know how static rest of the 'header' is and so the larger the signature the more chance you will not pick up files with slightly different 'headers'.
OTOH if you know for a fact that for example first 20 bytes of a header are static, you go with that as it will reduce false positives.
Hi Thank you Joep
This is my first case and I have this single file for analysis so could not compare common pattern .
Thanks a lot for pointing out that larger signature has less chances a valuable lesson.I have not added footers because there are none (all zeros)
Thank you
- Attachments
-
October 21st, 2023, 10:42
It's Microsoft Tape Format (MTF). See pages 29 and 34 of the following document.
Microsoft ™ Tape Format Specification Version 1.00a:
http://laytongraphics.com/mtf/MTF_100a.PDF
October 21st, 2023, 11:13
The Soft Filemark Descriptor Block (MTF_SFMB) is described on page 57. There is a list of Descriptor Blocks on page 30.
October 22nd, 2023, 10:21
WOW fzabkar
Thank you so much you have gone in depth. Though I didn't understood anything as its too low level it discusses this signature most profoundly.
October 22nd, 2023, 12:00
Find the TAPE header. The 16-bit word at offset 0x40 then tells you the size, in 512-byte sectors, of the SFMB descriptor block. In your case this is 1 sector.
Now locate the SFMB signature and count forwards by 0x200 bytes. That's the end of your file, IIUC.
October 24th, 2023, 7:37
fzabkar wrote:Find the TAPE header. The 16-bit word at offset 0x40 then tells you the size, in 512-byte sectors, of the SFMB descriptor block. In your case this is 1 sector.
Now locate the SFMB signature and count forwards by 0x200 bytes. That's the end of your file, IIUC.
Thanks much useful fzabkar
Powered by phpBB © phpBB Group.