Last active
June 6, 2020 00:05
-
-
Save stefanmrvic/49adb1d03ab1b2fac50defbd3bcb3cb9 to your computer and use it in GitHub Desktop.
Forensic program that restores deleted JPEGs (only from FAT memory)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdint.h> | |
| //Defining new file type as a BYTE to represent 8 bit int | |
| typedef uint8_t BYTE; | |
| int main(int argc, char *argv[1]) | |
| { | |
| //Checks if there is exactly 1 argument | |
| if (argc != 2) { | |
| printf("Usage: ./recover image\n"); | |
| return 1; | |
| } | |
| //opens the inputed file | |
| FILE *file = fopen(argv[1], "r"); | |
| if (file == NULL) { | |
| printf("Critical error, file pointer == NULL"); | |
| return 1; | |
| } | |
| //making an array to store 512 bytes | |
| BYTE buffer[512]; | |
| //reads the first 512 bytes and captures it into the var | |
| size_t elements_count = fread(buffer, sizeof(BYTE), 512, file); | |
| int filename_count = 0; | |
| while (elements_count == 512) { | |
| //checks if the buffer contains the JPEG signature in the first 4 bytes | |
| if ( | |
| buffer[0] == 0xff && | |
| buffer[1] == 0xd8 && | |
| buffer[2] == 0xff && | |
| (buffer[3] & 0xf0) == 0xe0) { | |
| //dynamicically creates a string for file name | |
| char *filename = malloc(8); | |
| //in case dynamically allocated memory pointer filename is == NULL | |
| if (filename == NULL) { | |
| printf("Critical error, pointer == NULL"); | |
| return 1; | |
| } | |
| //gives file name a 3 digit ordinal number | |
| sprintf(filename, "%03i.jpg", filename_count); | |
| //increases the file name ordinal number after it's created | |
| filename_count++; | |
| //opens the newly created .jpg file for writing | |
| FILE *img = fopen(filename, "w"); | |
| //writes bytes from the buffen into the .jpg file | |
| fwrite(buffer, sizeof(BYTE), 512, img); | |
| //closes the .jpg file after it's done writing | |
| fclose(img); | |
| //reads next 512 bytes | |
| elements_count = fread(buffer, sizeof(BYTE), 512, file); | |
| //checks if the newly loaded bytes contain the start of JPEG | |
| if (elements_count == 512 && | |
| buffer[0] == 0xff && | |
| buffer[1] == 0xd8 && | |
| buffer[2] == 0xff && | |
| (buffer[3] & 0xf0) == 0xe0) { | |
| //closes the current .jpg that's writing to | |
| fclose(img); | |
| //frees the allocated memory of .jpg | |
| free(filename); | |
| } | |
| //in case end of file is reached | |
| else if (elements_count != 512) { | |
| //closes the file that we're writing to | |
| fclose(img); | |
| //frees allocated memory of .jpg | |
| free(filename); | |
| break; | |
| } | |
| //if the newly loaded bytes doesn't contain start of JPEG | |
| else { | |
| //continue writing newly loaded bytes into the file we opened at start | |
| while (elements_count == 512) { | |
| //breaks the loop if we reach the start of new JPEG | |
| if (elements_count == 512 && | |
| buffer[0] == 0xff && | |
| buffer[1] == 0xd8 && | |
| buffer[2] == 0xff && | |
| (buffer[3] & 0xf0) == 0xe0) { | |
| break; | |
| } | |
| //opens our .jpg file for appending | |
| img = fopen(filename, "a"); | |
| //continue writing to our .jpg file | |
| fwrite(buffer, sizeof(BYTE), 512, img); | |
| //closes .jpg after it's done | |
| fclose(img); | |
| //reads next 512 bytes | |
| elements_count = fread(buffer, sizeof(BYTE), 512, file); | |
| } | |
| } | |
| } | |
| //if the buffers doesn't contain the start of JPEG file, read next 512 bytes | |
| else { | |
| //reads next 512 bytes | |
| elements_count = fread(buffer, sizeof(BYTE), 512, file); | |
| } | |
| } | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment