In case if recovery software is unable to detect deleted files after QuickScan or SuperScan(for example, when directory area keeping file headers is wiped out or overwritten by other data), the only chance to recover files is to search for file signatures. In this case un-fragmented files can still be detected and recovered.
Active@ UNERASER comes with more than sixty predefined (internally programmed, very fast) file signatures to be analyzed and detected while SuperScan is in progress (MS Office Documents, Photo Camera Image formats, ZIP/RAR Archives, Music & Video MP3/MP4, etc..). For expert users there is advanced programming language which allows to define custom file signatures for UNERASER to search for specific data formats.
To search for standard file signatures:
Start Active@ UNERASER and choose a disk or volume to be inspected (place a cursor on it)
Launch SuperScan dialog box and define SuperScan options
Select All or Some file signatures to be recognized:
On a SuperScan Signatures Recognition tab verify signatures to be processed:
Click Start button and wait until something is recognized
Inspect specific groups in Signatures folder for files being detected
Preview and recover files (if detected) from specified groups
To preview, organize and recover files detected by signatures:
Select SuperScan node in the tree view on the left and Signature Files tab in the list view on the right
Expand general groups (Music, Documents) and specific sub-types (MP3, XLS,..) to inspect what is detected:
If file detected by signatures has some extended attributes, like AUTHOR, CREATED, TITLE, etc., these attributes will be displayed on the right. By default the only 5 first detected file attributes being displayed. To display more attributes, use Show Attributes drop down list
By default files are not sorted and displayed in the order of detection. To group files by attributes, click the column you want to sort on. If Subsequent Column Sorting option is turned ON, files are grouped & sorted on all columns followed the column you clicked. This could be convenient, for example, if you want to group music by Artist and then by Album
If you want to hide some attributes or change display order, click Reorganize Attributes button on the toolbar. Dialog appears and you can change the attribute for the particular file type (MP3, XLS, …) to be displayed in the particular column on the screen. For example, default column order for music is Artist, Album, Title, Genre, Year,... To group MP3 first by Year, then by Artist, then by Album, change column order this way:
And you will see:
To recover files detected by Signatures, select the particular file or group of files, or even all signature files and click Unerase button. On Unerase Options dialog use Organize by file meta-data option to group files in folders based on attributes (meta-data):
Use Attribute-based folder depth parameter to organize recovered files in a specified number of sub-folders. For example, for the MP3 files default columns are Artist, Album, Title and default folder depth is 2. When you recover MP3s using default parameters, your music files will be organized first by Artist, then by Album, so all album songs will be in one folder. If you reorganize columns display like in example above (Year, Artist, Album,…) and specify folder depth 3, after recovery you’ll have music grouped in folders first by Year, then by Artist, then by Album.
Custom File Signatures
Sometimes advanced users need to detect more specific file formats, not being described in standard set of file signatures.
Active@ UNERASER offers advanced tools to define user's templates for signatures to be analyzed. Signatures can be described using extended definition language which complies with RegExp (Regular Expressions). See language definition and syntax below.
To create and use a custom file signatures:
Create a text file containing one or multiple signatures definition (using syntax and examples below)
Launch Active@ UNERASER, select disk or volume to be inspected, and click SuperScan button
In SuperScan options, File types to be recognized based on signatures area, choose Some (Select)
Load created text file contents into Signatures Tree
Click Load Templates... button
Select created text file containing signatures definition
Find custom signatures in Signatures Tree and make sure that they are selected
Click Scan button to execute SuperScan
Inspect specific groups in Signatures Files panel for files being detected
Preview and recover files (if detected) from specified groups
Signatures definition language and examples:
; ===========================================================================================================
; Signature Templates Usage
; ===========================================================================================================
; Empty lines and lines starting with semicolon are ignored
; Sections order and lines order in sections are not important
; Letter case is not important (excepting RegExp fields)
; -----------------------------------------------------------------------------------------------------------
; Section TEMPLATES - required and contains fields numbering from one
; - TEMPLATE### - points to the section where signature template is described (numbered from one)
;
; -----------------------------------------------------------------------------------------------------------
; Section Template Header - required and contains fields:
; - BEGIN - required. Points to the section describing begin of the signature file
; - FOOTER - non required. Points to the section describing end of the signature file
; - MAX_SIZE - non required. Maximum file size to force file-end, if no file-end signature is detected. By default it is 64Kb.
; - GROUP - non required. If missed - template goes to User Defined templates group by default
; - DESCRIPTION - non required. This is a descriptive name of user template being displayed on a screen
; - EXTENSION - non required. This is a file extension to be assigned and displayed
; - SCRIPT - non required. Refers to the section where size of the file being calculated
; -----------------------------------------------------------------------------------------------------------
; Note: If field SCRIPT is present, then field FOOTER is ignored
;
; -----------------------------------------------------------------------------------------------------------
; Section describing file beginning (required), contains fields of the same type:
;
; = |
;
; signature - expression (regular or RegExp-compatible). Expression max length is 1024 bytes.
; offset_start - acceptable minimal signature offset from the beginning of the file
; offset_end - acceptable maximum signature offset from the beginning of the file
;
; If there are several fields listed in signature beginning, logical AND operation applied to confirm file start.
;
;------------------------------------------------------------------------------------------------------------
; Section calculating file size (not required), contains operators of four types:
; = (, )
; =
; IF () GOTO <label>
; GOTO <label>
;
; : READ, ENDIAN, SUM, SUB, MUL, DIV, SHR, SHL, AND, OR and XOR
; Most of commands are the same as in assembler programming language, except:
; READ - first argument - data type (size) to be read, second - offset from the beginning of the file
; ENDIAN - first argument - data type (size), second - expression, which byte order will be swapped
; First argument for commands READ and ENDIAN must be one of reserved data types: BYTE, WORD, DWORD, QWORD
; : can be either a named variable or a constant
; : can be the only named variable
; : can be one of : < <= == >= > != (meaning is the same as in C++)
; <label> : consists of label name followed by colon and it can precede any operator
;
; Label named EXIT has been reserved and instructs to complete the calculations
; Named variable SIZE has been reserved and keeps the file size
; Constants can be in Decimal form, Binary (followed by 'b'), Octal ('o'), and Hexadecimal ('h') or can be a text string
;
; -----------------------------------------------------------------------------------------------------------
; Section describing file end (not required), contains fields of the same type:
;
; [= ]
;
; signature - expression (regular or RegExp-compatible). Expression max length is 1024 bytes.
; bytes_to_append - not required. How many bytes to append to the file after the signature is found
;
; If there are several fields listed in signature, logical OR operation applied to define file end.
; ===========================================================================================================
; Examples
; ===========================================================================================================
[TEMPLATES]
TEMPLATE1 = PRIMITIVE_HTML
TEMPLATE2 = PRIMITIVE_JPG
TEMPLATE3 = QBW_HEADER
TEMPLATE4 = CHM_HEADER
TEMPLATE5 = SWF_HEADER
TEMPLATE6 = PST_HEADER
TEMPLATE7 = MRW_HEADER
TEMPLATE8 = MID_HEADER
TEMPLATE9 = CAB_HEADER
TEMPLATE10 = BMP_HEADER
TEMPLATE11 = DJV_HEADER
[PRIMITIVE_HTML]
DESCRIPTION = Primitive HTML Signature
EXTENSION = html
BEGIN=HTML_BEGIN
FOOTER=HTML_FOOTER
MAX_SIZE = 655360
[HTML_BEGIN]
<html = 0 | 512
<head = 0 | 1024
[HTML_FOOTER]
</html> = 2
[PRIMITIVE_JPG]
BEGIN=BEGIN.TEST.JPG
GROUP = Images and Camera RAW files
DESCRIPTION = Primitive JPG files
FOOTER=FOOTER-.TEST.JPG
EXTENSION = test.jpg
MAX_SIZE = 3221225472
[BEGIN.TEST.JPG]
\xFF\xD8\xFF = 0 | 0
[FOOTER-.TEST.JPG]
\xFF\xD9
[DJV_HEADER]
DESCRIPTION=DjVu Document
EXTENSION=djvu
BEGIN=DJV_BEGIN
SCRIPT=DJV_SCRIPT
[DJV_BEGIN]
AT&TFORM=0|0
[DJV_SCRIPT]
size = read(dword, 8)
size = endian(dword, size)
size = sum(size, 12)
[QBW_HEADER]
DESCRIPTION=QuickBooks Document
EXTENSION=qbw
BEGIN=QBW_BEGIN
SCRIPT=QBW_SCRIPT
[QBW_BEGIN]
MAUI=96|96
[QBW_SCRIPT]
data = read(dword, 36)
temp = read(dword, 52)
if (temp <= data) goto exit
size = sum(temp, 1)
size = shl(size, 10)
[CHM_HEADER]
DESCRIPTION=Microsoft CHM Help
EXTENSION=chm
BEGIN=CHM_BEGIN
SCRIPT=CHM_SCRIPT
[CHM_BEGIN]
ITSF=0|0
[CHM_SCRIPT]
version = read(dword, 4)
if (version == 0) goto exit
header = read(dword, 8)
if (header <= 1Ch) goto exit
temp = read(qword, header)
if (temp != 1FEh) goto exit
temp = sum(header, 8)
size = read(qword, temp)
temp = sum(header, 10h)
if (size > temp) goto exit
size = 0
[SWF_HEADER]
DESCRIPTION=Adobe Flash SWF
EXTENSION=swf
BEGIN=SWF_BEGIN
SCRIPT=SWF_SCRIPT
[SWF_BEGIN]
FWS=0|0
[SWF_SCRIPT]
data = read(byte, 3)
if (data <= 10h) goto exit
size = read(dword, 4)
if (size <= 8) goto exit
size = 0
[PST_HEADER]
DESCRIPTION=Outlook Archive
EXTENSION=pst
BEGIN=PST_BEGIN
SCRIPT=PST_SCRIPT
[PST_BEGIN]
!BDN=0|0
[PST_SCRIPT]
data = read(byte, 10)
if (data == 0Eh) goto valid
if (data != 17h) goto exit
size = read(dword, 184)
goto exit
valid:
size = read(dword, 168)
[MRW_HEADER]
DESCRIPTION=Minolta Camera Images
EXTENSION=mrw
BEGIN=MRW_BEGIN
SCRIPT=MRW_SCRIPT
[MRW_BEGIN]
\x00MRM=0|0
[MRW_SCRIPT]
data = read(dword, 4)
if (data == 0) goto exit
width = read(word, 24)
if (width == 0) goto exit
width = endian(word, width)
height = read(word, 26)
if (height == 0) goto exit
height = endian(word, height)
pixel = read(byte, 32)
if (pixel == 0) goto exit
pixel = mul(pixel, width)
pixel = mul(pixel, height)
pixel = div(pixel, 8)
size = endian(dword, data)
size = sum(size, pixel)
size = sum(size, 8)
[MID_HEADER]
DESCRIPTION=MIDI Audio
EXTENSION=mid
BEGIN=MID_BEGIN
SCRIPT=MID_SCRIPT
[MID_BEGIN]
MThd=0|0
[MID_SCRIPT]
next:
temp = read(dword, size)
if (temp == "MThd") goto valid
if (temp != "MTrk") goto exit
valid:
size = sum(size, 4)
temp = read(dword, size)
size = sum(size, 4)
temp = endian(dword, temp)
size = sum(size, temp)
goto next
[CAB_HEADER]
DESCRIPTION=Microsoft Compressed Archive CAB
EXTENSION=cab
BEGIN=CAB_BEGIN
SCRIPT=CAB_SCRIPT
[CAB_BEGIN]
MSCF=0|0
[CAB_SCRIPT]
version = read(word, 24)
if (version != 103h) goto exit
folders = read(word, 26)
folders = mul(folders, 8)
folders = sum(folders, 36)
files = read(word, 28)
files = mul(files, 16)
files = sum(files, folders)
temp = read(dword, 16)
if (temp < folders) goto exit
temp = read(dword, 8)
if (temp <= files) goto exit
flags = read(word, 30)
flags = and(flags, 4)
if (flags == 0) goto skip
flags = read(dword, 36)
if (flags != 20) goto skip
flags = read(dword, 44)
if (flags < temp) goto skip
size = flags
temp = read(dword, 48)
skip:
size = sum(temp, size)
[BMP_HEADER]
DESCRIPTION=Bitmap Images BMP
EXTENSION=bmp
BEGIN=BMP_BEGIN
SCRIPT=BMP_SCRIPT
[BMP_BEGIN]
BM=0|0
[BMP_SCRIPT]
width = read(dword, 12h)
if (width == 0) goto exit
height = read(dword, 16h)
if (height == 0) goto exit
pixel = read(word, 1ch)
if (pixel == 1) goto valid
if (pixel == 4) goto valid
if (pixel == 8) goto valid
if (pixel == 16) goto valid
if (pixel == 24) goto valid
if (pixel != 32) goto exit
valid:
pixel = mul(pixel, width)
pixel = mul(pixel, height)
pixel = div(pixel, 1000b)
rastr_size = read(dword, 22h)
if (rastr_size < pixel) goto exit
rastr_offset = read(dword, 0Ah)
if (rastr_offset < 38) goto exit
rastr_offset = sum(rastr_offset, rastr_size)
size = read(dword, 2)
if (size >= rastr_offset) goto exit
size = 0
Important!
Regular Expressions can be used while defining signature headers and footers. Please check RegExp syntax on a web, for example here.
This document is available in PDF format, which requires Adobe® Acrobat® Reader (Free download):
