
File carving with Bash can't find hex values FFD8 or FFD9 with grep


I hope that someone could help me out with my file carving script. I want to find the file header and corresponding footer as a hex value in an image file in raw format (.dd).

For other headers and footers my script works pretty well, but not for the headers and footers for JPG files: FFD8 and FFD9. Here's how I currently approach it:

grep -obUaP "\xFF\xD8" image_file.dd

I want to get back the offset of the position of the searched strings, header and footer, to extract them with dd later on. I handle the image file as a binary with grep.

When I for example take my pattern to look for the JFIF in the image with this search I find a lot of matches:

grep -obaUP "\x4A\x46\x49\x46" image_file.dd

but none with FFD8!

So is anyone able to give me a hint why I'm not able to find these simple hex values?


Solution

  • Man grep says:

    it can be helpful to use -a or to set LC_ALL='C' in the environment, in order to find more matches even if the matches are unsafe for direct display

    So, try:

    LC_ALL=C grep -obUaP "\xFF\xD9" file
    

    In the script, use the above exactly as from the command line: just prepend your grep command with LC_ALL=C exactly as above.
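
An added example, not part of the original question or answer: the locale-pinned grep search wired to dd so that the first FFD8 ... FFD9 span is carved out of a raw image. The function names (`find_offsets`, `carve_first_jpeg`, `make_sample`) and the sample data are hypothetical and constructed for this illustration.

```bash
#!/usr/bin/env bash
# Added example: carve the first JPEG (FFD8 ... FFD9) from a raw image.
# Function names and the sample image are constructed for illustration.

# Print the byte offset of every match of a PCRE byte pattern in a file.
# LC_ALL=C makes grep treat \xFF as the single byte 0xFF; in a multibyte
# locale the same pattern is interpreted as a character, not a raw byte.
find_offsets() {
    LC_ALL=C grep -obUaP "$1" "$2" | LC_ALL=C cut -d: -f1
}

# Carve from the first header (FFD8) to the first footer (FFD9) after it.
# Limitation: FFD9 can also occur inside a JPEG (for example in an embedded
# thumbnail), so pairing with the first footer is a simplification.
carve_first_jpeg() {
    local img=$1 out=$2 start end
    start=$(find_offsets '\xFF\xD8' "$img" | head -n 1)
    [ -n "$start" ] || return 1                      # no header found
    end=$(find_offsets '\xFF\xD9' "$img" |
          awk -v s="$start" '$1 > s { print; exit }')
    [ -n "$end" ] || return 1                        # no footer after header
    # +2 so the two footer bytes are part of the carved file.
    dd if="$img" of="$out" bs=1 skip="$start" \
       count=$((end - start + 2)) 2>/dev/null
}

# Constructed sample: 8 junk bytes, a minimal JPEG-like span, then a trailer.
# Octal escapes: \377\330 = FFD8, \377\340 = FFE0, \377\331 = FFD9.
make_sample() {
    printf 'junkjunk\377\330\377\340JFIFdata\377\331trailer' > "$1"
}

# Stand-alone demo on the constructed sample.
demo_img=$(mktemp)
make_sample "$demo_img"
if carve_first_jpeg "$demo_img" "$demo_img.jpg"; then
    echo "header at $(find_offsets '\xFF\xD8' "$demo_img" | head -n 1)," \
         "carved $(wc -c < "$demo_img.jpg" | tr -d ' ') bytes"
fi
rm -f "$demo_img" "$demo_img.jpg"
```

`bs=1` keeps the offsets exact but is slow on large images; it is used here only to keep the arithmetic obvious.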