
Extracting RAW pictures from memory dumps - 2510c39011c5
http://w00tsec.blogspot.com/2015/02/extracting-raw-pictures-from-memory.html
======
ljoshua
Kind of OT, but does anyone know of decent resources for learning more about
and eventually correcting RAW images?

I have a collection of RAW photos that have, due to bad transfers or old
disks, become corrupted in ways where you can still see the original image,
but color casts are off for half the image (strong purple or orange casts) or
the image will suddenly jump and skip a few hundred pixels at random places.
It seems like I am just missing a portion in the middle or something is
misaligned, and I'd love to get these photos back. (I know that a JPG preview
is hidden inside the file, which I could extract, but it would be nice to have
the full image back as well.)

~~~
dr_zoidberg
What you mention sounds like typical corruption of JPG files with foreign data
in the middle. If you have access to the disk image, commercial software like
Adroit Photo Recovery could (in theory) help you. They've developed a
technique for recovery of photo files that is very robust and can handle
fragmentation.

On the more open source front... There's little. Adroit's algorithms have been
published, but the implementation is proprietary. Poisel, Tjoa and Tavolato
implemented the algorithm in Python+C, but it's quite difficult to get their
carver up and running, mostly due to "library rot" -- last I tried, there was
no repo from where to download the particular version of PyQT they used and I
didn't have the time to fix and translate all the old calls to new ones.

You could also try PhotoRec, but for fragmented data it isn't the best
solution. Finally, you could try custom code to try and find the JPG blocks in
the images and then all the combinations until you find something that makes
sense.

Welcome to the beautiful and monstrous world of file/data carving!

------
simscitizen
We wrote a tool like this in my last job to guess the width of raw images like
these. First, we were dealing with iOS, and there are certain constraints on
the platform which help with guessing width (bitmaps are generally 32-bit
BGRA, and the rows in iOS bitmap images are aligned to 32 bytes). Because of
the alignment constraint you only have to guess the width in 8-pixel
increments. Then pick the width that minimizes the average pixel difference
between adjacent rows in the image. This usually guessed the width of the
original image (or an integer multiple of the actual width), at least when the
original image was a UI element (as UI elements generally have large
rectangular blocks of color in them).
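
The width-guessing heuristic described in the comment above, as an added sketch in Python (not simscitizen's tool and not code from the linked article). It assumes the buffer starts at the first pixel of a 32-bit BGRA bitmap with no row padding beyond the 32-byte alignment; `guess_width`, `row_roughness` and `make_sample` are hypothetical names, and the sample image is constructed.

```python
"""Guess the row width of a headerless 32-bit BGRA bitmap carved from memory."""

BYTES_PER_PIXEL = 4   # 32-bit BGRA, as stated in the comment
ROW_ALIGNMENT = 32    # bytes; rows are aligned to 32 bytes per the comment


def row_roughness(buf, stride):
    """Mean absolute byte difference between vertically adjacent pixels."""
    usable = (len(buf) // stride) * stride    # drop the trailing partial row
    if usable < 2 * stride:
        return None                           # need two full rows to compare
    pairs = zip(buf[:usable - stride], buf[stride:usable])
    return sum(abs(a - b) for a, b in pairs) / (usable - stride)


def guess_width(buf, max_width=512):
    """Return (width_in_pixels, score) for the smoothest candidate width."""
    step = ROW_ALIGNMENT // BYTES_PER_PIXEL   # 8-pixel increments
    best = None
    for width in range(step, max_width + 1, step):
        score = row_roughness(buf, width * BYTES_PER_PIXEL)
        # Strict '<' keeps the smallest width on ties, since an integer
        # multiple of the true width can score just as well.
        if score is not None and (best is None or score < best[1]):
            best = (width, score)
    return best


def make_sample(width=72, height=40):
    """Constructed input: grey background with one orange rectangle (BGRA)."""
    background = bytes((0x20, 0x20, 0x20, 0xFF))
    button = bytes((0x10, 0x80, 0xE0, 0xFF))
    rows = []
    for y in range(height):
        row = bytearray(background * width)
        if 8 <= y < 30:                       # rectangle spans x = 10..49
            row[10 * 4:50 * 4] = button * 40
        rows.append(bytes(row))
    return b"".join(rows)


if __name__ == "__main__":
    width, score = guess_width(make_sample())
    print(f"best width: {width} px (mean row difference {score:.3f})")
```

Once a width is chosen, the buffer can be opened as raw image data at that width for visual confirmation.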

------
userbinator
Also fun to try cat'ing a process' memory to /dev/audio. Works best if the
process is a media player.

------
reacweb
At the end of the eighties I needed to replace the fancy patterns available in
spreadsheet graphics on PC1512 (GEM) by more serious patterns (the client was
a bank). I have done a small visualisation program in Turbo Pascal to find
them and I have patched the binary.

------
spydum
Pretty wild, I'm used to running strings on process dumps and such.. never
imagined opening an image editor to get something useful!

~~~
mkesper
I remember doing such things on Amiga with Action Replay cartridge. You could
even measure heights of life bars etc. and search for memory cells containing
that data.

~~~
effdee
Sweet memories... _sigh_ :)

There was also a program called ScreenJaeger [1] to grab images from memory.

[1] ftp://ftp.de.netbsd.org/aminet/gfx/misc/ScreenJaeger.readme

------
shironinja
Just wanted to say I loved your off the cuff humor and thought it was an
enjoyable article.

