How to create custom search rules for raw recovery

In the majority of cases, UFS Explorer performs thorough analysis of the file system structures and interprets this information to locate and recover the missing data. Yet, under certain circumstances, crucial service records may get severely damaged or even overwritten, like during formatting, initialization or other manipulations with the storage.

This makes it impossible to achieve a satisfactory recovery result using the mentioned approach. To solve this problem or to expand the obtained result, one can enable IntelliRAW, or the method of "raw recovery". This technique searches for predefined fragments of file content, the so-called file signatures (also "magic numbers"). These binary sequences are encountered at a certain offset at the beginning and sometimes at the end of the file as well, and can be used to identify files of a certain type.

UFS Explorer already contains a broad set of IntelliRAW rules with signatures for the most common types of files, like documents, images, multimedia, archives, etc. Yet, when working with rare or proprietary file formats, one might want to extend the available list with custom rules that can be employed during the process of raw recovery.

The procedure of setting up a custom file type consists of three separate stages: determining text or binary signatures that are characteristic of the given format, defining a rule based on which they will be detected by the program, and applying it when specifying the parameters for the storage scan.

Discovery of a file’s signature

To get the signatures of your file type that can be used for creating a custom search rule, complete the following steps:

  1. Decide on the means you will use for examining the hexadecimal content of files for the presence of file signatures. Refer to the article on opening a data source for further hex analysis in UFS Explorer, or employ any other alternative tool of your preference.

  2. Open the hexadecimal representations of several sample files of the needed format. As an illustrative example, we have five simple JPEG images.

  3. Explore the binary data of each opened file to find identical patterns, especially at the very beginning and at the end. In the case of a text-based file format, use the text representation field. For more accurate results, you will need to examine as many files as possible. In our samples, we can see that each of the files starts with the signature FF D8 FF (˙Ř˙) and ends with FF D9 (˙Ů).

    Note: In some cases, it might be difficult to tell the difference between the true file signatures and simply similar data patterns that contain service information. If possible, try taking sample files that are not closely related, for instance, videos recorded by different cameras.

  4. Select the signature found closer to the start of your sample files and copy it to the clipboard using the tool for copying raw (hexadecimal) data. If your signature is not binary, employ the tool for copying text data instead. Paste and save this sequence to any safe location in order to be able to use it later.

    Note the position of your signature indicated in the "Selection start" field. In our case, it is 0x0, but your signature may not necessarily be located at the very beginning.

  5. If you’ve spotted a signature at the end of your sample files, perform the copying operation for this signature as well.
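
The comparison in steps 3 to 5 can also be scripted. The following is an added example, not part of the original article or of UFS Explorer: it reports the byte runs that are identical across all samples near the start and near the end of the files, together with their offsets. The sample bytes are constructed JPEG-like data, and the function name, window size and minimum run length are assumptions of this sketch.

```python
# Added example: find byte runs shared by every sample file.
# Offsets are relative to the file start, or negative (counted back
# from the end of the file) when from_end=True.

def common_runs(samples, window=8, min_len=2, from_end=False):
    """Return [(offset, bytes)] for runs identical in all samples."""
    n = min(window, min(len(s) for s in samples))
    views = [s[-n:] if from_end else s[:n] for s in samples]
    runs, start = [], None
    for i in range(n + 1):
        same = i < n and all(v[i] == views[0][i] for v in views)
        if same and start is None:
            start = i                      # a shared run begins here
        elif not same and start is not None:
            if i - start >= min_len:       # drop short coincidental matches
                off = start - n if from_end else start
                runs.append((off, views[0][start:i]))
            start = None
    return runs

# Constructed samples: three JPEG-like byte strings with different
# second markers (E0, E1, DB) and different bodies.
SAMPLES = [
    bytes.fromhex("ffd8ffe000104a464946000101112233ffd9"),
    bytes.fromhex("ffd8ffe1002a4578696600004455ffd9"),
    bytes.fromhex("ffd8ffdb004300080606778899aaffd9"),
]

if __name__ == "__main__":
    for off, sig in common_runs(SAMPLES):
        print(f"start, offset {off:#x}: {sig.hex(' ').upper()}")
    for off, sig in common_runs(SAMPLES, from_end=True):
        print(f"end, offset {off}: {sig.hex(' ').upper()}")
```

With `min_len=1` the single 00 byte at offset 4 is also reported, which is the kind of coincidental pattern the note in step 3 warns about; more and less closely related samples make such matches disappear.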

Creating a search rule based on the identified signatures

Now that you've obtained the needed file signatures, you can define a custom search rule that will be used by UFS Explorer for their recognition.

Starting from version 9.4, the software offers a graphical in-built editor that makes it possible to create, view and edit such rules directly in the program. It can also be used to load a custom file type from the existing *.xml file of any supported third-party format.

Those who have not updated their products may download a special free utility called IntelliRAW rules editor and follow the instructions for creating custom search rules in older versions of UFS Explorer (up to version 9.3).

If you use a contemporary version of the program, proceed as follows:

  1. Run UFS Explorer and, if necessary, change its settings in the corresponding pane.

  2. Open the "Tools" item from the main menu and choose the "IntelliRAW rules" option to launch the embedded editor.

  3. In the opened dialog, you will see the list of file types that are enabled in the software by default. Please note that the pre-defined rules cannot be viewed or modified.

  4. To create your own file type, press the "New type" button from the toolbar at the top.

  5. Choose the type of rule you are going to define, depending on the format of your signatures (hexadecimal sequences or text strings).

  6. Specify a file extension that will be used for the found files of the given format.

  7. Provide a name for your custom file type in the respective field. This name will also be assigned to the container for these files in the results of raw recovery.

  8. If you use a text-based signature, you may choose the required encoding via the drop-down list next to the "Text format" property.

  9. Press the "Add rule" button found at the top and insert the first signature obtained at the previous stage into the field next to the "Value" property.

  10. In case of a hexadecimal signature, provide its position in the "Rule offset" field.

    In case of a text-based one, you may enable case-sensitivity to distinguish between uppercase and lowercase characters.

  11. Once you press "OK", the specified rule will get listed in the bottom pane. It can be edited anytime using the "View/Edit" button.

  12. If you have another signature, press the "Add rule" button again and repeat the previous steps.

  13. Define the conditions that must be true for a match to take place: use the "Rules logic" property to establish whether all of the signatures or at least one of them must be present in the content of a file.

  14. Hit "OK", and the created custom file type will be added to the available set of IntelliRAW rules. It will be indicated with a different color and have the "User-defined" property.

  15. New rules get enabled by default immediately after their creation. You may deactivate your rule by selecting it in the list and pressing the "Disable" button from the toolbar at the top, and use the "Enable" button later to activate it again.

After that, the editor can be closed. The defined custom file type will remain in the program after its restart. You may also refer to this component later if you want to edit, disable or delete it.

Moreover, you can use the "Export" tool to save it as an *.xml file for backup purposes or for further import in UFS Explorer launched on another computer.

Implementation of the custom rules during a scan

To look for your own custom file type when scanning a storage with UFS Explorer, follow the given procedure:

  1. At the stage of setting up a scan, enable the "Yes, I’m interested in the result of recovery by known content" option.

  2. Right after that, another option that allows using your own data search rules will emerge. Tick it as well.

  3. The software will display the number of custom rules that are currently defined. If you need to make any adjustments to them, use the "Manage rules" option. If not, proceed to the scan right away.

UFS Explorer will use your rule and provide the files found with its help in the $Custom folder. The files will be automatically assigned new names, as this information is not available with raw recovery. Also, you should be aware that this method has its flaws and provides poor results in case of extensive file fragmentation. Moreover, if there is no clear signature for the end of the file, many of them may appear to be damaged.
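
The effect of a missing end signature can be seen with a simplified signature-based carver. This is an added example, not UFS Explorer's actual algorithm and not code from the original article: it assumes the start signature sits at offset 0 of each file, and the function name, the size limit and the raw image bytes are constructed for illustration.

```python
# Added example: a minimal header/footer carver over a raw byte buffer.
# Each hit is returned as (start, end, complete); complete is False when
# no end signature was found before the next header or the size limit,
# so the carved span may contain unrelated trailing data.

def carve(image, header, footer=None, max_size=64):
    found, pos = [], image.find(header)
    while pos != -1:
        body = pos + len(header)
        nxt = image.find(header, body)            # next file start, if any
        limit = min(len(image), pos + max_size,
                    nxt if nxt != -1 else len(image))
        end = image.find(footer, body, limit) if footer else -1
        if end != -1:
            found.append((pos, end + len(footer), True))
        else:
            found.append((pos, limit, False))     # cut at the limit instead
        pos = nxt
    return found

HDR, FTR = bytes.fromhex("ffd8ff"), bytes.fromhex("ffd9")

# Constructed raw image: file A is intact, file B lost its end signature
# (for example, its tail was overwritten), file C is intact.
IMAGE = (
    b"\x00" * 16
    + HDR + b"A" * 10 + FTR
    + b"\x00" * 8
    + HDR + b"B" * 12 + b"\x00" * 4
    + HDR + b"C" * 5 + FTR
    + b"\x00" * 8
)

if __name__ == "__main__":
    for start, end, complete in carve(IMAGE, HDR, FTR):
        state = "complete" if complete else "no end signature, may be damaged"
        print(f"{start:#06x}-{end:#06x} ({end - start} bytes): {state}")
```

Running the same carver without an end signature marks every file as incomplete, and a fragmented file would be carved as one contiguous span that includes whatever foreign data lies between its fragments.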

Last update: March 22, 2022