@jcoutinho
já tentei isso e nada
@ bruno bernardino
desde já obrigado pela resposta.
tudo o que instalei foi em pens ou discos externos, para não agravar mais as coisas.
A configuração que tenho é a seguinte:
Citar:# Scalpel configuration file
# This configuration file controls the
# types and sizes of files that are carved by Scalpel. Currently,
# Scalpel can read Foremost 0.69 configuration files, but Scalpel
# configuration files may not be backwards-compatible with Foremost.
# In particular, maximum file carve size under Foremost 0.69 is 4GB,
# while in the current version of Scalpel, it's 16EB (16 exabytes).
# For each file type, the configuration file
# describes the file's extension, whether the header and footer are
# case sensitive, the maximum file size, and the header and footer for
# the file. The footer field is optional, but header, size, case
# sensitivity, and extension are required. Any line that begins with a
# '#' is considered a comment and ignored. Thus, to skip a file type
# just put a '#' at the beginning of that line
# Headers and footers are decoded before use. To specify a value in
# hexadecimal use \x[0-f][0-f] and for octal use \[0-3][0-7][0-7].
# Spaces can be represented by \s. Example: "\x4F\123\I\sCCI" decodes
# to "OSI CCI". # To match any single character (aka a wildcard) use
# a '?'. If you need to search for the '?' character, you will need to
# change the 'wildcard' line *and* every occurrence of the old
# wildcard character in the configuration file. '
#
# Note: ?' is equal to 0x3f and \063.
#
# If you want files carved without filename extensions,
# use "NONE" in the extension column.
# The REVERSE keyword after a footer causes a search
# backwards starting from [size] bytes beyond the location of the header
# This is useful for files like PDFs that may contain multiple copies of
# the footer throughout the file. When using the REVERSE keyword you will
# extract bytes from the header to the LAST occurence of the footer (and
# including the footer in the carved file).
#
# The NEXT keyword after a footer results in file carves that
# include the header and all data BEFORE the first occurence of the
# footer (the footer is not included in the carved file). If no
# occurrence of the footer is discovered within maximum carve size bytes
# from the header, then a block of the disk image including the header
# and with length equal to the maximum carve size is carved. Use NEXT
# when there is no definitive footer for a file type, but you know which
# data should NOT be included in a carved file--e.g., the beginning of
# a subsequent file of the same type.
#
# FORWARD_NEXT is the default carve type and this keyword may be
# included after the footer, but is not required. For FORWARD_NEXT
# carves, a block of data including the header and the first footer
# (within the maximum carve size) are carved. If no footer appears
# after the header within the maximum carve size, then no carving is
# performed UNLESS the -b command line option is supplied. In this case,
# a block of max carve size bytes, including the header, is carved and a
# notation is made in the Scalpel log that the file was chopped.
# To redefine the wildcard character, change the setting below and all
# occurences in the formost.conf file.
#
#wildcard ?
# case size header footer
#extension sensitive
#
#---------------------------------------------------------------------
# EXAMPLE WITH NO SUFFIX
#---------------------------------------------------------------------
#
# Here is an example of how to use the no extension option. Any files
# beginning with the string "FOREMOST" are carved and no file extensions
# are used. No footer is defined and the max carve size is 1000 bytes.
#
# NONE y 1000 FOREMOST
#
#---------------------------------------------------------------------
# GRAPHICS FILES
#---------------------------------------------------------------------
#
#
# AOL ART files
# art y 150000 \x4a\x47\x04\x0e \xcf\xc7\xcb
# art y 150000 \x4a\x47\x03\x0e \xd0\xcb\x00\x00
#
# GIF and JPG files (very common)
# gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b
# gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x3b
# jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
#
#
# PNG
# png y 20000000 \x50\x4e\x47? \xff\xfc\xfd\xfe
#
#
# BMP (used by MSWindows, use only if you have reason to think there are
# BMP files worth digging for. This often kicks back a lot of false
# positives
#
# bmp y 100000 BM??\x00\x00\x00
#
# TIFF
# tif y 200000000 \x49\x49\x2a\x00
# TIFF
# tif y 200000000 \x4D\x4D\x00\x2A
#
#---------------------------------------------------------------------
# ANIMATION FILES
#---------------------------------------------------------------------
#
# AVI (Windows animation and DiVX/MPEG-4 movies)
# avi y 50000000 RIFF????AVI
#
# Apple Quicktime
# These needles are based on the file command's magic. I don't
# recommend uncommenting the 4th and 5th Quicktime needles unless
# you're sure you need to, because they generate HUGE numbers of
# false positives.
#
# mov y 10000000 ????moov
# mov y 10000000 ????mdat
# mov y 10000000 ????widev
# mov y 10000000 ????skip
# mov y 10000000 ????free
# mov y 10000000 ????idsc
# mov y 10000000 ????pckg
#
# MPEG Video
# mpg y 50000000 \x00\x00\x01\xba \x00\x00\x01\xb9
# mpg y 50000000 \x00\x00\x01\xb3 \x00\x00\x01\xb7
#
# Macromedia Flash
# fws y 4000000 FWS
#
#---------------------------------------------------------------------
# MICROSOFT OFFICE
#---------------------------------------------------------------------
#
# Word documents
#
#
doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1
docx y 10000000 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
docx y 10000000 \xd0\xcf\x11\xe0\xa1\xb1
#
# Outlook files
# pst y 500000000 \x21\x42\x4e\xa5\x6f\xb5\xa6
# ost y 500000000 \x21\x42\x44\x4e
#
# Outlook Express
# dbx y 10000000 \xcf\xad\x12\xfe\xc5\xfd\x74\x6f
# idx y 10000000 \x4a\x4d\x46\x39
# mbx y 10000000 \x4a\x4d\x46\x36
#
#---------------------------------------------------------------------
# WORDPERFECT
#---------------------------------------------------------------------
#
# wpc y 1000000 ?WPC
#
#---------------------------------------------------------------------
# HTML
#---------------------------------------------------------------------
#
# htm n 50000 <html </html>
#
#---------------------------------------------------------------------
# ADOBE PDF
#---------------------------------------------------------------------
#
pdf y 5000000 %PDF %EOF\x0d REVERSE
pdf y 5000000 %PDF %EOF\x0a REVERSE
#
#---------------------------------------------------------------------
# AOL (AMERICA ONLINE)
#---------------------------------------------------------------------
#
# AOL Mailbox
# mail y 500000 \x41\x4f\x4c\x56\x4d
#
#
#
#---------------------------------------------------------------------
# PGP (PRETTY GOOD PRIVACY)
#---------------------------------------------------------------------
#
# PGP Disk Files
# pgd y 500000 \x50\x47\x50\x64\x4d\x41\x49\x4e\x60\x01
#
# Public Key Ring
# pgp y 100000 \x99\x00
# Security Ring
# pgp y 100000 \x95\x01
# pgp y 100000 \x95\x00
# Encrypted Data or ASCII armored keys
# pgp y 100000 \xa6\x00
# (there should be a trailer for this...)
# txt y 100000 -----BEGIN\040PGP
#
#
#---------------------------------------------------------------------
# RPM (Linux package format)
#---------------------------------------------------------------------
# rpm y 1000000 \xed\xab
#
#
#---------------------------------------------------------------------
# SOUND FILES
#---------------------------------------------------------------------
#
# wav y 200000 RIFF????WAVE
#
# Real Audio Files
# ra y 1000000 \x2e\x72\x61\xfd
# ra y 1000000 .RMF
#
#---------------------------------------------------------------------
# WINDOWS REGISTRY FILES
#---------------------------------------------------------------------
#
# Windows NT registry
# dat y 4000000 regf
# Windows 95 registry
# dat y 4000000 CREG
#
#
#---------------------------------------------------------------------
# MISCELLANEOUS
#---------------------------------------------------------------------
#
# zip y 10000000 PK\x03\x04 \x3c\xac
#
# java y 1000000 \xca\xfe\xba\xbe
#
#---------------------------------------------------------------------
# ScanSoft PaperPort "Max" files
#---------------------------------------------------------------------
# max y 1000000 \x56\x69\x47\x46\x6b\x1a\x00\x00\x00\x00 \x00\x00\x05\x80\x00\x00
#---------------------------------------------------------------------
# PINs Password Manager program
#---------------------------------------------------------------------
# pins y 8000 \x50\x49\x4e\x53\x20\x34\x2e\x32\x30\x0d
Isto foi a configuração que usei para recuperar pdfs (recuperei muitos com grande taxa de sucesso) e doc e docx (que quase todos estão corrompidos e não abrem.
O docx apenas alterei a extensão e meti o resto dos doc, presumo que esteja mal certo?
O que queria saber é:
1- Quais as linhas a adicionar para que me apareçam ficheiros docx, excel e powerpoint.
2- no caso dos doc e docx que encontrei o máximo de tamanho que encontrei nesse ficheiros foi 9.5 mb, e eu tinha ficheiros bem maiores, o que tenho de alterar para que me apareçam os ficheiros maiores?
Obrigado pela ajuda
