BlockHashLoc - Recover files using lists of blocks hashes, bypassing the File System entirely


The purpose of BlockHashLoc is to enable the recovery of files after total loss of File System structures, or without even knowing what FS was used in the first place. The way it can recover a given file is by keeping a (small) parallel BHL file with a list of crypto-hashes of all the blocks (of selectable size) that compose it. So it's then possible to read blocks from a disk image/volume, calculate their hashes, compare them with the saved ones and rebuild the original file.

https://github.com/MarcoPon/BlockHashLoc





Related Projects

SeqBox - A single file container/archive that can be reconstructed even after total loss of file system structures

  •    Python

An SBX container exists both as a normal file in a mounted file system, and as a collection of recognizable blocks at a lower level. SBX blocks have a size sub-multiple/equal to that of a sector, so they can survive any level of fragmentation. Each block has a minimal header that includes a unique file identifier, block sequence number, checksum, version. Additional, non-critical info/metadata is contained in block 0 (like name, file size, crypto-hash, other attributes, etc.).

Kickass Undelete

  •    CSharp

Kickass Undelete is a free, fully featured, file recovery tool for Windows. Accidentally deleted a file? Never fear; the data is probably still on your drive and may be recoverable. Kickass Undelete finds all of the deleted files on your hard drive, flash drive or SD card and allows you to recover them.

ext3carve

  •    C

Ext3FS/Ext2FS File Recovery or Semantic File Carving tool. Recovers GIF/JPEG/MS-Word/PNG/HTML/JAVA/MP3 doc files <48KB if default block size=4kb. (If default size=8kb then recovers 96kb file.) Identifying and recovering files based on analysis of file for

CarvPath

  •    C

LibCarvpath is a library for computer forensics carving tools. It provides the low level needs of zero-storage carving using virtual paths. These virtual file paths can be used in conjunction with the CarvFS filesystem.

ROPMEMU - ROPMEMU is a framework to analyze, dissect and decompile complex code-reuse attacks.

  •    Python

ROPMEMU is a framework to analyze, dissect and decompile complex code-reuse attacks. It adopts a set of different techniques to analyze ROP chains and reconstruct their equivalent code in a form that can be analyzed by traditional reverse engineering tools. In particular, it is based on memory forensics (as its input is a physical memory dump), code emulation (to faithfully rebuild the original ROP chain), multi-path execution (to extract the ROP chain payload), CFG recovery (to rebuild the original control flow), and a number of compiler transformations (to simplify the final instructions of the ROP chain). Specifically, the memory forensics part is based on Volatility [1] plugins. The emulation and the multi-path part is implemented through the Unicorn emulator [2].


FlashBack - Digital Image Recovery

  •    CSharp

FlashBack is a JPG image recovery application for flash cards. It will attempt to recover the original image and preserve metadata. Currently it only recovers JPG files. Soon it will recover most raw formats.

DMZS-Biatchux Bootable CD Distro

  •    C

Bootable CD Forensics/Virus Scanning/Recovery/PenTesting platform

autopsy - Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools

  •    Java

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card. Installers can be found at: http://www.sf.net/projects/autopsy/files/autopsy

torus - Torus - distributed storage system

  •    Go

Torus provides a resource pool and basic file primitives from a set of daemons running atop multiple nodes. These primitives are made consistent by being append-only and coordinated by [etcd]. From these primitives, a Torus server can support multiple types of volumes, the semantics of which can be broken into subprojects. It ships with a simple block-device volume plugin, but is extensible to more. Sharding is done via a consistent hash function, controlled in the simple case by a hash ring algorithm, but fully extensible to arbitrary maps, rack-awareness, and other nice features. The project name comes from this: a hash 'ring' plus a 'volume' is a torus.

QRL - Quantum Resistant Ledger

  •    Python

Python-based blockchain ledger utilizing hash-based one-time merkle tree signature scheme (XMSS) instead of ECDSA. Proof-of-work block selection via the cryptonight algorithm. Future transition to POS with signed iterative hash chain reveal scheme which is both probabilistic and random (https://github.com/theQRL/pos). Hash-based signatures means larger transactions (3kb per tx, binary), longer keypair generation times and the need to record 'state' of transactions as each keypair can only be used once safely. Merkle tree usage enables a single address to be used for signing numerous transactions (up to 2^13 computationally easily enough). Currently XMSS/W-OTS+ are natively supported with extensible support for further cryptographic schemes inbuilt.

vinetto

  •    Python

Vinetto is a tool intended for forensics examinations. It is a console program to extract thumbnail images and their metadata from those thumbs.db files generated under Microsoft Windows. Vinetto works under Linux, Cygwin(win32) and Mac OS X.

johm - JOhm is an Object-hash mapping library for Java for storing objects in Redis

  •    Java

JOhm is a blazingly fast Object-Hash Mapping library for Java inspired by the awesome Ohm. The JOhm OHM is a modern-day avatar of the old ORM's like Hibernate with the difference being that we are not dealing with an RDBMS here but with a NoSQL rockstar. JOhm is a library for storing objects in Redis, a persistent key-value database. JOhm is designed to be minimally-invasive and relies wholly on reflection aided by annotation hooks for persistence. The fundamental idea is to allow large existing codebases to easily plug into Redis without the need to extend framework base classes or provide excessive configuration metadata.

Emails Outlook Mac Recovery Software That Is Provenly Better Than Others

  •    

Recover OLM emails with Outlook Mac Recovery Software that restores Mac OLM files as well as converts OLM files to EML and DBX file formats.

TomP2P - A P2P-based high performance key-value pair storage library

  •    Java

TomP2P is a P2P library and a distributed hash table (DHT) implementation which provides a decentralized key-value infrastructure for distributed applications. Each peer has a table that can be configured either to be disk-based or memory-based to store its values. TomP2P stores key-value pairs in a distributed manner. To find the peers to store the data in the distributed hash table, TomP2P uses an iterative routing to find the closest peers. Since TomP2P uses non-blocking communication, a future object is required to keep track of future results. This key concept is used for all the communication (iterative routing and DHT operations, such as storing a value on multiple peers) in TomP2P and it is also exposed in the API. Thus, an operation such as get or put will return immediately and the user can either block the operation to wait for the completion or add a listener that gets notified when the operation completes.

keyshuffling - Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain

  •    TeX

We demonstrate an attack on the secure bootchain of the Nintendo 3DS in order to gain early code execution. The attack utilizes the block shuffling vulnerability of the ECB cipher mode to rearrange keys in the Nintendo 3DS's encrypted keystore. Because the shuffled keys will deterministically decrypt the encrypted firmware binary to incorrect plaintext data and execute it, and because the device's memory contents are kept between hard reboots, it is possible to reliably reach a branching instruction to a payload in memory. This payload, due to its execution by a privileged processor and its early execution, is able to extract the hash of hardware secrets necessary to decrypt the device's encrypted keystore and set up a persistent exploit of the system. Information in this article (especially the keyshuffling vulnerability) is original, independent work unless cited otherwise. Note that the keyshuffling vulnerability detailed here is the same one documented publicly by much of this team including "stuckpixel" (also known as "dark_samus") on sites such as 3DBrew. Additionally, note that the persistence vulnerability detailed here is the same one documented publicly as "arm9loaderhax" by "plutoo", "derrek", and "smea" at the 2015 32c3 conference.

S2 Services Excel Recovery

  •    

MS recommended Excel recovery methods in one GUI - adds 4 of its own.

Fugenschnitzer

  •    C

Fugenschnitzer is a quick and easy to use Seam Carving program. Fugenschnitzer -- Seam Carving for everyone.

Seamstress seam carving library

  •    C

A program and library for content-aware image resizing using seam carving.

caire - Content aware image resize library

  •    Go

Caire is a content aware image resize library based on the Seam Carving for Content-Aware Image Resizing paper. The library is capable of detecting human faces prior to resizing the images via https://github.com/esimov/pigo, which does not require OpenCV to be installed.