- PRODUCTSFREEWAREFOR COMMERCIAL USEFOR PERSONAL AND BUSINESS USEBackup and System Restore:PC Privacy and Security:
- BUY ONLINE
- DISTRIBUTION
- Contents
- Index
- Introduction to R-Studio
-
Data Recovery Using R-Studio
- Basic File Recovery
- Advanced Data Recovery
- Mass File Recovery
-
Volume Sets and RAIDs
- Volume Sets, Stripe Sets, and Mirrors
- Basic RAID 4 and RAID 5 Operations
- Working with RAID6 (Double Xor) Presets
- Working with RAID 6 Presets
- Working with RAIDs with Parity Delays
- Working with Advanced RAID Layouts
- Nested and Non-Standard RAID Levels
- Finding RAID Parameters
- Checking RAID Consistency
- Syntax of a Description File for RAID Configurations
- Description Files for RAID Configurations
- Various Disk and Volume Managers
- Mounting Virtual Objects in the System as Virtual Drives
- Data Recovery over Network
- R-Studio Technician/T80+
- Text/hexadecimal Editor
- Technical Information and Troubleshooting
- R-Studio Emergency
- R-Studio Agent Emergency
© 2023 R-Tools Technology Inc.
All rights reserved.
Pattern Example I
Below is an example of a commented pattern parsing an AVI file.
<?xml version="1.0" encoding="utf-8"?>
<!-- A pattern section. The pattern name is AVI File . -->
<template name="AVI File">
<!-- A template signature section. Alignment is 1. -->
<signature align="1">
<!-- A 4-byte signature at offset 0x00. -->
<field offset="0x00">52 49 46 46</field> <!-- ANSI: RIFF -->
<!-- A 4-byte signature at offset 0x08. -->
<field offset="0x08">41 56 49 20</field> <!-- ANSI: LIST -->
</signature>
<!-- A data section. Its name is AVI File . This is the main data section. It is not shown in the parsing tree as a section (its name is ignored). -->
<section name="AVI File">
<!-- The first 4 bytes are read and shown as an ANSI string. -->
<field type="char" size="4" name="Signature: RIFF" var="signature"/>
<!-- The current position is moved to the beginning of the file. -->
<goto offset="-4"/>
<!-- The first 4 bytes in the file are read and shown as an unsigned integer. The internal variable signature gets the value of the field. -->
<field type="uint32" base="hex" name="Signature RIFF as unsigned integer in hex format" var="signature"/>
<!-- A test against the condition ( signature == RIFF ) -->
<if test="signature == 0x46464952"> <!-- ANSI: RIFF -->
<!-- The next 4 bytes are read and shown as an unsigned integer. The internal variable dataSize gets the value of the field. -->
<field type="uint32" name="Size of the data in file" var="dataSize"/>
<!-- A new internal variable endOfFile is created and the expr field evaluates its value.-->
<setvar var="endOfFile" expr="offset + dataSize - 8"/>
<!-- The next 4 bytes is read and shown as an ANSI string. -->
<field type="char" size="4" name="File type"/>
<!-- A new section named DATA is created -->
<section name="DATA">
<!-- A new internal variable chunksOffset is created, the expr filed evaluating its value. This variable gets the absolute value of template offset. -->
<setvar var="chunksOffset" expr="start_position"/>
<!-- A loop is created. Its condition is set in the test field (while the endOfFile variable is greater then the current position.) -->
<repeat test="endOfFile > offset">
<!-- 4 bytes are read and shown as an ANSI string. -->
<field type="char" size="4" name="Signature"/>
<!-- The current position is moved backwards by 4 bytes. -->
<goto offset="-4"/>
<!-- The same 4 bytes are read and shown as an unsigned integer. The internal variable signature gets this value. -->
<field type="uint32" name="Signature as unsigned integer" var="signature"/>
<!-- A test against the condition ( signature == LIST ) -->
<if test="signature == 1414744396"> <!-- ANSI: LIST -->
<!-- The section is shown. Its name is LIST -->
<section name="LIST">
<!-- The current position is moved backward by 4 bytes. -->
<goto offset="-4"/>
<!-- The 4 bytes are read and shown as an unsigned hexadecimal integer. This field has the attributes offset and assigned-template . If the user double-clicks this field, the AVI File LIST pattern will be invoked and the current pattern position will be moved to the address specified in as-offset .-->
<field type="uint32" base="hex" name="Signature LIST as unsigned integer in hex format" as-offset="start_position + offset - 4" assigned-template="AVI File LIST"/>
<!-- The next 4 bytes are read and shown as an unsigned integer. The listSize variable gets its value. -->
<field type="uint32" name="Size of the data in the list" var="listSize"/>
<!-- The 4 bytes are read and shown as an ANSI string. -->
<field type="char" size="4" name="List type"/>
<!-- The current position is moved backward by 4 bytes. -->
<goto offset="-4"/>
<!-- The same 4 bytes are shown as an unsigned hexadecimal integer. The listType variable gets its value.-->
<field type="uint32" base="hex" name="List type as unsigned integer in hex format" var="listType"/>
<!-- A test against condition ( type == movi ) -->
<if test="listType == 0x69766f6d"> <!-- ANSI: movi -->
<!-- The chunksOffset variable gets the value evaluated in the expr attribute. -->
<setvar var="chunksOffset" expr="start_position + offset - 4"/>
</if>
<!-- The current position is moved to the address evaluated in the address attribute. -->
<goto address="offset + listSize - 4"/>
</section>
</if>
<!-- A test against condition ( signature == JUNK ) -->
<if test="signature == 1263424842"> <!-- ANSI: JUNK -->
<!-- The section is shown with the JUNK name. -->
<section name="JUNK">
<!-- The next 4 bytes are read and shown as an unsigned integer. The internal variable junkSize gets its value. -->
<field type="uint32" name="Size of the data of the junk" var="junkSize"/>
<!-- The current position is moved by junkSize bytes forward. -->
<goto offset="junkSize"/>
</section>
</if>
<!-- A test against condition ( signature == idx1 ) -->
<if test="signature == 829973609"> <!-- ANSI: idx1 -->
<!-- The section is shown with the idx1 name. -->
<section name="idx1">
<!-- The next 4 bytes are read and shown as an unsigned integer. The internal variable idxSize gets its value. -->
<field type="uint32" name="Size of the data of the idx1" var="idxSize"/>
<!-- The section is shown with the First AVIINDEXENTRY name. -->
<section name="First AVIINDEXENTRY">
<!-- The 4 bytes are read and shown as an ANSI string. -->
<field type="char" size="4" name="Chunck id"/>
<!-- The next 4 bytes are read and shown as an unsigned hexadecimal integer. -->
<field type="uint32" base="hex" name="Flags"/>
<!-- The next 4 bytes are read ans shown as an unsigned hexadecimal integer. The offset attribute is evaluated for this field as a sum of the chunksOffset variable and valued of this field. -->
<field type="uint32" base="hex" name="Chunk offset" as-offset="chunksOffset + this"/>
<!-- The next 4 bytes are read and shown as an unsigned integer. -->
<field type="uint32" name="Chunk size"/>
</section>
<!-- The current position is moved by idxSiz bytes forward. -->
<goto offset="idxSize"/>
</section>
</if>
<!-- A test against the condition. && is a logical AND ( && ) -->
<if test="signature != 1414744396 && signature != 1263424842 && signature != 829973609">
<!-- An empty section is shown. Its name is Unknown signature found -->
<section name="Unknown signature found">
</section>
<!-- The current position is moved to the address set in the endOfFile variable. -->
<goto address="endOfFile"/>
</if>
</repeat>
</section>
</if>
</section>
</template>
- Data Recovery Guide
- Why R-Studio?
- R-Studio for Forensic and Data Recovery Business
- R-STUDIO Review on TopTenReviews
- File Recovery Specifics for SSD devices
- How to recover data from NVMe devices
- Predicting Success of Common Data Recovery Cases
- Recovery of Overwritten Data
- Emergency File Recovery Using R-Studio Emergency
- RAID Recovery Presentation
- R-Studio: Data recovery from a non-functional computer
- File Recovery from a Computer that Won't Boot
- Clone Disks Before File Recovery
- HD Video Recovery from SD cards
- File Recovery from an Unbootable Mac Computer
- The best way to recover files from a Mac system disk
- Data Recovery from an Encrypted Linux Disk after a System Crash
- Data Recovery from Apple Disk Images (.DMG files)
- File Recovery after Re-installing Windows
- R-Studio: Data Recovery over Network
- How To Use R-Studio Corporate Package
- Data Recovery from a Re-Formatted NTFS Disk
- Data Recovery from an ReFS disk
- Data Recovery from a Re-Formatted exFAT/FAT Disk
- Data Recovery from an Erased HFS Disk
- Data Recovery from an Erased APFS Disk
- Data Recovery from a Re-Formatted Ext2/3/4FS Disk
- Data Recovery from an XFS Disk
- Data Recovery from a Simple NAS
- How to connect virtual RAID and LVM/LDM volumes to the operating system
- Specifics of File Recovery After a Quick Format
- Data Recovery After Partition Manager Crash
- File Recovery vs. File Repair
- Data Recovery from Virtual Machines
- Emergency Data Recovery over Network
- Data Recovery over the Internet
- Creating a Custom Known File Type for R-Studio
- Finding RAID parameters
- Recovering Partitions on a Damaged Disk
- NAT and Firewall Traversal for Remote Data Recovery
- Data Recovery from an External Disk with a Damaged File System
- File Recovery Basics
- Default Parameters of Software Stripe Sets (RAID 0) in Mac OS X
- Data Recovery from Virtual Hard Disk (VHD/VHDX) Files
- Data Recovery from Various File Container Formats and Encrypted Disks
- Automatic RAID Parameter Detection
- IntelligentScan Data Recovery Technology
- Multi-pass imaging in R-Studio
- Runtime Imaging in R-Studio
- Linear Imaging vs Runtime Imaging vs Multi-Pass Imaging
- USB Stabilizer Tech for unstable USB devices
- Joint work of R-Studio and PC-3000 UDMA hardware
- Joint work of R-Studio and HDDSuperClone
- R-Studio T80+ - A Professional Data Recovery and Forensic Solution for Small Business and Individuals Just for 1 USD/day
- Backup Articles
- R-Drive Image Standalone and Corporate license transferring
- Backup with Confidence
- R-Drive Image as a free powerful partition manager
- Computer Recovery and System Restore
- Disk Cloning and Mass System Deployment
- Accessing Individual Files or Folders on a Backed Up Disk Image
- Creating a Data Consistent, Space Efficient Data Backup Plan for a Small Business Server
- How to Move the Already Installed Windows from an Old HDD to a New SSD Device and Create a Hybrid Data Storage System
- How to Move an Installed Windows to a Larger Disk
- How to Move a BitLocker-Encrypted System Disk to a New Storage Device
- How to backup and restore disks on Linux and Mac computers using R-Drive Image
- Undelete Articles
- Get Deleted Files Back
- Free Recovery from SD and Memory cards
- R-Undelete: Video Recovery
- Recovery from an External Device with a Damaged File System
- File recovery from a non-functional computer
- Free File Recovery from an Android Phone Memory Card
- Free Photo and Video File Recovery Tutorial
- Easy file recovery in three steps