Signature-Based Recovery

Most data recovery techniques work by reading the file system. The Master File Table on NTFS, the FAT tables on FAT32, the inode tables on ext4, and the catalog on APFS all serve the same purpose: they list every file on the drive along with where its data is stored. Recovery tools that work with the file system can preserve file names, paths, timestamps, and folder structure because all that information is in the metadata. Signature-based recovery does something fundamentally different: it ignores the file system entirely and finds files by scanning the raw storage for the distinctive byte patterns inside the files themselves.¹

The technique in one sentence

Every file format begins with a specific sequence of bytes (the file signature, also called a magic number) that identifies what type of file it is. Signature-based recovery scans for those byte patterns across the entire storage device, and when it finds one, extracts the data that follows as a file of that type.

When it’s the right approach

Signature-based recovery is the technique to use when:

• The file system is missing or corrupted: if the partition has been formatted, deleted, or had its metadata damaged, file-system-based recovery can’t work but signature-based recovery still can.
• The drive shows as RAW: a RAW partition has no working file system. Signature-based recovery doesn’t need one.
• You need to recover from unallocated space: deleted files in unallocated space have no file system entries pointing to them, but their content is still there until overwritten.
• You’re working with a partial or damaged image: a disk image that’s missing the file system area but contains the data area can still yield files via signature recovery.
• File-system recovery has failed or recovered too few files: a second pass with signature-based recovery often finds files the file-system approach missed.

Relationship to file carving

The terms “signature-based recovery” and “file carving” overlap heavily. File carving is the broader umbrella for any technique that recovers files from raw data without file system metadata. Signature-based recovery is the most common form of file carving, where the carver uses byte-pattern signatures to locate files. In practice, most modern file carving is signature-based; the terms are used interchangeably in much of the recovery industry. This entry focuses on the signature-recognition aspect specifically.

Historical origin

Magic numbers as a file-identification mechanism originated in 1979 with Seventh Edition Unix (V7) and have been part of computing standard practice ever since.² The first widely-used file carving tool was Foremost, originally developed by the U.S. Air Force Office of Special Investigations in 2001. Scalpel, an improved version of Foremost, was introduced by Richard and Roussev in 2005. PhotoRec, by Christophe Grenier (the same developer behind TestDisk), became the dominant cross-platform tool over time and is still actively maintained.

The core idea is simple: file formats need to be self-identifying. When you double-click a file, the operating system needs to know what application to open it with. Looking at the file extension is one method, but extensions can be wrong or missing. Looking at the actual bytes inside the file is more reliable, which is why file formats include identifying byte patterns at known locations.³

Common file signatures

Each file format has its own signature. A small sample of widely-used formats:

Format	Header (hex)	Footer (if any)
JPEG	FF D8 FF	FF D9
PNG	89 50 4E 47 0D 0A 1A 0A	49 45 4E 44 AE 42 60 82
GIF	47 49 46 38 37 61 or 47 49 46 38 39 61	00 3B
PDF	25 50 44 46	25 25 45 4F 46
ZIP	50 4B 03 04	Variable; uses central directory
MP3	FF FB or 49 44 33 (ID3)	None reliable
MP4	00 00 00 ?? 66 74 79 70	None reliable
DOCX (and other Office)	50 4B 03 04 (ZIP-based)	Same as ZIP
EXE / DLL	4D 5A (MZ)	None reliable
RAR	52 61 72 21 1A 07 00	None reliable

Why headers are reliable but footers aren’t always

The header is at a known location: the very start of the file. Every JPEG begins with FF D8 FF; this is part of the format specification. Footers are less reliable because not every format has a defined end marker. JPEG and PNG do (FF D9 and the IEND chunk respectively), and recovery tools can use those to determine where the file ends. PDF has %%EOF. But many formats (executables, audio, video) have no footer; the file simply ends when its declared length runs out. For formats without footers, signature-based recovery has to either read a calculated length from the header or guess based on what comes next.

Files without recognizable signatures

Some content can’t be located by signature scanning:

• Plain text files have no magic number; ASCII or Unicode text doesn’t have an identifying signature.
• Encrypted files appear as random bytes after encryption; if the magic number is encrypted along with the rest, it’s no longer recognizable.
• Custom application formats may not have signatures registered with carving tools’ databases.
• Compressed files where the compression destroys the signature pattern can be missed unless the carver knows about the wrapper format.

Signature-based recovery follows a consistent algorithm regardless of which tool implements it. Understanding the steps clarifies what the technique can and can’t do.⁴

Step 1: Sequential sector scan

The tool reads the storage device (or disk image) sequentially, sector by sector, comparing the contents of each sector against its database of known file signatures. The scan operates at the raw byte level, not at the file system level. It doesn’t care whether sectors are marked as allocated or free; it scans everything. This is why the technique works against unallocated space, deleted partitions, and damaged file systems.

Step 2: Signature matching

When a sector contains a byte sequence matching a known signature, the tool flags that location as a potential file start. For some formats (JPEG, PNG), the signature is at offset 0 within the file; for others (PDF), the signature might be a few bytes in. Modern carving tools handle these offset variations from format definitions in their configuration databases.

Step 3: Validation

A signature match alone isn’t enough to confirm a real file; the byte sequence might appear coincidentally in other content. Sophisticated carvers perform validation checks: parsing additional bytes after the signature to confirm the structure looks like a real file of that type.⁵ A JPEG signature followed by valid JPEG markers is much more likely to be a real JPEG than a random match.

Step 4: Determining file length

Three approaches:

• Footer search: for formats with reliable footers (JPEG, PNG, PDF), scan forward from the header until the matching footer is found. Everything between is the file.
• Length from header: some formats (BMP, MP4) include the file length in the header. The tool reads the length and extracts that many bytes.
• Maximum size limit: for formats without footers or length fields, extract up to a configured maximum size and assume the file ends there or at the next signature.

Step 5: Output

Each recovered file is written to a destination (an output directory or another drive) with a sequential generated name (file001.jpg, file002.jpg) and grouped by file type into subfolders. The tool produces a log of what was recovered, where on the source it came from, and any validation warnings.

Common signature-based recovery tools

Tool	Platform	Strengths
PhotoRec	Windows, macOS, Linux	Most widely used; supports hundreds of formats; user-friendly menu interface
Foremost	Linux primarily	The original (2001); fast; configurable signature definitions
Scalpel	Linux primarily	Improved Foremost (2005); better performance and flexibility
Bulk_extractor	Cross-platform	Forensic-focused; finds emails, credit cards, URLs alongside files
R-Studio / EaseUS / DiskGenius	Cross-platform	Commercial tools with signature recovery as one mode
Recoverit / Disk Drill	Cross-platform	User-friendly commercial tools combining file system and signature recovery

The single most-asked question about signature-based recovery: where did all the original file names go? The answer reveals an important fact about how file systems actually store files.⁶

File names live in the file system, not in the file

When you create a file called “vacation_2024.jpg”, the file’s content is the JPEG image data starting with FF D8 FF. The name “vacation_2024.jpg” isn’t part of that content at all. It’s stored separately in the file system: in an MFT record on NTFS, in a directory entry on FAT32, in a directory inode on ext4. The file system links the name to the location on disk where the JPEG content actually lives.

Signature-based recovery scans the data regions where JPEG content lives. It never reads the MFT or directory entries because those are separate. The recovered JPEG content is intact, but the link from name to content has been lost.

What metadata gets lost

Signature recovery loses everything that lives in the file system rather than the file content:

• Original filename (“vacation_2024.jpg” → recovered as “file00001.jpg”).
• Folder path (“Pictures/Vacations/2024/Hawaii/” → recovered to a flat output directory by file type).
• Creation timestamp, modification timestamp, access timestamp.
• File system attributes (read-only, hidden, system).
• Owner and permission information on systems that track those.
• Alternate data streams on NTFS or extended attributes on macOS.

What does survive

Information embedded inside the file content survives because it’s part of what gets recovered:

• EXIF metadata in photos: camera model, GPS coordinates, date the photo was taken (this is inside the JPEG, not in the file system).
• ID3 tags in MP3 files: artist, album, track name, embedded album art.
• PDF document metadata: title, author, creation date as recorded by the PDF creator (inside the PDF, not the file system).
• Office document metadata embedded in the file format itself.
• Image content, audio content, video content intact in their entirety.

Why this matters for users

Users approaching signature-based recovery should understand the result format in advance. Recovery of 50,000 photos with names like img00001.jpg through img50000.jpg, grouped only by file type, can be overwhelming. Plan for the post-recovery work of identifying which files actually matter; tools like image deduplication software, EXIF-based date sorting, and visual review can help organize the recovered output. For files where the original name was the only way to identify content (named documents, project files), signature recovery may be only partially useful.

The biggest technical limitation of signature-based recovery is its difficulty with fragmented files. Understanding why reveals an important limitation that no tool fully solves.⁷

The contiguity assumption

Signature-based recovery’s basic algorithm assumes file data is stored contiguously: find the header, read forward until the footer or calculated length, that’s the file. This works well when files are stored in unbroken sequences of sectors. It breaks when files are fragmented across multiple non-contiguous regions.

Imagine a 10 MB JPEG that was stored in two fragments: 6 MB at sector 1000 and 4 MB at sector 50000, with sectors 1000-1999 belonging to the JPEG, sectors 2000-2999 belonging to a different file (a Word document, say), and sectors 3000+ belonging to yet other files. Signature recovery finds the JPEG header at sector 1000 and reads forward, but at sector 2000 it starts reading the Word document content as if it were JPEG data. The result: a recovered file that’s 6 MB of valid JPEG followed by 4+ MB of corrupted content, or a partial JPEG that ends prematurely.

Why fragmentation happens

File systems fragment files when there isn’t enough contiguous free space for the entire file. As drives fill up with files of various sizes that get created, deleted, and modified, contiguous free regions become scarce. A new large file ends up split across whatever free fragments are available.

• Heavily-used drives fragment more than fresh drives.
• SSDs handle fragmentation differently from HDDs at the physical level (no seek penalty), but the file system still records fragmented allocations.
• Some file systems (APFS, ext4) actively fight fragmentation; FAT32 notoriously doesn’t.
• Large files are more likely to be fragmented than small files.

What types of files survive fragmentation best

Files that recover well via signature-based methods share characteristics:

• Photos: usually small enough (under 10 MB) to fit in contiguous free space.
• Audio files: typically stored contiguously by media applications.
• Short videos: if they fit in contiguous space.
• Individual documents: small documents tend to be contiguous.

Files that recover poorly:

• Large videos that span multiple fragments.
• Large databases with extensive fragmentation.
• Virtual machine disk images that are typically multi-GB and fragmented.
• Frequently-edited large files that have grown over time.

State-of-the-art fragmentation handling

Research and modern tools have improved fragmentation handling over basic header-to-footer carving. Sequential hypothesis testing (Pal, Sencar, Memon) detects fragmentation points statistically. Some tools attempt fragment reassembly: identifying multiple fragments that might belong together and reassembling them in the correct order. None of these techniques fully solves the fragmentation problem; for heavily fragmented files, file-system-based recovery remains the only path that reliably preserves file integrity.