Solution: Indeed it was EncFS file level encryption.
Thanks a lot for everyone helping!
Original post below:
Hope it is ok to ask technical questions in this channel!
I found a folder of files on one of my backup drives which was copied from a very old cell phone or a SAMSUNG Galaxy S2.
The folder is called DCIM and in a sub folder called Camera there are files with a .jpg extension.
These files are not standard JPG files. They start with the following header:
0000000 0000 0000 3900 c0d8 ac5f d196 2d63 2421
0000010 0003 0200 0000 0010 0200 2d8c 0904 0103
0000020 0000 0000 0000 0000 e960 2861 7025 ba0e
0000030 2424 dcfa 3e3b ee64 0800 c87b a43a a90d
0000040 7287 b815 7ca4 9680 ed65 6216 5f08 4f43
0000050 534e 4c4f 0045 0000 9000 b3e9 1333 92b9
0000060 0002 0000 0000 0000 0000 0000 0000 0000
0000070 0000 0000 0000 0000 0000 0000 0000 0000
(obtained via hexdump -n 1024 filename.jpg).
The file command just returns ‘data’. The jpgrecovery command simply does not process these files. If I open the file in a file viewer (shotwell), I get the error that the file starts with 0 0, which is correct, as seen in the above hexdump.
All these commands were executed on Debian 12.
I have hundreds of files with this JPG extension and for each file the header is starting with 0 0 in this folder, so I assume the problem is not corruption of one file.
My questions:
- What kind of file format is this?
- How can I convert the files to JPGs?
Listen to the people who say it’s probably encryption. I’d agree with that. And you can try all sorts of programs and ways to fix corrupted files… It won’t help if it’s encryption. You’d need to find out the specifics, see if there is a script floating around or some tutorial for your specific phone model that tells you how to decrypt them.
So the header for a JPEG should start with FF D8 and end in FF D9.
So maybe check if the files at least end correctly; if they do, you could try adding the magic bytes back.
I’d secondly try opening the file in as many applications as possible, one might be a bit more lenient/smarter in pulling the image out of a not-quite-right file.
Finally, you suggest they’re all the same header. Is everything else on the drive fine? Is there a chance some cryptolocker malware has had a chance to run over the drive? I’m suggesting this as the files could have been encrypted in some way and this is what’s preventing you from reading them.
Edit: worth noting I used an S2 years ago and had no problems getting the images off back then
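An added example, not part of any poster's reply: a small Python triage that applies the FF D8 / FF D9 check suggested above and uses byte entropy to separate "markers missing but data looks random" (encryption, where re-adding magic bytes cannot work) from other damage. The function names, the 7.5 bits/byte threshold and the sample blobs are assumptions made for this example; it also assumes the posted hexdump came from a little-endian machine, where plain `hexdump` prints each 16-bit word byte-swapped.

```python
import hashlib
import math
from collections import Counter

SOI, EOI = b"\xff\xd8", b"\xff\xd9"  # JPEG start/end markers named in the thread

def hexdump_words_to_bytes(line: str) -> bytes:
    """Undo plain `hexdump` output: offset column, then 16-bit words printed
    in host order (assumed little-endian here), so each byte pair is swapped."""
    words = line.split()[1:]
    return b"".join(bytes.fromhex(w)[::-1] for w in words)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data: bytes, high: float = 7.5) -> str:
    """Classify a file's contents by JPEG markers first, entropy second."""
    if data.startswith(SOI) and data.rstrip(b"\x00").endswith(EOI):
        return "jpeg"
    if data.startswith(SOI):
        return "truncated-jpeg"
    if entropy(data) >= high:
        # No marker and near-random bytes: encrypted (or compressed) data.
        # Re-adding magic bytes cannot help; the key/tool is needed.
        return "high-entropy-not-jpeg"
    return "unknown-low-entropy"

def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample data)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]

if __name__ == "__main__":
    first_line = "0000000 0000 0000 3900 c0d8 ac5f d196 2d63 2421"  # from the post
    print(hexdump_words_to_bytes(first_line).hex(" "))
    samples = {  # constructed samples, not real photos
        "ok.jpg": SOI + pseudo_random(4096) + EOI,
        "cut.jpg": SOI + pseudo_random(4096),
        "enc.jpg": bytes(6) + pseudo_random(4096),
        "zeroed.jpg": bytes(4096),
    }
    for name, blob in samples.items():
        print(f"{name:10s} entropy={entropy(blob):.2f} -> {triage(blob)}")
```

A real JPEG body is compressed and also scores high on entropy, so the marker check has to come first; entropy only matters once the markers are absent.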
Thanks for your suggestions: Can confirm start/end bytes are wrong. Tried to open in Shotwell, GIMP, Firefox, Google Chrome w/o results.
I assume the hard drive is ok: I also have some git repositories on the drive and the checksums for git are correct. Every other file on the drive is ok, so cryptolocker malware could have only been on my phone at that time.
That’s unfortunate to hear, I’m afraid that’s me out of ideas then really. Very strange that they’re all corrupted in the same way, I’ll let you know if any other ideas pop into my head as to how this could have happened.
maybe it’s one of the so-called raw formats that contain more data from the camera, of which only a portion is useful in the end.
if you have access to a windows computer, or perhaps wine can work?, there might be a solution in the bottom of this thread where someone had a similar problem
https://superuser.com/questions/972013/how-to-repair-corrupt-jpeg-files
haven’t tested it, so do some antivirus checks on the tool before you decide to test it just to be sure.
good luck, hope you get it sorted
or you might be unable to decrypt them at all
or, if it was an LG phone, could they be encrypted?
if so, perhaps this will help https://github.com/kamicater/LG-Gallery-Decryptor