Solution: Indeed it was EncFs file level encryption.

Thanks a lot for everyone helping!

Original post below:

Hope it is ok to ask technical questions in this channel!

I found a folder of files on one of my back drives which was copied from a very old cell phone or a SAMSUNG Galaxy S2.

The folder is called DCIM and in a sub folder called Camera there are files with a .jpg extension.

These files are not standard JPG files. They start with the following header:

0000000 0000 0000 3900 c0d8 ac5f d196 2d63 2421
0000010 0003 0200 0000 0010 0200 2d8c 0904 0103
0000020 0000 0000 0000 0000 e960 2861 7025 ba0e
0000030 2424 dcfa 3e3b ee64 0800 c87b a43a a90d
0000040 7287 b815 7ca4 9680 ed65 6216 5f08 4f43
0000050 534e 4c4f 0045 0000 9000 b3e9 1333 92b9
0000060 0002 0000 0000 0000 0000 0000 0000 0000
0000070 0000 0000 0000 0000 0000 0000 0000 0000

(obtained via hexdump -n 1024 filename.jpg).

The file command just returns ‘data’. The jpgrecovery command simply does not process these files. If I open the file in a file viewer (shotwell), I get the error that the file starts with 0 0, which is correct, as seen in the above hexdump.

All these commands were executed on Debian 12.

I have hundreds of files with this JPG extension and for each file the header is starting with 0 0 in this folder, so I assume the problem is not corruption of one file.

My questions:

  1. What kind of file format is this?
  2. How can I convert the files to JPGs?
  • rufus@discuss.tchncs.de
    5 months ago

    Listen to the people who say it’s probably encryption. I’d agree with that. And you can try all sorts of programs and ways to fix corrupted files… It won’t help if it’s encryption. You’d need to find out the specifics, see if there is a script floating around or some tutorial for your specific phone model that tells you how to decrypt them.

  • 9point6@lemmy.world
    5 months ago

    So the header for a JPEG should start with FF D8 and end in FF D9

    So maybe check if the files at least end correctly, if they do you could try adding the magic bytes back.

    I’d secondly try opening the file in as many applications as possible, one might be a bit more lenient/smarter in pulling the image out of a not-quite-right file.

    Finally you suggest they’re all the same header, is everything else on the drive fine? Is there a chance some cryptolocker malware has had a chance to run over the drive? I’m suggesting as the files could have been encrypted in some way and this is what’s preventing you from reading them

    Edit: worth noting I used an S2 years ago and had no problems getting the images off back then

    • wolf@lemmy.zipOP
      5 months ago

      Thanks for your suggestions: Can confirm start/end bytes are wrong. Tried to open in Shotwell, GIMP, Firefox, Google Chrome w/o results.

      I assume the hard drive is ok: I also have some git repositories on the drive and the checksums for git are correct. Every other file on the drive is ok, so cryptolocker malware could have only been on my phone at that time.

      • 9point6@lemmy.world
        5 months ago

        That’s unfortunate to hear, I’m afraid that’s me out of ideas then really. Very strange that they’re all corrupted in the same way, I’ll let you know if any other ideas pop into my head as to how this could have happened.
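
The start/end marker check suggested in the thread (FF D8 ... FF D9), as an added example that is not part of any post: it extends the check with a test of JPEG byte stuffing, which separates a photo with a damaged header from content that is not JPEG data at all, such as file-level encryption. The function names, the 0.9 threshold and the choice to sample the last three quarters of each file are assumptions of this example.

```python
import os
import sys
from collections import Counter

SOI, EOI = b"\xff\xd8", b"\xff\xd9"    # JPEG start/end-of-image markers
STUFFED = {0x00, *range(0xD0, 0xD8)}   # 0x00 or RST0-RST7 may follow 0xFF in scan data


def stuffing_ratio(data: bytes) -> float:
    """Fraction of 0xFF bytes followed by 0x00 or a restart marker.

    JPEG entropy-coded data escapes every 0xFF this way (ratio near 1.0);
    in ciphertext the following byte is uniform (ratio near 9/256).
    """
    followers = [data[i + 1] for i in range(len(data) - 1) if data[i] == 0xFF]
    if not followers:
        return 0.0
    return sum(b in STUFFED for b in followers) / len(followers)


def classify(data: bytes, min_ff: int = 16, threshold: float = 0.9) -> str:
    """Triage one file: would restoring the magic bytes plausibly help?"""
    if data.startswith(SOI) and data.rstrip(b"\x00").endswith(EOI):
        return "jpeg"
    body = data[len(data) // 4:]       # assumed: scan data dominates the last 3/4
    if body.count(b"\xff") < min_ff:
        return "inconclusive"          # too few 0xFF bytes to judge
    if stuffing_ratio(body) >= threshold:
        return "jpeg-body"             # JPEG scan data present, markers damaged
    return "not-jpeg-data"             # consistent with encryption, not a bad header


def scan_tree(root: str) -> Counter:
    """Classify every file under root and count the verdicts."""
    verdicts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                verdicts[classify(fh.read())] += 1
    return verdicts


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for verdict, count in scan_tree(root).items():
        print(f"{count:6d}  {verdict}")
```

A folder where every file comes back as "not-jpeg-data" points to a systematic transformation of the content rather than per-file header damage, so re-adding the magic bytes or running repair tools will not recover the images.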