File Carving MYOB backups

March 7th, 2010

I had a situation where I needed to recover some MYOB backup files from a corrupt Norton Ghost (version 8.0) file. Ghost Explorer wouldn’t open the backups, due to some form of corruption, somewhere. There was little information available, despite the file corruption being a common problem. Ghost is no longer a supported product, and future versions were essentially a completely new program. I read a thread on corrupt Ghost images that discussed my problem in depth. Praise to Nigel who provided the inspiration to try what I did, although unfortunately the header fix program was simply slack data when I downloaded it… sabotage?

Out of desperation I used HxD to search for the file header of a MYOB backup. It was tedious and took a while, particularly considering I was sifting through 20 GB of hexadecimal data.

If I get some time I would like to produce a program that can automatically recover these files (and others, especially .jpeg) from a corrupt Ghost image. In summary, however, if you are trying to recover data from a Norton Ghost image file that seems to have become corrupt, here is a brief overview of what you’ll need to do to recover the data.

  1. Load it in HxD
  2. Search for the file beginning
  3. Write down this location
  4. Search for the file end
  5. Write down this location
  6. Select between the start and end locations
  7. Copy it, then paste it into a new Hex file
  8. Save it

If everything went correctly, you’ll be left with the file you were trying to recover.

You may be asking “What is the file start/end?”.

I would say that is a good question – this is what took me a while to figure out.

For MYOB:
version 13, file start “6D 79 6F 62 31 33 2F 50 4B 03 04 0A”
version 18, file start “6D 79 6F 62 31 38 2F 50 4B 03 04 0A”

You will notice that the 6th byte is the only thing that changes between the two. That’s because it’s specifying the version number. In hex, the ASCII digits are 0x31 = 1, 0x33 = 3, 0x38 = 8.

The end of the MYOB files was always “50 4B 01 02 14 0B 14” followed by a large null padding (…00 00 00 00 00 00…), although the amount of padding varied from file to file.

Generally I selected a few zeros after the file end so… “50 4B 01 02 14 0B 14 00 00 00 00”.

I successfully recovered 8 backups doing this manually.
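The manual HxD steps above can be automated. The following is an added example, not the author's program: it scans an image for the start and end byte patterns listed in this post and writes out each span. It assumes the backup is stored contiguously and uncompressed in the image (as the manual method does), that any two ASCII digits may appear in the version position (the post only confirms 13 and 18), and a 64-bit Python for images of this size; the function and output file names are illustrative.

```python
import mmap
import re
import sys

# Start pattern from the post: "myob" + two ASCII version digits + "/" + 50 4B 03 04 0A.
# Accepting any two digits is an assumption; the post only lists versions 13 and 18.
HEADER = re.compile(rb"myob(\d\d)/PK\x03\x04\x0a")
# End pattern from the post, plus the four null bytes the author kept after it.
FOOTER = b"PK\x01\x02\x14\x0b\x14" + b"\x00" * 4


def find_backups(buf):
    """Return (version, start, end) for each header that has an end marker.

    buf is any bytes-like object (bytes or mmap); end is exclusive.
    """
    starts = [(m.group(1).decode(), m.start()) for m in HEADER.finditer(buf)]
    found = []
    for i, (version, start) in enumerate(starts):
        # Never search past the next header: that data belongs to another file.
        limit = starts[i + 1][1] if i + 1 < len(starts) else len(buf)
        pos = buf.find(FOOTER, start, limit)
        if pos != -1:  # headers with no end marker are skipped, not guessed at
            found.append((version, start, pos + len(FOOTER)))
    return found


def carve_image(image_path, out_prefix="carved"):
    """Memory-map the image read-only and write each carved span to a new file."""
    written = []
    with open(image_path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for n, (version, start, end) in enumerate(find_backups(mm)):
            name = f"{out_prefix}_{n:03d}_v{version}_0x{start:x}.bin"
            with open(name, "wb") as out:
                out.write(mm[start:end])
            written.append(name)
    return written


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name in carve_image(sys.argv[1]):
            print("wrote", name)
```

Work on a copy of the corrupt image, and check each carved file by opening it in MYOB, since a fragmented backup will carve to the right length but the wrong contents.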

Feel free to contact me via email if you would like a more in-depth tutorial on recovering files from Ghost backups, or donating if I just saved you!