Package: foremost Version: 1.5.7-8 If foremost is launched with "-t all" option then recovered zip files has an extra byte.
Prepare a test file dd if=/dev/urandom of=random.data bs=1k count=1000 zip test.zip random.dat cp -pi test.zip test.img truncate --size 1025000 test.img Try to recover the zip file foremost -o result-orig -t all test.img Compare ls -l test.zip result-orig/zip/00000000.zip -rw-rw-r-- 1 user user 1024333 Apr 27 18:58 result-orig/zip 00000000.zip -rw-rw-r-- 1 user user 1024332 Apr 27 18:56 test.zip 7z t result-orig/zip/00000000.zip ... WARNINGS: There are data after the end of archive -- Path = result-orig/zip/00000000.zip Type = zip WARNINGS: There are data after the end of archive Physical Size = 1024332 Tail Size = 1 Everything is Ok ... "-t zip" works correctly foremost -o result-orig-zip -t zip test.img ls -l result-orig-zip/zip/00000000.zip -rw-rw-r-- 1 user user 1024332 Apr 27 19:21 result-orig-zip/zip/00000000.zip I think it happens due to different description of signatures used for "zip" and for "all" mode in the state.c file: 301 init_builtin(state, 302 ZIP, 303 "zip", 304 "\x50\x4B\x03\x04", 305 "\x4b\x05\x06\x00", 306 4, 307 4, 308 100 * MEGABYTE, 309 TRUE); 548 init_builtin(s, 549 ZIP, 550 "zip", 551 "\x50\x4B\x03\x04", 552 "\x50\x4b\x05\x06", 553 4, 554 4, 555 max_file_size, 556 TRUE); I suggest to apply the following patch: cat debian/patches/avoid-zip-tail-byte.patch --- a/state.c +++ b/state.c @@ -302,7 +302,7 @@ ZIP, "zip", "\x50\x4B\x03\x04", - "\x4b\x05\x06\x00", + "\x50\x4b\x05\x06", 4, 4, 100 * MEGABYTE,