# general
o
Hi all! I've noticed that the osquery file carver adds 512 bytes of metadata to the beginning of each file I carve, and pads the file at the end with a lot of 0-bytes. I need a way to figure out the exact original size of the carved file, so I can remove all data added by osquery and get the original file. I tried to look for this value in the metadata block at the beginning of the file, but I couldn't figure it out. 😞
s
I'm not sure if there's something else in between on your side, but looking at the code the carver takes the files as they are and then creates a tar. The uploaded file is either an uncompressed tar or a compressed one with zstd.
o
You're right, it is indeed an uncompressed tar, and I was unfamiliar with this format. Thanks a lot!