
Is it possible to recover a file from a disk image (dd image) if File Header/Footer, Signature has been altered/modified or removed?

I mean, for example, if the signature of the bitmap image (0x42 0x4d) or even the first 30 bytes have been removed or changed?

If not, what is an alternative way of recovering that file that is not based on the file signature? If it is possible, how is it done?

2 Answers


You can analyze the residual filesystem structure instead.

For example, the FAT family of filesystems indicates that a file has been deleted by over-writing the first byte of the filename in a directory entry with the byte value 0x3F. The rest of the metadata (including most of the filename) will still be there immediately after deletion, so a program that accesses the disk directly rather than through the operating system can easily find the file, which is how the DOS "undelete" command works.

Other filesystems are similar, though generally less information is available -- the FAT family are especially easy to recover files from.
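The directory-entry approach described in this answer, as an added example rather than code from the answer itself: it walks 8.3 directory entries in a constructed FAT-style image, reports entries whose first name byte is the deleted marker, reads the first cluster and size that survive in the rest of the entry, and copies the file out from that cluster. Assumptions made for the example: classic 32-byte short entries, data clusters numbered from 2, contiguous storage, and a sample volume built in code. The deleted-marker byte is a parameter; the default used here, 0xE5, is the value the FAT specification defines.

```python
"""Undelete-style recovery from residual FAT directory metadata (added example).

Assumptions (not from the answer above): classic 32-byte 8.3 directory entries,
data clusters numbered from 2, and a file that was stored contiguously. The
directory and the tiny "disk image" below are constructed here, not carved from
a real dd image."""

import struct

ENTRY_SIZE = 32
END_OF_DIRECTORY = 0x00      # first byte 0x00: no entries follow
ATTR_LONG_NAME = 0x0F        # VFAT long-name entry, not a file entry
DELETED_MARKER = 0xE5        # value the FAT specification uses for deleted entries
CONSTRUCTED_PAYLOAD = b"constructed bitmap payload, header bytes already gone"


def parse_entry(raw, deleted_marker=DELETED_MARKER):
    """Decode one short (8.3) directory entry; None at end of directory."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("directory entries are exactly 32 bytes")
    if raw[0] == END_OF_DIRECTORY:
        return None
    deleted = raw[0] == deleted_marker
    # Only the first name byte is overwritten on deletion; the rest survives.
    base = (b"?" + raw[1:8]) if deleted else raw[0:8]
    name = base.decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    cluster_hi = struct.unpack_from("<H", raw, 20)[0]   # used by FAT32, zero otherwise
    cluster_lo = struct.unpack_from("<H", raw, 26)[0]
    return {
        "name": f"{name}.{ext}" if ext else name,
        "deleted": deleted,
        "attrs": raw[11],
        "first_cluster": (cluster_hi << 16) | cluster_lo,
        "size": struct.unpack_from("<I", raw, 28)[0],
    }


def list_entries(region, deleted_marker=DELETED_MARKER):
    """Walk a directory region, skipping long-name entries, until the end marker."""
    entries = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = region[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIRECTORY:
            break
        if raw[11] == ATTR_LONG_NAME:
            continue
        entries.append(parse_entry(raw, deleted_marker))
    return entries


def deleted_entries(region, deleted_marker=DELETED_MARKER):
    """Entries whose name was marked deleted but whose metadata is still intact."""
    return [e for e in list_entries(region, deleted_marker) if e["deleted"]]


def cluster_offset(cluster, data_start, cluster_size):
    """Byte offset of a data cluster; FAT numbers data clusters from 2."""
    if cluster < 2:
        raise ValueError("data clusters start at 2")
    return data_start + (cluster - 2) * cluster_size


def carve_contiguous(image, entry, data_start, cluster_size):
    """Copy `size` bytes from the first cluster onward. The FAT chain is
    released on deletion, so this only works if the file was contiguous."""
    start = cluster_offset(entry["first_cluster"], data_start, cluster_size)
    return bytes(image[start:start + entry["size"]])


def make_entry(name, ext, attrs, first_cluster, size):
    """Build a short directory entry (helper for the constructed sample)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attrs
    struct.pack_into("<H", raw, 20, first_cluster >> 16)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)


def constructed_image():
    """Tiny fake volume: directory at offset 0, data region at 256, 64-byte
    clusters, one live file in cluster 2 and one deleted file in cluster 3."""
    data_start, cluster_size = 256, 64
    live = make_entry("README", "TXT", 0x20, 2, 12)
    gone = bytearray(make_entry("SECRET", "BMP", 0x20, 3, len(CONSTRUCTED_PAYLOAD)))
    gone[0] = DELETED_MARKER                               # what deletion does to the entry
    directory = live + bytes(gone) + bytes(ENTRY_SIZE)     # all-zero entry ends the list
    image = bytearray(data_start + 4 * cluster_size)
    image[:len(directory)] = directory
    image[data_start:data_start + 12] = b"hello world!"
    start = cluster_offset(3, data_start, cluster_size)
    image[start:start + len(CONSTRUCTED_PAYLOAD)] = CONSTRUCTED_PAYLOAD
    return bytes(image), data_start, cluster_size


if __name__ == "__main__":
    image, data_start, cluster_size = constructed_image()
    for entry in deleted_entries(image[:3 * ENTRY_SIZE]):
        print(entry["name"], "first cluster", entry["first_cluster"], "size", entry["size"])
        print(carve_contiguous(image, entry, data_start, cluster_size))
```

Against a real dd image you would replace `constructed_image()` with the directory region, data-region offset and cluster size read from the boot sector, and the carve is only trustworthy when the file was contiguous; the comment below this answer, about metadata that has been deliberately altered, is exactly the case where this metadata-driven route stops working and the content-based approach in the other answer is what remains.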

  • I know that, but you can access the partition and manually remove metadata and alter the MFT. I'm talking about the situation when someone tried to hide data by altering metadata information. Commented Apr 20, 2015 at 21:44

You could if you had some idea of what to look for and where to look. A bitmap (uncompressed) has specific statistical properties and you might be able to reconstruct it.

Knowing beforehand a likely range for image width would be for example immensely beneficial. Knowing its approximate chromaticity would also help.

The real problem will likely be that the file itself may be broken up into noncontiguous sectors and the information required to put it back together might have been erased as well. A bitmap small enough to fit into a single filesystem cluster would have the best chances.

Another very real possibility to be considered is that whatever erased the first bytes also did erase the remaining ones, or a significant enough portion thereof, making recovery unworthwhile if at all possible.

To attempt a recovery of an uncompressed DIB bitmap, you would look for byte sequences with the property that the values vary in triplets (i.e., given a sequence of N bytes, the correlation between pixels taken with index modulo three is significantly higher than with any other index not multiple of three). Then you would check whether a similar correlation exists with a higher index which is the row width rounded to the closest multiple of four. More analysis is required to determine row start/stop.

Without knowing more about the specific case (filesystem, real bitmap format used, bitmap size, how it was deleted/overwritten, dd image size, reason for the operation), I couldn't give you more than a "perhaps" as to the chances of recovery.
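The triplet-correlation test this answer describes, written out as an added example (not code from the answer): it computes the correlation between each byte and the byte `lag` positions later, picks the lag with the strongest correlation (3 for uncompressed 24-bit pixels), and then tries the row stride implied by each plausible width, rounded up to a multiple of four, to find the row length. The example goes slightly beyond the answer by scanning a whole range of candidate widths. Assumptions made here: BGR triplets, 4-byte row alignment, a smooth image, and a constructed gradient buffer with no header in place of real carved data.

```python
"""Statistical search for 24-bit DIB pixel data in raw bytes (added example).

Assumptions (not from the answer above): uncompressed 24-bit BGR triplets,
rows padded to a multiple of four bytes, and a smooth image. The sample
buffer is constructed here, not carved from a real image."""

from math import sqrt


def pearson(xs, ys):
    """Pearson correlation of two equal-length sequences; 0.0 if degenerate."""
    n = len(xs)
    if n < 2 or n != len(ys):
        return 0.0
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def lag_correlation(data, lag):
    """Correlation between each byte and the byte `lag` positions later."""
    if lag <= 0 or lag >= len(data) - 1:
        return 0.0
    return pearson(data[:-lag], data[lag:])


def detect_pixel_stride(data, max_lag=8):
    """Lag in 1..max_lag with the strongest correlation. For 24-bit pixels the
    peak is at 3: the same colour channel of the neighbouring pixel."""
    best_lag, best_r = None, -2.0
    for lag in range(1, max_lag + 1):
        r = lag_correlation(data, lag)
        if r > best_r:
            best_lag, best_r = lag, r
    return best_lag


def row_stride_for_width(width, bytes_per_pixel=3):
    """BMP rows are padded so every row starts on a 4-byte boundary."""
    return (width * bytes_per_pixel + 3) & ~3


def detect_row_stride(data, min_width=4, max_width=16):
    """Try the row stride implied by each plausible width and return the one
    whose lag correlation is strongest: the same pixel one row down."""
    candidates = sorted({row_stride_for_width(w) for w in range(min_width, max_width + 1)})
    best_stride, best_r = None, -2.0
    for stride in candidates:
        r = lag_correlation(data, stride)
        if r > best_r:
            best_stride, best_r = stride, r
    return best_stride


def constructed_pixel_data(width=10, height=8):
    """Smooth BGR gradient with BMP row padding (constructed sample, no header)."""
    stride = row_stride_for_width(width)
    out = bytearray()
    for y in range(height):
        row = bytearray()
        for x in range(width):
            # three channels with distinct levels, each varying slowly across x and y
            row += bytes((190 + 4 * x + 2 * y, 90 + 3 * x + 2 * y, 10 + 2 * x + 3 * y))
        row += bytes(stride - len(row))            # zero padding bytes
        out += row
    return bytes(out)


if __name__ == "__main__":
    blob = constructed_pixel_data()
    print("pixel stride:", detect_pixel_stride(blob))
    print("row stride  :", detect_row_stride(blob))
```

On the constructed buffer the lag-1 and lag-2 correlations are negative (they pair different colour channels) while lag 3 is strongly positive, and among the candidate strides only 32, the padded row length for width 10, pairs each pixel with the one directly below it. On real carved data the same peaks are what you look for, but the width range you feed in is the prior the answer mentions, and noisy or dithered images blunt the signal considerably.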
