How to prefix remover for data recovery & forensics
- Step 1Stage the recovered archive locally — Pull the carved or recovered archive from your evidence store onto the workstation. The tool reads it from disk via the browser File API; nothing transits a network.
- Step 2Hash it first — Before flattening, run the checksum generator to record a SHA-256 manifest of the original archive's entries for your chain of custody.
- Step 3Confirm the true format — Carved files often have misleading extensions. Run the auto format detector to verify the real type — the prefix remover detects by magic bytes anyway, but logging the type helps your notes.
- Step 4Flatten the wrapper — Open the Path Prefix Remover, drop the archive, and leave Prefix to strip empty to auto-detect the single recovery folder, or type the exact wrapper name (e.g.
recovered_0001/). Click Process. - Step 5Read the result metrics — The panel reports the prefix it stripped and how many entries were renamed. Record these in your case notes — they document precisely what changed.
- Step 6Hash the output and hand off — Download the
-flattened.zip, run the checksum generator again on it, and attach both manifests to the case. The flattened ZIP feeds into your analysis tooling like any standard archive.
What changes vs what is preserved
For evidence handling, it matters which bytes the tool touches. Only path strings change; file payloads do not.
| Property | Effect of flattening | Implication for forensics |
|---|---|---|
| File contents | Unchanged, byte-for-byte | Content hashes of individual files stay identical |
| Entry paths | Wrapping prefix removed | Document the stripped prefix and renamed count in case notes |
| Archive-level hash | Changes (new ZIP container) | Capture before/after archive manifests, not just one |
| Entry timestamps | Rebuild time, not original | Use the timestamp normalizer if a fixed value is required |
| Compression | Re-compressed at fflate level 6 | Output size may differ from the original archive — expected |
Tier limits for recovery work
Recovered drive images can yield large or entry-dense archives. Both the size cap and the per-archive entry cap apply.
| Tier | Max size per archive | Max entries per archive | Files per job |
|---|---|---|---|
| Free | 50 MB | 500 | 1 |
| Pro | 500 MB | 50,000 | 20 |
| Pro-Media | 2 GB | 500,000 | 100 |
| Developer | 2 GB | 500,000 | unlimited |
Cookbook
Recovery-shaped examples. File and case identifiers are illustrative; the path transformations are exactly what the tool performs.
Strip a recovery-tool wrapper
A carving tool wrapped the recovered files in one folder. Auto-detect removes it because there is a single top segment.
Input: recovered_0001.zip (Prefix to strip = empty) Before After recovered_0001/photo_001.jpg -> photo_001.jpg recovered_0001/docs/note.txt -> docs/note.txt Result panel: Prefix stripped: recovered_0001/ Entries renamed: 2
Two carve buckets — name the one to flatten
When recovery produced two top folders, auto-detect declines. Specify the bucket to flatten and leave the other intact for comparison.
Input: case-2026-04.zip (Prefix to strip = drive-A/) Before After drive-A/img/p1.jpg -> img/p1.jpg drive-A/img/p2.jpg -> img/p2.jpg drive-B/img/p1.jpg -> drive-B/img/p1.jpg (kept)
Flatten a carved 7z
Carving can yield 7z containers. libarchive reads them; the flattened output is a ZIP for your analysis pipeline.
Input: carved_block.7z (Prefix to strip = empty) Before After block/registry.hiv -> registry.hiv block/users/ntuser.dat -> users/ntuser.dat Download: carved_block-flattened.zip
Chain-of-custody manifest pattern
Hash before and after so the case file documents exactly what the flatten step changed.
1) checksum-generator on recovered_0001.zip -> manifest-before.txt (per-entry SHA-256) 2) path-prefix-remover -> recovered_0001-flattened.zip 3) checksum-generator on the flattened ZIP -> manifest-after.txt Diff: entry paths shortened; per-file content hashes identical
Damaged archive — stop and repair first
If the central directory is corrupt, flattening fails outright. Route through the repair tool before retrying.
Input: drive-dump.zip (corrupt central directory) Path Prefix Remover -> Error: cannot read archive Recovery path: 1) corrupted-zip-repair -> drive-dump-repaired.zip 2) path-prefix-remover on the repaired archive
Edge cases and what actually happens
Archive-level hash changes after flattening
Expected (new container)Flattening rebuilds the ZIP, so the whole-archive hash differs even though per-file contents are identical. Record both before and after manifests; do not treat the archive hash change as tampering.
Corrupt central directory on recovered ZIP
Error (cannot read)A damaged directory blocks extraction and no output is produced. Run the corrupted ZIP repair tool first, then flatten the recovered archive.
Multiple carve buckets, empty prefix
Stopped — no prefix detectedWith several top folders and no prefix, the tool refuses to guess and produces nothing. This is the safe choice for evidence — name the exact bucket to flatten.
Carved file with wrong extension
Supported (detected by bytes)Magic-byte detection means a mislabeled carve (a .dat that is really a ZIP) is handled by its true type. Log the detected type with the auto format detector.
Encrypted recovered ZIP
Supported (read via zip.js)Encrypted entries are read through zip.js if you supply nothing extra — but the rebuilt ZIP is unencrypted. Re-protect with the encrypted ZIP creator before storing if policy requires it.
Entry-dense recovered image over the entry cap
Rejected (entry limit)A drive carve can produce tens of thousands of small files. Free caps at 500 entries per archive; Pro 50,000; Pro-Media and Developer 500,000. Use a higher tier or split the archive.
Output smaller or larger than input
Expected (re-compressed)The tool re-compresses at fflate level 6, so already-compressed media may grow slightly and uncompressed text may shrink. Size change is normal and does not indicate data loss.
Timestamps reset to rebuild time
By designThe rebuilt ZIP carries rebuild timestamps, not the recovered originals. If your analysis depends on archive timestamps, capture them before flattening or use the timestamp normalizer.
ISO image recovered from the drive
Supported (read-only)libarchive reads ISO 9660, so a directory tree wrapped in a recovered ISO can be flattened to a ZIP for analysis. The tool never writes ISO.
Prefix typed does not match any entry
Preserved (zero renamed)If your typed wrapper name does not match the carve's actual top folder, nothing is renamed and the output mirrors the input tree. Verify the exact folder name and trailing slash.
Frequently asked questions
Is recovered evidence uploaded anywhere?
No. The archive is read and rebuilt in WebAssembly inside the browser tab. No bytes leave the workstation, so the regulated boundary does not move when an analyst uses the tool — it is equivalent to running a local utility.
Does flattening alter the file contents?
No. Only entry path strings change. Each file's payload is preserved byte-for-byte, so per-file content hashes are identical before and after.
Why does the whole-archive hash change?
The tool rebuilds the ZIP container, so the archive-level hash differs even when contents do not. For chain of custody, capture per-entry manifests before and after rather than relying on one archive hash.
How do I document what changed?
The result panel reports the stripped prefix and the count of renamed entries. Record those plus before/after SHA-256 manifests from the checksum generator in your case notes.
Can it open carved 7z and RAR?
Yes — 7z, RAR, BZ2, XZ, TAR variants and ISO are read via the libarchive WASM bridge. The flattened output is always a ZIP.
What if the recovered archive is corrupt?
Flattening will fail to read a damaged central directory. Run the corrupted ZIP repair tool first, then flatten the recovered archive.
What are the size and entry limits?
Free is 50 MB and 500 entries per archive; Pro 500 MB and 50,000; Pro-Media and Developer 2 GB and 500,000 entries. The entry cap matters because drive carves are often many tiny files.
Can multiple analysts use it at once?
Yes — each browser tab is an independent instance with no shared server state. Tier limits apply per session.
Does it preserve original timestamps?
No — the rebuilt ZIP uses rebuild timestamps. Capture originals before flattening, or normalize with the timestamp normalizer for a fixed value.
Is the manual prefix override gated behind a paid tier?
No. The Prefix to strip input is available on every tier including Free; only the size and entry limits differ between tiers.
Is the output re-encrypted if the source was encrypted?
No. Encrypted ZIPs are read via zip.js and the rebuilt ZIP is unencrypted. Re-encrypt with the encrypted ZIP creator if your evidence handling requires it.
Can it batch many recovered archives?
Not this tool — it processes one archive per job. For pulling specific paths out of many archives, see the selective extractor or the batch tools.
Privacy first
Every JAD Archive tool runs entirely in your browser using fflate, @zip.js/zip.js, and the libarchive WASM bridge. Your archives never leave your device — verified by zero outbound network requests during processing.