Untitled
a guest
Mar 8th, 2016
# Scalpel configuration file

# This configuration file controls the types and sizes of files that
# are carved by Scalpel. NOTE THAT THE FORMAT OF THIS FILE WAS
# EXTENDED in Scalpel 1.90.

# For each file type, the configuration file describes the file's
# extension, whether the header and footer are case sensitive, the
# min/maximum file size, and the header and footer for the file. The
# footer field is optional, but extension, case sensitivity, size, and
# header are required. Any line that begins with a '#' is considered
# a comment and ignored. Thus, to skip a file type just put a '#' at
# the beginning of the line containing the rule for the file type.

# If you want files carved without filename extensions, use "NONE" in
# the extension column.

# Beginning with Scalpel 1.90, HEADERS AND/OR FOOTERS MAY BE EITHER
# FIXED STRINGS OR REGULAR EXPRESSIONS.

# Headers and footers are decoded before use, unless they are regular
# expressions. To specify a byte in hexadecimal use \x followed by two
# hex digits (\x[0-9a-f][0-9a-f]); for octal use \ followed by three
# octal digits (\[0-3][0-7][0-7]). Spaces can be represented by \s.
# Example: "\x4F\123I\sCCI" decodes to "OSI CCI".

# To match any single character (aka a wildcard) in a non-regular
# expression header/footer, use a '?'. If you need to search for a
# literal '?' character, you will need to change the 'wildcard' line
# *and* every occurrence of the old wildcard character in this
# configuration file.

# Regular expressions in extended format can be specified for headers
# or footers by bracketing a header or footer with //, e.g., /GGG[^G]/
# matches a string of three G characters, followed by a character
# other than G. To clarify, here is a complete rule for a file type
# that should be at most 100000 bytes, must begin with three G's
# followed by a non-G character and terminate with a digit character
# (0-9) followed by five H characters:

# XXX y 100000 /GGG[^G]/ /[0-9]HHHHH/

# Beginning with Scalpel 1.90, minimum carve sizes may be specified
# for each file type using this format for the size parameter:
# smallest:largest e.g.,

# jpg y 5000:100000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9

# carves JPG format image files between 5000 and 100000 bytes in
# length, ignoring files smaller than 5000 bytes. (The rule is shown
# commented out here because the live JPG rules are in the GRAPHICS
# FILES section below; leaving both active would carve every JPG in
# that size range twice.) If the minimum carve size is not specified,
# 0 is assumed. This maintains compatibility with Scalpel configuration
# files created prior to 1.90.

# The REVERSE keyword after a footer causes a search backwards,
# starting from [size] bytes beyond the location of the header.
# This is useful for files like PDFs that may contain multiple copies of
# the footer throughout the file. When using the REVERSE keyword you will
# extract bytes from the header to the LAST occurrence of the footer
# (including the footer in the carved file).

# The NEXT keyword after a footer results in file carves that
# include the header and all data BEFORE the first occurrence of the
# footer (the footer is not included in the carved file). If no
# occurrence of the footer is discovered within maximum carve size bytes
# from the header, then a block of the disk image including the header
# and with length equal to the maximum carve size is carved. Use NEXT
# when there is no definitive footer for a file type, but you know which
# data should NOT be included in a carved file--e.g., the beginning of
# a subsequent file of the same type.

# FORWARD_NEXT is the default carve type and this keyword may be
# included after the footer, but is not required. For FORWARD_NEXT
# carves, a block of data including the header and the first footer
# (within the maximum carve size) is carved. If no footer appears
# after the header within the maximum carve size, then no carving is
# performed UNLESS the -b command line option is supplied. In this case,
# a block of max carve size bytes, including the header, is carved and a
# notation is made in the Scalpel log that the file was chopped.
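The following Python model of the rule format and of the three carve modes is an added example; it is not part of Scalpel or of this configuration file, and it only approximates Scalpel (the real tool scans the image in chunks, writes carved files to an output directory and logs chopped files; this model returns carves in memory and treats each header hit independently). It decodes header/footer fields as described above (\xHH, \OOO, \s, the '?' wildcard and /regex/ fields, the latter compiled with Python's re rather than POSIX ERE), honours smallest:largest sizes, and applies FORWARD_NEXT, NEXT and REVERSE, with a chop flag standing in for -b. The IMAGE bytes and the four-rule CONF string are constructed for the example; Python 3.8 or later is assumed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

WILDCARD = "?"  # conf default; a 'wildcard' directive line is skipped, not applied
TOKEN = re.compile(r"\\[xX][0-9a-fA-F]{2}|\\[0-3][0-7]{2}|\\s|.", re.DOTALL)

@dataclass
class Rule:
    ext: str
    min_size: int
    max_size: int
    header: re.Pattern
    footer: re.Pattern | None
    mode: str  # FORWARD_NEXT (default), NEXT or REVERSE

def decode_needle(text: str, case_sensitive: bool) -> re.Pattern:
    """Compile one header/footer field to a bytes regex: a /.../ field is used as a regex
    unchanged; otherwise \\xHH, \\OOO, \\s and the wildcard are decoded, the rest is literal."""
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)  # DOTALL: '.' matches 0x0a too
    if len(text) > 2 and text[0] == text[-1] == "/":
        return re.compile(text[1:-1].encode("latin-1"), flags)
    pat = b""
    for tok in TOKEN.findall(text):
        if tok == r"\s":
            pat += b" "
        elif len(tok) == 4:  # \xHH (hex) or \OOO (octal): exactly one literal byte
            val = int(tok[2:], 16) if tok[1] in "xX" else int(tok[1:], 8)
            pat += re.escape(bytes([val]))
        elif tok == WILDCARD:
            pat += b"."
        else:
            pat += re.escape(tok.encode("latin-1"))
    return re.compile(pat, flags)

def parse_rule(line: str) -> Rule | None:
    """Parse one rule line; comments, blank lines and directives give None."""
    fields = line.split()
    if not fields or fields[0].startswith("#") or fields[0] == "wildcard":
        return None
    sensitive = fields[1].lower() == "y"
    lo, _, hi = fields[2].partition(":")  # "smallest:largest" or just "largest"
    min_size, max_size = (int(lo), int(hi)) if hi else (0, int(lo))
    rest, mode = fields[4:], "FORWARD_NEXT"
    if rest and rest[-1] in ("REVERSE", "NEXT", "FORWARD_NEXT"):
        mode = rest.pop()
    footer = decode_needle(rest[0], sensitive) if rest else None
    return Rule(fields[0], min_size, max_size, decode_needle(fields[3], sensitive), footer, mode)

def carve(data: bytes, rule: Rule, chop: bool = False) -> list[tuple[int, bytes]]:
    """Model the three carve modes; returns (offset, bytes) per carved file.
    chop=True models -b: a FORWARD_NEXT hit with no footer in range yields the
    whole max_size block instead of being skipped."""
    carves = []
    for hit in rule.header.finditer(data):
        start = hit.start()
        window = data[start:start + rule.max_size]
        after = hit.end() - start  # footer search starts past the header itself
        if rule.footer is None:            # no footer: take the whole block
            end = len(window)
        elif rule.mode == "REVERSE":       # header .. LAST footer, footer included
            hits = list(rule.footer.finditer(window, after))
            end = hits[-1].end() if hits else None
        elif rule.mode == "NEXT":          # header .. byte before FIRST footer
            f = rule.footer.search(window, after)
            end = f.start() if f else len(window)
        else:                              # FORWARD_NEXT: header .. FIRST footer
            f = rule.footer.search(window, after)
            end = f.end() if f else (len(window) if chop else None)
        if end is not None and end >= rule.min_size:
            carves.append((start, window[:end]))
    return carves

def carve_image(data: bytes, conf: str, chop: bool = False) -> list[tuple[str, int, bytes]]:
    """Run every rule in a conf text over data; results sorted by offset."""
    found = []
    for rule in filter(None, map(parse_rule, conf.splitlines())):
        found += [(rule.ext, off, blob) for off, blob in carve(data, rule, chop)]
    return sorted(found, key=lambda t: t[1])

# Constructed sample image (not real evidence): a JPEG, a PDF with two %%EOF
# markers, two OLE2 .doc files back to back, and a JPEG whose EOI is missing.
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00"
IMAGE = (b"\x00" * 8
         + b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 20 + b"\xff\xd9"
         + b"%PDF-1.4 x %%EOF\n more %%EOF\n"
         + OLE + b"doc1" + OLE + b"doc2"
         + b"\xff\xd8\xff\xe0\x00\x10" + b"B" * 30)

# Hypothetical four-rule conf in the format described above.
CONF = r"""
# ext  case  size    header                                   footer        [mode]
jpg    y     5:100   \xff\xd8\xff\xe0\x00\x10                 \xff\xd9
pdf    y     1000    %PDF                                     %EOF\x0a      REVERSE
doc    y     100     \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
xxx    y     100000  /GGG[^G]/                                /[0-9]HHHHH/
"""
```

Calling carve_image(IMAGE, CONF) on the constructed image yields four carves: the first JPEG from SOI through EOI, the PDF carved through its last %%EOF by REVERSE, and the two OLE2 documents split by NEXT at the second header; the second document runs to the end of the image because NEXT falls back to the max carve size when no further header appears. The footerless JPEG at the end is skipped by FORWARD_NEXT and only shows up with chop=True, the equivalent of running Scalpel with -b. The min:max check can be seen by tightening the jpg rule to 50:100, which drops the 32-byte JPEG.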

# To redefine the wildcard character, change the setting below and all
# occurrences of the old wildcard character in this configuration file.

#wildcard ?

# extension  case       size  header  footer  [REVERSE|NEXT|FORWARD_NEXT]
#            sensitive

#---------------------------------------------------------------------
# EXAMPLE WITH NO SUFFIX
#---------------------------------------------------------------------

# Here is an example of how to use the no extension option. Any files
# beginning with the string "FOREMOST" are carved and no file extensions
# are used. No footer is defined and the max carve size is 1000 bytes.

# NONE y 1000 FOREMOST

#---------------------------------------------------------------------
# GRAPHICS FILES
#---------------------------------------------------------------------

# AOL ART files
art y 150000 \x4a\x47\x04\x0e \xcf\xc7\xcb
art y 150000 \x4a\x47\x03\x0e \xd0\xcb\x00\x00

# GIF and JPG files (very common)
gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b
gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x00\x3b
jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
jpg y 200000000 \xff\xd8\xff\xe1 \xff\xd9

# PNG (signature \x89 "PNG" CR LF \x1a LF; every PNG ends with the IEND
# chunk, whose fixed CRC \xae\x42\x60\x82 makes a reliable footer)
png y 20000000 \x89\x50\x4e\x47\x0d\x0a\x1a\x0a \x49\x45\x4e\x44\xae\x42\x60\x82

# BMP (used by MSWindows; use only if you have reason to think there are
# BMP files worth digging for, as this rule often kicks back a lot of
# false positives)
bmp y 100000 BM??\x00\x00\x00

# TIFF (little-endian, "II")
tif y 200000000 \x49\x49\x2a\x00
# TIFF (big-endian, "MM")
tif y 200000000 \x4D\x4D\x00\x2A

#---------------------------------------------------------------------
# VIDEO AND AUDIO FILES
#---------------------------------------------------------------------

# AVI (Windows animation and DiVX/MPEG-4 movies)
avi y 50000000 RIFF????AVI

# APPLE QUICKTIME
# These needles are based on the file command's magic. I don't
# recommend uncommenting the 4th and 5th Quicktime needles unless
# you're sure you need to, because they generate HUGE numbers of
# false positives.

mov y 10000000 ????moov
mov y 10000000 ????mdat
mov y 10000000 ????widev
# mov y 10000000 ????skip
# mov y 10000000 ????free
mov y 10000000 ????idsc
mov y 10000000 ????pckg

# MPEG Video
mpg y 50000000 \x00\x00\x01\xba \x00\x00\x01\xb9
mpg y 50000000 \x00\x00\x01\xb3 \x00\x00\x01\xb7

# FLASH
fws y 4000000 FWS

# WAV format
wav y 200000 RIFF????WAVE

# REAL AUDIO
ra y 1000000 .RMF
ra y 1000000 \x2e\x72\x61\xfd

# ASF (same ASF header GUID as the WMV rule below)
asf y 8000000 \x30\x26\xB2\x75\x8E\x66\xCF\x11\xA6\xD9\x00\xAA\x00\x62\xCE\x6C

# WMV/WMA
wmv y 20000000 \x30\x26\xB2\x75\x8E\x66\xCF\x11\xA6\xD9\x00\xAA\x00\x62\xCE\x6C

wma y 8000000 \x30\x26\xB2\x75 \x00\x00\x00\xFF

wma y 8000000 \x30\x26\xB2\x75 \x52\x9A\x12\x46

# MP3
# mp3 y 8000000 \xFF\xFB??\x44\x00\x00
# mp3 y 8000000 \x57\x41\x56\x45 \x00\x00\xFF
# mp3 y 8000000 \xFF\xFB\xD0 \xD1\x35\x51\xCC
# mp3 y 8000000 \x49\x44\x33
# mp3 y 8000000 \x4C\x41\x4D\x45

#---------------------------------------------------------------------
# MICROSOFT OFFICE
#---------------------------------------------------------------------

# Word documents

doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1

# Outlook files
pst y 500000000 \x21\x42\x4e\xa5\x6f\xb5\xa6
ost y 500000000 \x21\x42\x44\x4e

# Outlook Express
dbx y 10000000 \xcf\xad\x12\xfe\xc5\xfd\x74\x6f
idx y 10000000 \x4a\x4d\x46\x39
mbx y 10000000 \x4a\x4d\x46\x36

#---------------------------------------------------------------------
# WORDPERFECT
#---------------------------------------------------------------------

wpc y 1000000 ?WPC

#---------------------------------------------------------------------
# HTML
#---------------------------------------------------------------------

htm n 50000 <html </html>

#---------------------------------------------------------------------
# ADOBE PDF
#---------------------------------------------------------------------

pdf y 5000000 %PDF %EOF\x0d REVERSE
pdf y 5000000 %PDF %EOF\x0a REVERSE

#---------------------------------------------------------------------
# AOL (AMERICA ONLINE)
#---------------------------------------------------------------------

# AOL Mailbox
mail y 500000 \x41\x4f\x4c\x56\x4d

#---------------------------------------------------------------------
# RPM (Linux package format)
#---------------------------------------------------------------------
rpm y 1000000 \xed\xab
#---------------------------------------------------------------------
# WINDOWS REGISTRY FILES
#---------------------------------------------------------------------

# Windows NT registry
dat y 4000000 regf
# Windows 95 registry
dat y 4000000 CREG

#---------------------------------------------------------------------
# MISCELLANEOUS
#---------------------------------------------------------------------

zip y 10000000 PK\x03\x04 \x3c\xac
rar y 10000000 Rar!
java y 1000000 \xca\xfe\xba\xbe

#---------------------------------------------------------------------
# ScanSoft PaperPort "Max" files
#---------------------------------------------------------------------
max y 1000000 \x56\x69\x47\x46\x6b\x1a\x00\x00\x00\x00 \x00\x00\x05\x80\x00\x00
#---------------------------------------------------------------------
# PINs Password Manager program
#---------------------------------------------------------------------
pins y 8000 \x50\x49\x4e\x53\x20\x34\x2e\x32\x30\x0d
#---------------------------------------------------------------------
# Experimental header for Virtual Box disks
vbox y 10000000000 <<<????????????????????????????????????????????????????????????\x00\x7f\x10\xda\xbe
#---------------------------------------------------------------------
# Tar/gzip files
tgz y 2000000 \x1f\x8b\x08\x08
#---------------------------------------------------------------------
# 7-zip (courtesy of Brandon de Graaf)
# 7z y 2147483648 \x37\x7a\xbc\xaf\x27\x1c
#---------------------------------------------------------------------
# OGG (courtesy of Daniek Weuthen)
# The "OggS" page header \x4f\x67\x67\x53, followed by version \x00 and
# header-type \x02 (beginning of stream), marks the start of each file;
# NEXT stops the carve just before the next such page.
ogg y 15728640 \x4f\x67\x67\x53\x00\x02 \x4f\x67\x67\x53\x00\x02 NEXT
#---------------------------------------------------------------------
# LNK files (courtesy of Christina Dijkshoorn)

# lnk y 4000 \x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46
#---------------------------------------------------------------------
# Print spool files (courtesy of Christina Dijkshoorn)

# Windows XP
shd y 2000 \x67\x49\x00\x00
# Windows 98
shd y 2000 \x4B\x49\x00\x00
#---------------------------------------------------------------------
# Blender 3D and Finale Music (courtesy of Rick Spoketire)
# blend y 1000000000 BLENDER_v ENDB

mus y 1000000000 ENIGMA\x20BINARY\x20FILE \x13\x00\x06\x00\x00\x00

#---------------------------------------------------------------------
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# iPhone headers/footers w/ associated explanations, courtesy of
# Jonathan A. Zdziarski

# Dynamic dictionary files are keyboard caches used for learning
# specific spellings of words used frequently by the iPhone’s
# user

dat y 8192 DynamicDictionary

# The AMR codec is an audio codec designed by Ericsson. It yields high
# quality audio playback for voice content. AMR is used on the iPhone to
# deliver voicemail messages. To extract longer chunks of voicemail
# messages, raise the max carve size in the rule below.

amr y 65535 #!AMR

# A .plist file is a configuration file used heavily in the Mac OS
# world, including the iPhone. Many preloaded applications, as well as
# Apple’s operating system components, use .plist files to store
# anything from basic configuration data to history and cache
# information. By examining these files, the technician can get an idea
# of what websites the suspect may have previously visited, even after
# deleting a cache. Other useful information may include location lookup
# caches (revealing maps the suspect has looked up), mail server
# information, etc.

# plist y 4096 <plist </plist

# Simple email header

# email y 4096 From:

#---------------------------------------------------------------------
#---------------------------------------------------------------------
#---------------------------------------------------------------------