Untitled (pasted by a guest, Mar 8th, 2016)

# Scalpel configuration file

# This configuration file controls the types and sizes of files that
# are carved by Scalpel.  NOTE THAT THE FORMAT OF THIS FILE WAS
# EXTENDED in Scalpel 1.90!

# For each file type, the configuration file describes the file's
# extension, whether the header and footer are case sensitive, the
# min/maximum file size, and the header and footer for the file. The
# footer field is optional, but extension, case sensitivity, size, and
# header are required.  Any line that begins with a '#' is considered
# a comment and ignored. Thus, to skip a file type just put a '#' at
# the beginning of the line containing the rule for the file type.

# If you want files carved without filename extensions, use "NONE" in
# the extension column.

# Beginning with Scalpel 1.90, HEADERS AND/OR FOOTERS MAY BE EITHER
# FIXED STRINGS OR REGULAR EXPRESSIONS.

# Headers and footers are decoded before use, unless they are regular
# expressions. To specify a value in hexadecimal use \x[0-f][0-f] and
# for octal use \[0-3][0-7][0-7].  Spaces can be represented by
# \s. Example: "\x4F\123\I\sCCI" decodes to "OSI CCI".

# To match any single character (aka a wildcard) in a non-regular
# expression header/footer, use a '?'. If you need to search for the
# '?' character, you will need to change the 'wildcard' line *and*
# every occurrence of the old wildcard character in the configuration
# file.

# Regular expressions in extended format can be specified for headers
# or footers by bracketing a header or footer with //, e.g., /GGG[^G]/
# matches a string of three G characters, followed by a character
# other than G.  To clarify, here is a complete rule for a file type
# that should be at most 100000 characters, must begin with three G's
# followed by a non-G character and terminate with at least one digit
# character (0-9) followed by five H characters:

#         XXX        y        100000        /GGG[^G]/    /[0-9]HHHHH/

# Beginning with Scalpel 1.90, minimum carve sizes may be specified
# for each file type using this format for the size parameter:
# smallest:largest e.g.,

        jpg        y        5000:100000        \xff\xd8\xff\xe0\x00\x10        \xff\xd9

# carves JPG format image files between 5000 and 100000 bytes in
# length, ignoring files smaller than 5000 bytes.  If the minimum
# carve size is not specified, 0 is assumed.  This maintains
# compatibility with Scalpel configuration files created prior to
# 1.90.

# The REVERSE keyword after a footer causes a search backwards,
# starting from [size] bytes beyond the location of the header.
# This is useful for files like PDFs that may contain multiple copies of
# the footer throughout the file.  When using the REVERSE keyword you will
# extract bytes from the header to the LAST occurrence of the footer (and
# including the footer in the carved file).

# The NEXT keyword after a footer results in file carves that
# include the header and all data BEFORE the first occurrence of the
# footer (the footer is not included in the carved file).  If no
# occurrence of the footer is discovered within maximum carve size bytes
# from the header, then a block of the disk image including the header
# and with length equal to the maximum carve size is carved.  Use NEXT
# when there is no definitive footer for a file type, but you know which
# data should NOT be included in a carved file--e.g., the beginning of
# a subsequent file of the same type.

# FORWARD_NEXT is the default carve type and this keyword may be
# included after the footer, but is not required.  For FORWARD_NEXT
# carves, a block of data including the header and the first footer
# (within the maximum carve size) is carved.  If no footer appears
# after the header within the maximum carve size, then no carving is
# performed UNLESS the -b command line option is supplied.  In this case,
# a block of max carve size bytes, including the header, is carved and a
# notation is made in the Scalpel log that the file was chopped.

# To redefine the wildcard character, change the setting below and all
# occurrences of the old wildcard character in this configuration file.

#wildcard  ?

#            case
#extension   sensitive   size        header                        footer

#---------------------------------------------------------------------
# EXAMPLE WITH NO SUFFIX
#---------------------------------------------------------------------

# Here is an example of how to use the no extension option. Any files
# beginning with the string "FOREMOST" are carved and no file extensions
# are used. No footer is defined and the max carve size is 1000 bytes.

#      NONE     y      1000     FOREMOST
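The comments above define how a rule's header and footer fields are decoded (\xHH, \ooo, \s, the '?' wildcard, /regex/ fields), how a smallest:largest size is read, and what the REVERSE, NEXT and FORWARD_NEXT keywords change about the carved range. The Python below is an added illustration, not part of this configuration file and not Scalpel's own code: it reads rules written in this syntax and applies those three carve modes (plus a `chop` flag standing in for the -b option) to a small byte buffer. The buffer, the rule text and every function name (`decode_field`, `compile_field`, `parse_rule`, `carve`, `carve_all`) are constructed for the example; the footer search is assumed to start right after the header bytes.

```python
# Added example, not Scalpel's own code: a reader for rules in the scalpel.conf
# syntax above and a carver applying the FORWARD_NEXT, NEXT and REVERSE footer
# semantics the header describes. Image and rules below are constructed.
import re

WILDCARD = ord("?")   # wildcard byte: matches any single byte in a non-regex needle
TOKEN = re.compile(r"\\x([0-9a-fA-F]{2})|\\([0-3][0-7]{2})|\\(.)|(.)", re.DOTALL)

def decode_field(text):
    # Decode \xHH, \ooo, \s and \I -> I, so "\x4F\123\I\sCCI" becomes b"OSI CCI".
    out = bytearray()
    for hexd, octd, esc, ch in TOKEN.findall(text):
        if hexd:
            out.append(int(hexd, 16))
        elif octd:
            out.append(int(octd, 8))
        else:
            out += b" " if esc == "s" else (esc or ch).encode("latin-1")
    return bytes(out)

def compile_field(text, case_sensitive=True):
    # /.../ is an extended regex used verbatim; anything else is decoded and
    # matched literally, except that the wildcard byte matches any byte.
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    if len(text) > 2 and text[0] == "/" and text[-1] == "/":
        return re.compile(text[1:-1].encode("latin-1"), flags)
    pattern = b"".join(b"." if b == WILDCARD else re.escape(bytes([b]))
                       for b in decode_field(text))
    return re.compile(pattern, flags)

def parse_rule(line):
    # extension, case flag, [min:]max size, header, optional footer, optional
    # REVERSE/NEXT/FORWARD_NEXT keyword; comment and blank lines give None.
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    mode = "FORWARD_NEXT"                          # the default carve type
    if fields[-1] in ("REVERSE", "NEXT", "FORWARD_NEXT"):
        mode = fields.pop()
    ext, case, size, header = fields[:4]
    lo, sep, hi = size.partition(":")
    if not sep:                                    # bare "max": minimum is 0
        lo, hi = "0", lo
    sensitive = case.lower() == "y"
    return {"ext": None if ext == "NONE" else ext, "mode": mode,
            "min": int(lo), "max": int(hi),
            "header": compile_field(header, sensitive),
            "footer": compile_field(fields[4], sensitive) if len(fields) > 4 else None}

def carve(image, rule, chop=False):
    # (start, end) offsets carved by one rule; `chop` stands in for -b: a
    # FORWARD_NEXT carve with no footer is cut at max size instead of skipped.
    carved = []
    for m in rule["header"].finditer(image):
        start, hdr_len = m.start(), m.end() - m.start()
        window = image[start:start + rule["max"]]   # never carve past max size
        footer, end = rule["footer"], None
        hit = footer.search(window, hdr_len) if footer else None   # first footer after header
        if footer is None or rule["mode"] == "NEXT":   # data BEFORE the footer, or max bytes
            end = start + (hit.start() if hit else len(window))
        elif rule["mode"] == "REVERSE":                # through the LAST footer
            hits = list(footer.finditer(window, hdr_len))
            if hits:
                end = start + hits[-1].end()
        elif hit:                                      # FORWARD_NEXT: through first footer
            end = start + hit.end()
        elif chop:
            end = start + len(window)
        if end is not None and end - start >= rule["min"]:   # enforce smallest size
            carved.append((start, end))
    return carved

def carve_all(image, conf_text, chop=False):
    # Apply every rule in conf_text; returns [(ext, start, end), ...] in rule order.
    out = []
    for rule in filter(None, map(parse_rule, conf_text.splitlines())):
        out.extend((rule["ext"], s, e) for s, e in carve(image, rule, chop))
    return out

# Constructed rules in the file's own syntax (jpg, pdf and regex rules mirror the
# header's examples; the ogg rule shows NEXT with header == footer).
SAMPLE_RULES = r"""
# extension  case  size          header                     footer
  jpg        y     5000:100000   \xff\xd8\xff\xe0\x00\x10   \xff\xd9
  jpg        y     200000000     \xff\xd8\xff\xe0\x00\x10   \xff\xd9
  pdf        y     5000000       %PDF                       %EOF\x0a                  REVERSE
  ogg        y     15728640      \x4f\x67\x67\x53\x00\x02   \x4f\x67\x67\x53\x00\x02  NEXT
  XXX        y     100000        /GGG[^G]/                  /[0-9]HHHHH/
  NONE       y     1000          FOREMOST
"""

# Constructed "disk image": a 20-byte jpg (below the first rule's minimum), a pdf
# with two %EOF markers, two Ogg pages, the GGG/HHHHH sample, a footerless blob.
SAMPLE_IMAGE = (b"\x00" * 16 + b"\xff\xd8\xff\xe0\x00\x10JFIF-payload\xff\xd9"
                + b"%PDF-1.4 body %EOF\x0a more %EOF\x0a tail"
                + b"OggS\x00\x02page-one" + b"OggS\x00\x02page-two"
                + b"GGGx12345HHHHH" + b"FOREMOST no extension, no footer")

if __name__ == "__main__":
    for ext, start, end in carve_all(SAMPLE_IMAGE, SAMPLE_RULES):
        print(f"{ext or 'NONE':5} {start:4d}-{end:<4d} {SAMPLE_IMAGE[start:end]!r}")
```

Running it shows the behaviours the header describes: the jpg rule with a 5000-byte minimum drops the 20-byte image while the same rule without a minimum carves it; the REVERSE pdf rule extends to the second %EOF rather than stopping at the first; the NEXT ogg rule stops just before the following page's header and, for the last page, falls back to the maximum size; and the FOREMOST rule with no footer carves up to its maximum.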

#---------------------------------------------------------------------
# GRAPHICS FILES
#---------------------------------------------------------------------

# AOL ART files
        art        y        150000        \x4a\x47\x04\x0e        \xcf\xc7\xcb
        art        y        150000        \x4a\x47\x03\x0e        \xd0\xcb\x00\x00

# GIF and JPG files (very common)
        gif        y        5000000          \x47\x49\x46\x38\x37\x61        \x00\x3b
        gif        y        5000000          \x47\x49\x46\x38\x39\x61        \x00\x00\x3b
        jpg        y        200000000        \xff\xd8\xff\xe0\x00\x10        \xff\xd9
        jpg        y        200000000        \xff\xd8\xff\xe1                \xff\xd9

# PNG
        png        y        20000000        \x50\x4e\x47?        \xff\xfc\xfd\xfe

# BMP (used by MS Windows; use only if you have reason to think there are
#      BMP files worth digging for, since this often kicks back a lot of
#      false positives)

        bmp        y        100000        BM??\x00\x00\x00

# TIFF (little-endian, "II")
        tif        y        200000000        \x49\x49\x2a\x00
# TIFF (big-endian, "MM")
        tif        y        200000000        \x4D\x4D\x00\x2A

#---------------------------------------------------------------------
# VIDEO AND AUDIO FILES
#---------------------------------------------------------------------

# AVI (Windows animation and DiVX/MPEG-4 movies)
        avi        y        50000000        RIFF????AVI

# APPLE QUICKTIME
#   These needles are based on the file command's magic.  I don't
#   recommend uncommenting the 4th and 5th Quicktime needles unless
#   you're sure you need to, because they generate HUGE numbers of
#   false positives.

        mov        y        10000000        ????moov
        mov        y        10000000        ????mdat
        mov        y        10000000        ????widev
        mov        y        10000000        ????skip
        mov        y        10000000        ????free
        mov        y        10000000        ????idsc
        mov        y        10000000        ????pckg

# MPEG Video
        mpg        y        50000000        \x00\x00\x01\xba        \x00\x00\x01\xb9
        mpg        y        50000000        \x00\x00\x01\xb3        \x00\x00\x01\xb7

# FLASH
        fws        y        4000000        FWS

# WAV format
        wav        y        200000        RIFF????WAVE

# REAL AUDIO
        ra         y        1000000        .RMF
        ra         y        1000000        \x2e\x72\x61\xfd

# ASF
        asf        y        8000000        \x30\x26\xB2\x75\x8E\x66\xCF\x11\xA6\xD9\x00\xAA\x00\x62\xCE\x6C

# WMV/WMA
        wmv        y        20000000       \x30\x26\xB2\x75\x8E\x66\xCF\x11\xA6\xD9\x00\xAA\x00\x62\xCE\x6C

        wma        y        8000000        \x30\x26\xB2\x75    \x00\x00\x00\xFF

        wma        y        8000000        \x30\x26\xB2\x75    \x52\x9A\x12\x46

# MP3
#       mp3     y       8000000 \xFF\xFB??\x44\x00\x00
#       mp3     y       8000000 \x57\x41\x56\45            \x00\x00\xFF\
#       mp3     y       8000000 \xFF\xFB\xD0\            \xD1\x35\x51\xCC\
#       mp3     y       8000000 \x49\x44\x33\
#       mp3     y       8000000 \x4C\x41\x4D\x45\

#---------------------------------------------------------------------
# MICROSOFT OFFICE
#---------------------------------------------------------------------

# Word documents

        doc        y        10000000  \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
        doc        y        10000000  \xd0\xcf\x11\xe0\xa1\xb1

# Outlook files
        pst        y        500000000        \x21\x42\x4e\xa5\x6f\xb5\xa6
        ost        y        500000000        \x21\x42\x44\x4e

# Outlook Express
        dbx        y        10000000        \xcf\xad\x12\xfe\xc5\xfd\x74\x6f
        idx        y        10000000        \x4a\x4d\x46\x39
        mbx        y        10000000        \x4a\x4d\x46\x36

#---------------------------------------------------------------------
# WORDPERFECT
#---------------------------------------------------------------------

        wpc        y        1000000        ?WPC

#---------------------------------------------------------------------
# HTML
#---------------------------------------------------------------------

        htm        n        50000          <html                        </html>

#---------------------------------------------------------------------
# ADOBE PDF
#---------------------------------------------------------------------

        pdf        y        5000000        %PDF  %EOF\x0d        REVERSE
        pdf        y        5000000        %PDF  %EOF\x0a        REVERSE

#---------------------------------------------------------------------
# AOL (AMERICA ONLINE)
#---------------------------------------------------------------------

# AOL Mailbox
        mail       y        500000         \x41\x4f\x4c\x56\x4d

#---------------------------------------------------------------------
# RPM (Linux package format)
#---------------------------------------------------------------------
        rpm        y        1000000        \xed\xab

#---------------------------------------------------------------------
# WINDOWS REGISTRY FILES
#---------------------------------------------------------------------

# Windows NT registry
        dat        y        4000000        regf
# Windows 95 registry
        dat        y        4000000        CREG

#---------------------------------------------------------------------
# MISCELLANEOUS
#---------------------------------------------------------------------

        zip        y        10000000        PK\x03\x04        \x3c\xac
        rar        y        10000000        Rar!
        java       y        1000000         \xca\xfe\xba\xbe

#---------------------------------------------------------------------
# ScanSoft PaperPort "Max" files
#---------------------------------------------------------------------
        max   y     1000000    \x56\x69\x47\x46\x6b\x1a\x00\x00\x00\x00   \x00\x00\x05\x80\x00\x00
#---------------------------------------------------------------------
# PINs Password Manager program
#---------------------------------------------------------------------
        pins  y     8000     \x50\x49\x4e\x53\x20\x34\x2e\x32\x30\x0d
#---------------------------------------------------------------------
# Experimental header for Virtual Box disks
        vbox  y     10000000000     <<<????????????????????????????????????????????????????????????\x00\x7f\x10\xda\xbe
#---------------------------------------------------------------------
# Tar/gzip files
        tgz   y         2000000     \x1f\x8b\x08\x08
#---------------------------------------------------------------------
# 7-zip (courtesy of Brandon de Graaf)
#          7z   y      2147483648     \x37\x7a\xbc\xaf\x27\x1c
#---------------------------------------------------------------------
# OGG (courtesy of Daniek Weuthen)
        ogg         y         15728640  \x4f\x67\x67\x53\x00\x02 \x4f\x67\x67\x53\x00\x02    NEXT
#---------------------------------------------------------------------
# LNK files (courtesy of Christina Dijkshoorn)

# lnk     y       4000   \x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46
#---------------------------------------------------------------------
# Print spool files (courtesy of Christina Dijkshoorn)

#       Windows XP
        shd     y       2000    \x67\x49\x00\x00
#       Windows 98
        shd     y       2000    \x4B\x49\x00\x00
#---------------------------------------------------------------------
# Blender 3D and Finale Music (courtesy of Rick Spoketire)
#       blend  y 1000000000 BLENDER_v   ENDB

        mus    y 1000000000 ENIGMA\x20BINARY\x20FILE \x13\x00\x06\x00\x00\x00

#---------------------------------------------------------------------
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# iPhone headers/footers w/ associated explanations, courtesy of
# Jonathan A. Zdziarski


# Dynamic dictionary files are keyboard caches used for learning
# specific spellings of words used frequently by the iPhone's
# user

        dat        y    8192  DynamicDictionary

# The AMR codec is an audio codec designed by Ericsson. It yields high
# quality audio playback for voice content. AMR is used on the iPhone to
# deliver voicemail messages. To extract longer chunks of voicemail
# messages, adjust the file size specified below.

        amr        y     65535      #!AMR

# A .plist file is a configuration file used heavily in the Mac OS
# world, including the iPhone. Many preloaded applications, as well as
# Apple's operating system components, use .plist files to store
# anything from basic configuration data to history and cache
# information. By examining these files, the technician can get an idea
# of what websites the suspect may have previously visited, even after
# deleting a cache. Other useful information may include location lookup
# caches (revealing maps the suspect has looked up), mail server
# information, etc.

#    plist      y     4096  <plist  </plist

# Simple email header

#    email       y      4096      From:

#---------------------------------------------------------------------
#---------------------------------------------------------------------
#---------------------------------------------------------------------