  1. # Scalpel configuration file
  2.  
  3. # This configuration file controls the
  4. # types and sizes of files that are carved by Scalpel.  Currently,
  5. # Scalpel can read Foremost 0.69 configuration files, but Scalpel
  6. # configuration files may not be backwards-compatible with Foremost.
  7. # In particular, maximum file carve size under Foremost 0.69 is 4GB,
  8. # while in the current version of Scalpel, it's 16EB (16 exabytes).  
  9.  
  10. # For each file type, the configuration file
  11. # describes the file's extension, whether the header and footer are
  12. # case sensitive, the maximum file size, and the header and footer for
  13. # the file. The footer field is optional, but header, size, case
  14. # sensitivity, and extension are required.  Any line that begins with a
  15. # '#' is considered a comment and ignored. Thus, to skip a file type
  16. # just put a '#' at the beginning of that line.
  17.  
  18. # Headers and footers are decoded before use. To specify a value in
  19. # hexadecimal use \x[0-f][0-f] and for octal use \[0-3][0-7][0-7].
  20. # Spaces can be represented by \s. Example: "\x4F\123\I\sCCI" decodes
  21. # to "OSI CCI".  To match any single character (aka a wildcard) use
  22. # a '?'. If you need to search for the '?' character, you will need to
  23. # change the 'wildcard' line *and* every occurrence of the old
  24. # wildcard character in the configuration file.
  25. #
  26. # Note: '?' is equal to 0x3f and \063.
  27. #
  28. # If you want files carved without filename extensions,
  29. # use "NONE" in the extension column.
  30.  
  31. # The REVERSE keyword after a footer causes a search
  32. # backwards starting from [size] bytes beyond the location of the header.
  33. # This is useful for files like PDFs that may contain multiple copies of
  34. # the footer throughout the file.  When using the REVERSE keyword you will
  35. # extract bytes from the header to the LAST occurrence of the footer (and
  36. # including the footer in the carved file).
  37. #
  38. # The NEXT keyword after a footer results in file carves that
  39. # include the header and all data BEFORE the first occurrence of the
  40. # footer (the footer is not included in the carved file).  If no
  41. # occurrence of the footer is discovered within maximum carve size bytes
  42. # from the header, then a block of the disk image including the header
  43. # and with length equal to the maximum carve size is carved.  Use NEXT
  44. # when there is no definitive footer for a file type, but you know which
  45. # data should NOT be included in a carved file--e.g., the beginning of
  46. # a subsequent file of the same type.
  47. #
  48. # FORWARD_NEXT is the default carve type and this keyword may be
  49. # included after the footer, but is not required.  For FORWARD_NEXT
  50. # carves, a block of data including the header and the first footer
  51. # (within the maximum carve size) are carved.  If no footer appears
  52. # after the header within the maximum carve size, then no carving is
  53. # performed UNLESS the -b command line option is supplied.  In this case,
  54. # a block of max carve size bytes, including the header, is carved and a
  55. # notation is made in the Scalpel log that the file was chopped.
  56.  
  57. # To redefine the wildcard character, change the setting below and all
  58. # occurrences in the foremost.conf file.
  59. #
  60. #wildcard  ?
  61.  
  62. #               case    size    header                  footer
  63. #extension   sensitive 
  64. #
  65. #---------------------------------------------------------------------
  66. # EXAMPLE WITH NO SUFFIX
  67. #---------------------------------------------------------------------
  68. #
  69. # Here is an example of how to use the no extension option. Any files
  70. # beginning with the string "FOREMOST" are carved and no file extensions
  71. # are used. No footer is defined and the max carve size is 1000 bytes.
  72. #
  73. #      NONE     y      1000     FOREMOST
  74. #
  75. #---------------------------------------------------------------------
  76. # GRAPHICS FILES
  77. #--------------------------------------------------------------------- 
  78. #
  79. #
  80. # AOL ART files
  81. #       art     y       150000  \x4a\x47\x04\x0e        \xcf\xc7\xcb
  82. #       art     y       150000  \x4a\x47\x03\x0e        \xd0\xcb\x00\x00
  83. #
  84. # GIF and JPG files (very common)
  85. #       gif     y       5000000         \x47\x49\x46\x38\x37\x61        \x00\x3b
  86. #       gif     y       5000000         \x47\x49\x46\x38\x39\x61        \x00\x3b
  87. #       jpg     y       200000000       \xff\xd8\xff\xe0\x00\x10        \xff\xd9
  88. #
  89. #
  90. # PNG  
  91. #       png     y       20000000        \x50\x4e\x47?   \xff\xfc\xfd\xfe
  92. #
  93. #
  94. # BMP   (used by MSWindows, use only if you have reason to think there are
  95. #       BMP files worth digging for. This often kicks back a lot of false
  96. #       positives.)
  97. #
  98. #       bmp     y       100000  BM??\x00\x00\x00
  99. #
  100. # TIFF
  101. #       tif     y       200000000       \x49\x49\x2a\x00
  102. # TIFF
  103. #       tif     y       200000000       \x4D\x4D\x00\x2A
  104. #
  105. #--------------------------------------------------------------------- 
  106. # ANIMATION FILES
  107. #--------------------------------------------------------------------- 
  108. #
  109. # AVI (Windows animation and DiVX/MPEG-4 movies)
  110. #       avi     y       50000000 RIFF????AVI
  111. #
  112. # Apple Quicktime
  113. #   These needles are based on the file command's magic.  I don't
  114. #   recommend uncommenting the 4th and 5th Quicktime needles unless
  115. #   you're sure you need to, because they generate HUGE numbers of
  116. #   false positives.
  117. #
  118. #       mov     y       10000000        ????moov
  119. #       mov     y       10000000        ????mdat
  120. #       mov     y       10000000        ????widev
  121. #       mov     y       10000000        ????skip
  122. #       mov     y       10000000        ????free
  123. #       mov     y       10000000        ????idsc
  124. #       mov     y       10000000        ????pckg
  125. #
  126. # MPEG Video
  127. #       mpg     y       50000000        \x00\x00\x01\xba        \x00\x00\x01\xb9
  128. #       mpg     y       50000000        \x00\x00\x01\xb3        \x00\x00\x01\xb7
  129. #
  130. # Macromedia Flash
  131. #       fws     y       4000000 FWS
  132. #
  133. #--------------------------------------------------------------------- 
  134. # MICROSOFT OFFICE
  135. #--------------------------------------------------------------------- 
  136. #
  137. # Word documents
  138. #
  139. #
  140. #       doc     y       10000000  \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
  141. #       doc     y       10000000  \xd0\xcf\x11\xe0\xa1\xb1
  142. #
  143. # Outlook files
  144. #       pst     y       500000000       \x21\x42\x4e\xa5\x6f\xb5\xa6
  145. #       ost     y       500000000       \x21\x42\x44\x4e
  146. #
  147. # Outlook Express
  148. #       dbx     y       10000000        \xcf\xad\x12\xfe\xc5\xfd\x74\x6f
  149. #       idx     y       10000000        \x4a\x4d\x46\x39
  150. #       mbx     y       10000000        \x4a\x4d\x46\x36
  151. #
  152. #--------------------------------------------------------------------- 
  153. # WORDPERFECT
  154. #---------------------------------------------------------------------
  155. #
  156. #       wpc     y       1000000 ?WPC
  157. #
  158. #--------------------------------------------------------------------- 
  159. # HTML
  160. #--------------------------------------------------------------------- 
  161. #
  162. #       htm     n       50000   <html                   </html>
  163. #
  164. #--------------------------------------------------------------------- 
  165. # ADOBE PDF
  166. #--------------------------------------------------------------------- 
  167. #
  168. #       pdf     y       5000000 %PDF  %EOF\x0d  REVERSE
  169. #       pdf     y       5000000 %PDF  %EOF\x0a  REVERSE
  170. #
  171. #--------------------------------------------------------------------- 
  172. # AOL (AMERICA ONLINE)
  173. #--------------------------------------------------------------------- 
  174. #
  175. # AOL Mailbox
  176. #       mail    y       500000   \x41\x4f\x4c\x56\x4d
  177. #
  178. #
  179. #      
  180. #--------------------------------------------------------------------- 
  181. # PGP (PRETTY GOOD PRIVACY)
  182. #--------------------------------------------------------------------- 
  183. #
  184. # PGP Disk Files
  185. #       pgd     y       500000  \x50\x47\x50\x64\x4d\x41\x49\x4e\x60\x01
  186. #
  187. # Public Key Ring
  188. #       pgp     y       100000  \x99\x00
  189. # Security Ring
  190. #       pgp     y       100000  \x95\x01
  191. #       pgp     y       100000  \x95\x00
  192. # Encrypted Data or ASCII armored keys
  193. #       pgp     y       100000  \xa6\x00
  194. # (there should be a trailer for this...)
  195. #       txt     y       100000  -----BEGIN\040PGP
  196. #
  197. #
  198. #--------------------------------------------------------------------- 
  199. # RPM (Linux package format)
  200. #--------------------------------------------------------------------- 
  201. #       rpm     y       1000000 \xed\xab
  202. #
  203. #
  204. #--------------------------------------------------------------------- 
  205. # SOUND FILES
  206. #--------------------------------------------------------------------- 
  207. #
  208. #       wav     y       200000  RIFF????WAVE
  209. #
  210. # Real Audio Files
  211. #       ra      y       1000000 \x2e\x72\x61\xfd
  212. #       ra      y       1000000 .RMF
  213. #
  214. #--------------------------------------------------------------------- 
  215. # WINDOWS REGISTRY FILES
  216. #--------------------------------------------------------------------- 
  217. #
  218. # Windows NT registry
  219. #       dat     y       4000000 regf
  220. # Windows 95 registry
  221. #       dat     y       4000000 CREG
  222. #
  223. #
  224. #--------------------------------------------------------------------- 
  225. # MISCELLANEOUS
  226. #--------------------------------------------------------------------- 
  227. #
  228. #       zip     y       10000000        PK\x03\x04      \x3c\xac
  229. #
  230. #       java    y       1000000 \xca\xfe\xba\xbe
  231. #
  232. #--------------------------------------------------------------------- 
  233. # ScanSoft PaperPort "Max" files
  234. #--------------------------------------------------------------------- 
  235. #      max   y     1000000    \x56\x69\x47\x46\x6b\x1a\x00\x00\x00\x00   \x00\x00\x05\x80\x00\x00
  236. #--------------------------------------------------------------------- 
  237. # PINs Password Manager program
  238. #--------------------------------------------------------------------- 
  239. #      pins  y     8000     \x50\x49\x4e\x53\x20\x34\x2e\x32\x30\x0d