File: foremost.conf

foremost 0.69-1
#
# Foremost configuration file
#-------------------------------------------------------------------------
#
# The configuration file is used to control what types of files foremost
# searches for. A sample configuration file, foremost.conf, is included with
# this distribution. For each file type, the configuration file describes
# the file's extension, whether the header and footer are case sensitive,
# the maximum file size, and the header and footer for the file. The footer
# field is optional, but header, size, case sensitivity, and extension are
# not!
#
# Any line that begins with a '#' is considered a comment and ignored. Thus,
# to skip a file type just put a '#' at the beginning of that line
#

# Headers and footers are decoded before use. To specify a value in
# hexadecimal use \x[0-f][0-f], and for octal use \[0-3][0-7][0-7].  Spaces
# can be represented by \s. Example: "\x4F\123\I\sCCI" decodes to "OSI CCI".
#
# To match any single character (aka a wildcard) use a '?'. If you need to
# search for the '?' character, you will need to change the 'wildcard' line
# *and* every occurrence of the old wildcard character in the configuration
# file. Don't forget those hex and octal values! '?' is equal to 0x3f and
# \063.
# NOTE(review): 0x3f is 63 in decimal, which is \077 in the octal escape
# form described above; \063 read as an octal escape is the digit '3'.
#
# If you would like to extract files without an extension enter the value
# "NONE" in the extension column (note: you can change the value of this
# "no suffix" flag by setting the variable FOREMOST_NOEXTENSION_SUFFIX
# in foremost.h and recompiling).
#
# The REVERSE keyword after a footer instructs foremost to search backwards
# starting from [size] bytes in the extraction buffer and working towards the
# beginning. This is useful for files like PDFs that have multiple copies of
# the footer throughout the file.  When using the REVERSE keyword you will
# extract bytes from the header to the LAST occurrence of your footer within the
# window determined by the [size] of your extraction.
#
# The NEXT keyword after a footer instructs foremost to search forwards for data
# that starts with the given header and ends at, or is followed by, the data in
# the footer -- the footer data is not included in the output.  Used with the
# NEXT keyword, the footer effectively lets you name data that you know for
# sure should not be in the output file.  For example, this method lets you
# use a second 'starting' header as the terminator for a document type that
# has no reliable ending footer: you can't say exactly what the footer is, but
# you know that seeing another header should end the search, and an output
# file should be written.

# To redefine the wildcard character, change the setting below and all
# occurrences in the foremost.conf file.
#
#wildcard  ?

#		case	size	header			footer
#extension   sensitive	
#
#---------------------------------------------------------------------
# EXAMPLE WITH NO SUFFIX
#---------------------------------------------------------------------
#
# Here is an example of how to use the no extension option. Any files 
# containing the string "FOREMOST" would be extracted to a file without 
# an extension (eg: 00000000,00000001)
#      NONE     y      1000     FOREMOST
#
#---------------------------------------------------------------------
# GRAPHICS FILES
#---------------------------------------------------------------------	
#
#
# AOL ART files
#	art	y	150000	\x4a\x47\x04\x0e	\xcf\xc7\xcb
#  	art	y 	150000	\x4a\x47\x03\x0e	\xd0\xcb\x00\x00
#
# GIF and JPG files (very common)
#	gif	y	155000000	\x47\x49\x46\x38\x37\x61	\x00\x3b
#  	gif	y 	155000000	\x47\x49\x46\x38\x39\x61	\x00\x00\x3b
#  	jpg	y	200000000	\xff\xd8\xff\xe0\x00\x10	\xff\xd9
#
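# PNG   (used in web pages)
# NOTE(review): the standard PNG signature is the byte \x89 followed by "PNG",
# and a PNG stream ends with an IEND chunk. The header below starts at the
# 'P', so a carved file would presumably lack the leading \x89, and the footer
# does not look like the IEND trailer, so carves may run to the full [size].
# Verify against known-good samples before relying on this entry.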
#  	png	y	200000	\x50\x4e\x47?	\xff\xfc\xfd\xfe
#
#
# BMP 	(used by MSWindows; use only if you have reason to think there are
#      	BMP files worth digging for. This often kicks back a lot of false
#	positives.)
#
#	bmp	y	100000	BM??\x00\x00\x00
#
# TIF
#  	tif	y	200000000	\x49\x49\x2a\x00
#
#---------------------------------------------------------------------	
# ANIMATION FILES
#---------------------------------------------------------------------	
#
# AVI (Windows animation and DiVX/MPEG-4 movies)
#  	avi	y	4000000 RIFF????AVI
#
# Apple Quicktime
#   Some users have reported that, when using these headers, the
#   headers repeat inside the files. This can generate lots of smaller
#   output files. You may want to consider using the -q (quick mode)
#   flag to avoid this problem.
#
#	mov	y	4000000	????????\x6d\x6f\x6f\x76
#	mov	y	4000000	????????\x6d\x64\x61\x74
#
# MPEG Video
#	mpg	y	4000000	\x00\x00\x01\xba	\x00\x00\x01\xb9
#	mpg     y 	4000000	\x00\x00\x01\xb3	\x00\x00\x01\xb7
#
# Macromedia Flash
#	fws	y	4000000	FWS
#
#---------------------------------------------------------------------	
# MICROSOFT OFFICE 
#---------------------------------------------------------------------	
#
# Word documents
#
# Look for the begin tag and then wait until the next one (NEXT TAG) -- usually Word documents
# and other OLE2 structured storage files are 'near' each other.  Just make the file
# size large enough to catch our maximum size file.  Look in the audit file to see if any were chopped.
#
#	doc	y	12500000  \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
#	doc	y	12500000  \xd0\xcf\x11\xe0\xa1\xb1
#
# Outlook files
#	pst	y	400000000	\x21\x42\x4e\xa5\x6f\xb5\xa6
#	ost	y	400000000 \x21\x42\x44\x4e
#
# Outlook Express
#	dbx	y	4000000	\xcf\xad\x12\xfe\xc5\xfd\x74\x6f
#	idx	y	4000000	\x4a\x4d\x46\x39
#	mbx	y	4000000	\x4a\x4d\x46\x36
#
#---------------------------------------------------------------------	
# WORDPERFECT
#---------------------------------------------------------------------
#
#	wpc	y	100000	?WPC
#
#---------------------------------------------------------------------	
# HTML
#---------------------------------------------------------------------	
#
#	htm	n	50000   <html			</html>
#
#---------------------------------------------------------------------	
# ADOBE PDF
#---------------------------------------------------------------------	
#
#	pdf	y	5000000	%PDF  %EOF\x0d	REVERSE
#
#
#---------------------------------------------------------------------	
# AOL (AMERICA ONLINE)
#---------------------------------------------------------------------	
#
# AOL Mailbox
#	mail	y	500000	 \x41\x4f\x4c\x56\x4d
#
#
#	
#---------------------------------------------------------------------	
# PGP (PRETTY GOOD PRIVACY)
#---------------------------------------------------------------------	
#
# PGP Disk Files
#	pgd	y	500000	\x50\x47\x50\x64\x4d\x41\x49\x4e\x60\x01
#
# Public Key Ring
#	pgp	y	100000	\x99\x00
# Security Ring
#	pgp	y	100000	\x95\x01
#	pgp	y	100000	\x95\x00
# Encrypted Data or ASCII armored keys
#	pgp	y	100000	\xa6\x00
# (there should be a trailer for this...)
#	txt	y	100000	-----BEGIN\040PGP
#
#
#---------------------------------------------------------------------	
# RPM (Linux package format)
#---------------------------------------------------------------------	
#	rpm	y	1000000	\xed\xab
#
#
#---------------------------------------------------------------------	
# SOUND FILES
#---------------------------------------------------------------------	
#
#	wav     y	200000	RIFF????WAVE
#
# Real Audio Files
#	ra	y	1000000	\x2e\x72\x61\xfd
#	ra	y	1000000	.RMF
#
#---------------------------------------------------------------------	
# WINDOWS REGISTRY FILES
#---------------------------------------------------------------------	
# 
# Windows NT registry
#	dat	y	4000000	regf
# Windows 95 registry
#	dat	y	4000000	CREG
#
#
#---------------------------------------------------------------------	
# MISCELLANEOUS
#---------------------------------------------------------------------	
#
#	zip	y	10000000	PK\x03\x04	\x3c\xac
#
#	java	y	1000000	\xca\xfe\xba\xbe
#
#---------------------------------------------------------------------	
# ScanSoft PaperPort "Max" files
#---------------------------------------------------------------------	
#      max   y     1000000    \x56\x69\x47\x46\x6b\x1a\x00\x00\x00\x00   \x00\x00\x05\x80\x00\x00 
#---------------------------------------------------------------------	
# PINs Password Manager program
#---------------------------------------------------------------------	
#      pins  y     8000     \x50\x49\x4e\x53\x20\x34\x2e\x32\x30\x0d