File: scalpel.conf

package info (click to toggle)
scalpel 1.60-6
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 556 kB
  • sloc: ansic: 4,031; makefile: 61
file content (240 lines) | stat: -rw-r--r-- 8,669 bytes parent folder | download | duplicates (4)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
# Scalpel configuration file

# This configuration file controls the
# types and sizes of files that are carved by Scalpel.  Currently,
# Scalpel can read Foremost 0.69 configuration files, but Scalpel
# configuration files may not be backwards-compatible with Foremost.
# In particular, maximum file carve size under Foremost 0.69 is 4GB,
# while in the current version of Scalpel, it's 16EB (16 exabytes).

# For each file type, the configuration file
# describes the file's extension, whether the header and footer are
# case sensitive, the maximum file size, and the header and footer for
# the file. The footer field is optional, but header, size, case
# sensitivity, and extension are required.  Any line that begins with a
# '#' is considered a comment and ignored. Thus, to skip a file type
# just put a '#' at the beginning of that line

# Headers and footers are decoded before use. To specify a value in
# hexadecimal use \x[0-f][0-f] and for octal use \[0-3][0-7][0-7].
# Spaces can be represented by \s. Example: "\x4F\123\I\sCCI" decodes
# to "OSI CCI".  # To match any single character (aka a wildcard) use
# a '?'. If you need to search for the '?' character, you will need to
# change the 'wildcard' line *and* every occurrence of the old
# wildcard character in the configuration file. '
#
# Note: ?' is equal to 0x3f and \063.
#
# If you want files carved without filename extensions,
# use "NONE" in the extension column.

# The REVERSE keyword after a footer causes a search
# backwards starting from [size] bytes beyond the location of the header
# This is useful for files like PDFs that may contain multiple copies of
# the footer throughout the file.  When using the REVERSE keyword you will
# extract bytes from the header to the LAST occurence of the footer (and
# including the footer in the carved file).
#
# The NEXT keyword after a footer results in file carves that
# include the header and all data BEFORE the first occurence of the
# footer (the footer is not included in the carved file).  If no
# occurrence of the footer is discovered within maximum carve size bytes
# from the header, then a block of the disk image including the header
# and with length equal to the maximum carve size is carved.  Use NEXT
# when there is no definitive footer for a file type, but you know which
# data should NOT be included in a carved file--e.g., the beginning of
# a subsequent file of the same type.
#
# FORWARD_NEXT is the default carve type and this keyword may be
# included after the footer, but is not required.  For FORWARD_NEXT
# carves, a block of data including the header and the first footer
# (within the maximum carve size) are carved.  If no footer appears
# after the header within the maximum carve size, then no carving is
# performed UNLESS the -b command line option is supplied.  In this case,
# a block of max carve size bytes, including the header, is carved and a
# notation is made in the Scalpel log that the file was chopped.

# To redefine the wildcard character, change the setting below and all
# occurences in the formost.conf file.
#
#wildcard  ?

#		case	size	header			footer
#extension   sensitive
#
#---------------------------------------------------------------------
# EXAMPLE WITH NO SUFFIX
#---------------------------------------------------------------------
#
# Here is an example of how to use the no extension option. Any files
# beginning with the string "FOREMOST" are carved and no file extensions
# are used. No footer is defined and the max carve size is 1000 bytes.
#
#      NONE     y      1000     FOREMOST
#
#---------------------------------------------------------------------
# GRAPHICS FILES
#---------------------------------------------------------------------
#
#
# AOL ART files
#	art	y	150000	\x4a\x47\x04\x0e	\xcf\xc7\xcb
#  	art	y 	150000	\x4a\x47\x03\x0e	\xd0\xcb\x00\x00
#
# GIF and JPG files (very common)
#	gif	y	5000000		\x47\x49\x46\x38\x37\x61	\x00\x3b
#  	gif	y 	5000000		\x47\x49\x46\x38\x39\x61	\x00\x3b
#	jpg	y	5242880		\xff\xd8\xff???Exif		\xff\xd9	REVERSE
#	jpg	y	5242880		\xff\xd8\xff???JFIF		\xff\xd9	REVERSE
#
#
# PNG
#  	png	y	20000000	\x50\x4e\x47?	\xff\xfc\xfd\xfe
#
#
# BMP 	(used by MSWindows, use only if you have reason to think there are
#      	BMP files worth digging for. This often kicks back a lot of false
#	positives
#
#	bmp	y	100000	BM??\x00\x00\x00
#
# TIFF
#  	tif	y	200000000	\x49\x49\x2a\x00
# TIFF
#	tif	y	200000000	\x4D\x4D\x00\x2A
#
#---------------------------------------------------------------------
# ANIMATION FILES
#---------------------------------------------------------------------
#
# AVI (Windows animation and DiVX/MPEG-4 movies)
#  	avi	y	50000000 RIFF????AVI
#
# Apple Quicktime
#   These needles are based on the file command's magic.  I don't
#   recommend uncommenting the 4th and 5th Quicktime needles unless
#   you're sure you need to, because they generate HUGE numbers of
#   false positives.
#
#	mov	y	10000000	????moov
#	mov	y	10000000	????mdat
#	mov	y	10000000	????widev
#	mov	y	10000000	????skip
#	mov	y	10000000	????free
#	mov	y	10000000	????idsc
#	mov	y	10000000	????pckg
#
# MPEG Video
#	mpg	y	50000000	\x00\x00\x01\xba	\x00\x00\x01\xb9
#	mpg     y 	50000000	\x00\x00\x01\xb3	\x00\x00\x01\xb7
#
# Macromedia Flash
#	fws	y	4000000	FWS
#
#---------------------------------------------------------------------
# MICROSOFT OFFICE
#---------------------------------------------------------------------
#
# Word documents
#
#
#	doc	y	10000000  \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
#	doc	y	10000000  \xd0\xcf\x11\xe0\xa1\xb1
#
# Outlook files
#	pst	y	500000000	\x21\x42\x4e\xa5\x6f\xb5\xa6
#	ost	y	500000000 	\x21\x42\x44\x4e
#
# Outlook Express
#	dbx	y	10000000	\xcf\xad\x12\xfe\xc5\xfd\x74\x6f
#	idx	y	10000000	\x4a\x4d\x46\x39
#	mbx	y	10000000	\x4a\x4d\x46\x36
#
#---------------------------------------------------------------------
# WORDPERFECT
#---------------------------------------------------------------------
#
#	wpc	y	1000000	?WPC
#
#---------------------------------------------------------------------
# HTML
#---------------------------------------------------------------------
#
#	htm	n	50000   <html			</html>
#
#---------------------------------------------------------------------
# ADOBE PDF
#---------------------------------------------------------------------
#
#	pdf	y	5000000	%PDF  %EOF\x0d	REVERSE
#	pdf	y	5000000	%PDF  %EOF\x0a	REVERSE
#
#---------------------------------------------------------------------
# AOL (AMERICA ONLINE)
#---------------------------------------------------------------------
#
# AOL Mailbox
#	mail	y	500000	 \x41\x4f\x4c\x56\x4d
#
#
#
#---------------------------------------------------------------------
# PGP (PRETTY GOOD PRIVACY)
#---------------------------------------------------------------------
#
# PGP Disk Files
#	pgd	y	500000	\x50\x47\x50\x64\x4d\x41\x49\x4e\x60\x01
#
# Public Key Ring
#	pgp	y	100000	\x99\x00
# Security Ring
#	pgp	y	100000	\x95\x01
#	pgp	y	100000	\x95\x00
# Encrypted Data or ASCII armored keys
#	pgp	y	100000	\xa6\x00
# (there should be a trailer for this...)
#	txt	y	100000	-----BEGIN\040PGP
#
#
#---------------------------------------------------------------------
# RPM (Linux package format)
#---------------------------------------------------------------------
#	rpm	y	1000000	\xed\xab
#
#
#---------------------------------------------------------------------
# SOUND FILES
#---------------------------------------------------------------------
#
#	wav     y	200000	RIFF????WAVE
#
# Real Audio Files
#	ra	y	1000000	\x2e\x72\x61\xfd
#	ra	y	1000000	.RMF
#
#---------------------------------------------------------------------
# WINDOWS REGISTRY FILES
#---------------------------------------------------------------------
#
# Windows NT registry
#	dat	y	4000000	regf
# Windows 95 registry
#	dat	y	4000000	CREG
#
#
#---------------------------------------------------------------------
# MISCELLANEOUS
#---------------------------------------------------------------------
#
#	zip	y	10000000	PK\x03\x04	\x3c\xac
#
#	java	y	1000000		\xca\xfe\xba\xbe
#
#---------------------------------------------------------------------
# ScanSoft PaperPort "Max" files
#---------------------------------------------------------------------
#      max   y     1000000    \x56\x69\x47\x46\x6b\x1a\x00\x00\x00\x00   \x00\x00\x05\x80\x00\x00
#---------------------------------------------------------------------
# PINs Password Manager program
#---------------------------------------------------------------------
#      pins  y     8000     \x50\x49\x4e\x53\x20\x34\x2e\x32\x30\x0d