# Scalpel configuration file
#
# This configuration file controls the types and sizes of files that are
# carved by Scalpel. Currently, Scalpel can read Foremost 0.69
# configuration files, but Scalpel configuration files may not be
# backwards-compatible with Foremost. In particular, maximum file carve
# size under Foremost 0.69 is 4GB, while in the current version of
# Scalpel, it's 16EB (16 exabytes).
#
# For each file type, the configuration file describes the file's
# extension, whether the header and footer are case sensitive, the
# maximum file size, and the header and footer for the file. The footer
# field is optional, but header, size, case sensitivity, and extension
# are required. Any line that begins with a '#' is considered a comment
# and ignored. Thus, to skip a file type just put a '#' at the beginning
# of that line.
#
# Headers and footers are decoded before use. To specify a value in
# hexadecimal use \x[0-f][0-f] and for octal use \[0-3][0-7][0-7].
# Spaces can be represented by \s. Example: "\x4F\123\I\sCCI" decodes
# to "OSI CCI".
#
# To match any single character (aka a wildcard) use a '?'. If you need
# to search for the '?' character, you will need to change the 'wildcard'
# line *and* every occurrence of the old wildcard character in the
# configuration file.
#
# Note: '?' is equal to 0x3f and \063.
#
# If you want files carved without filename extensions, use "NONE" in
# the extension column.
#
# The REVERSE keyword after a footer causes a search backwards starting
# from [size] bytes beyond the location of the header. This is useful for
# files like PDFs that may contain multiple copies of the footer
# throughout the file. When using the REVERSE keyword you will extract
# bytes from the header to the LAST occurrence of the footer (and
# including the footer in the carved file).
#
# The NEXT keyword after a footer results in file carves that include
# the header and all data BEFORE the first occurrence of the footer (the
# footer is not included in the carved file). If no occurrence of the
# footer is discovered within maximum carve size bytes from the header,
# then a block of the disk image including the header and with length
# equal to the maximum carve size is carved. Use NEXT when there is no
# definitive footer for a file type, but you know which data should NOT
# be included in a carved file--e.g., the beginning of a subsequent file
# of the same type.
#
# FORWARD_NEXT is the default carve type and this keyword may be included
# after the footer, but is not required. For FORWARD_NEXT carves, a block
# of data including the header and the first footer (within the maximum
# carve size) is carved. If no footer appears after the header within the
# maximum carve size, then no carving is performed UNLESS the -b command
# line option is supplied. In this case, a block of max carve size bytes,
# including the header, is carved and a notation is made in the Scalpel
# log that the file was chopped.
#
# To redefine the wildcard character, change the setting below and all
# occurrences in this configuration file.
#
#wildcard  ?
#
#               case    size        header              footer
#extension   sensitive
#
#---------------------------------------------------------------------
# EXAMPLE WITH NO SUFFIX
#---------------------------------------------------------------------
#
# Here is an example of how to use the no extension option. Any files
# beginning with the string "FOREMOST" are carved and no file extensions
# are used. No footer is defined and the max carve size is 1000 bytes.
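# The decoding rules and the three carve modes described above, worked
# through in Python as an added example. This is not Scalpel's own code
# (Scalpel is written in C); it reimplements the comment's description
# over a constructed in-memory "image" so the difference between
# FORWARD_NEXT, NEXT and REVERSE (and the -b "chop" behaviour) can be
# checked by eye. Assumptions not stated in the comments: the footer search
# starts just past the header bytes (so a header==footer rule finds the
# *next* occurrence), an unknown backslash escape such as the "\I" in the
# conf's own example stands for the literal character after it, and
# case-insensitive matching is ASCII case folding. The sample image, the
# sample rules and the `carve_sample` helper are constructed for this
# example; the rule syntax itself is the conf's.

```python
import re

WILDCARD = "?"  # the conf's default 'wildcard' setting


def decode_needle(spec, wildcard=WILDCARD):
    """Decode a header/footer field: \\xHH hex, \\ooo octal ([0-3][0-7][0-7]),
    \\s space; the wildcard becomes None (matches any byte).
    Assumption: any other "\\c" escape means the literal character c."""
    out, i = [], 0
    while i < len(spec):
        c = spec[i]
        if c == "\\" and i + 1 < len(spec):
            nxt = spec[i + 1]
            if nxt == "x" and re.fullmatch(r"[0-9a-fA-F]{2}", spec[i + 2:i + 4]):
                out.append(int(spec[i + 2:i + 4], 16)); i += 4
            elif nxt == "s":
                out.append(0x20); i += 2
            elif re.fullmatch(r"[0-3][0-7]{2}", spec[i + 1:i + 4]):
                out.append(int(spec[i + 1:i + 4], 8)); i += 4
            else:
                out.append(ord(nxt)); i += 2
        elif c == wildcard:
            out.append(None); i += 1
        else:
            out.append(ord(c)); i += 1
    return out


def _byte_eq(got, want, case_sensitive):
    if case_sensitive:
        return got == want
    return bytes([got]).lower() == bytes([want]).lower()  # assumption: ASCII folding


def find_all(data, needle, case_sensitive, start=0, stop=None):
    """Offsets in [start, stop) where the decoded needle matches data."""
    stop = len(data) if stop is None else min(stop, len(data))
    hits = []
    for pos in range(start, stop):
        if pos + len(needle) > len(data):
            break
        if all(w is None or _byte_eq(data[pos + k], w, case_sensitive)
               for k, w in enumerate(needle)):
            hits.append(pos)
    return hits


def parse_rule(line):
    """One conf line: extension, case (y/n), size, header, [footer [mode]].
    Blank lines and lines beginning with '#' are ignored (return None)."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    f = line.split()
    rule = {"ext": f[0], "case": f[1].lower() == "y", "size": int(f[2]),
            "header": decode_needle(f[3]), "footer": None, "mode": "FORWARD_NEXT"}
    if len(f) > 4:
        rule["footer"] = decode_needle(f[4])
    if len(f) > 5:
        rule["mode"] = f[5].upper()
    return rule


def carve(data, rule, chop=False):
    """Apply one rule; `chop` plays the role of the -b option.
    Returns (offset, blob, chopped) tuples."""
    hdr, ftr, size, cs = rule["header"], rule["footer"], rule["size"], rule["case"]
    out = []
    for h in find_all(data, hdr, cs):
        limit = min(len(data), h + size)             # max-carve-size window
        if ftr is None:                               # no footer: fixed-size block
            out.append((h, data[h:limit], False)); continue
        # Assumption: search for the footer after the header bytes; the footer
        # must end inside the window.
        hits = find_all(data, ftr, cs, h + len(hdr), limit - len(ftr) + 1)
        if rule["mode"] == "NEXT":                    # footer excluded, never empty
            out.append((h, data[h:hits[0] if hits else limit], False))
        elif hits:                                    # FORWARD_NEXT: first, REVERSE: last
            end = (hits[-1] if rule["mode"] == "REVERSE" else hits[0]) + len(ftr)
            out.append((h, data[h:end], False))
        elif chop:                                    # -b: carve the window, flag it
            out.append((h, data[h:limit], True))
    return out


# Constructed sample image (not real data): a PDF with two footer copies,
# an AVI header, then a PDF with no footer at all.
SAMPLE_IMAGE = (b"\x00" * 8 + b"%PDF-1.4 one %EOF\n junk %EOF\n" + b"\x00" * 4
                + b"RIFF\x10\x00\x00\x00AVI LIST" + b"\x00" * 4
                + b"%PDF-1.7 no footer here")

# Constructed rules in conf syntax (small sizes so the sample stays readable).
SAMPLE_RULES = [
    "pdf  y  64  %PDF  %EOF\\x0a  REVERSE",
    "pdf  y  64  %PDF  %EOF\\x0a",          # FORWARD_NEXT is the default
    "pdf  y  64  %PDF  %PDF      NEXT",     # stop at the next file's header
    "avi  y  16  RIFF????AVI",              # wildcards, no footer
    "# bmp y 100000 BM??\\x00\\x00\\x00",   # commented out: ignored
]


def carve_sample(chop=False):
    """Run each sample rule over the sample image, keyed by extension:mode."""
    results = {}
    for line in SAMPLE_RULES:
        rule = parse_rule(line)
        if rule is not None:
            key = rule["ext"] + ":" + ("NOFOOTER" if rule["footer"] is None else rule["mode"])
            results[key] = carve(SAMPLE_IMAGE, rule, chop)
    return results


if __name__ == "__main__":
    for key, blobs in carve_sample(chop=True).items():
        for off, blob, chopped in blobs:
            flag = "  (chopped)" if chopped else ""
            print(f"{key:<17} @{off:<3} {len(blob):>3} bytes{flag}  {blob[:20]!r}")
```

# Running it shows the point of each keyword: REVERSE returns the first PDF
# through its last "%EOF", FORWARD_NEXT stops at the first one, the NEXT rule
# with "%PDF" as footer ends the carve where the second PDF begins, and the
# footer-less second PDF only appears under REVERSE/FORWARD_NEXT when chop
# (-b) is on, flagged as chopped.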
#
#   NONE    y   1000        FOREMOST
#
#---------------------------------------------------------------------
# GRAPHICS FILES
#---------------------------------------------------------------------
#
#
# AOL ART files
#   art     y   150000      \x4a\x47\x04\x0e            \xcf\xc7\xcb
#   art     y   150000      \x4a\x47\x03\x0e            \xd0\xcb\x00\x00
#
# GIF and JPG files (very common)
#   gif     y   5000000     \x47\x49\x46\x38\x37\x61    \x00\x3b
#   gif     y   5000000     \x47\x49\x46\x38\x39\x61    \x00\x3b
#   jpg     y   200000000   \xff\xd8\xff\xe0\x00\x10    \xff\xd9
#
#
# PNG
#   png     y   20000000    \x50\x4e\x47?               \xff\xfc\xfd\xfe
#
#
# BMP (used by MSWindows, use only if you have reason to think there are
# BMP files worth digging for. This often kicks back a lot of false
# positives)
#
#   bmp     y   100000      BM??\x00\x00\x00
#
# TIFF
#   tif     y   200000000   \x49\x49\x2a\x00
# TIFF
#   tif     y   200000000   \x4D\x4D\x00\x2A
#
#---------------------------------------------------------------------
# ANIMATION FILES
#---------------------------------------------------------------------
#
# AVI (Windows animation and DiVX/MPEG-4 movies)
#   avi     y   50000000    RIFF????AVI
#
# Apple Quicktime
# These needles are based on the file command's magic. I don't
# recommend uncommenting the 4th and 5th Quicktime needles unless
# you're sure you need to, because they generate HUGE numbers of
# false positives.
#
#   mov     y   10000000    ????moov
#   mov     y   10000000    ????mdat
#   mov     y   10000000    ????widev
#   mov     y   10000000    ????skip
#   mov     y   10000000    ????free
#   mov     y   10000000    ????idsc
#   mov     y   10000000    ????pckg
#
# MPEG Video
#   mpg     y   50000000    \x00\x00\x01\xba    \x00\x00\x01\xb9
#   mpg     y   50000000    \x00\x00\x01\xb3    \x00\x00\x01\xb7
#
# Macromedia Flash
#   fws     y   4000000     FWS
#
#---------------------------------------------------------------------
# MICROSOFT OFFICE
#---------------------------------------------------------------------
#
# Word documents
#
#
#   doc     y   10000000    \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00    \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00    NEXT
#   doc     y   10000000    \xd0\xcf\x11\xe0\xa1\xb1
#
# Outlook files
#   pst     y   500000000   \x21\x42\x4e\xa5\x6f\xb5\xa6
#   ost     y   500000000   \x21\x42\x44\x4e
#
# Outlook Express
#   dbx     y   10000000    \xcf\xad\x12\xfe\xc5\xfd\x74\x6f
#   idx     y   10000000    \x4a\x4d\x46\x39
#   mbx     y   10000000    \x4a\x4d\x46\x36
#
#---------------------------------------------------------------------
# WORDPERFECT
#---------------------------------------------------------------------
#
#   wpc     y   1000000     ?WPC
#
#---------------------------------------------------------------------
# HTML
#---------------------------------------------------------------------
#
#   htm     n   50000       <html       </html>
#
#---------------------------------------------------------------------
# ADOBE PDF
#---------------------------------------------------------------------
#
#   pdf     y   5000000     %PDF        %EOF\x0d    REVERSE
#   pdf     y   5000000     %PDF        %EOF\x0a    REVERSE
#
#---------------------------------------------------------------------
# AOL (AMERICA ONLINE)
#---------------------------------------------------------------------
#
# AOL Mailbox
#   mail    y   500000      \x41\x4f\x4c\x56\x4d
#
#
#
#---------------------------------------------------------------------
# PGP (PRETTY GOOD PRIVACY)
#---------------------------------------------------------------------
#
# PGP Disk Files
#   pgd     y   500000      \x50\x47\x50\x64\x4d\x41\x49\x4e\x60\x01
#
# Public Key Ring
#   pgp     y   100000      \x99\x00
# Security Ring
#   pgp     y   100000      \x95\x01
#   pgp     y   100000      \x95\x00
# Encrypted Data or ASCII armored keys
#   pgp     y   100000      \xa6\x00
# (there should be a trailer for this...)
#   txt     y   100000      -----BEGIN\040PGP
#
#
#---------------------------------------------------------------------
# RPM (Linux package format)
#---------------------------------------------------------------------
#   rpm     y   1000000     \xed\xab
#
#
#---------------------------------------------------------------------
# SOUND FILES
#---------------------------------------------------------------------
#
#   wav     y   200000      RIFF????WAVE
#
# Real Audio Files
#   ra      y   1000000     \x2e\x72\x61\xfd
#   ra      y   1000000     .RMF
#
#---------------------------------------------------------------------
# WINDOWS REGISTRY FILES
#---------------------------------------------------------------------
#
# Windows NT registry
#   dat     y   4000000     regf
# Windows 95 registry
#   dat     y   4000000     CREG
#
#
#---------------------------------------------------------------------
# MISCELLANEOUS
#---------------------------------------------------------------------
#
#   zip     y   10000000    PK\x03\x04      \x3c\xac
#
#   java    y   1000000     \xca\xfe\xba\xbe
#
#---------------------------------------------------------------------
# ScanSoft PaperPort "Max" files
#---------------------------------------------------------------------
#   max     y   1000000     \x56\x69\x47\x46\x6b\x1a\x00\x00\x00\x00    \x00\x00\x05\x80\x00\x00
#---------------------------------------------------------------------
# PINs Password Manager program
#---------------------------------------------------------------------
#   pins    y   8000        \x50\x49\x4e\x53\x20\x34\x2e\x32\x30\x0d