Wiki Ubuntu-it

Indice
Partecipa
FAQ
Wiki Blog
------------------
Ubuntu-it.org
Forum
Chiedi
Chat
Cerca
Planet
  • Immutable Page
  • Info
  • Attachments
  • attachment:scalpel.conf of AmministrazioneSistema/RecuperoDati/Estrazione

Attachment 'scalpel.conf'

Download

# Scalpel configuration file 

# This configuration file controls the
# types and sizes of files that are carved by Scalpel.  Currently,
# Scalpel can read Foremost 0.69 configuration files, but Scalpel
# configuration files may not be backwards-compatible with Foremost.
# In particular, maximum file carve size under Foremost 0.69 is 4GB,
# while in the current version of Scalpel, it's 16EB (16 exabytes).  

# For each file type, the configuration file
# describes the file's extension, whether the header and footer are
# case sensitive, the maximum file size, and the header and footer for
# the file. The footer field is optional, but header, size, case
# sensitivity, and extension are required.  Any line that begins with a
# '#' is considered a comment and ignored. Thus, to skip a file type
# just put a '#' at the beginning of that line

# Headers and footers are decoded before use. To specify a value in
# hexadecimal use \x[0-f][0-f] and for octal use \[0-3][0-7][0-7].
# Spaces can be represented by \s. Example: "\x4F\123\I\sCCI" decodes
# to "OSI CCI".  # To match any single character (aka a wildcard) use
# a '?'. If you need to search for the '?' character, you will need to
# change the 'wildcard' line *and* every occurrence of the old
# wildcard character in the configuration file. '
#
# Note: ?' is equal to 0x3f and \063. 
#
# If you want files carved without filename extensions, 
# use "NONE" in the extension column.

# The REVERSE keyword after a footer causes a search
# backwards starting from [size] bytes beyond the location of the header
# This is useful for files like PDFs that may contain multiple copies of 
# the footer throughout the file.  When using the REVERSE keyword you will
# extract bytes from the header to the LAST occurence of the footer (and
# including the footer in the carved file).
#
# The NEXT keyword after a footer results in file carves that
# include the header and all data BEFORE the first occurence of the
# footer (the footer is not included in the carved file).  If no
# occurrence of the footer is discovered within maximum carve size bytes
# from the header, then a block of the disk image including the header
# and with length equal to the maximum carve size is carved.  Use NEXT
# when there is no definitive footer for a file type, but you know which
# data should NOT be included in a carved file--e.g., the beginning of
# a subsequent file of the same type.
#
# FORWARD_NEXT is the default carve type and this keyword may be 
# included after the footer, but is not required.  For FORWARD_NEXT
# carves, a block of data including the header and the first footer 
# (within the maximum carve size) are carved.  If no footer appears
# after the header within the maximum carve size, then no carving is
# performed UNLESS the -b command line option is supplied.  In this case,
# a block of max carve size bytes, including the header, is carved and a
# notation is made in the Scalpel log that the file was chopped.

# To redefine the wildcard character, change the setting below and all
# occurences in the formost.conf file.
#
#wildcard  ?

#               case    size    header                  footer
#extension   sensitive  
#
#---------------------------------------------------------------------
# EXAMPLE WITH NO SUFFIX
#---------------------------------------------------------------------
#
# Here is an example of how to use the no extension option. Any files 
# beginning with the string "FOREMOST" are carved and no file extensions
# are used. No footer is defined and the max carve size is 1000 bytes.
#
#      NONE     y      1000     FOREMOST
#
#---------------------------------------------------------------------
# GRAPHICS FILES
#---------------------------------------------------------------------  
#
#
# AOL ART files
#       art     y       150000  \x4a\x47\x04\x0e        \xcf\xc7\xcb
#       art     y       150000  \x4a\x47\x03\x0e        \xd0\xcb\x00\x00
#
# GIF and JPG files (very common)
#       gif     y       5000000         \x47\x49\x46\x38\x37\x61        \x00\x3b
#       gif     y       5000000         \x47\x49\x46\x38\x39\x61        \x00\x3b
#       jpg     y       200000000       \xff\xd8\xff\xe0\x00\x10        \xff\xd9
#
#
# PNG   
#       png     y       20000000        \x50\x4e\x47?   \xff\xfc\xfd\xfe
#
#
# BMP   (used by MSWindows, use only if you have reason to think there are
#       BMP files worth digging for. This often kicks back a lot of false
#       positives
#
#       bmp     y       100000  BM??\x00\x00\x00
#
# TIFF
#       tif     y       200000000       \x49\x49\x2a\x00
# TIFF
#       tif     y       200000000       \x4D\x4D\x00\x2A
#
#---------------------------------------------------------------------  
# ANIMATION FILES
#---------------------------------------------------------------------  
#
# AVI (Windows animation and DiVX/MPEG-4 movies)
#       avi     y       50000000 RIFF????AVI
#
# Apple Quicktime
#   These needles are based on the file command's magic.  I don't
#   recommend uncommenting the 4th and 5th Quicktime needles unless 
#   you're sure you need to, because they generate HUGE numbers of 
#   false positives.
#
#       mov     y       10000000        ????moov
#       mov     y       10000000        ????mdat
#       mov     y       10000000        ????widev
#       mov     y       10000000        ????skip
#       mov     y       10000000        ????free
#       mov     y       10000000        ????idsc
#       mov     y       10000000        ????pckg
#
# MPEG Video
#       mpg     y       50000000        \x00\x00\x01\xba        \x00\x00\x01\xb9
#       mpg     y       50000000        \x00\x00\x01\xb3        \x00\x00\x01\xb7
#
# Macromedia Flash
#       fws     y       4000000 FWS
#
#---------------------------------------------------------------------  
# MICROSOFT OFFICE 
#---------------------------------------------------------------------  
#
# Word documents
#
#
#       doc     y       10000000  \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
#       doc     y       10000000  \xd0\xcf\x11\xe0\xa1\xb1
#
# Outlook files
#       pst     y       500000000       \x21\x42\x4e\xa5\x6f\xb5\xa6
#       ost     y       500000000       \x21\x42\x44\x4e
#
# Outlook Express
#       dbx     y       10000000        \xcf\xad\x12\xfe\xc5\xfd\x74\x6f
#       idx     y       10000000        \x4a\x4d\x46\x39
#       mbx     y       10000000        \x4a\x4d\x46\x36
#
#---------------------------------------------------------------------  
# WORDPERFECT
#---------------------------------------------------------------------
#
#       wpc     y       1000000 ?WPC
#
#---------------------------------------------------------------------  
# HTML
#---------------------------------------------------------------------  
#
#       htm     n       50000   <html                   </html>
#
#---------------------------------------------------------------------  
# ADOBE PDF
#---------------------------------------------------------------------  
#
#       pdf     y       5000000 %PDF  %EOF\x0d  REVERSE
#       pdf     y       5000000 %PDF  %EOF\x0a  REVERSE
#
#---------------------------------------------------------------------  
# AOL (AMERICA ONLINE)
#---------------------------------------------------------------------  
#
# AOL Mailbox
#       mail    y       500000   \x41\x4f\x4c\x56\x4d
#
#
#       
#---------------------------------------------------------------------  
# PGP (PRETTY GOOD PRIVACY)
#---------------------------------------------------------------------  
#
# PGP Disk Files
#       pgd     y       500000  \x50\x47\x50\x64\x4d\x41\x49\x4e\x60\x01
#
# Public Key Ring
#       pgp     y       100000  \x99\x00
# Security Ring
#       pgp     y       100000  \x95\x01
#       pgp     y       100000  \x95\x00
# Encrypted Data or ASCII armored keys
#       pgp     y       100000  \xa6\x00
# (there should be a trailer for this...)
#       txt     y       100000  -----BEGIN\040PGP
#
#
#---------------------------------------------------------------------  
# RPM (Linux package format)
#---------------------------------------------------------------------  
#       rpm     y       1000000 \xed\xab
#
#
#---------------------------------------------------------------------  
# SOUND FILES
#---------------------------------------------------------------------  
#
#       wav     y       200000  RIFF????WAVE
#
# Real Audio Files
#       ra      y       1000000 \x2e\x72\x61\xfd
#       ra      y       1000000 .RMF
#
#---------------------------------------------------------------------  
# WINDOWS REGISTRY FILES
#---------------------------------------------------------------------  
# 
# Windows NT registry
#       dat     y       4000000 regf
# Windows 95 registry
#       dat     y       4000000 CREG
#
#
#---------------------------------------------------------------------  
# MISCELLANEOUS
#---------------------------------------------------------------------  
#
#       zip     y       10000000        PK\x03\x04      \x3c\xac
#
#       java    y       1000000 \xca\xfe\xba\xbe
#
#---------------------------------------------------------------------  
# ScanSoft PaperPort "Max" files
#---------------------------------------------------------------------  
#      max   y     1000000    \x56\x69\x47\x46\x6b\x1a\x00\x00\x00\x00   \x00\x00\x05\x80\x00\x00 
#---------------------------------------------------------------------  
# PINs Password Manager program
#---------------------------------------------------------------------  
#      pins  y     8000     \x50\x49\x4e\x53\x20\x34\x2e\x32\x30\x0d

Attached Files

To refer to attachments on a page, use attachment:filename, as shown below in the list of files. Do NOT use the URL of the [get] link, since this is subject to change and can break easily.
  • [get | view] (21/01/2011 18.29.18, 8.5 KB) [[attachment:scalpel.conf]]
 All files | Selected Files: delete move to page copy to page

You are not allowed to attach a file to this page.