|
|
@@ -241,6 +241,28 @@ export const FILE_SIGNATURES = {
|
|
|
],
|
|
|
extractor: null
|
|
|
},
|
|
|
+ {
|
|
|
+ name: "The GIMP image",
|
|
|
+ extension: "xcf",
|
|
|
+ mime: "image/x-xcf",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x67, // gimp xcf
|
|
|
+ 1: 0x69,
|
|
|
+ 2: 0x6d,
|
|
|
+ 3: 0x70,
|
|
|
+ 4: 0x20,
|
|
|
+ 5: 0x78,
|
|
|
+ 6: 0x63,
|
|
|
+ 7: 0x66,
|
|
|
+ 8: 0x20,
|
|
|
+ 9: [0x66, 0x76],
|
|
|
+ 10: [0x69, 0x30],
|
|
|
+ 11: [0x6c, 0x30],
|
|
|
+ 12: [0x65, 0x31, 0x32, 0x33]
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
{
|
|
|
name: "Icon image",
|
|
|
extension: "ico",
|
|
|
@@ -363,10 +385,40 @@ export const FILE_SIGNATURES = {
|
|
|
3: 0x00
|
|
|
},
|
|
|
extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Joint Photographic Experts Group image (under Base64)",
|
|
|
+ extension: "B64",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x2f,
|
|
|
+ 1: 0x39,
|
|
|
+ 2: 0x6a,
|
|
|
+ 3: 0x2f,
|
|
|
+ 4: 0x34
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Portable Network Graphics image (under Base64)",
|
|
|
+ extension: "B64",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x69,
|
|
|
+ 1: 0x56,
|
|
|
+ 2: 0x42,
|
|
|
+ 3: 0x4f,
|
|
|
+ 4: 0x52,
|
|
|
+ 5: 0x77,
|
|
|
+ 6: 0x30
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
}
|
|
|
],
|
|
|
"Video": [
|
|
|
- { // Place before webm
|
|
|
+ {
|
|
|
name: "Matroska Multimedia Container",
|
|
|
extension: "mkv",
|
|
|
mime: "video/x-matroska",
|
|
|
@@ -392,7 +444,28 @@ export const FILE_SIGNATURES = {
|
|
|
0: 0x1a,
|
|
|
1: 0x45,
|
|
|
2: 0xdf,
|
|
|
- 3: 0xa3
|
|
|
+ 3: 0xa3,
|
|
|
+ 4: 0x01,
|
|
|
+ 5: 0x00,
|
|
|
+ 6: 0x00,
|
|
|
+ 7: 0x00
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ { // Place before MPEG-4
|
|
|
+ name: "Flash MP4 video",
|
|
|
+ extension: "f4v",
|
|
|
+ mime: "video/mp4",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 4: 0x66,
|
|
|
+ 5: 0x74,
|
|
|
+ 6: 0x79,
|
|
|
+ 7: 0x70,
|
|
|
+ 8: [0x66, 0x46],
|
|
|
+ 9: 0x34,
|
|
|
+ 10: [0x76, 0x56],
|
|
|
+ 11: 0x20
|
|
|
},
|
|
|
extractor: null
|
|
|
},
|
|
|
@@ -766,6 +839,41 @@ export const FILE_SIGNATURES = {
|
|
|
},
|
|
|
extractor: extractPDF
|
|
|
},
|
|
|
+ {
|
|
|
+ name: "Portable Document Format (under Base64)",
|
|
|
+ extension: "B64",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x41,
|
|
|
+ 1: 0x4a,
|
|
|
+ 2: 0x56,
|
|
|
+ 3: 0x42,
|
|
|
+ 4: 0x45,
|
|
|
+ 5: 0x52,
|
|
|
+ 6: 0x69
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ { // Place before PostScript
|
|
|
+ name: "Adobe PostScript",
|
|
|
+ extension: "ps,eps,ai,pfa",
|
|
|
+ mime: "application/postscript",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x25,
|
|
|
+ 1: 0x21,
|
|
|
+ 2: 0x50,
|
|
|
+ 3: 0x53,
|
|
|
+ 4: 0x2d,
|
|
|
+ 5: 0x41,
|
|
|
+ 6: 0x64,
|
|
|
+ 7: 0x6f,
|
|
|
+ 8: 0x62,
|
|
|
+ 9: 0x65
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
{
|
|
|
name: "PostScript",
|
|
|
extension: "ps",
|
|
|
@@ -792,7 +900,7 @@ export const FILE_SIGNATURES = {
|
|
|
extractor: extractRTF
|
|
|
},
|
|
|
{
|
|
|
- name: "Microsoft Office documents/OLE2",
|
|
|
+ name: "Microsoft Office document/OLE2",
|
|
|
extension: "ole2,doc,xls,dot,ppt,xla,ppa,pps,pot,msi,sdw,db,vsd,msg",
|
|
|
mime: "application/msword,application/vnd.ms-excel,application/vnd.ms-powerpoint",
|
|
|
description: "Microsoft Office documents",
|
|
|
@@ -809,7 +917,24 @@ export const FILE_SIGNATURES = {
|
|
|
extractor: null
|
|
|
},
|
|
|
{
|
|
|
- name: "Microsoft Office 2007+ documents",
|
|
|
+ name: "Microsoft Office document/OLE2 (under Base64)",
|
|
|
+ extension: "B64",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x30,
|
|
|
+ 1: 0x4d,
|
|
|
+ 2: 0x38,
|
|
|
+ 3: 0x52,
|
|
|
+ 4: 0x34,
|
|
|
+ 5: 0x4b,
|
|
|
+ 6: 0x47,
|
|
|
+ 7: 0x78
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Microsoft Office 2007+ document",
|
|
|
extension: "docx,xlsx,pptx",
|
|
|
mime: "application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.openxmlformats-officedocument.presentationml.presentation",
|
|
|
description: "",
|
|
|
@@ -828,6 +953,131 @@ export const FILE_SIGNATURES = {
|
|
|
},
|
|
|
extractor: extractZIP
|
|
|
},
|
|
|
+ {
|
|
|
+ name: "Microsoft Access database",
|
|
|
+ extension: "mdb,mda,mde,mdt,fdb,psa",
|
|
|
+ mime: "application/msaccess",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x00,
|
|
|
+ 1: 0x01,
|
|
|
+ 2: 0x00,
|
|
|
+ 3: 0x00,
|
|
|
+ 4: 0x53, // Standard Jet
|
|
|
+ 5: 0x74,
|
|
|
+ 6: 0x61,
|
|
|
+ 7: 0x6e,
|
|
|
+ 8: 0x64,
|
|
|
+ 9: 0x61,
|
|
|
+ 10: 0x72,
|
|
|
+ 11: 0x64,
|
|
|
+ 12: 0x20,
|
|
|
+ 13: 0x4a,
|
|
|
+ 14: 0x65,
|
|
|
+ 15: 0x74
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Microsoft Access 2007+ database",
|
|
|
+ extension: "accdb,accde,accda,accdu",
|
|
|
+ mime: "application/msaccess",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x00,
|
|
|
+ 1: 0x01,
|
|
|
+ 2: 0x00,
|
|
|
+ 3: 0x00,
|
|
|
+ 4: 0x53, // Standard ACE DB
|
|
|
+ 5: 0x74,
|
|
|
+ 6: 0x61,
|
|
|
+ 7: 0x6e,
|
|
|
+ 8: 0x64,
|
|
|
+ 9: 0x61,
|
|
|
+ 10: 0x72,
|
|
|
+ 11: 0x64,
|
|
|
+ 12: 0x20,
|
|
|
+ 13: 0x41,
|
|
|
+ 14: 0x43,
|
|
|
+ 15: 0x45,
|
|
|
+ 16: 0x20
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Microsoft OneNote document",
|
|
|
+ extension: "one",
|
|
|
+ mime: "application/onenote",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0xe4,
|
|
|
+ 1: 0x52,
|
|
|
+ 2: 0x5c,
|
|
|
+ 3: 0x7b,
|
|
|
+ 4: 0x8c,
|
|
|
+ 5: 0xd8,
|
|
|
+ 6: 0xa7,
|
|
|
+ 7: 0x4d,
|
|
|
+ 8: 0xae,
|
|
|
+ 9: 0xb1,
|
|
|
+ 10: 0x53,
|
|
|
+ 11: 0x78,
|
|
|
+ 12: 0xd0,
|
|
|
+ 13: 0x29,
|
|
|
+ 14: 0x96,
|
|
|
+ 15: 0xd3
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Outlook Express database",
|
|
|
+ extension: "dbx",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0xcf,
|
|
|
+ 1: 0xad,
|
|
|
+ 2: 0x12,
|
|
|
+ 3: 0xfe,
|
|
|
+ 4: [0x30, 0xc5, 0xc6, 0xc7],
|
|
|
+ 11: 0x11
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Personal Storage Table (Outlook)",
|
|
|
+ extension: "pst,ost,fdb,pab",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x21, // !BDN
|
|
|
+ 1: 0x42,
|
|
|
+ 2: 0x44,
|
|
|
+ 3: 0x4e
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Microsoft Exchange Database",
|
|
|
+ extension: "edb",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 4: 0xef,
|
|
|
+ 5: 0xcd,
|
|
|
+ 6: 0xab,
|
|
|
+ 7: 0x89,
|
|
|
+ 8: [0x20, 0x23],
|
|
|
+ 9: 0x06,
|
|
|
+ 10: 0x00,
|
|
|
+ 11: 0x00,
|
|
|
+ 12: [0x00, 0x01],
|
|
|
+ 13: 0x00,
|
|
|
+ 14: 0x00,
|
|
|
+ 15: 0x00
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
{
|
|
|
name: "EPUB e-book",
|
|
|
extension: "epub",
|
|
|
@@ -897,6 +1147,36 @@ export const FILE_SIGNATURES = {
|
|
|
},
|
|
|
extractor: extractELF
|
|
|
},
|
|
|
+ {
|
|
|
+ name: "MacOS Mach-O object file",
|
|
|
+ extension: "dylib",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0xca,
|
|
|
+ 1: 0xfe,
|
|
|
+ 2: 0xba,
|
|
|
+ 3: 0xbe,
|
|
|
+ 4: 0x00,
|
|
|
+ 5: 0x00,
|
|
|
+ 6: 0x00,
|
|
|
+ 7: [0x01, 0x02, 0x03]
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "MacOS Mach-O 64-bit object file",
|
|
|
+ extension: "dylib",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0xcf,
|
|
|
+ 1: 0xfa,
|
|
|
+ 2: 0xed,
|
|
|
+ 3: 0xfe
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
{
|
|
|
name: "Adobe Flash",
|
|
|
extension: "swf",
|
|
|
@@ -905,7 +1185,7 @@ export const FILE_SIGNATURES = {
|
|
|
signature: {
|
|
|
0: [0x43, 0x46],
|
|
|
1: 0x57,
|
|
|
- 2: 0x53
|
|
|
+ 2: 0x53,
|
|
|
},
|
|
|
extractor: null
|
|
|
},
|
|
|
@@ -967,13 +1247,28 @@ export const FILE_SIGNATURES = {
|
|
|
},
|
|
|
extractor: extractZIP
|
|
|
},
|
|
|
+ {
|
|
|
+ name: "PKZIP archive (under Base64)",
|
|
|
+ extension: "B64",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x55,
|
|
|
+ 1: 0x45,
|
|
|
+ 2: 0x73,
|
|
|
+ 3: 0x44,
|
|
|
+ 4: 0x42,
|
|
|
+ 5: 0x42
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
{
|
|
|
name: "TAR archive",
|
|
|
extension: "tar",
|
|
|
mime: "application/x-tar",
|
|
|
description: "",
|
|
|
signature: {
|
|
|
- 257: 0x75,
|
|
|
+ 257: 0x75, // ustar
|
|
|
258: 0x73,
|
|
|
259: 0x74,
|
|
|
260: 0x61,
|
|
|
@@ -1111,7 +1406,45 @@ export const FILE_SIGNATURES = {
|
|
|
signature: {
|
|
|
0: 0x4b,
|
|
|
1: 0x44,
|
|
|
- 2: 0x4d
|
|
|
+ 2: 0x4d,
|
|
|
+ 3: 0x56,
|
|
|
+ 5: 0x00,
|
|
|
+ 6: 0x00,
|
|
|
+ 7: 0x00
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Virtual Hard Drive",
|
|
|
+ extension: "vhd",
|
|
|
+ mime: "application/x-vhd",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x63, // conectix
|
|
|
+ 1: 0x6f,
|
|
|
+ 2: 0x6e,
|
|
|
+ 3: 0x65,
|
|
|
+ 4: 0x63,
|
|
|
+ 5: 0x74,
|
|
|
+ 6: 0x69,
|
|
|
+ 7: 0x78
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Macintosh disk image",
|
|
|
+ extension: "dmf,dmg",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x78,
|
|
|
+ 1: 0x01,
|
|
|
+ 2: 0x73,
|
|
|
+ 3: 0x0d,
|
|
|
+ 4: 0x62,
|
|
|
+ 5: 0x62,
|
|
|
+ 6: 0x60,
|
|
|
+ 7: 0x60
|
|
|
},
|
|
|
extractor: null
|
|
|
},
|
|
|
@@ -1218,7 +1551,37 @@ export const FILE_SIGNATURES = {
|
|
|
9: 0x2d
|
|
|
},
|
|
|
extractor: null
|
|
|
- }
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Microsoft Cabinet file",
|
|
|
+ extension: "cab",
|
|
|
+ mime: "vnd.ms-cab-compressed",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x4d,
|
|
|
+ 1: 0x53,
|
|
|
+ 2: 0x43,
|
|
|
+ 3: 0x46,
|
|
|
+ 4: 0x00,
|
|
|
+ 5: 0x00,
|
|
|
+ 6: 0x00,
|
|
|
+ 7: 0x00
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Jar Archive",
|
|
|
+ extension: "jar",
|
|
|
+ mime: "application/java-archive",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x5f,
|
|
|
+ 1: 0x27,
|
|
|
+ 2: 0xa8,
|
|
|
+ 3: 0x89
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
],
|
|
|
"Miscellaneous": [
|
|
|
{
|
|
|
@@ -1398,7 +1761,213 @@ export const FILE_SIGNATURES = {
|
|
|
}
|
|
|
],
|
|
|
extractor: null
|
|
|
- }
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Cryptocurrency wallet",
|
|
|
+ extension: "wallet",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x00,
|
|
|
+ 1: 0x00,
|
|
|
+ 2: 0x00,
|
|
|
+ 3: 0x00,
|
|
|
+ 4: 0x01,
|
|
|
+ 5: 0x00,
|
|
|
+ 6: 0x00,
|
|
|
+ 7: 0x00,
|
|
|
+ 8: 0x00,
|
|
|
+ 9: 0x00,
|
|
|
+ 10: 0x00,
|
|
|
+ 11: 0x00,
|
|
|
+ 12: 0x62,
|
|
|
+ 13: 0x31,
|
|
|
+ 14: 0x05,
|
|
|
+ 15: 0x00
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Registry fragment",
|
|
|
+ extension: "hbin",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x68, // hbin
|
|
|
+ 1: 0x62,
|
|
|
+ 2: 0x69,
|
|
|
+ 3: 0x6e,
|
|
|
+ 4: 0x00
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Registry script",
|
|
|
+ extension: "rgs",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x48, // HKCR
|
|
|
+ 1: 0x4b,
|
|
|
+ 2: 0x43,
|
|
|
+ 3: 0x52,
|
|
|
+ 4: 0x0d,
|
|
|
+ 5: 0x0a,
|
|
|
+ 6: 0x5c,
|
|
|
+ 7: 0x7b
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "WinNT Registry Hive",
|
|
|
+ extension: "registry",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x72,
|
|
|
+ 1: 0x65,
|
|
|
+ 2: 0x67,
|
|
|
+ 3: 0x66
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Windows Event Log",
|
|
|
+ extension: "evt",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x30,
|
|
|
+ 1: 0x00,
|
|
|
+ 2: 0x00,
|
|
|
+ 3: 0x00,
|
|
|
+ 4: 0x4c,
|
|
|
+ 5: 0x66,
|
|
|
+ 6: 0x4c,
|
|
|
+ 7: 0x65
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Windows Event Log",
|
|
|
+ extension: "evtx",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x45, // ElfFile
|
|
|
+ 1: 0x6c,
|
|
|
+ 2: 0x66,
|
|
|
+ 3: 0x46,
|
|
|
+ 4: 0x69,
|
|
|
+ 5: 0x6c,
|
|
|
+ 6: 0x65
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Windows Pagedump",
|
|
|
+ extension: "dmp",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x50, // PAGEDU(MP|64)
|
|
|
+ 1: 0x41,
|
|
|
+ 2: 0x47,
|
|
|
+ 3: 0x45,
|
|
|
+ 4: 0x44,
|
|
|
+ 5: 0x55,
|
|
|
+ 6: [0x4d, 0x36],
|
|
|
+ 7: [0x50, 0x34]
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Windows Prefetch",
|
|
|
+ extension: "pf",
|
|
|
+ mime: "application/x-pf",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: [0x11, 0x17, 0x1a],
|
|
|
+ 1: 0x0,
|
|
|
+ 2: 0x0,
|
|
|
+ 3: 0x0,
|
|
|
+ 4: 0x53,
|
|
|
+ 5: 0x43,
|
|
|
+ 6: 0x43,
|
|
|
+ 7: 0x41
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "Windows Prefetch (Win 10)",
|
|
|
+ extension: "pf",
|
|
|
+ mime: "application/x-pf",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x4d,
|
|
|
+ 1: 0x41,
|
|
|
+ 2: 0x4d,
|
|
|
+ 3: 0x04,
|
|
|
+ 7: 0x0
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "PList (XML)",
|
|
|
+ extension: "plist",
|
|
|
+ mime: "application/xml",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 39: 0x3c, // <!DOCTYPE plist
|
|
|
+ 40: 0x21,
|
|
|
+ 41: 0x44,
|
|
|
+ 42: 0x4f,
|
|
|
+ 43: 0x43,
|
|
|
+ 44: 0x54,
|
|
|
+ 45: 0x59,
|
|
|
+ 46: 0x50,
|
|
|
+ 47: 0x45,
|
|
|
+ 48: 0x20,
|
|
|
+ 49: 0x70,
|
|
|
+ 50: 0x6c,
|
|
|
+ 51: 0x69,
|
|
|
+ 52: 0x73,
|
|
|
+ 53: 0x74
|
|
|
+ },
|
|
|
+ extractor: extractPListXML
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "PList (binary)",
|
|
|
+ extension: "bplist,plist,ipmeta,abcdp,mdbackup,mdinfo,strings,nib,ichat,qtz,webbookmark,webhistory",
|
|
|
+ mime: "application/x-plist",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x62, // bplist00
|
|
|
+ 1: 0x70,
|
|
|
+ 2: 0x6c,
|
|
|
+ 3: 0x69,
|
|
|
+ 4: 0x73,
|
|
|
+ 5: 0x74,
|
|
|
+ 6: 0x30,
|
|
|
+ 7: 0x30
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
+ {
|
|
|
+ name: "MacOS X Keychain",
|
|
|
+ extension: "keychain",
|
|
|
+ mime: "application/octet-stream",
|
|
|
+ description: "",
|
|
|
+ signature: {
|
|
|
+ 0: 0x6b, // keych
|
|
|
+ 1: 0x79,
|
|
|
+ 2: 0x63,
|
|
|
+ 3: 0x68,
|
|
|
+ 4: 0x00,
|
|
|
+ 5: 0x01
|
|
|
+ },
|
|
|
+ extractor: null
|
|
|
+ },
|
|
|
]
|
|
|
};
|
|
|
|
|
|
@@ -1732,6 +2301,24 @@ export function extractRTF(bytes, offset) {
|
|
|
}
|
|
|
|
|
|
|
|
|
+/**
|
|
|
+ * PList (XML) extractor.
|
|
|
+ *
|
|
|
+ * @param {Uint8Array} bytes
|
|
|
+ * @param {number} offset
|
|
|
+ * @returns {Uint8Array}
|
|
|
+ */
|
|
|
+export function extractPListXML(bytes, offset) {
|
|
|
+ const stream = new Stream(bytes.slice(offset));
|
|
|
+
|
|
|
+ // Find closing tag (</plist>\n)
|
|
|
+ stream.continueUntil([0x3c, 0x2f, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x3e, 0x0a]);
|
|
|
+ stream.moveForwardsBy(9);
|
|
|
+
|
|
|
+ return stream.carve();
|
|
|
+}
|
|
|
+
|
|
|
+
|
|
|
/**
|
|
|
* GZIP extractor.
|
|
|
*
|
n1474335