Diffstat (limited to 'magic/Magdir/database')
-rw-r--r-- | magic/Magdir/database | 886 |
1 files changed, 886 insertions, 0 deletions
diff --git a/magic/Magdir/database b/magic/Magdir/database
new file mode 100644
index 0000000..03ac423
--- /dev/null
+++ b/magic/Magdir/database
@@ -0,0 +1,886 @@
+
+#------------------------------------------------------------------------------
+# $File: database,v 1.69 2023/01/12 00:14:04 christos Exp $
+# database: file(1) magic for various databases
+#
+# extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk)
+#
+#
+# GDBM magic numbers
+# Will be maintained as part of the GDBM distribution in the future.
+# <downsj@teeny.org>
+0 belong 0x13579acd GNU dbm 1.x or ndbm database, big endian, 32-bit
+!:mime application/x-gdbm
+0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian, old
+!:mime application/x-gdbm
+0 belong 0x13579acf GNU dbm 1.x or ndbm database, big endian, 64-bit
+!:mime application/x-gdbm
+0 lelong 0x13579acd GNU dbm 1.x or ndbm database, little endian, 32-bit
+!:mime application/x-gdbm
+0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian, old
+!:mime application/x-gdbm
+0 lelong 0x13579acf GNU dbm 1.x or ndbm database, little endian, 64-bit
+!:mime application/x-gdbm
+0 string GDBM GNU dbm 2.x database
+!:mime application/x-gdbm
+#
+# Berkeley DB
+#
+# Ian Darwin's file /etc/magic files: big/little-endian version.
+#
+# Hash 1.85/1.86 databases store metadata in network byte order.
+# Btree 1.85/1.86 databases store the metadata in host byte order.
+# Hash and Btree 2.X and later databases store the metadata in host byte order.
+
+0 long 0x00061561 Berkeley DB
+!:mime application/x-dbm
+>8 belong 4321
+>>4 belong >2 1.86
+>>4 belong <3 1.85
+>>4 belong >0 (Hash, version %d, native byte-order)
+>8 belong 1234
+>>4 belong >2 1.86
+>>4 belong <3 1.85
+>>4 belong >0 (Hash, version %d, little-endian)
+
+0 belong 0x00061561 Berkeley DB
+>8 belong 4321
+>>4 belong >2 1.86
+>>4 belong <3 1.85
+>>4 belong >0 (Hash, version %d, big-endian)
+>8 belong 1234
+>>4 belong >2 1.86
+>>4 belong <3 1.85
+>>4 belong >0 (Hash, version %d, native byte-order)
+
+0 long 0x00053162 Berkeley DB 1.85/1.86
+>4 long >0 (Btree, version %d, native byte-order)
+0 belong 0x00053162 Berkeley DB 1.85/1.86
+>4 belong >0 (Btree, version %d, big-endian)
+0 lelong 0x00053162 Berkeley DB 1.85/1.86
+>4 lelong >0 (Btree, version %d, little-endian)
+
+12 long 0x00061561 Berkeley DB
+>16 long >0 (Hash, version %d, native byte-order)
+12 belong 0x00061561 Berkeley DB
+>16 belong >0 (Hash, version %d, big-endian)
+12 lelong 0x00061561 Berkeley DB
+>16 lelong >0 (Hash, version %d, little-endian)
+
+12 long 0x00053162 Berkeley DB
+>16 long >0 (Btree, version %d, native byte-order)
+12 belong 0x00053162 Berkeley DB
+>16 belong >0 (Btree, version %d, big-endian)
+12 lelong 0x00053162 Berkeley DB
+>16 lelong >0 (Btree, version %d, little-endian)
+
+12 long 0x00042253 Berkeley DB
+>16 long >0 (Queue, version %d, native byte-order)
+12 belong 0x00042253 Berkeley DB
+>16 belong >0 (Queue, version %d, big-endian)
+12 lelong 0x00042253 Berkeley DB
+>16 lelong >0 (Queue, version %d, little-endian)
+
+# From Max Bowsher.
+12 long 0x00040988 Berkeley DB
+>16 long >0 (Log, version %d, native byte-order)
+12 belong 0x00040988 Berkeley DB
+>16 belong >0 (Log, version %d, big-endian)
+12 lelong 0x00040988 Berkeley DB
+>16 lelong >0 (Log, version %d, little-endian)
+
+#
+#
+# Round Robin Database Tool by Tobias Oetiker <oetiker@ee.ethz.ch>
+0 string/b RRD\0 RRDTool DB
+>4 string/b x version %s
+
+>>10 short !0 16bit aligned
+>>>10 bedouble 8.642135e+130 big-endian
+>>>>18 short x 32bit long (m68k)
+
+>>10 short 0
+>>>12 long !0 32bit aligned
+>>>>12 bedouble 8.642135e+130 big-endian
+>>>>>20 long 0 64bit long
+>>>>>20 long !0 32bit long
+>>>>12 ledouble 8.642135e+130 little-endian
+>>>>>24 long 0 64bit long
+>>>>>24 long !0 32bit long (i386)
+>>>>12 string \x43\x2b\x1f\x5b\x2f\x25\xc0\xc7 middle-endian
+>>>>>24 short !0 32bit long (arm)
+
+>>8 quad 0 64bit aligned
+>>>16 bedouble 8.642135e+130 big-endian
+>>>>24 long 0 64bit long (s390x)
+>>>>24 long !0 32bit long (hppa/mips/ppc/s390/SPARC)
+>>>16 ledouble 8.642135e+130 little-endian
+>>>>28 long 0 64bit long (alpha/amd64/ia64)
+>>>>28 long !0 32bit long (armel/mipsel)
+
+#----------------------------------------------------------------------
+# ROOT: file(1) magic for ROOT databases
+#
+0 string root\0 ROOT file
+>4 belong x Version %d
+>33 belong x (Compression: %d)
+
+# XXX: Weak magic.
+# Alex Ott <ott@jet.msk.su>
+## Paradox file formats
+#2 leshort 0x0800 Paradox
+#>0x39 byte 3 v. 3.0
+#>0x39 byte 4 v. 3.5
+#>0x39 byte 9 v. 4.x
+#>0x39 byte 10 v. 5.x
+#>0x39 byte 11 v. 5.x
+#>0x39 byte 12 v. 7.x
+#>>0x04 byte 0 indexed .DB data file
+#>>0x04 byte 1 primary index .PX file
+#>>0x04 byte 2 non-indexed .DB data file
+#>>0x04 byte 3 non-incrementing secondary index .Xnn file
+#>>0x04 byte 4 secondary index .Ynn file
+#>>0x04 byte 5 incrementing secondary index .Xnn file
+#>>0x04 byte 6 non-incrementing secondary index .XGn file
+#>>0x04 byte 7 secondary index .YGn file
+#>>>0x04 byte 8 incrementing secondary index .XGn file
+
+## XBase database files
+# updated by Joerg Jenderek at Feb 2013
+# https://www.dbase.com/Knowledgebase/INT/db7_file_fmt.htm
+# https://www.clicketyclick.dk/databases/xbase/format/dbf.html
+# inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
+0 ubelong&0x0000FFFF <0x00000C20
+!:strength +10
+# skip Infocom game Z-machine
+>2 ubyte >0
+# skip Androids *.xml
+>>3 ubyte >0
+>>>3 ubyte <32
+# 1 < version VV
+>>>>0 ubyte >1
+# skip HELP.CA3 by test for reserved byte ( NULL )
+>>>>>27 ubyte 0
+# reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF)
+#>>>>>30 ubeshort x 30NULL?%x
+# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)
+>>>>>>24 ubelong&0xffFFFFff >0x01302000
+# .DBF or .MDX
+>>>>>>24 ubelong&0xffFFFFff <0x01302001
+# for Xbase Database file (*.DBF) reserved (NULL) for multi-user
+>>>>>>>24 ubelong&0xffFFFFff =0
+# test for 2 reserved NULL bytes,transaction and encryption byte flag
+>>>>>>>>12 ubelong&0xFFFFfEfE 0
+# test for MDX flag
+>>>>>>>>>28 ubyte x
+>>>>>>>>>28 ubyte&0xf8 0
+# header size >= 32
+>>>>>>>>>>8 uleshort >31
+# skip PIC15736.PCX by test for language driver name or field name
+>>>>>>>>>>>32 ubyte >0
+#!:mime application/x-dbf; charset=unknown-8bit ??
+#!:mime application/x-dbase
+>>>>>>>>>>>>0 use xbase-type
+# database file
+>>>>>>>>>>>>28 ubyte&0x04 =0 \b DBF
+!:ext dbf
+>>>>>>>>>>>>28 ubyte&0x04 =4 \b DataBaseContainer
+!:ext dbc
+>>>>>>>>>>>>4 lelong 0 \b, no records
+>>>>>>>>>>>>4 lelong >0 \b, %d record
+# plural s appended
+>>>>>>>>>>>>>4 lelong >1 \bs
+# https://www.clicketyclick.dk/databases/xbase/format/dbf_check.html#CHECK_DBF
+# 1 <= record size <= 4000 (dBase 3,4) or 32 * KB (=0x8000)
+>>>>>>>>>>>>10 uleshort x * %d
+# file size = records * record size + header size
+>>>>>>>>>>>>1 ubyte x \b, update-date
+>>>>>>>>>>>>1 use xbase-date
+# https://msdn.microsoft.com/de-de/library/cc483186(v=vs.71).aspx
+#>>>>>>>>>>>>29 ubyte =0 \b, codepage ID=%#x
+# 2~cp850 , 3~cp1252 , 0x1b~?? ; what code page is 0x1b ?
+>>>>>>>>>>>>29 ubyte >0 \b, codepage ID=%#x
+#>>>>>>>>>>>>28 ubyte&0x01 0 \b, no index file
+# MDX or CDX index
+>>>>>>>>>>>>28 ubyte&0x01 1 \b, with index file .MDX
+>>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT
+#>>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer
+# 1st record offset + 1 = header size
+>>>>>>>>>>>>8 uleshort >0
+>>>>>>>>>>>>(8.s+1) ubyte >0
+>>>>>>>>>>>>>8 uleshort >0 \b, at offset %d
+>>>>>>>>>>>>>(8.s+1) ubyte >0
+>>>>>>>>>>>>>>&-1 string >\0 1st record "%s"
+# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)
+>>>>>>>24 ubelong&0x0133f7ff >0
+# test for reserved NULL byte
+>>>>>>>>47 ubyte 0
+# test for valid TAG key format (0x10 or 0)
+>>>>>>>>>559 ubyte&0xeF 0
+# test MM <= 12
+>>>>>>>>>>45 ubeshort <0x0C20
+>>>>>>>>>>>45 ubyte >0
+>>>>>>>>>>>>46 ubyte <32
+>>>>>>>>>>>>>46 ubyte >0
+#!:mime application/x-mdx
+>>>>>>>>>>>>>>0 use xbase-type
+>>>>>>>>>>>>>>0 ubyte x \b MDX
+>>>>>>>>>>>>>>1 ubyte x \b, creation-date
+>>>>>>>>>>>>>>1 use xbase-date
+>>>>>>>>>>>>>>44 ubyte x \b, update-date
+>>>>>>>>>>>>>>44 use xbase-date
+# No.of tags in use (1,2,5,12)
+>>>>>>>>>>>>>>28 uleshort x \b, %d
+# No. of entries in tag (0x30)
+>>>>>>>>>>>>>>25 ubyte x \b/%d tags
+# Length of tag
+>>>>>>>>>>>>>>26 ubyte x * %d
+# 1st tag name_
+>>>>>>>>>>>>>548 string x \b, 1st tag "%.11s"
+# 2nd tag name
+#>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s"
+#
+# Print the xBase names of different version variants
+0 name xbase-type
+>0 ubyte <2
+# 1 < version
+>0 ubyte >1
+>>0 ubyte 0x02 FoxBase
+!:mime application/x-dbf
+# like: ACCESS.DBF USER.DBF dbase3date.dbf mitarbei.dbf produkte.dbf umlaut-test-v2.dbf
+# FoxBase+/dBaseIII+, no memo
+>>0 ubyte 0x03 FoxBase+/dBase III
+!:mime application/x-dbf
+# like: 92DATA.DBF MSCATLOG.DBF SYLLABI2.DBF SYLLABUS.DBF T4.DBF Teleadr.dbf us_city.dbf
+# dBASE IV no memo file
+>>0 ubyte 0x04 dBase IV
+!:mime application/x-dbf
+# like: Quattro-test11.dbf umlaut-test-v4.dbf
+# dBASE V no memo file
+>>0 ubyte 0x05 dBase V
+!:mime application/x-dbf
+# like: dbase4double.dbf Quattro-test2.dbf umlaut-test7.dbf
+!:ext dbf
+# probably Apollo Database Server 9.7? xBase (0x6)
+>>0 ubyte 0x06 Apollo
+!:mime application/x-dbf
+# like: ALIAS.DBF CRYPT.DBF PROCS.DBF USERS.DBF
+# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
+>>0 ubyte 0x2F FoxBase+/Dbase III plus, no memo
+!:mime application/x-dbf
+# no example
+>>0 ubyte 0x30 Visual FoxPro
+!:mime application/x-dbf
+# like: 26FRX.DBF 30DBC.DBF 30DBCPRO.DBF BEHINDSC.DBF USER_LEV.DBF
+# Microsoft Visual FoxPro Database Container File like: FOXPRO-DB-TEST.DBC TESTDATA.DBC TASTRADE.DBC
+>>0 ubyte 0x31 Visual FoxPro, autoincrement
+!:mime application/x-dbf
+# like: AI_Table.DBF dbase_31.dbf w_cityFoxpro.dbf
+# Visual FoxPro, with field type Varchar or Varbinary
+>>0 ubyte 0x32 Visual FoxPro, with field type Varchar
+!:mime application/x-dbf
+# like: dbase_32.dbf
+# dBASE IV SQL, no memo;dbv memo var size (Flagship)
+>>0 ubyte 0x43 dBase IV, with SQL table
+!:mime application/x-dbf
+# like: ASSEMBLY.DBF INVENTRY.DBF STAFF.DBF
+# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
+>>0 ubyte 0x62 dBase IV, with SQL table
+#!:mime application/x-dbf
+# no example
+# dBASE IV, with memo!!
+>>0 ubyte 0x7b dBase IV, with memo
+!:mime application/x-dbf
+# like: test3memo.DBF dbase5.DBF
+# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
+>>0 ubyte 0x82 dBase IV, with SQL system
+#!:mime application/x-dbf
+# no example
+# FoxBase+/dBaseIII+ with memo .DBT!
+>>0 ubyte 0x83 FoxBase+/dBase III, with memo .DBT
+!:mime application/x-dbf
+# like: T2.DBF t3.DBF biblio.dbf dbase_83.dbf dbase3dbt0_4.dbf fsadress.dbf stop.dbf
+# VISUAL OBJECTS (first 1.0 versions) for the Dbase III files (NTX clipper driver); memo file
+>>0 ubyte 0x87 VISUAL OBJECTS, with memo file
+!:mime application/x-dbf
+# like: ACCESS.DBF dbase3date.dbf dbase3float.dbf holdings.dbf mitarbei.dbf
+# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
+>>0 ubyte 0x8A FoxBase+/dBase III, with memo .DBT
+#!:mime application/x-dbf
+# no example
+# dBASE IV with memo!
+>>0 ubyte 0x8B dBase IV, with memo .DBT
+!:mime application/x-dbf
+# like: animals.dbf archive.dbf callin.dbf dbase_8b.dbf phnebook.dbf t6.dbf
+# dBase IV with SQL Table,no memo?
+>>0 ubyte 0x8E dBase IV, with SQL table
+!:mime application/x-dbf
+# like: dbase5.DBF test3memo.DBF test-memo.DBF
+# .dbv and .dbt memo (Flagship)?
+>>0 ubyte 0xB3 Flagship
+!:mime application/x-dbf
+# no example
+# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
+>>0 ubyte 0xCA dBase IV with memo .DBT
+#!:mime application/x-dbf
+# no example
+# dBASE IV with SQL table, with memo .DBT
+>>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT
+!:mime application/x-dbf
+# like: dbase5.DBF test3memo.DBF test-memo.DBF
+# HiPer-Six format;Clipper SIX, with SMT memo file
+>>0 ubyte 0xE5 Clipper SIX with memo
+!:mime application/x-dbf
+# like: dbase5.DBF test3memo.DBF test-memo.DBF testClipper.dbf DATA.DBF
+# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
+>>0 ubyte 0xF4 dBase IV, with SQL table, with memo
+#!:mime application/x-dbf
+# no example
+>>0 ubyte 0xF5 FoxPro with memo
+!:mime application/x-dbf
+# like: CUSTOMER.DBF FOXUSER1.DBF Invoice.DBF NG.DBF OBJSAMP.DBF dbase_f5.dbf kunde.dbf
+# probably Apollo Database Server 9.7 with SQL and memo mask? xBase (0xF6)
+>>0 ubyte 0xF6 Apollo, with SQL table with memo
+!:mime application/x-dbf
+# like: SCRIPTS.DBF
+# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
+#>>0 ubyte 0xFA FoxPro 2.x, with memo
+#!:mime application/x-dbf
+# no example
+# unknown version (should not happen)
+>>0 default x xBase
+!:mime application/x-dbf
+>>>0 ubyte x (%#x)
+# flags in version byte
+# DBT flag (with dBASE III memo .DBT)!!
+# >>0 ubyte&0x80 >0 DBT_FLAG=%x
+# memo flag ??
+# >>0 ubyte&0x08 >0 MEMO_FLAG=%x
+# SQL flag ??
+# >>0 ubyte&0x70 >0 SQL_FLAG=%x
+# test and print the date of xBase .DBF .MDX
+0 name xbase-date
+# inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
+>0 ubelong x
+>1 ubyte <13
+>>1 ubyte >0
+>>>2 ubyte >0
+>>>>2 ubyte <32
+>>>>>0 ubyte x
+# YY is interpreted as 20YY or 19YY
+>>>>>>0 ubyte <100 \b %.2d
+# YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY
+>>>>>>0 ubyte >99 \b %d
+>>>>>1 ubyte x \b-%d
+>>>>>2 ubyte x \b-%d
+
+# dBase memo files .DBT or .FPT
+# https://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx
+16 ubyte <4
+>16 ubyte !2
+>>16 ubyte !1
+# next free block index is positive
+>>>0 ulelong >0
+# skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size
+>>>>17 ubelong&0xFFfdFEff 0x00000000
+# skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h
+>>>>>20 ubelong&0xFF01209B 0x00000000
+# dBASE III
+>>>>>>16 ubyte 3
+# skip with invalid "low" 1st item "\0\0\0\0" StateRepository-Deployment.srd-shm "\001\010\0\0" gcry_cast5.mod
+>>>>>>>512 ubyte >040
+# skip with valid 1st item "rintf" keylayouts.mod
+# by looking for valid terminating character Ctrl-Z like in test.dbt
+>>>>>>>>513 search/3308 \032
+# skip GRUB plan9.mod with invalid second terminating character 007
+# by checking second terminating character Ctrl-Z like in test.dbt
+>>>>>>>>>&0 ubyte 032
+# dBASE III DBT with two Ctr-Z terminating characters
+>>>>>>>>>>0 use dbase3-memo-print
+# second terminating character \0 like in dbase-memo.dbt or GRUB nativedisk.mod
+>>>>>>>>>&0 ubyte 0
+# skip GRUB nativedisk.mod with grub_mod_init\0grub_mod_fini\0grub_fs_autoload_hook\0
+>>>>>>>>>>0x1ad string !grub_mod_init
+# like dbase-memo.dbt
+>>>>>>>>>>>0 use dbase3-memo-print
+# dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage
+>>>>>>16 ubyte 0
+# unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF
+>>>>>>>20 uleshort 0
+# FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage
+>>>>>>>>8 ulong =0
+>>>>>>>>>6 ubeshort >0
+# skip emacs.PIF
+>>>>>>>>>>4 ushort 0
+# check for valid FoxPro field type
+>>>>>>>>>>>512 ubelong <3
+# skip LXMDCLN4.OUT LXMDCLN6.OUT LXMDALG6.OUT with invalid blocksize 170=AAh
+>>>>>>>>>>>>6 ubeshort&0x002f 0
+>>>>>>>>>>>>>0 use foxpro-memo-print
+# dBASE III DBT , garbage
+# skip WORD1XW.DOC with improbably high free block index
+>>>>>>>>>0 ulelong <0x400000
+# skip WinStore.App.exe by looking for printable 2nd character of 1st memo item
+>>>>>>>>>>513 ubyte >037
+# skip DOS executables CPQ0TD.DRV E30ODI.COM IBM0MONO.DRV by looking for printable 1st character of 1st memo item
+>>>>>>>>>>>512 ubyte >037
+# skip few (14/758) Microsoft Event Trace Logs (boot_BASE+CSWITCH_1.etl DlTel-Merge.etl UpdateUx.006.etl) with invalid "high" 1st item \377\377
+>>>>>>>>>>>>512 ubyte <0377
+# skip some Commodore 64 Art Studio (Deep_Strike.aas dragon's_lair_ii.aas), some Atari DEGAS Elite bitmap (ELEPHANT.PC3 ST.PC2)
+# some probably old GRUB modules (part_sun.mod) and virtual-boy-wario-land.vb.
+# by looking for valid terminating character Ctrl-Z
+>>>>>>>>>>>>>513 search/523 \032
+# Atari DEGAS bitmap ST.PC2 with 0370 as second terminating character
+#>>>>>>>>>>>>>>&0 ubyte x 2ND_CHAR_IS=%o
+# dBASE III DBT with two Ctr-Z terminating characters like dbase3dbt0_1.dbt dbase_83.dbt
+>>>>>>>>>>>>>>&0 ubyte 032
+>>>>>>>>>>>>>>>0 use dbase3-memo-print
+# second terminating character \0 like in pcidump.mod or fsadress.dbt umlaut-dbf-cmd.dbt
+>>>>>>>>>>>>>>&0 ubyte 0
+# look for old GRUB module pcidump.mod with specific content "pcidump\0Show raw dump of the PCI configuration space"
+>>>>>>>>>>>>>>>514 search/0x11E pcidump\0Show
+# dBASE III DBT with Ctr-Z + \0 terminating characters like fsadress.dbt
+>>>>>>>>>>>>>>>514 default x
+# unusual dBASE III DBT like fsadress.dbt umlaut-dbf-cmd.dbt
+>>>>>>>>>>>>>>>>0 use dbase3-memo-print
+# dBASE III DBT like angest.dbt, or garbage PCX DBF
+>>>>>>>>8 ubelong !0
+# skip PCX and some DBF by test for for reserved NULL bytes
+>>>>>>>>>510 ubeshort 0
+# skip bad symples with improbably high free block index above 2 GiB file limit
+>>>>>>>>>>0 ulelong <0x400000
+# skip AI070GEP.EPS by printable 1st character of 1st memo item
+>>>>>>>>>>>512 ubyte >037
+# skip some Microsoft Visual C, OMF library like: BZ2.LIB WATTCPWL.LIB ZLIB.LIB
+>>>>>>>>>>>>512 ubyte <0200
+# skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character
+>>>>>>>>>>>>>513 ubyte >037
+# skip few (8/758) Microsoft Event Trace Logs (WBEngine.3.etl Wifi.etl) with valid 1st item like
+# "9600.20369.amd64fre.winblue_ltsb_escrow.220427-1727"
+# "9600.19846.amd64fre.winblue_ltsb_escrow.200923-1735"
+# "10586.494.amd64fre.th2_release_sec.160630-1736"
+# by looking for valid terminating character Ctrl-Z
+>>>>>>>>>>>>>>513 search/0x11E \032
+# followed by second character Ctrl-Z implies typical DBT
+>>>>>>>>>>>>>>>&0 ubyte 032
+# examples like: angest.dbt
+>>>>>>>>>>>>>>>>0 use dbase3-memo-print
+>>>>>>>>>>>>>>>&0 ubyte 0
+# no example found here with terminating sequence CTRL-Z + \0
+>>>>>>>>>>>>>>>>0 use dbase3-memo-print
+# dBASE IV DBT with positive block size
+>>>>>>>20 uleshort >0
+# dBASE IV DBT with valid block length like 512, 1024
+# multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero
+# skip also 3600h 3E00h size
+>>>>>>>>20 uleshort&0xE00f 0
+>>>>>>>>>0 use dbase4-memo-print
+
+# Print the information of dBase III DBT memo file
+0 name dbase3-memo-print
+>0 ubyte x dBase III DBT
+!:mime application/x-dbt
+!:ext dbt
+# instead 3 as version number 0 for unusual examples like biblio.dbt
+>16 ubyte !3 \b, version number %u
+# Number of next available block for appending data
+#>0 lelong =0 \b, next free block index %u
+>0 lelong !0 \b, next free block index %u
+# no positive block length
+#>20 uleshort =0 \b, block length %u
+>20 uleshort !0 \b, block length %u
+# dBase III memo field terminated often by \032\032
+# like: "WHAT IS XBASE" test.dbt "Borges, Malte" biblio.dbt "First memo\032\032" T2.DBT
+>512 string >\0 \b, 1st item "%s"
+# For DEBUGGING
+#>512 ubelong x \b, 1ST item %#8.8x
+#>513 search/0x225 \032 FOUND_TERMINATOR
+#>>&0 ubyte 032 2xCTRL_Z
+# fsadress.dbt has 1 Ctrl-Z terminator followed by nil byte
+#>>&0 ubyte 0 1xCTRL_Z
+
+# https://www.clicketyclick.dk/databases/xbase/format/dbt.html
+# Print the information of dBase IV DBT memo file
+0 name dbase4-memo-print
+>0 lelong x dBase IV DBT
+!:mime application/x-dbt
+!:ext dbt
+# 8 character shorted main name of corresponding dBASE IV DBF file
+>8 ubelong >0x20000000
+# skip unusual like for angest.dbt
+>>20 uleshort >0
+>>>8 string >\0 \b of %-.8s.DBF
+# value 0 implies 512 as size
+#>4 ulelong =0 \b, blocks size %u
+# size of blocks not reliable like 0x2020204C in angest.dbt
+>4 ulelong !0
+>>4 ulelong&0x0000003f 0 \b, blocks size %u
+# dBase IV DBT with positive block length (found 512 , 1024)
+>20 uleshort >0 \b, block length %u
+# next available block
+#>0 lelong =0 \b, next free block index %u
+>0 lelong !0 \b, next free block index %u
+>20 uleshort >0
+>>(20.s) ubelong x
+>>>&-4 use dbase4-memofield-print
+# unusual dBase IV DBT without block length (implies 512 as length)
+>20 uleshort =0
+>>512 ubelong x
+>>>&-4 use dbase4-memofield-print
+# Print the information of dBase IV memo field
+0 name dbase4-memofield-print
+# free dBase IV memo field
+>0 ubelong !0xFFFF0800
+>>0 lelong x \b, next free block %u
+>>4 lelong x \b, next used block %u
+# used dBase IV memo field
+>0 ubelong =0xFFFF0800
+# length of memo field
+>>4 lelong x \b, field length %d
+>>>8 string >\0 \b, 1st used item "%s"
+# http://www.dbfree.org/webdocs/1-documentation/0018-developers_stuff_(advanced)/os_related_stuff/xbase_file_format.htm
+# Print the information of FoxPro FPT memo file
+0 name foxpro-memo-print
+>0 belong x FoxPro FPT
+!:mime application/x-fpt
+!:ext fpt
+# Size of blocks for FoxPro ( 64,256 ); probably a multiple of two
+>6 ubeshort x \b, blocks size %u
+# next available block
+#>0 belong =0 \b, next free block index %u
+>0 belong !0 \b, next free block index %u
+# field type ( 0~picture, 1~memo, 2~object )
+>512 ubelong <3 \b, field type %u
+# length of memo field
+>512 ubelong 1
+>>516 belong >0 \b, field length %d
+>>>520 string >\0 \b, 1st item "%s"
+
+# Summary: DBASE Compound Index file *.CDX and FoxPro index *.IDX
+# From: Joerg Jenderek
+# URL: https://www.clicketyclick.dk/databases/xbase/format/cdx.html
+# https://www.clicketyclick.dk/databases/xbase/format/idx.html
+# https://www.clicketyclick.dk/databases/xbase/format/idx_comp.html
+# Reference: https://mark0.net/download/triddefs_xml.7z/defs/s/sybase-ianywhere-cdx.trid.xml
+# https://mark0.net/download/triddefs_xml.7z/defs/c/cdx-vfp7.trid.xml
+# like: kunde.cdx
+0 ulelong 0x1C00
+>0 use xbase-index
+# like: SYLLABI2.CDX SYLLABUS.CDX
+0 ulelong 0x0800
+>0 use xbase-index
+# often in xBase index pointer to root node 400h
+0 ulelong 0x0400
+# skip most Maple help database *.hdb with version tag handled by ./maple
+>1028 string !version
+# skip Maple help database hsum.hdb checking for valid reserved area
+>>492 quad =0
+# skip remaining Maple help database *.hdb by checking key length
+#>>>12 uleshort !0x000F KEY_LENGTHVALID
+>>>0 use xbase-index
+# display information about dBase/FoxPro index
+0 name xbase-index
+>0 ulelong x xBase
+!:mime application/x-dbase-index
+>14 ubyte &0x40 compound index
+# DCX for FoxPro database index like: TESTDATA.DCX
+!:ext cdx/dcx
+>14 ubyte ^0x40 index
+# only 1 example like: TEST.IDX
+!:ext idx
+# pointer to root node like: 1C00h 800h often 400h
+>0 ulelong !0x400 \b, root pointer %#x
+# Pointer to free node list: often 0 but -1 if not present
+>4 ulelong !0 \b, free node pointer %#x
+# MAYBE number of pages in file (Foxbase, FoxPro 1.x) or
+# http://www.foxpert.com/foxpro/knowlbits/files/knowlbits_200708_1.HTM
+# Whenever Visual FoxPro updates the index file it increments this reserved field
+# Reserved for internal use like: 02000000h 03000000h 460c0000h 780f0000h 89000000h 9fdc0100h often 0
+>8 ulelong !0 \b, reserved counter %#x
+# length of key like: mostly 000Ah 0028h (TEST.IDX)
+>12 uleshort !0x000A \b, key length %#x
+# index options like: 24h E0h E8h
+# 1~a unique index 8~index has FOR clause 32~compact index format 64~compound index header
+# 16~Bit vector (SoftC) 128~Structure index (FoxPro)
+>14 ubyte x \b, index options (%#x
+>14 ubyte &0x01 \b, unique
+>14 ubyte &0x08 \b, has FOR clause
+>14 ubyte &0x10 \b, bit vector (SoftC)
+>14 ubyte &0x20 \b, compact format
+#>14 ubyte &0x40 \b, compound header
+>14 ubyte &0x80 \b, structure
+>14 ubyte x \b)
+# WHAT EXACTLY IS THAT? index signature like: 0 (sybase-ianywhere-cdx.trid.xml) 1 (cdx-vfp7.trid.xml)
+>15 ubyte !0 \b, index signature %u
+# reserved area (0-bytes) til about 500, but not for uncompressed Index files *.idx
+>16 quad !0 \b, at 16 reserved %#llx
+>492 quad !0 \b, at 492 reserved %#llx
+# for IDX variant
+#>14 ubyte ^0x40 IDX
+# for CDX variant
+>14 ubyte &0x40
+# Ascending or descending: 0~ascending 1~descending
+>>502 uleshort x \b, sort order %u
+# Total expression length (FoxPro 2) like: 0 1
+>>504 uleshort !0 \b, expression length %u
+# FOR expression pool length like: 1
+>>506 uleshort !1 \b, FOR expression pool length %#x
+# reserved for internal use like: 0
+>>508 uleshort !0 \b, at 0x508 reserved %#x
+# Key expression pool length like: 1
+>>510 uleshort !1 \b, key expression pool length %#x
+# 512 - 1023 Key & FOR expression pool (uncompiled)
+>>512 quad !0 \b, key expression pool %#llx
+#>>520 quad !0 \b, key expression pool %#llx
+
+# Summary: dBASE IV Printer Form *.PRF
+# From: Joerg Jenderek
+# URL: https://en.wikipedia.org/wiki/.dbf#Other_file_types_found_in_dBASE
+# Reference: https://mark0.net/download/triddefs_xml.7z/defs/p/prf-dbase.trid.xml
+0 ubeshort 0x0400
+# skip some Xbase Index files *.ndx and Infocom (Z-machine 4) *.z4 handled by ./adventure
+# by looking for valid printer driver name extension
+>0x58 search/8 .PR2
+>>0 use xbase-prf
+# display information of dbase print form like printer driver *.PR2
+0 name xbase-prf dBase Printer Form
+!:mime application/x-dbase-prf
+!:ext prf
+# MAYBE version? like: 4~DBASE IV
+#>0 ubyte x \b, version %u
+# MAYBE flag like: 1~with output file name 0~not
+#>2 ubyte !0 \b, flag %u
+# optional printer text output file name like E:\DBASE\IV\T6.txt
+>3 string >\0 \b, output file %s
+# probably padding with nils til 0x53
+#>0x48 uquad !0 \b, at 0x48 padding %#llx
+# dBASE IV printer driver name like: Generic.PR2 ASCII.PR2
+>0x56 string >\0 \b, using printer driver %s
+# 2 is probably last character of previous dBASE printer driver name
+#>0x60 ubyte !0x32 \b, at 0x60 %#x
+# probably padding with nils til 0xa8
+#>0x61 uquad !0 \b, at 0x61 padding %#llx
+# unknown 0x03020300 0x03020100 at 0xa8
+>0xa8 ubelong x \b, at 0xa8 unknown %#8.8x
+# probably padding with nils til 0x2aa
+#>0x2a0 uquad !0 \b, at 0x2a0 padding %#llx
+# unknown 0x100ff7f01000001 at 0x2AB
+>0x2ab ubequad !0x100ff7f01000001 \b, at 0x2ab unknown %#llx
+# unknown 0x0042 at 0x2b3
+>0x2b3 ubeshort !0x0042 \b, at 0x2b3 unknown %#4.4x
+# unknown last 4 bytes at 0x2b6 like: 0 0x23
+>0x2b6 ubelong !0 \b, at 0x2b6 unknown %#8.8x
+
+# TODO:
+# DBASE index file *.NDX
+# dBASE compiled Format *.FMO
+# FoxPro Database memo file *.DCT
+# FoxPro Forms Memo *.SCT
+# FoxPro Generated Menu Program *.MPR
+# FoxPro Report *.FRX
+# FoxPro Report Memo *.FRT
+# Foxpro Generated Screen Program *.SPR
+# Foxpro memo *.PJT
+## End of XBase database stuff
+
+# MS Access database
+4 string Standard\ Jet\ DB Microsoft Access Database
+!:mime application/x-msaccess
+4 string Standard\ ACE\ DB Microsoft Access Database
+!:mime application/x-msaccess
+
+# From: Joerg Jenderek
+# URL: http://fileformats.archiveteam.org/wiki/Extensible_Storage_Engine
+# Reference: https://github.com/libyal/libesedb/archive/master.zip
+# libesedb-master/documentation/
+# Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc
+# Note: also known as "JET Blue". Used by numerous Windows components such as
+# Windows Search, Mail, Exchange and Active Directory.
+4 ubelong 0xefcdab89
+# unknown1
+>132 ubelong 0 Extensible storage engine
+!:mime application/x-ms-ese
+# file_type 0~database 1~stream
+>>12 ulelong 0 DataBase
+# Security DataBase (sdb)
+!:ext edb/sdb
+>>12 ulelong 1 STreaMing
+!:ext stm
+# format_version 620h
+>>8 uleshort x \b, version %#x
+>>10 uleshort >0 revision %#4.4x
+>>0 ubelong x \b, checksum %#8.8x
+# Page size 4096 8192 32768
+>>236 ulequad x \b, page size %lld
+# database_state
+>>52 ulelong 1 \b, JustCreated
+>>52 ulelong 2 \b, DirtyShutdown
+#>>52 ulelong 3 \b, CleanShutdown
+>>52 ulelong 4 \b, BeingConverted
+>>52 ulelong 5 \b, ForceDetach
+# Windows NT major version when the databases indexes were updated.
+>>216 ulelong x \b, Windows version %d
+# Windows NT minor version
+>>220 ulelong x \b.%d
+
+# From: Joerg Jenderek
+# URL: https://forensicswiki.org/wiki/Windows_Application_Compatibility
+# Note: files contain application compatibility fixes, application compatibility modes and application help messages.
+8 string sdbf
+>7 ubyte 0
+# TAG_TYPE_LIST+TAG_INDEXES
+>>12 uleshort 0x7802 Windows application compatibility Shim DataBase
+# version? 2 3
+#>>>0 ulelong x \b, version %d
+!:mime application/x-ms-sdb
+!:ext sdb
+
+# TDB database from Samba et al - Martin Pool <mbp@samba.org>
+0 string TDB\ file TDB database
+>32 lelong 0x2601196D version 6, little-endian
+>>36 lelong x hash size %d bytes
+
+# SE Linux policy database
+0 lelong 0xf97cff8c SE Linux policy
+>16 lelong x v%d
+>20 lelong 1 MLS
+>24 lelong x %d symbols
+>28 lelong x %d ocons
+
+# ICE authority file data (Wolfram Kleff)
+2 string ICE ICE authority data
+
+# X11 Xauthority file (Wolfram Kleff)
+10 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
+11 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
+12 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
+13 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
+14 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
+15 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
+16 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
+17 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
+18 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
+
+# From: Maxime Henrion <mux@FreeBSD.org>
+# PostgreSQL's custom dump format, Maxime Henrion <mux@FreeBSD.org>
+0 string PGDMP PostgreSQL custom database dump
+>5 byte x - v%d
+>6 byte x \b.%d
+>5 beshort <0x101 \b-0
+>5 beshort >0x100
+>>7 byte x \b-%d
+
+# Type: Advanced Data Format (ADF) database
+# URL: https://www.grc.nasa.gov/WWW/cgns/adf/
+# From: Nicolas Chauvat <nicolas.chauvat@logilab.fr>
+0 string @(#)ADF\ Database CGNS Advanced Data Format
+
+# Tokyo Cabinet magic data
+# http://tokyocabinet.sourceforge.net/index.html
+0 string ToKyO\ CaBiNeT\n Tokyo Cabinet
+>14 string x \b (%s)
+>32 byte 0 \b, Hash
+!:mime application/x-tokyocabinet-hash
+>32 byte 1 \b, B+ tree
+!:mime application/x-tokyocabinet-btree
+>32 byte 2 \b, Fixed-length
+!:mime application/x-tokyocabinet-fixed
+>32 byte 3 \b, Table
+!:mime application/x-tokyocabinet-table
+>33 byte &1 \b, [open]
+>33 byte &2 \b, [fatal]
+>34 byte x \b, apow=%d
+>35 byte x \b, fpow=%d
+>36 byte &0x01 \b, [large]
+>36 byte &0x02 \b, [deflate]
+>36 byte &0x04 \b, [bzip]
+>36 byte &0x08 \b, [tcbs]
+>36 byte &0x10 \b, [excodec]
+>40 lequad x \b, bnum=%lld
+>48 lequad x \b, rnum=%lld
+>56 lequad x \b, fsiz=%lld
+
+# Type: QDBM Quick Database Manager
+# From: Benoit Sibaud <bsibaud@april.org>
+0 string \\[depot\\]\n\f Quick Database Manager, little endian
+0 string \\[DEPOT\\]\n\f Quick Database Manager, big endian
+
+# Type: TokyoCabinet database
+# URL: http://tokyocabinet.sourceforge.net/
+# From: Benoit Sibaud <bsibaud@april.org>
+0 string ToKyO\ CaBiNeT\n TokyoCabinet database
+>14 string x (version %s)
+
+# From: Stephane Blondon https://www.yaal.fr
+# Database file for Zope (done by FileStorage)
+0 string FS21 Zope Object Database File Storage v3 (data)
+0 string FS30 Zope Object Database File Storage v4 (data)
+
+# Cache file for the database of Zope (done by ClientStorage)
+0 string ZEC3 Zope Object Database Client Cache File (data)
+
+# IDA (Interactive Disassembler) database
+0 string IDA1 IDA (Interactive Disassembler) database
+
+# Hopper (reverse engineering tool) https://www.hopperapp.com/
+0 string hopperdb Hopper database
+
+# URL: https://en.wikipedia.org/wiki/Panorama_(database_engine)
+# Reference: http://www.provue.com/Panorama/
+# From: Joerg Jenderek
+# NOTE: test only versions 4 and 6.0 with Windows
+# length of Panorama database name
+5 ubyte >0
+# look after database name for "some" null bits
+>(5.B+7) ubelong&0xF3ffF000 0
+# look for first keyword
+>>&1 search/2 DESIGN Panorama database
+#!:mime application/x-panorama-database
+!:apple KASXZEPD
+!:ext pan
+# database name
+>>>5 pstring x \b, "%s"
+
+#
+#
+# askSam Database by Stefan A. Haubenthal <polluks@web.de>
+0 string askw40\0 askSam DB
+
+#
+#
+# MUIbase Database Tool by Stefan A. Haubenthal <polluks@web.de>
+0 string MBSTV\040 MUIbase DB
+>6 string x version %s
+
+#
+# CDB database
+0 string NBCDB\012 NetBSD Constant Database
+>7 byte x \b, version %d
+>8 string x \b, for '%s'
+>24 lelong x \b, datasize %d
+>28 lelong x \b, entries %d
+>32 lelong x \b, index %d
+>36 lelong x \b, seed %#x
+
+#
+# Redis RDB - https://redis.io/topics/persistence
+0 string REDIS Redis RDB file,
+>5 regex [0-9][0-9][0-9][0-9] version %s
+
+# Mork database.
+# Used by older versions of Mozilla Suite and Firefox,
+# and current versions of Thunderbird.
+# From: David Korth <gerbilsoft@gerbilsoft.com>
+0 string //\ <!--\ <mdb:mork:z\ v=" Mozilla Mork database
+>23 string x \b, version %.3s
+
+# URL: https://en.wikipedia.org/wiki/Management_Information_Format
+# Reference: https://www.dmtf.org/sites/default/files/standards/documents/DSP0005.pdf
+# From: Joerg Jenderek
+# Note: only tested with monitor asset reports of Dell Display Manager
+# skip start like Language=fr|CA|iso8859-1
+0 search/27/C Start\040Component DMI Management Information Format
+#!:mime text/plain
+!:mime text/x-dmtf-mif
+!:ext mif + |
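Review bot: The rule `2 string ICE ICE authority data` identifies a file from three bytes at offset 2 with no follow-up test, so any file that happens to carry "ICE" there is reported as ICE authority data; anything that uses file(1) output to triage evidence or to filter uploads inherits that false positive. The file already flags the disabled Paradox entry with `# XXX: Weak magic.`; the ICE rule deserves the same comment plus a lowered `!:strength` or a second test on a real field of the format. Separately, `0 string ToKyO\ CaBiNeT\n` is defined twice, once in the "Tokyo Cabinet magic data" block with `!:mime` lines and again in the later "TokyoCabinet database" block without any, so the later rule is redundant and only contributes a second, MIME-less description when `-k` is used. This looks like an import of the upstream file(1) magic, so both points may be better raised upstream than patched locally.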