diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs
index 613e82b2..afb4b6e0 100644
--- a/src/core/lib/FileSignatures.mjs
+++ b/src/core/lib/FileSignatures.mjs
@@ -241,6 +241,28 @@ export const FILE_SIGNATURES = {
],
extractor: null
},
+ {
+ name: "The GIMP image",
+ extension: "xcf",
+ mime: "image/x-xcf",
+ description: "",
+ signature: {
+ 0: 0x67, // gimp xcf
+ 1: 0x69,
+ 2: 0x6d,
+ 3: 0x70,
+ 4: 0x20,
+ 5: 0x78,
+ 6: 0x63,
+ 7: 0x66,
+ 8: 0x20,
+ 9: [0x66, 0x76],
+ 10: [0x69, 0x30],
+ 11: [0x6c, 0x30],
+ 12: [0x65, 0x31, 0x32, 0x33]
+ },
+ extractor: null
+ },
{
name: "Icon image",
extension: "ico",
@@ -363,10 +385,40 @@ export const FILE_SIGNATURES = {
3: 0x00
},
extractor: null
+ },
+ {
+ name: "Joint Photographic Experts Group image (under Base64)",
+ extension: "B64",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x2f,
+ 1: 0x39,
+ 2: 0x6a,
+ 3: 0x2f,
+ 4: 0x34
+ },
+ extractor: null
+ },
+ {
+ name: "Portable Network Graphics image (under Base64)",
+ extension: "B64",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x69,
+ 1: 0x56,
+ 2: 0x42,
+ 3: 0x4f,
+ 4: 0x52,
+ 5: 0x77,
+ 6: 0x30
+ },
+ extractor: null
}
],
"Video": [
- { // Place before webm
+ {
name: "Matroska Multimedia Container",
extension: "mkv",
mime: "video/x-matroska",
@@ -392,7 +444,28 @@ export const FILE_SIGNATURES = {
0: 0x1a,
1: 0x45,
2: 0xdf,
- 3: 0xa3
+ 3: 0xa3,
+ 4: 0x01,
+ 5: 0x00,
+ 6: 0x00,
+ 7: 0x00
+ },
+ extractor: null
+ },
+ { // Place before MPEG-4
+ name: "Flash MP4 video",
+ extension: "f4v",
+ mime: "video/mp4",
+ description: "",
+ signature: {
+ 4: 0x66,
+ 5: 0x74,
+ 6: 0x79,
+ 7: 0x70,
+ 8: [0x66, 0x46],
+ 9: 0x34,
+ 10: [0x76, 0x56],
+ 11: 0x20
},
extractor: null
},
@@ -766,6 +839,41 @@ export const FILE_SIGNATURES = {
},
extractor: extractPDF
},
+ {
+ name: "Portable Document Format (under Base64)",
+ extension: "B64",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x41,
+ 1: 0x4a,
+ 2: 0x56,
+ 3: 0x42,
+ 4: 0x45,
+ 5: 0x52,
+ 6: 0x69
+ },
+ extractor: null
+ },
+ { // Place before PostScript
+ name: "Adobe PostScript",
+ extension: "ps,eps,ai,pfa",
+ mime: "application/postscript",
+ description: "",
+ signature: {
+ 0: 0x25,
+ 1: 0x21,
+ 2: 0x50,
+ 3: 0x53,
+ 4: 0x2d,
+ 5: 0x41,
+ 6: 0x64,
+ 7: 0x6f,
+ 8: 0x62,
+ 9: 0x65
+ },
+ extractor: null
+ },
{
name: "PostScript",
extension: "ps",
@@ -792,7 +900,7 @@ export const FILE_SIGNATURES = {
extractor: extractRTF
},
{
- name: "Microsoft Office documents/OLE2",
+ name: "Microsoft Office document/OLE2",
extension: "ole2,doc,xls,dot,ppt,xla,ppa,pps,pot,msi,sdw,db,vsd,msg",
mime: "application/msword,application/vnd.ms-excel,application/vnd.ms-powerpoint",
description: "Microsoft Office documents",
@@ -809,7 +917,24 @@ export const FILE_SIGNATURES = {
extractor: null
},
{
- name: "Microsoft Office 2007+ documents",
+ name: "Microsoft Office document/OLE2 (under Base64)",
+ extension: "B64",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x30,
+ 1: 0x4d,
+ 2: 0x38,
+ 3: 0x52,
+ 4: 0x34,
+ 5: 0x4b,
+ 6: 0x47,
+ 7: 0x78
+ },
+ extractor: null
+ },
+ {
+ name: "Microsoft Office 2007+ document",
extension: "docx,xlsx,pptx",
mime: "application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.openxmlformats-officedocument.presentationml.presentation",
description: "",
@@ -828,6 +953,131 @@ export const FILE_SIGNATURES = {
},
extractor: extractZIP
},
+ {
+ name: "Microsoft Access database",
+ extension: "mdb,mda,mde,mdt,fdb,psa",
+ mime: "application/msaccess",
+ description: "",
+ signature: {
+ 0: 0x00,
+ 1: 0x01,
+ 2: 0x00,
+ 3: 0x00,
+ 4: 0x53, // Standard Jet
+ 5: 0x74,
+ 6: 0x61,
+ 7: 0x6e,
+ 8: 0x64,
+ 9: 0x61,
+ 10: 0x72,
+ 11: 0x64,
+ 12: 0x20,
+ 13: 0x4a,
+ 14: 0x65,
+ 15: 0x74
+ },
+ extractor: null
+ },
+ {
+ name: "Microsoft Access 2007+ database",
+ extension: "accdb,accde,accda,accdu",
+ mime: "application/msaccess",
+ description: "",
+ signature: {
+ 0: 0x00,
+ 1: 0x01,
+ 2: 0x00,
+ 3: 0x00,
+ 4: 0x53, // Standard ACE DB
+ 5: 0x74,
+ 6: 0x61,
+ 7: 0x6e,
+ 8: 0x64,
+ 9: 0x61,
+ 10: 0x72,
+ 11: 0x64,
+ 12: 0x20,
+ 13: 0x41,
+ 14: 0x43,
+ 15: 0x45,
+ 16: 0x20
+ },
+ extractor: null
+ },
+ {
+ name: "Microsoft OneNote document",
+ extension: "one",
+ mime: "application/onenote",
+ description: "",
+ signature: {
+ 0: 0xe4,
+ 1: 0x52,
+ 2: 0x5c,
+ 3: 0x7b,
+ 4: 0x8c,
+ 5: 0xd8,
+ 6: 0xa7,
+ 7: 0x4d,
+ 8: 0xae,
+ 9: 0xb1,
+ 10: 0x53,
+ 11: 0x78,
+ 12: 0xd0,
+ 13: 0x29,
+ 14: 0x96,
+ 15: 0xd3
+ },
+ extractor: null
+ },
+ {
+ name: "Outlook Express database",
+ extension: "dbx",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0xcf,
+ 1: 0xad,
+ 2: 0x12,
+ 3: 0xfe,
+ 4: [0x30, 0xc5, 0xc6, 0xc7],
+ 11: 0x11
+ },
+ extractor: null
+ },
+ {
+ name: "Personal Storage Table (Outlook)",
+ extension: "pst,ost,fdb,pab",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x21, // !BDN
+ 1: 0x42,
+ 2: 0x44,
+ 3: 0x4e
+ },
+ extractor: null
+ },
+ {
+ name: "Microsoft Exchange Database",
+ extension: "edb",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 4: 0xef,
+ 5: 0xcd,
+ 6: 0xab,
+ 7: 0x89,
+ 8: [0x20, 0x23],
+ 9: 0x06,
+ 10: 0x00,
+ 11: 0x00,
+ 12: [0x00, 0x01],
+ 13: 0x00,
+ 14: 0x00,
+ 15: 0x00
+ },
+ extractor: null
+ },
{
name: "EPUB e-book",
extension: "epub",
@@ -897,6 +1147,36 @@ export const FILE_SIGNATURES = {
},
extractor: extractELF
},
+ {
+ name: "MacOS Mach-O object file",
+ extension: "dylib",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0xca,
+ 1: 0xfe,
+ 2: 0xba,
+ 3: 0xbe,
+ 4: 0x00,
+ 5: 0x00,
+ 6: 0x00,
+ 7: [0x01, 0x02, 0x03]
+ },
+ extractor: null
+ },
+ {
+ name: "MacOS Mach-O 64-bit object file",
+ extension: "dylib",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0xcf,
+ 1: 0xfa,
+ 2: 0xed,
+ 3: 0xfe
+ },
+ extractor: null
+ },
{
name: "Adobe Flash",
extension: "swf",
@@ -905,7 +1185,7 @@ export const FILE_SIGNATURES = {
signature: {
0: [0x43, 0x46],
1: 0x57,
- 2: 0x53
+ 2: 0x53,
},
extractor: null
},
@@ -967,13 +1247,28 @@ export const FILE_SIGNATURES = {
},
extractor: extractZIP
},
+ {
+ name: "PKZIP archive (under Base64)",
+ extension: "B64",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x55,
+ 1: 0x45,
+ 2: 0x73,
+ 3: 0x44,
+ 4: 0x42,
+ 5: 0x42
+ },
+ extractor: null
+ },
{
name: "TAR archive",
extension: "tar",
mime: "application/x-tar",
description: "",
signature: {
- 257: 0x75,
+ 257: 0x75, // ustar
258: 0x73,
259: 0x74,
260: 0x61,
@@ -1111,7 +1406,45 @@ export const FILE_SIGNATURES = {
signature: {
0: 0x4b,
1: 0x44,
- 2: 0x4d
+ 2: 0x4d,
+ 3: 0x56,
+ 5: 0x00,
+ 6: 0x00,
+ 7: 0x00
+ },
+ extractor: null
+ },
+ {
+ name: "Virtual Hard Drive",
+ extension: "vhd",
+ mime: "application/x-vhd",
+ description: "",
+ signature: {
+ 0: 0x63, // conectix
+ 1: 0x6f,
+ 2: 0x6e,
+ 3: 0x65,
+ 4: 0x63,
+ 5: 0x74,
+ 6: 0x69,
+ 7: 0x78
+ },
+ extractor: null
+ },
+ {
+ name: "Macintosh disk image",
+ extension: "dmf,dmg",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x78,
+ 1: 0x01,
+ 2: 0x73,
+ 3: 0x0d,
+ 4: 0x62,
+ 5: 0x62,
+ 6: 0x60,
+ 7: 0x60
},
extractor: null
},
@@ -1218,7 +1551,37 @@ export const FILE_SIGNATURES = {
9: 0x2d
},
extractor: null
- }
+ },
+ {
+ name: "Microsoft Cabinet file",
+ extension: "cab",
+ mime: "vnd.ms-cab-compressed",
+ description: "",
+ signature: {
+ 0: 0x4d,
+ 1: 0x53,
+ 2: 0x43,
+ 3: 0x46,
+ 4: 0x00,
+ 5: 0x00,
+ 6: 0x00,
+ 7: 0x00
+ },
+ extractor: null
+ },
+ {
+ name: "Jar Archive",
+ extension: "jar",
+ mime: "application/java-archive",
+ description: "",
+ signature: {
+ 0: 0x5f,
+ 1: 0x27,
+ 2: 0xa8,
+ 3: 0x89
+ },
+ extractor: null
+ },
],
"Miscellaneous": [
{
@@ -1398,7 +1761,213 @@ export const FILE_SIGNATURES = {
}
],
extractor: null
- }
+ },
+ {
+ name: "Cryptocurrency wallet",
+ extension: "wallet",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x00,
+ 1: 0x00,
+ 2: 0x00,
+ 3: 0x00,
+ 4: 0x01,
+ 5: 0x00,
+ 6: 0x00,
+ 7: 0x00,
+ 8: 0x00,
+ 9: 0x00,
+ 10: 0x00,
+ 11: 0x00,
+ 12: 0x62,
+ 13: 0x31,
+ 14: 0x05,
+ 15: 0x00
+ },
+ extractor: null
+ },
+ {
+ name: "Registry fragment",
+ extension: "hbin",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x68, // hbin
+ 1: 0x62,
+ 2: 0x69,
+ 3: 0x6e,
+ 4: 0x00
+ },
+ extractor: null
+ },
+ {
+ name: "Registry script",
+ extension: "rgs",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x48, // HKCR
+ 1: 0x4b,
+ 2: 0x43,
+ 3: 0x52,
+ 4: 0x0d,
+ 5: 0x0a,
+ 6: 0x5c,
+ 7: 0x7b
+ },
+ extractor: null
+ },
+ {
+ name: "WinNT Registry Hive",
+ extension: "registry",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x72,
+ 1: 0x65,
+ 2: 0x67,
+ 3: 0x66
+ },
+ extractor: null
+ },
+ {
+ name: "Windows Event Log",
+ extension: "evt",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x30,
+ 1: 0x00,
+ 2: 0x00,
+ 3: 0x00,
+ 4: 0x4c,
+ 5: 0x66,
+ 6: 0x4c,
+ 7: 0x65
+ },
+ extractor: null
+ },
+ {
+ name: "Windows Event Log",
+ extension: "evtx",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x45, // ElfFile
+ 1: 0x6c,
+ 2: 0x66,
+ 3: 0x46,
+ 4: 0x69,
+ 5: 0x6c,
+ 6: 0x65
+ },
+ extractor: null
+ },
+ {
+ name: "Windows Pagedump",
+ extension: "dmp",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x50, // PAGEDU(MP|64)
+ 1: 0x41,
+ 2: 0x47,
+ 3: 0x45,
+ 4: 0x44,
+ 5: 0x55,
+ 6: [0x4d, 0x36],
+ 7: [0x50, 0x34]
+ },
+ extractor: null
+ },
+ {
+ name: "Windows Prefetch",
+ extension: "pf",
+ mime: "application/x-pf",
+ description: "",
+ signature: {
+ 0: [0x11, 0x17, 0x1a],
+ 1: 0x0,
+ 2: 0x0,
+ 3: 0x0,
+ 4: 0x53,
+ 5: 0x43,
+ 6: 0x43,
+ 7: 0x41
+ },
+ extractor: null
+ },
+ {
+ name: "Windows Prefetch (Win 10)",
+ extension: "pf",
+ mime: "application/x-pf",
+ description: "",
+ signature: {
+ 0: 0x4d,
+ 1: 0x41,
+ 2: 0x4d,
+ 3: 0x04,
+ 7: 0x0
+ },
+ extractor: null
+ },
+ {
+ name: "PList (XML)",
+ extension: "plist",
+ mime: "application/xml",
+ description: "",
+ signature: {
+ 39: 0x3c, // \n)
+ stream.continueUntil([0x3c, 0x2f, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x3e, 0x0a]);
+ stream.moveForwardsBy(9);
+
+ return stream.carve();
+}
+
+
/**
* GZIP extractor.
*
diff --git a/src/core/operations/DetectFileType.mjs b/src/core/operations/DetectFileType.mjs
index 7ddef0f9..4ffaa5ff 100644
--- a/src/core/operations/DetectFileType.mjs
+++ b/src/core/operations/DetectFileType.mjs
@@ -23,10 +23,10 @@ class DetectFileType extends Operation {
this.module = "Default";
this.description = "Attempts to guess the MIME (Multipurpose Internet Mail Extensions) type of the data based on 'magic bytes'.
Currently supports the following file types: " +
Object.keys(FILE_SIGNATURES).map(cat =>
- FILE_SIGNATURES[cat].map(sig =>
- sig.extension.split(",")[0]
- ).join(", ")
- ).join(", ") + ".";
+ [].concat.apply([], FILE_SIGNATURES[cat].map(sig =>
+ sig.extension.split(",")
+ )).unique().join(", ")
+ ).unique().join(", ") + ".";
this.infoURL = "https://wikipedia.org/wiki/List_of_file_signatures";
this.inputType = "ArrayBuffer";
this.outputType = "string";