From 22028b074a1757810b243b2298390b6604207afc Mon Sep 17 00:00:00 2001 From: n1474335 Date: Tue, 1 Oct 2019 16:54:19 +0100 Subject: [PATCH] Added support for many more file types to file signature operations --- src/core/lib/FileSignatures.mjs | 605 ++++++++++++++++++++++++- src/core/operations/DetectFileType.mjs | 8 +- 2 files changed, 600 insertions(+), 13 deletions(-) diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs index 613e82b2..afb4b6e0 100644 --- a/src/core/lib/FileSignatures.mjs +++ b/src/core/lib/FileSignatures.mjs @@ -241,6 +241,28 @@ export const FILE_SIGNATURES = { ], extractor: null }, + { + name: "The GIMP image", + extension: "xcf", + mime: "image/x-xcf", + description: "", + signature: { + 0: 0x67, // gimp xcf + 1: 0x69, + 2: 0x6d, + 3: 0x70, + 4: 0x20, + 5: 0x78, + 6: 0x63, + 7: 0x66, + 8: 0x20, + 9: [0x66, 0x76], + 10: [0x69, 0x30], + 11: [0x6c, 0x30], + 12: [0x65, 0x31, 0x32, 0x33] + }, + extractor: null + }, { name: "Icon image", extension: "ico", @@ -363,10 +385,40 @@ export const FILE_SIGNATURES = { 3: 0x00 }, extractor: null + }, + { + name: "Joint Photographic Experts Group image (under Base64)", + extension: "B64", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0x2f, + 1: 0x39, + 2: 0x6a, + 3: 0x2f, + 4: 0x34 + }, + extractor: null + }, + { + name: "Portable Network Graphics image (under Base64)", + extension: "B64", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0x69, + 1: 0x56, + 2: 0x42, + 3: 0x4f, + 4: 0x52, + 5: 0x77, + 6: 0x30 + }, + extractor: null } ], "Video": [ - { // Place before webm + { name: "Matroska Multimedia Container", extension: "mkv", mime: "video/x-matroska", 
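Review bot: The per-byte alternative lists at bytes 9–12 of the xcf signature are independent of each other, so besides `gimp xcf file` and `gimp xcf v001`–`v003` the entry also accepts mixed strings such as `gimp xcf fi0e`, and it rejects any later `v0xx` revision because byte 12 is limited to `0x31`–`0x33` (I believe current GIMP writes higher version numbers; worth confirming). The table already supports a list of alternative signatures (the `],` that closes the previous entry's signature array at the top of this hunk), so this is better expressed as two signatures, one spelling out `file` and one with `9: 0x76, 10: 0x30, 11: 0x30, 12: [0x30..0x39]`, or by stopping at byte 8 (`gimp xcf `) and leaving the version bytes free. Either way a comment should say which header variants the entry is meant to match.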
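Review bot: The two Base64 signatures only match when the encoded image starts on a 3-byte boundary of the encoding; the same JPEG shifted by one or two bytes inside a larger Base64 blob produces different characters and is missed, and `/9j/4` additionally covers only JPEGs whose marker byte after `FF D8 FF` is `0xE0`–`0xE3` (a `FF D8 FF DB` file encodes as `/9j/2w`). That is acceptable as a heuristic but should be stated on the entry, e.g. `// Base64 of FF D8 FF Ex; only matches when the image starts on a 3-byte boundary`. `B64` is also the only upper-case extension in the table and ends up verbatim in the operation's description list, so `b64` would fit the rest of the file. Dropping the `// Place before webm` comment removes the ordering hint even though the Matroska entry presumably still has to precede the WebM one, since both start with the EBML magic `1A 45 DF A3`.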
@@ -392,7 +444,28 @@ export const FILE_SIGNATURES = { 0: 0x1a, 1: 0x45, 2: 0xdf, - 3: 0xa3 + 3: 0xa3, + 4: 0x01, + 5: 0x00, + 6: 0x00, + 7: 0x00 + }, + extractor: null + }, + { // Place before MPEG-4 + name: "Flash MP4 video", + extension: "f4v", + mime: "video/mp4", + description: "", + signature: { + 4: 0x66, + 5: 0x74, + 6: 0x79, + 7: 0x70, + 8: [0x66, 0x46], + 9: 0x34, + 10: [0x76, 0x56], + 11: 0x20 }, extractor: null }, @@ -766,6 +839,41 @@ export const FILE_SIGNATURES = { }, extractor: extractPDF }, + { + name: "Portable Document Format (under Base64)", + extension: "B64", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0x41, + 1: 0x4a, + 2: 0x56, + 3: 0x42, + 4: 0x45, + 5: 0x52, + 6: 0x69 + }, + extractor: null + }, + { // Place before PostScript + name: "Adobe PostScript", + extension: "ps,eps,ai,pfa", + mime: "application/postscript", + description: "", + signature: { + 0: 0x25, + 1: 0x21, + 2: 0x50, + 3: 0x53, + 4: 0x2d, + 5: 0x41, + 6: 0x64, + 7: 0x6f, + 8: 0x62, + 9: 0x65 + }, + extractor: null + }, { name: "PostScript", extension: "ps", @@ -792,7 +900,7 @@ export const FILE_SIGNATURES = { extractor: extractRTF }, { - name: "Microsoft Office documents/OLE2", + name: "Microsoft Office document/OLE2", extension: "ole2,doc,xls,dot,ppt,xla,ppa,pps,pot,msi,sdw,db,vsd,msg", mime: "application/msword,application/vnd.ms-excel,application/vnd.ms-powerpoint", description: "Microsoft Office documents", 
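Review bot: Extending the Matroska signature with `4: 0x01, 5: 0x00, 6: 0x00, 7: 0x00` ties the match to one encoding of the EBML header size: that field is a variable-length integer and `01 00 00 00 …` is only its 8-byte form, so a file whose muxer wrote the size in a single byte (e.g. `1A 45 DF A3 A3`) no longer matches this entry and will be reported as whichever EBML-based entry follows it. If the intent is to tell MKV from WebM, the DocType string inside the header (`matroska`/`webm`) is the reliable discriminator; otherwise I would revert to the four-byte magic and keep the ordering comment. The `// Place before MPEG-4` note on the f4v entry is exactly the kind of comment the Matroska entry just lost.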
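Review bot: The `Portable Document Format (under Base64)` signature is wrong: Base64 of `%PDF-` is `JVBERi0` (`%PDF` alone is `JVBERg`), so the leading `0: 0x41` (`A`) turns the entry into `AJVBERi`, which decodes to `00 95 41 11 18 …` and will never match a Base64-encoded PDF that begins at the start of the stream. Drop the `A` and shift the rest down: `0: 0x4a, 1: 0x56, 2: 0x42, 3: 0x45, 4: 0x52, 5: 0x69`. The `// Place before PostScript` comment on the Adobe PostScript entry is the right kind of note, since both entries begin with `%!`.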
@@ -809,7 +917,24 @@ export const FILE_SIGNATURES = {
 extractor: null
 },
 {
- name: "Microsoft Office 2007+ documents",
+ name: "Microsoft Office document/OLE2 (under Base64)",
+ extension: "B64",
+ mime: "application/octet-stream",
+ description: "",
+ signature: {
+ 0: 0x30,
+ 1: 0x4d,
+ 2: 0x38,
+ 3: 0x52,
+ 4: 0x34,
+ 5: 0x4b,
+ 6: 0x47,
+ 7: 0x78
+ },
+ extractor: null
+ },
+ {
+ name: "Microsoft Office 2007+ document",
 extension: "docx,xlsx,pptx",
 mime: "application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.openxmlformats-officedocument.presentationml.presentation",
 description: "",
@@ -828,6 +953,131 @@ export const FILE_SIGNATURES = { }, extractor: extractZIP }, + { + name: "Microsoft Access database", + extension: "mdb,mda,mde,mdt,fdb,psa", + mime: "application/msaccess", + description: "", + signature: { + 0: 0x00, + 1: 0x01, + 2: 0x00, + 3: 0x00, + 4: 0x53, // Standard Jet + 5: 0x74, + 6: 0x61, + 7: 0x6e, + 8: 0x64, + 9: 0x61, + 10: 0x72, + 11: 0x64, + 12: 0x20, + 13: 0x4a, + 14: 0x65, + 15: 0x74 + }, + extractor: null + }, + { + name: "Microsoft Access 2007+ database", + extension: "accdb,accde,accda,accdu", + mime: "application/msaccess", + description: "", + signature: { + 0: 0x00, + 1: 0x01, + 2: 0x00, + 3: 0x00, + 4: 0x53, // Standard ACE DB + 5: 0x74, + 6: 0x61, + 7: 0x6e, + 8: 0x64, + 9: 0x61, + 10: 0x72, + 11: 0x64, + 12: 0x20, + 13: 0x41, + 14: 0x43, + 15: 0x45, + 16: 0x20 + }, + extractor: null + }, + { + name: "Microsoft OneNote document", + extension: "one", + mime: "application/onenote", + description: "", + signature: { + 0: 0xe4, + 1: 0x52, + 2: 0x5c, + 3: 0x7b, + 4: 0x8c, + 5: 0xd8, + 6: 0xa7, + 7: 0x4d, + 8: 0xae, + 9: 0xb1, + 10: 0x53, + 11: 0x78, + 12: 0xd0, + 13: 0x29, + 14: 0x96, + 15: 0xd3 + }, + extractor: null + }, + { + name: "Outlook Express database", + extension: "dbx", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0xcf, + 1: 0xad, + 2: 0x12, + 3: 0xfe, + 4: [0x30, 0xc5, 0xc6, 0xc7], + 11: 0x11 + }, + extractor: null + }, + { + name: "Personal Storage Table (Outlook)", + extension: "pst,ost,fdb,pab", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0x21, // !BDN + 1: 0x42, + 2: 0x44, + 3: 0x4e + }, + extractor: null + }, + { + name: "Microsoft Exchange Database", + extension: "edb", + mime: "application/octet-stream", + description: "", + signature: { + 4: 0xef, + 5: 0xcd, + 6: 0xab, + 7: 0x89, + 8: [0x20, 0x23], + 9: 0x06, + 10: 0x00, + 11: 0x00, + 12: [0x00, 0x01], + 13: 0x00, + 14: 0x00, + 15: 0x00 + }, + extractor: null + }, { name: "EPUB e-book", 
extension: "epub", @@ -897,6 +1147,36 @@ export const FILE_SIGNATURES = { }, extractor: extractELF }, + { + name: "MacOS Mach-O object file", + extension: "dylib", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0xca, + 1: 0xfe, + 2: 0xba, + 3: 0xbe, + 4: 0x00, + 5: 0x00, + 6: 0x00, + 7: [0x01, 0x02, 0x03] + }, + extractor: null + }, + { + name: "MacOS Mach-O 64-bit object file", + extension: "dylib", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0xcf, + 1: 0xfa, + 2: 0xed, + 3: 0xfe + }, + extractor: null + }, { name: "Adobe Flash", extension: "swf", @@ -905,7 +1185,7 @@ export const FILE_SIGNATURES = { signature: { 0: [0x43, 0x46], 1: 0x57, - 2: 0x53 + 2: 0x53, }, extractor: null }, @@ -967,13 +1247,28 @@ export const FILE_SIGNATURES = { }, extractor: extractZIP }, + { + name: "PKZIP archive (under Base64)", + extension: "B64", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0x55, + 1: 0x45, + 2: 0x73, + 3: 0x44, + 4: 0x42, + 5: 0x42 + }, + extractor: null + }, { name: "TAR archive", extension: "tar", mime: "application/x-tar", description: "", signature: { - 257: 0x75, + 257: 0x75, // ustar 258: 0x73, 259: 0x74, 260: 0x61, @@ -1111,7 +1406,45 @@ export const FILE_SIGNATURES = { signature: { 0: 0x4b, 1: 0x44, - 2: 0x4d + 2: 0x4d, + 3: 0x56, + 5: 0x00, + 6: 0x00, + 7: 0x00 + }, + extractor: null + }, + { + name: "Virtual Hard Drive", + extension: "vhd", + mime: "application/x-vhd", + description: "", + signature: { + 0: 0x63, // conectix + 1: 0x6f, + 2: 0x6e, + 3: 0x65, + 4: 0x63, + 5: 0x74, + 6: 0x69, + 7: 0x78 + }, + extractor: null + }, + { + name: "Macintosh disk image", + extension: "dmf,dmg", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0x78, + 1: 0x01, + 2: 0x73, + 3: 0x0d, + 4: 0x62, + 5: 0x62, + 6: 0x60, + 7: 0x60 }, extractor: null }, 
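Review bot: The `Microsoft Exchange Database` entry keys on `EF CD AB 89` at offset 4, which is the generic Extensible Storage Engine (ESE / JET Blue) header magic, so Active Directory `ntds.dit`, `SRUDB.dat`, `WebCacheV01.dat`, `Windows.edb` and similar files will all be labelled as Exchange databases — a misleading result in a forensic triage. I would name it `Extensible Storage Engine database`, use `extension: "edb,dit,dat"` and a description such as `Used by Exchange (.edb), Active Directory (ntds.dit), SRUM and other Windows components`. Separately, `fdb` is claimed by both the Access list (`mdb,mda,mde,mdt,fdb,psa`) and the PST list (`pst,ost,fdb,pab`); if both are intentional a short comment saying so would stop the next reader from "fixing" one of them.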
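Review bot: The `MacOS Mach-O 64-bit object file` entry (`CF FA ED FE`) covers only little-endian 64-bit thin binaries; 32-bit thin Mach-O files start with `CE FA ED FE` and currently fall through unmatched, while the `CA FE BA BE` entry is really the fat/universal header rather than a plain object file. Since bytes 1–3 are shared, one entry handles both thin forms: `0: [0xce, 0xcf], 1: 0xfa, 2: 0xed, 3: 0xfe` named `MacOS Mach-O executable/object file`. The fat entry deserves a comment that `00 00 00 [01-03]` at bytes 4–7 (the architecture count) is what keeps it from matching Java class files, which share the `CA FE BA BE` magic but carry a class-file version there — that guard only works if the Java class entry appears later or checks its own version bytes, which is not visible in this hunk. `dylib` is also a narrow extension for what are usually extension-less executables.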
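Review bot: `UEsDBB` is narrower than the PKZIP magic it stands for: the sixth character `B` encodes the top four bits of byte 4, the low byte of "version needed to extract", so only versions `0x10`–`0x1F` match, and a stored-only archive (`0x0A`, which encodes as `UEsDBAo`) or a Zip64 archive (`0x2D`, `UEsDBC`) is missed. Remove `5: 0x42` so the entry matches `UEsDB` (`50 4B 03 04`–`07`), and add a comment that, like the other Base64 entries, it only fires when the archive starts on a 3-byte boundary of the encoding. The `// ustar` annotation on the TAR entry is a good addition.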
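Review bot: The `conectix` signature at offset 0 only matches dynamic and differencing VHDs, which carry a copy of the footer at the start of the file; a fixed-size VHD is raw disk data followed by the 512-byte `conectix` footer at the end, so it will not be detected by this entry and is likely reported as a boot sector or not at all. Unless the matcher supports end-relative offsets, the entry should say so: `// Footer copy at offset 0; fixed-size VHDs only carry it in the last 512 bytes`. The dmg signature `78 01 73 0d …` looks like the start of a zlib stream rather than a container magic (UDIF images are identified by the `koly` trailer at end of file), so I would describe which image variant it was derived from rather than leaving `description: ""`.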
@@ -1218,7 +1551,37 @@ export const FILE_SIGNATURES = {
 9: 0x2d
 },
 extractor: null
- }
+ },
+ {
+ name: "Microsoft Cabinet file",
+ extension: "cab",
+ mime: "vnd.ms-cab-compressed",
+ description: "",
+ signature: {
+ 0: 0x4d,
+ 1: 0x53,
+ 2: 0x43,
+ 3: 0x46,
+ 4: 0x00,
+ 5: 0x00,
+ 6: 0x00,
+ 7: 0x00
+ },
+ extractor: null
+ },
+ {
+ name: "Jar Archive",
+ extension: "jar",
+ mime: "application/java-archive",
+ description: "",
+ signature: {
+ 0: 0x5f,
+ 1: 0x27,
+ 2: 0xa8,
+ 3: 0x89
+ },
+ extractor: null
+ },
 ],
 "Miscellaneous": [
 {
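Review bot: The cabinet entry's `mime: "vnd.ms-cab-compressed"` is missing its top-level type; every other entry in the table is `type/subtype`, so it should read `mime: "application/vnd.ms-cab-compressed"`. The `Jar Archive` signature `5F 27 A8 89` will not detect ordinary `.jar` files, which are ZIP containers beginning with `PK\x03\x04` and are already caught by the PKZIP entry; if this magic is for a specific packed variant the name should say which, otherwise the entry implies jar detection it does not deliver. The `MSCF` signature with `4..7: 0x00` (the reserved field) looks right.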
@@ -1398,7 +1761,213 @@ export const FILE_SIGNATURES = { } ], extractor: null - } + }, + { + name: "Cryptocurrency wallet", + extension: "wallet", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0x00, + 1: 0x00, + 2: 0x00, + 3: 0x00, + 4: 0x01, + 5: 0x00, + 6: 0x00, + 7: 0x00, + 8: 0x00, + 9: 0x00, + 10: 0x00, + 11: 0x00, + 12: 0x62, + 13: 0x31, + 14: 0x05, + 15: 0x00 + }, + extractor: null + }, + { + name: "Registry fragment", + extension: "hbin", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0x68, // hbin + 1: 0x62, + 2: 0x69, + 3: 0x6e, + 4: 0x00 + }, + extractor: null + }, + { + name: "Registry script", + extension: "rgs", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0x48, // HKCR + 1: 0x4b, + 2: 0x43, + 3: 0x52, + 4: 0x0d, + 5: 0x0a, + 6: 0x5c, + 7: 0x7b + }, + extractor: null + }, + { + name: "WinNT Registry Hive", + extension: "registry", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0x72, + 1: 0x65, + 2: 0x67, + 3: 0x66 + }, + extractor: null + }, + { + name: "Windows Event Log", + extension: "evt", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0x30, + 1: 0x00, + 2: 0x00, + 3: 0x00, + 4: 0x4c, + 5: 0x66, + 6: 0x4c, + 7: 0x65 + }, + extractor: null + }, + { + name: "Windows Event Log", + extension: "evtx", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0x45, // ElfFile + 1: 0x6c, + 2: 0x66, + 3: 0x46, + 4: 0x69, + 5: 0x6c, + 6: 0x65 + }, + extractor: null + }, + { + name: "Windows Pagedump", + extension: "dmp", + mime: "application/octet-stream", + description: "", + signature: { + 0: 0x50, // PAGEDU(MP|64) + 1: 0x41, + 2: 0x47, + 3: 0x45, + 4: 0x44, + 5: 0x55, + 6: [0x4d, 0x36], + 7: [0x50, 0x34] + }, + extractor: null + }, + { + name: "Windows Prefetch", + extension: "pf", + mime: "application/x-pf", + description: "", + signature: { + 0: [0x11, 0x17, 0x1a], + 1: 0x0, + 2: 0x0, + 3: 0x0, 
+ 4: 0x53, + 5: 0x43, + 6: 0x43, + 7: 0x41 + }, + extractor: null + }, + { + name: "Windows Prefetch (Win 10)", + extension: "pf", + mime: "application/x-pf", + description: "", + signature: { + 0: 0x4d, + 1: 0x41, + 2: 0x4d, + 3: 0x04, + 7: 0x0 + }, + extractor: null + }, + { + name: "PList (XML)", + extension: "plist", + mime: "application/xml", + description: "", + signature: { + 39: 0x3c, // \n) + stream.continueUntil([0x3c, 0x2f, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x3e, 0x0a]); + stream.moveForwardsBy(9); + + return stream.carve(); +} + + /** * GZIP extractor. * diff --git a/src/core/operations/DetectFileType.mjs b/src/core/operations/DetectFileType.mjs index 7ddef0f9..4ffaa5ff 100644 --- a/src/core/operations/DetectFileType.mjs +++ b/src/core/operations/DetectFileType.mjs @@ -23,10 +23,10 @@ class DetectFileType extends Operation { this.module = "Default"; this.description = "Attempts to guess the MIME (Multipurpose Internet Mail Extensions) type of the data based on 'magic bytes'.

Currently supports the following file types: " +
 Object.keys(FILE_SIGNATURES).map(cat =>
- FILE_SIGNATURES[cat].map(sig =>
- sig.extension.split(",")[0]
- ).join(", ")
- ).join(", ") + ".";
+ [].concat.apply([], FILE_SIGNATURES[cat].map(sig =>
+ sig.extension.split(",")
+ )).unique().join(", ")
+ ).unique().join(", ") + ".";
 this.infoURL = "https://wikipedia.org/wiki/List_of_file_signatures";
 this.inputType = "ArrayBuffer";
 this.outputType = "string";
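Review bot: The outer `.unique()` runs on the array of already-joined per-category strings, so it only drops whole categories with identical extension lists; an extension present in several categories — `B64` is added to Images, Documents and Archives in this commit — is still listed repeatedly in the description. Dedupe before joining, and prefer the standard library over the `unique()` array extension, which I assume is a prototype helper defined elsewhere in the project: `[...new Set(Object.values(FILE_SIGNATURES).flatMap(sigs =>` / `    sigs.flatMap(sig => sig.extension.split(","))` / `))].join(", ") + ".";`. That also replaces `[].concat.apply([], …)` with `flatMap`, provided the build target supports ES2019; if not, keep the `concat.apply` flatten but still wrap the fully flattened list in a `Set` before the single `join`.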