From a4772941a7a69e2f48ed971b8286408610ac6bf8 Mon Sep 17 00:00:00 2001
From: n1073645
Date: Fri, 8 Nov 2019 14:56:54 +0000
Subject: [PATCH 1/4] Added WAV extractor.
---
 src/core/lib/FileSignatures.mjs | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs
index d4f0ee22..38712717 100644
--- a/src/core/lib/FileSignatures.mjs
+++ b/src/core/lib/FileSignatures.mjs
@@ -736,7 +736,7 @@ export const FILE_SIGNATURES = {
 10: 0x56,
 11: 0x45
 },
- extractor: null
+ extractor: extractWAV
 },
 {
 name: "OGG audio",
@@ -2642,6 +2642,22 @@ export function extractBMP(bytes, offset) {
 return stream.carve();
 }
+/**
+ * WAV extractor.
+ *
+ * @param {Uint8Array} bytes
+ * @param {Number} offset
+ * @returns {Uint8Array}
+ */
+export function extractWAV(bytes, offset) {
+ const stream = new Stream(bytes.slice(offset));
+ stream.moveTo(4);
+
+ // Move to file size.
+ stream.moveTo(stream.readInt(4, "le")-4);
+ return stream.carve();
+}
+
 /**
 * FLV extractor.
From 2387452a56f64e9f3df96e8c7d7bc038ee682fad Mon Sep 17 00:00:00 2001
From: n1073645
Date: Fri, 8 Nov 2019 14:59:06 +0000
Subject: [PATCH 2/4] Comment the WAV extractor.
---
 src/core/lib/FileSignatures.mjs | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs
index 38712717..896898c8 100644
--- a/src/core/lib/FileSignatures.mjs
+++ b/src/core/lib/FileSignatures.mjs
@@ -2651,6 +2651,8 @@ export function extractBMP(bytes, offset) {
 */
 export function extractWAV(bytes, offset) {
 const stream = new Stream(bytes.slice(offset));
+
+ // Move to file size field.
 stream.moveTo(4);
 // Move to file size.
From 4d9bfcad200ec58c1e8bfe169b69483d8547ae1e Mon Sep 17 00:00:00 2001
From: n1073645
Date: Fri, 8 Nov 2019 15:00:20 +0000
Subject: [PATCH 3/4] Comment the WAV extractor.
---
 src/core/lib/FileSignatures.mjs | 1 +
 1 file changed, 1 insertion(+)
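Review bot: In `extractWAV` (second hunk of PATCH 1/4) the carve end comes straight from the RIFF size field of the scanned data and is passed to `stream.moveTo(stream.readInt(4, "le")-4)` without any range check. A size below 4, or one larger than the remaining buffer, gives a negative or out-of-range target on truncated or malformed input, and whether `Stream.moveTo` rejects that is not visible in this patch. The RIFF size at offset 4 counts the bytes that follow the field, so the file ends at size + 8; if `moveTo` takes an absolute position, as `moveTo(4)` suggests, the current call carves 12 bytes short. I would read the field once and clamp it, `const size = stream.readInt(4, "le");` then `stream.moveTo(Math.min(size + 8, bytes.length - offset));`, and reword the `// Move to file size.` comment to say the call moves to the end of the RIFF data.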
diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs
index 896898c8..af046629 100644
--- a/src/core/lib/FileSignatures.mjs
+++ b/src/core/lib/FileSignatures.mjs
@@ -2657,6 +2657,7 @@ export function extractWAV(bytes, offset) {
 // Move to file size.
 stream.moveTo(stream.readInt(4, "le")-4);
+
 return stream.carve();
 }
From eb81b9217eb0f4d797e226b72a5a368fb6f75f2f Mon Sep 17 00:00:00 2001
From: n1073645
Date: Fri, 8 Nov 2019 17:08:14 +0000
Subject: [PATCH 4/4] SQLITE, EVT, EVTX and Signatures added
---
 src/core/lib/FileSignatures.mjs | 210 +++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 3 deletions(-)
diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs
index af046629..b93a7c9f 100644
--- a/src/core/lib/FileSignatures.mjs
+++ b/src/core/lib/FileSignatures.mjs
@@ -1870,7 +1870,7 @@ export const FILE_SIGNATURES = {
 2: 0x4c,
 3: 0x69
 },
- extractor: null
+ extractor: extractSQLITE
 },
 {
 name: "BitTorrent link",
@@ -1993,7 +1993,7 @@ export const FILE_SIGNATURES = {
 6: 0x4c,
 7: 0x65
 },
- extractor: null
+ extractor: extractEVT
 },
 {
 name: "Windows Event Log",
@@ -2009,7 +2009,7 @@ export const FILE_SIGNATURES = {
 5: 0x6c,
 6: 0x65
 },
- extractor: null
+ extractor: extractEVTX
 },
 {
 name: "Windows Pagedump",
@@ -2331,6 +2331,133 @@ export const FILE_SIGNATURES = {
 19: 0x46
 },
 extractor: null
+ },
+ {
+ name: "Bash",
+ extension: "bash",
+ mime: "application/bash",
+ description: "",
+ signature: {
+ 0: 0x23, // #!/bin/bash
+ 1: 0x21,
+ 2: 0x2f,
+ 3: 0x62,
+ 4: 0x69,
+ 5: 0x6e,
+ 6: 0x2f,
+ 7: 0x62,
+ 8: 0x61,
+ 9: 0x73,
+ 10: 0x68,
+ },
+ extractor: null
+ },
+ {
+ name: "Shell",
+ extension: "sh",
+ mime: "application/sh",
+ description: "",
+ signature: {
+ 0: 0x23, // #!/bin/sh
+ 1: 0x21,
+ 2: 0x2f,
+ 3: 0x62,
+ 4: 0x69,
+ 5: 0x6e,
+ 6: 0x2f,
+ 7: 0x73,
+ 8: 0x68,
+ },
+ extractor: null
+ },
+ {
+ name: "Python",
+ extension: "py,pyc,pyd,pyo,pyw,pyz",
+ mime: "application/python",
+ description: "",
+ signature: {
+ 0: 0x23, // #!/usr/bin/python(2|3)
+ 1: 0x21,
+ 2: 0x2f,
+ 3: 0x75,
+ 4: 0x73,
+ 5: 0x72,
+ 6: 0x2f,
+ 7: 0x62,
+ 8: 0x69,
+ 9: 0x6e,
+ 10: 0x2f,
+ 11: 0x70,
+ 12: 0x79,
+ 13: 0x74,
+ 14: 0x68,
+ 15: 0x6f,
+ 16: 0x6e,
+ 17: [0x32, 0x33, 0xa, 0xd],
+ },
+ extractor: null
+ },
+ {
+ name: "Ruby",
+ extension: "rb",
+ mime: "application/ruby",
+ description: "",
+ signature: {
+ 0: 0x23, // #!/usr/bin/ruby
+ 1: 0x21,
+ 2: 0x2f,
+ 3: 0x75,
+ 4: 0x73,
+ 5: 0x72,
+ 6: 0x2f,
+ 7: 0x62,
+ 8: 0x69,
+ 9: 0x6e,
+ 10: 0x2f,
+ 11: 0x72,
+ 12: 0x75,
+ 13: 0x62,
+ 14: 0x79,
+ },
+ extractor: null
+ },
+ {
+ name: "perl",
+ extension: "pl,pm,t,pod",
+ mime: "application/perl",
+ description: "",
+ signature: {
+ 0: 0x23, // #!/usr/bin/perl
+ 1: 0x21,
+ 2: 0x2f,
+ 3: 0x75,
+ 4: 0x73,
+ 5: 0x72,
+ 6: 0x2f,
+ 7: 0x62,
+ 8: 0x69,
+ 9: 0x6e,
+ 10: 0x2f,
+ 11: 0x70,
+ 12: 0x65,
+ 13: 0x72,
+ 14: 0x6c,
+ },
+ extractor: null
+ },
+ {
+ name: "php",
+ extension: "php,phtml,php3,php4,php5,php7,phps,php-s,pht,phar",
+ mime: "application/php",
+ description: "",
+ signature: {
+ 0: 0x3c, //