Scalpel version 2.0 audit file Started at Fri Nov 23 01:37:35 2018 Command line: scalpel doddy.dd -o output/doddy -v Output directory: output/doddy Configuration file: /etc/scalpel/scalpel.conf ------ BEGIN COPY OF CONFIG FILE USED ------ # Scalpel configuration file # This configuration file controls the types and sizes of files that # are carved by Scalpel. NOTE THAT THE FORMAT OF THIS FILE WAS # EXTENDED in Scalpel 1.90-->! # For each file type, the configuration file describes the file's # extension, whether the header and footer are case sensitive, the # min/maximum file size, and the header and footer for the file. The # footer field is optional, but extension, case sensitivity, size, and # footer are required. Any line that begins with a '#' is considered # a comment and ignored. Thus, to skip a file type just put a '#' at # the beginning of the line containing the rule for the file type. # If you want files carved without filename extensions, use "NONE" in # the extension column. # Beginning with Scalpel 1.90, HEADERS AND/OR FOOTERS MAY BE EITHER # FIXED STRINGS OR REGULAR EXPRESSIONS. # Headers and footers are decoded before use, unless they are regular # expressions. To specify a value in hexadecimal use \x[0-f][0-f] and # for octal use \[0-3][0-7][0-7]. Spaces can be represented by # \s. Example: "\x4F\123\I\sCCI" decodes to "OSI CCI". # To match any single character (aka a wildcard) in a non-regular # expression header/footer, use a '?'. If you need to search for the # '?' character, you will need to change the 'wildcard' line *and* # every occurrence of the old wildcard character in the configuration # file. # Regular expressions in extended format can be specified for headers # or footers by bracketing a header or footer with //, e.g., /GGG[^G]/ # matches a string of three G characters, followed by a character # other than G. To clarify, here is a complete rule for a file type # that should be at most 100000 characters, must begin with three G's # followed by a non-G character and terminate with at least one digit # character (0-9) followed by five H characters: # XXX y 100000 /GGG[^G]/ /[0-9]HHHHH/ # Beginning with Scalpel 1.90, minimum carve sizes may be specified # for each file type using this format for the size parameter: # smallest:largest e.g., jpg y 5000:100000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9 # carves JPG format image files between 5000 and 100000 bytes in # length, ignoring files smaller than 5000 bytes. If the minimum # carve size is not specified, 0 is assumed. This maintains # compatibility with Scalpel configuration files created prior to # 1.90. # The REVERSE keyword after a footer causes a search # backwards starting from [size] bytes beyond the location of the header # This is useful for files like PDFs that may contain multiple copies of # the footer throughout the file. When using the REVERSE keyword you will # extract bytes from the header to the LAST occurence of the footer (and # including the footer in the carved file). # The NEXT keyword after a footer results in file carves that # include the header and all data BEFORE the first occurence of the # footer (the footer is not included in the carved file). If no # occurrence of the footer is discovered within maximum carve size bytes # from the header, then a block of the disk image including the header # and with length equal to the maximum carve size is carved. Use NEXT # when there is no definitive footer for a file type, but you know which # data should NOT be included in a carved file--e.g., the beginning of # a subsequent file of the same type. # FORWARD_NEXT is the default carve type and this keyword may be # included after the footer, but is not required. For FORWARD_NEXT # carves, a block of data including the header and the first footer # (within the maximum carve size) are carved. If no footer appears # after the header within the maximum carve size, then no carving is # performed UNLESS the -b command line option is supplied. In this case, # a block of max carve size bytes, including the header, is carved and a # notation is made in the Scalpel log that the file was chopped. # To redefine the wildcard character, change the setting below and all # occurences in the formost.conf file. # #wildcard ? # case size header footer #extension sensitive # #--------------------------------------------------------------------- # EXAMPLE WITH NO SUFFIX #--------------------------------------------------------------------- # # Here is an example of how to use the no extension option. Any files # beginning with the string "FOREMOST" are carved and no file extensions # are used. No footer is defined and the max carve size is 1000 bytes. # # NONE y 1000 FOREMOST # #--------------------------------------------------------------------- # GRAPHICS FILES #--------------------------------------------------------------------- # # # AOL ART files # art y 150000 \x4a\x47\x04\x0e \xcf\xc7\xcb # art y 150000 \x4a\x47\x03\x0e \xd0\xcb\x00\x00 # # GIF and JPG files (very common) # gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b # gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x00\x3b jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9 jpg y 200000000 \xff\xd8\xff\xe1 \xff\xd9 # # # PNG png y 20000000 \x50\x4e\x47? \xff\xfc\xfd\xfe # # # BMP (used by MSWindows, use only if you have reason to think there are # BMP files worth digging for. This often kicks back a lot of false # positives # # bmp y 100000 BM??\x00\x00\x00 # # TIFF # tif y 200000000 \x49\x49\x2a\x00 # TIFF # tif y 200000000 \x4D\x4D\x00\x2A # #--------------------------------------------------------------------- # VIDEO AND AUDIO FILES #--------------------------------------------------------------------- # # AVI (Windows animation and DiVX/MPEG-4 movies) # avi y 50000000 RIFF????AVI # # APPLE QUICKTIME # These needles are based on the file command's magic. I don't # recommend uncommenting the 4th and 5th Quicktime needles unless # you're sure you need to, because they generate HUGE numbers of # false positives. # # mov y 10000000 ????moov # mov y 10000000 ????mdat # mov y 10000000 ????widev # mov y 10000000 ????skip # mov y 10000000 ????free # mov y 10000000 ????idsc # mov y 10000000 ????pckg # # MPEG Video # mpg y 50000000 \x00\x00\x01\xba \x00\x00\x01\xb9 # mpg y 50000000 \x00\x00\x01\xb3 \x00\x00\x01\xb7 # # FLASH # fws y 4000000 FWS # # WAV format # wav y 200000 RIFF????WAVE # # REAL AUDIO # ra y 1000000 .RMF # ra y 1000000 \x2e\x72\x61\xfd # # asf y 8000000 \x30\x26\xB2\x75\x8E\x66\xCF\x11\xA6\xD9\x00\xAA\x00\x62\xCE\x6C # # WMV/WMA # wmv y 20000000 \x30\x26\xB2\x75\x8E\x66\xCF\x11\xA6\xD9\x00\xAA\x00\x62\xCE\x6C # # wma y 8000000 \x30\x26\xB2\x75 \x00\x00\x00\xFF # # wma y 8000000 \x30\x26\xB2\x75 \x52\x9A\x12\x46 # # MP3 # mp3 y 8000000 \xFF\xFB??\x44\x00\x00 # mp3 y 8000000 \x57\x41\x56\45 \x00\x00\xFF\ # mp3 y 8000000 \xFF\xFB\xD0\ \xD1\x35\x51\xCC\ # mp3 y 8000000 \x49\x44\x33\ # mp3 y 8000000 \x4C\x41\x4D\x45\ # #--------------------------------------------------------------------- # MICROSOFT OFFICE #--------------------------------------------------------------------- # # Word documents # doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1 # # Outlook files pst y 500000000 \x21\x42\x4e\xa5\x6f\xb5\xa6 ost y 500000000 \x21\x42\x44\x4e # # Outlook Express # dbx y 10000000 \xcf\xad\x12\xfe\xc5\xfd\x74\x6f # idx y 10000000 \x4a\x4d\x46\x39 # mbx y 10000000 \x4a\x4d\x46\x36 # #--------------------------------------------------------------------- # WORDPERFECT #--------------------------------------------------------------------- # wpc y 1000000 ?WPC # #--------------------------------------------------------------------- # HTML #--------------------------------------------------------------------- # # htm n 50000 # #--------------------------------------------------------------------- # ADOBE PDF #--------------------------------------------------------------------- # pdf y 5000000 %PDF %EOF\x0d REVERSE pdf y 5000000 %PDF %EOF\x0a REVERSE # #--------------------------------------------------------------------- # AOL (AMERICA ONLINE) #--------------------------------------------------------------------- # # AOL Mailbox # mail y 500000 \x41\x4f\x4c\x56\x4d # #--------------------------------------------------------------------- # RPM (Linux package format) #--------------------------------------------------------------------- # rpm y 1000000 \xed\xab #--------------------------------------------------------------------- # WINDOWS REGISTRY FILES #--------------------------------------------------------------------- # # Windows NT registry # dat y 4000000 regf # Windows 95 registry # dat y 4000000 CREG # #--------------------------------------------------------------------- # MISCELLANEOUS #--------------------------------------------------------------------- # # zip y 10000000 PK\x03\x04 \x3c\xac # rar y 10000000 Rar! # java y 1000000 \xca\xfe\xba\xbe # #--------------------------------------------------------------------- # ScanSoft PaperPort "Max" files #--------------------------------------------------------------------- # max y 1000000 \x56\x69\x47\x46\x6b\x1a\x00\x00\x00\x00 \x00\x00\x05\x80\x00\x00 #--------------------------------------------------------------------- # PINs Password Manager program #--------------------------------------------------------------------- # pins y 8000 \x50\x49\x4e\x53\x20\x34\x2e\x32\x30\x0d #--------------------------------------------------------------------- # Experimental header for Virtual Box disks # vbox y 10000000000 <<