#------------------------------------------------------------------------------
# $File: database,v 1.73 2024/11/09 19:54:36 christos Exp $
# database: file(1) magic for various databases
#
# extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk)
#
#
# GDBM magic numbers
# Will be maintained as part of the GDBM distribution in the future.
# <downsj@teeny.org>
0 belong 0x13579acd GNU dbm 1.x or ndbm database, big endian, 32-bit
!:mime application/x-gdbm
0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian, old
!:mime application/x-gdbm
0 belong 0x13579acf GNU dbm 1.x or ndbm database, big endian, 64-bit
!:mime application/x-gdbm
0 lelong 0x13579acd GNU dbm 1.x or ndbm database, little endian, 32-bit
!:mime application/x-gdbm
0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian, old
!:mime application/x-gdbm
0 lelong 0x13579acf GNU dbm 1.x or ndbm database, little endian, 64-bit
!:mime application/x-gdbm
0 string GDBM GNU dbm 2.x database
!:mime application/x-gdbm
#
# Berkeley DB
#
# Ian Darwin's file /etc/magic files: big/little-endian version.
#
# Hash 1.85/1.86 databases store metadata in network byte order.
# Btree 1.85/1.86 databases store the metadata in host byte order.
# Hash and Btree 2.X and later databases store the metadata in host byte order.

0 long 0x00061561 Berkeley DB
!:mime application/x-dbm
>8 belong 4321
>>4 belong >2 1.86
>>4 belong <3 1.85
>>4 belong >0 (Hash, version %d, native byte-order)
>8 belong 1234
>>4 belong >2 1.86
>>4 belong <3 1.85
>>4 belong >0 (Hash, version %d, little-endian)

0 belong 0x00061561 Berkeley DB
>8 belong 4321
>>4 belong >2 1.86
>>4 belong <3 1.85
>>4 belong >0 (Hash, version %d, big-endian)
>8 belong 1234
>>4 belong >2 1.86
>>4 belong <3 1.85
>>4 belong >0 (Hash, version %d, native byte-order)

0 long 0x00053162 Berkeley DB 1.85/1.86
>4 long >0 (Btree, version %d, native byte-order)
0 belong 0x00053162 Berkeley DB 1.85/1.86
>4 belong >0 (Btree, version %d, big-endian)
0 lelong 0x00053162 Berkeley DB 1.85/1.86
>4 lelong >0 (Btree, version %d, little-endian)

12 long 0x00061561 Berkeley DB
>16 long >0 (Hash, version %d, native byte-order)
12 belong 0x00061561 Berkeley DB
>16 belong >0 (Hash, version %d, big-endian)
12 lelong 0x00061561 Berkeley DB
>16 lelong >0 (Hash, version %d, little-endian)

12 long 0x00053162 Berkeley DB
>16 long >0 (Btree, version %d, native byte-order)
12 belong 0x00053162 Berkeley DB
>16 belong >0 (Btree, version %d, big-endian)
12 lelong 0x00053162 Berkeley DB
>16 lelong >0 (Btree, version %d, little-endian)

12 long 0x00042253 Berkeley DB
>16 long >0 (Queue, version %d, native byte-order)
12 belong 0x00042253 Berkeley DB
>16 belong >0 (Queue, version %d, big-endian)
12 lelong 0x00042253 Berkeley DB
>16 lelong >0 (Queue, version %d, little-endian)

# From Max Bowsher.
12 long 0x00040988 Berkeley DB
>16 long >0 (Log, version %d, native byte-order)
12 belong 0x00040988 Berkeley DB
>16 belong >0 (Log, version %d, big-endian)
12 lelong 0x00040988 Berkeley DB
>16 lelong >0 (Log, version %d, little-endian)

#
#
# Round Robin Database Tool by Tobias Oetiker <oetiker@ee.ethz.ch>
0 string/b RRD\0 RRDTool DB
>4 string/b x version %s

>>10 short !0 16bit aligned
>>>10 bedouble 8.642135e+130 big-endian
>>>>18 short x 32bit long (m68k)

>>10 short 0
>>>12 long !0 32bit aligned
>>>>12 bedouble 8.642135e+130 big-endian
>>>>>20 long 0 64bit long
>>>>>20 long !0 32bit long
>>>>12 ledouble 8.642135e+130 little-endian
>>>>>24 long 0 64bit long
>>>>>24 long !0 32bit long (i386)
>>>>12 string \x43\x2b\x1f\x5b\x2f\x25\xc0\xc7 middle-endian
>>>>>24 short !0 32bit long (arm)

>>8 quad 0 64bit aligned
>>>16 bedouble 8.642135e+130 big-endian
>>>>24 long 0 64bit long (s390x)
>>>>24 long !0 32bit long (hppa/mips/ppc/s390/SPARC)
>>>16 ledouble 8.642135e+130 little-endian
>>>>28 long 0 64bit long (alpha/amd64/ia64)
>>>>28 long !0 32bit long (armel/mipsel)

#----------------------------------------------------------------------
# ROOT: file(1) magic for ROOT databases
#
0 string root\0 ROOT file
>4 belong x Version %d
>33 belong x (Compression: %d)

# XXX: Weak magic.
# Alex Ott <ott@jet.msk.su>
## Paradox file formats
#2 leshort 0x0800 Paradox
#>0x39 byte 3 v. 3.0
#>0x39 byte 4 v. 3.5
#>0x39 byte 9 v. 4.x
#>0x39 byte 10 v. 5.x
#>0x39 byte 11 v. 5.x
#>0x39 byte 12 v. 7.x
#>>0x04 byte 0 indexed .DB data file
#>>0x04 byte 1 primary index .PX file
#>>0x04 byte 2 non-indexed .DB data file
#>>0x04 byte 3 non-incrementing secondary index .Xnn file
#>>0x04 byte 4 secondary index .Ynn file
#>>0x04 byte 5 incrementing secondary index .Xnn file
#>>0x04 byte 6 non-incrementing secondary index .XGn file
#>>0x04 byte 7 secondary index .YGn file
#>>>0x04 byte 8 incrementing secondary index .XGn file

## XBase database files
# updated by Joerg Jenderek at Feb 2013
# https://www.dbase.com/Knowledgebase/INT/db7_file_fmt.htm
# https://www.clicketyclick.dk/databases/xbase/format/dbf.html
# inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
0 ubelong&0x0000FFFF <0x00000C20
!:strength +10
# skip Infocom game Z-machine
>2 ubyte >0
# skip Androids *.xml
>>3 ubyte >0
>>>3 ubyte <32
# 1 < version VV
>>>>0 ubyte >1
# skip HELP.CA3 by test for reserved byte ( NULL )
>>>>>27 ubyte 0
# reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF)
#>>>>>30 ubeshort x 30NULL?%x
# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)
>>>>>>24 ubelong&0xffFFFFff >0x01302000
# .DBF or .MDX
>>>>>>24 ubelong&0xffFFFFff <0x01302001
# for Xbase Database file (*.DBF) reserved (NULL) for multi-user
>>>>>>>24 ubelong&0xffFFFFff =0
# test for 2 reserved NULL bytes,transaction and encryption byte flag
>>>>>>>>12 ubelong&0xFFFFfEfE 0
# test for MDX flag
>>>>>>>>>28 ubyte x
>>>>>>>>>28 ubyte&0xf8 0
# header size >= 32
>>>>>>>>>>8 uleshort >31
# skip PIC15736.PCX by test for language driver name or field name
>>>>>>>>>>>32 ubyte >0
#!:mime application/x-dbf; charset=unknown-8bit ??
#!:mime application/x-dbase
>>>>>>>>>>>>0 use xbase-type
# database file
>>>>>>>>>>>>28 ubyte&0x04 =0 \b DBF
!:ext dbf
>>>>>>>>>>>>28 ubyte&0x04 =4 \b DataBaseContainer
!:ext dbc
>>>>>>>>>>>>4 lelong 0 \b, no records
>>>>>>>>>>>>4 lelong >0 \b, %d record
# plural s appended
>>>>>>>>>>>>>4 lelong >1 \bs
# https://www.clicketyclick.dk/databases/xbase/format/dbf_check.html#CHECK_DBF
# 1 <= record size <= 4000 (dBase 3,4) or 32 * KB (=0x8000)
>>>>>>>>>>>>10 uleshort x * %d
# file size = records * record size + header size
>>>>>>>>>>>>1 ubyte x \b, update-date
>>>>>>>>>>>>1 use xbase-date
# https://msdn.microsoft.com/de-de/library/cc483186(v=vs.71).aspx
#>>>>>>>>>>>>29 ubyte =0 \b, codepage ID=%#x
# 2~cp850 , 3~cp1252 , 0x1b~?? ; what code page is 0x1b ?
>>>>>>>>>>>>29 ubyte >0 \b, codepage ID=%#x
#>>>>>>>>>>>>28 ubyte&0x01 0 \b, no index file
# MDX or CDX index
>>>>>>>>>>>>28 ubyte&0x01 1 \b, with index file .MDX
>>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT
#>>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer
# 1st record offset + 1 = header size
>>>>>>>>>>>>8 uleshort >0
>>>>>>>>>>>>(8.s+1) ubyte >0
>>>>>>>>>>>>>8 uleshort >0 \b, at offset %d
>>>>>>>>>>>>>(8.s+1) ubyte >0
>>>>>>>>>>>>>>&-1 string >\0 1st record "%s"
# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)
>>>>>>>24 ubelong&0x0133f7ff >0
# test for reserved NULL byte
>>>>>>>>47 ubyte 0
# test for valid TAG key format (0x10 or 0)
>>>>>>>>>559 ubyte&0xeF 0
# test MM <= 12
>>>>>>>>>>45 ubeshort <0x0C20
>>>>>>>>>>>45 ubyte >0
>>>>>>>>>>>>46 ubyte <32
>>>>>>>>>>>>>46 ubyte >0
#!:mime application/x-mdx
>>>>>>>>>>>>>>0 use xbase-type
>>>>>>>>>>>>>>0 ubyte x \b MDX
>>>>>>>>>>>>>>1 ubyte x \b, creation-date
>>>>>>>>>>>>>>1 use xbase-date
>>>>>>>>>>>>>>44 ubyte x \b, update-date
>>>>>>>>>>>>>>44 use xbase-date
# No.of tags in use (1,2,5,12)
>>>>>>>>>>>>>>28 uleshort x \b, %d
# No. of entries in tag (0x30)
>>>>>>>>>>>>>>25 ubyte x \b/%d tags
# Length of tag
>>>>>>>>>>>>>>26 ubyte x * %d
# 1st tag name_
>>>>>>>>>>>>>548 string x \b, 1st tag "%.11s"
# 2nd tag name
#>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s"
#
# Print the xBase names of different version variants
0 name xbase-type
>0 ubyte <2
# 1 < version
>0 ubyte >1
>>0 ubyte 0x02 FoxBase
!:mime application/x-dbf
# like: ACCESS.DBF USER.DBF dbase3date.dbf mitarbei.dbf produkte.dbf umlaut-test-v2.dbf
# FoxBase+/dBaseIII+, no memo
>>0 ubyte 0x03 FoxBase+/dBase III
!:mime application/x-dbf
# like: 92DATA.DBF MSCATLOG.DBF SYLLABI2.DBF SYLLABUS.DBF T4.DBF Teleadr.dbf us_city.dbf
# dBASE IV no memo file
>>0 ubyte 0x04 dBase IV
!:mime application/x-dbf
# like: Quattro-test11.dbf umlaut-test-v4.dbf
# dBASE V no memo file
>>0 ubyte 0x05 dBase V
!:mime application/x-dbf
# like: dbase4double.dbf Quattro-test2.dbf umlaut-test7.dbf
!:ext dbf
# probably Apollo Database Server 9.7? xBase (0x6)
>>0 ubyte 0x06 Apollo
!:mime application/x-dbf
# like: ALIAS.DBF CRYPT.DBF PROCS.DBF USERS.DBF
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
>>0 ubyte 0x2F FoxBase+/Dbase III plus, no memo
!:mime application/x-dbf
# no example
>>0 ubyte 0x30 Visual FoxPro
!:mime application/x-dbf
# like: 26FRX.DBF 30DBC.DBF 30DBCPRO.DBF BEHINDSC.DBF USER_LEV.DBF
# Microsoft Visual FoxPro Database Container File like: FOXPRO-DB-TEST.DBC TESTDATA.DBC TASTRADE.DBC
>>0 ubyte 0x31 Visual FoxPro, autoincrement
!:mime application/x-dbf
# like: AI_Table.DBF dbase_31.dbf w_cityFoxpro.dbf
# Visual FoxPro, with field type Varchar or Varbinary
>>0 ubyte 0x32 Visual FoxPro, with field type Varchar
!:mime application/x-dbf
# like: dbase_32.dbf
# dBASE IV SQL, no memo;dbv memo var size (Flagship)
>>0 ubyte 0x43 dBase IV, with SQL table
!:mime application/x-dbf
# like: ASSEMBLY.DBF INVENTRY.DBF STAFF.DBF
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
>>0 ubyte 0x62 dBase IV, with SQL table
#!:mime application/x-dbf
# no example
# dBASE IV, with memo!!
>>0 ubyte 0x7b dBase IV, with memo
!:mime application/x-dbf
# like: test3memo.DBF dbase5.DBF
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
>>0 ubyte 0x82 dBase IV, with SQL system
#!:mime application/x-dbf
# no example
# FoxBase+/dBaseIII+ with memo .DBT!
>>0 ubyte 0x83 FoxBase+/dBase III, with memo .DBT
!:mime application/x-dbf
# like: T2.DBF t3.DBF biblio.dbf dbase_83.dbf dbase3dbt0_4.dbf fsadress.dbf stop.dbf
# VISUAL OBJECTS (first 1.0 versions) for the Dbase III files (NTX clipper driver); memo file
>>0 ubyte 0x87 VISUAL OBJECTS, with memo file
!:mime application/x-dbf
# like: ACCESS.DBF dbase3date.dbf dbase3float.dbf holdings.dbf mitarbei.dbf
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
>>0 ubyte 0x8A FoxBase+/dBase III, with memo .DBT
#!:mime application/x-dbf
# no example
# dBASE IV with memo!
>>0 ubyte 0x8B dBase IV, with memo .DBT
!:mime application/x-dbf
# like: animals.dbf archive.dbf callin.dbf dbase_8b.dbf phnebook.dbf t6.dbf
# dBase IV with SQL Table,no memo?
>>0 ubyte 0x8E dBase IV, with SQL table
!:mime application/x-dbf
# like: dbase5.DBF test3memo.DBF test-memo.DBF
# .dbv and .dbt memo (Flagship)?
>>0 ubyte 0xB3 Flagship
!:mime application/x-dbf
# no example
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
>>0 ubyte 0xCA dBase IV with memo .DBT
#!:mime application/x-dbf
# no example
# dBASE IV with SQL table, with memo .DBT
>>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT
!:mime application/x-dbf
# like: dbase5.DBF test3memo.DBF test-memo.DBF
# HiPer-Six format;Clipper SIX, with SMT memo file
>>0 ubyte 0xE5 Clipper SIX with memo
!:mime application/x-dbf
# like: dbase5.DBF test3memo.DBF test-memo.DBF testClipper.dbf DATA.DBF
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
>>0 ubyte 0xF4 dBase IV, with SQL table, with memo
#!:mime application/x-dbf
# no example
>>0 ubyte 0xF5 FoxPro with memo
!:mime application/x-dbf
# like: CUSTOMER.DBF FOXUSER1.DBF Invoice.DBF NG.DBF OBJSAMP.DBF dbase_f5.dbf kunde.dbf
# probably Apollo Database Server 9.7 with SQL and memo mask? xBase (0xF6)
>>0 ubyte 0xF6 Apollo, with SQL table with memo
!:mime application/x-dbf
# like: SCRIPTS.DBF
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
#>>0 ubyte 0xFA FoxPro 2.x, with memo
#!:mime application/x-dbf
# no example
# unknown version (should not happen)
>>0 default x xBase
!:mime application/x-dbf
>>>0 ubyte x (%#x)
# flags in version byte
# DBT flag (with dBASE III memo .DBT)!!
# >>0 ubyte&0x80 >0 DBT_FLAG=%x
# memo flag ??
# >>0 ubyte&0x08 >0 MEMO_FLAG=%x
# SQL flag ??
# >>0 ubyte&0x70 >0 SQL_FLAG=%x
# test and print the date of xBase .DBF .MDX
0 name xbase-date
# inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
>0 ubelong x
>1 ubyte <13
>>1 ubyte >0
>>>2 ubyte >0
>>>>2 ubyte <32
>>>>>0 ubyte x
# YY is interpreted as 20YY or 19YY
>>>>>>0 ubyte <100 \b %.2d
# YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY
>>>>>>0 ubyte >99 \b %d
>>>>>1 ubyte x \b-%d
>>>>>2 ubyte x \b-%d

# dBase memo files .DBT or .FPT
# https://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx
16 ubyte <4
>16 ubyte !2
>>16 ubyte !1
# next free block index is positive
>>>0 ulelong >0
# skip many JPG, ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size
>>>>17 ubelong&0xFFfdFEff 0x00000000
# skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h
>>>>>20 ubelong&0xFF01209B 0x00000000
# dBASE III
>>>>>>16 ubyte 3
# skip with invalid "low" 1st item "\0\0\0\0" StateRepository-Deployment.srd-shm "\001\010\0\0" gcry_cast5.mod
>>>>>>>512 ubyte >040
# skip with valid 1st item "rintf" keylayouts.mod
# by looking for valid terminating character Ctrl-Z like in test.dbt
>>>>>>>>513 search/3308 \032
# skip GRUB plan9.mod with invalid second terminating character 007
# by checking second terminating character Ctrl-Z like in test.dbt
>>>>>>>>>&0 ubyte 032
# dBASE III DBT with two Ctrl-Z terminating characters
>>>>>>>>>>0 use dbase3-memo-print
# second terminating character \0 like in dbase-memo.dbt or GRUB nativedisk.mod
>>>>>>>>>&0 ubyte 0
# skip GRUB nativedisk.mod with grub_mod_init\0grub_mod_fini\0grub_fs_autoload_hook\0
>>>>>>>>>>0x1ad string !grub_mod_init
# like dbase-memo.dbt
>>>>>>>>>>>0 use dbase3-memo-print
# dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage
>>>>>>16 ubyte 0
# unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF
>>>>>>>20 uleshort 0
# FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage
>>>>>>>>8 ulong =0
>>>>>>>>>6 ubeshort >0
# skip emacs.PIF
>>>>>>>>>>4 ushort 0
# check for valid FoxPro field type
>>>>>>>>>>>512 ubelong <3
# skip LXMDCLN4.OUT LXMDCLN6.OUT LXMDALG6.OUT with invalid blocksize 170=AAh
>>>>>>>>>>>>6 ubeshort&0x002f 0
>>>>>>>>>>>>>0 use foxpro-memo-print
# dBASE III DBT , garbage
# skip WORD1XW.DOC with improbably high free block index
>>>>>>>>>0 ulelong <0x400000
# skip WinStore.App.exe by looking for printable 2nd character of 1st memo item
>>>>>>>>>>513 ubyte >037
# skip DOS executables CPQ0TD.DRV E30ODI.COM IBM0MONO.DRV by looking for printable 1st character of 1st memo item
>>>>>>>>>>>512 ubyte >037
# skip few (14/758) Microsoft Event Trace Logs (boot_BASE+CSWITCH_1.etl DlTel-Merge.etl UpdateUx.006.etl) with invalid "high" 1st item \377\377
>>>>>>>>>>>>512 ubyte <0377
# skip some Commodore 64 Art Studio (Deep_Strike.aas dragon's_lair_ii.aas), some Atari DEGAS Elite bitmap (ELEPHANT.PC3 ST.PC2)
# some probably old GRUB modules (part_sun.mod) and virtual-boy-wario-land.vb.
# by looking for valid terminating character Ctrl-Z
>>>>>>>>>>>>>513 search/523 \032
# Atari DEGAS bitmap ST.PC2 with 0370 as second terminating character
#>>>>>>>>>>>>>>&0 ubyte x 2ND_CHAR_IS=%o
# dBASE III DBT with two Ctrl-Z terminating characters like dbase3dbt0_1.dbt dbase_83.dbt
>>>>>>>>>>>>>>&0 ubyte 032
>>>>>>>>>>>>>>>0 use dbase3-memo-print
# second terminating character \0 like in pcidump.mod or fsadress.dbt umlaut-dbf-cmd.dbt
>>>>>>>>>>>>>>&0 ubyte 0
# look for old GRUB module pcidump.mod with specific content "pcidump\0Show raw dump of the PCI configuration space"
>>>>>>>>>>>>>>>514 search/0x11E pcidump\0Show
# dBASE III DBT with Ctrl-Z + \0 terminating characters like fsadress.dbt
>>>>>>>>>>>>>>>514 default x
# unusual dBASE III DBT like fsadress.dbt umlaut-dbf-cmd.dbt
>>>>>>>>>>>>>>>>0 use dbase3-memo-print
# dBASE III DBT like angest.dbt, or garbage PCX DBF
>>>>>>>>8 ubelong !0
# skip PCX and some DBF by test for reserved NULL bytes
>>>>>>>>>510 ubeshort 0
# skip bad samples with improbably high free block index above 2 GiB file limit
>>>>>>>>>>0 ulelong <0x400000
# skip AI070GEP.EPS by printable 1st character of 1st memo item
>>>>>>>>>>>512 ubyte >037
# skip some Microsoft Visual C, OMF library like: BZ2.LIB WATTCPWL.LIB ZLIB.LIB
>>>>>>>>>>>>512 ubyte <0200
# skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character
>>>>>>>>>>>>>513 ubyte >037
# skip few (8/758) Microsoft Event Trace Logs (WBEngine.3.etl Wifi.etl) with valid 1st item like
# "9600.20369.amd64fre.winblue_ltsb_escrow.220427-1727"
# "9600.19846.amd64fre.winblue_ltsb_escrow.200923-1735"
# "10586.494.amd64fre.th2_release_sec.160630-1736"
# by looking for valid terminating character Ctrl-Z
>>>>>>>>>>>>>>513 search/0x11E \032
# followed by second character Ctrl-Z implies typical DBT
>>>>>>>>>>>>>>>&0 ubyte 032
# examples like: angest.dbt
>>>>>>>>>>>>>>>>0 use dbase3-memo-print
>>>>>>>>>>>>>>>&0 ubyte 0
# no example found here with terminating sequence CTRL-Z + \0
>>>>>>>>>>>>>>>>0 use dbase3-memo-print
# dBASE IV DBT with positive block size
>>>>>>>20 uleshort >0
# dBASE IV DBT with valid block length like 512, 1024
# multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero
# skip also 3600h 3E00h size
>>>>>>>>20 uleshort&0xE00f 0
>>>>>>>>>0 use dbase4-memo-print

# Print the information of dBase III DBT memo file
0 name dbase3-memo-print
>0 ubyte x dBase III DBT
!:mime application/x-dbt
!:ext dbt
# instead 3 as version number 0 for unusual examples like biblio.dbt
>16 ubyte !3 \b, version number %u
# Number of next available block for appending data
#>0 lelong =0 \b, next free block index %u
>0 lelong !0 \b, next free block index %u
# no positive block length
#>20 uleshort =0 \b, block length %u
>20 uleshort !0 \b, block length %u
# dBase III memo field terminated often by \032\032
# like: "WHAT IS XBASE" test.dbt "Borges, Malte" biblio.dbt "First memo\032\032" T2.DBT
>512 string >\0 \b, 1st item "%s"
# For DEBUGGING
#>512 ubelong x \b, 1ST item %#8.8x
#>513 search/0x225 \032 FOUND_TERMINATOR
#>>&0 ubyte 032 2xCTRL_Z
# fsadress.dbt has 1 Ctrl-Z terminator followed by nil byte
#>>&0 ubyte 0 1xCTRL_Z

# https://www.clicketyclick.dk/databases/xbase/format/dbt.html
# Print the information of dBase IV DBT memo file
0 name dbase4-memo-print
>0 lelong x dBase IV DBT
!:mime application/x-dbt
!:ext dbt
# 8 character shortened main name of corresponding dBASE IV DBF file
>8 ubelong >0x20000000
# skip unusual like for angest.dbt
>>20 uleshort >0
>>>8 string >\0 \b of %-.8s.DBF
# value 0 implies 512 as size
#>4 ulelong =0 \b, blocks size %u
# size of blocks not reliable like 0x2020204C in angest.dbt
>4 ulelong !0
>>4 ulelong&0x0000003f 0 \b, blocks size %u
# dBase IV DBT with positive block length (found 512 , 1024)
>20 uleshort >0 \b, block length %u
# next available block
#>0 lelong =0 \b, next free block index %u
>0 lelong !0 \b, next free block index %u
>20 uleshort >0
>>(20.s) ubelong x
>>>&-4 use dbase4-memofield-print
# unusual dBase IV DBT without block length (implies 512 as length)
>20 uleshort =0
>>512 ubelong x
>>>&-4 use dbase4-memofield-print
# Print the information of dBase IV memo field
0 name dbase4-memofield-print
# free dBase IV memo field
>0 ubelong !0xFFFF0800
>>0 lelong x \b, next free block %u
>>4 lelong x \b, next used block %u
# used dBase IV memo field
>0 ubelong =0xFFFF0800
# length of memo field
>>4 lelong x \b, field length %d
>>>8 string >\0 \b, 1st used item "%s"
# http://www.dbfree.org/webdocs/1-documentation/0018-developers_stuff_(advanced)/os_related_stuff/xbase_file_format.htm
# Print the information of FoxPro FPT memo file
0 name foxpro-memo-print
>0 belong x FoxPro FPT
!:mime application/x-fpt
!:ext fpt
# Size of blocks for FoxPro ( 64,256 ); probably a multiple of two
>6 ubeshort x \b, blocks size %u
# next available block
#>0 belong =0 \b, next free block index %u
>0 belong !0 \b, next free block index %u
# field type ( 0~picture, 1~memo, 2~object )
>512 ubelong <3 \b, field type %u
# length of memo field
>512 ubelong 1
>>516 belong >0 \b, field length %d
>>>520 string >\0 \b, 1st item "%s"

# Summary: DBASE Compound Index file *.CDX and FoxPro index *.IDX
# From: Joerg Jenderek
# URL: https://www.clicketyclick.dk/databases/xbase/format/cdx.html
# https://www.clicketyclick.dk/databases/xbase/format/idx.html
# https://www.clicketyclick.dk/databases/xbase/format/idx_comp.html
# Reference: https://mark0.net/download/triddefs_xml.7z/defs/s/sybase-ianywhere-cdx.trid.xml
# https://mark0.net/download/triddefs_xml.7z/defs/c/cdx-vfp7.trid.xml
# like: kunde.cdx
0 ulelong 0x1C00
>0 use xbase-index
# like: SYLLABI2.CDX SYLLABUS.CDX
0 ulelong 0x0800
>0 use xbase-index
# often in xBase index pointer to root node 400h
0 ulelong 0x0400
# skip most Maple help database *.hdb with version tag handled by ./maple
>1028 string !version
# skip Maple help database hsum.hdb checking for valid reserved area
>>492 quad =0
# skip remaining Maple help database *.hdb by checking key length
#>>>12 uleshort !0x000F KEY_LENGTHVALID
>>>0 use xbase-index
# display information about dBase/FoxPro index
0 name xbase-index
>0 ulelong x xBase
!:mime application/x-dbase-index
>14 ubyte &0x40 compound index
# DCX for FoxPro database index like: TESTDATA.DCX
!:ext cdx/dcx
>14 ubyte ^0x40 index
# only 1 example like: TEST.IDX
!:ext idx
# pointer to root node like: 1C00h 800h often 400h
>0 ulelong !0x400 \b, root pointer %#x
# Pointer to free node list: often 0 but -1 if not present
>4 ulelong !0 \b, free node pointer %#x
# MAYBE number of pages in file (Foxbase, FoxPro 1.x) or
# http://www.foxpert.com/foxpro/knowlbits/files/knowlbits_200708_1.HTM
# Whenever Visual FoxPro updates the index file it increments this reserved field
# Reserved for internal use like: 02000000h 03000000h 460c0000h 780f0000h 89000000h 9fdc0100h often 0
>8 ulelong !0 \b, reserved counter %#x
# length of key like: mostly 000Ah 0028h (TEST.IDX)
>12 uleshort !0x000A \b, key length %#x
# index options like: 24h E0h E8h
# 1~a unique index 8~index has FOR clause 32~compact index format 64~compound index header
# 16~Bit vector (SoftC) 128~Structure index (FoxPro)
>14 ubyte x \b, index options (%#x
>14 ubyte &0x01 \b, unique
>14 ubyte &0x08 \b, has FOR clause
>14 ubyte &0x10 \b, bit vector (SoftC)
>14 ubyte &0x20 \b, compact format
#>14 ubyte &0x40 \b, compound header
>14 ubyte &0x80 \b, structure
>14 ubyte x \b)
# WHAT EXACTLY IS THAT? index signature like: 0 (sybase-ianywhere-cdx.trid.xml) 1 (cdx-vfp7.trid.xml)
>15 ubyte !0 \b, index signature %u
# reserved area (0-bytes) til about 500, but not for uncompressed Index files *.idx
>16 quad !0 \b, at 16 reserved %#llx
>492 quad !0 \b, at 492 reserved %#llx
# for IDX variant
#>14 ubyte ^0x40 IDX
# for CDX variant
>14 ubyte &0x40
# Ascending or descending: 0~ascending 1~descending
>>502 uleshort x \b, sort order %u
# Total expression length (FoxPro 2) like: 0 1
>>504 uleshort !0 \b, expression length %u
# FOR expression pool length like: 1
>>506 uleshort !1 \b, FOR expression pool length %#x
# reserved for internal use like: 0
>>508 uleshort !0 \b, at 0x508 reserved %#x
# Key expression pool length like: 1
>>510 uleshort !1 \b, key expression pool length %#x
# 512 - 1023 Key & FOR expression pool (uncompiled)
>>512 quad !0 \b, key expression pool %#llx
#>>520 quad !0 \b, key expression pool %#llx

# Summary: dBASE IV Printer Form *.PRF
# From: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/.dbf#Other_file_types_found_in_dBASE
# Reference: https://mark0.net/download/triddefs_xml.7z/defs/p/prf-dbase.trid.xml
0 ubeshort 0x0400
# skip some Xbase Index files *.ndx and Infocom (Z-machine 4) *.z4 handled by ./adventure
# by looking for valid printer driver name extension
>0x58 search/8 .PR2
>>0 use xbase-prf
# display information of dbase print form like printer driver *.PR2
0 name xbase-prf dBase Printer Form
!:mime application/x-dbase-prf
!:ext prf
# MAYBE version? like: 4~DBASE IV
#>0 ubyte x \b, version %u
# MAYBE flag like: 1~with output file name 0~not
#>2 ubyte !0 \b, flag %u
# optional printer text output file name like E:\DBASE\IV\T6.txt
>3 string >\0 \b, output file %s
# probably padding with nils til 0x53
#>0x48 uquad !0 \b, at 0x48 padding %#llx
# dBASE IV printer driver name like: Generic.PR2 ASCII.PR2
>0x56 string >\0 \b, using printer driver %s
# 2 is probably last character of previous dBASE printer driver name
#>0x60 ubyte !0x32 \b, at 0x60 %#x
# probably padding with nils til 0xa8
#>0x61 uquad !0 \b, at 0x61 padding %#llx
# unknown 0x03020300 0x03020100 at 0xa8
>0xa8 ubelong x \b, at 0xa8 unknown %#8.8x
# probably padding with nils til 0x2aa
#>0x2a0 uquad !0 \b, at 0x2a0 padding %#llx
# unknown 0x100ff7f01000001 at 0x2AB
>0x2ab ubequad !0x100ff7f01000001 \b, at 0x2ab unknown %#llx
# unknown 0x0042 at 0x2b3
>0x2b3 ubeshort !0x0042 \b, at 0x2b3 unknown %#4.4x
# unknown last 4 bytes at 0x2b6 like: 0 0x23
>0x2b6 ubelong !0 \b, at 0x2b6 unknown %#8.8x

# TODO:
# DBASE index file *.NDX
# dBASE compiled Format *.FMO
# FoxPro Database memo file *.DCT
# FoxPro Forms Memo *.SCT
# FoxPro Generated Menu Program *.MPR
# FoxPro Report *.FRX
# FoxPro Report Memo *.FRT
# Foxpro Generated Screen Program *.SPR
# Foxpro memo *.PJT
## End of XBase database stuff

# MS Access database
4 string Standard\ Jet\ DB Microsoft Access Database
!:mime application/x-msaccess
4 string Standard\ ACE\ DB Microsoft Access Database
!:mime application/x-msaccess

# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Extensible_Storage_Engine
# Reference: https://github.com/libyal/libesedb/archive/master.zip
# libesedb-master/documentation/
# Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc
# Note: also known as "JET Blue". Used by numerous Windows components such as
# Windows Search, Mail, Exchange and Active Directory.
4 ubelong 0xefcdab89
# unknown1
>132 ubelong 0 Extensible storage engine
!:mime application/x-ms-ese
# file_type 0~database 1~stream
>>12 ulelong 0 DataBase
# Security DataBase (sdb)
!:ext edb/sdb
>>12 ulelong 1 STreaMing
!:ext stm
# format_version 620h
>>8 uleshort x \b, version %#x
>>10 uleshort >0 revision %#4.4x
>>0 ubelong x \b, checksum %#8.8x
# Page size 4096 8192 32768
>>236 ulequad x \b, page size %lld
# database_state
>>52 ulelong 1 \b, JustCreated
>>52 ulelong 2 \b, DirtyShutdown
#>>52 ulelong 3 \b, CleanShutdown
>>52 ulelong 4 \b, BeingConverted
>>52 ulelong 5 \b, ForceDetach
# Windows NT major version when the databases indexes were updated.
>>216 ulelong x \b, Windows version %d
# Windows NT minor version
>>220 ulelong x \b.%d

# From: Joerg Jenderek
# URL: https://forensicswiki.org/wiki/Windows_Application_Compatibility
# Note: files contain application compatibility fixes, application compatibility modes and application help messages.
8 string sdbf
>7 ubyte 0
# TAG_TYPE_LIST+TAG_INDEXES
>>12 uleshort 0x7802 Windows application compatibility Shim DataBase
# version? 2 3
#>>>0 ulelong x \b, version %d
!:mime application/x-ms-sdb
!:ext sdb

# TDB database from Samba et al - Martin Pool <mbp@samba.org>
0 string TDB\ file TDB database
>32 lelong 0x2601196D version 6, little-endian
>>36 lelong x hash size %d bytes

# ICE authority file data (Wolfram Kleff)
2 string ICE ICE authority data

# X11 Xauthority file (Wolfram Kleff)
10 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
11 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
12 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
13 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
14 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
15 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
16 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
17 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
18 string MIT-MAGIC-COOKIE-1 X11 Xauthority data

# From: Maxime Henrion <mux@FreeBSD.org>
# PostgreSQL's custom dump format, Maxime Henrion <mux@FreeBSD.org>
0 string PGDMP PostgreSQL custom database dump
>5 byte x - v%d
>6 byte x \b.%d
>5 beshort <0x101 \b-0
>5 beshort >0x100
>>7 byte x \b-%d

# Type: Advanced Data Format (ADF) database
# URL: https://www.grc.nasa.gov/WWW/cgns/adf/
# From: Nicolas Chauvat <nicolas.chauvat@logilab.fr>
0 string @(#)ADF\ Database CGNS Advanced Data Format

# Tokyo Cabinet magic data
# http://tokyocabinet.sourceforge.net/index.html
0 string ToKyO\ CaBiNeT\n Tokyo Cabinet
>14 string x \b (%s)
>32 byte 0 \b, Hash
!:mime application/x-tokyocabinet-hash
>32 byte 1 \b, B+ tree
!:mime application/x-tokyocabinet-btree
>32 byte 2 \b, Fixed-length
!:mime application/x-tokyocabinet-fixed
>32 byte 3 \b, Table
!:mime application/x-tokyocabinet-table
>33 byte &1 \b, [open]
>33 byte &2 \b, [fatal]
>34 byte x \b, apow=%d
>35 byte x \b, fpow=%d
>36 byte &0x01 \b, [large]
>36 byte &0x02 \b, [deflate]
>36 byte &0x04 \b, [bzip]
>36 byte &0x08 \b, [tcbs]
>36 byte &0x10 \b, [excodec]
>40 lequad x \b, bnum=%lld
>48 lequad x \b, rnum=%lld
>56 lequad x \b, fsiz=%lld

# Type: QDBM Quick Database Manager
# From: Benoit Sibaud <bsibaud@april.org>
0 string \\[depot\\]\n\f Quick Database Manager, little endian
0 string \\[DEPOT\\]\n\f Quick Database Manager, big endian

# Type: TokyoCabinet database
# URL: http://tokyocabinet.sourceforge.net/
# From: Benoit Sibaud <bsibaud@april.org>
0 string ToKyO\ CaBiNeT\n TokyoCabinet database
>14 string x (version %s)

# From: Stephane Blondon https://www.yaal.fr
# Database file for Zope (done by FileStorage)
0 string FS21 Zope Object Database File Storage v3 (data)
0 string FS30 Zope Object Database File Storage v4 (data)

# Cache file for the database of Zope (done by ClientStorage)
0 string ZEC3 Zope Object Database Client Cache File (data)

# IDA (Interactive Disassembler) database
0 string IDA0 IDA (Interactive Disassembler) database
0 string IDA1 IDA (Interactive Disassembler) database
0 string IDA2 IDA (Interactive Disassembler) database

# Hopper (reverse engineering tool) https://www.hopperapp.com/
0 string hopperdb Hopper database

# URL: https://en.wikipedia.org/wiki/Panorama_(database_engine)
# Reference: http://www.provue.com/Panorama/
# From: Joerg Jenderek
# NOTE: test only versions 4 and 6.0 with Windows
# length of Panorama database name
5 ubyte >0
# look after database name for "some" null bits
>(5.B+7) ubelong&0xF3ffF000 0
# look for first keyword
>>&1 search/2 DESIGN Panorama database
#!:mime application/x-panorama-database
!:apple KASXZEPD
!:ext pan
# database name
>>>5 pstring x \b, "%s"

#
#
# askSam Database by Stefan A. Haubenthal <polluks@web.de>
0 string askw40\0 askSam DB

#
#
# MUIbase Database Tool by Stefan A. Haubenthal <polluks@web.de>
0 string MBSTV\040 MUIbase DB
>6 string x version %s

#
# CDB database
0 string NBCDB\012 NetBSD Constant Database
>7 byte x \b, version %d
>8 string x \b, for '%s'
>24 lelong x \b, datasize %d
>28 lelong x \b, entries %d
>32 lelong x \b, index %d
>36 lelong x \b, seed %#x

#
# Redis RDB - https://redis.io/topics/persistence
0 string REDIS Redis RDB file,
>5 regex [0-9][0-9][0-9][0-9] version %s

# Mork database.
# Used by older versions of Mozilla Suite and Firefox,
# and current versions of Thunderbird.
# From: David Korth <gerbilsoft@gerbilsoft.com>
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Mork
# https://en.wikipedia.org/wiki/Mork_(file_format)
# Note: called "Mork" by DROID via fmt/612
0 string //\ <!--\ <mdb:mork:z\ v=" Mozilla Mork database
# display Mozilla Mork database (strength=260=260+0) before "exported SGML document" (strength=28=38-10) via ./sgml
#!:strength +0
#!:mime text/plain
!:mime text/x-mozilla-mork
# version like 1.4
>23 string x \b, version %.3s
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/msf.trid.xml
# Note: called "Mozilla Mail Summary file" by TrID
>26 search/7516 mailboxName \b, Mail Summary file
# like: Archives.msf Drafts.msf INBOX.msf Junk.msf Sent.msf Templates.msf Trash.msf
!:ext msf
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mab.trid.xml
# Note: called "Mozilla Address Book" by TrID
>26 search/192 addrbk \b, Address Book
!:ext mab
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dat-mork.trid.xml
# Note: called "Mozilla Mail folder cache" by TrID
>26 search/210 indexingPriority \b, Mail folder cache
# panacea.dat
!:ext dat

# URL: https://en.wikipedia.org/wiki/Management_Information_Format
# Reference: https://www.dmtf.org/sites/default/files/standards/documents/DSP0005.pdf
#
From: Joerg Jenderek 898# Note: only tested with monitor asset reports of Dell Display Manager 899# skip start like Language=fr|CA|iso8859-1 9000 search/27/C Start\040Component DMI Management Information Format 901#!:mime text/plain 902!:mime text/x-dmtf-mif 903!:ext mif 904 905# https://github.com/boltdb/bolt 906# https://github.com/etcd-io/bbolt 907# See magic value here: https://github.com/boltdb/bolt/blob/fd01fc79c553a8e99d512a07e8e0c63d4a3ccfc5/db.go#L24 908# The magic value is written according to endianess of the host, 909# so we check both to detect them also on hosts with differnet endianess 91016 lelong 0xED0CDAED BoltDB database 91116 belong 0xED0CDAED BoltDB database, big-endian 912