#------------------------------------------------------------------------------ # $File: database,v 1.72 2024/09/13 20:05:17 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) # # # GDBM magic numbers # Will be maintained as part of the GDBM distribution in the future. # 0 belong 0x13579acd GNU dbm 1.x or ndbm database, big endian, 32-bit !:mime application/x-gdbm 0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian, old !:mime application/x-gdbm 0 belong 0x13579acf GNU dbm 1.x or ndbm database, big endian, 64-bit !:mime application/x-gdbm 0 lelong 0x13579acd GNU dbm 1.x or ndbm database, little endian, 32-bit !:mime application/x-gdbm 0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian, old !:mime application/x-gdbm 0 lelong 0x13579acf GNU dbm 1.x or ndbm database, little endian, 64-bit !:mime application/x-gdbm 0 string GDBM GNU dbm 2.x database !:mime application/x-gdbm # # Berkeley DB # # Ian Darwin's file /etc/magic files: big/little-endian version. # # Hash 1.85/1.86 databases store metadata in network byte order. # Btree 1.85/1.86 databases store the metadata in host byte order. # Hash and Btree 2.X and later databases store the metadata in host byte order. 0 long 0x00061561 Berkeley DB !:mime application/x-dbm >8 belong 4321 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, native byte-order) >8 belong 1234 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, little-endian) 0 belong 0x00061561 Berkeley DB >8 belong 4321 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, big-endian) >8 belong 1234 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, native byte-order) 0 long 0x00053162 Berkeley DB 1.85/1.86 >4 long >0 (Btree, version %d, native byte-order) 0 belong 0x00053162 Berkeley DB 1.85/1.86 >4 belong >0 (Btree, version %d, big-endian) 0 lelong 0x00053162 Berkeley DB 1.85/1.86 >4 lelong >0 (Btree, version %d, little-endian) 12 long 0x00061561 Berkeley DB >16 long >0 (Hash, version %d, native byte-order) 12 belong 0x00061561 Berkeley DB >16 belong >0 (Hash, version %d, big-endian) 12 lelong 0x00061561 Berkeley DB >16 lelong >0 (Hash, version %d, little-endian) 12 long 0x00053162 Berkeley DB >16 long >0 (Btree, version %d, native byte-order) 12 belong 0x00053162 Berkeley DB >16 belong >0 (Btree, version %d, big-endian) 12 lelong 0x00053162 Berkeley DB >16 lelong >0 (Btree, version %d, little-endian) 12 long 0x00042253 Berkeley DB >16 long >0 (Queue, version %d, native byte-order) 12 belong 0x00042253 Berkeley DB >16 belong >0 (Queue, version %d, big-endian) 12 lelong 0x00042253 Berkeley DB >16 lelong >0 (Queue, version %d, little-endian) # From Max Bowsher. 12 long 0x00040988 Berkeley DB >16 long >0 (Log, version %d, native byte-order) 12 belong 0x00040988 Berkeley DB >16 belong >0 (Log, version %d, big-endian) 12 lelong 0x00040988 Berkeley DB >16 lelong >0 (Log, version %d, little-endian) # # # Round Robin Database Tool by Tobias Oetiker 0 string/b RRD\0 RRDTool DB >4 string/b x version %s >>10 short !0 16bit aligned >>>10 bedouble 8.642135e+130 big-endian >>>>18 short x 32bit long (m68k) >>10 short 0 >>>12 long !0 32bit aligned >>>>12 bedouble 8.642135e+130 big-endian >>>>>20 long 0 64bit long >>>>>20 long !0 32bit long >>>>12 ledouble 8.642135e+130 little-endian >>>>>24 long 0 64bit long >>>>>24 long !0 32bit long (i386) >>>>12 string \x43\x2b\x1f\x5b\x2f\x25\xc0\xc7 middle-endian >>>>>24 short !0 32bit long (arm) >>8 quad 0 64bit aligned >>>16 bedouble 8.642135e+130 big-endian >>>>24 long 0 64bit long (s390x) >>>>24 long !0 32bit long (hppa/mips/ppc/s390/SPARC) >>>16 ledouble 8.642135e+130 little-endian >>>>28 long 0 64bit long (alpha/amd64/ia64) >>>>28 long !0 32bit long (armel/mipsel) #---------------------------------------------------------------------- # ROOT: file(1) magic for ROOT databases # 0 string root\0 ROOT file >4 belong x Version %d >33 belong x (Compression: %d) # XXX: Weak magic. # Alex Ott ## Paradox file formats #2 leshort 0x0800 Paradox #>0x39 byte 3 v. 3.0 #>0x39 byte 4 v. 3.5 #>0x39 byte 9 v. 4.x #>0x39 byte 10 v. 5.x #>0x39 byte 11 v. 5.x #>0x39 byte 12 v. 7.x #>>0x04 byte 0 indexed .DB data file #>>0x04 byte 1 primary index .PX file #>>0x04 byte 2 non-indexed .DB data file #>>0x04 byte 3 non-incrementing secondary index .Xnn file #>>0x04 byte 4 secondary index .Ynn file #>>0x04 byte 5 incrementing secondary index .Xnn file #>>0x04 byte 6 non-incrementing secondary index .XGn file #>>0x04 byte 7 secondary index .YGn file #>>>0x04 byte 8 incrementing secondary index .XGn file ## XBase database files # updated by Joerg Jenderek at Feb 2013 # https://www.dbase.com/Knowledgebase/INT/db7_file_fmt.htm # https://www.clicketyclick.dk/databases/xbase/format/dbf.html # inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 0 ubelong&0x0000FFFF <0x00000C20 !:strength +10 # skip Infocom game Z-machine >2 ubyte >0 # skip Androids *.xml >>3 ubyte >0 >>>3 ubyte <32 # 1 < version VV >>>>0 ubyte >1 # skip HELP.CA3 by test for reserved byte ( NULL ) >>>>>27 ubyte 0 # reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF) #>>>>>30 ubeshort x 30NULL?%x # possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) >>>>>>24 ubelong&0xffFFFFff >0x01302000 # .DBF or .MDX >>>>>>24 ubelong&0xffFFFFff <0x01302001 # for Xbase Database file (*.DBF) reserved (NULL) for multi-user >>>>>>>24 ubelong&0xffFFFFff =0 # test for 2 reserved NULL bytes,transaction and encryption byte flag >>>>>>>>12 ubelong&0xFFFFfEfE 0 # test for MDX flag >>>>>>>>>28 ubyte x >>>>>>>>>28 ubyte&0xf8 0 # header size >= 32 >>>>>>>>>>8 uleshort >31 # skip PIC15736.PCX by test for language driver name or field name >>>>>>>>>>>32 ubyte >0 #!:mime application/x-dbf; charset=unknown-8bit ?? #!:mime application/x-dbase >>>>>>>>>>>>0 use xbase-type # database file >>>>>>>>>>>>28 ubyte&0x04 =0 \b DBF !:ext dbf >>>>>>>>>>>>28 ubyte&0x04 =4 \b DataBaseContainer !:ext dbc >>>>>>>>>>>>4 lelong 0 \b, no records >>>>>>>>>>>>4 lelong >0 \b, %d record # plural s appended >>>>>>>>>>>>>4 lelong >1 \bs # https://www.clicketyclick.dk/databases/xbase/format/dbf_check.html#CHECK_DBF # 1 <= record size <= 4000 (dBase 3,4) or 32 * KB (=0x8000) >>>>>>>>>>>>10 uleshort x * %d # file size = records * record size + header size >>>>>>>>>>>>1 ubyte x \b, update-date >>>>>>>>>>>>1 use xbase-date # https://msdn.microsoft.com/de-de/library/cc483186(v=vs.71).aspx #>>>>>>>>>>>>29 ubyte =0 \b, codepage ID=%#x # 2~cp850 , 3~cp1252 , 0x1b~?? ; what code page is 0x1b ? >>>>>>>>>>>>29 ubyte >0 \b, codepage ID=%#x #>>>>>>>>>>>>28 ubyte&0x01 0 \b, no index file # MDX or CDX index >>>>>>>>>>>>28 ubyte&0x01 1 \b, with index file .MDX >>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT #>>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer # 1st record offset + 1 = header size >>>>>>>>>>>>8 uleshort >0 >>>>>>>>>>>>(8.s+1) ubyte >0 >>>>>>>>>>>>>8 uleshort >0 \b, at offset %d >>>>>>>>>>>>>(8.s+1) ubyte >0 >>>>>>>>>>>>>>&-1 string >\0 1st record "%s" # for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) >>>>>>>24 ubelong&0x0133f7ff >0 # test for reserved NULL byte >>>>>>>>47 ubyte 0 # test for valid TAG key format (0x10 or 0) >>>>>>>>>559 ubyte&0xeF 0 # test MM <= 12 >>>>>>>>>>45 ubeshort <0x0C20 >>>>>>>>>>>45 ubyte >0 >>>>>>>>>>>>46 ubyte <32 >>>>>>>>>>>>>46 ubyte >0 #!:mime application/x-mdx >>>>>>>>>>>>>>0 use xbase-type >>>>>>>>>>>>>>0 ubyte x \b MDX >>>>>>>>>>>>>>1 ubyte x \b, creation-date >>>>>>>>>>>>>>1 use xbase-date >>>>>>>>>>>>>>44 ubyte x \b, update-date >>>>>>>>>>>>>>44 use xbase-date # No.of tags in use (1,2,5,12) >>>>>>>>>>>>>>28 uleshort x \b, %d # No. of entries in tag (0x30) >>>>>>>>>>>>>>25 ubyte x \b/%d tags # Length of tag >>>>>>>>>>>>>>26 ubyte x * %d # 1st tag name_ >>>>>>>>>>>>>548 string x \b, 1st tag "%.11s" # 2nd tag name #>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s" # # Print the xBase names of different version variants 0 name xbase-type >0 ubyte <2 # 1 < version >0 ubyte >1 >>0 ubyte 0x02 FoxBase !:mime application/x-dbf # like: ACCESS.DBF USER.DBF dbase3date.dbf mitarbei.dbf produkte.dbf umlaut-test-v2.dbf # FoxBase+/dBaseIII+, no memo >>0 ubyte 0x03 FoxBase+/dBase III !:mime application/x-dbf # like: 92DATA.DBF MSCATLOG.DBF SYLLABI2.DBF SYLLABUS.DBF T4.DBF Teleadr.dbf us_city.dbf # dBASE IV no memo file >>0 ubyte 0x04 dBase IV !:mime application/x-dbf # like: Quattro-test11.dbf umlaut-test-v4.dbf # dBASE V no memo file >>0 ubyte 0x05 dBase V !:mime application/x-dbf # like: dbase4double.dbf Quattro-test2.dbf umlaut-test7.dbf !:ext dbf # probably Apollo Database Server 9.7? xBase (0x6) >>0 ubyte 0x06 Apollo !:mime application/x-dbf # like: ALIAS.DBF CRYPT.DBF PROCS.DBF USERS.DBF # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) >>0 ubyte 0x2F FoxBase+/Dbase III plus, no memo !:mime application/x-dbf # no example >>0 ubyte 0x30 Visual FoxPro !:mime application/x-dbf # like: 26FRX.DBF 30DBC.DBF 30DBCPRO.DBF BEHINDSC.DBF USER_LEV.DBF # Microsoft Visual FoxPro Database Container File like: FOXPRO-DB-TEST.DBC TESTDATA.DBC TASTRADE.DBC >>0 ubyte 0x31 Visual FoxPro, autoincrement !:mime application/x-dbf # like: AI_Table.DBF dbase_31.dbf w_cityFoxpro.dbf # Visual FoxPro, with field type Varchar or Varbinary >>0 ubyte 0x32 Visual FoxPro, with field type Varchar !:mime application/x-dbf # like: dbase_32.dbf # dBASE IV SQL, no memo;dbv memo var size (Flagship) >>0 ubyte 0x43 dBase IV, with SQL table !:mime application/x-dbf # like: ASSEMBLY.DBF INVENTRY.DBF STAFF.DBF # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) >>0 ubyte 0x62 dBase IV, with SQL table #!:mime application/x-dbf # no example # dBASE IV, with memo!! >>0 ubyte 0x7b dBase IV, with memo !:mime application/x-dbf # like: test3memo.DBF dbase5.DBF # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) >>0 ubyte 0x82 dBase IV, with SQL system #!:mime application/x-dbf # no example # FoxBase+/dBaseIII+ with memo .DBT! >>0 ubyte 0x83 FoxBase+/dBase III, with memo .DBT !:mime application/x-dbf # like: T2.DBF t3.DBF biblio.dbf dbase_83.dbf dbase3dbt0_4.dbf fsadress.dbf stop.dbf # VISUAL OBJECTS (first 1.0 versions) for the Dbase III files (NTX clipper driver); memo file >>0 ubyte 0x87 VISUAL OBJECTS, with memo file !:mime application/x-dbf # like: ACCESS.DBF dbase3date.dbf dbase3float.dbf holdings.dbf mitarbei.dbf # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) >>0 ubyte 0x8A FoxBase+/dBase III, with memo .DBT #!:mime application/x-dbf # no example # dBASE IV with memo! >>0 ubyte 0x8B dBase IV, with memo .DBT !:mime application/x-dbf # like: animals.dbf archive.dbf callin.dbf dbase_8b.dbf phnebook.dbf t6.dbf # dBase IV with SQL Table,no memo? >>0 ubyte 0x8E dBase IV, with SQL table !:mime application/x-dbf # like: dbase5.DBF test3memo.DBF test-memo.DBF # .dbv and .dbt memo (Flagship)? >>0 ubyte 0xB3 Flagship !:mime application/x-dbf # no example # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) >>0 ubyte 0xCA dBase IV with memo .DBT #!:mime application/x-dbf # no example # dBASE IV with SQL table, with memo .DBT >>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT !:mime application/x-dbf # like: dbase5.DBF test3memo.DBF test-memo.DBF # HiPer-Six format;Clipper SIX, with SMT memo file >>0 ubyte 0xE5 Clipper SIX with memo !:mime application/x-dbf # like: dbase5.DBF test3memo.DBF test-memo.DBF testClipper.dbf DATA.DBF # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) >>0 ubyte 0xF4 dBase IV, with SQL table, with memo #!:mime application/x-dbf # no example >>0 ubyte 0xF5 FoxPro with memo !:mime application/x-dbf # like: CUSTOMER.DBF FOXUSER1.DBF Invoice.DBF NG.DBF OBJSAMP.DBF dbase_f5.dbf kunde.dbf # probably Apollo Database Server 9.7 with SQL and memo mask? xBase (0xF6) >>0 ubyte 0xF6 Apollo, with SQL table with memo !:mime application/x-dbf # like: SCRIPTS.DBF # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) #>>0 ubyte 0xFA FoxPro 2.x, with memo #!:mime application/x-dbf # no example # unknown version (should not happen) >>0 default x xBase !:mime application/x-dbf >>>0 ubyte x (%#x) # flags in version byte # DBT flag (with dBASE III memo .DBT)!! # >>0 ubyte&0x80 >0 DBT_FLAG=%x # memo flag ?? # >>0 ubyte&0x08 >0 MEMO_FLAG=%x # SQL flag ?? # >>0 ubyte&0x70 >0 SQL_FLAG=%x # test and print the date of xBase .DBF .MDX 0 name xbase-date # inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 >0 ubelong x >1 ubyte <13 >>1 ubyte >0 >>>2 ubyte >0 >>>>2 ubyte <32 >>>>>0 ubyte x # YY is interpreted as 20YY or 19YY >>>>>>0 ubyte <100 \b %.2d # YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY >>>>>>0 ubyte >99 \b %d >>>>>1 ubyte x \b-%d >>>>>2 ubyte x \b-%d # dBase memo files .DBT or .FPT # https://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx 16 ubyte <4 >16 ubyte !2 >>16 ubyte !1 # next free block index is positive >>>0 ulelong >0 # skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size >>>>17 ubelong&0xFFfdFEff 0x00000000 # skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h >>>>>20 ubelong&0xFF01209B 0x00000000 # dBASE III >>>>>>16 ubyte 3 # skip with invalid "low" 1st item "\0\0\0\0" StateRepository-Deployment.srd-shm "\001\010\0\0" gcry_cast5.mod >>>>>>>512 ubyte >040 # skip with valid 1st item "rintf" keylayouts.mod # by looking for valid terminating character Ctrl-Z like in test.dbt >>>>>>>>513 search/3308 \032 # skip GRUB plan9.mod with invalid second terminating character 007 # by checking second terminating character Ctrl-Z like in test.dbt >>>>>>>>>&0 ubyte 032 # dBASE III DBT with two Ctr-Z terminating characters >>>>>>>>>>0 use dbase3-memo-print # second terminating character \0 like in dbase-memo.dbt or GRUB nativedisk.mod >>>>>>>>>&0 ubyte 0 # skip GRUB nativedisk.mod with grub_mod_init\0grub_mod_fini\0grub_fs_autoload_hook\0 >>>>>>>>>>0x1ad string !grub_mod_init # like dbase-memo.dbt >>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage >>>>>>16 ubyte 0 # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF >>>>>>>20 uleshort 0 # FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage >>>>>>>>8 ulong =0 >>>>>>>>>6 ubeshort >0 # skip emacs.PIF >>>>>>>>>>4 ushort 0 # check for valid FoxPro field type >>>>>>>>>>>512 ubelong <3 # skip LXMDCLN4.OUT LXMDCLN6.OUT LXMDALG6.OUT with invalid blocksize 170=AAh >>>>>>>>>>>>6 ubeshort&0x002f 0 >>>>>>>>>>>>>0 use foxpro-memo-print # dBASE III DBT , garbage # skip WORD1XW.DOC with improbably high free block index >>>>>>>>>0 ulelong <0x400000 # skip WinStore.App.exe by looking for printable 2nd character of 1st memo item >>>>>>>>>>513 ubyte >037 # skip DOS executables CPQ0TD.DRV E30ODI.COM IBM0MONO.DRV by looking for printable 1st character of 1st memo item >>>>>>>>>>>512 ubyte >037 # skip few (14/758) Microsoft Event Trace Logs (boot_BASE+CSWITCH_1.etl DlTel-Merge.etl UpdateUx.006.etl) with invalid "high" 1st item \377\377 >>>>>>>>>>>>512 ubyte <0377 # skip some Commodore 64 Art Studio (Deep_Strike.aas dragon's_lair_ii.aas), some Atari DEGAS Elite bitmap (ELEPHANT.PC3 ST.PC2) # some probably old GRUB modules (part_sun.mod) and virtual-boy-wario-land.vb. # by looking for valid terminating character Ctrl-Z >>>>>>>>>>>>>513 search/523 \032 # Atari DEGAS bitmap ST.PC2 with 0370 as second terminating character #>>>>>>>>>>>>>>&0 ubyte x 2ND_CHAR_IS=%o # dBASE III DBT with two Ctr-Z terminating characters like dbase3dbt0_1.dbt dbase_83.dbt >>>>>>>>>>>>>>&0 ubyte 032 >>>>>>>>>>>>>>>0 use dbase3-memo-print # second terminating character \0 like in pcidump.mod or fsadress.dbt umlaut-dbf-cmd.dbt >>>>>>>>>>>>>>&0 ubyte 0 # look for old GRUB module pcidump.mod with specific content "pcidump\0Show raw dump of the PCI configuration space" >>>>>>>>>>>>>>>514 search/0x11E pcidump\0Show # dBASE III DBT with Ctr-Z + \0 terminating characters like fsadress.dbt >>>>>>>>>>>>>>>514 default x # unusual dBASE III DBT like fsadress.dbt umlaut-dbf-cmd.dbt >>>>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT like angest.dbt, or garbage PCX DBF >>>>>>>>8 ubelong !0 # skip PCX and some DBF by test for for reserved NULL bytes >>>>>>>>>510 ubeshort 0 # skip bad symples with improbably high free block index above 2 GiB file limit >>>>>>>>>>0 ulelong <0x400000 # skip AI070GEP.EPS by printable 1st character of 1st memo item >>>>>>>>>>>512 ubyte >037 # skip some Microsoft Visual C, OMF library like: BZ2.LIB WATTCPWL.LIB ZLIB.LIB >>>>>>>>>>>>512 ubyte <0200 # skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character >>>>>>>>>>>>>513 ubyte >037 # skip few (8/758) Microsoft Event Trace Logs (WBEngine.3.etl Wifi.etl) with valid 1st item like # "9600.20369.amd64fre.winblue_ltsb_escrow.220427-1727" # "9600.19846.amd64fre.winblue_ltsb_escrow.200923-1735" # "10586.494.amd64fre.th2_release_sec.160630-1736" # by looking for valid terminating character Ctrl-Z >>>>>>>>>>>>>>513 search/0x11E \032 # followed by second character Ctrl-Z implies typical DBT >>>>>>>>>>>>>>>&0 ubyte 032 # examples like: angest.dbt >>>>>>>>>>>>>>>>0 use dbase3-memo-print >>>>>>>>>>>>>>>&0 ubyte 0 # no example found here with terminating sequence CTRL-Z + \0 >>>>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE IV DBT with positive block size >>>>>>>20 uleshort >0 # dBASE IV DBT with valid block length like 512, 1024 # multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero # skip also 3600h 3E00h size >>>>>>>>20 uleshort&0xE00f 0 >>>>>>>>>0 use dbase4-memo-print # Print the information of dBase III DBT memo file 0 name dbase3-memo-print >0 ubyte x dBase III DBT !:mime application/x-dbt !:ext dbt # instead 3 as version number 0 for unusual examples like biblio.dbt >16 ubyte !3 \b, version number %u # Number of next available block for appending data #>0 lelong =0 \b, next free block index %u >0 lelong !0 \b, next free block index %u # no positive block length #>20 uleshort =0 \b, block length %u >20 uleshort !0 \b, block length %u # dBase III memo field terminated often by \032\032 # like: "WHAT IS XBASE" test.dbt "Borges, Malte" biblio.dbt "First memo\032\032" T2.DBT >512 string >\0 \b, 1st item "%s" # For DEBUGGING #>512 ubelong x \b, 1ST item %#8.8x #>513 search/0x225 \032 FOUND_TERMINATOR #>>&0 ubyte 032 2xCTRL_Z # fsadress.dbt has 1 Ctrl-Z terminator followed by nil byte #>>&0 ubyte 0 1xCTRL_Z # https://www.clicketyclick.dk/databases/xbase/format/dbt.html # Print the information of dBase IV DBT memo file 0 name dbase4-memo-print >0 lelong x dBase IV DBT !:mime application/x-dbt !:ext dbt # 8 character shorted main name of corresponding dBASE IV DBF file >8 ubelong >0x20000000 # skip unusual like for angest.dbt >>20 uleshort >0 >>>8 string >\0 \b of %-.8s.DBF # value 0 implies 512 as size #>4 ulelong =0 \b, blocks size %u # size of blocks not reliable like 0x2020204C in angest.dbt >4 ulelong !0 >>4 ulelong&0x0000003f 0 \b, blocks size %u # dBase IV DBT with positive block length (found 512 , 1024) >20 uleshort >0 \b, block length %u # next available block #>0 lelong =0 \b, next free block index %u >0 lelong !0 \b, next free block index %u >20 uleshort >0 >>(20.s) ubelong x >>>&-4 use dbase4-memofield-print # unusual dBase IV DBT without block length (implies 512 as length) >20 uleshort =0 >>512 ubelong x >>>&-4 use dbase4-memofield-print # Print the information of dBase IV memo field 0 name dbase4-memofield-print # free dBase IV memo field >0 ubelong !0xFFFF0800 >>0 lelong x \b, next free block %u >>4 lelong x \b, next used block %u # used dBase IV memo field >0 ubelong =0xFFFF0800 # length of memo field >>4 lelong x \b, field length %d >>>8 string >\0 \b, 1st used item "%s" # http://www.dbfree.org/webdocs/1-documentation/0018-developers_stuff_(advanced)/os_related_stuff/xbase_file_format.htm # Print the information of FoxPro FPT memo file 0 name foxpro-memo-print >0 belong x FoxPro FPT !:mime application/x-fpt !:ext fpt # Size of blocks for FoxPro ( 64,256 ); probably a multiple of two >6 ubeshort x \b, blocks size %u # next available block #>0 belong =0 \b, next free block index %u >0 belong !0 \b, next free block index %u # field type ( 0~picture, 1~memo, 2~object ) >512 ubelong <3 \b, field type %u # length of memo field >512 ubelong 1 >>516 belong >0 \b, field length %d >>>520 string >\0 \b, 1st item "%s" # Summary: DBASE Compound Index file *.CDX and FoxPro index *.IDX # From: Joerg Jenderek # URL: https://www.clicketyclick.dk/databases/xbase/format/cdx.html # https://www.clicketyclick.dk/databases/xbase/format/idx.html # https://www.clicketyclick.dk/databases/xbase/format/idx_comp.html # Reference: https://mark0.net/download/triddefs_xml.7z/defs/s/sybase-ianywhere-cdx.trid.xml # https://mark0.net/download/triddefs_xml.7z/defs/c/cdx-vfp7.trid.xml # like: kunde.cdx 0 ulelong 0x1C00 >0 use xbase-index # like: SYLLABI2.CDX SYLLABUS.CDX 0 ulelong 0x0800 >0 use xbase-index # often in xBase index pointer to root node 400h 0 ulelong 0x0400 # skip most Maple help database *.hdb with version tag handled by ./maple >1028 string !version # skip Maple help database hsum.hdb checking for valid reserved area >>492 quad =0 # skip remaining Maple help database *.hdb by checking key length #>>>12 uleshort !0x000F KEY_LENGTHVALID >>>0 use xbase-index # display information about dBase/FoxPro index 0 name xbase-index >0 ulelong x xBase !:mime application/x-dbase-index >14 ubyte &0x40 compound index # DCX for FoxPro database index like: TESTDATA.DCX !:ext cdx/dcx >14 ubyte ^0x40 index # only 1 example like: TEST.IDX !:ext idx # pointer to root node like: 1C00h 800h often 400h >0 ulelong !0x400 \b, root pointer %#x # Pointer to free node list: often 0 but -1 if not present >4 ulelong !0 \b, free node pointer %#x # MAYBE number of pages in file (Foxbase, FoxPro 1.x) or # http://www.foxpert.com/foxpro/knowlbits/files/knowlbits_200708_1.HTM # Whenever Visual FoxPro updates the index file it increments this reserved field # Reserved for internal use like: 02000000h 03000000h 460c0000h 780f0000h 89000000h 9fdc0100h often 0 >8 ulelong !0 \b, reserved counter %#x # length of key like: mostly 000Ah 0028h (TEST.IDX) >12 uleshort !0x000A \b, key length %#x # index options like: 24h E0h E8h # 1~a unique index 8~index has FOR clause 32~compact index format 64~compound index header # 16~Bit vector (SoftC) 128~Structure index (FoxPro) >14 ubyte x \b, index options (%#x >14 ubyte &0x01 \b, unique >14 ubyte &0x08 \b, has FOR clause >14 ubyte &0x10 \b, bit vector (SoftC) >14 ubyte &0x20 \b, compact format #>14 ubyte &0x40 \b, compound header >14 ubyte &0x80 \b, structure >14 ubyte x \b) # WHAT EXACTLY IS THAT? index signature like: 0 (sybase-ianywhere-cdx.trid.xml) 1 (cdx-vfp7.trid.xml) >15 ubyte !0 \b, index signature %u # reserved area (0-bytes) til about 500, but not for uncompressed Index files *.idx >16 quad !0 \b, at 16 reserved %#llx >492 quad !0 \b, at 492 reserved %#llx # for IDX variant #>14 ubyte ^0x40 IDX # for CDX variant >14 ubyte &0x40 # Ascending or descending: 0~ascending 1~descending >>502 uleshort x \b, sort order %u # Total expression length (FoxPro 2) like: 0 1 >>504 uleshort !0 \b, expression length %u # FOR expression pool length like: 1 >>506 uleshort !1 \b, FOR expression pool length %#x # reserved for internal use like: 0 >>508 uleshort !0 \b, at 0x508 reserved %#x # Key expression pool length like: 1 >>510 uleshort !1 \b, key expression pool length %#x # 512 - 1023 Key & FOR expression pool (uncompiled) >>512 quad !0 \b, key expression pool %#llx #>>520 quad !0 \b, key expression pool %#llx # Summary: dBASE IV Printer Form *.PRF # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/.dbf#Other_file_types_found_in_dBASE # Reference: https://mark0.net/download/triddefs_xml.7z/defs/p/prf-dbase.trid.xml 0 ubeshort 0x0400 # skip some Xbase Index files *.ndx and Infocom (Z-machine 4) *.z4 handled by ./adventure # by looking for valid printer driver name extension >0x58 search/8 .PR2 >>0 use xbase-prf # display information of dbase print form like printer driver *.PR2 0 name xbase-prf dBase Printer Form !:mime application/x-dbase-prf !:ext prf # MAYBE version? like: 4~DBASE IV #>0 ubyte x \b, version %u # MAYBE flag like: 1~with output file name 0~not #>2 ubyte !0 \b, flag %u # optional printer text output file name like E:\DBASE\IV\T6.txt >3 string >\0 \b, output file %s # probably padding with nils til 0x53 #>0x48 uquad !0 \b, at 0x48 padding %#llx # dBASE IV printer driver name like: Generic.PR2 ASCII.PR2 >0x56 string >\0 \b, using printer driver %s # 2 is probably last character of previous dBASE printer driver name #>0x60 ubyte !0x32 \b, at 0x60 %#x # probably padding with nils til 0xa8 #>0x61 uquad !0 \b, at 0x61 padding %#llx # unknown 0x03020300 0x03020100 at 0xa8 >0xa8 ubelong x \b, at 0xa8 unknown %#8.8x # probably padding with nils til 0x2aa #>0x2a0 uquad !0 \b, at 0x2a0 padding %#llx # unknown 0x100ff7f01000001 at 0x2AB >0x2ab ubequad !0x100ff7f01000001 \b, at 0x2ab unknown %#llx # unknown 0x0042 at 0x2b3 >0x2b3 ubeshort !0x0042 \b, at 0x2b3 unknown %#4.4x # unknown last 4 bytes at 0x2b6 like: 0 0x23 >0x2b6 ubelong !0 \b, at 0x2b6 unknown %#8.8x # TODO: # DBASE index file *.NDX # dBASE compiled Format *.FMO # FoxPro Database memo file *.DCT # FoxPro Forms Memo *.SCT # FoxPro Generated Menu Program *.MPR # FoxPro Report *.FRX # FoxPro Report Memo *.FRT # Foxpro Generated Screen Program *.SPR # Foxpro memo *.PJT ## End of XBase database stuff # MS Access database 4 string Standard\ Jet\ DB Microsoft Access Database !:mime application/x-msaccess 4 string Standard\ ACE\ DB Microsoft Access Database !:mime application/x-msaccess # From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/Extensible_Storage_Engine # Reference: https://github.com/libyal/libesedb/archive/master.zip # libesedb-master/documentation/ # Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc # Note: also known as "JET Blue". Used by numerous Windows components such as # Windows Search, Mail, Exchange and Active Directory. 4 ubelong 0xefcdab89 # unknown1 >132 ubelong 0 Extensible storage engine !:mime application/x-ms-ese # file_type 0~database 1~stream >>12 ulelong 0 DataBase # Security DataBase (sdb) !:ext edb/sdb >>12 ulelong 1 STreaMing !:ext stm # format_version 620h >>8 uleshort x \b, version %#x >>10 uleshort >0 revision %#4.4x >>0 ubelong x \b, checksum %#8.8x # Page size 4096 8192 32768 >>236 ulequad x \b, page size %lld # database_state >>52 ulelong 1 \b, JustCreated >>52 ulelong 2 \b, DirtyShutdown #>>52 ulelong 3 \b, CleanShutdown >>52 ulelong 4 \b, BeingConverted >>52 ulelong 5 \b, ForceDetach # Windows NT major version when the databases indexes were updated. >>216 ulelong x \b, Windows version %d # Windows NT minor version >>220 ulelong x \b.%d # From: Joerg Jenderek # URL: https://forensicswiki.org/wiki/Windows_Application_Compatibility # Note: files contain application compatibility fixes, application compatibility modes and application help messages. 8 string sdbf >7 ubyte 0 # TAG_TYPE_LIST+TAG_INDEXES >>12 uleshort 0x7802 Windows application compatibility Shim DataBase # version? 2 3 #>>>0 ulelong x \b, version %d !:mime application/x-ms-sdb !:ext sdb # TDB database from Samba et al - Martin Pool 0 string TDB\ file TDB database >32 lelong 0x2601196D version 6, little-endian >>36 lelong x hash size %d bytes # ICE authority file data (Wolfram Kleff) 2 string ICE ICE authority data # X11 Xauthority file (Wolfram Kleff) 10 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 11 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 12 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 13 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 14 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 15 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 16 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 17 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 18 string MIT-MAGIC-COOKIE-1 X11 Xauthority data # From: Maxime Henrion # PostgreSQL's custom dump format, Maxime Henrion 0 string PGDMP PostgreSQL custom database dump >5 byte x - v%d >6 byte x \b.%d >5 beshort <0x101 \b-0 >5 beshort >0x100 >>7 byte x \b-%d # Type: Advanced Data Format (ADF) database # URL: https://www.grc.nasa.gov/WWW/cgns/adf/ # From: Nicolas Chauvat 0 string @(#)ADF\ Database CGNS Advanced Data Format # Tokyo Cabinet magic data # http://tokyocabinet.sourceforge.net/index.html 0 string ToKyO\ CaBiNeT\n Tokyo Cabinet >14 string x \b (%s) >32 byte 0 \b, Hash !:mime application/x-tokyocabinet-hash >32 byte 1 \b, B+ tree !:mime application/x-tokyocabinet-btree >32 byte 2 \b, Fixed-length !:mime application/x-tokyocabinet-fixed >32 byte 3 \b, Table !:mime application/x-tokyocabinet-table >33 byte &1 \b, [open] >33 byte &2 \b, [fatal] >34 byte x \b, apow=%d >35 byte x \b, fpow=%d >36 byte &0x01 \b, [large] >36 byte &0x02 \b, [deflate] >36 byte &0x04 \b, [bzip] >36 byte &0x08 \b, [tcbs] >36 byte &0x10 \b, [excodec] >40 lequad x \b, bnum=%lld >48 lequad x \b, rnum=%lld >56 lequad x \b, fsiz=%lld # Type: QDBM Quick Database Manager # From: Benoit Sibaud 0 string \\[depot\\]\n\f Quick Database Manager, little endian 0 string \\[DEPOT\\]\n\f Quick Database Manager, big endian # Type: TokyoCabinet database # URL: http://tokyocabinet.sourceforge.net/ # From: Benoit Sibaud 0 string ToKyO\ CaBiNeT\n TokyoCabinet database >14 string x (version %s) # From: Stephane Blondon https://www.yaal.fr # Database file for Zope (done by FileStorage) 0 string FS21 Zope Object Database File Storage v3 (data) 0 string FS30 Zope Object Database File Storage v4 (data) # Cache file for the database of Zope (done by ClientStorage) 0 string ZEC3 Zope Object Database Client Cache File (data) # IDA (Interactive Disassembler) database 0 string IDA0 IDA (Interactive Disassembler) database 0 string IDA1 IDA (Interactive Disassembler) database 0 string IDA2 IDA (Interactive Disassembler) database # Hopper (reverse engineering tool) https://www.hopperapp.com/ 0 string hopperdb Hopper database # URL: https://en.wikipedia.org/wiki/Panorama_(database_engine) # Reference: http://www.provue.com/Panorama/ # From: Joerg Jenderek # NOTE: test only versions 4 and 6.0 with Windows # length of Panorama database name 5 ubyte >0 # look after database name for "some" null bits >(5.B+7) ubelong&0xF3ffF000 0 # look for first keyword >>&1 search/2 DESIGN Panorama database #!:mime application/x-panorama-database !:apple KASXZEPD !:ext pan # database name >>>5 pstring x \b, "%s" # # # askSam Database by Stefan A. Haubenthal 0 string askw40\0 askSam DB # # # MUIbase Database Tool by Stefan A. Haubenthal 0 string MBSTV\040 MUIbase DB >6 string x version %s # # CDB database 0 string NBCDB\012 NetBSD Constant Database >7 byte x \b, version %d >8 string x \b, for '%s' >24 lelong x \b, datasize %d >28 lelong x \b, entries %d >32 lelong x \b, index %d >36 lelong x \b, seed %#x # # Redis RDB - https://redis.io/topics/persistence 0 string REDIS Redis RDB file, >5 regex [0-9][0-9][0-9][0-9] version %s # Mork database. # Used by older versions of Mozilla Suite and Firefox, # and current versions of Thunderbird. # From: David Korth # Update: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/Mork # https://en.wikipedia.org/wiki/Mork_(file_format) # Note: called "Mork" by DROID via fmt/612 0 string //\