database 22 KB


  1. #------------------------------------------------------------------------------
  2. # $File: database,v 1.56 2019/06/14 20:12:00 christos Exp $
  3. # database: file(1) magic for various databases
  4. #
  5. # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk)
  6. #
  7. #
  8. # GDBM magic numbers
  9. # Will be maintained as part of the GDBM distribution in the future.
  10. # <downsj@teeny.org>
  11. 0 belong 0x13579acd GNU dbm 1.x or ndbm database, big endian, 32-bit
  12. !:mime application/x-gdbm
  13. 0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian, old
  14. !:mime application/x-gdbm
  15. 0 belong 0x13579acf GNU dbm 1.x or ndbm database, big endian, 64-bit
  16. !:mime application/x-gdbm
  17. 0 lelong 0x13579acd GNU dbm 1.x or ndbm database, little endian, 32-bit
  18. !:mime application/x-gdbm
  19. 0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian, old
  20. !:mime application/x-gdbm
  21. 0 lelong 0x13579acf GNU dbm 1.x or ndbm database, little endian, 64-bit
  22. !:mime application/x-gdbm
  23. 0 string GDBM GNU dbm 2.x database
  24. !:mime application/x-gdbm
  25. #
  26. # Berkeley DB
  27. #
  28. # Ian Darwin's file /etc/magic files: big/little-endian version.
  29. #
  30. # Hash 1.85/1.86 databases store metadata in network byte order.
  31. # Btree 1.85/1.86 databases store the metadata in host byte order.
  32. # Hash and Btree 2.X and later databases store the metadata in host byte order.
  33. 0 long 0x00061561 Berkeley DB
  34. !:mime application/x-dbm
  35. >8 belong 4321
  36. >>4 belong >2 1.86
  37. >>4 belong <3 1.85
  38. >>4 belong >0 (Hash, version %d, native byte-order)
  39. >8 belong 1234
  40. >>4 belong >2 1.86
  41. >>4 belong <3 1.85
  42. >>4 belong >0 (Hash, version %d, little-endian)
  43. 0 belong 0x00061561 Berkeley DB
  44. >8 belong 4321
  45. >>4 belong >2 1.86
  46. >>4 belong <3 1.85
  47. >>4 belong >0 (Hash, version %d, big-endian)
  48. >8 belong 1234
  49. >>4 belong >2 1.86
  50. >>4 belong <3 1.85
  51. >>4 belong >0 (Hash, version %d, native byte-order)
  52. 0 long 0x00053162 Berkeley DB 1.85/1.86
  53. >4 long >0 (Btree, version %d, native byte-order)
  54. 0 belong 0x00053162 Berkeley DB 1.85/1.86
  55. >4 belong >0 (Btree, version %d, big-endian)
  56. 0 lelong 0x00053162 Berkeley DB 1.85/1.86
  57. >4 lelong >0 (Btree, version %d, little-endian)
  58. 12 long 0x00061561 Berkeley DB
  59. >16 long >0 (Hash, version %d, native byte-order)
  60. 12 belong 0x00061561 Berkeley DB
  61. >16 belong >0 (Hash, version %d, big-endian)
  62. 12 lelong 0x00061561 Berkeley DB
  63. >16 lelong >0 (Hash, version %d, little-endian)
  64. 12 long 0x00053162 Berkeley DB
  65. >16 long >0 (Btree, version %d, native byte-order)
  66. 12 belong 0x00053162 Berkeley DB
  67. >16 belong >0 (Btree, version %d, big-endian)
  68. 12 lelong 0x00053162 Berkeley DB
  69. >16 lelong >0 (Btree, version %d, little-endian)
  70. 12 long 0x00042253 Berkeley DB
  71. >16 long >0 (Queue, version %d, native byte-order)
  72. 12 belong 0x00042253 Berkeley DB
  73. >16 belong >0 (Queue, version %d, big-endian)
  74. 12 lelong 0x00042253 Berkeley DB
  75. >16 lelong >0 (Queue, version %d, little-endian)
  76. # From Max Bowsher.
  77. 12 long 0x00040988 Berkeley DB
  78. >16 long >0 (Log, version %d, native byte-order)
  79. 12 belong 0x00040988 Berkeley DB
  80. >16 belong >0 (Log, version %d, big-endian)
  81. 12 lelong 0x00040988 Berkeley DB
  82. >16 lelong >0 (Log, version %d, little-endian)
  83. #
  84. #
  85. # Round Robin Database Tool by Tobias Oetiker <oetiker@ee.ethz.ch>
  86. 0 string/b RRD\0 RRDTool DB
  87. >4 string/b x version %s
  88. >>10 short !0 16bit aligned
  89. >>>10 bedouble 8.642135e+130 big-endian
  90. >>>>18 short x 32bit long (m68k)
  91. >>10 short 0
  92. >>>12 long !0 32bit aligned
  93. >>>>12 bedouble 8.642135e+130 big-endian
  94. >>>>>20 long 0 64bit long
  95. >>>>>20 long !0 32bit long
  96. >>>>12 ledouble 8.642135e+130 little-endian
  97. >>>>>24 long 0 64bit long
  98. >>>>>24 long !0 32bit long (i386)
  99. >>>>12 string \x43\x2b\x1f\x5b\x2f\x25\xc0\xc7 middle-endian
  100. >>>>>24 short !0 32bit long (arm)
  101. >>8 quad 0 64bit aligned
  102. >>>16 bedouble 8.642135e+130 big-endian
  103. >>>>24 long 0 64bit long (s390x)
  104. >>>>24 long !0 32bit long (hppa/mips/ppc/s390/SPARC)
  105. >>>16 ledouble 8.642135e+130 little-endian
  106. >>>>28 long 0 64bit long (alpha/amd64/ia64)
  107. >>>>28 long !0 32bit long (armel/mipsel)
  108. #----------------------------------------------------------------------
  109. # ROOT: file(1) magic for ROOT databases
  110. #
  111. 0 string root\0 ROOT file
  112. >4 belong x Version %d
  113. >33 belong x (Compression: %d)
  114. # XXX: Weak magic.
  115. # Alex Ott <ott@jet.msk.su>
  116. ## Paradox file formats
  117. #2 leshort 0x0800 Paradox
  118. #>0x39 byte 3 v. 3.0
  119. #>0x39 byte 4 v. 3.5
  120. #>0x39 byte 9 v. 4.x
  121. #>0x39 byte 10 v. 5.x
  122. #>0x39 byte 11 v. 5.x
  123. #>0x39 byte 12 v. 7.x
  124. #>>0x04 byte 0 indexed .DB data file
  125. #>>0x04 byte 1 primary index .PX file
  126. #>>0x04 byte 2 non-indexed .DB data file
  127. #>>0x04 byte 3 non-incrementing secondary index .Xnn file
  128. #>>0x04 byte 4 secondary index .Ynn file
  129. #>>0x04 byte 5 incrementing secondary index .Xnn file
  130. #>>0x04 byte 6 non-incrementing secondary index .XGn file
  131. #>>0x04 byte 7 secondary index .YGn file
  132. #>>>0x04 byte 8 incrementing secondary index .XGn file
  133. ## XBase database files
  134. # updated by Joerg Jenderek at Feb 2013
  135. # https://www.dbase.com/Knowledgebase/INT/db7_file_fmt.htm
  136. # https://www.clicketyclick.dk/databases/xbase/format/dbf.html
  137. # inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
  138. 0 ubelong&0x0000FFFF <0x00000C20
  139. # skip Infocom game Z-machine
  140. >2 ubyte >0
  141. # skip Androids *.xml
  142. >>3 ubyte >0
  143. >>>3 ubyte <32
  144. # 1 < version VV
  145. >>>>0 ubyte >1
  146. # skip HELP.CA3 by test for reserved byte ( NULL )
  147. >>>>>27 ubyte 0
  148. # reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF)
  149. #>>>>>30 ubeshort x 30NULL?%x
  150. # possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)
  151. >>>>>>24 ubelong&0xffFFFFff >0x01302000
  152. # .DBF or .MDX
  153. >>>>>>24 ubelong&0xffFFFFff <0x01302001
  154. # for Xbase Database file (*.DBF) reserved (NULL) for multi-user
  155. >>>>>>>24 ubelong&0xffFFFFff =0
  156. # test for 2 reserved NULL bytes,transaction and encryption byte flag
  157. >>>>>>>>12 ubelong&0xFFFFfEfE 0
  158. # test for MDX flag
  159. >>>>>>>>>28 ubyte x
  160. >>>>>>>>>28 ubyte&0xf8 0
  161. # header size >= 32
  162. >>>>>>>>>>8 uleshort >31
  163. # skip PIC15736.PCX by test for language driver name or field name
  164. >>>>>>>>>>>32 ubyte >0
  165. #!:mime application/x-dbf; charset=unknown-8bit ??
  166. #!:mime application/x-dbase
  167. >>>>>>>>>>>>0 use xbase-type
  168. # database file
  169. >>>>>>>>>>>>0 ubyte x \b DBF
  170. >>>>>>>>>>>>4 lelong 0 \b, no records
  171. >>>>>>>>>>>>4 lelong >0 \b, %d record
  172. # plural s appended
  173. >>>>>>>>>>>>>4 lelong >1 \bs
  174. # https://www.clicketyclick.dk/databases/xbase/format/dbf_check.html#CHECK_DBF
  175. # 1 <= record size <= 4000 (dBase 3,4) or 32 * KB (=0x8000)
  176. >>>>>>>>>>>>10 uleshort x * %d
  177. # file size = records * record size + header size
  178. >>>>>>>>>>>>1 ubyte x \b, update-date
  179. >>>>>>>>>>>>1 use xbase-date
  180. # https://msdn.microsoft.com/de-de/library/cc483186(v=vs.71).aspx
  181. #>>>>>>>>>>>>29 ubyte =0 \b, codepage ID=0x%x
  182. # 2~cp850 , 3~cp1252 , 0x1b~?? ; what code page is 0x1b ?
  183. >>>>>>>>>>>>29 ubyte >0 \b, codepage ID=0x%x
  184. #>>>>>>>>>>>>28 ubyte&0x01 0 \b, no index file
  185. >>>>>>>>>>>>28 ubyte&0x01 1 \b, with index file .MDX
  186. >>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT
  187. >>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer
  188. # 1st record offset + 1 = header size
  189. >>>>>>>>>>>>8 uleshort >0
  190. >>>>>>>>>>>>(8.s+1) ubyte >0
  191. >>>>>>>>>>>>>8 uleshort >0 \b, at offset %d
  192. >>>>>>>>>>>>>(8.s+1) ubyte >0
  193. >>>>>>>>>>>>>>&-1 string >\0 1st record "%s"
  194. # for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)
  195. >>>>>>>24 ubelong&0x0133f7ff >0
  196. # test for reserved NULL byte
  197. >>>>>>>>47 ubyte 0
  198. # test for valid TAG key format (0x10 or 0)
  199. >>>>>>>>>559 ubyte&0xeF 0
  200. # test MM <= 12
  201. >>>>>>>>>>45 ubeshort <0x0C20
  202. >>>>>>>>>>>45 ubyte >0
  203. >>>>>>>>>>>>46 ubyte <32
  204. >>>>>>>>>>>>>46 ubyte >0
  205. #!:mime application/x-mdx
  206. >>>>>>>>>>>>>>0 use xbase-type
  207. >>>>>>>>>>>>>>0 ubyte x \b MDX
  208. >>>>>>>>>>>>>>1 ubyte x \b, creation-date
  209. >>>>>>>>>>>>>>1 use xbase-date
  210. >>>>>>>>>>>>>>44 ubyte x \b, update-date
  211. >>>>>>>>>>>>>>44 use xbase-date
  212. # No.of tags in use (1,2,5,12)
  213. >>>>>>>>>>>>>>28 uleshort x \b, %d
  214. # No. of entries in tag (0x30)
  215. >>>>>>>>>>>>>>25 ubyte x \b/%d tags
  216. # Length of tag
  217. >>>>>>>>>>>>>>26 ubyte x * %d
  218. # 1st tag name_
  219. >>>>>>>>>>>>>548 string x \b, 1st tag "%.11s"
  220. # 2nd tag name
  221. #>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s"
  222. #
  223. # Print the xBase names of different version variants
  224. 0 name xbase-type
  225. >0 ubyte <2
  226. # 1 < version
  227. >0 ubyte >1
  228. >>0 ubyte 0x02 FoxBase
  229. # FoxBase+/dBaseIII+, no memo
  230. >>0 ubyte 0x03 FoxBase+/dBase III
  231. !:mime application/x-dbf
  232. # dBASE IV no memo file
  233. >>0 ubyte 0x04 dBase IV
  234. !:mime application/x-dbf
  235. # dBASE V no memo file
  236. >>0 ubyte 0x05 dBase V
  237. !:mime application/x-dbf
  238. >>0 ubyte 0x30 Visual FoxPro
  239. !:mime application/x-dbf
  240. >>0 ubyte 0x31 Visual FoxPro, autoincrement
  241. !:mime application/x-dbf
  242. # Visual FoxPro, with field type Varchar or Varbinary
  243. >>0 ubyte 0x32 Visual FoxPro, with field type Varchar
  244. !:mime application/x-dbf
  245. # dBASE IV SQL, no memo;dbv memo var size (Flagship)
  246. >>0 ubyte 0x43 dBase IV, with SQL table
  247. !:mime application/x-dbf
  248. # https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
  249. #>>0 ubyte 0x62 dBase IV, with SQL table
  250. #!:mime application/x-dbf
  251. # dBASE IV, with memo!!
  252. >>0 ubyte 0x7b dBase IV, with memo
  253. !:mime application/x-dbf
  254. # https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
  255. #>>0 ubyte 0x82 dBase IV, with SQL system
  256. #!:mime application/x-dbf
  257. # FoxBase+/dBaseIII+ with memo .DBT!
  258. >>0 ubyte 0x83 FoxBase+/dBase III, with memo .DBT
  259. !:mime application/x-dbf
  260. # VISUAL OBJECTS (first 1.0 versions) for the Dbase III files (NTX clipper driver); memo file
  261. >>0 ubyte 0x87 VISUAL OBJECTS, with memo file
  262. !:mime application/x-dbf
  263. # https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
  264. #>>0 ubyte 0x8A FoxBase+/dBase III, with memo .DBT
  265. #!:mime application/x-dbf
  266. # dBASE IV with memo!
  267. >>0 ubyte 0x8B dBase IV, with memo .DBT
  268. !:mime application/x-dbf
  269. # dBase IV with SQL Table,no memo?
  270. >>0 ubyte 0x8E dBase IV, with SQL table
  271. !:mime application/x-dbf
  272. # .dbv and .dbt memo (Flagship)?
  273. >>0 ubyte 0xB3 Flagship
  274. # https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
  275. #>>0 ubyte 0xCA dBase IV with memo .DBT
  276. #!:mime application/x-dbf
  277. # dBASE IV with SQL table, with memo .DBT
  278. >>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT
  279. !:mime application/x-dbf
  280. # HiPer-Six format;Clipper SIX, with SMT memo file
  281. >>0 ubyte 0xE5 Clipper SIX with memo
  282. !:mime application/x-dbf
  283. # https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
  284. #>>0 ubyte 0xF4 dBase IV, with SQL table, with memo
  285. #!:mime application/x-dbf
  286. >>0 ubyte 0xF5 FoxPro with memo
  287. !:mime application/x-dbf
  288. # https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
  289. #>>0 ubyte 0xFA FoxPro 2.x, with memo
  290. #!:mime application/x-dbf
  291. # unknown version (should not happen)
  292. >>0 default x xBase
  293. !:mime application/x-dbf
  294. >>>0 ubyte x (0x%x)
  295. # flags in version byte
  296. # DBT flag (with dBASE III memo .DBT)!!
  297. # >>0 ubyte&0x80 >0 DBT_FLAG=%x
  298. # memo flag ??
  299. # >>0 ubyte&0x08 >0 MEMO_FLAG=%x
  300. # SQL flag ??
  301. # >>0 ubyte&0x70 >0 SQL_FLAG=%x
  302. # test and print the date of xBase .DBF .MDX
  303. 0 name xbase-date
  304. # inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
  305. >0 ubelong x
  306. >1 ubyte <13
  307. >>1 ubyte >0
  308. >>>2 ubyte >0
  309. >>>>2 ubyte <32
  310. >>>>>0 ubyte x
  311. # YY is interpreted as 20YY or 19YY
  312. >>>>>>0 ubyte <100 \b %.2d
  313. # YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY
  314. >>>>>>0 ubyte >99 \b %d
  315. >>>>>1 ubyte x \b-%d
  316. >>>>>2 ubyte x \b-%d
  317. # dBase memo files .DBT or .FPT
  318. # https://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx
  319. 16 ubyte <4
  320. >16 ubyte !2
  321. >>16 ubyte !1
  322. # next free block index is positive
  323. >>>0 ulelong >0
  324. # skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size
  325. >>>>17 ubelong&0xFFfdFEff 0x00000000
  326. # skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h
  327. >>>>>20 ubelong&0xFF01209B 0x00000000
  328. # dBASE III
  329. >>>>>>16 ubyte 3
  330. # dBASE III DBT
  331. >>>>>>>0 use dbase3-memo-print
  332. # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage
  333. >>>>>>16 ubyte 0
  334. # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF
  335. >>>>>>>20 uleshort 0
  336. # FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage
  337. >>>>>>>>8 ulong =0
  338. >>>>>>>>>6 ubeshort >0
  339. # skip emacs.PIF
  340. >>>>>>>>>>4 ushort 0
  341. # check for valid FoxPro field type
  342. >>>>>>>>>>>512 ubelong <3
  343. >>>>>>>>>>>>0 use foxpro-memo-print
  344. # dBASE III DBT , garbage
  345. # skip WORD1XW.DOC with improbably high free block index
  346. >>>>>>>>>0 lelong <2205083
  347. # unusual dBASE III DBT like adressen.dbt
  348. >>>>>>>>>>0 use dbase3-memo-print
  349. # dBASE III DBT like angest.dbt, or garbage PCX DBF
  350. >>>>>>>>8 ubelong !0
  351. # skip PCX and some DBF by test for for reserved NULL bytes
  352. >>>>>>>>>510 ubeshort 0
  353. # skip AI070GEP.EPS with improbably high free block index
  354. >>>>>>>>>>0 lelong <458766
  355. >>>>>>>>>>>0 use dbase3-memo-print
  356. # dBASE IV DBT with positive block size
  357. >>>>>>>20 uleshort >0
  358. # dBASE IV DBT with valid block length like 512, 1024
  359. # multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero
  360. # skip also 3600h 3E00h size
  361. >>>>>>>>20 uleshort&0xE00f 0
  362. >>>>>>>>>0 use dbase4-memo-print
  363. # Print the information of dBase III DBT memo file
  364. 0 name dbase3-memo-print
  365. >0 ubyte x dBase III DBT
  366. !:mime application/x-dbt
  367. !:ext dbt
  368. # instead 3 as version number 0 for unusual examples like biblio.dbt
  369. >16 ubyte !3 \b, version number %u
  370. # Number of next available block for appending data
  371. #>0 lelong =0 \b, next free block index %u
  372. >0 lelong !0 \b, next free block index %u
  373. # no positiv block length
  374. #>20 uleshort =0 \b, block length %u
  375. >20 uleshort !0 \b, block length %u
  376. # dBase III memo field terminated by \032\032
  377. >512 string >\0 \b, 1st item "%s"
  378. # https://www.clicketyclick.dk/databases/xbase/format/dbt.html
  379. # Print the information of dBase IV DBT memo file
  380. 0 name dbase4-memo-print
  381. >0 lelong x dBase IV DBT
  382. !:mime application/x-dbt
  383. !:ext dbt
  384. # 8 character shorted main name of coresponding dBASE IV DBF file
  385. >8 ubelong >0x20000000
  386. # skip unusual like for angest.dbt
  387. >>20 uleshort >0
  388. >>>8 string >\0 \b of %-.8s.DBF
  389. # value 0 implies 512 as size
  390. #>4 ulelong =0 \b, blocks size %u
  391. # size of blocks not reliable like 0x2020204C in angest.dbt
  392. >4 ulelong !0
  393. >>4 ulelong&0x0000003f 0 \b, blocks size %u
  394. # dBase IV DBT with positive block length (found 512 , 1024)
  395. >20 uleshort >0 \b, block length %u
  396. # next available block
  397. #>0 lelong =0 \b, next free block index %u
  398. >0 lelong !0 \b, next free block index %u
  399. >20 uleshort >0
  400. >>(20.s) ubelong x
  401. >>>&-4 use dbase4-memofield-print
  402. # unusual dBase IV DBT without block length (implies 512 as length)
  403. >20 uleshort =0
  404. >>512 ubelong x
  405. >>>&-4 use dbase4-memofield-print
  406. # Print the information of dBase IV memo field
  407. 0 name dbase4-memofield-print
  408. # free dBase IV memo field
  409. >0 ubelong !0xFFFF0800
  410. >>0 lelong x \b, next free block %u
  411. >>4 lelong x \b, next used block %u
  412. # used dBase IV memo field
  413. >0 ubelong =0xFFFF0800
  414. # length of memo field
  415. >>4 lelong x \b, field length %d
  416. >>>8 string >\0 \b, 1st used item "%s"
  417. # http://www.dbfree.org/webdocs/1-documentation/0018-developers_stuff_(advanced)/os_related_stuff/xbase_file_format.htm
  418. # Print the information of FoxPro FPT memo file
  419. 0 name foxpro-memo-print
  420. >0 belong x FoxPro FPT
  421. !:mime application/x-fpt
  422. !:ext fpt
  423. # Size of blocks for FoxPro ( 64,256 )
  424. >6 ubeshort x \b, blocks size %u
  425. # next available block
  426. #>0 belong =0 \b, next free block index %u
  427. >0 belong !0 \b, next free block index %u
  428. # field type ( 0~picture, 1~memo, 2~object )
  429. >512 ubelong <3 \b, field type %u
  430. # length of memo field
  431. >512 ubelong 1
  432. >>516 belong >0 \b, field length %d
  433. >>>520 string >\0 \b, 1st item "%s"
  434. # TODO:
  435. # DBASE index file *.NDX
  436. # DBASE Compound Index file *.CDX
  437. # dBASE IV Printer Driver *.PRF
  438. ## End of XBase database stuff
  439. # MS Access database
  440. 4 string Standard\ Jet\ DB Microsoft Access Database
  441. !:mime application/x-msaccess
  442. 4 string Standard\ ACE\ DB Microsoft Access Database
  443. !:mime application/x-msaccess
  444. # From: Joerg Jenderek
  445. # URL: http://fileformats.archiveteam.org/wiki/Extensible_Storage_Engine
  446. # Reference: https://github.com/libyal/libesedb/archive/master.zip
  447. # libesedb-master/documentation/
  448. # Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc
  449. # Note: also known as "JET Blue". Used by numerous Windows components such as
  450. # Windows Search, Mail, Exchange and Active Directory.
  451. 4 ubelong 0xefcdab89
  452. # unknown1
  453. >132 ubelong 0 Extensible storage engine
  454. !:mime application/x-ms-ese
  455. # file_type 0~database 1~stream
  456. >>12 ulelong 0 DataBase
  457. # Security DataBase (sdb)
  458. !:ext edb/sdb
  459. >>12 ulelong 1 STreaMing
  460. !:ext stm
  461. # format_version 620h
  462. >>8 uleshort x \b, version 0x%x
  463. >>10 uleshort >0 revision 0x%4.4x
  464. >>0 ubelong x \b, checksum 0x%8.8x
  465. # Page size 4096 8192 32768
  466. >>236 ulequad x \b, page size %lld
  467. # database_state
  468. >>52 ulelong 1 \b, JustCreated
  469. >>52 ulelong 2 \b, DirtyShutdown
  470. #>>52 ulelong 3 \b, CleanShutdown
  471. >>52 ulelong 4 \b, BeingConverted
  472. >>52 ulelong 5 \b, ForceDetach
  473. # Windows NT major version when the databases indexes were updated.
  474. >>216 ulelong x \b, Windows version %d
  475. # Windows NT minor version
  476. >>220 ulelong x \b.%d
  477. # From: Joerg Jenderek
  478. # URL: https://forensicswiki.org/wiki/Windows_Application_Compatibility
  479. # Note: files contain application compatibility fixes, application compatibility modes and application help messages.
  480. 8 string sdbf
  481. >7 ubyte 0
  482. # TAG_TYPE_LIST+TAG_INDEXES
  483. >>12 uleshort 0x7802 Windows application compatibility Shim DataBase
  484. # version? 2 3
  485. #>>>0 ulelong x \b, version %d
  486. !:mime application/x-ms-sdb
  487. !:ext sdb
  488. # TDB database from Samba et al - Martin Pool <mbp@samba.org>
  489. 0 string TDB\ file TDB database
  490. >32 lelong 0x2601196D version 6, little-endian
  491. >>36 lelong x hash size %d bytes
  492. # SE Linux policy database
  493. 0 lelong 0xf97cff8c SE Linux policy
  494. >16 lelong x v%d
  495. >20 lelong 1 MLS
  496. >24 lelong x %d symbols
  497. >28 lelong x %d ocons
  498. # ICE authority file data (Wolfram Kleff)
  499. 2 string ICE ICE authority data
  500. # X11 Xauthority file (Wolfram Kleff)
  501. 10 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
  502. 11 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
  503. 12 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
  504. 13 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
  505. 14 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
  506. 15 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
  507. 16 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
  508. 17 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
  509. 18 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
  510. # From: Maxime Henrion <mux@FreeBSD.org>
  511. # PostgreSQL's custom dump format, Maxime Henrion <mux@FreeBSD.org>
  512. 0 string PGDMP PostgreSQL custom database dump
  513. >5 byte x - v%d
  514. >6 byte x \b.%d
  515. >5 beshort <0x101 \b-0
  516. >5 beshort >0x100
  517. >>7 byte x \b-%d
  518. # Type: Advanced Data Format (ADF) database
  519. # URL: https://www.grc.nasa.gov/WWW/cgns/adf/
  520. # From: Nicolas Chauvat <nicolas.chauvat@logilab.fr>
  521. 0 string @(#)ADF\ Database CGNS Advanced Data Format
  522. # Tokyo Cabinet magic data
  523. # http://tokyocabinet.sourceforge.net/index.html
  524. 0 string ToKyO\ CaBiNeT\n Tokyo Cabinet
  525. >14 string x \b (%s)
  526. >32 byte 0 \b, Hash
  527. !:mime application/x-tokyocabinet-hash
  528. >32 byte 1 \b, B+ tree
  529. !:mime application/x-tokyocabinet-btree
  530. >32 byte 2 \b, Fixed-length
  531. !:mime application/x-tokyocabinet-fixed
  532. >32 byte 3 \b, Table
  533. !:mime application/x-tokyocabinet-table
  534. >33 byte &1 \b, [open]
  535. >33 byte &2 \b, [fatal]
  536. >34 byte x \b, apow=%d
  537. >35 byte x \b, fpow=%d
  538. >36 byte &0x01 \b, [large]
  539. >36 byte &0x02 \b, [deflate]
  540. >36 byte &0x04 \b, [bzip]
  541. >36 byte &0x08 \b, [tcbs]
  542. >36 byte &0x10 \b, [excodec]
  543. >40 lequad x \b, bnum=%lld
  544. >48 lequad x \b, rnum=%lld
  545. >56 lequad x \b, fsiz=%lld
  546. # Type: QDBM Quick Database Manager
  547. # From: Benoit Sibaud <bsibaud@april.org>
  548. 0 string \\[depot\\]\n\f Quick Database Manager, little endian
  549. 0 string \\[DEPOT\\]\n\f Quick Database Manager, big endian
  550. # Type: TokyoCabinet database
  551. # URL: http://tokyocabinet.sourceforge.net/
  552. # From: Benoit Sibaud <bsibaud@april.org>
  553. 0 string ToKyO\ CaBiNeT\n TokyoCabinet database
  554. >14 string x (version %s)
  555. # From: Stephane Blondon https://www.yaal.fr
  556. # Database file for Zope (done by FileStorage)
  557. 0 string FS21 Zope Object Database File Storage v3 (data)
  558. 0 string FS30 Zope Object Database File Storage v4 (data)
  559. # Cache file for the database of Zope (done by ClientStorage)
  560. 0 string ZEC3 Zope Object Database Client Cache File (data)
  561. # IDA (Interactive Disassembler) database
  562. 0 string IDA1 IDA (Interactive Disassembler) database
  563. # Hopper (reverse engineering tool) https://www.hopperapp.com/
  564. 0 string hopperdb Hopper database
  565. # URL: https://en.wikipedia.org/wiki/Panorama_(database_engine)
  566. # Reference: http://www.provue.com/Panorama/
  567. # From: Joerg Jenderek
  568. # NOTE: test only versions 4 and 6.0 with Windows
  569. # length of Panorama database name
  570. 5 ubyte >0
  571. # look after database name for "some" null bits
  572. >(5.B+7) ubelong&0xF3ffF000 0
  573. # look for first keyword
  574. >>&1 search/2 DESIGN Panorama database
  575. #!:mime application/x-panorama-database
  576. !:apple KASXZEPD
  577. !:ext pan
  578. # database name
  579. >>>5 pstring x \b, "%s"
  580. #
  581. #
  582. # askSam Database by Stefan A. Haubenthal <polluks@web.de>
  583. 0 string askw40\0 askSam DB
  584. #
  585. #
  586. # MUIbase Database Tool by Stefan A. Haubenthal <polluks@web.de>
  587. 0 string MBSTV\040 MUIbase DB
  588. >6 string x version %s
  589. #
  590. # CDB database
  591. 0 string NBCDB\012 NetBSD Constant Database
  592. >7 byte x \b, version %d
  593. >8 string x \b, for '%s'
  594. >24 lelong x \b, datasize %d
  595. >28 lelong x \b, entries %d
  596. >32 lelong x \b, index %d
  597. >36 lelong x \b, seed %#x
  598. #
  599. # Redis RDB - https://redis.io/topics/persistence
  600. 0 string REDIS Redis RDB file,
  601. >5 regex [0-9][0-9][0-9][0-9] version %s
  602. # Mork database.
  603. # Used by older versions of Mozilla Suite and Firefox,
  604. # and current versions of Thunderbird.
  605. # From: David Korth <gerbilsoft@gerbilsoft.com>
  606. 0 string //\ <!--\ <mdb:mork:z\ v=" Mozilla Mork database
  607. >23 string x \b, version %.3s