file/magic/Magdir/database

#------------------------------------------------------------------------------
# $File: database,v 1.69 2023/01/12 00:14:04 christos Exp $
# database:  file(1) magic for various databases
#
# extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk)
#
#
# GDBM magic numbers
#  Will be maintained as part of the GDBM distribution in the future.
#  <downsj@teeny.org>
0	belong	0x13579acd	GNU dbm 1.x or ndbm database, big endian, 32-bit
!:mime	application/x-gdbm
0	belong	0x13579ace	GNU dbm 1.x or ndbm database, big endian, old
!:mime	application/x-gdbm
0	belong	0x13579acf	GNU dbm 1.x or ndbm database, big endian, 64-bit
!:mime	application/x-gdbm
0	lelong	0x13579acd	GNU dbm 1.x or ndbm database, little endian, 32-bit
!:mime	application/x-gdbm
0	lelong	0x13579ace	GNU dbm 1.x or ndbm database, little endian, old
!:mime	application/x-gdbm
0	lelong	0x13579acf	GNU dbm 1.x or ndbm database, little endian, 64-bit
!:mime	application/x-gdbm
0	string	GDBM		GNU dbm 2.x database
!:mime	application/x-gdbm
#
# Berkeley DB
#
# Ian Darwin's file /etc/magic files: big/little-endian version.
#
# Hash 1.85/1.86 databases store metadata in network byte order.
# Btree 1.85/1.86 databases store the metadata in host byte order.
# Hash and Btree 2.X and later databases store the metadata in host byte order.

0	long	0x00061561	Berkeley DB
!:mime	application/x-dbm
>8	belong	4321
>>4	belong	>2		1.86
>>4	belong	<3		1.85
>>4	belong	>0		(Hash, version %d, native byte-order)
>8	belong	1234
>>4	belong	>2		1.86
>>4	belong	<3		1.85
>>4	belong	>0		(Hash, version %d, little-endian)

0	belong	0x00061561	Berkeley DB
>8	belong	4321
>>4	belong	>2		1.86
>>4	belong	<3		1.85
>>4	belong	>0		(Hash, version %d, big-endian)
>8	belong	1234
>>4	belong	>2		1.86
>>4	belong	<3		1.85
>>4	belong	>0		(Hash, version %d, native byte-order)

0	long	0x00053162	Berkeley DB 1.85/1.86
>4	long	>0		(Btree, version %d, native byte-order)
0	belong	0x00053162	Berkeley DB 1.85/1.86
>4	belong	>0		(Btree, version %d, big-endian)
0	lelong	0x00053162	Berkeley DB 1.85/1.86
>4	lelong	>0		(Btree, version %d, little-endian)

12	long	0x00061561	Berkeley DB
>16	long	>0		(Hash, version %d, native byte-order)
12	belong	0x00061561	Berkeley DB
>16	belong	>0		(Hash, version %d, big-endian)
12	lelong	0x00061561	Berkeley DB
>16	lelong	>0		(Hash, version %d, little-endian)

12	long	0x00053162	Berkeley DB
>16	long	>0		(Btree, version %d, native byte-order)
12	belong	0x00053162	Berkeley DB
>16	belong	>0		(Btree, version %d, big-endian)
12	lelong	0x00053162	Berkeley DB
>16	lelong	>0		(Btree, version %d, little-endian)

12	long	0x00042253	Berkeley DB
>16	long	>0		(Queue, version %d, native byte-order)
12	belong	0x00042253	Berkeley DB
>16	belong	>0		(Queue, version %d, big-endian)
12	lelong	0x00042253	Berkeley DB
>16	lelong	>0		(Queue, version %d, little-endian)

# From Max Bowsher.
12	long	0x00040988	Berkeley DB
>16	long	>0		(Log, version %d, native byte-order)
12	belong	0x00040988	Berkeley DB
>16	belong	>0		(Log, version %d, big-endian)
12	lelong	0x00040988	Berkeley DB
>16	lelong	>0		(Log, version %d, little-endian)

#
#
# Round Robin Database Tool by Tobias Oetiker <oetiker@ee.ethz.ch>
0	string/b	RRD\0		RRDTool DB
>4	string/b	x		version %s

>>10	short		!0		16bit aligned
>>>10	bedouble	8.642135e+130	big-endian
>>>>18	short		x		32bit long (m68k)

>>10	short		0
>>>12	long		!0		32bit aligned
>>>>12	bedouble	8.642135e+130	big-endian
>>>>>20 long		0		64bit long
>>>>>20 long		!0		32bit long
>>>>12	ledouble	8.642135e+130	little-endian
>>>>>24 long		0		64bit long
>>>>>24 long		!0		32bit long (i386)
>>>>12	string		\x43\x2b\x1f\x5b\x2f\x25\xc0\xc7	middle-endian
>>>>>24 short		!0		32bit long (arm)

>>8	quad		0		64bit aligned
>>>16	bedouble	8.642135e+130	big-endian
>>>>24	long		0		64bit long (s390x)
>>>>24	long		!0		32bit long (hppa/mips/ppc/s390/SPARC)
>>>16	ledouble	8.642135e+130	little-endian
>>>>28	long		0		64bit long (alpha/amd64/ia64)
>>>>28	long		!0		32bit long (armel/mipsel)

#----------------------------------------------------------------------
# ROOT: file(1) magic for ROOT databases
#
0       string  root\0  ROOT file
>4      belong  x       Version %d
>33     belong  x       (Compression: %d)

# XXX: Weak magic.
# Alex Ott <ott@jet.msk.su>
## Paradox file formats
#2	  leshort	0x0800	Paradox
#>0x39	  byte		3	v. 3.0
#>0x39	  byte		4	v. 3.5
#>0x39	  byte		9	v. 4.x
#>0x39	  byte		10	v. 5.x
#>0x39	  byte		11	v. 5.x
#>0x39	  byte		12	v. 7.x
#>>0x04	  byte		0	indexed .DB data file
#>>0x04	  byte		1	primary index .PX file
#>>0x04	  byte		2	non-indexed .DB data file
#>>0x04	  byte		3	non-incrementing secondary index .Xnn file
#>>0x04	  byte		4	secondary index .Ynn file
#>>0x04	  byte		5	incrementing secondary index .Xnn file
#>>0x04	  byte		6	non-incrementing secondary index .XGn file
#>>0x04	  byte		7	secondary index .YGn file
#>>>0x04	  byte		8	incrementing secondary index .XGn file

## XBase database files
# updated by Joerg Jenderek at Feb 2013
# https://www.dbase.com/Knowledgebase/INT/db7_file_fmt.htm
# https://www.clicketyclick.dk/databases/xbase/format/dbf.html
# inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
0	ubelong&0x0000FFFF		<0x00000C20
!:strength +10
# skip Infocom game Z-machine
>2		ubyte			>0
# skip Androids *.xml
>>3		ubyte			>0
>>>3		ubyte			<32
# 1 < version VV
>>>>0		ubyte			>1
# skip HELP.CA3 by test for reserved byte ( NULL )
>>>>>27		ubyte			0
# reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF)
#>>>>>30		ubeshort     		x		30NULL?%x
# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)
>>>>>>24	ubelong&0xffFFFFff	>0x01302000
# .DBF or .MDX
>>>>>>24	ubelong&0xffFFFFff	<0x01302001
# for Xbase Database file (*.DBF) reserved (NULL) for multi-user
>>>>>>>24	ubelong&0xffFFFFff	=0
# test for 2 reserved NULL bytes,transaction and encryption byte flag
>>>>>>>>12	ubelong&0xFFFFfEfE	0
# test for MDX flag
>>>>>>>>>28	ubyte			x
>>>>>>>>>28	ubyte&0xf8		0
# header size >= 32
>>>>>>>>>>8	uleshort		>31
# skip PIC15736.PCX by test for language driver name or field name
>>>>>>>>>>>32	ubyte			>0
#!:mime	application/x-dbf; charset=unknown-8bit ??
#!:mime	application/x-dbase
>>>>>>>>>>>>0	use			xbase-type
# database file
>>>>>>>>>>>>28	ubyte&0x04		=0		\b DBF
!:ext	dbf
>>>>>>>>>>>>28	ubyte&0x04		=4		\b DataBaseContainer
!:ext	dbc
>>>>>>>>>>>>4	lelong			0		\b, no records
>>>>>>>>>>>>4	lelong			>0		\b, %d record
# plural s appended
>>>>>>>>>>>>>4	lelong			>1		\bs
# https://www.clicketyclick.dk/databases/xbase/format/dbf_check.html#CHECK_DBF
# 1 <= record size <= 4000 (dBase 3,4) or 32 * KB (=0x8000)
>>>>>>>>>>>>10	uleshort		x		* %d
# file size = records * record size + header size
>>>>>>>>>>>>1	ubyte			x		\b, update-date
>>>>>>>>>>>>1	use			xbase-date
# https://msdn.microsoft.com/de-de/library/cc483186(v=vs.71).aspx
#>>>>>>>>>>>>29	ubyte			=0		\b, codepage ID=%#x
# 2~cp850 , 3~cp1252 , 0x1b~?? ; what code page is 0x1b ?
>>>>>>>>>>>>29	ubyte			>0		\b, codepage ID=%#x
#>>>>>>>>>>>>28	ubyte&0x01		0		\b, no index file
# MDX or CDX index
>>>>>>>>>>>>28	ubyte&0x01		1		\b, with index file .MDX
>>>>>>>>>>>>28	ubyte&0x02		2		\b, with memo .FPT
#>>>>>>>>>>>>28	ubyte&0x04		4		\b, DataBaseContainer
# 1st record offset + 1 = header size
>>>>>>>>>>>>8	uleshort		>0
>>>>>>>>>>>>(8.s+1)	ubyte		>0
>>>>>>>>>>>>>8		uleshort	>0		\b, at offset %d
>>>>>>>>>>>>>(8.s+1)	ubyte		>0
>>>>>>>>>>>>>>&-1	string		>\0		1st record "%s"
# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)
>>>>>>>24	ubelong&0x0133f7ff	>0
# test for reserved NULL byte
>>>>>>>>47	ubyte			0
# test for valid TAG key format (0x10 or 0)
>>>>>>>>>559	ubyte&0xeF		0
# test MM <= 12
>>>>>>>>>>45	ubeshort		<0x0C20
>>>>>>>>>>>45	ubyte			>0
>>>>>>>>>>>>46	ubyte			<32
>>>>>>>>>>>>>46	ubyte			>0
#!:mime	application/x-mdx
>>>>>>>>>>>>>>0		use		xbase-type
>>>>>>>>>>>>>>0		ubyte		x		\b MDX
>>>>>>>>>>>>>>1		ubyte		x		\b, creation-date
>>>>>>>>>>>>>>1		use		xbase-date
>>>>>>>>>>>>>>44	ubyte		x		\b, update-date
>>>>>>>>>>>>>>44	use		xbase-date
# No.of tags in use (1,2,5,12)
>>>>>>>>>>>>>>28	uleshort	x		\b, %d
# No. of entries in tag (0x30)
>>>>>>>>>>>>>>25	ubyte		x		\b/%d tags
#  Length of tag
>>>>>>>>>>>>>>26	ubyte		x		* %d
# 1st tag name_
>>>>>>>>>>>>>548	string		x		\b, 1st tag "%.11s"
# 2nd tag name
#>>>>>>>>>>>>(26.b+548)	string		x		\b, 2nd tag "%.11s"
#
#		Print the xBase names of different version variants
0	name				xbase-type
>0	ubyte		<2
# 1 < version
>0	ubyte		>1
>>0	ubyte		0x02		FoxBase
!:mime	application/x-dbf
# like: ACCESS.DBF USER.DBF dbase3date.dbf mitarbei.dbf produkte.dbf umlaut-test-v2.dbf
# FoxBase+/dBaseIII+, no memo
>>0	ubyte		0x03		FoxBase+/dBase III
!:mime	application/x-dbf
# like: 92DATA.DBF MSCATLOG.DBF SYLLABI2.DBF SYLLABUS.DBF T4.DBF Teleadr.dbf us_city.dbf
# dBASE IV no memo file
>>0	ubyte		0x04		dBase IV
!:mime	application/x-dbf
# like: Quattro-test11.dbf umlaut-test-v4.dbf
# dBASE V no memo file
>>0	ubyte		0x05		dBase V
!:mime	application/x-dbf
# like: dbase4double.dbf Quattro-test2.dbf umlaut-test7.dbf
!:ext	dbf
# probably Apollo Database Server 9.7? xBase (0x6)
>>0	ubyte		0x06		Apollo
!:mime	application/x-dbf
# like: ALIAS.DBF CRYPT.DBF PROCS.DBF USERS.DBF
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
>>0	ubyte		0x2F		FoxBase+/Dbase III plus, no memo
!:mime	application/x-dbf
# no example
>>0	ubyte		0x30		Visual FoxPro
!:mime	application/x-dbf
# like: 26FRX.DBF 30DBC.DBF 30DBCPRO.DBF BEHINDSC.DBF USER_LEV.DBF
# Microsoft Visual FoxPro Database Container File like: FOXPRO-DB-TEST.DBC TESTDATA.DBC TASTRADE.DBC
>>0	ubyte		0x31		Visual FoxPro, autoincrement
!:mime	application/x-dbf
# like: AI_Table.DBF dbase_31.dbf w_cityFoxpro.dbf 
# Visual FoxPro, with field type Varchar or Varbinary
>>0	ubyte		0x32		Visual FoxPro, with field type Varchar
!:mime	application/x-dbf
# like: dbase_32.dbf
# dBASE IV SQL, no memo;dbv memo var size (Flagship)
>>0	ubyte		0x43		dBase IV, with SQL table
!:mime	application/x-dbf
# like: ASSEMBLY.DBF INVENTRY.DBF STAFF.DBF
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
>>0	ubyte		0x62		dBase IV, with SQL table
#!:mime	application/x-dbf
# no example
# dBASE IV, with memo!!
>>0	ubyte		0x7b		dBase IV, with memo
!:mime	application/x-dbf
# like: test3memo.DBF dbase5.DBF
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
>>0	ubyte		0x82		dBase IV, with SQL system
#!:mime	application/x-dbf
# no example
# FoxBase+/dBaseIII+ with memo .DBT!
>>0	ubyte		0x83		FoxBase+/dBase III, with memo .DBT
!:mime	application/x-dbf
# like: T2.DBF t3.DBF biblio.dbf dbase_83.dbf dbase3dbt0_4.dbf fsadress.dbf stop.dbf
# VISUAL OBJECTS (first 1.0 versions) for the Dbase III files (NTX clipper driver); memo file
>>0	ubyte		0x87		VISUAL OBJECTS, with memo file
!:mime	application/x-dbf
# like: ACCESS.DBF dbase3date.dbf dbase3float.dbf holdings.dbf mitarbei.dbf
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
>>0	ubyte		0x8A		FoxBase+/dBase III, with memo .DBT
#!:mime	application/x-dbf
# no example
# dBASE IV with memo!
>>0	ubyte		0x8B		dBase IV, with memo .DBT
!:mime	application/x-dbf
# like: animals.dbf archive.dbf callin.dbf dbase_8b.dbf phnebook.dbf t6.dbf
# dBase IV with SQL Table,no memo?
>>0	ubyte		0x8E		dBase IV, with SQL table
!:mime	application/x-dbf
# like: dbase5.DBF test3memo.DBF test-memo.DBF
# .dbv and .dbt memo (Flagship)?
>>0	ubyte		0xB3		Flagship
!:mime	application/x-dbf
# no example
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
>>0	ubyte		0xCA		dBase IV with memo .DBT
#!:mime	application/x-dbf
# no example
# dBASE IV with SQL table, with memo .DBT
>>0	ubyte		0xCB		dBase IV with SQL table, with memo .DBT
!:mime	application/x-dbf
# like: dbase5.DBF test3memo.DBF test-memo.DBF
# HiPer-Six format;Clipper SIX, with SMT memo file
>>0	ubyte		0xE5		Clipper SIX with memo
!:mime	application/x-dbf
# like: dbase5.DBF test3memo.DBF test-memo.DBF testClipper.dbf DATA.DBF
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
>>0	ubyte		0xF4		dBase IV, with SQL table, with memo
#!:mime	application/x-dbf
# no example
>>0	ubyte		0xF5		FoxPro with memo
!:mime	application/x-dbf
# like: CUSTOMER.DBF FOXUSER1.DBF Invoice.DBF NG.DBF OBJSAMP.DBF dbase_f5.dbf kunde.dbf
# probably Apollo Database Server 9.7 with SQL and memo mask? xBase (0xF6)
>>0	ubyte		0xF6		Apollo, with SQL table with memo
!:mime	application/x-dbf
# like: SCRIPTS.DBF
# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80)
#>>0	ubyte		0xFA		FoxPro 2.x, with memo
#!:mime	application/x-dbf
# no example
# unknown version (should not happen)
>>0	default		x		xBase
!:mime	application/x-dbf
>>>0	ubyte		x		(%#x)
# flags in version byte
# DBT flag (with dBASE III memo .DBT)!!
# >>0	ubyte&0x80	>0		DBT_FLAG=%x
# memo flag ??
# >>0	ubyte&0x08	>0		MEMO_FLAG=%x
# SQL flag ??
# >>0	ubyte&0x70	>0		SQL_FLAG=%x
#		test and print the date of xBase .DBF .MDX
0	name				xbase-date
# inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
>0	ubelong		x
>1	ubyte		<13
>>1	ubyte		>0
>>>2	ubyte		>0
>>>>2	ubyte		<32
>>>>>0	ubyte		x
# YY is interpreted as 20YY or 19YY
>>>>>>0	ubyte		<100		\b %.2d
# YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY
>>>>>>0	ubyte		>99		\b %d
>>>>>1	ubyte		x		\b-%d
>>>>>2	ubyte		x		\b-%d

#	dBase memo files .DBT or .FPT
# https://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx
16		ubyte		<4
>16		ubyte		!2
>>16		ubyte		!1
# next free block index is positive
>>>0		ulelong		>0
# skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size
>>>>17		ubelong&0xFFfdFEff	0x00000000
# skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h
>>>>>20		ubelong&0xFF01209B	0x00000000
# dBASE III
>>>>>>16	ubyte		3
# skip with invalid "low" 1st item "\0\0\0\0" StateRepository-Deployment.srd-shm "\001\010\0\0" gcry_cast5.mod
>>>>>>>512	ubyte		>040
# skip with valid 1st item "rintf" keylayouts.mod
# by looking for valid terminating character Ctrl-Z like in test.dbt
>>>>>>>>513 search/3308	\032
# skip GRUB plan9.mod with invalid second terminating character 007
# by checking second terminating character Ctrl-Z like in test.dbt
>>>>>>>>>&0 ubyte		032
# dBASE III DBT with two Ctr-Z terminating characters
>>>>>>>>>>0	use		dbase3-memo-print
# second terminating character \0 like in dbase-memo.dbt or GRUB nativedisk.mod
>>>>>>>>>&0 ubyte		0
# skip GRUB nativedisk.mod with grub_mod_init\0grub_mod_fini\0grub_fs_autoload_hook\0
>>>>>>>>>>0x1ad string		!grub_mod_init
# like dbase-memo.dbt
>>>>>>>>>>>0	use		dbase3-memo-print
# dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage
>>>>>>16	ubyte		0
# unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT ,  or garbage PCX DBF
>>>>>>>20	uleshort	0
# FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage
>>>>>>>>8	ulong		=0
>>>>>>>>>6	ubeshort	>0
# skip emacs.PIF
>>>>>>>>>>4	ushort		0
# check for valid FoxPro field type
>>>>>>>>>>>512	ubelong		<3
# skip LXMDCLN4.OUT LXMDCLN6.OUT LXMDALG6.OUT with invalid blocksize 170=AAh
>>>>>>>>>>>>6	ubeshort&0x002f	0
>>>>>>>>>>>>>0	use		foxpro-memo-print
# dBASE III DBT , garbage
# skip WORD1XW.DOC with improbably high free block index
>>>>>>>>>0	ulelong		<0x400000
# skip WinStore.App.exe by looking for printable 2nd character of 1st memo item
>>>>>>>>>>513	ubyte		>037
# skip DOS executables CPQ0TD.DRV E30ODI.COM IBM0MONO.DRV by looking for printable 1st character of 1st memo item
>>>>>>>>>>>512	ubyte		>037
# skip few (14/758) Microsoft Event Trace Logs (boot_BASE+CSWITCH_1.etl DlTel-Merge.etl UpdateUx.006.etl) with invalid "high" 1st item \377\377
>>>>>>>>>>>>512	ubyte		<0377
# skip some Commodore 64 Art Studio (Deep_Strike.aas dragon's_lair_ii.aas), some Atari DEGAS Elite bitmap (ELEPHANT.PC3 ST.PC2)
# some probably old GRUB modules (part_sun.mod) and virtual-boy-wario-land.vb. 
# by looking for valid terminating character Ctrl-Z
>>>>>>>>>>>>>513 search/523	\032
# Atari DEGAS bitmap ST.PC2 with 0370 as second terminating character
#>>>>>>>>>>>>>>&0 ubyte		x		2ND_CHAR_IS=%o
# dBASE III DBT with two Ctr-Z terminating characters like dbase3dbt0_1.dbt dbase_83.dbt
>>>>>>>>>>>>>>&0 ubyte		032
>>>>>>>>>>>>>>>0 use		dbase3-memo-print
# second terminating character \0 like in pcidump.mod or fsadress.dbt umlaut-dbf-cmd.dbt
>>>>>>>>>>>>>>&0 ubyte		0
# look for old GRUB module pcidump.mod with specific content "pcidump\0Show raw dump of the PCI configuration space"
>>>>>>>>>>>>>>>514 search/0x11E	pcidump\0Show
# dBASE III DBT with Ctr-Z + \0 terminating characters like fsadress.dbt
>>>>>>>>>>>>>>>514 default	x
# unusual dBASE III DBT like fsadress.dbt umlaut-dbf-cmd.dbt
>>>>>>>>>>>>>>>>0 use		dbase3-memo-print
# dBASE III DBT like angest.dbt, or garbage PCX DBF
>>>>>>>>8	ubelong		!0
# skip PCX and some DBF by test for for reserved NULL bytes
>>>>>>>>>510	ubeshort	0
# skip bad symples with improbably high free block index above 2 GiB file limit
>>>>>>>>>>0	ulelong		<0x400000
# skip AI070GEP.EPS by printable 1st character of 1st memo item
>>>>>>>>>>>512	ubyte		>037
# skip some Microsoft Visual C, OMF library like: BZ2.LIB WATTCPWL.LIB ZLIB.LIB
>>>>>>>>>>>>512	ubyte		<0200
# skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character
>>>>>>>>>>>>>513 ubyte		>037
# skip few (8/758) Microsoft Event Trace Logs (WBEngine.3.etl Wifi.etl) with valid 1st item like
# "9600.20369.amd64fre.winblue_ltsb_escrow.220427-1727"
# "9600.19846.amd64fre.winblue_ltsb_escrow.200923-1735"
# "10586.494.amd64fre.th2_release_sec.160630-1736"
# by looking for valid terminating character Ctrl-Z
>>>>>>>>>>>>>>513 search/0x11E	\032
# followed by second character Ctrl-Z implies typical DBT
>>>>>>>>>>>>>>>&0	ubyte	032
# examples like: angest.dbt
>>>>>>>>>>>>>>>>0	use	dbase3-memo-print
>>>>>>>>>>>>>>>&0	ubyte	0
# no example found here with terminating sequence CTRL-Z + \0
>>>>>>>>>>>>>>>>0	use	dbase3-memo-print
# dBASE IV DBT with positive block size
>>>>>>>20	uleshort	>0
# dBASE IV DBT with valid block length like 512, 1024
# multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero
# skip also 3600h 3E00h size
>>>>>>>>20	uleshort&0xE00f	0
>>>>>>>>>0	use		dbase4-memo-print

#		Print the information of dBase III DBT memo file
0	name				dbase3-memo-print
>0	ubyte			x		dBase III DBT
!:mime	application/x-dbt
!:ext	dbt
# instead 3 as version number 0 for unusual examples like biblio.dbt
>16	ubyte			!3		\b, version number %u
# Number of next available block for appending data
#>0	lelong			=0		\b, next free block index %u
>0	lelong			!0		\b, next free block index %u
# no positive block length
#>20	uleshort		=0		\b, block length %u
>20	uleshort		!0		\b, block length %u
# dBase III memo field terminated often by \032\032
# like: "WHAT IS XBASE" test.dbt "Borges, Malte" biblio.dbt "First memo\032\032" T2.DBT
>512	string			>\0		\b, 1st item "%s"
# For DEBUGGING
#>512	ubelong			x		\b, 1ST item %#8.8x
#>513	search/0x225		\032		FOUND_TERMINATOR
#>>&0	ubyte			032		2xCTRL_Z
# fsadress.dbt has 1 Ctrl-Z terminator followed by nil byte
#>>&0	ubyte			0		1xCTRL_Z

# https://www.clicketyclick.dk/databases/xbase/format/dbt.html
#		Print the information of dBase IV DBT memo file
0	name				dbase4-memo-print
>0		lelong		x		dBase IV DBT
!:mime	application/x-dbt
!:ext dbt
# 8 character shorted main name of corresponding dBASE IV DBF file
>8		ubelong		>0x20000000
# skip unusual like for angest.dbt
>>20		uleshort	>0
>>>8		string		>\0		\b of %-.8s.DBF
# value 0 implies 512 as size
#>4		ulelong		=0		\b, blocks size %u
# size of blocks not reliable like 0x2020204C in angest.dbt
>4		ulelong		!0
>>4		ulelong&0x0000003f	0	\b, blocks size %u
# dBase IV DBT with positive block length (found 512 , 1024)
>20		uleshort	>0		\b, block length %u
# next available block
#>0		lelong		=0		\b, next free block index %u
>0		lelong		!0		\b, next free block index %u
>20		uleshort	>0
>>(20.s)	ubelong		x
>>>&-4		use		dbase4-memofield-print
# unusual dBase IV DBT without block length (implies 512 as length)
>20		uleshort	=0
>>512		ubelong		x
>>>&-4		use				dbase4-memofield-print
#		Print the information of dBase IV memo field
0	name			dbase4-memofield-print
# free dBase IV memo field
>0		ubelong		!0xFFFF0800
>>0		lelong		x		\b, next free block %u
>>4		lelong		x		\b, next used block %u
# used dBase IV memo field
>0		ubelong		=0xFFFF0800
# length of memo field
>>4		lelong		x		\b, field length %d
>>>8		string		>\0		\b, 1st used item "%s"
# http://www.dbfree.org/webdocs/1-documentation/0018-developers_stuff_(advanced)/os_related_stuff/xbase_file_format.htm
#		Print the information of FoxPro FPT memo file
0	name				foxpro-memo-print
>0		belong		x		FoxPro FPT
!:mime	application/x-fpt
!:ext	fpt
# Size of blocks for FoxPro ( 64,256 ); probably a multiple of two
>6		ubeshort	x		\b, blocks size %u
# next available block
#>0		belong		=0		\b, next free block index %u
>0		belong		!0		\b, next free block index %u
# field type ( 0~picture, 1~memo, 2~object )
>512		ubelong		<3		\b, field type %u
# length of memo field
>512		ubelong		1
>>516		belong		>0		\b, field length %d
>>>520		string		>\0		\b, 1st item "%s"

# Summary:	DBASE Compound Index file *.CDX and FoxPro index *.IDX
# From:		Joerg Jenderek
# URL:		https://www.clicketyclick.dk/databases/xbase/format/cdx.html
#		https://www.clicketyclick.dk/databases/xbase/format/idx.html
#		https://www.clicketyclick.dk/databases/xbase/format/idx_comp.html
# Reference:	https://mark0.net/download/triddefs_xml.7z/defs/s/sybase-ianywhere-cdx.trid.xml
#		https://mark0.net/download/triddefs_xml.7z/defs/c/cdx-vfp7.trid.xml
# like: kunde.cdx
0	ulelong		0x1C00
>0	use			xbase-index
# like: SYLLABI2.CDX SYLLABUS.CDX
0	ulelong		0x0800
>0	use			xbase-index
# often in xBase index pointer to root node 400h
0	ulelong		0x0400
# skip most Maple help database *.hdb with version tag handled by ./maple
>1028	string		!version
# skip Maple help database hsum.hdb checking for valid reserved area
>>492	quad		=0
# skip remaining Maple help database *.hdb by checking key length
#>>>12	uleshort	!0x000F			KEY_LENGTHVALID
>>>0	use			xbase-index
#	display information about dBase/FoxPro index
0	name			xbase-index
>0	ulelong		x			xBase
!:mime	application/x-dbase-index
>14	ubyte		&0x40			compound index
# DCX for FoxPro database index like: TESTDATA.DCX
!:ext	cdx/dcx
>14	ubyte		^0x40			index
# only 1 example like: TEST.IDX
!:ext	idx
# pointer to root node like: 1C00h 800h often 400h 
>0	ulelong		!0x400			\b, root pointer %#x
# Pointer to free node list: often 0 but -1 if not present
>4	ulelong		!0			\b, free node pointer %#x
# MAYBE number of pages in file (Foxbase, FoxPro 1.x) or
# http://www.foxpert.com/foxpro/knowlbits/files/knowlbits_200708_1.HTM
# Whenever Visual FoxPro updates the index file it increments this reserved field
# Reserved for internal use like: 02000000h 03000000h 460c0000h 780f0000h 89000000h 9fdc0100h often 0
>8	ulelong		!0			\b, reserved counter %#x
# length of key like: mostly 000Ah 0028h (TEST.IDX)
>12	uleshort	!0x000A			\b, key length %#x
# index options like: 24h E0h E8h
# 1~a unique index 8~index has FOR clause 32~compact index format 64~compound index header
# 16~Bit vector (SoftC) 128~Structure index (FoxPro)
>14	ubyte		x			\b, index options (%#x
>14	ubyte		&0x01			\b, unique
>14	ubyte		&0x08			\b, has FOR clause
>14	ubyte		&0x10			\b, bit vector (SoftC)
>14	ubyte		&0x20			\b, compact format
#>14	ubyte		&0x40			\b, compound header
>14	ubyte		&0x80			\b, structure
>14	ubyte		x			\b)
# WHAT EXACTLY IS THAT? index signature like: 0 (sybase-ianywhere-cdx.trid.xml) 1 (cdx-vfp7.trid.xml)
>15	ubyte		!0			\b, index signature %u
# reserved area (0-bytes) til about 500, but not for uncompressed Index files *.idx
>16	quad		!0			\b, at 16 reserved %#llx
>492	quad		!0			\b, at 492 reserved %#llx
# for IDX variant
#>14	ubyte		^0x40			IDX
# for CDX variant
>14	ubyte		&0x40
# Ascending or descending: 0~ascending 1~descending
>>502	uleshort	x			\b, sort order %u
# Total expression length (FoxPro 2) like: 0 1
>>504	uleshort	!0			\b, expression length %u
# FOR expression pool length like: 1
>>506	uleshort	!1			\b, FOR expression pool length %#x
# reserved for internal use like: 0
>>508	uleshort	!0			\b, at 0x508 reserved %#x
# Key expression pool length like: 1
>>510	uleshort	!1			\b, key expression pool length %#x
# 512 - 1023 Key & FOR expression pool (uncompiled)
>>512	quad		!0			\b, key expression pool %#llx
#>>520	quad		!0			\b, key expression pool %#llx

# Summary:	dBASE IV Printer Form *.PRF
# From:		Joerg Jenderek
# URL:		https://en.wikipedia.org/wiki/.dbf#Other_file_types_found_in_dBASE	
# Reference:	https://mark0.net/download/triddefs_xml.7z/defs/p/prf-dbase.trid.xml
0	ubeshort	0x0400
# skip some Xbase Index files *.ndx and Infocom (Z-machine 4) *.z4 handled by ./adventure
# by looking for valid printer driver name extension
>0x58	search/8	.PR2
>>0	use			xbase-prf
#	display information of dbase print form like printer driver *.PR2
0	name			xbase-prf	dBase Printer Form
!:mime	application/x-dbase-prf
!:ext	prf
# MAYBE version? like: 4~DBASE IV
#>0	ubyte		x			\b, version %u
# MAYBE flag like: 1~with output file name 0~not
#>2	ubyte		!0			\b, flag %u
# optional printer text output file name like E:\DBASE\IV\T6.txt
>3	string		>\0			\b, output file %s
# probably padding with nils til 0x53
#>0x48	 uquad		!0			\b, at 0x48 padding %#llx
# dBASE IV printer driver name like: Generic.PR2 ASCII.PR2
>0x56	string		>\0			\b, using printer driver %s
# 2 is probably last character of previous dBASE printer driver name
#>0x60	ubyte		!0x32			\b, at 0x60 %#x
# probably padding with nils til 0xa8
#>0x61	uquad		!0			\b, at 0x61 padding %#llx
# unknown 0x03020300 0x03020100 at 0xa8
>0xa8	ubelong 	x			\b, at 0xa8 unknown %#8.8x
# probably padding with nils til 0x2aa
#>0x2a0	uquad		!0			\b, at 0x2a0 padding %#llx
# unknown 0x100ff7f01000001 at 0x2AB
>0x2ab	ubequad		!0x100ff7f01000001	\b, at 0x2ab unknown %#llx
# unknown 0x0042 at 0x2b3
>0x2b3	ubeshort 	!0x0042			\b, at 0x2b3 unknown %#4.4x
# unknown last 4 bytes at 0x2b6 like: 0 0x23
>0x2b6	ubelong		!0			\b, at 0x2b6 unknown %#8.8x

# TODO:
# DBASE index file *.NDX
# dBASE compiled Format *.FMO
# FoxPro Database memo file *.DCT
# FoxPro Forms Memo *.SCT
# FoxPro Generated Menu Program *.MPR
# FoxPro Report *.FRX
# FoxPro Report Memo *.FRT
# Foxpro Generated Screen Program *.SPR
# Foxpro memo *.PJT
## End of XBase database stuff

# MS Access database
4	string	Standard\ Jet\ DB	Microsoft Access Database
!:mime	application/x-msaccess
4	string	Standard\ ACE\ DB	Microsoft Access Database
!:mime	application/x-msaccess

# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Extensible_Storage_Engine
# Reference: https://github.com/libyal/libesedb/archive/master.zip
#	libesedb-master/documentation/
#	Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc
# Note: also known as "JET Blue". Used by numerous Windows components such as
# Windows Search, Mail, Exchange and Active Directory.
4	ubelong		0xefcdab89
# unknown1
>132	ubelong		0		Extensible storage engine
!:mime	application/x-ms-ese
# file_type 0~database 1~stream
>>12	ulelong		0		DataBase
# Security DataBase (sdb)
!:ext	edb/sdb
>>12	ulelong		1		STreaMing
!:ext	stm
# format_version 620h
>>8	uleshort	x		\b, version %#x
>>10	uleshort	>0		revision %#4.4x
>>0	ubelong		x	 	\b, checksum %#8.8x
# Page size 4096 8192 32768
>>236	ulequad		x		\b, page size %lld
# database_state
>>52	ulelong		1		\b, JustCreated
>>52	ulelong		2		\b, DirtyShutdown
#>>52	ulelong		3		\b, CleanShutdown
>>52	ulelong		4		\b, BeingConverted
>>52	ulelong		5		\b, ForceDetach
# Windows NT major version when the databases indexes were updated.
>>216	ulelong		x		\b, Windows version %d
# Windows NT minor version
>>220	ulelong		x		\b.%d

# From: Joerg Jenderek
# URL: https://forensicswiki.org/wiki/Windows_Application_Compatibility
# Note: files contain application compatibility fixes, application compatibility modes and application help messages.
8	string		sdbf
>7	ubyte		0
# TAG_TYPE_LIST+TAG_INDEXES
>>12	uleshort	0x7802		Windows application compatibility Shim DataBase
# version? 2 3
#>>>0	ulelong		x		\b, version %d
!:mime	application/x-ms-sdb
!:ext	sdb

# TDB database from Samba et al - Martin Pool <mbp@samba.org>
0	string	TDB\ file		TDB database
>32	lelong	0x2601196D		version 6, little-endian
>>36	lelong	x			hash size %d bytes

# SE Linux policy database
0       lelong  0xf97cff8c      SE Linux policy
>16     lelong  x               v%d
>20     lelong  1      MLS
>24     lelong  x       %d symbols
>28     lelong  x       %d ocons

# ICE authority file data (Wolfram Kleff)
2	string		ICE		ICE authority data

# X11 Xauthority file (Wolfram Kleff)
10	string		MIT-MAGIC-COOKIE-1	X11 Xauthority data
11	string		MIT-MAGIC-COOKIE-1	X11 Xauthority data
12	string		MIT-MAGIC-COOKIE-1	X11 Xauthority data
13	string		MIT-MAGIC-COOKIE-1	X11 Xauthority data
14	string		MIT-MAGIC-COOKIE-1	X11 Xauthority data
15	string		MIT-MAGIC-COOKIE-1	X11 Xauthority data
16	string		MIT-MAGIC-COOKIE-1	X11 Xauthority data
17	string		MIT-MAGIC-COOKIE-1	X11 Xauthority data
18	string		MIT-MAGIC-COOKIE-1	X11 Xauthority data

# From: Maxime Henrion <mux@FreeBSD.org>
# PostgreSQL's custom dump format, Maxime Henrion <mux@FreeBSD.org>
0	string		PGDMP		PostgreSQL custom database dump
>5	byte		x		- v%d
>6	byte		x		\b.%d
>5	beshort		<0x101		\b-0
>5	beshort		>0x100
>>7	byte		x		\b-%d

# Type: Advanced Data Format (ADF) database
# URL:  https://www.grc.nasa.gov/WWW/cgns/adf/
# From: Nicolas Chauvat <nicolas.chauvat@logilab.fr>
0	string	@(#)ADF\ Database	CGNS Advanced Data Format

# Tokyo Cabinet magic data
# http://tokyocabinet.sourceforge.net/index.html
0	string		ToKyO\ CaBiNeT\n	Tokyo Cabinet
>14	string		x			\b (%s)
>32	byte		0			\b, Hash
!:mime	application/x-tokyocabinet-hash
>32	byte		1			\b, B+ tree
!:mime	application/x-tokyocabinet-btree
>32	byte		2			\b, Fixed-length
!:mime	application/x-tokyocabinet-fixed
>32	byte		3			\b, Table
!:mime	application/x-tokyocabinet-table
>33	byte		&1			\b, [open]
>33	byte		&2			\b, [fatal]
>34	byte		x			\b, apow=%d
>35	byte		x			\b, fpow=%d
>36	byte		&0x01			\b, [large]
>36	byte		&0x02			\b, [deflate]
>36	byte		&0x04			\b, [bzip]
>36	byte		&0x08			\b, [tcbs]
>36	byte		&0x10			\b, [excodec]
>40	lequad		x			\b, bnum=%lld
>48	lequad		x			\b, rnum=%lld
>56	lequad		x			\b, fsiz=%lld

# Type:	QDBM Quick Database Manager
# From:	Benoit Sibaud <bsibaud@april.org>
0	string		\\[depot\\]\n\f		Quick Database Manager, little endian
0	string		\\[DEPOT\\]\n\f		Quick Database Manager, big endian

# Type:	TokyoCabinet database
# URL:	http://tokyocabinet.sourceforge.net/
# From:	Benoit Sibaud <bsibaud@april.org>
0	string		ToKyO\ CaBiNeT\n	TokyoCabinet database
>14	string		x			(version %s)

# From:  Stephane Blondon https://www.yaal.fr
# Database file for Zope (done by FileStorage)
0	string	FS21	Zope Object Database File Storage v3 (data)
0	string	FS30	Zope Object Database File Storage v4 (data)

# Cache file for the database of Zope (done by ClientStorage)
0	string		ZEC3	Zope Object Database Client Cache File (data)

# IDA (Interactive Disassembler) database
0	string		IDA1	IDA (Interactive Disassembler) database

# Hopper (reverse engineering tool) https://www.hopperapp.com/
0	string		hopperdb	Hopper database

# URL: https://en.wikipedia.org/wiki/Panorama_(database_engine)
# Reference: http://www.provue.com/Panorama/
# From: Joerg Jenderek
# NOTE: test only versions 4 and 6.0 with Windows
# length of Panorama database name
5	ubyte				>0
# look after database name for "some" null bits
>(5.B+7)	ubelong&0xF3ffF000	0
# look for first keyword
>>&1		search/2		DESIGN		Panorama database
#!:mime	application/x-panorama-database
!:apple	KASXZEPD
!:ext	pan
# database name
>>>5	pstring				x		\b, "%s"

#
#
# askSam Database by Stefan A. Haubenthal <polluks@web.de>
0	string	askw40\0	askSam DB

#
#
# MUIbase Database Tool by Stefan A. Haubenthal <polluks@web.de>
0	string	MBSTV\040	MUIbase DB
>6	string	x		version %s

#
# CDB database
0	string	NBCDB\012	NetBSD Constant Database
>7	byte	x		\b, version %d
>8	string	x		\b, for '%s'
>24	lelong	x		\b, datasize %d
>28	lelong	x		\b, entries %d
>32	lelong	x		\b, index %d
>36	lelong	x		\b, seed %#x

#
# Redis RDB - https://redis.io/topics/persistence
0	string	REDIS			Redis RDB file,
>5	regex	[0-9][0-9][0-9][0-9]	version %s

# Mork database.
# Used by older versions of Mozilla Suite and Firefox,
# and current versions of Thunderbird.
# From: David Korth <gerbilsoft@gerbilsoft.com>
0	string	//\ <!--\ <mdb:mork:z\ v="	Mozilla Mork database
>23	string	x		\b, version %.3s

# URL:		https://en.wikipedia.org/wiki/Management_Information_Format
# Reference:	https://www.dmtf.org/sites/default/files/standards/documents/DSP0005.pdf
# From:		Joerg Jenderek
# Note:		only tested with monitor asset reports of Dell Display Manager
#		skip start like Language=fr|CA|iso8859-1
0	search/27/C	Start\040Component	DMI Management Information Format
#!:mime	text/plain
!:mime	text/x-dmtf-mif
!:ext	mif