#------------------------------------------------------------------------------
# windows: file(1) magic for Microsoft Windows
#
# This file is mainly reserved for files where the programs
# using them run almost always on MS Windows 3.x or
# above, or files used exclusively in Windows OS,
# where there is no better category to allocate them to.
# For example, even though WinZIP almost always runs on Windows
# only, it is better to treat its files as "archive" instead.
# For formats usable in DOS, such as the generic executable
# format, please specify them under the "msdos" file.
#


# Summary: Outlook Express DBX file
# Extension: .dbx
# Created by: Christophe Monniez
0	string	\xCF\xAD\x12\xFE	MS Outlook Express DBX file
>4	byte	=0xC5	\b, message database
>4	byte	=0xC6	\b, folder database
>4	byte	=0xC7	\b, account information
>4	byte	=0x30	\b, offline database


# Summary: Windows crash dump
# Extension: .dmp
# Created by: Andreas Schuster (http://computer.forensikblog.de/)
# Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html
# Modified by (1): Abel Cheung (Avoid match with first 4 bytes only)
0	string	PAGE
>4	string	DUMP	MS Windows 32bit crash dump
>>0x05c	byte	0	\b, no PAE
>>0x05c	byte	1	\b, PAE
>>0xf88	lelong	1	\b, full dump
>>0xf88	lelong	2	\b, kernel dump
>>0xf88	lelong	3	\b, small dump
>>0x068	lelong	x	\b, %ld pages
>4	string	DU64	MS Windows 64bit crash dump
>>0xf98	lelong	1	\b, full dump
>>0xf98	lelong	2	\b, kernel dump
>>0xf98	lelong	3	\b, small dump
>>0x090	lequad	x	\b, %lld pages


# Summary: Vista Event Log
# Extension: .evtx
# Created by: Andreas Schuster (http://computer.forensikblog.de/)
# Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html
0	string	ElfFile\0	MS Windows Vista Event Log
>0x2a	leshort	x	\b, %d chunks
>>0x10	lelong	x	\b (no. %d in use)
>0x18	lelong	>1	\b, next record no. %d
>0x18	lelong	=1	\b, empty
>0x78	lelong	&1	\b, DIRTY
>0x78	lelong	&2	\b, FULL


# Summary: Windows 3.1 group files
# Extension: .grp
# Created by: unknown
0	string	\120\115\103\103	MS Windows 3.1 group files


# Summary: Old format help files
# Extension: .hlp
# Created by: Dirk Jagdmann <doj@cubic.org>
0	lelong	0x00035f3f	MS Windows 3.x help file


# Summary: Hyper terminal
# Extension: .ht
# Created by: unknown
0	string	HyperTerminal\ 
>15	string	1.0\ --\ HyperTerminal\ data\ file	MS Windows HyperTerminal profile


# Summary: Windows shortcut
# Extension: .lnk
# Created by: unknown
0	string	\114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106	MS Windows shortcut


# Summary: Outlook Personal Folders
# Created by: unknown
0	lelong	0x4E444221	Microsoft Outlook email folder
>10	leshort	0x0e	(<=2002)
>10	leshort	0x17	(>=2003)


# Summary: Windows help cache
# Created by: unknown
0	string	\164\146\115\122\012\000\000\000\001\000\000\000	MS Windows help cache


# Summary: IE cache file
# Created by: Christophe Monniez
0	string	Client\ UrlCache\ MMF	Internet Explorer cache file
>20	string	>\0	version %s


# Summary: Registry files
# Created by: unknown
# Modified by (1): Joerg Jenderek
0	string	regf	MS Windows registry file, NT/2000 or above
0	string	CREG	MS Windows 95/98/ME registry file
0	string	SHCC3	MS Windows 3.1 registry file


# Summary: Windows Registry text
# Extension: .reg
# Submitted by: Abel Cheung <abelcheung@gmail.com>
0	string	REGEDIT4\r\n\r\n	Windows Registry text (Win95 or above)
0	string	Windows\ Registry\ Editor\ 
>&0	string	Version\ 5.00\r\n\r\n	Windows Registry text (Win2K or above)