sleuthkit

 

 

 


 

sleuthkit

apt-get install sleuthkit

 


sigfind

 

Usage

sigfind [-b bsize] [-o offset] [-t template] [-lV] [hex_signature] file

-b bsize: Give block size (default 512)

-o offset: Give offset into block where signature should exist (default 0)

-l: Signature will be little endian in image

-V: Version

-t template: dospart, ext2, ext3, ext4, fat, hfs, hfs+, ntfs, ufs1, ufs2

Example

mkfs.ext4 test.bin

dumpe2fs -h test.bin

Block size:               1024

# ext4: Offset: 0x38, Magic signature: 0xEF53

sigfind -b 1024 -o 56 -l EF53 test.bin

Block size: 1024  Offset: 56  Signature: 53EF

Block: 1 (-)           # xxd -s 0x400 test.bin | less
Block: 8193 (+8192)    # xxd -s 0x800400 test.bin | less  <- hex(8193 * 1024)
Block: 24577 (+16384)  # xxd -s 0x1800400 test.bin | less