scalpel_for_private_keys.conf
# Before we get to the rules that facilitate carving out lost private keys we
# will drop a copy of comments explaining this configuration file format from
# the official scalpel repository for easy reference.
# === EXPLANATION START ===
# Scalpel configuration file
# This configuration file controls the types and sizes of files that
# are carved by Scalpel. NOTE THAT THE FORMAT OF THIS FILE WAS
# EXTENDED in Scalpel 1.90-->!
# For each file type, the configuration file describes the file's
# extension, whether the header and footer are case sensitive, the
# min/maximum file size, and the header and footer for the file. The
# footer field is optional, but extension, case sensitivity, size, and
# header are required. Any line that begins with a '#' is considered
# a comment and ignored. Thus, to skip a file type just put a '#' at
# the beginning of the line containing the rule for the file type.
# If you want files carved without filename extensions, use "NONE" in
# the extension column.
# Beginning with Scalpel 1.90, HEADERS AND/OR FOOTERS MAY BE EITHER
# FIXED STRINGS OR REGULAR EXPRESSIONS.
# Headers and footers are decoded before use, unless they are regular
# expressions. To specify a value in hexadecimal use \x[0-f][0-f] and
# for octal use \[0-3][0-7][0-7]. Spaces can be represented by
# \s. Example: "\x4F\123\I\sCCI" decodes to "OSI CCI".
# To match any single character (aka a wildcard) in a non-regular
# expression header/footer, use a '?'. If you need to search for the
# '?' character, you will need to change the 'wildcard' line *and*
# every occurrence of the old wildcard character in the configuration
# file.
# Regular expressions in extended format can be specified for headers
# or footers by bracketing a header or footer with //, e.g., /GGG[^G]/
# matches a string of three G characters, followed by a character
# other than G. To clarify, here is a complete rule for a file type
# that should be at most 100000 characters, must begin with three G's
# followed by a non-G character and terminate with at least one digit
# character (0-9) followed by five H characters:
# XXX y 100000 /GGG[^G]/ /[0-9]HHHHH/
# Beginning with Scalpel 1.90, minimum carve sizes may be specified
# for each file type using this format for the size parameter:
# smallest:largest e.g.,
# jpg y 5000:100000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
# carves JPG format image files between 5000 and 100000 bytes in
# length, ignoring files smaller than 5000 bytes. If the minimum
# carve size is not specified, 0 is assumed. This maintains
# compatibility with Scalpel configuration files created prior to
# 1.90.
# The REVERSE keyword after a footer causes a search
# backwards starting from [size] bytes beyond the location of the header.
# This is useful for files like PDFs that may contain multiple copies of
# the footer throughout the file. When using the REVERSE keyword you will
# extract bytes from the header to the LAST occurrence of the footer (and
# including the footer in the carved file).
# The NEXT keyword after a footer results in file carves that
# include the header and all data BEFORE the first occurrence of the
# footer (the footer is not included in the carved file). If no
# occurrence of the footer is discovered within maximum carve size bytes
# from the header, then a block of the disk image including the header
# and with length equal to the maximum carve size is carved. Use NEXT
# when there is no definitive footer for a file type, but you know which
# data should NOT be included in a carved file--e.g., the beginning of
# a subsequent file of the same type.
# FORWARD_NEXT is the default carve type and this keyword may be
# included after the footer, but is not required. For FORWARD_NEXT
# carves, a block of data including the header and the first footer
# (within the maximum carve size) are carved. If no footer appears
# after the header within the maximum carve size, then no carving is
# performed UNLESS the -b command line option is supplied. In this case,
# a block of max carve size bytes, including the header, is carved and a
# notation is made in the Scalpel log that the file was chopped.
# To redefine the wildcard character, change the setting below and all
# occurrences in the scalpel.conf file.
#
#wildcard ?
#            case       size  header  footer
# extension  sensitive
#
#---------------------------------------------------------------------
# EXAMPLE WITH NO SUFFIX
#---------------------------------------------------------------------
#
# Here is an example of how to use the no extension option. Any files
# beginning with the string "FOREMOST" are carved and no file extensions
# are used. No footer is defined and the max carve size is 1000 bytes.
#
# NONE y 1000 FOREMOST
# === EXPLANATION END ===
# Handles ASCII armored OpenPGP private keys
asc y 65536 -----BEGIN\sPGP\sPRIVATE\sKEY\sBLOCK----- -----END\sPGP\sPRIVATE\sKEY\sBLOCK-----
# Handles private keys generated by OpenSSH
NONE y 65536 -----BEGIN\sOPENSSH\sPRIVATE\sKEY----- -----END\sOPENSSH\sPRIVATE\sKEY-----
# Handles private keys for Age
NONE y 74 AGE-SECRET-KEY-
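
Added example (not part of the original configuration file or of Scalpel itself): a simplified Python model of the rule format described in the comments above, applying the three private-key rules, copied into `RULES`, to a constructed buffer. The function names and sample data are assumptions made for illustration; beyond the three rules it also handles the `?` wildcard, the `min:max` size form and `/regex/` fields, and it models only the default forward carve (no REVERSE, NEXT or `-b`).

```python
import re
RULES = r"""
asc  y 65536 -----BEGIN\sPGP\sPRIVATE\sKEY\sBLOCK----- -----END\sPGP\sPRIVATE\sKEY\sBLOCK-----
NONE y 65536 -----BEGIN\sOPENSSH\sPRIVATE\sKEY----- -----END\sOPENSSH\sPRIVATE\sKEY-----
NONE y 74    AGE-SECRET-KEY-
"""
TOKEN = re.compile(rb"\\x([0-9a-fA-F]{2})|\\([0-3][0-7]{2})|\\(.)|(\?)|(.)", re.S)

def tokens(field):
    """Decode \\xHH, \\OOO, \\s and \\<char>; None marks the '?' wildcard."""
    out = []
    for hx, oc, esc, wild, lit in TOKEN.findall(field.encode()):
        if hx or oc:
            out.append(bytes([int(hx, 16) if hx else int(oc, 8)]))
        else:
            out.append(None if wild else (b" " if esc == b"s" else (esc or lit)))
    return out

def compile_field(field, case_sensitive=True):
    flags = re.S | (0 if case_sensitive else re.I)
    if len(field) > 1 and field[0] == field[-1] == "/":    # /regex/ form
        return re.compile(field[1:-1].encode(), flags)
    return re.compile(b"".join(b"." if t is None else re.escape(t) for t in tokens(field)), flags)

def parse_rules(text):
    rules = []
    for f in map(str.split, text.splitlines()):
        if len(f) >= 4 and not f[0].startswith("#"):       # skip blanks, comments, settings
            lo, _, hi = f[2].rpartition(":")               # "min:max" or just "max"
            pats = [compile_field(x, f[1] == "y") for x in f[3:5]]
            rules.append({"ext": f[0], "min": int(lo or 0), "max": int(hi),
                          "header": pats[0], "footer": pats[1] if len(pats) > 1 else None})
    return rules

def carve(data, rule):
    hits = []
    for m in rule["header"].finditer(data):
        window = data[m.start():m.start() + rule["max"]]   # never read past max size
        if rule["footer"]:
            end = rule["footer"].search(window, m.end() - m.start())
            window = window[:end.end()] if end else b""    # footer missing: no carve
        if len(window) >= max(rule["min"], 1):
            hits.append(window)                            # no footer rule: max-size block
    return hits

# Constructed sample image: placeholder bodies, not real key material.
SAMPLE = (b"\x00" * 32 + b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n"
          b"-----END OPENSSH PRIVATE KEY-----\n" + b"\xff" * 16
          + b"AGE-SECRET-KEY-1" + b"Q" * 58 + b"\ntrailing")
```

Because the Age rule has no footer, every occurrence of the header yields a fixed 74-byte block, so each hit still has to be validated as a well-formed key after carving.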