
Windows File Signatures for Forensics (techpathways)

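This document was written by Techpathways (techpathways), known for the forensic tool ProDiscover. It collects, as signatures (or magic numbers), the first 20 bytes of files commonly used on Windows systems.

Here I have highlighted only the files that I think are likely to have value as evidence in forensics.

If you want to consult the original, visit http://toorcon.techpathways.com/uploads/headersig.txt.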


## headersig.txt
## ProDiscover DFT Header Mismatch Configuration File 
## Date 9/15/03 http://www.ProDiscover.com
## 
## On Windows systems file signatures are often contained in the 
## first 20 bytes of the file.
## 
## Enter headers in the following format: 
## 
## <File Signature>,<File Extension[s] Separated by ;>,<"" Enclosed Signature Name> 
## 
## Use the # symbol to comment out individual signatures 
##
## Many thanks to Tim Coakley, John, Harlan Carvey and others who have helped to 
## create this database. See http://www.filesig.co.uk/ for great tools and resources.

818102000200070104,AVB,"MS Chat Character"
81810300020007010400,BGB,"MS Chat Background File"
3B2068656C702E687066,HPF,"HP LaserJet Fonts"
4C44425800010100000000200000,LDB/RDB,"Internet Log File (Zone Alarm)"
5456444227,LOG,"Zone Alarm Data File"
9901A2043C,PKR,"PGP Public Key-ring File"
3C68746D6C3E0D0A3C62,PLG,"MS Developer Build Log"
9501CF0436,SKR,"PGP Secret Key-ring File"
74576263000000000000,SYD,"QEMM / Sysedit Backup File"
535A4444,??_,"MS Compress 5 File(?? Could be anything)"
4B57414A,??_,"MS Compress 6 File(?? Could be anything)"
60EA,ARJ,"ARJ Archive File"
424147,BAG,"BAG Archive"
425A68,BZ,"Bzip Archive File"
4D534346,CAB,"Microsoft Cabinet File"
4D4D5320,CKIT,"Commodore Compressed File"
303730373037,CPIO,"CPIO Archive File"
4352555348,CRU,"CRUSH Archive File"
4841,HA,"HA Archive File"
91334846,HAP,"HAP Archive File"
28546869732066696C65,HQX,"Mac BinHex"
5F27A889,JAR,"Jar Archive File"
2D6C68352D,LHA,"LHA Compressed File"
4D415243,MARC,"MS Archive File"
4D48574B,MHK,"Broderbund Mohawk Archive Format"
4453,Q,"Quantum Archive"
526172211A07003B,RAR,"RAR Compressed File"
EDABEEDB,RPM,"Redhat Linux Archive"
53495421,SIT,"Stuffit v1 Archive File"
53747566664974,SIT,"Stuffit v5 Archive File"
484C53515A,SQZ,"SQZ Archive File"
417070204E616D6509,STF,"ShrinkToFit Compressed Archive"
554641,UFA,"UFA Archive File"
7863722046696C65,XCR,"XCR Archive File"
504B0304140000000800,ZIP,"Winzip 8.1"
504B3030504B0304,ZIP,"WINZIP Compressed"
5A4F4F20,ZOO,"ZOO Compressed File"
2E736E64,AU,"SoundMachine Audio File"
49424B1A,IBK,"Soundblaster Instrument Bank"
4D503344415441,M3D,"MPEG Audio Datafile"
4D546864,MIDI/MID,"Musical Instrument Digital Interface (MIDI) File"
2E7261FD,RA/RAM,"Real Audio File"
2E524D46,RM,"Real Media File"
5354455645024880,SND,"AU Format Sound"
437265617469766520566F6963652046696C651A,VOC,"Creative Sound File"
52494646,WAV,"Wave Audio File"
3B0D0A3B,ASM,"Uncompiled Assembly Code"
0000000C000000,ATN,"Adobe Photoshop Script"
406563686F206F66660D,BTM,"NDOS Batch to Memory"
23212F62696E2F73680A,CGI,"Common Gateway Interface Script"
2F2A202A202A202A202A,H,"C++ Header File"
484FF3C976332E39392E,OBS,"ObjectScript"
56435043483000000000,PCH,"MS C++  Precompiled Header File"
00000100000001480000,RSC,"Compiled Resources"
DCFE,EFX,"eFax file format"
0363080A,DBF,"Database File"
000100005374616E6461,MDB,"Microsoft Access file"
4D4C42,MLB,"MyLittleBase Database File"
00000041424300000000,ABC,"Micrografx ABC Flowcharter"
5157205665722E20,ABD,"Quicken Data File"
30000004150505,ADX,"Lotus Approach ADX File"
252150532D41646F6265,AI,"Adobe Illustrator"
5B7665725D,AMI,"Lotus Ami Pro"
5008,APP,"Clarion File Format"
49545346030000006000,CHM,"Compiled HTML Help File"
464158434F5645,CPE,"MS Office Fax Cover"
D0CF11E0A1B11AE1,DOC,"Word 10 Office 2000 File"
D0CF11E0A1B11AE1,DOC,"Word 8.0 Office 97 File"
D0CF11E0A1B11AE1,DOC,"Generic MS Office File"
504B0304140000000000,DOC,"Star Writer 6.0"
31BE000000AB0000,DOC,"MS Word for DOS v6 File"
1234567890FF,DOC,"MS Word 6.0 File"
7FFE340A,DOC,"MS Word File"
4D47582069747064,DS4,"Micrografix Designer 4"
4D5600FF0C0010000000,DST,"Micrografx Designer Template"
3C21454E54495459,DTD,"Xml DTD"
C5D0D3C6,EPS,"Adobe Encapsulated PostScript File"
00001A0007800100,FM3,"Lotus 123 v3 FMT File"
2000680020,FMT,"Lotus 123 v4 FMT File"
3C68746D6C3E,HTM,"HyperText Markup Language 1 File"
3C48544D4C3E,HTM,"HyperText Markup Language 2 File"
3C21444F4354,HTM,"HyperText Markup Language 3 File"
000100004D534953414D204461746162617365,MNY,"Microsoft Money File"
1A0000030000,NSF,"Lotus Notes Data File"
1A000003000011000100,NTF,"Lotus Notes Data File"
255044462D312E320D0A25E2E3CF,PDF,"PDF-1.2"
AC9EBD8F,QDF,"Quicken Data File"
5157205665722E20,QSD,"Quicken Data File"
7B5C727466,RTF,"Rich Text Format"
D0CF11E0A1B11AE1000000000000,SDW,"Star Writer 3 - 5"
C354565362BD8AFF0000,TV4,"WordPerfect Insert Overflow - Doc 4"
2000604060,WK1,"Lotus 123 v1 Worksheet"
00001A0000100400,WK3,"Lotus 123 v3 Worksheet"
00001A0002100400,WK4,"Lotus 123 v5"
00001A001004,WKS,"Lotus MS Worksheet"
2000604060,WKS,"Lotus 123 v1 Worksheet"
FF575043,WP,"WordPerfect v5 or v6"
090808000005000433,XLB,"Microsoft Excel Workbook"
0904060000004000,XLM,"Microsoft Excel Macro"
0902060000001000B9045C00,XLS,"MS Excel v2"
D0CF11E0A1B11AE1,XLS,"Excel 8.0 Office 97 Type 2 File"
D0CF11E0A1B11AE1,XLS,"Excel 8.0 Office 97 Type 1 File"
0904060000001000F6055C00,XLS,"MS Excel v4 File"
FFFE3C0052004F004F00540053005400550042,XML,"MS Excel Document"
3C3F786D6C,XML,"MS Excel XML Document"
3D02,3D2,"Stereo CAD-3D 2 File"
33444D46,3DMF,"3D Meta File"
2A2A544939322A2A0100586E5669,92I,"TI Bitmap"
414D4646,AMFF,"AMFF Image File"
4A47040E000000,ART,"AOL ART 1"
4A47030E000000,ART,"AOL ART 2"
424D,BMP,"Bitmap Generic File"
424D,BMP,"Bitmap Type 1 File"
424D,BMP,"Bitmap Type 2 File"
424D,BMP,"Bitmap Type 3 File"
BB010001C800C80001,BRK/301,"Brooktrout Fax"
737263646F6369643A,CAL/CALS,"CALS Raster Image"
07204D4D,CAM,"QV-10 Camera File"
20770002,CBD,"Vector Map Data Format"
45594553,CE1/CE2,"Computer Eyes File"
802A5FD700000800000004000000,CIN,"Kodac Cineon"
43616C6967617269,COB/SCN,"Caligari Truespace 2 File"
43505446494C45,CPT,"Corel Photopaint"
43414C414D5553435647,CVG,"Calamus"
3ADE68B1,DCX,"DCX Graphic File"
56697374612044454D2046696C65,DEM,"Vista Landscape Format"
424D36,DIB,"DIB Image File"
53445058,DPX,"Cineon Image File"
01FF02040302,DRW,"Micrographx Graphic"
41433130,DWG,"Autocad R13/R14 File"
65020102,ECW,"Enhanced Compressed Wavelet"
0100000058000000,EMF,"Enhanced Metafile Graphic"
D0CF11E0A1B11AE100,FPX,"FlashPix"
53494D504C4520203D,FTS,"Flexible Image Transport System"
47494638,GIF,"ALL Types"
4850485034382D451E2B,GRO,"HP-48/49 GROB"
6E636F6C73,HDR,"ArcoInfo Binary Image"
354B5035315D2A67727280838563,HRU,"HRU Image"
EB3C902A,IMG,"GEM Raster file"
656C6D6F,INFINI-D,"Infini-D Graphics File"
49574301,IWC,"WaveL Image"
803E445343494D,J6I,"Ricoh Camera Image File"
4A4946393961,JIF,"Jeff's Image Format"
0000000C6A5020200D0A870A,JP2,"JPEG-2000 JP2 Image"
FFD8FFE1,JPG,"Generic 1 JPG"
FFD8FFE0,JPG,"Generic 2 JPG"
FFD8FFE14ED84578696600004949,JPG,"Kodak"
4D4D002A,KDC,"Kodak Camera DC20/40/50"
36344C414E204944424C4F434B,L64,"64LAN Image File"
464F524D,LBM,"Interchange File"
49492A00080000000E0000010400,LDF,"LuraDocument Format"
575602004745000E,LWF,"LuraWave Format"
3700001042000010000000003964,MBM,"Psion Series 5 Bitmap"
4D474C,MGL,"MosASCII Graphics Library File"
7B0A202043726561746564,MIF,"Image Magick File"
8A4D4E470D0A1A0A,MNG,"Multiple Image Format"
4D5046,MPW/MPF,"MosASCII Project Workspace File"
44616E4D,MSP,"Windows Paint File"
433634,N64,"64NET Image File"
6E6E0A005E00,NCR,"NCR G4"
6E6666,NFF,"WorldToolKit Neutral File Format"
4E4747000100,NGG,"Nokia Group Graphics"
4E4C4D20010200,NLM,"Nokia Logo File"
4E4F4C00010006010300,NOL,"Nokia Operator Logo"
4148,PAL,"Dr. Halo Palette File"
0000002000000001,PAT,"Gimp Pattern"
504158,PAX,"Secure Image File"
50340A,PBM,"Portable Bitmap"
6352010138093D00,PCD,"Kodak PhotoCD"
1B451B266C304F1B266C30451B26,PCL,"Page Control Language"
0A050108,PCX,"PC Paintbrush"
5032,PGM,"Portable Greymap File"
50350A,PGM,"Portable Greyscale"
5380F6344020,PIC,"Softimage"
504943DC30300100,PIC,"Psion Series 3 Bitmap"
9119,PIC,"PIC File"
50495820,PIX,"PABX Background"
89504E470D0A1A0A,PNG,"Portable Network Graphic"
889A0D12,PNG,"Portable Network Graphics File"
504F4C20466F726D6174,POL,"Polygon Model File"
5033,PPM,"Portable Pixmap File"
38425053000100000000,PSD,"Adobe PhotoShop"
7E424B00,PSP,"Paint Shop Pro File"
5061696E742053686F702050726F20496D6167652046696C65,PSP,"Paint Shop Pro File"
514C4949464158,QFX,"Fax Image File"
6D6F6F76,QTM,"Apple Quick Time File"
464F524D41543D,RAD,"Radiance"
59A66A95,RAS,"SUN Raster File"
01DA01010003,RGB,"Silicon Graphics RGB"
52495833,RIX,"ColoRIX File"
23202449643A20,SID,"Seamless Image Graphic File"
4175746F43414420536C696465,SLB/SLD,"Slide Library File"
53746F726D3344,SOD,"Storm 3D Object Definition"
49492A00,TIF/TIFF,"TIFF Image File"
4D4D2A,TIF/TIFF,"TIF Image File (Motorola)"
FADEBABE0101,WIC,"J Wavelet Image Codec"
D323000003000000,WLM,"CompW Image"
D7CDC69A,WMF,"Windows graphics metafile"
FF57504310,WPG,"WordPerfect Graphic"
2356524D4C2056322E30,WRL,"VRML Version 2 Image"
23646566696E65,XBM,"XBM - X11 Bitmap"
2F2A2058504D202A2F,XPM,"XPM - X11 Pixmap"
436C69656E742055726C43616368,DAT,"IE History DAT File"
55524C20020000,DAT,"98 IE Cache Index dat ver 1 File"
55524C20030000,DAT,"98 IE Cache Index dat ver 2 File"
55524C20020000,DAT,"98 IE History Subfolder Index dat ver 1 File"
55524C20030000,DAT,"98 IE History Subfolder Index dat ver 2 File"
55524C20020000,DAT,"98 & XP IE History Root Index dat ver 1 File"
55524C20030000,DAT,"98 & XP IE History Root Index dat ver 2 File"
55524C20020000,DAT,"XP IE Hist Subfolder Index dat ver 1 File"
55524C20020000,DAT,"XP IE Hist Subfolder Index dat ver 2 File"
55524C20020000,DAT,"XP IE Cache Index dat ver 1 File"
55524C20030000,DAT,"XP IE Cache Index dat ver 1 File"
5B50686F6E655D,DUN,"Dial-Up Network Export File"
CFAD12FEC5FD,DBX,"Outlook Express Email Storage File"
3C21646F63747970652068746D6C207075626C6963,DCI,"AOL Web Email"
52657475726E2D506174683A203C,EML,"Outlook Express Email Message"
46726F6D202D20,EML,"Netscape Email Message"
46726F6D203F3F3F403F3F3F20,EML,"Eudora Email Message"
46726F6D3A20,EML,"Generic Email Message"
2142444E,PST,"Outlook 97 File"
0006156100000002000004D20000,HST,"Netscape HST"
574542,IGY,"Web Query"
5745420D0A310D0A687474703A2F,IQY,"Microsoft Web Query"
5F434153455F,CAS/CBK,"EnCase Case (or Backup) File"
FEEF01,GHO,"Norton Ghost Image File"
43363453207461706520696D6167652066696C65,T64,"C64 Tape Image"
43363420434152545249444745,CRT,"C64 Emul Cartridge File"
BABEEBEA,ANI,"NEOchrome Animation File"
4C504620,ANM,"DeluxePaint Animation"
3026B2758E66CF11A6D900AA0062,ASF,"Windows Media (ASF Compression)"
41564920,AVI,"Audio Video Interleave (AVI) File"
52494646,AVI,"AVI Type 1 File"
56445649,AVS,"Intel Digital Video Interface File"
44564D,DVM,"DVM Movie File"
52414E44,Filmstrip,"Adobe Filmstrip File Format"
AF12,FLC,"Animator Pro Flic Files"
494D4443,IC1/IC2/IC3,"Atari Image Film"
4C5A414E494D,LZA,"Lempel-Ziv-Oberhumer Compressed Animation"
07010100436F70797269,MMM,"Microsoft Media Clip"
000007B56D6F6F76,MOV,"QuickTime Movie File"
6D646174,MOV;QT,"Quick Time Movie File"
000001B3,MPEG,"MPEG Video File"
5E405C6E534D4A504547,SMJPEG,"Simple Animation File"
52494646,ANI,"Cursor File"
4D5A9000030000000400,API,"Printer Info File"
B5A2B0B3B3B0A2B5,CAL,"Windows 3.1 Calendar"
52545353,CAP,"Windows NT Netmon Capture File"
4D53434600000000,CDM,"Windows Update File"
50C30100080028,CLP,"Windows Clipboard File"
43524547,DAT,"Windows 95 Registry Files"
5348434333,DAT,"Windows 3.1 Registry File (REG.DAT)"
202020202020696E7465,FON,"Font File"
3F5F0300,GID,"General Index"
504D4343,GRP,"MS Windows Group"
3F5F0300,HLP,"Windows Help File"
4C4E0200,HLP,"Windows Help File"
48797065725465726D69,HT,"HyperTerminal File"
5B4578745368656C6C466F6C6465,INI,"Desktop.ini Folder Setting File"
47040100,JOB,"Scheduled Tasks File"
7B0D0A6F206331,LGC,"Application Log File"
4C00000001140200,LNK,"Windows Shortcut File"
4C5441520001,LTR,"Letter File"
2A5050442D41646F6265,PPD,"Postscript Printer Description File"
E3828596010000,PWL,"Windows Password File"
5245474544495434,REG,"Windows NT Registry File"
0D0A5B536865,SCF,"Shell Command File"
3B0D0A3B205468697320697320,SCP,"Dial-Up Network Script"
4D5A90000300000004000000FFFF,SCR,"Screen Saver"
6749000078,SHD,"Printer Spool File"
4B490000,SHD,"Printer Spool File"
5245474544495434,SUD,"Registry Undo Files"
FF4B455942202020,SYS,"Keyboard driver file"
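
An added example (not part of the original post and not ProDiscover's own code): a small Python parser for the headersig.txt line format described in the file's comment header, with a check that compares a file's extension against the signature found in its first bytes. The function names and the file names used with it are hypothetical, the sample entries are copied from the listing above, and splitting extensions on "/" as well as ";" is an assumption based on how the listing writes them.

```python
import csv

# A few entries copied from the headersig.txt listing above; "#" lines are comments.
SAMPLE = '''\
## <File Signature>,<File Extension[s] Separated by ;>,<"" Enclosed Signature Name>
FFD8FFE0,JPG,"Generic 2 JPG"
D0CF11E0A1B11AE1,DOC,"Generic MS Office File"
D0CF11E0A1B11AE1,XLS,"Excel 8.0 Office 97 Type 1 File"
52494646,WAV,"Wave Audio File"
52494646,AVI,"AVI Type 1 File"
6D646174,MOV;QT,"Quick Time Movie File"
49492A00,TIF/TIFF,"TIFF Image File"
4D5A90000300000004000000FFFF,SCR,"Screen Saver"
'''

def parse_headersig(text):
    """Return [(signature_bytes, {extensions}, name)], skipping comments and bad hex."""
    entries = []
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    for row in csv.reader(lines):
        if len(row) != 3:
            continue
        try:
            sig = bytes.fromhex(row[0].strip())
        except ValueError:  # not valid hex, e.g. an odd number of digits
            continue
        # The format says ";" but the listing also uses "/" between extensions.
        exts = {e.upper() for e in row[1].replace("/", ";").split(";") if e}
        entries.append((sig, exts, row[2]))
    return entries

def check_header(filename, head, entries):
    """Classify a file by its first bytes: 'match', 'mismatch' or 'unknown'."""
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    hits = [e for e in entries if head.startswith(e[0])]
    if not hits:
        return "unknown", []
    # Longest signature first: two-byte signatures match far too easily.
    hits.sort(key=lambda e: len(e[0]), reverse=True)
    names = [name for _, _, name in hits]
    if any(ext in exts for _, exts, _ in hits):
        return "match", names
    return "mismatch", names
```

Several signatures in the listing are shared by more than one file type (for example D0CF11E0A1B11AE1 and 52494646), so the check returns every candidate name and treats the file as matching when any of them lists its extension.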