Additional Templates for WinHex & X-Ways Forensics

Data Structure (and submitted by whom) | Description & Download |
Olympus WMA (Catalin Grigoras) | OLYMPUS_WMA_v03.tpl |
SQLite Header (Terrance Maguire) | SQLite Header.tpl |
exFAT (Scott Pancoast) | exFAT.zip |
PCAP file (Frank Weiss) | PCAP.tpl |
DOS executable headers (MZ EXE) (Chris S) | DOS_exe.tpl |
exFAT Boot Sector (Christopher Taylor) | exFAT Boot Sector 2.tpl |
exFAT Boot Sector (Robert Shullich) | exFAT Boot Sector.tpl |
Dalet radio automation system (Steven Scholte) | I've been using WinHex to analyse some sound files created by the Dalet radio automation system (version 5.1). I have made a couple of templates for this purpose and I thought I'd share them. There are three templates. Dalet SND file header.txt: one is for reading the header of files with the SND extension. These are the old-style sound files used to store MPEG Layer II audio. All SND files are accompanied by a VOL file which is used to store the volume information. This enables the Dalet system to quickly draw the waveform. The third template describes the Broadcast Wave Format as developed by the EBU. This format can be used to store MPEG as well as linear (uncompressed) audio. The BWF format is not only used by Dalet, but also by other programs used in radio and television production. (Steven Scholte) |
JFS Superblock (Jens Kirschner) | JFS Superblock.tpl. This template should work for Linux implementations of JFS. (Jens Kirschner) |
Reiser4 File System Data Structures (Jens Kirschner) | Reiser4 is a fairly complex file system. Not every possible data structure variation is covered by these templates, but they work fairly well for me. Start with Reiser4 Superblock.tpl on Sector 64. From the root, follow Reiser4's internal tree using Reiser4 Node Header.tpl on the nodes and either of the following on their node entries: Reiser4 Item Header Large.tpl or Reiser4 Item Header Small.tpl. "Large" and "Small" refer to the key size; large is usually what you want, being the default on Reiser4. The best way to use these templates: put your cursor on the first byte of the node for the node header template, but put it on the first byte of the following (!) block for the item header templates and (within the template view) move backwards, once to start and then repeatedly to see the other keys. Reiser4 Stat Data.tpl: reads the Reiser4 variant of inode-like file management. Finding the structures for Stat Data and Directories is more of a problem and a bit beyond this little description... (Jens Kirschner) |
ReiserFS (Jens Kirschner) | Reiser Superblock.tpl |
CDFS File System Data Structures (Chris Taylor) | CDFS Volume Descriptor.tpl, CDFS Path Tables Ascii.tpl, CDFS Path Tables Unicode.tpl, CDFS Directory Entry Ascii.tpl, CDFS Directory Entry Unicode.tpl. Some WinHex templates for viewing the Volume Descriptor, Path Tables, and Directory Entries on ISO9660 CDs. (Chris Taylor) |
NTFS FILE Records and Data Runs (Jens Kirschner) | NTFS FILE Record.tpl, NTFS Data Runs.tpl. The NTFS FILE records are of a pretty variable structure. However, the first template extracts the main parts of the $STANDARD_INFORMATION (0x10) and $FILENAME (0x30) attributes. It also parses the FILE record's header and at least lists all the other attributes present. If you do find the beginning of a data run within one of the attributes, apply the second template to the beginning of that data run and all the data runs within the set will be extracted. Keep in mind, though, that neither of these templates knows anything about the fixup bytes, which basically replace two bytes of potentially crucial information with more or less random values at the end of each sector making up a FILE record, so there may be the occasional odd value. (Jens Kirschner) |
Windows .lnk Files (Steve Guty) | Non-Unicode LNK FILE Record.tpl, LNK FILE Record.tpl. 1. The volume serial number doesn't match the physical case SN for hard |
UFS File System Data Structures (Michele Larese) | UFS1 Superblock BE.tpl (big-endian), UFS1 Superblock LE.tpl (little-endian): UFS1 superblock, located 8192 bytes from the start of a UFS partition. UFS1 Cylinder Group Descriptor BE.tpl (big-endian). UFS1 Inode BE.tpl (big-endian). UFS2 Superblock BE.tpl (big-endian). UFS2 Cylinder Group Descriptor BE.tpl (big-endian). UFS2 Inode BE.tpl (big-endian). UFS directory entry BE.tpl (big-endian). |
Microsoft Windows Event Log (Andreas Schuster) | EVT_Cursor.tpl (cursor record), EVT_Event.tpl, EVT_Header.tpl. More information: http://www.dfn-cert.de/events/ws/2005/dfncert-ws2005-f4.pdf |
HFS+ File System Data Structures (Jens Kirschner, Stefan Fleischmann) | HFSPlus_Volume_Header.tpl: located 1024 bytes from the start of an Apple HFS+ volume. HFSPlus_Catalog_Key.tpl |
POS File Format (Stefan Fleischmann) | WinHex/X-Ways Forensics position file format (.pos). Fully documented here. |
WAV PCM File Format (Khomenko Volodymyr) | Structure of a simple WAV-PCM (unpacked) audio file |
BMP File Format (Khomenko Volodymyr) | Structure of a BMP bitmap image file with palette |
AFP Datastream Records (Bob Carlyle) | AFP (Advanced Function Presentation) is a widely used print datastream for high-end production printing throughout the world. It is also a viewable datastream, similar to PDF files (although PDF is much more powerful), using the AFP Viewer Plug-In; the plug-in and other documentation are available at http://ibm.com/printers. The datastream itself is EBCDIC-based, but there is a lot of software that uses this datastream on ASCII-based systems. |
Structured Fax File Format (Ulf Zibis) | SFF_File_Format.tpl. Cf. http://delphi.pjh2.de/articles/graphic/sff_format.php |
TIFF Image File Format v6.0 (Ulf Zibis) | TIFF File Format.tpl, TIFF File IFD.tpl. Cf. http://partners.adobe.com/asn/developer/PDFS/TN/TIFF6.pdf |
Palm Database Files (Ulf Zibis) | Palm PDB.tpl, Palm PDB 6 records.tpl |
ZIP File (Alex Sidorov) | ZIP.tpl |
ZIP File Data Structures (Trenton D. Adams) | All ZIPs start with the "ZIP Local File Header Structure" template. These are repeated until all files in the ZIP have been looked at. After each one of those comes the "ZIP Data Descriptor Structure" (which I've never actually seen myself). In order for a "ZIP Data Descriptor Structure" to occur after each ZIP entry, bit 3 of the General Purpose bit flag of the "ZIP Local File Header Structure" must be set. For me, I've never actually seen that bit set, and hence have never actually seen a "ZIP Data Descriptor Structure". Now, last but not least is the final listing of all ZIP entries in the archive for spanning purposes. You use the "ZIP Central Directory Structure" repeatedly until a "ZIP End of Central Directory Structure" is encountered. And each signature of the structures tells you which one you're encountering. Remember, though, the signatures are little-endian because this is the ZIP specification. ZIP_Local_File_Header_Structure.tpl |
FAT32 FSINFO Sector (Stefan Fleischmann) | To be applied to sector 1 of a FAT32-formatted logical drive. Contains additional information about the volume. FSINFO Sector.tpl |
DBF Format (Tutorial) (Paul Mullen) | Three templates for data in the "dbf" or "xbase" format, which originated with Ashton-Tate's dBase program and has since been adopted by many applications. Presented as a tutorial on how to create such templates. tutorial.zip |
FAT16 Entry (Paul Mullen) | Must start at the start of the FAT to get the numbers right. "F8 FF" = first bytes of a valid 16-bit FAT. FAT16 Entry.tpl |
FAT32 Entry (Stefan Fleischmann) | Must start at the start of the FAT to get the numbers right. "F8 FF" = first bytes of a valid 32-bit FAT. Based on the FAT16 template version. FAT32 Entry.tpl |
... | ... |