[sleuthkit-users] Sigfind issue?
From: Surago J. <su...@sj...> - 2005-05-22 22:24:00
Hi All,

I am attempting to locate the JPEG end of file marker in an image file. The Signature for the end of file marker is 'ff d9' in hex.

I can find this using hexdump and grep no worries, however I figured it would be easier to use sigfind. However I'm not sure if I'm just doing something stupid or dumb, but for some reason I can't get it to work. Below are some examples of what I have tried without any luck:

# hexdump -C /forensics/images/sotm26/scan26 | grep "ff d9"
0000c150 88 88 08 88 80 88 88 3f ff d9 00 00 00 00 00 00 |.......?........|

# ./sigfind ffd9 /forensics/images/sotm26/scan26
Block size: 512 Offset: 0 Signature: FFD9

# ./sigfind -l ffd9 /forensics/images/sotm26/scan26
Block size: 512 Offset: 0 Signature: D9FF

Any help here would be much appreciated.

Cheers
Surago.
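Added example, not part of the original post and not code from The Sleuth Kit: the sigfind runs above report "Block size: 512 Offset: 0", and sigfind tests for the signature only at that one offset inside each block, while the hexdump hit (ff at 0xc158) sits 344 bytes into its block. The Python sketch below scans at every byte offset and reports block number and in-block offset for each hit; the function names and the sample buffer are constructed for illustration.

```python
import io

JPEG_EOI = bytes.fromhex("ffd9")  # JPEG end-of-image marker from the post

def find_signature(stream, sig, block_size=512, chunk_size=1 << 20):
    """Return (absolute offset, block number, offset in block) for every hit."""
    hits, buf, base = [], b"", 0   # base = absolute offset of buf[0]
    while chunk := stream.read(chunk_size):
        buf += chunk
        pos = buf.find(sig)
        while pos != -1:
            absolute = base + pos
            hits.append((absolute, absolute // block_size, absolute % block_size))
            pos = buf.find(sig, pos + 1)
        # Keep the last len(sig)-1 bytes so a signature split across two
        # reads is still matched, without reporting any hit twice.
        drop = max(len(buf) - (len(sig) - 1), 0)
        base += drop
        buf = buf[drop:]
    return hits

def at_block_offset(hits, offset=0):
    """Subset of hits that a fixed-offset-per-block search would report."""
    return [h for h in hits if h[2] == offset]

def sample_image():
    """Constructed 64 KiB buffer, not the scan26 image from the post."""
    img = bytearray(0x10000)
    # The 16 bytes shown on the hexdump line at 0000c150.
    img[0xC150:0xC160] = bytes.fromhex(
        "88 88 08 88 80 88 88 3f ff d9 00 00 00 00 00 00")
    img[0x400:0x402] = JPEG_EOI   # constructed hit at the start of block 2
    return bytes(img)

if __name__ == "__main__":
    hits = find_signature(io.BytesIO(sample_image()), JPEG_EOI)
    for absolute, block, within in hits:
        print(f"0x{absolute:08x}  block {block}  offset-in-block {within}")
    print("at offset 0 of a block:", at_block_offset(hits))
```

Unlike grepping hexdump output, this also matches a signature whose two bytes fall on different 16-byte dump lines.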