Re: [sleuthkit-users] Sigfind issue?
From: Brian C. <ca...@sl...> - 2005-05-23 03:11:54
On May 22, 2005, at 8:12 AM, Surago Jones wrote:

> Hi All,
>
> I am attempting to locate the JPEG end of file marker in an image file.
> The Signature for the end of file marker is 'ff d9' in hex.
>
> I can find this using hexdump and grep no worries, however I figured it
> would be easier to use sigfind. However I'm not sure if I'm just doing
> something stupid or dumb, but for some reason I can't get it to work.

Currently, sigfind will not allow you to find this type of signature.
sigfind currently needs to know the specific offset into a block that the
signature should be found. The footer signature for a JPEG is not at a
constant offset and therefore you would need to try every offset value
(which is not very efficient). In the future, I guess I could assign
'-o -1' to be an offset of "anywhere".

brian

> Below are some examples of what I have tried without any luck
>
>
> # hexdump -C /forensics/images/sotm26/scan26 | grep "ff d9"
> 0000c150 88 88 08 88 80 88 88 3f ff d9 00 00 00 00 00 00 |.......?........|
> # ./sigfind ffd9 /forensics/images/sotm26/scan26
> Block size: 512 Offset: 0 Signature: FFD9
> # ./sigfind -l ffd9 /forensics/images/sotm26/scan26
> Block size: 512 Offset: 0 Signature: D9FF
>
> Any help here would be much appreciated. Cheers
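An added example, not from the thread or from The Sleuth Kit: a small Python scanner that does the "anywhere" search Brian describes, reporting each FF D9 hit as an absolute offset plus a sigfind-style block number and offset-in-block for 512-byte blocks. It reads the image in overlapping chunks so a marker split across a read boundary is still found, which a `hexdump -C | grep "ff d9"` pipeline misses when the two bytes land on different hexdump lines or on either side of the double space hexdump prints after the eighth byte. The image path, the constructed sample data and the chunk size are assumptions of this example.

```python
"""Find a byte signature at ANY offset in a raw image (sigfind checks only one
fixed offset per block, so it cannot find the JPEG FF D9 end-of-image marker).
Chunks are read with an overlap so a marker split across a read is still found.
"""
import io
import sys

JPEG_SOI = bytes.fromhex("ffd8ff")  # start of image: FF D8 plus a marker byte
JPEG_EOI = bytes.fromhex("ffd9")    # end of image marker from the thread


def find_signature(fobj, sig, block_size=512, chunk_size=1 << 20):
    """Return [(abs_offset, block, offset_in_block), ...] for each hit."""
    hits = []
    overlap = len(sig) - 1
    carry = b""  # tail of the previous chunk, re-scanned with the next one
    base = 0     # absolute offset of carry[0]
    while True:
        data = fobj.read(chunk_size)
        if not data:
            break
        buf = carry + data
        idx = buf.find(sig)
        while idx != -1:
            abs_off = base + idx
            hits.append((abs_off, abs_off // block_size, abs_off % block_size))
            idx = buf.find(sig, idx + 1)
        # a whole signature never fits in `overlap` bytes, so no hit repeats
        carry = buf[-overlap:] if overlap else b""
        base += len(buf) - len(carry)
    return hits


def scan_bytes(data, sig, **kw):
    """Same search over an in-memory image."""
    return find_signature(io.BytesIO(data), sig, **kw)


def build_sample_image():
    """Constructed image (not from the thread): zeros, an SOI at 0xc000, an EOI
    at 0xc158 (as in the poster's hexdump) and an EOI split across 0x3ff/0x400."""
    img = bytearray(0xd000)
    img[0x3ff:0x401] = JPEG_EOI
    img[0xc000:0xc003] = JPEG_SOI
    img[0xc158:0xc15a] = JPEG_EOI
    return bytes(img)


if __name__ == "__main__":  # usage: python3 scan.py [image]
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample_image())
    with src:
        for off, blk, in_blk in find_signature(src, JPEG_EOI):
            print(f"FFD9 at 0x{off:x}: block {blk}, offset {in_blk}")
```

With the thread's 512-byte blocks, the poster's hit at 0x0000c158 lands in block 96 at offset 344. A bare two-byte search also hits random data, so pairing each EOI with the nearest preceding SOI (FF D8 FF) narrows the list to plausible JPEG carves.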