forked from sleuthkit/sleuthkit
default.sort
#
# default.sort
# default config file for Sleuth Kit sorter
#
# These settings have the lowest priority of all sorter config files; a
# platform-specific file (e.g. windows.sort) takes precedence over them.
# Unlike those files, this one is loaded for ALL platform types.
#
#
# Category
# 'keywords' is a Perl regular expression that is matched against the
# output of 'file'. When it matches, the file is recorded under cat_name
# in the summary output, and its content is also copied into a directory
# for that category when sorter is run with the save flag (-s).
#
# category cat_name keywords
#
#
# Extension
# If 'keywords' matches the 'file' output but the file's own extension is
# not one of ext1,ext2,ext3, the file is reported as an extension mismatch
# (sorter lists these in the mismatch file, mismatch.txt, in its output
# directory).
#
# ext ext1,ext2,ext3 keywords
##########################################################################
# Multimedia
##########################################################################
# Audio
category audio audio
category audio MIDI
ext mid,rmi MIDI
category audio MP3
ext mp3 MP3
# Images
category images image data
ext jpg,jpeg,jpe JPEG image data
ext gif GIF image data
ext tif TIFF image data
ext png PNG image data
category images bitmap data
ext bmp PC bitmap data
category images font
ext ttf true type font
# Video
category video RealMedia
ext rm RealMedia
##########################################################################
# archive & compression
##########################################################################
# archive
category archive archive
ext zip,jar Zip archive data
ext tar tar archive
category archive DB
ext db Berkeley DB
# compression
category compress compress
ext gz,tgz gzip compressed data
ext Z compress'd data
##########################################################################
# Executables
##########################################################################
# Execs
category exec executable
category exec \sscript
# the leading \s (whitespace) keeps the rule above from matching
# 'postscript' and 'transcript'
category exec batch file
# NOTE: 'file' describes some Windows binaries as "executable not
# relocatable", so they match the 'relocatable' rule below as well as
# 'executable'; both map to exec, so the category is the same either way
category exec relocatable
# Java
category exec class data
ext class Java class data
category exec object
ext o object
category exec python compiled
##########################################################################
# Documents
##########################################################################
category documents document
# Microsoft
ext doc,dot,ppt,pot,xls,xlt,msc,pcb Microsoft Office Document
category documents Rich Text Format
ext rtf Rich Text Format
# Corel & Word Perfect
category documents Corel\/WP
ext wpg,wpd,shw Corel\/WP
# Lotus
category documents Lotus 1\-2\-3
ext wb2 Lotus 1\-2\-3
# Adobe
ext pdf PDF document
ext ps,eps PostScript document
##########################################################################
# Text
##########################################################################
category text ASCII(.*?)text
ext txt,log ASCII(.*?)text
ext c,cpp,h,js ASCII(.*?)text
ext sh,csh ASCII(.*?)text
ext conf ASCII(.*?)text
category text character data
ext txt character data
category text ISO\-8859(.*?)text
ext txt ISO\-8859(.*?)text
category text HTML document text
ext htm,html,hta HTML document text
category text program text
ext c,cpp,h,js program text
category text \ssource
##########################################################################
# Other
##########################################################################
# Disk
category disk boot sector
category disk filesystem data
# Crypto
category crypto PGP
ext asc PGP armored
# Postscript Printer Description
category system PPD file
ext ppd PPD file
# 'file' reports just 'data' for unknown binary content; the ^ and $ anchors
# make this match only that exact output. No ext rule makes sense here,
# since nothing is known about the type.
category data ^data$
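The header comments above describe how `category` and `ext` lines are applied but give no way to see the rules in action. What follows is an added Python re-implementation of that matching logic, written for this page; it is not sorter's own (Perl) code. It assumes, as the file's `\-`, `\/` and `(.*?)` escapes suggest, that keywords are regular expressions searched anywhere in the `file` output; it further assumes case-insensitive matching, first-match-wins for categories, and that the extension lists of every matching `ext` rule are pooled before a mismatch is declared (otherwise the four separate `ASCII(.*?)text` lines could not coexist). The rule excerpt and the `file` output lines are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed excerpt of the default.sort rules (this example's own text, not
# the complete file). Order matters: the first matching category wins here.
RULES_TEXT = r"""
category audio MP3
ext mp3 MP3
category images image data
ext jpg,jpeg,jpe JPEG image data
ext png PNG image data
category exec executable
category exec \sscript
category documents document
ext pdf PDF document
category text ASCII(.*?)text
ext txt,log ASCII(.*?)text
ext sh,csh ASCII(.*?)text
category data ^data$
"""


def parse_rules(text):
    """Split 'category NAME REGEX' and 'ext E1,E2 REGEX' lines into compiled rules.

    Blank lines and '#' comments are skipped, as in the config file. Matching is
    case-insensitive (an assumption of this example, not a documented fact)."""
    categories, ext_rules = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, rest = line.split(None, 1)
        if kind == "category":
            name, pattern = rest.split(None, 1)
            categories.append((name, re.compile(pattern, re.IGNORECASE)))
        elif kind == "ext":
            exts, pattern = rest.split(None, 1)
            ext_rules.append((frozenset(e.lower() for e in exts.split(",")),
                              re.compile(pattern, re.IGNORECASE)))
    return categories, ext_rules


CATEGORIES, EXT_RULES = parse_rules(RULES_TEXT)


def categorize(file_output):
    """Return the category for one line of `file` output, or None if no rule matches."""
    for name, rx in CATEGORIES:
        if rx.search(file_output):
            return name
    return None


def extension_mismatch(filename, file_output):
    """Return (actual_ext, allowed_exts) when the name's extension contradicts
    the `file` output, else None.

    Extensions from every matching ext rule are pooled. A file with no
    extension, or a type that no ext rule covers, is never flagged: that is a
    detection gap, not a clean result."""
    allowed = set()
    for exts, rx in EXT_RULES:
        if rx.search(file_output):
            allowed |= exts
    suffix = PurePosixPath(filename).suffix.lstrip(".").lower()
    if not allowed or not suffix or suffix in allowed:
        return None
    return suffix, tuple(sorted(allowed))


# Constructed (filename, `file` output) pairs, including two renamed files.
SAMPLES = [
    ("photo.jpg", "JPEG image data, JFIF standard 1.01"),
    ("holiday.jpg", "PDF document, version 1.7"),                 # PDF renamed to .jpg
    ("backup.sh", "POSIX shell script, ASCII text executable"),
    ("README", "ASCII English text"),                             # no extension at all
    ("invoice.pdf", "PE32 executable (GUI) Intel 80386, for MS Windows"),  # EXE renamed to .pdf
    ("blob.bin", "data"),
    ("cfg.dat", "Little-endian UTF-16 Unicode text, with CRLF line terminators"),
]


def triage(samples=SAMPLES):
    """Classify each sample and check its extension; returns (name, category, mismatch)."""
    return [(name, categorize(desc), extension_mismatch(name, desc))
            for name, desc in samples]


if __name__ == "__main__":
    for name, category, mismatch in triage():
        flag = f"MISMATCH {mismatch[0]} not in {mismatch[1]}" if mismatch else "ok"
        print(f"{name:12} {str(category):10} {flag}")
```

Two results are worth dwelling on. `holiday.jpg` is flagged because an `ext pdf` rule exists for its real type, but `invoice.pdf`, a Windows executable renamed to look like a document, is filed under exec and passes the extension check silently: nothing in default.sort gives executables an allowed extension list, so a rule such as `ext exe,dll executable` (in this file or a platform-specific one) is needed before renamed binaries show up in the mismatch output. `backup.sh` lands in exec rather than text only because the exec rules come first, and `cfg.dat` gets no category at all, since none of the text rules mention UTF-16.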