Recent Posts

1
Thanks for the new def!
2
Hello trid users,

Some days ago I migrated a friend's PC from Windows 7 to 10. Unfortunately
the HP printer did not work after that procedure. So first I looked with the
useful NirSoft InstalledPackagesView tool at the list of files belonging to
the HP printer MSI package. Files are listed there whose main name consists
of a GUID and whose extension is devicemetadata-ms. Because I did not know
anything about such files, I also looked for such files on my own systems.

When I run TrID on hundreds of such files, they are described by
ark-cab.trid.xml as "Microsoft Cabinet Archive" (see appended
deb/output/trid-old.txt).

For comparison I also ran other file identification tools.
The droid tool {found at http://droid.sourceforge.net/} also recognizes
such examples as "Windows Cabinet File" by PUID x-fmt/414.

The newest file command, version 5.38 {see
https://en.wikipedia.org/wiki/File_(command)}, also describes the inspected
examples as "Microsoft Cabinet archive" (see appended output/file-5.38.txt).
From the output it is visible that the first cabinet member is a file with
the name "PackageInfo.xml".
This can be verified by running 7z with the list option (see appended
output/7z-l.txt).

So I ran tridscan to generate the trid definition
ark-cab-devicemetadata.trid.xml and started to refine that file.

Because the file type is of CAB format, I added that mime type. This is shown
by the additional line:

   <Mime>application/vnd.ms-cab-compressed</Mime>

The file name extension used is expressed by the line:

   <Ext>DEVICEMETADATA-MS</Ext>

With this knowledge I searched for a web page concerning that file
format. On the Microsoft server I found a page about Building Device Metadata
Packages. So I added that page as a reference with an XML line like:

   <RefURL>https://docs.microsoft.com/en-us/windows-hardware/drivers/install/building-device-metadata-packages</RefURL>

So I removed some null patterns at higher offsets and also some accidental
null values at low offsets.

      <Ext>DEVICEMETADATA-MS</Ext>

In the current trid definition there exists no reference. So I added the
Wikipedia page about the Debian package format. This is expressed by the
additional line:

   <RefURL>https://en.wikipedia.org/wiki/Deb_(file_format)</RefURL>

The essential XML files are now found in the global strings section by lines
like:

   <String>PACKAGEINFO.XML</String>
   <String>WINDOWSINFO.XML</String>

With the new trid definition file, all Device Metadata packages are now
described more precisely (see appended deb/output/trid-new.txt).

The TrID definition, some examples and output are stored in the archive
devicemetadata-ms.zip. I hope that the XML file can be used in a future
version of triddefs.

With best wishes
Jörg Jenderek
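
The check described in the post above (a cabinet whose member list contains PackageInfo.xml), as an added example that is not part of the original post or of TrID. It reads member names straight from the uncompressed CAB directory; the function names and the header-only sample are constructed for illustration.

```python
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36-byte cabinet header, little-endian
CFFILE = struct.Struct("<IIHHHH")            # 16 fixed bytes, then a NUL-terminated name

def cab_member_names(data: bytes) -> list:
    """Return member names from the CAB directory without decompressing anything."""
    if len(data) < CFHEADER.size or data[:4] != b"MSCF":
        raise ValueError("not a cabinet file")
    fields = CFHEADER.unpack_from(data)
    coff_files, c_files = fields[4], fields[9]   # offset of first CFFILE, file count
    names, pos = [], coff_files
    for _ in range(c_files):
        if pos + CFFILE.size > len(data):
            raise ValueError("file table runs past end of data")
        pos += CFFILE.size
        end = data.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated member name")
        names.append(data[pos:end].decode("utf-8", "replace"))
        pos = end + 1
    return names

def is_device_metadata_package(data: bytes) -> bool:
    """True if the cabinet lists PackageInfo.xml (the first member in the post's samples)."""
    return any(n.lower() == "packageinfo.xml" for n in cab_member_names(data))

def build_cab_skeleton(names: list) -> bytes:
    """Constructed test input: valid header, folder and file table, but no data blocks."""
    entries = b"".join(CFFILE.pack(0, 0, 0, 0, 0, 0x20) + n.encode() + b"\x00" for n in names)
    coff_files = CFHEADER.size + 8               # one 8-byte CFFOLDER follows the header
    total = coff_files + len(entries)
    folder = struct.pack("<IHH", total, 0, 0)    # data offset, 0 data blocks, no compression
    header = CFHEADER.pack(b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, len(names), 0, 0, 0)
    return header + folder + entries
```

Because the names sit uncompressed in the file table, a signature scanner can match them as plain strings, which is why the global strings in the definition work.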
3
Definitions DB change log / Re: Current
« Last post by Mark0 on January 19, 2020, 03:10:16 PM »
Updated:
  • Apricot Keyboard layout (KB)
  • CauseWay Compressor compressed 16bit DOS executable (EXE)
Added:
  • CauseWay Compressor compressed data ()
  • Parsons Technology resource data ()
  • 16bit DOS COM Crack Soft's cryptor encrypted (COM)
  • 16bit DOS COM DaRKSToP encrypted (COM)
  • 16bit DOS COM DCCrypt encrypted (COM)
  • Lotus Works Document (DOC)
  • 16bit DOS EXE DaRKSToP encrypted (EXE)
  • Parsons Technology resource Index (IDX)
  • Magnetic Scrolls Collection Layout (LAY)
  • Misfit Model 3D model (MM3D)
  • DROID Container Signature Mapping (XML)
  • DROID Container Signature Mapping (UTF-8) (XML)
Deleted:
  • Encapsulated PostScript (EPS) (old/duplicated)
4
Definitions DB change log / Re: Current
« Last post by Mark0 on January 18, 2020, 02:19:15 AM »
Updated:
  • Encapsulated PostScript binary (EPS/EPT)
  • PostScript document (PS)
Added:
  • 16bit DOS COM COMT text converted (with text wrapper) (ASC)
  • Pksmart Configuration (CFG)
  • 16bit DOS COM COMT text converted (COM)
  • 16bit DOS COM C0NtRiVER protected (COM)
  • 16bit DOS COM USCC encrypted (COM)
  • 16bit DOS COM VICKING protected (COM)
  • Encapsulated PostScript binary (with WMF preview) (EPS)
  • Encapsulated PostScript binary (with TIFF preview) (EPS/EPT)
  • Encapsulated PostScript Interchange (EPSI)
  • 16bit DOS EXE CRYPACK protected (v3.0) (EXE)
  • 16bit DOS EXE DCREXE encrypted (v2.0) (EXE)
  • 16bit DOS EXE REC encrypted (v0.32) (EXE)
Deleted:
  • Encapsulated PostScript (with DOS style preview) (EPS/PS)
5
Thanks for the defs and the info.
I scanned some other files, and removed all the strings (the header patterns should be enough).
I have added an EPSI def too.
6
Hello trid users,

Some weeks ago I had to handle some Encapsulated Postscript binary
files with previews.

When running trid on such files all examples are recognized as "Adobe
Encapsulated Postscript" by eps-adobe.trid.xml (See appended
output/trid-old.txt).

For comparison I also ran other tools for file type identification.
The newest file command, version 5.38 {see
https://en.wikipedia.org/wiki/File_(command)}, describes the inspected
examples correctly as "DOS EPS Binary File" (see appended
output/file-5.38.txt) and displays "image/x-eps" as the mime type (see
appended output/file-ik-5.38.txt).

The droid tool {found at http://droid.sourceforge.net/} also recognizes
such examples as "Encapsulated PostScript File Format" by PUID fmt/122 and
fmt/124 and uses "application/postscript" as the mime type (see appended
output/droid-ept.csv).

The identify command line tool of the ImageMagick graphics software {found at
https://imagemagick.org/} also recognizes such examples as "EPT
(Encapsulated PostScript with TIFF preview)" (see appended
output/identify-verbose.txt).

So TrID only mentions the file name extension "eps", but according to
ImageMagick "ept" is also used for Encapsulated Postscript with TIFF preview,
as in Bitmap_VS_SVG.ept generated from the Wikipedia SVG example. So I ran
tridscan to update the definition file. Now 2 file name extensions are
expressed by the line:

   <Ext>EPS/EPT</Ext>

For the mime type I chose the expression mentioned by the file command. This
is now expressed by the additional line:

   <Mime>image/x-eps</Mime>

Information about that file format can be found on the file formats archive
team web site. This is now expressed by the XML line:

<RefURL>
http://fileformats.archiveteam.org/wiki/Encapsulated_PostScript
</RefURL>

According to that site and by looking at other descriptions, the phrase "Adobe
Encapsulated PostScript" is not well suited. Better would be a phrase like
"Encapsulated PostScript Binary" or "Encapsulated PostScript with TIFF or
WMF preview". But at the moment I mention this fact in the remark line.

I also do not like the "DOS" phrase used by the file command. In ancient
computer times on classic Mac OS it was possible to put a preview image in
the resource fork, but on DOS computers this concept does not exist. So a
binary format was "invented" to put plain PostScript text together with a
binary TIFF or WMF preview image in one file. Nowadays nearly nobody is
using DOS, but that binary format can still be read/written by software like
CorelDRAW and ImageMagick.

That also means that the definition eps-dos.trid.xml with the text
"Encapsulated PostScript (with DOS style preview)" in principle describes the
same thing and should be removed, but there seem to exist samples with the
file name extension PS. So if this is true, then this name extension must be
added to the trid definition.

When looking at the output of the file command ("Postscript starts at byte")
and the Encapsulated Postscript file format summary in the Encyclopedia of
graphics file formats, it is apparent that the pure Postscript part is
embedded inside that binary. When extracting this plain text, the resulting
file is described by eps.trid.xml as "Encapsulated PostScript". So to be
consistent, all string phrases like "PS-ADOBE-" "%%CREATOR" mentioned in the
global strings section of eps.trid.xml should also appear inside
eps-adobe.trid.xml.

But maybe there is one exception to the rule. Normally the plain Postscript
part starts after the header at offset 30 or 32, followed by the preview
image, but in example.eps the preview image comes first and then the plain
text part. So it is possible that characteristic postscript phrases like
"%%CREATOR" are beyond the search range limit of the trid program.

But according to the documentation it is possible to distinguish between the
variant with a TIFF preview image and the one with a WMF preview image. So I
ran tridscan on samples recognized by the file command as having a TIFF
preview image to generate eps-tiff.trid.xml. Because these binaries contain a
TIFF image, no WMF image is embedded. This means the offset and length values
of the WMF image are null. This fact is expressed by the additional XML
construct:

   <Bytes>0000000000000000</Bytes>
   <Pos>12</Pos>

I did the same procedure for the WMF variant described by eps-wmf.trid.xml.
Here the offset and length values of the TIFF image are null. This fact is
expressed here by the additional XML construct:

   <Bytes>0000000000000000</Bytes>
   <Pos>20</Pos>

It is not clear, but for the WMF variant only one file name extension seems
to be used. This I expressed by the line:

   <Ext>EPS</Ext>

With the updated trid definition and the 2 variants, the examples are now
described more precisely (see appended output/trid-new-v.txt). The TrID
definitions, some examples and output are stored in the archive eps_ept.zip.
I hope that my XML files can be used in a future version of triddefs.

With best wishes
Jörg Jenderek
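
The header layout discussed in the post above, as an added example that is not part of the original post or of TrID. It parses the 30-byte binary EPS header, applies the same zero-field tests at offsets 12 and 20, and reports whether the preview precedes the PostScript part; the magic bytes C5 D0 D3 C6 and the field order come from the published EPS binary header layout, and the function names and sample data are constructed.

```python
import struct

EPS_BIN_MAGIC = b"\xC5\xD0\xD3\xC6"   # signature of the binary EPS wrapper
HEADER = struct.Struct("<4s6IH")      # 30 bytes: magic, 3 x (offset, length), checksum

def parse_eps_binary(data: bytes) -> dict:
    """Parse the binary EPS header and classify the preview variant."""
    if len(data) < HEADER.size or data[:4] != EPS_BIN_MAGIC:
        raise ValueError("not an EPS binary file")
    _, ps_off, ps_len, wmf_off, wmf_len, tiff_off, tiff_len, _ = HEADER.unpack_from(data)
    sections = {"ps": (ps_off, ps_len), "wmf": (wmf_off, wmf_len), "tiff": (tiff_off, tiff_len)}
    for name, (off, length) in sections.items():
        # Reject sections that point into the header or past the end of the file.
        if length and (off < HEADER.size or off + length > len(data)):
            raise ValueError(f"{name} section out of bounds")
    # Same tests the definitions encode: 8 zero bytes at 12 (no WMF) or at 20 (no TIFF).
    has_wmf = data[12:20] != bytes(8)
    has_tiff = data[20:28] != bytes(8)
    if has_wmf and has_tiff:
        variant = "both"
    else:
        variant = "tiff" if has_tiff else "wmf" if has_wmf else "none"
    prev_off = tiff_off if has_tiff else wmf_off
    return {
        "variant": variant,
        "ps_offset": ps_off,
        "preview_first": variant in ("tiff", "wmf") and prev_off < ps_off,
        "postscript": data[ps_off:ps_off + ps_len],
    }

def build_sample(ps: bytes, preview: bytes, kind: str, preview_first: bool = False) -> bytes:
    """Constructed test input: real header layout, placeholder preview bytes."""
    first, second = (preview, ps) if preview_first else (ps, preview)
    off1, off2 = HEADER.size, HEADER.size + len(first)
    ps_off, pv_off = (off2, off1) if preview_first else (off1, off2)
    wmf = (pv_off, len(preview)) if kind == "wmf" else (0, 0)
    tiff = (pv_off, len(preview)) if kind == "tiff" else (0, 0)
    header = HEADER.pack(EPS_BIN_MAGIC, ps_off, len(ps), *wmf, *tiff, 0xFFFF)  # 0xFFFF: checksum unused
    return header + first + second
```

A file with `preview_first` set is the case where strings such as "%%CREATOR" may lie beyond a scanner's search range, so the header fields are the more reliable discriminator.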
7
Definitions DB change log / Re: Current
« Last post by Mark0 on January 16, 2020, 09:46:08 PM »
Updated:
  • Canon RAW 2 format (CR2)
  • JAR compressed archive (J)
  • JAR Compressed Archive (with Security Envelope) (J)
Added:
  • 16bit DOS COM AVPACK compressed (COM)
  • 16bit DOS COM C-Crypt protected (v1.02) (COM)
  • 16bit DOS COM C.O.P. obfuscated (COM)
  • 16bit DOS COM CC packed (v2.61b) (COM)
  • 16bit DOS COM COMLOCK encrypted (v0.10) (COM)
  • 16bit DOS COM TurboBat compiled batch (unreg) (COM)
  • 16bit DOS COM XcomOR encrypted (v0.99) (COM)
  • 16bit DOS EXE cIPHATOR protected (v4.6) (EXE)
  • 16bit DOS EXE PGMPAK compressed (v0.13) (EXE)
  • 16bit DOS EXE PGMPAK compressed (v0.14) (EXE)
  • 16bit DOS EXE PGMPAK compressed (v0.15) (EXE)
  • 3D Studio 3.0 Help (HLP)
  • V-BASE Virus data (XDB)
Deleted:
  • AbiWord compressed document (ZABW)
8
Definitions DB change log / Re: Current
« Last post by Mark0 on January 14, 2020, 02:53:50 PM »
Updated:
  • Microsoft Word document (DOC)
Added:
  • 16bit DOS COM $UPD encrypted (COM)
  • 16bit DOS COM Maverick's C0DER protected (COM)
  • 16bit DOS COM mCrypt encrypted (v0.1b) (COM)
  • 16bit DOS COM The WiZ Cryptor encrypted (v1.00a) (COM)
  • Cre8or model/project (CR8)
  • 16bit DOS EXE $UPD encrypted (EXE)
  • 16bit DOS EXE Aluwain protected (EXE)
  • 16bit DOS EXE NOCLIP protected (v4.1) (EXE)
  • Micro Focus COBOL Library (LBR)
  • Meshwork model (v1.0) (MESH)
  • Meshwork model (v1.1) (MESH)
  • OpenStreetMap O5c data (O5C)
  • OpenStreetMap O5m data (O5M)
  • OpenStreetMap PBF data (PBF)
9
Definitions DB change log / Re: Current
« Last post by Mark0 on January 12, 2020, 10:10:43 PM »
Updated:
  • Shrink packed DOS Command (v1.0) (COM)
Added:
  • COSMI document (generic) ()
  • TERSE compressed archive ()
  • 16bit DOS COM BIN-Lock repackaged (COM)
  • 16bit DOS COM Ryptor encrypted (COM)
  • Shrink packed DOS Command (v2.0) (COM)
  • 16bit DOS EXE LamerStop protected (EXE)
  • Paradox Lock (LCK)
  • Swift Word Publisher document (PMF)
  • COSMI FormsMaker Form (v2.0) (WFM)
Deleted:
  • PockEmul session (PKM)
  • PockEmul model (PML)
  • 602PC Suite Template Document (WPT)
10
Definitions DB change log / Re: Current
« Last post by Mark0 on January 10, 2020, 05:46:23 PM »
Updated:
Added:
  • Encrypted OLE2 / Multistream Compound File (ECP v1.0) ()
  • CorelDraw compressed format (generic) (CDX/CJW/CPX)
  • Ultimate Writing and Creativity Center document (PEN)
  • PockEmul session (PKM)
  • PockEmul model (PML)