Author Topic: What are the numbers in parentheses  (Read 16061 times)

Shehi

  • Newbie
  • *
  • Posts: 6
What are the numbers in parentheses
« on: May 04, 2010, 10:28:15 AM »
hey marco,

when i run trid.exe thru command line to identify a file, at the end of each identification line, numbers such as (5000/1/2) appear. What do they mean? And is there any chance for me to see what exactly was detected in Hex level of file and at which offset? I ask for this reason:

Quicktime movies, usually with .mov extension may have one these two strings at offset 4: moov and mdat. Additionally, in H263+ encoded new generation mov's, we can see "ftypeqt" instead. Now, when I run file thru TrID, it identifies the file correctly, but HOW? In your XML signature file, there is no mention of "ftypeqt" in video-mov.xml.

Thanks for your answer in advance.

Shehi

Shehi

  • Newbie
  • *
  • Posts: 6
Re: What are the numbers in parentheses
« Reply #1 on: May 04, 2010, 11:25:48 AM »
Oh, and when I try to download the definitions file from http://mark0.net/download/triddefs.zip , I can't extract files within - "Unexpected end of archive" Winrar says. Could you please update the file there? Thanks...

Note: Please don't use 7-zip to make ZIP files, it is problematic sometimes. Its because the author does not follow magic-number signature standards - e.g. try creating TAR file with 7zip and IZArc, and run both files thru TrID, you will see. 7-zip lacks "USTAR" signature in TAR files, because... well read for yourself: http://sourceforge.net/projects/sevenzip/forums/forum/45797/topic/3686403
« Last Edit: May 04, 2010, 11:33:22 AM by Shehi »

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2743
    • Mark0's Home Page
Re: What are the numbers in parentheses
« Reply #2 on: May 04, 2010, 12:23:31 PM »
when i run trid.exe thru command line to identify a file, at the end of each identification line, numbers such as (5000/1/2) appear. What do they mean?

The only "interesting" results is the first number, witch is the score obtaining evaluating all the patterns present in that filetype definitions, depending on lenght, positions, etc. The other two refer to the number of patterns and strings, but essentialy were interesting just for me while adjusting the score functions, rather than for the user.

Quote
And is there any chance for me to see what exactly was detected in Hex level of file and at which offset?

No.

Quote
Quicktime movies, usually with .mov extension may have one these two strings at offset 4: moov and mdat. Additionally, in H263+ encoded new generation mov's, we can see "ftypeqt" instead. Now, when I run file thru TrID, it identifies the file correctly, but HOW? In your XML signature file, there is no mention of "ftypeqt" in video-mov.xml.

Can't say specifically without checking the code and the defintions, but I think in the def there are probably some less evident pattern that still differentiate the two types.

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2743
    • Mark0's Home Page
Re: What are the numbers in parentheses
« Reply #3 on: May 04, 2010, 12:26:19 PM »
Oh, and when I try to download the definitions file from http://mark0.net/download/triddefs.zip , I can't extract files within - "Unexpected end of archive" Winrar says. Could you please update the file there? Thanks...

The file is fine. I just tried to download and test/unpack it.

As for Z-Zip, I find it fine for my uses.

Shehi

  • Newbie
  • *
  • Posts: 6
Re: What are the numbers in parentheses
« Reply #4 on: May 04, 2010, 01:08:20 PM »
Well, I still can't extract the file with Winrar. Any ideas why? In my office comp, I don't have any other extractor, so maybe you can attach definition file without compression here, in this topic, please. Thanks.

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2743
    • Mark0's Home Page
Re: What are the numbers in parentheses
« Reply #5 on: May 04, 2010, 01:48:51 PM »
I'm not at my usual PC at the moment.
But you probably just need a more recent version of RAR.
Either that or an antivirus is interfering in some ways.

Shehi

  • Newbie
  • *
  • Posts: 6
Re: What are the numbers in parentheses
« Reply #6 on: May 04, 2010, 04:02:33 PM »
Nope, doesnt work... Please attach the file here at your earliest convenience.

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2743
    • Mark0's Home Page
Re: What are the numbers in parentheses
« Reply #7 on: May 04, 2010, 07:59:11 PM »
Disregard the comment about RAR; I was thinking about the compressed file with the XML definitions.
This is just a normal .ZIP, so I don't see any reasons for witch it can't be unpacked.

I'm sending the non compressed file to your mail address (don't want to post here a file that will be old / non current very soon).

Bye!