X-Ways
·.·. Computer forensics software made in Germany .·.·
   
 
 

Additional Templates for WinHex & X-Ways Forensics

 

Data Structure
(and submitted by whom)
Description
& Download
Olympus WMA
Catalin Grigoras
OLYMPUS_WMA_v03.tpl
SQLite Header
Terrance Maguire
SQLite Header.tpl
exFAT
Scott Pancoast
exFAT.zip
PCAP file
Frank Weiss
PCAP.tpl
DOS executable headers (MZ EXE)
Chris S
DOS_exe.tpl
exFAT Boot Sector
Christopher Taylor
exFAT Boot Sector 2.tpl
exFAT Boot Sector
Robert Shullich
exFAT Boot Sector.tpl
Dalet radio automation system
Steven Scholte

I've been using WinHex to analyse some soundfiles created by the Dalet radio automation system (version 5.1). I have made a couple of templates for this purpose and I thought I'd share them. There are three templates.

Dalet SND file header.txt
Dalet VOL file header.txt

One for reading the header of files with the SND extension. These are the old style soundfiles used to store MPEG-layer II audio. All SND files are accompanied by a VOL file which is used to store the volume information. This enables the Dalet system to quickly draw the waveform.

Dalet BWF file header.txt

The third template describes the Broadcast Wave Format as developed by the EBU. This format can be used to store MPEG as well as linear (uncompressed) audio. The BWF format is not only used by Dalet, but also by other programs used in radio and television production. (Steven Scholte)

JFS Superblock
Jens Kirschner
JFS Superblock.tpl

This template should work for Linux implementations of JFS. (Jens Kirschner)

Reiser4 File System Data Structures
Jens Kirschner
Reiser4 is a fairly complex file system. Not every possible data structure variation is covered by these templates, but they work fairly well for me.

Start with the Reiser4 Superblock.tpl on Sector 64.

From the root, follow Reiser4's internal tree using the Reiser4 Node Header.tpl on the nodes and either of the following on their node entries:  Reiser4 Item Header Large.tpl or Reiser4 Item Header Small.tpl . "Large" and "Small" refer to the key size, large is usually what you want being default on Reiser4. The best way to use these templates: Put your cursor on the first byte of the node for the node header template; but put it on the first byte of the following (!) block for the item header templates and (within the template view) move backwards - one to start and then repeatedly to see the other keys.

Reiser4 Stat Data.tpl Reads the Reiser4 variant of inode-like file management.
Reiser4 Directory Entries.tpl Reads all entries in a Reiser4 directory structure.

Finding the structures for Stat Data and Directories is more of a problem and a bit beyond this little description... (Jens Kirschner)

ReiserFS
Jens Kirschner
Reiser Superblock.tpl
CDFS File System Data Structures
Chris Taylor
CDFS Volume Descriptor.tpl
CDFS Path Tables Ascii.tpl

CDFS Path Tables Unicode.tpl
CDFS Directory Entry Ascii.tpl
CDFS Directory Entry Unicode.tpl

Some WinHex templates for viewing the Volume Descriptor, Path Tables, and Directory Entries on ISO9660 CDs. (Chris Taylor)

NTFS FILE Records and Data Runs
Jens Kirschner
NTFS FILE Record.tpl
NTFS Data Runs.tpl

The NTFS FILE records are of a pretty variable structure. However, the first template extracts the main parts of the $STANDARD_INFORMATION (0x10) and $FILENAME (0x30) attributes. It also parses the FILE records header and at least lists all the other attributes present.

If you do find the beginning of a data run within one of the attributes, apply the second template to the beginning of that data run and all the data runs within the set will be extracted.

Keep in mind, though, neither of these templates knows anything about the fixup bytes which basically replace two bytes of potentially crucial information with more or less random values at the end of each sector making up a FILE record, so there may be the occasional odd value. (Jens Kirschner)

Windows .lnk Files
Steve Guty
Non-Unicode LNK FILE Record.tpl
LNK FILE Record.tpl

1. The volume serial number doesn't match the physical case SN for hard
drives; it does match the Windows-assigned volume serial number returned by
the VOL command.
2. There's some additional info at the end of the .lnk files which is
described as "an unknown structure" in Jesse Hager's article
(http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf); I can
see that the computer name forms a part of this, but am currently at a loss
to discern how to reliably retrieve this data.
3. On some link files created under Windows 98 and earlier versions, you may
not see a length value preceding the strings for description, relative path,
working directory, etc. at the end of the template, so you may want to
modify those sections to simple zstrings rather than char[n] strings. (Steve Guty)

UFS File System Data Structures
Michele Larese
UFS1 Superblock BE.tpl (big-endian)
UFS1 Superblock LE.tpl (little-endian)
UFS1 superblock, located 8192 bytes from the start of an UFS partition

UFS1 Cylinder Group Descriptor BE.tpl (big-endian)
UFS1 Cylinder Group Descriptor LE.tpl (little-endian)
UFS1 cylinder group descriptor

UFS1 Inode BE.tpl (big-endian)
UFS1 Inode LE.tpl (little-endian)
UFS1 inode structure

UFS2 Superblock BE.tpl (big-endian)
UFS2 Superblock LE.tpl (little-endian)

UFS2 superblock, located 65536, 131072 or 262144 bytes from the start of an UFS partition

UFS2 Cylinder Group Descriptor BE.tpl (big-endian)
UFS2 Cylinder Group Descriptor LE.tpl (little-endian)
UFS2 cylinder group descriptor

UFS2 Inode BE.tpl (big-endian)
UFS2 Inode LE.tpl (little-endian)
UFS2 inode structure

UFS directory entry BE.tpl (big-endian)
UFS directory entry LE.tpl (little-endian)
UFS directory entry, identical for UFS1 and UFS2.
These templates display only regular entries in a directory block, not deleted ones.

Microsoft Windows Event Log
Andreas Schuster
EVT_Cursor.tpl
Cursor record.

EVT_Event.tpl
Event record.

EVT_Header.tpl
Header record.

More information: http://www.dfn-cert.de/events/ws/2005/dfncert-ws2005-f4.pdf

HFS+ File System Data Structures
Jens Kirschner
Stefan Fleischmann
HFSPlus_Volume_Header.tpl
Located 1024 bytes from the start of an Apple HFS+ volume.

HFSPlus_Catalog_Key.tpl
Defines a file or directory. Includes the file or folder record that follows.

HFSPlus_B-Tree_Header.tpl
HFSPlus_Index_Node.tpl

POS File Format
Stefan Fleischmann
WinHex/X-Ways Forensics position file format (.pos). Fully documented here.

POS_File_Format_1.1.tpl
POS_File_Format_2.0.tpl

WAV PCM File Format
Khomenko Volodymyr
Structure of a simple WAV-PCM (unpacked) audio file

WAVPCM.tpl

BMP File Format
Khomenko Volodymyr
Structure of a BMP bitmap image file with palette

BMP.tpl

AFP Datastream Records
Bob Carlyle
AFP (Advanced Function Presentation) is a widely used print datastream for high-end production printing throughout the world. It is also a viewable datastream, similar to PDF files (although PDF is much more powerful), using the AFP Viewer Plug-In, and other documentation is available at http://ibm.com/printers. The datastream itself is EBCDIC-based, but there is a lot of software that uses this datastream on ASCII-based systems.

AFP Structured Fields.tpl

Structured Fax File Format
Ulf Zibis
SFF_File_Format.tpl
Cf. http://delphi.pjh2.de/articles/graphic/sff_format.php .
TIFF Image File Format v6.0
Ulf Zibis
TIFF File Format.tpl
TIFF File IFD.tpl
Cf. http://partners.adobe.com/asn/developer/PDFS/TN/TIFF6.pdf .
Palm Database Files
Ulf Zibis
Palm PDB.tpl
Palm PDB 6 records.tpl
ZIP File
Alex Sidorov
ZIP.tpl
ZIP File Data Structures
Trenton D. Adams
All ZIPs start with the "ZIP Local File Header Structure" template. These are repeated until all files in the ZIP have been looked at. After each one of those comes the "ZIP Data Descriptor Structure" (which I've never actually seen myself).  In order for a "ZIP Data Descriptor Structure" to occur after each ZIP entry, bit 3 of the General Purpose bit flag of the "ZIP Local File Header Structure" must be set.  For me, I've never actually seen that bit set, and hence have never actually seen a "ZIP Data Descriptor Structure".

Now, last but not least is the final listing of all ZIP entries in the archive for spanning purposes.  You use the "ZIP Central Directory Structure" repeatedly until a "ZIP End of Central Directory Structure" is encountered.   And, each signature of the structures tells you which one you're encountering.   Remember though, the signatures are little endian because this is the ZIP specification.

ZIP_Local_File_Header_Structure.tpl
ZIP_Data_Descriptor_Structure.tpl
ZIP_Central_Directory_Structure.tpl
ZIP_End_of_Central_Dir_Structure.tpl

FAT32 FSINFO Sector
Stefan Fleischmann
To be applied to sector 1 of a FAT32-formatted logical drive. Contains additional information about the volume. FSINFO Sector.tpl
DBF Format (Tutorial)
Paul Mullen
Three templates for data in the "dbf" or "xbase" format which originated with Ashton-Tate’s dBase program and has since been adopted by many applications. Presented as a tutorial on how to create such templates. tutorial.zip
FAT16 Entry
Paul Mullen
Must start at start of FAT to get numbers right. "F8 FF" = first bytes of valid 16-bit FAT. FAT16 Entry.tpl
FAT32 Entry
Stefan Fleischmann
Must start at start of FAT to get numbers right. "F8 FF" = first bytes of valid 32-bit FAT. Based on the FAT16 template version. FAT32 Entry.tpl
... ...