-
September 7th, 2005, 02:53 AM
#1
File headers and footers -Ghost
Does anyone out there happen to know what the hex format of the headers and footers is for Symantec Ghost files? I'm looking for .GHO and .GHS files.
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
-
September 7th, 2005, 02:30 PM
#2
Junior Member
What I could get quickly:
FE EF 09 02 --> GHS
FE EF 01 --> GHO
-
September 7th, 2005, 05:30 PM
#3
Tried doing a search for the magic number and didn't come up with anything after looking at magicdb.org/magic.db (also looked in my /usr/share/task/files/magic file) for .ghs/.gho/symantec...
Perhaps you could bring a few of the files up in a hex editor and see where commonality is in the first few/last few bytes and update their db?
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
September 7th, 2005, 05:57 PM
#4
Nebulus: That's definitely my intention.
-
September 8th, 2005, 12:15 AM
#5
So far here's what I've found.
It appears that bytes 1 & 2 are the "header". Byte 3 is either 01 or 09 depending on .GHO or .GHS.
Byte 4 appears to be a version indicator of some sort, although I don't have any older versions of Ghost so I can't verify. If you have versions of Ghost other than Solution Suite and 8, please pop the file in a hex editor, or run
dd if=/path/to/file bs=64 count=1 | xxd
to get the first 64 bytes of the file.
Byte 5 is the Ghost file index indicator. Basically it's randomly generated but the .GHO will be the lowest number, and each .GHS will increment by 1. Bytes 5-8 are a unique identifier for the ghost image and they are consistent across each file in the entire image.
To illustrate these findings:
file1.GHO
FE EF 01 03 D3 CC 12 43
file1-1.GHS
FE EF 09 03 D4 CC 12 43
file1-2.GHS
FE EF 09 03 D5 CC 12 43
file1-3.GHS
FE EF 09 03 D6 CC 12 43
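The observations in post #5 can be turned into a small triage helper for sorting recovered Ghost segments into image sets and spotting a missing span. This is an added example, not code from the thread or from Symantec: the field layout is only what the poster observed in the four sample headers, and the function names, the reading of bytes 6-8 as the image identifier, and the wrap-around handling of byte 5 are assumptions.

```python
"""Group Ghost image segments by the header bytes observed in this thread."""
from collections import defaultdict

MAGIC = b"\xfe\xef"                      # bytes 1-2 in the thread
KINDS = {0x01: "GHO", 0x09: "GHS"}       # byte 3 in the thread


def parse_header(data):
    """Return the observed fields from the first 8 bytes, or None if no match."""
    if len(data) < 8 or data[:2] != MAGIC or data[2] not in KINDS:
        return None
    return {
        "kind": KINDS[data[2]],
        "version": data[3],              # poster's guess: version indicator
        "index": data[4],                # byte 5: increments per span
        "image_id": data[5:8].hex(),     # bytes 6-8: constant in the samples
    }


def group_segments(headers):
    """Map image_id -> segment order and index gaps; headers maps name -> bytes."""
    sets = defaultdict(list)
    for name, raw in headers.items():
        h = parse_header(raw)
        if h:
            sets[h["image_id"]].append((name, h))
    report = {}
    for image_id, members in sets.items():
        base = [h["index"] for _, h in members if h["kind"] == "GHO"]
        if len(base) != 1:               # no single .GHO to anchor the run
            report[image_id] = {"order": [], "missing": None}
            continue
        # Assumption: the index wraps at 0xFF, so compare offsets modulo 256.
        offs = sorted(((h["index"] - base[0]) & 0xFF, n) for n, h in members)
        seen = {o for o, _ in offs}
        report[image_id] = {
            "order": [n for _, n in offs],
            "missing": [o for o in range(offs[-1][0]) if o not in seen],
        }
    return report


# Constructed sample: headers quoted in post #5, with span 2 left out.
SAMPLE = {
    "file1.GHO": bytes.fromhex("FEEF0103D3CC1243"),
    "file1-1.GHS": bytes.fromhex("FEEF0903D4CC1243"),
    "file1-3.GHS": bytes.fromhex("FEEF0903D6CC1243"),
}
```

The header bytes can be collected with the `dd ... | xxd` command from the post or by reading the first 8 bytes of each file; a gap can only be detected when a later span is present, since nothing in these bytes states the total span count.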