Does anyone out there happen to know what the hex format of the headers and footers is for Symantec Ghost files? I'm looking for .GHO and .GHS files.
Printable View
Does anyone out there happen to know what the hex format of the headers and footers is for Symantec Ghost files? I'm looking for .GHO and .GHS files.
What I could get quickly:
FE EF 09 02 --> GHS
FE EF 01 --> GHO
Tried doing a search for the magic number and didn't come up with anything after looking at magicdb.org/magic.db (also looked in my /usr/share/task/files/magic file) for .ghs/.gho/symantec...
Perhaps you could bring a few of the files up in a hex editor and see where commonality is in the first few/last few bytes and update their db ? :)
Nebulus: That's definitely my intention.
So far here's what I've found.
It appears that bytes 1 & 2 are the "header". byte 3 is either 01 or 09 depending on .GHO or .GHS.
Byte 4 appears to be a version indicator or some sort although I don't have any older versions of ghost so I can't verify. If you have versions of ghost other than solution suite and 8 please pop the file in a hex editor, or run
dd if=/path/to/file bs=64 count=1 | xxd
to get the first 64 bytes of the file.
Byte 5 is the Ghost file index indicator. Basically it's randomly generated but the .GHO will be the lowest number, and each .GHS will increment by 1. Bytes 5-8 are a unique identifier for the ghost image and they are consistent across each file in the entire image.
To illustrate these findings:
file1.GHO
FE EF 01 03 D3 CC 12 43
file1-1.GHS
FE EF 09 03 D4 CC 12 43
file 1-2.GHS
FE EF 09 03 D5 CC 12 43
file 1-3 .GHS
FE EF 09 03 D6 CC 12 43