悟夜叉个人博客 技术专题 浅析iPhone iOS镜像/iTunes备份文件手动取证

浅析iPhone iOS镜像/iTunes备份文件手动取证

发布: 2023年3月23日 172阅读 0评论

前言:本篇的内容有点用但并不多,现在众多取证软件已经可以满足大部分的取证需求,手动解析只是对原理上的一个理解,正常情况下不必过多了解。

iTunes 备份包(本篇主要介绍)

我们先看一下备份包解压下来有什么内容:

这些“00”、“cf”、“ff”的文件夹名称看起来像是自动按顺序生成的,但是“0f”后面不应该是“0g”吗?怎么变成了“01”,这就有点让人摸不清头脑了。

当然上面说的只是一句玩笑话,所有的文件夹名称都保存在根目录下的 “ Manifest.db ” 这个数据库中,我们使用Sqlite工具打开它(Android和iOS绝大数都采用的sqlite数据库):

我们打开 Files 表,这里有一个 fileID 字段,那么文件夹名称就是取字段前两位来进行命名的。那 fileID 字段的值是随意生成的Hash吗?并不是

fileID = SHA1(domain-relativePath) ,我们拿 RecNo 为 2 的(第二行数据)来举个例子:

domain 字段的值为 AppDomainPlugin-com.tencent.xin.siriextensionui,relativePath 字段的值为 Library,那么我们将两者的值进行合并就变成了:

AppDomainPlugin-com.tencent.xin.siriextensionui-Library

注意!别忘了中间还有一个“ – ”减号,少了计算的 Hash 可是错误的。我们拿上面合并好的值做 SHA1 加密,再取前两位就是 iTunes 备份包下文件夹的名称了。

我们到里面一层再看看有什么?

这些文件都是00开头的,其实大家也能猜到了,苹果只是做了一个分类。这些文件并不是通过记事本或者notepad工具就能查看的,将文件拖入 Winhex 来猜一下,下图的文件是什么?

89 50 4E 47 是 png文件的文件头,那么我们基本判断这个文件是一个 png 图片了。

直接用图片工具打开就能直接查看了:

接下来还剩根目录的 plist 文件没有介绍了,iTunes 备份包解压后一共会出现 3 个plist 文件,分别为:Info、Manifest、Status,那么依次来简单介绍一下。

1.1、Info.plist / 主要是保存了设备的基础信息

1)包含了设备的基本信息

	<key>Build Version</key>
	<string>15D60</string>
	<key>Device Name</key>
	<string> GYS-iPhone</string>
	<key>Display Name</key>
	<string> GYS-iPhone</string>
	<key>GUID</key>
	<string>688EAA8C850C3F37AB2F58237208580E</string>
	<key>IMEI</key>
	<string>358765058416964</string>
	<key>Installed Applications</key>
	<array>
	<key>Last Backup Date</key>
	<date>2018-12-14T08:41:51Z</date>
	<key>Product Type</key>
	<string>iPhone6,2</string>
	<key>Product Version</key>
	<string>11.2.5</string>
	<key>Serial Number</key>
	<string>DNQM11WUFR99</string>
	<key>Target Identifier</key>
	<string>9bb27b9f454b5ca1a19f82d2e92b9807cb3500df</string>
	<key>Target Type</key>
	<string>Device</string>
	<key>Unique Identifier</key>
	<string>9BB27B9F454B5CA1A19F82D2E92B9807CB3500DF</string>

2)包含了app的部分信息

		<key>com.7thg.flashlight</key>
		<dict>
			<key>ApplicationSINF</key>
			<data>
			base64加密..
			</data>
			<key>PlaceholderIcon</key>
			<data>
			iVBORw0KGgoAAAANSUhEUgAAAHgAAAB4CAYAAAA5ZDbSAAAAAXNS
			R0IArs4c6QAAAAlwSFlzAAAWJQAAFiUBSVIk8AAAABxpRE9UAAAA
			AgAAAAAAAAA8AAAAKAAAADwAAAA8AAAqhlCD+L8AACpSSURBVHgB
			vJ35l51Vme9Pr+XtH+6/ce9d67p6aYuRhQOiiCIiCAQEkiDzkKqk
			5tQ8z/M8n1OnqpIKCYQIGAZFRVpsBmkFRQgObSIINNAQByCh1dv7
			fj/7Pd9TbxXN1e7luq612Xs/+5m/+9nvft+qipnMX/l/Dz300Pvm
			5+dPy2azO/L5fNfS0tKq5vcvLCw8vri4+Iza8bm5uROin5iZmXlT
			9KB5oBd/ED2srq7GMXSaZIJ4w+zsbFyHNj09HXK5XFhbW4vrnluP
			5/Ij8k1MTITx8fHAHBtTU1NRN3zyL+qbnJyMupgfOHAgrmMTO/Q0
			+JFFTz43HZZyU2H/Wi4s5+fkSz7MzqBjTv4vhX379mHrzZWVlRPy
			+YRkjkvXM/Ll8b17996vmFYVW5fi3iG+08jdXxmOv446Ofk/1GoV
			/IPqT5IIEk0SaABC0uihAxZJI6HQmNNDowEAPXQasiTViYXGGF1K
			VFxHF3PrAVB0ICufIrijo6ORxwBbD/6ijw0AP3PA8TryjAEXO+he
			zs+H1WUBnJ0QwFnNZ8PaPvk8PSZ7s2F5OScdq/Ih2VDpnGCHzYxN
			+8e6cnVS8we1Visf/+dfB53/ohZ2mxK6TYE/StAET+AkmDkJwXnm
			rLkRCHysjY2NFemsO1g2BWCRAHit23LQkUXX8vJyXPccXmSZ09sP
			wB0ZGSnaIMkGCxnmrMOPfjaO7dsX+OGbmBgL+/fJ9tKEAB4La3vn
			NZ4Oe1fZCNpE81MCcFE6lgVastHRZZCHh4fjxkeX43YPD3ko2H5U
			trf9f63sEMLfYFTOHScZThIO4TA09zhrHvhoXmeNhFre4LEhqBiS
			Cs0AoxPQWIdmMFyNAEiS0AcP69iARj80NBQGBwejfRIIP3rQ6R4e
			g8rGMR157NPQu7gwKoCnw0p+vADwnCp4WkAvhtnpEQE8qblOl9Wl
			kNVxnc0uRl3Ebl+IEdvYg44tFwM9cWAPfq0dF982cv9frMe/TEzG
			3q8AHyFp7EI74WTR47DnjGlODj0yrKODhBIkc9YMBgEStNcIHh6S
			Cw9jZNFFtSPrOWMnEV548GFgYCD09/fHMev4j350umcDOCaOUOzQ
			HBPjifGhsHcFgAXi0qgAHgn7Vqf1PJ4QoPJ7eijMzY6GXFYbYCWr
			auREAaSxqBuf8MWbkNjQjw/09pe5afZR/j0CBn8ZWv9JLjlWKoOn
			nEiSQTIJ2g6QNBymZw1nmeOo+QwGdAJFluZEEiQA0JuOPHZp0NFv
			+1Q6suiyHXgAE/vQsNXb2xsbY9aRRz866Zn39fUVdfD8xg4NPfRD
			Q4NhZWkk7F0eDvv3TsRxbnEw7FuZUsUK4BUd75P9quCxBODlhXhc
			Ly7oVBsjJ4Cc+MIGxja+45Pt4C/2oENjzT4WYjwlntL/JHzvza6j
			5L8pAXmDiRHGJNBOkBycYQ2ak+eEs+bGOg6jg6RDtzw0A+CgHRy9
			bTMGDIChEtDB3DaQZY4+ePCju7s7NsbQWccuOpEjHnisg2N8s83F
			eVXu6rAAHQ637htXBQ+pggcF7IQqeFSXLt1FJvvC/NxwyC1qAyzr
			cjmn+8acjtsxThyBNzEeuru64kmETew5Z/jG3L3XzJeOUZtgGWze
			G7m/YEUK/ruM3GvAMIgxktbT0xOdYQ1aOllOGnw0JwqetA4SCq8b
			iaexg+mhI4M8NmwbOvahUwme2wcSxLptY7OzszM2aKyzuZBDJz3J
			61Li7SuniOkxjuGBcGBtRADriF4eFMBjquBBATwggBmPqtfjYKJb
			VTssugDOz2ism/mc4hrjxKMiRwVwp/r1TZbOCfZdBNjHtn0lJmjw
			FCr7PjD6C6B8N8uhQ4f+VsHf6yBJHg1Q6EmYE0py4MMBaDhE78Ya
			ifTcOxEd0OGHFhNZAIAgodHMY9vwAwZ62Qzw2B/GyBos22xvbw9t
			bW3RBxLKOrz4TI/ujo6OIqg8K7HjWJZzg+G2/cNhbaU/7Fse0BE9
			IlAHQj6ruZ7JK/kRVbDuEZPdYX52IGR1EVvRxYvjen5Wz9NRPTIm
			dEyrknt6ADg5Vewffnhz0RMzfrFuX91DJ1fwqN0LVu9G8M9QFNiK
			gydIG8QIYxJGzxrJgddrzHGCdcuxbj2sAw46oDOnERgN5+ktYwDQ
			T8DwIgudSoePOfppyDK3bfqWlpbQ2toaaegATPSgk54Nggw60cHG
			8ToXp0MHhgXwkCoYgPtUwcMCuC8sLfbGZzIbYDWvy+NEZ1iY7dcR
			PaLnst7N5/QYmdGxO9IjcHVPGB2Q3jaBPSq/u0KvfMc//CAn2KfH
			B+JiDd+Y45/pxAgvPNqwq38Gzo3LUrILQZoVYsjG6KkG1jCCA/Di
			JHP3jOFljWSZnzF0Eu7kOkCSj/MECc1+MMYOcsgQLGsAnJ5DQwf+
			wYsPNABubm6ONOisI2eg0Y0/tscRmNjsCIdvG1UbFshD4da9fRHk
			g2sA3BuWc73xmbya5+jWLX+iIyzOA7DWdfFa1HE9N6tjd6RboA7o
			Fq6TTgBP6Lju6e6Qb8kJgh/4hX33+IfvjtW+wuMCcLw6tXZtRPE9
			ZlL6fgV2ioBpGKF34AaWZEFjHQfgSTtifnqDQw8/jkJHB2Pk6L0h
			vJPRiQyNdWwjxxjAoFPtnsNPI0Gs2wf4GhsbY4PGRmMdXnS6b2pq
			KsbLcxq/FmZ7wt2HR8Lhg4MCeFDg9qj1hoNrAjQPwD06todUvVTw
			kI7odoHapyN6QACPa8xr02AYHdaxPK4TZ0yPg67m+Ezu7emQL1Rx
			dzE2fMVHx8LYPrIBTSdGeJmTN23qU8rF/34PWBMyL9JS9hhCBEfz
			GGU0EgNIJMw0DMOLI9Dce906ACK9jg54kacn8a5yenQiQ2Ns2/Aj
			i152MrKAAw8NWebYgodWX18fGhoaIg3/zW/f0W2d6OA53dvTHu4+
			NBTuvmNYAPeHOwTygb09quJeHde6Pee7w+pSjyp4QODS9CFlsk2g
			9qqCmeuz5fyAPn7064juUAX3hvFRnYzdzbGSe3vaQl+vABLIbW3a
			sPLTOXIs+I5vzO2zc8UadOIFcLXH/p8fQ/bs2XMVSpx0K6Z3oll3
			wkyjEklUmh/DtDQ46IVmfXV1dbGKkaeR+HSDDxkaY9uGF8DQRbWz
			Bjj0+IEO1m0bvtra2oA9+wzY8KPLull37BzzVOrdd/SHI18dDl+9
			rV8g6ya9t1sA9wjgAT2LAbg7Xrz25vsEuMCcagvZ+Z6QW+jTa9Sw
			nsF6bZrVxW9Yz91xPVJGFWNXY6zk3p5WbSJtbFVyW6s2ZCenVFIs
			jgXfXQiOkTViZM1jqhia4r/qP6xiBf6+mpqa4yghSQbMyUUZY+8i
			bYZowDQnCb70JnHCoKHT/PCRUOhubBwD7J2b9gXfAAh+ZFkjMOYA
			Sg9g3oD2GT7FFuwzOuCH17bRDc32sgvD4d67BsM9X6UNhTtvB+C+
			cNtaTzi4D4D7BWy3QO2Kz2Ru13vz/QK4RQB36fLVpyN6OCzO9Yb5
			md4wNtwaX6HGR3Vh6m4ME2O6v/TK/17dFfp0SrU363RRQbSTo9bi
			xsMfNiO9fcZvTido5J0xRzm5UxzHwfJdICv47VVVVVFZOnDGNCuz
			MRKWppEobw73GE/zWA/rAI0OxuikAQjJByADiQ77Aw9yyFCR0Dme
			oAMedBqyrHtzwVddXR3tQaOxjs/I2gd0JD42hwfuGQ/33TUgcPsF
			9FC46/Y+VTEAd6l1h0O3AnCXQO2Mlb62ogrW7XpuukXVC8A98Zmc
			1XE9r+f4+GirLmBdqmJdRHsa1ANwSxHkttYGHd0UUbPyAMDJZiV+
			NjN+eRPjNzFCo7Urb+TMG1s53/4ugJXsRyorK6MyJ8oKSYJ3uo3B
			awPQ4PEavfnp4YOGXsbeiWwo6G5OPg4ztn0DAJ/lvTnYtdCZ0+MH
			sszhxT7y+Is9aDTLI4Md64A3n+0KDz0wHu6/e0Dg0gb1LO5TFfeF
			2/cb4N5w62pXBDm5ePXpyO5RtQJwpwBWdS8PadyjY7onTIy2qIJ1
			0RrTxaqnTr1eN3ubVL0JyG2t9Tq69axt011CILe04HeSd/vKpsRX
			YiRHjo14ARdaIQePbABYu+R/KQH/Xl5eHisBBQ6agBGip7lSKioq
			NtDgMZ979GyWsz6c84ZCJ43dapC9c+G3L/AgR6CABZ3AoDOnxzan
			BnPbhg9/aU4K6/CSPBpz1nu6msK37xsKDz0wFr7+tQFVcb+AHgxf
			u6Mvgnxof2e449bueFzfutopgDvixWv/SnK7XpxtCfnFzrCc5fge
			iO/JC7NdArQlzEx1hskx3Rt662Ml9/c1hYH+lghyR3tdvF23twk8
			gdzcpEdOY71iaIinDzE4PsdonNJ5Mw+YFkFWwuoAd9euXVEZCYTR
			zPQYoHHUoRh+5iQRGjwkCho9TtDScp5bHzrgRZ5G8qkuHGZsPvyh
			2TY9YEBjQ3hOjwzybB4nALtlZWXRZ28YbAMqMd9yyy2ho61coLSG
			px6bDEd/OB2efmI2fO9bYzqqB8M3jgyFe+/sj8f14YNd4fCB7nCn
			juuD+zpVxZ3hwD4uXt06qntCdq5ZAHdIF8c3H0L0ZWumQxXcpOez
			btLjbQK4LlbzYL8qOFaxXhfbawWwLrituuipmpubdAo2ciLVharC
			yYq/zjN5IrfMyRUx05wDxV5fBFhJfpAEECyJsRKSTxINmJNMwuCl
			p2EYxTTz0KOHdcbopfc6zu3evTvKIM86yTfIjG0XPTR4kIMfgKAR
			lOes4wM6WLc99OAvMeIPcqWlpeHqq68OTfXXh2PPTISTr2XDyVfV
			1L9Nr/a2xq+/kA3HjubC4w/PCuwRVXGvwO1R07vwvo4I8kE9k7l4
			cbvOzTcLXAGc64xfvPKq5MW5jjA1DsDtquCWMNhXp9cpfZXrb1RT
			FauSOwVwTzfHs2767Q3a6LpjNNUqJ2xsHp1JDp1nYiQ+YmEjkwdo
			5KCQt+9EgPWwfp8S9DbJLikpiYmBAUUkjrF7lLly4HUCoaGYBo/5
			kaVZznPWkfWGsizg4SwNIPABGfcGDXveHATluf1AHjCxa3/wF3v2
			5fLLLw8dLdcnYEZwFzeCa5BfXRRP0l77VS78+Il5AT0ajhweCBzX
			gHz7fgDujq9QSwvNYSXXHkHm4kUlZ+faBXCjLmBtumi1hKH+2vjF
			a6i/oQCy3uk79ujx0BArub2tNrQ2a/M269HYoJOxmtOqRnGWF/NM
			rpwbckUeKApyQL4U59tgm1GiP0yC2dE7d+6MiQMAGvQ00CgkyfTw
			0pMwaCimQUOOPg00POiieR2b0N1wFHBwnrHl7Q986MUOYEEnMOiu
			UNaQZwPAa3/wF3vIXHfddeHG67aG3744n1QuAKu9JSDfekVAF6rX
			VW2AI11rb7yQC0//YCl8/ciobta9ulF3JyCrkpcXm8O+fIfejzvi
			7XolJ4DnAbYhLMy0q3JbwsigKljH9chQYxgaSEDu6qjR5UsfYjrr
			VM26R7QAMMevNmkNj0PySY6TXBOjsaFYXBjkghhZU24+nFGyd7Db
			ScDNN98ck2CwoDNGCFBo0FAALz2N5JJQ1sxDj6zl4EnrRY5nH3Ju
			gOFTgbGdpUfWtumpSGgEhm4DyBo6ABPb2IGGv7SbbropfPmyC8Pz
			RwvHMsAWAI5AvrZeycwjyFpP1gp9gf7qsVz4/sML4Z47+dKlr1t6
			hcovNgrgdgHcHp/Jq0udukm3hRkBPD/TKoCbBfCe+EFkZLA+DA/U
			q6IbQndntd6PAbdG9wHArVar0XNY1VijR0utQKsCB3JRHgvAuQVM
			CoK4yYXzJdoOAO4iASSb4EkcczeYGRscwGB84403xp4EkkyDbCDS
			PWP0ootmHSQcOTdA5USgMcYuQdAjBx+6kAdQ6ASGffxPH8PeAOa/
			4YYbwjXXXBMuvPCC8E8P9xaBc5WeFLCuVJ7Bb2+aJ9UrHoMND0f3
			K9lw/OhS+M4Ds3pX1seOpeawttym1h4vXvv0nry00BrmphrD4myr
			gG3WR4/aCPDYcIPATkDu6aoO/Xp96myvLoBco8tWTWhp0r1mT5kq
			GIDLiiDXKkfERiNHgEveyIXzpRx2Z5S4ZRJHsgGNRMFAEqF7TE9D
			AckmYfQYIJlOLjyb5eAzIF6H5g2FTuTZLOxGHz34AJ/1wcMcfvxl
			ncCgM3cVI2975v/KV74SvvCFL4RDa7UbwQWwAmiAaKBjTzVHWnKE
			sxmKlRzHyfykgD7xYi489fhSfFemkgGZ2zXH9dJCS5ifbtBRLaCn
			m8L48B5Vc5v6en3CrI8g93ZV6bKlVyVVMsd1R1u1LlwCuFn3lT27
			9SzWDVqVXF2tE7SSU6pauUgwAQMXRRoHAbycUZIegAi4119/fUw6
			CXXSPaanwUtieY4ZAJLrCoKGbFoOGjybdWAPOcCg924EaMboYUPY
			aXjQBT/+sg6Y0JmzYVhDPm2PtQsuuCB0t127AdxXjueTOZVYBNJH
			ND0Vm/QJuNyuC1UsgONYc/Oh4xdP58ID907F5zJfvPbrPTmv5/LC
			TL1u2ACtz5QjNfGDyMRInaq5TgDX6usWAOtVqbNKAFepiqsiyK3N
			ukHX7hLAut9U71LbHSorSgWwclTO4y0pQhcFuXD+lcNvAvCjJIWK
			JOFOHEzQ6UmwhaAB1LXXXhuTDQAkk+Y187uHn+Sjw3oBCnvI4RQ9
			1ebnCmPkDShydp4ef1k3mMzxnTU2h+NgfsUVV+hSdVH4/csLRYBf
			FbiPftcAU4mF6iyCDehJKx7jxTXxFsCHJ4Ifq11jzV85vhQefnBe
			P6gY0s26M6zm9H16tiEs6RVqcaZRN+pavTrp2/R4fRgvgDzQW6Ub
			9Z5AJfcI5M72SgFcpdu0Lo21paG5EaB3q4oTkOvquATrhCsD4N0x
			D8RtHMiNcvhYRon7CUkg2YBGD1A0MzM2WNBINu+Q9ABAMgEQPdDM
			7x4aPOiAZj7sIYdOenQBLO0/AhY+dNDbTzYEupkDMmvIQ8MOR/PW
			i88LL/58sgju715eCofvWI0/6ovgcdymq9VAxr4AIEBS5cW+IAMP
			1RxbAjA8v30pG558fDl87bB+A3OlXQDX64YtoOcaw/T4HvV8m9YX
			rdG6CPJgX5UuXHtCX3dVBLm7ozKC3N6q7wP1u/ROLKDrdkeQq6tK
			4jO5qkr3oXIA5vtFchkmj+SYpuL7SUZJeJ5kkGwuIfQkiQad3iCQ
			MNOuuuqqqATwnFwnFRl4LYcxjnRo1gcNe648em8YwGUML3zWawDp
			kUU/YDLHb2wwRp4xm/C8884NTz3aXwT35Gu58O0H1uKHAS4vBtjP
			WldkBLIAXFLJVHgCavKcBuykRRnGbBQ2AHLq39QF7NknVyLIK9km
			VXKrjunGMDu5R9WsT5cT+qI1ru/So7VhuB+Aa3TRAuDK0N1RoaO6
			MrS3loeGuhJdtvSqpEqu3VOqY7okNNRX6FlcqtOKOxGvf1yGdxc3
			OblTMTwPwCecMHY7iSOhNOgeGyxoCAMwgAEEyQRkeA0gvefwwYMO
			munYMyj0PiXQCbDoQNb82IBmf6EDJnT8prGGPP6df/75YW+2Yh1E
			Jf4Hj63FH47bv2f/abS4ntycDdKmIxrwYgPAJQGo9pqOeECPVVyo
			5MI8qXTR9F7986eX4s+U969y4dIHjykAbhbQtWFqrFZftwTwQKWe
			xTX6ylWlKhbAneWxkjv1CbWpoSS0tejbf32pqlgfa2oAWN8EqnkV
			5CjmUcWFa5dyleBAbpTP32QU6G9JCrudpNAzh8HJ9xxwDOT27dtj
			sl2JVBB88GzuoaHXa17HniuPHjAB2eDig23Sw2O/2BzoAUzo6Kfh
			M/IXX3xxuOXGS9YrSuD8/OmV+PvIyDhOjs5iFRtEg8S8UJlUbaxQ
			wH3jcDj1myPh1Ikj4eTrdwjkAtBp+QK/df/y2aXwjXsm4+16YaY2
			Xrzmp+oiyNOq5NHBqjA2BMAVYaCnQuACMMd0uaq3NFZyU0NpPK5r
			95To0qVPtQK4qnKnLl0l8XbNcX3TTQJYeSE3YJvR4PckhWQDGj1z
			gHTymW+mXXnllcXKSicXxcjSI0MPKOg1zXTsIWuAqCpAphlYZFlH
			lgq1X94cgImOHTt2RBs+Fc4888zw0yeHi+C9/vxS/IMwbpvYd5zs
			+Jf/eabIt/GyRVUmz9Xk6KWqlwTuPeGd3383/OHNx8O/qX/ntw+E
			U28AtKvf/bo8QP/quby+fukvE3VcL2d1s54GYH30mKgVuJVq1WFI
			AA/1VaqKy9UqdFSXhdamktDRWqaLVqmqWVVcu1MA61OsKrm6CoBv
			ibdrjuvrrr0mxkeMyt3vMwxIIAnatm1b7A2sk8/cNPfcTEk6QJAs
			EssaAKDTeunhQ79p5sMectihB0xApjG2rIG1PwYUPWwGZNFvkLdu
			3Rrqqq8ogkZy77tnNX4UQTfy3iDozs5ufDdOjlw/X/1sTXqO5ncM
			8Fs/Cn88+VxsEWgqWtUcN4VsJoAX5JirHXs2r+OaX6DXL+fN1kWQ
			56Zq9epUpVYdRnRUD/VTxeX6qVOlqrgitDWXqJLLYiW3NO7SM3mn
			xnzdKlEV67WwMgF4585bigVDbsh7hoETRsJpBA2dJDCmpZPLnI/1
			BsCJhScNomWgUa3otC5onALYgI8ehwCW5kqFz3oBEnl6/ITuDcYc
			fWy8T33qU+GZJwaLAB87uhJ/+9KbzxsCeRrzoz9MP4sBh+pLjmhf
			nIrH9etrqtpvCtij4U//9lL4P398I/zx1LFY0adO3CO7Ccjxdp2q
			6ngpk86f/TgX7rt7XJcuqlgfPab1HB6tim1suEogC+DeMh3XSSV3
			tJaokssFdGkEubEegHcLaF26anaG8t3JGwx5S2NGvjPphJEgGkFD
			BzgnwTSSwRiAUQAoJBcAWUPOMgYPPuuFx3zosBy2ABN9NAOLLHrc
			I8scfYwJCh3M0XfRRReFKy8/rwhurN4ja/G2bRv0+GxfkG+ouzm8
			+S+F52y8CfuZmzpuoRcA40j+w5vfD39851j49z+9pfZmrOR3fvdd
			PaN1XLM5Cq9e68e75ZPb9Z236y8jFhr0blwbZsardeGq1jFdoeex
			jun+8ljJ/T1lobOtRO/GZXoOl0aQmxu5dJXF2/XuXcn9hjyQN2Ij
			LjAgZxkGEJ0gkkQCaQRuASfDa5dddlkEEyDeC2BkDTaVhQ7LQ//y
			l78cZeHDFrporl74cdJ64LFf6GMML3Tm+HTOOeeExenSIsCvHMvH
			P1BDF36yAeFnjF6a/V/NrV+4XH0JUOsgx3m8eOV1VB9JQNYxTSX/
			SWD/4a2nYnWfVJXHzRCB3igPnVeoJ/4xF3+enJvTs3iiKt6uJ0cq
			9QlTN+qB8nhcD/aWh672kvhMppLbW0riM7mlSZ+Xb0pON2JzUThH
			5AZ6xskFWBJOkhw4oCNgnnTPcw4lAEByaVZuecvCh27Lmw9byJFg
			bAE6ANBwDjka6/T2hx596IHX80suuSR89KMfDT/43voPE558fG/8
			rUN4sIUNj5FHN3RotO99a13WR2oCKhcsWvIsTfp8OKVbNM/fP7z9
			I7WnIuDJpetwcZOlK9nVjO43fp0L3/nGnL5X6xPmVLUArglTo1y2
			ylXF5fHiNdhXpuot0ftxWehuL9VlS69Itbqj3JBcFMkLeQUH58L5
			p88QJIEZXJLuHe3kOxHuWSeZKEApsmwQ6FZuvfTQ0JuWh3bppZdG
			OSccUF3xdtzAujcv+hjDj5/MOZ5PO+20cOKFuWJyv3HfvvgZj3Wf
			Tt7MyNOYo4N29dXbdfseK8ont+gCqKrG9QrmOZ3MT/6rnsmqZoDl
			2RxfoQT8OpjJbTqeClS05dQfP5rX81h/SD5fG0GeGa/UUa0qFsjj
			Oq6H+8tCX1dJGNQzubtDHzmqeCQmcTvX5B0cnAvmNPKdYeAEkXAa
			QUMHOI/TPWPeMzEAKCTPvCg1kOi1IfQyRpYGD5sEOfjoAdGVi274
			6Vl3zxhA7CcyyHKi8NOiL57/qSI4gHH7bWvxOc06fOihx2d02TY0
			A19yyzXhxZ9NF8GMgKSev67kWJkGi/fj1/cn78X0Aj354sWznGdv
			4dLmcZRLToUfPJbXN+u2kJvjlalSnzIrdeGq0K26Qsd0WejvLtGr
			k35KV5KcVvhM3M41+SRvNGJwjslfhgkCJIyE05hDTwMHzQ0lX/rS
			lyIAGEKWZjkDaWPMSTA6ocEHjU1iG/QkH330OA8/PcmHPw2C7cGL
			LLo+97nPhau2r1+wfvdyVv+MwkoMnOqGDz30NHyhee4e/6qrbg4v
			/SIBOVYt1QsoasntOgFn/bNlAUgAjFW6cQ4tobtP+JB/+Zf6CZR+
			D3slW68qrgxzk1RxuY7rCh3TVK4+197wlRg/vuEzcRMLDZrzRo6Y
			u2VghmhwSZQTCShOhGn0tAsvvDACgGJkSTh0bxgnjh6aNw76zIct
			y9HjrB23Hnpk3BsE+4kMfrLhPvvZz4brrzk/JpJknnhxKf6TTOhk
			HRvogZ+xfWFuGj3+UQ07b7kqvPBc8kOK5LjNxUpMgxxBi1WZXKR8
			/CZVnhzNsXo5AeImcSX74sWGWQw/fJQLl/7sZVbPYgE8LYA5rrva
			duo3UJLiwF/n1cASD/66mokLHhr0DP9BEABIGjsdGgzQnIR0z5if
			r8KDYuRo5rFyz9lNrNsWdHjYJN4c9DiL43YeHmRJOmMDQW97XkfX
			2Wefrc+TFxYB5nen+Eda8NG27IvtkhDG1s0YP9m40G64bpueyYV3
			5HjJElCpSk7AS6oyoRfWBZpBLlZ5rOJknY3gox++53+a0+9hj4T8
			fI1em3SjnuTHhDfIl+Ru4fjxzRsVGo18Om/4DI9znYEZIsCyywGO
			OULQCJgxNPMy/uIXvxiVAAp8NMtZuZPIHN3ocTIZY8tyAIazAEBv
			HfTeHMi6oQ978LKOrs985jPh8kvPKQL8ll5F+OeQAJh168EmY+vy
			HJr9SW/cKy7fGh79Tk/Um1RyqvoKoBfpVLOATOaATIXSEsBjFacr
			uSB/4tfZ8PC3Z/UrP3UCtzzcfGNyMuEjvpMHxt6QBhY6eXDeiCGN
			U4ZFBA0uwFmRA7dSeM3PT2oACcVUB7zIQbMBjMHPHB7GTiw0bGEX
			OejWZ3DhgYZuenjskysSXmjo4oj+9FlnFAEmmQcPrMQbpjcTerBp
			Pej0HJr9YePaHjTGB/c2rOsWMPHyZLAKQMVqLdDieqQXnrt/BuQn
			/lH/MuDsnrB922XFEwe7xEYuGDv/AOz8QHdREIN5yGuGRRoJIwkG
			GCZoVkqPAA0l3FjhQTFyaV4bcLKYw0NvGs6xSSwHHRqA0cNLY+w1
			fGCMfQPGOjrQ9fnPfz584AMfCK8/P1sE4pv3r8QfKcJDsy+MDShj
			9NIYYweA0zTG2Gqsuza8XLh8vatKI+jrFcvx7Wr2szk5rhN6sgHM
			nw2P/MOSbvzXF+NzvMSG3/ibLgbGzg8b15vXOCGfcZAGF+CsCLAd
			MAFCN/95550XjQEIfMjDg3KcsXNpXZtp6LAcvQGlt5OM8cE9Yxo2
			bY+5Ad6yZUt48L6WIsA/+n4+/q0SvPCh13Exh45tWlovG5c5dMeH
			D/i8fdul4Vv3dBRtRKDTz2UqmGotHNfx2Sxa8txNKh8Zg56MF8Ph
			Q/l42uATNp1rMMFv/HEO0zmCH6CdI8tBz/AfB+YkQYOJOQEyhge6
			+akWjLFr4HPSoNkJZNO60GMaPCTLctCh4SQ9vDTGXqN3w6YDhkYS
			8OnjH/94GO67rpj8159P/tFT9MKHTsfF3LEbROtl47IO3fHhCzag
			Maaaf/Hj9Y8isVojuAK48OyNz1wqmQ2QArkIPvyFtXw+G08O29yc
			a/uPzwDu/DA34OZBlnGGRQYEQcLPPffcOIfBADDGKLw0xrxzQmfn
			wEeC0QMNw+ajt67NNGxZDp3I2XFkrMtr9E522jdoJB593KTP+/wn
			C5ecJKn3H1mKP3WyTmyii4bPzNFBsz/EZXuOD//s83pMF4SJ4V3h
			1z+bKm6qCGoEs3DJKoLr6qWakwp3Ff/quaX4myZsHHzAJvnCP2xi
			G3+wC415Oj/I0eCxHOMM/6GhkAZwzBEmaQSNQnrzMuZCgyIAwQFk
			oUOzAcswR1daDzRsObn0dpjeOhizxhx9jGn2zXR8QB836S1bPhyO
			/WS9sp75YS7+BQRJgd8goQed+G69jImTijANW9DxBRuM0QPdOrZu
			vVifFUvC099f/zGlgd7c+0OJn9GsH7krG38Txf7gI2MaNrGHLefQ
			OXL8Bhx+eIiBccYO4jSKaNBgcDCMWbdBxvzUBkXsGvPZARuwjHWl
			9cDDJjEPPc7iuOXpaazRo9/Jdu91/EnA3RLWlso3VNP3HszyG4ZR
			B/xpf9GJfjfrJS5ozOGnRxY7jInFGxsdTjQx7bz5yrCyWCWwh/Qj
			yPVf1TXQv3lx/Vs5tB8/sRT/xgqQ0G2b6KWh03Fi1/YYm459Gj5D
			Byv4IsAQXQEEwAJMKHYw8ECnQYMPHpyCz8F6B9HDBz9jkrSZhg7k
			rBNncRK9dhIaPMztJ3qh0aOT8ac//elw+umnh9aGKzeA+4uf5OI/
			d8DGgR89jot5Widzg7852djAlzTA1oMO9BKH84cudGzdelG48frL
			QlX5tlCx+/LQVHeF/sAteXQA7gs/zepfChqMjzrksY8tdKOXxsZF
			PzqJFxq+MDad3mPzwJdBiGalKGNuZzHImHUbZAwfikicgbKcDVjG
			jqf1MEYHPMhhx04izzqNMTz05mPuRMBDMs4444yw48rPbaiYf9E3
			Xv7pQG7E9pEYPE7btk7rZaNBQzcNOj7gM2Psmhe/8B3drNOz5tOI
			8Sc+8YlwztkfCy/9fP1Z/Yb+9nhR/5Yln0XRYXvw4yM0mnPNOnah
			OUfOD/Y9Ng96MghZMUq5pDC3szDZYRuEFi8zCoRE4ICTAG/aQFpX
			Wg886EAOHnRCw0n43KDBwxw+fITXPTSS95mzz9D76XryfvOi/j8V
			libjj9CcJMdikJindaXHxMUc2/BjL+0z/qT1sIYvzh9yVBn0s846
			K/z9339Af/SWfA2jcrlcHb59Lv6gHj77YlvoMY3TCT3MnQfmxEWP
			LfrNPPBnWHQQKOX3mVhAGMUExtgJZY0xfNDZOfDhGHoIEjp81r05
			8LR+y6HToCJPQw6afUAfPjJ3jx+nn36afgdroHg0k7yvHpqLPyZ0
			AvDR/nmMHutMJxY6cdHT4McevmAPXsdkHawRF7z08LBZ0f+hD30o
			7M9vvBc8/O1s/DMd/CNW68EOsvTI0rBpHnpozo/p2PcavsGDzgz/
			oaEQ59htzHESxdARgIaQnYePMUHA5wRBSxuwXDpw9MCDDsvBBw0n
			0eEGDR7m8KCHOTaR/+AHPxi+flfqE6Kq4x++lVyqnGDk4KdHj2Mk
			trRO5wD9JJ41aMg6Dx4Tg32BzzGj22vQeHTU11xW3HxU79Ens/Hf
			FvHjzbFhF5007KCXhs7NebA90+mtB/uWzaCU5kA++clPxjlMKIaO
			oPkQhAYfPCTCfPBAsyH4oCGDw6xBYw4POpwk6Dhpx+G1LtYYows9
			zJGlMuYmbt6QvCcfW4z/lAHJs8/w46N98Rg6NHxg7MQyZqN5DX7W
			0j47JutwzM4ffvK72Tu2nRt+99L6Tfrlf87q35Xsi/cCZJB3Xhgj
			h610TtEDL/44D8zT+fHcPOiiZTxAMc6hDBoBMMYQYyfBQbMGnaPB
			QCFnA+YzzXqwwxqyyDG3D9AciHlsmx4+ZGj8ak7Fros3gHvs2axu
			zO3xRooe68V3/HUMjtFzA4gvjOnZaKwzxx49CUWWdfyzHHYMEvcB
			1rnRX3LR2eFff7X+XZw/SMtlxyO4Plqx4RiRQyct7SM60W9e7CGD
			D9CRY2499PBAz/CfdCAoY44wY4wxNh+C0FhjTCLMBw80+OnRQ7OM
			9ZiHINAFD7I4hsOWp6elfcBWTN6Xztrwb2y8ekz/Lyb6R7f58JJO
			nn0wMNhGB3T0YtcAMveYDeI1ZKHjn2NFT9p/x8Yv/eHfdVd/Ibx6
			bP0vJng1Onz7dPzlOGQdZzo228eWfcRPPr9uzgNz59E67IN7/M+w
			yABnUfqxj30szq0YOorMZ16MwkMiGDsxrMNPv1kGfvhYS+s3L46l
			nYOOLnyw7Ec+8pFw5se3hOefGy9WL7+ak8+NxcqAP72D0UEzMIzx
			l94A0eMXPXz06DANfuj4Rn5YR968jhO+LVtOC5PDNxV/kMAzl3bk
			zul46QNY5NHlmJxf22MdXdaLTXhYNy+yNObw0zNHxj3jDEIMcBal
			KINGAIyhIwAtzcsadBJhGcvZgPmtH504w5yxE8echhyBe24+fGCM
			nb/7u/fr12LXXzdI3l13zMR3SXRiM5085jRseWx/8QUa+t07D/ji
			dctBQ9b86KTBd+aZnwh7Ki8Pv0x9IsU3Kvfeu6fi728bXGQABH/R
			5Xyhx/btI7Y5FeBhbN50jwy6aPC4R9//BQAA///EkzEPAAAac0lE
			QVTdnHe01dWVx6+9967YABUQLKggKrZlQRR1iYKKzjIKNiwgYkE0
			CKIjRUHKA8agZjlx1tLM0sQyOrbEEevSieBoIhF7jSUmxvnvzO9z
			9HPZ93jve2jmj1mTtU72Pt/93d+9zz73vXcb1g444IDUv3//tN9+
			+6V+/fqlvn37JrADDzww++D4WHAW/r777pvxQw89NPP233//HEML
			PlY+PtrqsD/ooIMyRp5csIMPPjjvwVjkkEvNHj16pHvuHJ3+9smC
			+vrNo23pvPPOy3r2SE/oWB+LhnvPKB9LH1jO1adPn4rfN90w8czU
			dsuYdPnYc9Lxxx+fBgwYkPtB+5BDDqlW/3TBeSemO382Jn2wdHa9
			J/v70zvz0x0Lp6WTTz4551GfGiw0OBt1OTcxe6BX+oj9wiFODjjW
			OaLHPsbUq5HERlEOD0bytwftl33i4Cy5cDioOWqBW0CMHHCaIYZP
			nrplk3Bc9LHbbrtVAz+tYYiLX5iXxo4dmw477LCsxVCoxzA4LL7L
			GJroYa1NjPrYvffeO+2yyy7p13df1lDrqw/mp4/+2JbefHV2Wvbq
			rPTJsrb09cfzGzheLPbFp2enaydcmR8Y1LK+dbyMOBdjcONM6Rc+
			cebGmZwxVg3qEMPCZdUI4iDI2mefffIeEsIUUwQeAjYAh0ciPHRY
			FsBaxBz4kUM9tORRhwU/5vfq1SsNP2NAw0Dfem1emjDhmnTUUUfl
			fHtFiwtWR21q6XNGewKLZ+/WrVuafsMZLS8uXmLpf/3xgrTkxTlp
			5k3XpMGDB6cjjzwy9+K8qMX5qWd/xJwLMbmcJ/YLP3KdEbng7smJ
			eg0XjCiH9xLwwRQBdyDgiDJMcyhEHBwLP+aARQ4aDh4edVjw5Pbu
			3TsdeXjf9Nk7c+tD//TtBemm6ZPToEGD6r3RA1roMIx4SDBqYVn8
			lKIv33P27NkznTt8YL0OF8hPbnmRcf/Xj+anN5fMTQ/dNzWNHTMy
			DRw4MD/oYx/UoT5nZ+F7TmLMCz4xufTkrOgXvlxxzkAuuDNDx9nB
			qxHEQZC111571YXxwUiIDYJR1EPAszG0bBbfPCy4ezTRcG/z8bBc
			7t579UpLfzetPuS/fLgg3XbrtPwT4kHIjVoMAx3qu+jZs3pGa7Pn
			T8DAAf3S5+GB9Mmy+WnKjRPT4BOOSeedc2K6bsLZafqNI9OMaRen
			GydfmEZffEY67rhB+U8Ef/d5YKlJPS8RjP6ckTN1HpyDGIsYSz4c
			5uAdaMFZ5d75U5NVQ0xhDsqyyTzg7y4SHjhcisOjAIfABzcP3L05
			5INjbQId68OnWRtGs3v3bum3D19Tv1x+cu775S3p9NNPzxeoFhY+
			lnpcLjpouqhFjMW5wOGzuNx99u6V3lw8vV7rqw8WpFsXTM1/Q8lB
			H00Hrz4xz4OmcSwcz0w+XGuCk8feeRkjFz569qsOFswcrDXRM2at
			GkGEEeTge+65ZyYhjg9OIjySWDaAzwXDQ0MtG4uYB1QHDvXE0aJZ
			aoHtvPPO6Y4FI+sD53KffmJuGjFiRK6JjlpYtaipDprssWjq06/1
			8XfeuWt65rEJDbXu++WsNGzYsKyFNgtd+NYF00cPfTDqyfc8cumD
			BZ+lTy5aLDD5aO2xxx6ZS4wcLTE18FmeUa0aYjZG84gRhMyeQoqA
			ywWHw6PUHLUsBF8MC+4eHw331kS/e/fuadzYExsG/trL89KYMWPy
			r0FyXPDx6RWLjheM73JgcOiXPGzXrl3TPy+8sKHWk4/MSueee27+
			TYCuiznEOvjOgfNQCwxtLJfr7MyjPjngzsBcYsbh2zt9qqMlhzpR
			Qx2sOjWHjCBCLIKIu1dEHK4NMMzdd9+9LiiHfItoachBO2B0iJvH
			E52hJx6cePLik5n3/jA/TZr00/y3jp7QiD3gi6PDEByE2nDIY/Er
			mf1OO+2UJowbWq9DvSUvtqWLLroo8TdV3TiHWAcfDmflPNQCc3bM
			DVyd2Dc4PGLmxrh14DBfdbDwzBeHx6IHOfBqFMBBECEOzx4yfmw4
			csEdpjk25VDVZU8ummrgU88cLDoH9u+dPlx6S33on7+7IM2ccX06
			+uij6z2hAR+rNlpqx8GKyWfPg4g3TU4Z0vhAeuf389L48VfmZ8E8
			QMhB18XgnAk64vTg2ewDSx8ljiYLnDx99FjG1YFDTfiRC25dcPfe
			HRh6NR0EEeI1JxhE9lGcBHC4LHwGQY7NYSlGLGI2oTYcNNizGHqv
			nt3Skuf/sX65/BT//LZp6YQTTsjDgkc/WHOpE3Fq+ui2vj2bxxsZ
			Bx/Yu3qzYvm7T396e36aPnViOuKII7KeA3UGzsH6aOM7B88LZsxL
			hGMePssZmW9vxp0pWvjOCwvXeuLu4cfz1hC0IYRYCrhXBC4xmvUg
			DJPLsUFz0WSpj7WwTaBBDfJ33HHH9G/3XlG/XH5dPvSrb58xUwNd
			Fly0XLF3a9GvgxCzZ35ye3TfKb3+0pR6rb9+xEuvKenYY4/NPdIT
			l2N/cQ741sZ3DvRBf2BaeuDM6pBnH16I+Woatw66nFkdZ2i+uPWp
			7UzQrCGIgyBCLDCIu+66a96T4GHkehAGAQ++WvgsuDaMtTAxfGox
			8M6dO6fZ08+qD5zLfe6pOfmJDk9UrIWe/aEnjhWHEwdrT9bacccd
			0qO/HtdQ61f/OiO/X0yeWgxOn1zOCGYddPFZnkfMPjmjszMPTZYz
			wodDDr7nop6946uDBXe+4uSDEZODX1OUBhAqhdmTCC9y4TtMLik2
			iI84Kx5MHXA4Xu4F5x7dMPA3XmlLl146Jr8cIkcN8ujHXrDo2Lv9
			+eiGL8Yz8x122CHNu2VEQ61FT8xOZ511Vv4TgI5aDEnfuYDF+uL0
			wKIWmH3Ct3/zrGEOe+dCPsu69s6c1JFLPnXE8UuM/JqFsQixKECC
			exKJg5OEbx6HYHjicthHTE3jWF6iHD2gb/ryvbb60D96c36aeO34
			/CEGddXAkmN/sQd8cXgc2kEQI4/fEqMvPLZeh98Sr/9nWxo1alR+
			OUMeGmqRrw/OGenHOvbCnlmxxLQOXB2tOdY0lzi5WOrhw7E2uFws
			MSy4Pjli+DUbxiLEMsG9FwxOElwWogyCN+jxjeO7hweupj5PdHrv
			0S298/rN9aF/+f78NGfWDflNempSy3pqU0sNe8DaNzFy7RmcB9Kx
			x/Sr3leeV6/1wdL56Zqrr8yf0qgHVy2GpO8cwOTEGGd1qMTpGQsW
			dcoc8uCVs4IXz+l8weVq1Xc+WGJw8WsUwEHEZdA9CfDAWeDsOQiD
			5LI8lLlo4sc8OfC7dt0xvfDbifWB80nMXXdOz8+YvRw0WFGDXHXt
			wT7BWQ6WOK9199l71/T+H2bWa33xHi+9rsuvq+PZ1MGKi1EXjD26
			LGOci2VfWGLicrXEOBdxeWWu5wTHh0u+dZyvGvAiBhesRgE2iLgM
			8nYhGInyiOGzwBkmvMhB2BXz4MDddtttqw/uR9UHzq/LRx6YmU47
			7bT8BMn6WOvpky+GNnWw9CmHQ1OLy+3cefv08tOT67V4IN2x8Mbq
			Q4Lj6kMjVw18aqCB74qYdYxRiwUOprUPtbVw4NM7vmcgTq4861Ab
			Prh1ojVPvrrsaxSAgIjLBPcmgLPIYSHAo5pB4qtloYgZ22677dL1
			E06tD5zLfWnRnHT22WfnJzoeltxYT59a1rcHLL3CIc9hbLPNNune
			f7mkodaD992cTjrppPxM0xysGvjUQENfK2Yv4Cx6tm/2xNEQV1tr
			Dr3qk0Ncq07UkgvP+WDNE6OuWI0kNjTkUtw9CWCRK4dDw7NZtFw2
			BxcOr3X/4dRDGwa+7NW26j3m0fkNE7RiwzZpXfb8PWXvsgb6xMHB
			tt9++zR1cuM3QF74j2+fMfNbhzrkwDcXy6KGZ8YXjznmEQdn2RO2
			xNEwjk+P9o415hng4Htma8vFEhOXi1UXv2ZhGnJRjKB7EyJXn0F0
			6dIl88HEbVgNXqIcctCe6bO359Qv+NO35qfJ143PL4eoQbNY66sR
			NallHSx9YqkjTq0RPzmiXoffEksXz00XX3xRfgMDDeqYg6WWvWLp
			Je7LHGqBseih7EO+s0PLPvE9m/n2Di4vcuxXPeoRdy9XzBo1C9ss
			lgIQxRCDF7kKMAibNG6+Gvzk9ujepeGDe74p0TZ7cn6iw4OEHAcV
			dTwslmV/cKxrn2D85B5+6F7pi3eXfwPk4+ql17UTxuVPh+iJl0ye
			Keqjoy6DUxdrjhx54ujG/uDF85iHZcF3PuaiqQa6+O7tFwtGDnz2
			6Ilh5eLXLIigC4xk9zYScUUZBBdYchwAA+/UaZvqg/vxDT9Rd981
			LX/lhny4LDRsXEwda1MLn+UQsODU6rlrl7RsyfIP7v9cvfSafct1
			+dMhh2G/5KGPVU8t+sB3lTnwwVgMkqUWVj541FYPDjHz4bDUgOde
			LTD1oo1cdcHwawYRcZUYYmDlogEGwa/EyAGHi94WW2yRfjb3nIbL
			feLhmfnDdP7mwoHPQkMdsVgTjFoR4xBgPHnr1Gnr6oP7nzbU+sXP
			p+RPongg2ZP9UlsMbc8f4/jgEYNLHhiLHlhqGeMsJW4Nz2c+OazY
			hxxy0MKqpxU3lxwx/BpJBLEUw4rFA4hrbYgL5icnNqZep06d0tDB
			BzQM/JXnZ+dvZfBaFy1qqEXT6ohZDwtGrRLjcjfffPP0i4UXNNT6
			9wdnpCFDhuRnxDGn7Fdtz0+cXjw/NmKeD4wYPdt31GiGq+n50FAv
			9gFPHN9+rBOtNcHIgatWzSCFXA7DPYnwyqUYvMghH2yzzTZLz//m
			2vrQ360+b73ssjH1JzrowbNeecHi9qiufZCLv+WWW6arr2j8Bsjv
			npuTzjzzzPx6ljw1yOEBQb/W1sLBZxl3X+bIFWcWYK6I27daWM8G
			z/7I1Y8cfPtxzl6+ddXDgplfw0GYQi4xLJgJEfcgFOSNC4SJu8B2
			69Wlfrk8k134T1Pz30IfYXLVsmlwsZJDP2L4vNYdOrh/w3eml/3X
			3Oql16j8WrfUIZffLPSrFhYelkXv9OI+YuTDxcIjhpZ12KsF7lzA
			ycHKgYeGesTNlWOO/agHj1Xuxcyv4SBCIRsWw4Ihgh9xclgUZmA2
			psZWW22Vhpywf/2CP3lrXrrqqqvyTxR58qMmdcCJu6wrT33s1ltv
			nfbt06P64H5Wvc6n1Qf3k669Mn8vCz14aEWd2K84nKhtLhir2YMC
			TH37VcManlMcaw614cX+9OWwx0dHS566WjC4LvO54K/YUMiGteKK
			s48LUQZhkzHGr81Th/SvD/6jP85L48aNy68vbUY+exZ1aBBcTI6Y
			fXK5XTpvW31wf2O9Bt+Zbps9Kf+W4ImGuWjpY/mpt444HM9tnD2+
			Oc5BPeNoiamnhnWiNj58FryYqy8HPXx0tGDqasHUFKvsV7Uq8CWJ
			FGLhsxS2UfFoLWSTMcZPcL++3evD51f0jJsm53esbEA+OmrRJLiY
			HDEulrXZZpumx+6/skH/7rum5mfMPPFTx7yoQ36My/H8ngcrFnPo
			jRx7QUvMOvLF1VHT88GTYx9YeOL41IiYsXgONcUq+2WtEvucRJvF
			j8tGI4bvQbgsm4wcsI033rj6Mvnyf5Ww+IU5afjw4fnXNM3IV4vG
			bFwrR8tvhk022STNmzm84XKffPjm/IyZ17pRhzz11eDBB8eYlp7x
			PQ9WrFkOGPFSHw1i8QzqqGkOPHxy7MMe5JCDlrXkEQePueaAVWf8
			olYlva2gDdsE1kYjpk8eBUqOeptuumm6fHTjh+yvPD+r+ueeI/Kn
			UAwZLfgsm4uYteyNy734/MZ/P7TkxW/fY+ZdNXtyIGpFHR4k1BKT
			Yw0scWyJycUah+sZ1FTDWNTBl08v+ObFuiUOh3gzC6amnGr/dq0q
			sJggRSmGjc04jBiXZyE54nLZb7zxRunJh65q+Gl75/W56erxl+SX
			S15ybLCsz543THjZNeDw3ukvHy7/4P7d37elS0ZfmH8rOJA4VHJd
			9MNCyzMbi3s4aMiHg4++fDG0rBtj1lCXfHOw4Cx55qIV65oDF1w9
			e9GqiRWr7GIueJGCFNPXegD32tiQTZYx9lxKp05bpscfaPyi22fv
			zEuzZlydv1HBEzW4No+vPj766PTq2bnhg/vP352frp88Lj9QPJQH
			dSBqYV28KRLjJcfzYFnExSLXuL1irSHfWMSjBr2wt44a7PWJ02/E
			jMVzWCvEnqlVSQ+TyKKYvtZhuNfaMAXgIFrG4BDjcnhSdOucxrcs
			+d7zPXfdkP+NLy+30FLHQ5u/9dabVx/cX1f/TcAH9wvaJuV/vsrl
			UtuePGjsRx9LP9aJuL7nwbLAxfBjb+DWNT/y5RpTU9x84/bVDI+Y
			+fLJt48Qe4QLXmhRDq6vjcMAQ0iLTwE4iJoD7gIjzuJv8iUXDmr4
			Fcuz66cevTkNHTokf/QVGzZngw02qD64b/xPN9x795T8wOClC7zY
			kwct+3FPH55DLFr0PI/aETMXjBXPqo78VjE16MUcrHjp04+1Yqzk
			x3pVzsJaRZ5oo60sSWWMImAUdmBYllw47uXwzPqYo/o0/PMULvm1
			l2alC0aend835icZDZ5QbbjhhtUH98PqP7lwFz0xI38rg8uNvVGP
			5aHRsL49qVv2FuP2GnPF4JGLBWNZt9SIuFraqBHzxGMdfWu5j1Y/
			1qzmMIkLHkaiC6K+liR8Bi6GVRRfjjixqBW5XPLuu3VJrzx7fcPF
			ffBGW5o+5fL8LhSX16XL9mnWtJ80cF5/mWfMZ+Y31NW0L2t6SHsV
			d099MPf27B49NNQFxzdHCyZe1gBHo8StETX0iTlHdeWLq2eOODwx
			bRUbVqsCvW20lTWBOEJaRdnDMR/cJSYHnAFvtNFGqdM2W6T777m0
			4QL5Cf1w6dz0xisz05/fX/5s+Vu8+kL8mAvz12msh0UPfWtqwYjF
			fcTM0xpjrz6YuBh6YlFf3FisCy8udZlDzLOGca0cNd3LR7sJt3et
			+o+orFqRv7Y4JH2tYu6xilGAPRzjxqIWvjriHI6/r9Ovb/zuFJdZ
			rg+XtqWrxo3KX/KzZqu61LFW7NX+qGsPYuU+ngeOFxH1wNQiP2rI
			L/GynvnisW7UE1fPWLNzfsf5mrut8b8KeNxDaG3eBuLeZrAUKDkx
			bh6YTRknxt9Y1qCBfdKLTy1/luwFf/nevPTYQzemU04+MX+5wHrq
			ohl960QcTI41S6zcx3xzxOCy6JuY+2Y1msXMUTfmWSNyoo9es72Y
			9Sqdx/Pl8n9V8DIHDdHGxUjS18JTFCxyjKlFXK4NyuEnWB6Xt2/f
			nmnkOYPS+CuGpfOr//DJfvv1yR9o8GQu1lDTXPWijb3qY6mplvkx
			jm9cPPYZc8QjFmvYjzpacfPBwWJdNSMeMXyX+e4re0X9gqtfeTtB
			oJg2+iSJY+MiZpNY8+RELDYf4830eSSzyLEGOerFOvrqYPWNxdz1
			11+/fh71YtwcY1o17R0duWLutRFXJ8bKXqghz56w4hFTuxnGndYv
			GKciPW3D2OgrIGYD7ImJY/UjR0wdY1hj2I7i8s1hH+tHXf3IxWet
			t956eYju5cS9uiWmLhYdc8XdayMetcDZqxH58uRg7Uc9rTOL+VVs
			UcPlsqkIw2Ixi8RhNItTSA625MR9bFL9aNGKe3zzo9Unbv2YF3Ui
			V45Yaa0HHnXZi6kRuSVmrD1c/bKHjvCoie9Z1fkuPux7F8wzroq0
			DOK6666bl75FwcHiQhAcK19fnnnqiK+INTdyI1bWKveRiwZ7Fjxj
			0Rq3XoyJaUuu+tFGbonHfOvYF3t98qKvZjNb8ZbVnz2Xt1wFT0d4
			nXXWyUvfxtiXixh8ufryolYznZJvntZ4tPpyoi1rRK5+tPjt7dGW
			00zbXHtwr424Osawa6+9dn12JdfaEddvZas7PK281/o+pbRSVfRZ
			irLKBsTAy2UzJR73NhWx9g4Yea38WFdfW+bYv5Z4Mz9ipUbcw2vF
			BS/7kKst67Mvc6xX4u613+U+wx3WL7SZUyX0qBr4hiZcNrLWWmtl
			TGscC6cZHjGbjXnmlph780tr3N6ijpg5crFgLDkxFv2O4lEr5kV8
			RTViPjn2qFaM66utrfBvqrvr3uxOv4dV5JEWwSIa99E3po2x0l8R
			TpnT0b6ZZjMs6qy55potzyOvIw147em0F7MGnLjEm9lW/YhXduT3
			LrI9oCp8m8U9jPtojWljrPRbcVrhZX6z/Y/N7SjPuLZZ7TXWWKPh
			giKnvVh7vFb1WuFoVZd7e3t32TRW/buh1SvR+2Oj+lh9CuiLa40Z
			j03KiVY+Vr9ZvBVmTqt881ZfffXcs/tmVq0y1gxvVU+uNmq1wprh
			MQ8fjjzuiLtqeokdgdXnsmtXgg8gylDiEtPGWCtfrrbkiWP1S07c
			R46+NvJKf7XVVms4Sxlnr462xCLeLL8jrFl+M6w9nYr/AHfU0T22
			G6/+42CrVUVuYyjtLRoxHptqhsmNNvrmaFvFwGPMvdb8Zta8ZjEw
			49pWPLnNapqrjRrNMLXkycGWfrW/jbtp9/J+SLB6tIxcddVVv6F4
			ZfNlNrPtYTbeTCPG9NFqpVfGSp415JW2jLfaRxw/LjXF3GvN1Ypj
			W2ER18cG/5vqLs7/IXe3wtzqUdOjau6ZVVZZJQ++mW0PiwcseTGm
			D6fkiWnhyjFPKyfayC9xY+pFq692yY17dcW04mrFvVjk6mO/W89y
			Byt8YT+GyAvpqsgpVUPLVl555TzcaPVtnn2JGevIxlw1xNyjEf2O
			NEt+zNVvZsWifisM3FgrG/uIfPEibxkznzBhwso/5s5+VA7vd1bN
			DKvWIhtcaaWV8sHY62vlaMW14itiyVmRPHnaUluNGBeDqx/jrTQi
			HvlqlHryY1xMy2yZccv3ln/Uzf24pK5VU2OrZh+r0v/mAbUVllju
			f4htlvf36FFbTXW0xox31GczXjNM3WhbaDM7Zji2Wl2r9X/yf3wP
			aM9q8ZHVxGrdXq0Hq/VctZZU661qff7d+u/K5oH/P7ac0fO+VfnM
			gFkwk9urxYyYFTP79jtUlfO/9b//AYEOGNZ1SYUWAAAAAElFTkSu
			QmCC
			</data>
			<key>iTunesMetadata</key>
			<data>
			    base64加密
			</data>
		</dict>

我这边仅留了 <key>PlaceholderIcon</key> 的数据做个例子,这里保存的是app的icon图标,下面的 data 数据采用的 base64加密,我们解码来测试一下到底是不是。

将 data 里面的数据全部复制到 https://the-x.cn/base64/ 进行解码:

上图蓝色标记的区域从头复制到尾部(除了第一/二行不用复制),然后将十六进制代码生成一个新文件:

我们看到什么了?89 50 4E 47 还记的是什么文件的文件头吗?我们将文件另存为 “ xxx.png ” 进行验证,发现验证成功(如下图)!

1.2、Manifest.plist / 主要是保存了设备上安装的应用信息

1)包含了app的版本号:CFBundleVersion 为构建(内部)版本号

		<key>com.Qting.QTTour</key>
		<dict>
			<key>CFBundleIdentifier</key>
			<string>com.Qting.QTTour</string>
			<key>CFBundleVersion</key>
			<string>8.2.0.2</string>
			<key>ContainerContentClass</key>
			<string>Data/Application</string>
			<key>Path</key>
			<string>/var/containers/Bundle/Application/AF52BE90-8083-47CF-A2CF-                     9C2BC4B6BB8D/QTTourAppStore.app</string>
		</dict>

1.3、Status.plist / 保存了备份的状态

1)包含了iTunes备份的时间,是否为完全备份等信息

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>BackupState</key>
	<string>new</string>
	<key>Date</key>
	<date>2018-12-14T08:44:33Z</date>
	<key>IsFullBackup</key>
	<false/>
	<key>SnapshotState</key>
	<string>finished</string>
	<key>UUID</key>
	<string>1A7C5B85-5598-4C69-BC47-72D41724B0EB</string>
	<key>Version</key>
	<string>3.2</string>
</dict>
</plist>

接下来就是总结几个简易手动解析的小问题

1、iOS在数据库中保存的时间格式

我们先用sqlite将根目录下的Manifest.db文件打开,导出成 plist 格式的文件;

我们打开plist文件后,显示如下:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>$archiver</key>
	<string>NSKeyedArchiver</string>
	<key>$objects</key>
	<array>
		<string>$null</string>
		<dict>
			<key>$class</key>
			<dict>
				<key>CF$UID</key>
				<integer>3</integer>
			</dict>
			<key>Birth</key>
			<integer>1510151431</integer>
			<key>Flags</key>
			<integer>0</integer>
			<key>GroupID</key>
			<integer>501</integer>
			<key>InodeNumber</key>
			<integer>33103952</integer>
			<key>LastModified</key>
			<integer>1528515534</integer>
			<key>LastStatusChange</key>
			<integer>1528515534</integer>
			<key>Mode</key>
			<integer>16877</integer>
			<key>ProtectionClass</key>
			<integer>0</integer>
			<key>RelativePath</key>
			<dict>
				<key>CF$UID</key>
				<integer>2</integer>
			</dict>
			<key>Size</key>
			<integer>0</integer>
			<key>UserID</key>
			<integer>501</integer>
		</dict>
		<string>Media/PhotoData/Thumbnails/V2/DCIM</string>
		<dict>
			<key>$classes</key>
			<array>
				<string>MBFile</string>
				<string>NSObject</string>
			</array>
			<key>$classname</key>
			<string>MBFile</string>
		</dict>
	</array>
	<key>$top</key>
	<dict>
		<key>root</key>
		<dict>
			<key>CF$UID</key>
			<integer>1</integer>
		</dict>
	</dict>
	<key>$version</key>
	<integer>100000</integer>
</dict>
</plist>

我们定位到 <key>Birth</key> 或其他的都可以,下面的值为 1510151431,10位数字标准的Unix时间戳格式,我们可以去时间戳转换网站或者工具进行解析。

也可以用 SQL语句 select from_unixtime(数值) 来转换查询。

2、iOS自带浏览器的历史记录文件格式

首先iOS自带的浏览器是Safari,我们在 Manifest.db 数据库里筛选一下:

出现了一个 ../Logs/xxx.log,那么说明他以文本格式①进行保存。咱们继续查找:

出现了 ../xxx.db 和 ../xxx.plist,那么说明又以 sqlite②plist③ 格式进行保存。

3、查找备份包中JPEG图片的总数量

JPEG图片不仅仅只是包含后缀为 .JPEG 的文件,Winhex有一个文件头汇总的文档:

Description	Extensions	Header	Offset	Footer	Default size	Flags
*** 图片
JPEG	JPG;jpeg;jpe;thm;mpo	\xFF\xD8\xFF[\xC0\xC4\xDB\xDD\xE0-\xE5\xE7\xE8\xEA-\xEE\xFE]	0	~1	2097152/33554432	e
PNG	png	\x89PNG\x0D\x0A\x1A\x0A	0	~6		e
GIF	gif	GIF8[79]a	0	~3	2097152/33554432
High Efficiency Image	heic	(ftypheic|ftypmif1)	4	~27	1000000/31457280
WebP Image	webp	RIFF....WEBP	0	~33	24576/1048576
AV1 Image	avif	ftypavif	4	~27	500000/4980736
Thumbcache fragment	cmmm	CMMM..\x00\x00.[^\x00]	0	~84	2097152/511705088	GUb
TIFF/NEF/CR2/DNG	tif;tiff;nef;cr2;dng;pef;nrw;arw	(\x49\x49\x2A\x00)|(\x4D\x4D\x00\x2A)	0	~5	25165824/268435456
Bitmap	bmp;dib	BM.....\x00.\x00....[\x0C\x28\x38\x40\x6C\x7C]\x00\x00\x00	0	~4
Paint Shop Pro	psp;PsPImage;pfr	(Paint Shop Pro Im)|(~BK\x00)	0	~8	2097152	b
Canon Raw	crw	HEAPCCDR	6		8200000	c
Adobe Photoshop	PSD;pdd;p3m;p3r;p3l	8BPS\x00\x01\x00\x00\x00\x00\x00\x00	0	~9	10485760	b
Icon	ico	\x00\x00\x01\x00[\x01-\x15]\x00(\x10\x10|\x20\x20|\x30\x30|\x40\x40|\x80\x80).\x00[\x00\x01]	0	~7	1024/1782600	c
Enhanced Metafile	emf	 EMF\x00\x00\x01\x00	40	~18		e
Artwork cache	ITC2;itc	\x00\x00\x01\x1Citch	0		802400	c
Corel Photo-Paint	cpt	CPT[789]FILE[\x01-\x0F]\x00\x00\x00	0	~97	3145728/37748736	b
Corel Draw	cdr;cdt	RIFF....CDR[ 3-G]vrsn\x02\x00\x00\x00	0	~33		bx
Corel Binary Metafile	cmx	CMX1	8	~33
Freehand drawing (v3)	fh3	FH31	0			c
Freehand drawing	fh9;fh8;fh7;fh5	AGD[1-4]	0		600000	c
Google SketchUp 	SKP;skb	\xFF\xFE\xFF\x0ES\x00k\x00e\x00t\x00c\x00h\x00U\x00p\x00\x20\x00M\x00o\x00d\x00e\x00l\x00\xFF\xFE\xFF.\x7B\x00[567]	0		4194304	b
SketchUp (v8 up)	SKP;skb	\xFF\xFE\xFF\x0ES\x00k\x00e\x00t\x00c\x00h\x00U\x00p\x00\x20\x00M\x00o\x00d\x00e\x00l\x00\xFF\xFE\xFF.\x7B\x00[0-489]	0	\x9A\x99\x99\x99\x99\x99\xE9\x3F.{12}	4194304	b
AutoCAD Drawing	DWG;123d	AC10[01][0-5]\x00	0		5242880	c
AutoCAD Drawing	dwg;dwt	AC10(18|24|27)\x00	0	~98	5242880
Drawing Exchange Format	dxf	\x20{0,3}\x30(\x0D\x0A|\x0A|\x0D)SECTION	0	~99
Encapsulated PostScript	eps;ai	\xC5\xD0\xD3\xC6	0	~70
JPEG (Base64)	B64	/9j/4[\x0A\x0Da-zA-Z0-9\+/]{256}	0	~101		b
PNG (Base64)	B64	iVBORw0[\x0A\x0Da-zA-Z0-9\+/]{256}	0	~101		b
Sony RAW	arw	\x05\x00\x00\x00AW1\x2E	0		16882074	b
Fuji Raw	raf	FUJIFILMCCD-RAW	0		9600000
Minolta Dimage RAW image	mrw	\x00MRM	0		6900000	c
WordPerfect graphics	WPG1;wpg	\xFFWPC...\x00\x01\x16	0		600000	c
The GIMP image	xcf	gimp\x20xcf\x20(file|v001|v002|v003)	0	~95	1048576/125829120	b
LuraWave JPEG-2000 bitmap	JP2;jpx;jpf;j2k	\x00\x00\x00\x0C\x6A\x50\x20\x20\x0D\x0A......ftypjp2 	0		5442880
Xara X drawing	XARA;xar;web	XARA\xA3\xA3\x0D	0		1200000
High Dynamic Range	hdr	\#\?RADIANCE\x0A	0		8400000	c
Kodak Cineon	cin	\x80\x2A\x5F\xD7\x00\x00\x08\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x00\x00	0
Digital Picture Exchange	dpx	(SDPX|XPDS)\x00...V#\x2E	0		7635174	c
Micrographix Graphic	DRW1;drw	\x01\xFF\x02\x04\x03\x02	0		1200000	c
Freehand (MX) Project	fh10;fh11	\x1C\x01\x00\x00\x02\x00\x04\x1C\x01\x14\x00\x02\x00\x14\x1C\x01\x16\x00\x02\x00	0		2097152
Photoshop Large Document	psb	8BPS\x00\x02\x00\x00\x00\x00\x00\x00\x00	0		8194304
ZbThumbnail	info	zbex\x04\x00\x00\x4C	0		1500000	b
Adobe Bridge Cache	bct	\x6C\x6E\x62\x74\x02\x00\x00\x00	0		10485760
Account Picture	accountpicture-ms	1SPS\x18\xB0\x8B\x0B\x25\x27\x44\x4B\x92\xBA\x79\x33	8	~106
MSO Document Image	mdi	EP\*\x00	0		2097152	c
PaperPort scanned	MAX1;max	ViG..\x1A	0	~96
Kies thumb	TEC1;tec	\xFF\xD9...[\x00-\x03]\xFF\xD8\xFF	0	\xFF\xD9		c
PC Paintbrush	pcx	\x0A\x05\x01\x08	0		524288	c
BBThumbs.dat	bbthumbs	\x24\x05\x20\x03[\x07\x08]\x01\x00	0		2097152
SymbianOS Multi BitMap	mbm	\x37\x00\x00\x10........9d9G	0		72474	x
Graphics Metafile	WMF;bkg	\xD7\xCD\xC6\x9A\x00\x00	0	~40		c
Windows 3 Metafile	wmf	\x01\x00\x09\x00\x00\x03	0	~40		c
Calamus Vector Graphic	cvg	CALAMUSCVG	0			c
OpenGL texture	ktx	\ABKTX 11	0	bvx$
*** 文档
Adobe Acrobat	pdf;ai;ait	%PDF\x2D[12]\x2E	0	~17	1048576/134217728
Unicode UTF-16LE	txt	\xFF\xFE[\x09\x0A\x0D\x20-\x3C\x40-\x7E\xC0-\xDC]\x00[^\x00]\x00	0	~48		G
Text UTF-8	txt	\xEF\xBB\xBF[\x09\x0A\x0D\x20-\x3C\x40-\x7E\xC0-\xDC]	0	~57		G
OLE2/MS Office	ole2;doc;xls;dot;ppt;xla;ppa;pps;pot;msi;sdw;db;vsd;msg	\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1	0	~16		b
MS Office 2007+	docx;xlsx;pptx	_Types\]\.xml	38	~14		g
OpenOffice	odt;ods;odf;odg;odp;odb	Zip Archive				L
Rich Text Format	RTF;doc	\{\\rtf	0	~20		G
MS Access	mdb;mda;mde;mdt;fdb;psa	\x00\x01\x00\x00Standard Jet	0	~71
MS Access 2007	accdb;accde;accda;accdu	\x00\x01\x00\x00Standard ACE DB	0		8388608
WordPerfect document	WPD;wp;wp5;wp6;wpp;bk!;wcm	\xFFWPC...[\x00-\x02]\x01\x0A	0		300000
MS OneNote	one	\xE4\x52\x5C\x7B\x8C\xD8\xA7\x4D\xAE\xB1\x53\x78\xD0\x29\x96\xD3	0	~108	3145728
PostScript/Adobe	ps;eps;ai;pfa	%!PS-Adobe	0	~56
Quicken	qdf	\xAC\x9E\xBD\x8F	0		8388608
Quicken	qsd	QW Ver\. 	0		370000	c
QuickBooks Backup	qbb	\x45\x86\x00\x00\x06\x00\x02\x00	0		8388608	c
PDF (Base64)	B64	JVBERi[\x0A\x0Da-zA-Z0-9\+/]{256}	0	~101		b
OLE2 (Base64)	B64	0M8R4KGx[\x0A\x0Da-zA-Z0-9\+/]{256}	0	~101		b
Quattro Pro Notebook 6.0	wb2	\x00\x00\x02\x00[\x01\x02]\x10\xC9\x00\x02\x00\x00\x06	0		2097152
FileMaker Pro 7	fp7;fp12;fmp12	\x00\x01\x00\x00\x00\x02\x00\x01\x00\x05\x00\x02\x00\x02\xC0HBAM7	0		4194304
FileMaker Pro database	fp5;fp3	\x00\x01\x00\x00\x00\x02\x00\x01\x00\x05\x00\x02\x00\x02\xC0	0		4194304	cx
RagTime Document	rtd	\x43\x23\x2B\x44\xA4\x43\x4D\xA5\x48\x64\x72	0		524288
MS Money	MNY;m12;m14;m15;mnp;mne	\x00\x01\x00\x00MSISAM	0		8388608
MS Word 6.0	DOC2;doc	\x12\x34\x56\x78\x90\xFF	0		60000	c
MS Word (MacBinary)	DOC3;doc	BNMSWD...\x00	67			c
MS Write	wri	[\x31\x32]\xBE\x00\x00\x00\xAB\x00\x00\x00\x00\x00\x00	0		200000	c
Lotus WordPro v9	lwp	WordPro[\x00\x0D]	0	\xA4\x43\x4D\xA5\x48\x64\x72\xD7\x01\x01\x01\x00\x02\x00\x00\x00.{8}	1500000/12582912	c
Lotus 123 v9	123	\x00\x00\x1A\x00[\x03\x05]\x10\x04	0	\xA4\x43\x4D\xA5\x48\x64\x72\xD7\x01\x01\x01\x00\x02\x00\x00\x00.{8}	2097152/5242880	c
Lotus 123 v3-5	wk3;wk4;wk5	\x00\x00\x1A\x00[\x00\x02]\x10\x04\x00	0		800000	c
Lotus 123 v1	WK1;wk5	\x00\x00\x02\x00\x06\x04\x06\x00\x08\x00\x00\x00\x00\x00	0		524288	c
Microsoft Project	mpx	MPX[, ]	0		262144	c
Claris Works document	cwk	[\x00\x03\x04]BOBO	3		600000	c
Claris Works word processor (MacBinary)	cwk	WORDBOBO	65		1048576	c
Claris Works text (MacBinary)	cwk	CWWPBOBO	65		1048576	c
DJVU	djvu	AT&TFORM	0		5242880	c
Pocket Word	pwi;psw	\x7B\x5Cpwi\x15\x00\x00\x01	0		500000
TextMaker Document	tmd;tmv	MV\x00\xFF\x0C\x00[\x01\x0E]\x00	0			c
MS Works	WKS1;wks	\xFF\x00\x02\x00\x04\x04\x05\x54\x02\x00..\x26\x54\x02\x00\x00\x00\x06\x00\x08	0		262144
KWord	kwd	KOffice application/x-kword	10	~14		g
*** 邮件
E-mail	eml;wdseml;mht	(MIME-Version: 1\.0|Return-[Pp]ath: |Received: (from|by) |Delivery-date: [FMSTW]|From: [\x22<=A-Za-z]|Date: (Mon|Tue|Wed|Thu|Fri|Sat|Sun), [01]?# |References: <|Message-(ID|Id|id): <)	0	~102		bGA
Outlook	pst;ost;fdb;pab	!BDN	0	~24	4194304/536870912
Outlook AutoComplete	nk2	\x0D\xF0\xAD\xBA[\x0A-\x0C]\x00\x00\x00	0		2200000
Outlook Express	dbx	\xCF\xAD\x12\xFE[\x30\xC5-\xC7].{6}\x11	0	~25
vCard	vcf	BEGIN:VCARD\x0D?\x0A	0	END:VCARD\x0D?\x0A?	256000/35651584	b
Virtual Calendar	vcs;ics	BEGIN:[vV]C[aA][lL][eE][nN][dD][aA][rR]	0	END:VCALENDAR	256000/10485760
Mailbox	mbox;mbs	From\x20[^\x3F]	0	~43	2097152/536870912	EB
OS X Tiger E-mail	emlx	#{3,9}\x20{0,6}\x0D?\x0A(Delivered-To|Status|Return-[Pp]ath|From|Subject|In-Reply-To|Message-Id|Mime-Version|Received):\x20	0	~103	524288/102760448	FG
Outlook 2011 Mac	olk14MsgSource	MSrc	0	~77
Outlook 2011 Mac	olk14MsgAttach	Attc[\x00-\x08]	0	~77
Outlook 2011 Mac	olk14message	MLRC\x00	0	~77
Outlook 2014 Mac	olk15message	\xD0\x0D\x00\x00.{28}CRLM	0	~77
Outlook 2014 Mac	olk15MsgAttachment	\xD0\x0D\x00\x00.{28}cttA	0		1048576
Outlook 2014 Mac	olk15MsgSource	\xD0\x0D\x00\x00.{28}crSM	0		262144
OE addr. book	WAB;wab~	\x9C\xCB\xCB\x8D\x13\x75\xD2\x11\x91\x58\x00\xC0\x4F\x79\x56\xA4..\x00\x00..\x00\x00	0		2097152	b
OE addr. book (Win95)	wab	\x81\x32\x84\xC1\x85\x05\xD0\x11\xB2\x90\x00\xAA\x00\x3C\xF6\x76	0
Eudora	mbx	From\x20\x3F\x3F\x3F\x40\x3F\x3F\x3F\x20	0		8388608
AOL PFC	pfc;org	AOLVM100	0	~22
Video E-Mail	vem	High JPEG Data in Memory	0			c
Offline Address Book	oab	\x20\x00\x00\x00.{10}\x00\x00	0	~86		cxA
MIME	mime;dm;eml;mht	Content-Type:\x20	0	~56	2097152		xA
LDAP Data Interchange Format	LDIF;ldf	dn: [a-zA-Z]{1,14}=	0	~56	262144/4194304
OECustomProperty	FOL;%%%OECustomProperty	1SPS(\x30\xF1\x25\xB7|\xE0\x85\x9F\xF2)	8	~106	8196
*** 互联网
#INTERNAL1
XML/Markup	xml	[\x09\x0A\x0D\x20]{0,60}<[!\?A-Za-z][-:_A-Za-z]{2,24}[ >\x09\x0A\x0D]	0	~15		GEA
SQLite 2.x database	SQLITE2;sqlite;;	\*\* This file contains an SQLite 2\.#	0			t
SQLite 3.x database	sqlitedb;sqlite3;sqlite;lrcat;exb;itdb;localstorage	SQLite format 3\x00	0	~59		tx
Mime Html	mht;eml	MIME-Version:\x201\.0\x0D\x0A	0	\x00		fE
Nokia text	vmg	BEGIN:VMSG	0	END:VMSG	1048576/14680064	b
Nokia SMS	vmg	B\x00E\x00G\x00I\x00N\x00\x3A\x00V\x00M\x00S\x00G\x00\x0A\x00	0	E\x00N\x00D\x00\x3A\x00V\x00M\x00S\x00G\x00\x0A\x00	2048/100000
Dialup	dun	\[Phone\]\x0D\x0A	0	~56	860/3000	c
Google cookie	COOKIE;txt	(__utma|PREF)\x0A	0	\x0A\x2A\x0A\x00	1024/3600
Chrome cache	chrome	\xC3\xCA\x04\xC1[\x00\x03]\x00[\x01\x02]\x00	0	~63
Chrome session	snss	SNSS\x01\x00\x00\x00	0	~74		b
Firefox session	jsonlz4	version":\["sessionrestore"	16	\x7D\x5D\x7D
Facebook	json	for \(;;\);\{\x22	0	~56
Google	json	\{e:"[-_0-9a-zA-Z]{22}",	0	~56
Opera Hotlist (v2.0) / bookmark	adr	(\xEF\xBB\xBF)?Opera Hotlist version #\.0	0		128000
Firefox(1)	SESSIONSTORE;js	\(?\{\x22?windows\x22?:\[\{	0	~56	96000	c
Flash Cookie	sol	\x00\xBF....TCSO	0	~52
Safari Cookies	binarycookies	cook\x00	0	~68
Chrome Offline Cache	service_worker	\x30\x5C\x72\xA7\x1B\x6D\xFB\xFC\x05\x00\x00\x00	0	\xD8\x41\x0D\x97\x45\x6F\xFA\xF4\x01\x00\x00\x00.{12}	524288/2097152
Cryptnet	urlcache	[\x18\x70]\x00\x00\x00\x01\x01\x02\x20\x01\x00\x00\x00..\x00\x00	0		512
SkyDrive	ms-properties	1SPS\x53\xF1\xEF\xFC\x39\xE8\xF3\x4C\xA9\xE7\xEA\x22	8	~106	4096
*** 压缩包/存档
Zip Archive	zip;jar;xps;apk;pages	PK\x03\x04|PK00|PK\x05\x06	0	~14	4194304/536870912	gG
Zip (Base64)	B64	UEsDBB[\x0A\x0Da-zA-Z0-9\+/]{256}	0	~101		b
Jar Archive	JAR1;jar	\x5F\x27\xA8\x89	0
RAR Archive	rar;cbr	Rar!\x1a\x07\x00	0	~29	4194304/2147483648
RAR5 Archive	rar;cbr	Rar!\x1a\x07\x01\x00	0	\x03\x05\x04\x00	4194304/2147483648
GZip Archive	gz;tgz;emz	\x1F\x8B\x08[\x00\x02\x08\x10]....[\x00\x02\x04][\x00-\x12\xFF]	0	~32	1048576/134217728
7-Zip Archive	7z	7z\xBC\xAF\x27	0	~39	2097152/268435456
Tar/PAX Archive	tar;ova	ustar	257	~31	1048576/205520896	G
BZip Archive	BZ2;tbz	BZ[0h]#\x31\x41\x59\x26	0
MS Compressed	cab	MSCF\x00\x00\x00\x00	0	~82
ARJ Archive	arj	\x60\xEA......[\x00\x10\x14]\x00\x02	0
XZ Archive	xz	\xFD7zXZ\x00\x00	0
Stuffit SFX Archive	sea	APPLaust!	65			c
Stuffit Archive	sitx	StuffIt!	0			c
Stuffit v5 Archive	sit	StuffIt	0			c
ACE Archive	ace	\*\*ACE\*\*	7			c
BinHex 4.0	hqx	must be converted with BinHex	11			c
ALZip	alz	ALZ\x01\x0A\x00\x00\x00	0	CLZ\x02		c
lzop compressed	lzop;lzo	\x89LZO\x00\x0D\x0A\x1A	0
SQX compressed archive	sqx	R....-sqx-	2
ALZip EGG compressed	egg	EGGA\x00	0			c
Free Backup Fix	fbf	SymBakUp  1\.0\x0A\x1A\x01	0	FHT1.\x00{19}	2621440/104857600	c
KGB Archive	kgb	KGB_arch -	0
*** 音频/视频
MP3 ID3 v2/3/4	mp3	ID3[\x02-\x04]\x00[\x00\x20\x40\x80][\x00\x01]	0		6000000	E
MP3 general	mp3	\xFF[\xE2\xE3\xF2\xF3\xFA\xFB][\x10-\x1B\x20-\x2B\x30-\x3B\x40-\x4B\x50-\x5B\x60-\x6B\x70-\x7B\x80-\x8B\x90-\x9B\xA0-\xAB\xB0-\xBB\xC0-\xCB\xD0-\xDB\xE0-\xEB]	0	~21		cCGE
Wave	wav	RIFF....WAVE(fmt |JUNK|LIST|bext|fact)	0	~33
Audio Video Interleave	AVI;gvi;divx	RIFF....(LIST|JUNK|AVI )	0	~33	10000000/1610612736
MPEG	mpg;mpe;mpeg;vob	\x00\x00\x01\xBA	0	~41	8388608/1342177280	GE
Blu-ray	m2ts;ts	\x47\x40\x00\x10.{188}\x47	4	~109	8388608/1342177280	GE
QuickTime Movie	mov	(moov|skip|mdat)	4	~27	10000000/134217728	E
QuickTime MOV(1)	mov	\x00\x00\x00(\x14pnot......PICT|\x08wide)	0	~27	10000000/943718400	E
QuickTime MOV	MOV;mp4	ftypqt  	4	~27	10000000/943718400	E
QuickTime 3GP	3gp;mp4;m4a	ftypisom	4	~27	10000000/314572800
QuickTime 3GP	3GP;3ga;3g2;3gpp	ftyp3gp	4	~27	10000000/314572800
QuickTime 3GP	3gp	ftypmmp4	4	~27	10000000/314572800
QuickTime 3G2	3g2	ftyp3g2a	4	~27	10000000/314572800
QuickTime M4A	m4a;m4p	ftypM4A\x20	4	~27	10000000/104857600
QuickTime M4V	M4V;mp4	ftypM4V[P\x20]	4	~27	10000000/471859200
QuickTime MP4	mp4	ftyp(mp41|avc1|MSNV|FACE|mobi)	4	~27	10000000/2147483648
QuickTime MP4	mp4;m4b	ftyp(mp|MP)42	4	~27	10000000/2147483648
QuickTime MP4	mp4;m4b	ftypdash	4	~27	10000000/2147483648
Matroska	mkv;mka	(matroska|\x01\x42\xF7\x81\x01\x42\xF2\x81)	8		10485760
Windows Media	asf;wmv;wma;dvr-ms	\x30\x26\xB2\x75\x8E\x66\xCF\x11\xA6\xD9\x00\xAA\x00\x62\xCE\x6C	0	~26	10000000/1073741824
Ogg Vorbis Audio	ogg	OggS\x00\x02.{22}\x01vorbis	0	~45	8388608/335544320	cG
Ogg Video	ogv;ogm;opus;ogx	OggS\x00\x02.{22}(\x01video|\x80theora|fishead)	0	~45	8388608/335544320	cG
Audacity	au	dns\..{20}AudacityBlockFile	0		2097152
Adaptive Multi Rate audio	amr	\x23!AMR\x0A	0	~90
MediaPlayer Playlist	wpl	<\?wpl version=	0	</smil>\x0D\x0A	100000/1048576
M3U playlist	m3u	\#EXTM3U	0	~56
Flash Video	flv	FLV\x01[\x00\x01\x04\x05\x0D]	0	~36	10000000/104857600
Flash MP4 video	f4v	ftyp(f4v|F4V)\x20	4	~27	10000000/104857600
Video surveillance	MP4S;mp4	IMKH\x01\x01\x00\x00	0		104857600/268435456
Director - Shockwave movie	dcr	XFIR...\x00MDGF	0		3670016
Windows Television	wtv	\xB7\xD8\x00\x20\x37\x49\xDA\x11\xA6\x4E\x00\x07\xE9\x5E\xAD\x8D	0		10485760
Real Media	rm;rmvb;rv;ra;rmj;ram;rmx	\.RMF	0		100000000
MIDI	mid;kar;midi	MThd	0		300000
WebM Video	webm	\x1A\x45\xDF\xA3\x01\x00\x00\x00	0		33554432	b
Compact Disc Digital Audio (CD-DA) file	cda	RIFF....CDDAfmt	0	~33
AMR-WB Audio	AWB;amr	\x23!AMR-WB\x0A	0
Audacity Block	auf	AudacityBlockFile	0		16000
Sony Compressed Voice	dvf;msv	MS_VOICE.{8}SONY CORPORATION	0		12582912
AU Format Sound	snd	\x53\x54\x45\x56\x45\x02\x48\x80	0
NeXT_Sun uLaw-AUdio-format	ulaw;au;snd	\.snd\x00\x00[\x00\x01]	0			c
Audio Interchange	aif;aiff;caf	FORM....AIFF	0	~33		c
Audio Interchange (compressed)	aifc;aif;aiff	FORM....AIFC	0	~33		c
4X Movie	4xm	4XMVLIST	8
PixelMetrics	cwm	elmetrics\.com\x2E\x2E\x2E	80	~105	209715200/838860800
*** 程序
Windows exec.	exe;dll;drv;vxd;sys;ocx;vbx;com;fon;scr	MZ.[\x00-\x02].[\x00-\x02]	0	~30
Compiled HTML	chm;chw;chi	ITSF\x03\x00\x00\x00	0	~47		x
Windows Help	hlp;gid;lhp	(\x3F\x5F\x03\x00)|(\x4C\x4E\x02\x00)	0		2097152		x
MS Help 2.0	its;lit;h1d;h1h;h1q;h1w;ebo	ITOLITLS	0			cx
ELF Object	o;ko	\x7FELF[\x01\x02]\x01\x01[\x00\x09]\x00\x00\x00\x00\x00\x00\x00\x00\x01	0
ELF executable	elf;nexe	\x7FELF\x01\x01\x01\x00.......\x00\x02	0	~73
ELF 64-bit exec.	elf64;nexe	\x7FELF\x02\x01\x01........\x00\x02	0	~73
ELF shared object	so	\x7FELF[\x01\x02]\x01\x01.\x00\x00\x00\x00\x00\x00\x00\x00\x03	0	~73
MacOS exec.	MACHO;dylib	\xCA\xFE\xBA\xBE\x00\x00\x00[\x01\x02\x03]	0	~67
MacOS 64-bit exec.	MACHO64;dylib	\xCF\xFA\xED\xFE	0
Chrome Extension	crx	Cr24.\x00\x00\x00	0
*** 系统文件
WinNT Registry Hive	REGISTRY	regf	0	~28	1572864/96468992	Gt
Registry fragment	hbin	hbin\x00	0	~80	262144/50331648	GUE
Registry Script	rgs	HKCR\x0D\x0A\{	0	~56	524288/16777216
Windows Password	pwl	\xE3\x82\x85\x96	0		4096	c
Windows Event Log	evt	\x30\x00\x00\x00LfLe	0	~44	2097152/33554432
Windows Event Log	evtx	ElfFile	0	~42
setup info	SETUPINFO;;	DRBKLBSM	24
EFS Private Key file	EFS;;	\x02\x00\x00\x00\x00\x00\x00\x00[^\x00]\x00\x00\x00.\x00\x00\x00..\x00\x00..\x00\x00..\x00\x00\x14\x00	0		1000	c
EFS Master Key file	EFS;;	\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00[0-9a-f]\x00[0-9a-f]\x00	0		1000	c
Printer Spool 9x	shd	\x4B\x49\x00\x00..\x00\x00..\x00\x00..\x00\x00	0		1000	cE
Printer Spool NT	shd	\x66\x49\x00\x00......\x00\x00.\x00\x00\x00	0		1000	cE
Printer Spool W2K/XP	shd	\x67\x49\x00\x00.\x00\x00\x00......\x00\x00.\x00\x00\x00	0		4000	E
Printer Spool 2003	shd	\x68\x49\x00\x00.\x00\x00\x00......\x00\x00.\x00\x00\x00	0		4000	E
Printer Spool NT/2K/XP	spl	\x00\x00\x01\x00..\x00\x00\x10\x00\x00\x00..\x00\x00	0	~19		E
Certificate 1	cer;cat;p7b;p7c;p7m;p7s;swz;rsa;crl;crt;der	\x30\x82..[\x06\x0A\x30]	0	~53		x
Certificate 2	cat;swz;p7m	\x30\x83[^\x00]..\x06\x09	0	~53		x
Certificate 3	pem;p7b;p7m;crt;csr;cer	-----BEGIN\x20	0	-----END\x20.{3,32}-----	4096	bx
SSLHOSTINFO	sslinf	\x00[\x01-\x04]\x00\x00\x00...\x00\x30\x82	3		8196
setupapi Vista	log	\[Device Install Log\]\x0D\x0A	0	~56
setupapi XP	log	\[SetupAPI Log\]\x0D\x0A	0	~56
Shadow copy	VSC;;	\x6B\x87\x08\x38\x76\xC1\x48\x4E\xB7\xAE\x04\x04\x6E\x6C\xC7\x52\x01\x00\x00\x00\x04	0	~46	33554432/335544320
Windows Pagedump	dmp	PAGEDUMP	0	~51
Windows Pagedump	dmp	PAGEDU64	0		2097152
Heap dump file	HDMP;mdmp;dmp	MDMP\x93\xA7	0		4194304
NTFS $LogFile	$LOGFILE;;	RSTR\x1E\x00\x09\x00	0	~60	67108864
$UsnJrnl:$J record	usnjrnl	\x00\x00\x02\x00\x00\x00.{31}\x01.{17}[\x00\x01]\x3C\x00	2	~81		GUE
Event Trace Log	etl;blg	\x00[\x00\x04\x0C\x10\x20\x40\x80][\x00\x01\x02]\x00\x06[\x00\x01]\x01[\x04\x05]..\x00\x00[\x01-\x04\x08]\x00\x00\x00.{7}[\x00\x01](aa|Zb)\x02\x00	104
Snapshot Prop	SnapProp;;	\x1F\x44\xFA\xA0\x8E\xF6\xCC\x4D\x9D\x91\x2C\x2E\xBE\xC0\xBB\x63|\x8F\x11\xE1\x6A\x1A\x59\xE0\x47\xB2\xC3\x3C\xFA\x26\xEC\x2B\x80	0		32768
Windows Prefetch	pf	[\x11\x17\x1A]\x00\x00\x00SCCA	0	~23
Windows Prefetch (Win 10)	pf	MAM\x04...\x00	0	~104
Task Scheduler	job	(\x01\x05|\x00\x06|\x01\x06|\x02\x06|\x03\x06)\x01\x00.{16}\x46\x00	0		1200
$I Recycler	recycler	\x01\x00{7}.....\x00\x00\x00.{7}\x01[C-Z]\x00:\x00	0		1024	x
$I Recycler (win 10)	recycler	\x02\x00{7}.....\x00\x00\x00.{7}\x01[\x04-\xFF][\x00\x01]\x00\x00[C-Z]\x00:\x00	0		1024	x
Windows Shortcut	lnk	\x4C\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46	0	~49	3000/32768	bGe
Internet Shortcut	url;ulk	\[InternetShortcut\]	0	\x00	6000	f
Internet Shortcut	url;website	(\[DEFAULT\]\x0D\x0ABASEURL|\[\{000214A0-0000-0000-C000-000000000046)	0	~56	4096/1048576
Apple download cache	waf	\.WAF	0			c
Change Log	clog;log	\x00\x00\x00\x00\x12\xEF\xCD\xAB	4		65536
Ubuntu Trash	trashinfo	\[Trash Info\]\x0A	0	\x00	1024	f
KDE cache	kdecache	7\x0Ahttp://	0
PList (XML)	plist	<!DOCTYPE plist	39	</plist>\x0A
PList (binary)	BPLIST;plist;ipmeta;abcdp;mdbackup;mdinfo;strings;nib;ichat;qtz;webbookmark;webhistory	bplist00	0	~58	524288/16777216
Finder bookmark	flnk	book..\x00\x00\x00	0	~75
Launch Service	csstore	\xD0\xFA\xD0\xDA\x00	0	~76
MacOS X Keychain	keychain	kych\x00\x01	0	~64
Virtual HD	vhd	conectix	0		8388608
VMware 4 Virtual Disk	vmdk	KDMV.\x00\x00\x00	0		8388608
Macintosh Disk Image	dmf;dmg	\x78\x01\x73\x0D\x62\x62\x60\x60	0		2097152
Windows Imaging	wim;swm	MSWIM\x00\x00\x00	0	~66		c
iPhone backup index	mbdx	mbdx\x02\x00	0		520000
iPhone backup db	mbdb	mbdb\x05\x00	0		2097152
iPhone crash report	CRASH;log	(Incident Identifier: [0-9A-F]{8}-|Date:####-##-##)	0	~56
AppleDouble	_ad	\x00\x05\x16\x07\x00[\x01\x02]\x00\x00	0		742	cx
Apple System Log	asl	ASL DB\x00{6}	0	~79
IIE Log	log	\#Software: Microsoft Internet Information Services #\.#\x0D\x0A	0	~56
Desktop Services Store	DS_STORE;;	\x00\x00\x00\x01Bud1	0	~91
EDB log (V1)	EDBLOG;log	\x00\x00\x02\x08\x00\x00[\x01-\x28]\x00[\x00\x10\x20\x80].{4}[\x00-\x0C].[\x00\x01]\x00.{4}[\x00-\x0C].[\x00\x01]\x00\x07\x00\x00\x00	7	~94
EDB log (V2)	EDBLOG;log	\x00\x00\x10\x01\x00[\x00\x10\x40\x80][\x00-\x08]\x00[\x00\x10\x20\x80]...[\x00-\x1F][\x00-\x0C].{6}[\x00-\x1F][\x00-\x0C]...[\x07\x08]\x00\x00\x00	7	~94
SQL Server Trace	TRC1;trc	\xFF\xFE\x90\x02\x01\x00\x4D\x00\x69\x00\x63\x00\x72\x00\x6F\x00	0		8388608
Win9x Registry Hive	registry	CREG	0
*** 应用数据
ESE Database	EDB;MSMessageStore	\xEF\xCD\xAB\x89[\x20\x23]\x06\x00\x00[\x00\x01]\x00\x00\x00	4	~54	5000000/1342177280
Acronis True Image file	tib	\xB4\x6E\x68\x44	0		20971520	c
Nero CD Compilation	nri;nrb	\x0E\x4E\x65\x72\x6F\x49\x53\x4F\x30	0	\x00LFDU[^\x00]*	800000/5452596
Alcohol 120% CD Image	mdf	\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x02\x00\x01	0		20971520	c
Ghost Image	gho;ghs	\xFE\xEF\x01[\x00-\x03]....[\x00\x01][\x00\x01]	0		20971520	c
eMule Collection	emulecollection	ed2k://\|file\|	0
PGP pubring	pkr;gpg	\x99\x01[\x0D\xA2]\x04	0		11264	c
PGP secring	skr	\x95(\x01\xCF|\x03\xC6)\x04	0		7000	c
AxCrypt Encrypted	axx	\xC0\xB9\x07\x2E\x4F\x93\xF1\x46\xA0\x15\x79\x2C\xA1\xD9\xE8\x21\x15\x00\x00\x00\x02	0			y
PGP Safe	pgd	PGPdMAIN\x60\x01\x00	0
Skype chat	CHATSYNC	sCdB	0	~78
Skype localization data	mls	MLSW...skypePM \x00	0		40000	c
Skype user data	dbb	l33l......\x00\x00	0	~50		G
iChat	ichat	AIM IM with 	0	~56		G
MS/MSN MARC archive	mar	MARC\x03	0		8388608
Auto completion	jsonp	window\.google\.ac\.h\(\[	0	\]\]\)	1024/524288
Auto completion (2)	jsonp	window\.google\.td&&	0	\}\);	1024/524288
MapSource GPS Waypoint Database	gdb	MsRcf	0		3145728
SeeYou Waypoint	ndb	! ILEC 	0
Flash	swf;swc;swt	[CF]WS[\x02-\x1B]	0	~37
Open financial exchange	ofx;qfx;qbo	\x0D?\x0A{0,12}OFXHEADER:\x20?100	0	</OFX>	500000
Point of Interest	gpi	GRMREC0[01]	8
Point of Interest	gpi	GRMREC01	12
BlackBerry Backup	ipd	[email protected] Pager Backup/Restore File[\x0A\x20]	0		20971520
Blu-ray Clip Information	CLPI;cpi;clp	HDMV0[12]00\x00	0		20000
Nokia backup	nbu	\xCC\x52\x33\xFC\xE9\x2C\x18\x48\xAF\xE3\x36\x30\x1A\x39\x40\x06	0		41943040
Adobe InDesign	indd;indb;indl;indt	\x06\x06\xED\xF5\xD8\x1D\x46\xE5\xBD\x31\xEF\xE7\xFE\x74\xB7\x1D	0	~87
AVCHD Playlist	MPL;mpls	MPLS0[12]00\x00	0		100000
Rhino 3D	3dm	3D Geometry File Format\x20\x20\x20\x20	0		4194304
Business Card Designer	bcf	Business\x0A\x00\x04\x00Card	0
Mobile Phone vNote	vnt	BEGIN:VNOTE	0	END:VNOTE	6000
MS Money	mny	pfmf\#1\x00	0
QuickBooks	QBW;adr;tlg	[\x00\x03]\x00\x00\x00\x5E\xBA\x7A\xDA	16	~93
Quickbooks (alt)	qbw	MAUI.\x00\x00\x00	96	~93
Inspiration Flowchart	isf	application/x-inspiration 	0		524288
Microsoft Money Backup	mbf	\x20\x00\x6D\x62\x66	58		20971520
Cisco VPN	pcf	\[main\]\x0D?\x0A(!?Description|UserPassword)=	0	~56
Palm Datebook	dba	\xBE\xBA\xFE\xCA\x0FPalmSG Database......BD	0		1468006
Palm address book	aba	\xBE\xBA\xFE\xCA\x0FPalmSG Database......BA	0		500000
Palm To-Do	tda	\xBE\xBA\xFE\xCA\x0FPalmSG Database......DT	0		20000
Palm Memo	mpa	\xBE\xBA\xFE\xCA\x0FPalmSG Database......PM	0		24000
TomTom POI	tlv	\x80\x01\x01\x01\x81\x01\x31http://	3		1500
Pcap-NG Packet Capture	PCAPNG;pcap	\x4D\x3C\x2B\x1A\x01\x00\x00\x00	8		4194304
Adobe Bridge Cache	bc	hcac[\x0E-\x17]\x00\x00\x00	0	~88
Picasa3 Index	thumbindex	ffF@...\x00	0	~89
Intuit Interchange Format	iif	!(HDR\x09PROD|TIMERHDR\x09VER)\x09VER\x09REL\x09	0	~56
Tax Exchange Format	txf	V0##\x0D\x0AA	0	~56
Cryptocurrency wallet	wallet	\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x62\x31\x05\x00	0		262144/2097152
*** 特殊文件
EDB Page	EDBPage	\x00{6}.\x00\x00\x00.\x00\x00\x00.{13}[\x28\xA8][\x01\x00]\x00	10	~110	32768
Google Analytics URL+ei TS	eiurl	https?://	0	~92	1400	GbA
Vaulty	vdata	obscured[^a-z]	0 
Zip record	ZIP;z01	PK\x03\x04|PK00|PK\x05\x06|PK\x07\x08	0	~62		b
Firefox(2)	SESSIONSTORE;js	[[email protected]\x20-\x2F\x3A-\x3F\x5B-\x60\x7B-\x7E]{199}	0	~100	12288	GS
Firefox cache	firefox	\x00\x01\x00[\x08-\x13].\x00..\x00\x00\x00.[\x49-\x56]	0	~55		gU
Base64	B64	[\x0A\x0Da-zA-Z0-9\+/]{256}	0	~101		GS
Information Summary	summary	\xFE\xFF\x00\x00.{21}\x00\x00\x00\xE0\x85\x9F\xF2\xF9\x4F	0		1024	U
TCP Packet	tcp	\x08\x00\x45\x00.....\x00[\x01-\x80]\x06	12	~61	1500/1500	b
UDP Packet	udp	\x08\x00\x45\x00[\x00-\x05].....[\x01-\x80]\x11	12	~61	1500/1500	b
VISA/Mastercard	ccn	[^0-9\-A-Za-z_\.][45]###[- ]####[- ]####[- ]####[^0-9\-A-Za-z_\[&]	0	~65	25/25	b
Gigatribe 2.x state file	state	\x40\x02\x00\x00\x5C\x5C[a-zA-Z]	0		1000
Gigatribe 3.x state file	state	\x00\x00\x00\x01\x00\x00[\x00\x01].\x00[\\a-zA-Z]\x00[\\:a-zA-Z]\x00	0	\x12\x34\x56\x78	1024/1048510
Gigatribe 2.x chat	GIGA	\x30\x41\x48\x43...\x00	0
Gigatribe 3.x chat	GIGA	\x63\x68\x00\x00\x00\x0A	0
Unix kern.log	log	[ADFJNOS][a-z][a-z] [ #]# [ 012]#:##:## [a-zA-Z]	0	~56		G
misc log files	log	20[01]#-##-##[ T]##:##:##[ \.\,]	0	~56		Gx
Gatherer fragm	gthr2	\x4D\x44\x4D\x44....\x00\x00\x00\x00	0	~85		GUb
CD Volume Descriptor	vdscr	\x01CD001\x01\x00	0		4096	c
Gateway php	PHP1;php	\x00\x00\x00\x01\x00\x12AppendToGatewayUrl	0		378880
Palmpilot	PRC1;prc	ovly(DTGR|WP2P)	60
Photoshop thmb	lnbt	lnbt\x01\x00\x00\x00	0	\x08gS\x09
Samsung trailer	SEFT	\x0E\x00\x00\x00Image_UTC_Data#{12}	4	\x00SEFT	512/10485760	b
Spotify Playlist	bnk	SPCO.\x00\x00\x00	0		800000
SQL	sql	-- (Generate|MySQL|phpMyAdmin|Copyright)	0	~56
XML fragment	xml	<\?xml version=[\x22\x27]1\.0	0	~15	8196/32000	b
Comma separated	csv	\x22[\x22A-Z]|Name|First	0	~107	1024/1048576	GS
Windows.edb fragment	1sps	1SPS\xA6\x6A\x63\x28\x3D\x95\xD2\x11\xB5\xD6\x00\xC0\x4F\xD9\x18\xD0	8	~106	4096	b
Bitlocker rec key	bitlocker	\xFF\xFE\x42\x00\x69\x00\x74\x00\x4C\x00\x6F\x00\x63\x00\x6B\x00\x65\x00\x72\x00\x20\x00	0	~48	1500
BitTorrent Link	torrent	d(8:announce##|4:infod[456]):	0	ee	32768/655360

大家可以看到第一行 JPEG 的解释,文件头为 \xFF\xD8\xFF,我们利用 Winhex 工具自带的文件签名批量检索功能进行查找。

注意!一定要是tar包,如果你拖进去的是 zip、7z 等进行过压缩的包,可能检索不出来。如果是压缩过的数据,先解压再重新打tar包,在用 WinHex 工具解析。

我们最终发现 JPEG图片 全部被 WinHex 统计出来。

4、常见的数据储存目录

4.1、iOS 通讯录数据库

在 \private\var\mobile\Library\AddressBook 目录下有两个数据库文件,AddressBook.sqlitedb(储存联系人信息)和 AddressBookImages.sqlitedb(储存联系人头像图片等)

4.2、iOS 短信存放数据库

在 \private\var\mobile\Library\SMS 中的 sms.db 数据库中。

我测试机备份的没通讯录、短信数据,短信内容就在 message 表中。

4.3、iOS 照片存放

其实下个 爱思助手 就能看到了,其他的文件存放位置就不花时间阐述了,本篇文章到此结束~

标签:iOS取证 iTunes备份 手动分析 手机取证 解析数据 镜像解析

发表回复

您的电子邮箱地址不会被公开。 必填项已用*标注

联系我们

联系我们

站长QQ:82794

在线咨询: QQ交谈

邮箱: [email protected]

任何技术问题请联系QQ,非特殊行业请勿加微信!龙信小伙伴请联系微信群找我~
关注微信
微信扫一扫关注我们

微信扫一扫关注我们

返回顶部