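#
# default.sort
# default config file for Sleuth Kit sorter
#
# These settings have the lowest priority of all config files
#
# It is used for ALL platform types though
#
#
# Category
# If the keyword is found in the 'file' output, then the data is saved
# to either the summary file or even copied if the appropriate flags are
# given
#
# category	cat_name	keywords
#
#
# Extension
# If the keywords are found in the 'file' output, and the file's extension
# is not one of those listed in the rule, an alert is generated
# 'somewhere'
# ext		ext1,ext2,ext3	keywords
#
#
# Keywords
# The keywords below use regular-expression syntax (\s, (.*?), ^data$,
# and escaped characters such as \/ and \-), so literal punctuation in a
# new keyword should be escaped the same way.
#
# Limits of the extension check
# Both rule types match against the 'file' output only.  A file whose
# type 'file' does not recognise is reported as 'data' (see the last rule
# in this file) and gets no extension check, so the absence of an alert
# does not show that a file's extension matches its content.




##########################################################################
# Multimedia
##########################################################################

# Audio
category    audio           audio

category	audio			MIDI
ext			mid,rmi			MIDI

category	audio			MP3
ext			mp3				MP3



# Images
category	images		image data
ext			jpg,jpeg,jpe 	JPEG image data
ext			gif			GIF image data
ext			tif			TIFF image data
ext			png			PNG image data

category	images		bitmap data
ext			bmp			PC bitmap data

# Fonts are grouped with images
category	images		font
ext			ttf			true type font



# Video
category	video		RealMedia
ext			rm			RealMedia




##########################################################################
# archive & compression
##########################################################################

# archive
category	archive		archive
ext			zip,jar		Zip archive data
ext			tar			tar archive

category    archive     DB
ext         db      	Berkeley DB


# compression
category    compress        compress
ext         gz,tgz          gzip compressed data
ext         Z               compress'd data




##########################################################################
# Executables
##########################################################################
# Execs
category 	exec		executable
category	exec		\sscript
# the above can cause errors with postscript and transcript
# NOTE(review): the leading \s requires whitespace before "script";
# confirm whether the caveat above still applies with that prefix.

category	exec		batch file

# NOTE: Some windows binaries have the term "executable not relocatable"
# which will trigger on this when it should trigger on executable
category	exec		relocatable


# Java
category	exec		class data
ext			class		Java class data


category	exec		object
ext			o			object

# No ext rule: compiled python files are categorized but their extension
# is not checked
category	exec		python compiled




##########################################################################
# Documents
##########################################################################
category	documents				document


# Microsoft
ext			doc,dot,ppt,pot,xls,xlt,msc,pcb			Microsoft Office Document

category	documents				Rich Text Format
ext			rtf						Rich Text Format

# Corel & Word Perfect
category	documents				Corel\/WP
ext			wpg,wpd,shw				Corel\/WP

# Lotus
category	documents				Lotus 1\-2\-3
ext			wb2						Lotus 1\-2\-3

# Adobe
ext			pdf						PDF document
ext			ps,eps					PostScript document


##########################################################################
# Text
##########################################################################
# NOTE(review): 'file' output for a script can contain "script" or
# "executable" as well as "ASCII ... text", so it can match rules in both
# the exec and the text sections.  Which category such a file is saved
# under depends on sorter's matching order, which this file does not
# show - confirm before reviewing the exec category alone.
category	text			ASCII(.*?)text
ext         txt,log         ASCII(.*?)text
ext			c,cpp,h,js		ASCII(.*?)text
ext			sh,csh			ASCII(.*?)text
ext			conf			ASCII(.*?)text

category    text            character data
ext         txt             character data

category	text			ISO\-8859(.*?)text
ext         txt             ISO\-8859(.*?)text

# hta (HTML Application) is accepted as a normal extension for HTML text,
# so it raises no mismatch alert even though Windows runs it as a program
category	text			HTML document text
ext			htm,html,hta	HTML document text

category	text		program text
ext			c,cpp,h,js	program text
category	text		\ssource



##########################################################################
# Other
##########################################################################
# Disk
category	disk			boot sector
category	disk			filesystem data


# Crypto
category	crypto			PGP
ext			asc				PGP armored

# Postscript Printer Description
category	system			PPD file
ext			ppd				PPD file


# 'file' reports 'data' for all unknown binary files
# do not bother with extensions with this
# Files that 'file' cannot identify all land here whatever their
# extension, so this category needs review by other means
category	data			^data$
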