1 /*
2
3 File: file_pst.c
4
5 Copyright (C) 2006-2007 Christophe GRENIER <grenier@cgsecurity.org>
6
7 This software is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License along
18 with this program; if not, write the Free Software Foundation, Inc., 51
19 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20
21 */
22
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26 #ifdef HAVE_STRING_H
27 #include <string.h>
28 #endif
29 #include <stdio.h>
30 #include "types.h"
31 #include "filegen.h"
32
33
34 static void register_header_check_pst(file_stat_t *file_stat);
35 static int header_check_pst(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new);
36
37 const file_hint_t file_hint_pst= {
38 .extension="pst",
39 .description="Outlook (pst/wab/dbx)",
40 .max_filesize=PHOTOREC_MAX_FILE_SIZE,
41 .recover=1,
42 .enable_by_default=1,
43 .register_header_check=®ister_header_check_pst
44 };
45
46 #define INDEX_TYPE_OFFSET 0x0A
47 #define FILE_SIZE_POINTER 0xA8
48 #define FILE_SIZE_POINTER_64 0xB8
49 #define DBX_SIZE_POINTER 0x7C
50
header_check_dbx(const unsigned char * buffer,const unsigned int buffer_size,const unsigned int safe_header_only,const file_recovery_t * file_recovery,file_recovery_t * file_recovery_new)51 static int header_check_dbx(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
52 {
53 const uint64_t size=(uint64_t)buffer[DBX_SIZE_POINTER] +
54 (((uint64_t)buffer[DBX_SIZE_POINTER+1])<<8) +
55 (((uint64_t)buffer[DBX_SIZE_POINTER+2])<<16) +
56 (((uint64_t)buffer[DBX_SIZE_POINTER+3])<<24);
57 if(size < DBX_SIZE_POINTER + 4)
58 return 0;
59 reset_file_recovery(file_recovery_new);
60 file_recovery_new->extension="dbx";
61 file_recovery_new->calculated_file_size=size;
62 file_recovery_new->data_check=&data_check_size;
63 file_recovery_new->file_check=&file_check_size;
64 return 1;
65 }
66
67 /*
68 Outlook 2000
69 0x0000 uchar signature[4];
70 0x000a uchar indexType;
71 0x00a8 uint32_t total_file_size;
72 0x00b8 uint32_t backPointer2;
73 0x00bc uint32_t offsetIndex2;
74 0x00c0 uint32_t backPointer1;
75 0x00c4 uint32_t offsetIndex1;
76 0x01cd uchar encryptionType;
77
78 Outlook 2003
79 0x0000 uchar signature[4];
80 0x000a uchar indexType;
81 0x00b8 uint64_t total_file_size;
82 0x00d8 uint64_t backPointer2;
83 0x00e0 uint64_t offsetIndex2;
84 0x00e8 uint64_t backPointer1;
85 0x00f0 uint64_t offsetIndex1;
86 0x0201 uchar encryptionType;
87
88 More information about the file structure can be found at
89 http://www.five-ten-sg.com/libpst/
90 */
91
header_check_wab(const unsigned char * buffer,const unsigned int buffer_size,const unsigned int safe_header_only,const file_recovery_t * file_recovery,file_recovery_t * file_recovery_new)92 static int header_check_wab(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
93 {
94 reset_file_recovery(file_recovery_new);
95 file_recovery_new->extension="wab"; /* Adresse Book */
96 return 1;
97 }
98
header_check_pst(const unsigned char * buffer,const unsigned int buffer_size,const unsigned int safe_header_only,const file_recovery_t * file_recovery,file_recovery_t * file_recovery_new)99 static int header_check_pst(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
100 {
101 if(buffer[INDEX_TYPE_OFFSET]==0x0e ||
102 buffer[INDEX_TYPE_OFFSET]==0x0f)
103 {
104 const uint64_t size=(uint64_t)buffer[FILE_SIZE_POINTER] +
105 (((uint64_t)buffer[FILE_SIZE_POINTER+1])<<8) +
106 (((uint64_t)buffer[FILE_SIZE_POINTER+2])<<16) +
107 (((uint64_t)buffer[FILE_SIZE_POINTER+3])<<24);
108 if(size < 0x1cd)
109 return 0;
110 /* Outlook 2000 and older versions */
111 reset_file_recovery(file_recovery_new);
112 file_recovery_new->extension=file_hint_pst.extension;
113 file_recovery_new->calculated_file_size=size;
114 file_recovery_new->data_check=&data_check_size;
115 file_recovery_new->file_check=&file_check_size;
116 return 1;
117 }
118 else
119 // if(buffer[INDEX_TYPE_OFFSET]==0x15 || buffer[INDEX_TYPE_OFFSET]==0x17)
120 { /* Outlook 2003 */
121 const uint64_t size=(uint64_t)buffer[FILE_SIZE_POINTER_64] +
122 (((uint64_t)buffer[FILE_SIZE_POINTER_64+1])<<8) +
123 (((uint64_t)buffer[FILE_SIZE_POINTER_64+2])<<16) +
124 (((uint64_t)buffer[FILE_SIZE_POINTER_64+3])<<24) +
125 (((uint64_t)buffer[FILE_SIZE_POINTER_64+4])<<32) +
126 (((uint64_t)buffer[FILE_SIZE_POINTER_64+5])<<40) +
127 (((uint64_t)buffer[FILE_SIZE_POINTER_64+6])<<48) +
128 (((uint64_t)buffer[FILE_SIZE_POINTER_64+7])<<56);
129 if(size < 0x201)
130 return 0;
131 reset_file_recovery(file_recovery_new);
132 file_recovery_new->extension=file_hint_pst.extension;
133 file_recovery_new->calculated_file_size=size;
134 file_recovery_new->data_check=&data_check_size;
135 file_recovery_new->file_check=&file_check_size;
136 return 1;
137 }
138 }
139
register_header_check_pst(file_stat_t * file_stat)140 static void register_header_check_pst(file_stat_t *file_stat)
141 {
142 static const unsigned char dbx_header[4]= { 0xCF, 0xAD, 0x12, 0xFE };
143 static const unsigned char wab_header[16] = { 0x9c, 0xcb, 0xcb, 0x8d, 0x13, 0x75, 0xd2, 0x11,
144 0x91, 0x58, 0x00, 0xc0, 0x4f, 0x79, 0x56, 0xa4 };
145 register_header_check(0, "!BDN", 4, &header_check_pst, file_stat);
146 register_header_check(0, dbx_header,sizeof(dbx_header), &header_check_dbx, file_stat);
147 register_header_check(0, wab_header,sizeof(wab_header), &header_check_wab, file_stat);
148 }
149