From eb5579b981dc13fab4a106ad34b939e91cf720dc Mon Sep 17 00:00:00 2001 From: Daniel Maslowski Date: Mon, 24 Nov 2025 16:26:53 +0100 Subject: [PATCH] docs/analysis: add hint on magic bytes Signed-off-by: Daniel Maslowski --- docs/analysis.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/docs/analysis.md b/docs/analysis.md index e72a1f6..5771dfd 100644 --- a/docs/analysis.md +++ b/docs/analysis.md @@ -12,6 +12,14 @@ The following example shall help understanding the thought process when trying to get behind the meaning of unknown data. Mind that this takes a lot of time. It often starts with the simple question: What is this? +A first helpful step is to try to identify headers and formats. Binary data +structures often start with markers called signatures, _magic_ bytes or numbers, +commonly four ASCII characters or significant numbers that suggest a meaning. +There are tools such as `file` to recognize them, as well as lists of common +[file signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) and +[magic bytes](https://tool.lu/en_US/magicbytes/). Search engines and communities +are quick to assist with a first effort. + Often enough, other researchers have already performed initial work to build on top of. In the case of Intel ME generation 3 hardware, there are manifests with lots of metadata, described through what are called _extensions_ by Positive @@ -128,6 +136,5 @@ Which yields: 514:d=0 hl=2 l= 0 prim: EOC ``` -Success! Next up, we need to find a suitable library to parse this data. Further +Success! Next up, we need to find a suitable library to parse this data. Further development is omitted here. -
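Review bot: the new paragraph in the first hunk (docs/analysis.md, lines added after "What is this?") presents signature detection without its main caveat: a magic value is a hint, not proof of format. Signatures can be absent (raw dumps, stripped or encrypted blobs), can collide with unrelated data, and `file` only reports the first match it finds unless run with `-k`. Suggest one sentence after "There are tools such as `file` to recognize them" along the lines of "Treat a match as a hypothesis and confirm it against the rest of the header (lengths, offsets, checksums) before building on it", which also ties in with the manifest-parsing walkthrough that follows. Minor wording: "commonly four ASCII characters or significant numbers that suggest a meaning" reads as two unrelated clauses; "often a short run of ASCII characters or a fixed constant" says the same more precisely.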
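Review bot: the second hunk (around line 128, after the `EOC` output block) replaces the "Success! Next up ..." line with visibly identical text and drops a trailing empty line, so it is a whitespace-only cleanup rather than part of the "add hint on magic bytes" change described in the subject. Either split it into its own commit or mention the trailing-whitespace fix in the commit message so the diff is not mistaken for an accidental edit.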