Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
87 lines (77 sloc) 1.98 KB
//------------------------------------------------
//--- 010 Editor v8.0.1 Binary Template
//
// File: ._ files on macOS
// Authors: Yogesh Khatri <yogesh@swiftforensics.com>
// Version: 0.2
// Purpose: Reading files that begin with ._ like ._ABC.jpg
// Category: macOS
// File Mask:
// ID Bytes: 00051607
// History: Last Updated Nov 8 2018
//------------------------------------------------
// All values in Big Endian
typedef struct {
local uint64 pos;
uint ValueOffset;
uint ValueLen;
ushort Unknown; // 00 00
ubyte NameLen;
char Name[NameLen];
if (FTell()%4)
byte Padding[4 - (FTell()%4)];
// Bookmarking data too!
pos = FTell();
FSeek(ValueOffset);
byte Value[ValueLen] <bgcolor=cLtGreen>;
FSeek(pos);
} AttrDefinition <read=ReadAttrDef, bgcolor=cRed>;
string ReadAttrDef(AttrDefinition &a) {
return a.Name;
}
typedef struct {
char Signature[4]; //"ATTR"
uint Unknown1;
uint LogicalFileSize;
uint ValuesOffset;
uint ValuesLen;
uint Unknown3; // 0
uint Unknown4; // 0
uint Unknown5; // 0
uint NumAttributes;
} ATTR_Header <bgcolor=cBlue>;
typedef struct {
uint Id;
uint Offset;
uint Size;
local uint64 pos = FTell();
// Seek to Entry
local uint i;
FSeek(Offset);
if (Id == 9) {
byte Unknown[0x22];
ATTR_Header attr_head;
if (attr_head.Signature != "ATTR")
Warning("Not the right ATTR signature!");
for (i=0; i<attr_head.NumAttributes; ++i)
AttrDefinition attr_def;
}
else if (Id == 2) { // Resource Fork
byte ResourceFork[Size];
}
FSeek(pos);
} Entry;
typedef struct {
uint Magic; // 00 05 16 07
ushort Version; // 00 02
ushort Reserved; // 00 00
char Macosx[16]; // "Mac OS X "
ushort NumEntries; // 00 02
} Header <bgcolor=cYellow>;
BigEndian();
Header header;
if (header.Magic != 0x00051607) {
Warning("Not the right signature, exiting!");
return;
}
Entry entry[header.NumEntries] <optimize=false>;