Find a binary signature in a file
sigfind [-b bsize ] [-o offset ] [-t template ] [-lV] [ hex_signature ] file
sigfind searches through a file and looks for the hex_signature at a given offset. This can be used to search for lost boot sectors, superblocks, and partition tables.
Specify the block size in which to search. The default is 512 and the value must be a multiple of 512.
Specify the offset in a block in which the signature must exist. The default is 0.
Specify a template name that defines the signature value and offset. Run with no options to get a list of supported templates.
The signature is stored in little-endian ordering and must therefore be reversed.
Display version
The binary signature that you are searching for. It must be given in hexadecimal format. This argument must exist if -t is not used.
Any raw data.
sigfind -o 510 -l AA55 disk.dd
sigfind -t fat disk.dd
Brian Carrier <carrier at sleuthkit dot org>
Send documentation updates to <doc-updates at sleuthkit dot org>