Magic numbers for keyring files?

David Shaw dshaw at jabberwocky.com
Wed Sep 25 17:46:03 CEST 2013


On Sep 25, 2013, at 9:18 AM, "Robert J. Hansen" <rjh at sixdemonbag.org> wrote:

> I'm working on adding support for GnuPG keyrings to a file carver (a
> forensic tool that recovers data from damaged filesystems, or recovers
> things that have been deleted but not overwritten).  Detecting an
> ASCII-armored keyblock is pretty easy: look for the "BEGIN PGP PUBLIC"
> header.  Binary, though, is still an unsolved question.
> 
> Before I start diving into code to find out if the keyring has a
> specific binary header I can detect, I figured I'd ask on-list.  :)
> 
> Does anyone know of any magic numbers for GnuPG keyring files?

Do you mean OpenPGP keyrings (i.e. "transferable public/secret keys", a la RFC-4880)?  If so, it's statistical magic only.  There are binary headers you can look for that don't quite ensure it's an OpenPGP keyring, but can leave you fairly confident.

Take a look at the "file" magic database as a start.  It's not 100%, but should get you going.

http://www.darwinsys.com/file/

David
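
One way to turn the "statistical magic" described above into a carver check, as an added example that is not part of the original message or of the `file` magic database: it parses RFC 4880 packet headers, requires a plausible Public-Key or Secret-Key packet, and counts how many keyring packet types chain after it. The function names, the three-packet threshold and the sample bytes are assumptions made for illustration.

```python
KEY_TAGS = {5, 6}                          # Secret-Key / Public-Key start a key
RING_TAGS = {2, 5, 6, 7, 12, 13, 14, 17}   # sig, keys, subkeys, trust, uid, attr
PK_ALGOS = {1, 2, 3, 16, 17, 18, 19, 22}   # RSA, Elgamal, DSA, ECDH, ECDSA, EdDSA

def parse_header(buf, off):
    """Return (tag, body_offset, body_length), or None if not a packet header."""
    if off + 2 > len(buf) or not buf[off] & 0x80:    # bit 7 is always set
        return None
    c, p = buf[off], off + 1
    if c & 0x40:                                     # new-format header
        tag, o1 = c & 0x3F, buf[p]
        if o1 < 192:
            n, length = 1, o1
        elif o1 < 224 and p + 2 <= len(buf):
            n, length = 2, ((o1 - 192) << 8) + buf[p + 1] + 192
        elif o1 == 255 and p + 5 <= len(buf):
            n, length = 5, int.from_bytes(buf[p + 1:p + 5], "big")
        else:
            return None                              # partial length or truncated
    else:                                            # old-format header
        tag, n = (c >> 2) & 0x0F, (1, 2, 4, 0)[c & 0x03]
        if n == 0 or p + n > len(buf):
            return None                              # indeterminate or truncated
        length = int.from_bytes(buf[p:p + n], "big")
    return tag, p + n, length

def keyring_score(buf, off):
    """Number of consecutive plausible keyring packets at off (0 = no match)."""
    hdr = parse_header(buf, off)
    if not hdr or hdr[0] not in KEY_TAGS or hdr[1] + hdr[2] > len(buf):
        return 0
    algo_at = {3: 7, 4: 5}.get(buf[hdr[1]]) if hdr[2] else None  # by key version
    if algo_at is None or algo_at >= hdr[2] or buf[hdr[1] + algo_at] not in PK_ALGOS:
        return 0
    count = 0
    while hdr and hdr[0] in RING_TAGS and hdr[1] + hdr[2] <= len(buf):
        count += 1
        hdr = parse_header(buf, hdr[1] + hdr[2])
    return count

def carve(buf, min_packets=3):
    """Offsets where a key packet is followed by a chain of keyring packets."""
    return [o for o in range(len(buf)) if keyring_score(buf, o) >= min_packets]

# Constructed sample: junk, then key + user ID + signature packets (not a real key).
KEY = b"\x99\x00\x0c" + b"\x04" + bytes.fromhex("5243053b") + b"\x01" + b"\x00\x07\x7f\x00\x05\x11"
UID = b"\xb4\x20" + b"Test User <test@example.invalid>"
SIG = b"\x88\x06" + b"\x04\x13\x01\x08\x00\x00"
SAMPLE = b"\x00" * 37 + KEY + UID + SIG + b"\x00" * 20
```

Raising `min_packets` cuts false positives on random data at the cost of missing keyrings that were truncated after the first packet or two.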




More information about the Gnupg-users mailing list