Magic numbers for keyring files?
dshaw at jabberwocky.com
Wed Sep 25 17:46:03 CEST 2013
On Sep 25, 2013, at 9:18 AM, "Robert J. Hansen" <rjh at sixdemonbag.org> wrote:
> I'm working on adding support for GnuPG keyrings to a file carver (a
> forensic tool that recovers data from damaged filesystems, or recovers
> things that have been deleted but not overwritten). Detecting an
> ASCII-armored keyblock is pretty easy: look for the "BEGIN PGP PUBLIC"
> header. Binary, though, is still an unsolved question.
> Before I start diving into code to find out if the keyring has a
> specific binary header I can detect, I figured I'd ask on-list. :)
> Does anyone know of any magic numbers for GnuPG keyring files?
Do you mean OpenPGP keyrings (i.e. "transferable public/secret keys", a la RFC-4880)? If so, it's statistical magic only. There are binary headers you can look for that don't quite ensure it's a OpenPGP keyring, but can leave you fairly confident.
Take a look at the "file" magic database as a start. It's not 100%, but should get you going.
More information about the Gnupg-users