On Sep 25, 2013, at 9:18 AM, "Robert J. Hansen" <r...@sixdemonbag.org> wrote:
> I'm working on adding support for GnuPG keyrings to a file carver (a > forensic tool that recovers data from damaged filesystems, or recovers > things that have been deleted but not overwritten). Detecting an > ASCII-armored keyblock is pretty easy: look for the "BEGIN PGP PUBLIC" > header. Binary, though, is still an unsolved question. > > Before I start diving into code to find out if the keyring has a > specific binary header I can detect, I figured I'd ask on-list. :) > > Does anyone know of any magic numbers for GnuPG keyring files? Do you mean OpenPGP keyrings (i.e. "transferable public/secret keys", a la RFC-4880)? If so, it's statistical magic only. There are binary headers you can look for that don't quite ensure it's a OpenPGP keyring, but can leave you fairly confident. Take a look at the "file" magic database as a start. It's not 100%, but should get you going. http://www.darwinsys.com/file/ David _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users