Commit 53dfd753efb9a549b81d2120aecde7d6b2dd278a

Authored by decalage2
1 parent 857d1e4a

ftguess: added OneNote format

Showing 1 changed file with 23 additions and 1 deletions
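--- a/oletools/ftguess.py
+++ b/oletools/ftguess.py
@@ -189,6 +189,7 @@ class FTYPE(object):
 GENERIC_OPENXML = 'OpenXML' # Generic OpenXML file
 UNKNOWN = 'Unknown File Type'
 MSI = "MSI"
+ONENOTE = "OneNote"
 
 class CONTAINER(object):
 """
@@ -203,6 +204,7 @@ class CONTAINER(object):
 MIME = 'MIME'
 BINARY = 'Binary' # Generic binary file without container
 UNKNOWN = 'Unknown Container'
+ONENOTE = 'OneNote'
 
 class APP(object):
 """
@@ -215,6 +217,7 @@ class APP(object):
 MSVISIO = 'MS Visio'
 MSPROJECT = 'MS Project'
 MSOFFICE = 'MS Office' # when the exact app is unknown
+MSONENOTE = 'MS OneNote'
 ZIP_ARCHIVER = 'Any Zip Archiver'
 WINDOWS = 'Windows' # for Windows executables and XPS
 UNKNOWN = 'Unknown Application'
@@ -678,6 +681,25 @@ class FType_MSI(FType_Generic_OLE):
 extensions = ['msi']
 
 
+class FType_OneNote(FType_Base):
+container = CONTAINER.ONENOTE
+application = APP.MSONENOTE
+filetype = FTYPE.ONENOTE
+name = 'OneNote'
+longname = 'MS OneNote Revision Store (.one)'
+extensions = ['one']
+content_types = ('application/msonenote',)
+PUID = 'fmt/637'
+# ref: https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-onestore/ae670cd2-4b38-4b24-82d1-87cfb2cc3725
+# PRONOM: https://www.nationalarchives.gov.uk/PRONOM/Format/proFormatSearch.aspx?status=detailReport&id=1437
+
+@classmethod
+def recognize(cls, ftg):
+# ref about Header with OneNote GUID:
+# https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-onestore/2b394c6b-8788-441f-b631-da1583d772fd
+return True if ftg.data.startswith(b'\xE4\x52\x5C\x7B\x8C\xD8\xA7\x4D\xAE\xB1\x53\x78\xD0\x29\x96\xD3') else False
+
+
 # TODO: for PPT, check for stream 'PowerPoint Document'
 # TODO: for Visio, check for stream 'VisioDocument'
 
@@ -770,7 +792,7 @@ class FileTypeGuesser(object):
 self.data_bytesio = io.BytesIO(self.data)
 
 # Identify the main container type:
-for ftype in (FType_RTF, FType_Generic_OLE, FType_Generic_Zip):
+for ftype in (FType_RTF, FType_Generic_OLE, FType_Generic_Zip, FType_OneNote):
 if ftype.recognize(self):
 self.ftype = ftype
 break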
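Review bot: In `FType_OneNote.recognize` the 16-byte signature is an unnamed inline literal, and `True if ... else False` is redundant because `startswith` already returns a bool. I would give the literal a name on the class, e.g. `ONENOTE_MAGIC = b'\xE4\x52\x5C\x7B\x8C\xD8\xA7\x4D\xAE\xB1\x53\x78\xD0\x29\x96\xD3'  # guidFileType {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}, little-endian`, and reduce the body to `return ftg.data.startswith(cls.ONENOTE_MAGIC)`. The class also has no docstring. One should state that recognition relies only on the first 16 bytes of the header, so only `.one` section files match. Other revision-store files such as `.onetoc2` appear to carry a different GUID and would still be reported as unknown, which matters to anyone using ftguess output to route OneNote samples to further analysis.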