NAME¶

sigfind - Find a binary signature in a file

SYNOPSIS¶

sigfind [-b bsize ] [-o offset ] [-t template ] [-lV] [ hex_signature ] file

DESCRIPTION¶

sigfind searches through a file and looks for the hex_signature at a given offset. This can be used to search for lost boot sectors, superblocks, and partition tables.

ARGUMENTS¶

-b bsize: Specify the block size in which to search. The default is 512 and the value must be a multiple of 512.
-o offset: Specify the offset in a block in which the signature must exist. The default is 0.
-t template: Specify a template name that defines the signature value and offset. Run with no options to get a list of supported templates.
-l: The signature is stored in little-endian ordering and must therefore be reversed.
-V: Display version
[hex_signature]: The binary signature that you are searching for. It must be given in hexadecimal format. This argument must exist if -t is not used.
file: Any raw data.

EXAMPLES¶

sigfind -o 510 -l AA55 disk.dd

sigfind -t fat disk.dd

AUTHOR¶

Brian Carrier <carrier at sleuthkit dot org>

Send documentation updates to <doc-updates at sleuthkit dot org>

Source file:	sigfind.1.en.gz (from sleuthkit 4.12.0-bp156.1.5)
Source last updated:	2022-12-23T20:19:01Z
Converted to HTML:	2025-10-30T21:17:44Z