0

I have a MS SQL Server table with images stored in a large object. I know the BLOB contains image data, but I don't know what type all the images are. There are two different types identified by a type field, but that field contains a 1 or a 2. I have identified type 1 as a PDF, but cannot determine what type 2 is. The signature is {59F09E3A-D30B-419C-90E3-F95B27AC56E4}. This string starts every image with type = 2.

This doesn't even look like a known standard signature. I was able to extract the blobs into individual files, and can read PDF's by including a .pdf extension. I have tried several known image extensions (.gif, .jpg, .png, .bmp, .tif) but none of these help me, and Windows paint is unable to open the file. Is there any way I can even determine the image type? Or does this signature look like something else, maybe a container signature, or an encryption signature, or something else?

jmarkmurphy
  • 101
  • 1
    That signature is just a GUID. How do you know it's an image? For one PDF is not an image format so you already know that the table doesn't just store images. So it might just be another document format. I have to wonder why you don't have a look at the documentation for said database? – Seth Oct 13 '21 at 05:56
  • Generally the programs that are my go to for fileid are file on Linux and trid https://mark0.net/soft-trid-e.html which you can run on the actual files you have extracted – Journeyman Geek Oct 13 '21 at 08:44
  • They are invoices. And you are right, these PDF's do not contain images. I just called it an image because it is in an image field in the database. Problem is, I don't have any documentation for the database, this is an exercise in database forensics. – jmarkmurphy Oct 13 '21 at 14:37
  • I tried trid, but it couldn't identify the documents. Going to have to use another approach. – jmarkmurphy Oct 13 '21 at 15:32
  • Share the blob... maybe with Dropbox or Google Drive. – Mark Setchell Jun 21 '22 at 20:52
  • @MarkSetchell Sorry, Can't do that. Client might be a little upset about me sharing an invoice image. – jmarkmurphy Jun 22 '22 at 12:22
  • Ok, try running the blob through the Linux strings tool to see if you get any hints. – Mark Setchell Jun 22 '22 at 12:33
  • I'm on Windows, is there anything there I can try? – jmarkmurphy Jun 22 '22 at 16:18
  • If you have Python you could try this... https://stackoverflow.com/a/17196521/2836621 Instead of his line content=... you would need content = open('YOURBLOB','r').read() – Mark Setchell Jun 22 '22 at 16:26

1 Answers1

0

Is there any way I can even determine the image type?

Theoretically, you may be able to use a program such as ImageMagick to identify the images with something like magick -identify filename. This, of course, assumes that the files are supported by ImageMagick.

Anaksunaman
  • 17,239