-- Using the file command we can see that it is a Mac FAT file.

$ file ./forensics200-5be06945190cf5ff9722d0b5f12e0013
./forensics200-5be06945190cf5ff9722d0b5f12e0013: Mach-O fat file with 3 architectures

-- First, checking the contents with strings reveals the following facts:

1) There are Adobe-related signatures after JFIF, so a JPEG file is embedded inside.
2) There are function names containing underscores, so a compiled executable binary is embedded inside. Also, combining several of the strings results, we can guess that it is in ELF format.

-- Based on the above results, I first wrote a script, restore.py, that recovers the original JPEG file.

============================================
$ cat restore.py
#! /usr/bin/python
Pattern_JFIF = b"\xff\xd8\xff\xe0"   # JPEG SOI marker followed by the APP0 (JFIF) marker
OrgFile = "forensics200-5be06945190cf5ff9722d0b5f12e0013"
with open(OrgFile, "rb") as f:
    fstr = f.read()
idx = 0
while True:
    idx = fstr.find(Pattern_JFIF, idx)
    if idx == -1:
        break
    filename = "dump_%08x.jpg" % idx
    with open(filename, "wb") as f:
        f.write(fstr[idx:])          # dump from this signature to the end of the file
    print("restored [%s]" % filename)
    idx += len(Pattern_JFIF)         # step past the match so the loop terminates

$ file ./dump_00000044.jpg
./dump_00000044.jpg: JPEG image data, JFIF standard 1.01
============================================

-- Opening the above file shows the answer.

FORENSIC200 key: IDYLWOOD GRILL
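As an added example (not the write-up's own restore.py), a Python 3 carver that parses the Mach-O fat header and cuts each image at its EOI marker instead of dumping to end of file. A fat_header is 8 bytes and each fat_arch entry is 20, so a header declaring 3 architectures ends at 8 + 3*20 = 0x44, the offset where restore.py found the JPEG. The sample bytes are constructed.

```python
import struct

FAT_MAGIC = 0xCAFEBABE      # Mach-O fat (universal) binary magic, stored big-endian
FAT_HEADER_LEN = 8          # struct fat_header: uint32 magic, uint32 nfat_arch
FAT_ARCH_LEN = 20           # struct fat_arch: cputype, cpusubtype, offset, size, align
JPEG_SOI = b"\xff\xd8\xff"  # start-of-image plus the lead byte of the first marker (\xe0 = JFIF APP0)
JPEG_EOI = b"\xff\xd9"      # end-of-image

def fat_header_len(data):
    """Byte length of the fat header, or None if data does not start with one."""
    if len(data) < FAT_HEADER_LEN:
        return None
    magic, nfat_arch = struct.unpack(">II", data[:FAT_HEADER_LEN])
    if magic != FAT_MAGIC:
        return None
    return FAT_HEADER_LEN + nfat_arch * FAT_ARCH_LEN

def carve_jpegs(data):
    """Return [(offset, jpeg_bytes, complete)] for every SOI..EOI span in data; no EOI -> rest of buffer, flagged incomplete."""
    found = []
    idx = 0
    while True:
        start = data.find(JPEG_SOI, idx)
        if start == -1:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            found.append((start, data[start:], False))
            break
        end += len(JPEG_EOI)
        found.append((start, data[start:end], True))
        idx = end  # resume after this image, so the loop always advances
    return found

# Constructed sample: fat header declaring 3 architectures (zeroed fat_arch
# entries), then a minimal JFIF-like image, then a few trailing bytes.
SAMPLE = (struct.pack(">II", FAT_MAGIC, 3) + b"\x00" * (3 * FAT_ARCH_LEN)
          + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x11" * 16 + b"\xff\xd9"
          + b"\x00" * 8)

if __name__ == "__main__":
    print("fat header ends at 0x%x" % fat_header_len(SAMPLE))
    for off, img, complete in carve_jpegs(SAMPLE):
        name = "dump_%08x.jpg" % off
        with open(name, "wb") as out:
            out.write(img)
        print("restored [%s] %d bytes, complete=%s" % (name, len(img), complete))
```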