[File] [PATCH] of Magdir/windows for Windows Easy Transfer migration data *.mig

Jörg Jenderek joerg.jen.der.ek at gmx.net
Sat Nov 2 22:08:30 UTC 2019 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,
some days ago i read an article about problems and solutions when
switching from Windows 7 to 10.

In Windows 7 there exist a tool migwiz.exe inside system32 sub
directory with name "Windows Easy Transfer". Microsoft does not
support this tool any more and you get no real help. What an arrogant
behaviour!

But this tool still can be used even with Windows 10 to transfer files
and settings. One possibility of the tool is to store the saved stuff
as file with name extension mig on an external USB drive on network
drive. When i run file command version 5.37 on such samples these are
described only as data.

Some information about  Windows Easy Transfer can be found on
Wikipedia. So i add comment line to Magdir/windows like
 # URL:		https://en.wikipedia.org/wiki/Windows_Easy_Transfer

Unfortunately i find no file format specification for such MIG files.
The file identifier "TrID" ( see http://mark0.net/soft-trid-e.html)
describes such files as "Windows Easy Transfer migration data".
So i rely on TrID definition for identifying and mention that
reference by remark line like
 # Reference: mark0.net/download/triddefs_xml.7z/defs/m/mig.trid.xml

According to TrID identify now such samples are described by line:
 0	string		1giM	Windows Easy Transfer migration data
Afterwards show a user defined mime type an file name extension by
lines:
 !:mime	application/x-ms-mig
 !:ext	mig
Microsoft itself called such saved archive "Migration Store" or
"EasyTransfer file".

Furthermore i rely on my own observations. Apparently after header
are structures coming with keyword MRTS at some different positions.
Afterwards first file name length seems to be stored and 20 bytes
forward first file name is stored as URL string like File\C:\3 with
UTF-16 little endian coding. This information can be shown by lines
like:
 >0x18		search/29/b	MRTS
 >>&0		ulelong		x	\b, 1st length %u
 >>&20		lestring16	x	\b, 1st %-s

For MIG files without password MRTS tag always seems to be found at
offset 0x18. For samples with password this tag occur some bytes
forward. Some bytes after the filename a compressed structure seems
to be stored starting with byte sequence 7801h. For variants without
password this structure is 8 bytes after first file name part
For such samples with the help of stored file name length calculate
and print this offset to this structure and inspect this structure
by using other file magic parts. So this looks like
 >0x18			string		=MRTS	without password
 >>0x1c			ulelong+0x38	x	\b, at 0x%x
 >>(0x1c.l+0x38)	ubyte		x
 >>>&-1			indirect	x
 >0x18			string		!MRTS	with password
For my examples this structures are identified by Magdir/compress as
zlib compressed data. For samples with password zlib looking
structures seems to come also some bytes after file name part.

After applying the above mentioned modifications by patch
file-5.37-windows-mig.diff then i get an output like

TEST10PublicVideosNoPassword.MIG:
	Windows Easy Transfer migration data
	without password,
	at 0xd0 zlib compressed data,
	1st File\C:\Users\nutzer\AppData\Roaming\
	Microsoft\Windows\Libraries\desktop.ini\003
TEST15-1File3rootdirPassworda-z1-0A-Z1-0.MIG:
	Windows Easy Transfer migration data
	with password,
	1st File\C:\3\003\007\310
Windows-EasyTransfer - Elemente vom Quellcomputer.MIG:
	Windows Easy Transfer migration data
	without password,
	at 0xa6 zlib compressed data,
	1st File\
	C:\Users\user\.dbus-keyrings\org_gtk_gdbus_general
Windows-EasyTransfer - TEST3.MIG:
	Windows Easy Transfer migration data
	with password,
	1st File\
	C:\Users\user\AppData\Roaming\
	Microsoft\Internet Explorer\Quick Launch\desktop.ini

I hope my diff file can be applied in future version of
file utility.

With best wishes
Jörg Jenderek
- --
Jörg Jenderek

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCXb3+VQAKCRCv8rHJQhrU
1pj+AJ4/9twH7/KPOvj2Yj5wqNjSgWWtYwCfTfqIxmFdB5NX4Q9dTx7dJ5T0qe8=
=7mF2
-----END PGP SIGNATURE-----
-------------- next part --------------
--- file-5.37/magic/Magdir/windows.old	2019-05-01 17:55:25 +0000
+++ file-5.37/magic/Magdir/windows	2019-11-02 21:41:48 +0000
@@ -877,5 +877,29 @@
 #>0x7c	ubequad		x			\b, rhIntegrity 0x%16.16llx
 # Unused[60]
 #>148	ubequad		!0			\b,unused 0x%16.16llx
 #
 
+# From:		Joerg Jenderek
+# URL:		https://en.wikipedia.org/wiki/Windows_Easy_Transfer
+# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/m/mig.trid.xml
+# Note:		called "Windows Easy Transfer migration data" by TrID,
+#		"Migration Store" or "EasyTransfer file" by Microsoft
+0		string		1giM	Windows Easy Transfer migration data
+#!:mime		application/octet-stream
+!:mime		application/x-ms-mig
+!:ext		mig
+>0x18		string		=MRTS	without password
+# data offset with 1 space at end
+>>0x1c		ulelong+0x38	x	\b, at 0x%x 
+# look for zlib compressed data by ./compress
+>>(0x1c.l+0x38)	ubyte		x
+>>>&-1	indirect	x
+# in password protected examples MRTS comes some bytes further
+>0x18		string		!MRTS	with password
+# look for first MRTS tag
+>0x18		search/29/b	MRTS
+# probably first file name length like 178, ...
+#>>&0		ulelong		x	\b, 1st length %u
+# URL like File\C:\Users\nutzer\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
+>>&20		lestring16	x	\b, 1st %-s
+
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.37-windows-mig.diff.sig
Type: application/octet-stream
Size: 95 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20191102/233461ca/attachment.obj>

More information about the File mailing list