Signature Store
Signatures and other data are stored in an extensible file format called "Forensic Signature Store", or "FSS" for short. This is a tagged format that can handle any new datatype as required. Besides storing data, it also has the ability to create a dependency list, which is a list of other streams within the store. This is typically used to store a list (and order) of streams to be hashed as an additional integrity check.
The format is as follows:
- Header
- 16-bit magic number identifier S
- 16-bit checksum of body
- Body
- Zero or more Streams
Each Stream is formatted as follows:
- Stream Header
- 1-5 bytes stream identifier
- 1-5 bytes stream length
- Stream Body
- 0-2^32 bytes stream data
NB: A stream store does not know its own length. It is assumed that whatever is storing it will know how much has been stored.
The data format for each stream is dependent upon its stream identifier. Duplicate stream identifiers are not allowed. A lookup table must be provided in order for the Stream Store code to decode stream data for use. This is done dynamically.
32v encoding
The variable byte length values (programmatically called 32v or 64v) use a simple 7-bit lo-hi encoding with the top bit set to indicate another byte:
| 0 | 7f | 1 byte |
| 80 | 7fff | 2 bytes |
| 8000 | 7f ffff | 3 bytes |
| 80 0000 | 7fff ffff | 4 bytes |
| 8000 0000 | ffff ffff | 5 bytes |
Typically, only 1 or 2 bytes are needed for most values stored.