fixing details regarding the data format

[janstarke]

• checksum: I found the value you specified is not the starting value for checksum calculation. However, it seems that the starting value you gave is exactly the magic number "\xef\xcd\xab\x89". So, if you start at byte offset 4, using this starting value, it gets nulled out when XORing with the magic number. So, either you start with offset 4 using the starting value you supplied ((which is what you are doing;

  libesedb/libesedb/libesedb_file_header.c

  Lines 678 to 683 in d959e1e

  	if( libesedb_checksum_calculate_little_endian_xor32(
  	&calculated_xor32_checksum,
  	&( data[ 4 ] ),
  	data_size - 4,
  	0x89abcdef,
  	error ) != 1 )

  )), or you start at offset 8 with no starting value.
• DBTIME: I found in my test data that the structure contains three 1-byte-values (which follow your assertions and do look like a time), followed by 5 NULL-bytes.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 16.83%. Comparing base (d959e1e) to head (8c57e22).

❗ There is a different number of reports uploaded between BASE (d959e1e) and HEAD (8c57e22). Click for more details.

HEAD has 2 uploads less than BASE

Flag	BASE (d959e1e)	HEAD (8c57e22)
	4	2

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #72      +/-   ##
==========================================
- Coverage   22.19%   16.83%   -5.37%     
==========================================
  Files          53       53              
  Lines       12299    12296       -3     
  Branches     2843     2842       -1     
==========================================
- Hits         2730     2070     -660     
- Misses       9141     9894     +753     
+ Partials      428      332      -96     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[joachimmetz]

Thanks for the proposed changes will take a look when time permits.

[joachimmetz]

running esentutl /mh on a test database shows dbtime: 449 (0x1c1)

libesedb_file_header_read_data: checksum                                : 0x09174c14
libesedb_file_header_read_data: signature                               : 0x89abcdef
libesedb_file_header_read_data: format version                          : 0x00000620
libesedb_file_header_read_data: file type                               : 0 (Database)
libesedb_file_header_read_data: database time:
00000000: c1 01 00 00 00 00 00 00                            ........

Note that your proposed changes look more related to log time https://github.com/libyal/libesedb/blob/main/documentation/Extensible%20Storage%20Engine%20(ESE)%20Database%20File%20(EDB)%20format.asciidoc#log_time

Given the PR introduces incorrect offsets, I'll close this PR in favor of future documentation tweaks.

[joachimmetz]

The checksum is a XOR over the 32-bit little-endian values in the header starting at offset 8 to at least offset 668, but presumably page size. The value 0x89abcdef is used as the initial value.

Actually the offset (in the original text) is incorrect here. This should be offset 4, given a change to the value at offset 4 will lead to checksum mismatch if checked with esentutl /k