Week 7 Flashcards
What is a file extension?
A file extension is a 2-4 character entry that follows the name of a file and indicates what TYPE of file the OPERATING SYSTEM should treat the file as.
Is it hard to change a file extension? What are the implications of this?
No. They can be changed quite easily and this impacts how the OS views the file. Changing the file extension is a common way to attempt to hide contraband files and/or files of interest from digital forensic analysis.
Review Hexadecimal from Previous Week
File Headers
Used to validate the type of file (e.g. to detect a mismatch between the header and the extension)
* Usually a 4-byte hexadecimal value at the beginning of the file
* Indicates the type of file (also called the MIME type)
* Usually uniform for certain types of files
They can be used to carve for data
* Contains other information about the file such as length (space that the file takes up), size, etc.
These are HARD to change. So, they can be examined to identify the true file type, regardless of the extension.
File Signatures
- Also embedded in the hexadecimal data of the file
- Contains the “Magic Number” - A constant numerical or text value used to identify a file format or protocol for that file
- Also tells us the overall length/size of the file on the disk = logical size of the file (space that the file takes up on the system)
- This data is part of what is referred to as file metadata
- File signatures & headers are often referred to synonymously
- Very difficult to change the signature, because this is how programs (not the OS) read the file
Data carving
An automated OR manual process to search for certain types of data in remnant or “unallocated” areas of the memory.
The analyst needs to tell the software what to search for in the automated fashion.
- Some tools (Autopsy) automatically scan for common file types (.jpg, video files, documents etc.)
- Many returns from this scan may not be viewable or may be scrambled images
- If parts of the file are missing and the tool IDs the file as a certain type, it may still not be human-readable
Review Unallocated vs. Allocated
From a LEGAL standpoint, if we find contraband or other evidence in UNALLOCATED space, is the owner of the computer implicated in the incident or crime?
Mostly no, because the law says one must “knowingly” possess XYZ. Evidence in unallocated space doesn’t necessarily mean it was knowingly possessed.
Automated Data Carving in Autopsy
- Autopsy automatically scans, processes, carves and presents deleted or carved files of common types
- This includes pictures, video & documents
- Autopsy can be customized with a plug-in to carve for less common file types, but…
- What do you think the examiner has to know about this file type? (would have to know specific header/type)
*Other tools may do this automatically or manually, or a combination of both
Why/When would we want to carve for unallocated data?
* In support of image cases – to show a pattern of behavior
* In malware incident response – some malware is self-destructing
* In questioned document cases – even without metadata of ownership, we may be able to attribute prior versions of a document to an author or owner
* Data recovery of all types (see blog)
* To find prior existing partitions, installation data, etc. – can reconstruct older partitions
Validation of Automated Findings
In Autopsy, we can click the “Hex View” tab and look at the hexadecimal rendering of the carved file
*If the Hexadecimal reads any of the standard .JPG file headers, the carving is validated
* 4A464946
* FF D8 FF E0, etc.
* We can also export the file and look at the hex using 3rd-party tools to validate the file as an image
* We could use FTK imager or Autopsy for this
Is There Such a Thing as a ”File Footer”?
Yes!
*Some files have a “footer” that is appended to the end of a file, but it is generally considered part of the Header
*Variable in length
*Never found at fixed offset (position) in the data
*Most often used when dealing with backward-compatibility of a file
* Think MS Office docs 97-2003 vs. newer docs
Can File Headers Be Changed?
*It Depends! It’s really hard!
*High Degree of Technical Ability
*Requires Hex Editor (WinHex)
*Pretty complex way to hide data when faced with options like Encryption
- Even if you can edit it, sometimes Windows doesn’t know what to do with it!