Why is it important
• It is very easy to conceal a file by changing its file name (and extension)
• Hence digital investigators do not depend on file names
to identify files
• A file signature is data used to identify or verify the
content of a file
• Two kinds
– File magic number
– File checksum
12 December 2017 © SC Cyber Solutions shweta@[Link]
File magic number
• A fixed sequence of bytes within a file
• Used to identify the format of the file
• Generally a short sequence of bytes (most are 2-4 bytes
long), though some formats use longer ones
• Usually placed at the beginning of the file, i.e. as a
header; a few formats keep it at a fixed offset instead
• Some file formats also add a footer (trailer) at the end,
e.g. a JPEG file ends with FF D9
• Lets a system or tool decide which program should open
the file, independently of the file extension
• Some signatures map to several possible programs
– E.g. images, which many viewers and editors can open
• Useful in classifying and salvaging data
fragments
• Helps with forensic data carving, i.e. recovering files
from unallocated space by scanning for known headers and footers
File Magic Number

Number (hex)                 Extension        Format
00 00 00 nn 66 74 79 70      mp4              MP4 video (ISO media "ftyp" box; nn is the box size)
33 67 70 35                  mp4              MP4/3GPP video files ("3gp5")
47 49 46 38 37 61            gif              Image file encoded in the Graphics Interchange Format ("GIF87a")
47 49 46 38 39 61            gif              Image file encoded in the Graphics Interchange Format ("GIF89a")
FF D8 FF E0                  jpg, jpeg        Image file encoded in the JPEG format (JFIF)
25 50 44 46                  pdf              PDF document ("%PDF")
50 4B 03 04                  zip, odt, docx   Zip and ZIP-based document files (local file header, "PK")
50 4B 05 06                  zip, odt, docx   Zip and document files (empty archive)
50 4B 07 08                  zip, odt, docx   Zip and document files (spanned archive)
File checksum
• Generally the result of a hash function (e.g. SHA-256)
computed over the file content
• Used to verify the integrity of the file content,
generally against transmission errors; it only detects
malicious tampering if the checksum itself is kept where
the attacker cannot rewrite it, or is keyed or signed
• The checksum can be appended at the end of the
file or stored in a separate file
File Signatures
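The detached-checksum pattern from the slide above, as an added example that is not part of the original slides: the "evidence" files are constructed in memory, the manifest follows the sha256sum format, and the second half shows the caveat in practice: a plain hash catches a flipped bit, but an attacker who can also rewrite the manifest passes the check, while a keyed tag (HMAC-SHA256, with a key the examiner is assumed to hold) still fails.

```python
"""Checksum-based integrity verification with a detached manifest, plus a keyed variant.

Added example, not from the original slides. The 'evidence' files below are
constructed in memory so the script runs offline.
"""
import hashlib
import hmac

# Constructed sample content standing in for files under examination.
FILES = {
    "disk.dd": bytes(range(256)) * 4,          # pretend evidence image
    "notes.txt": b"acquired 2017-12-12 by examiner\n",
}


def sha256_hex(data: bytes) -> str:
    """Plain checksum: SHA-256 of the complete file content."""
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict) -> str:
    """Detached checksum file in sha256sum(1) format: '<hex digest>  <name>' per line."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items()))


def verify_manifest(manifest: str, files: dict) -> dict:
    """Recompute each listed file's digest; returns name -> 'OK' | 'FAILED' | 'MISSING'."""
    status = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        digest, name = line.split("  ", 1)
        if name not in files:
            status[name] = "MISSING"
        elif hmac.compare_digest(sha256_hex(files[name]), digest):
            status[name] = "OK"
        else:
            status[name] = "FAILED"
    return status


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed checksum (HMAC-SHA256). Unlike a plain hash it cannot be recomputed by
    someone who alters the file but does not hold the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one bit at `offset` to simulate a transmission error or a deliberate edit."""
    return data[:offset] + bytes([data[offset] ^ 0x01]) + data[offset + 1:]


def scenario():
    """Walk through the honest and the malicious case; returns the three observations."""
    key = b"examiner-secret-key"            # assumption: held only by the examiner
    manifest = make_manifest(FILES)
    tag = hmac_tag(key, FILES["disk.dd"])

    # 1. A single flipped bit is caught by the plain checksum.
    corrupted = {**FILES, "disk.dd": tamper(FILES["disk.dd"], 100)}
    after_error = verify_manifest(manifest, corrupted)

    # 2. An attacker who can also rewrite the manifest makes the plain check pass ...
    forged_manifest = make_manifest(corrupted)
    after_attack_plain = verify_manifest(forged_manifest, corrupted)
    # ... but cannot produce a valid keyed tag without the key.
    after_attack_keyed = hmac_verify(key, corrupted["disk.dd"], tag)
    return after_error, after_attack_plain, after_attack_keyed


if __name__ == "__main__":
    err, plain, keyed = scenario()
    print("bit flip, plain checksum  :", err)
    print("attacker rewrote manifest :", plain)
    print("keyed tag still verifies  :", keyed)
```

In practice the manifest (or the HMAC key) is what has to live outside the attacker's reach: on write-once media, in the case file, or signed; a checksum stored next to the file it protects is only a transmission-error check.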
• File signatures are a good place to hide data: a file
is judged by its header, so changing the header changes
how the file is treated
• Attackers or employees with malicious intent have been
known to hide malicious files by changing the file
signature
• This can be done with a hex editor
Altering file signatures
• Open the file in a hex editor
• Go to the first 20 bytes of the file, which cover the
header of every format in the table above
• Overwrite the header bytes. Example: [Link] is hidden as a
JPEG image in the pictures folder by changing its file
signature header to FF D8 FF (and giving it a .jpg extension)
Investigating File Signatures
• File signature analysis is an important part of the
examination process
• It should be done at the beginning of the investigation
• This is so that the investigator and the investigation
tool see files for what they really are, not for what
their names claim
• Most examiners run a file signature analysis
right after the evidence file (image) is verified
• Forensic tools perform a file signature analysis
– To recognise the file format
– To decide how to treat and parse the file
– To see if the file format is compromised, e.g. a header
that matches a known type but a body that does not parse
as that type
– To flag a new or unknown file format
• The signature of each file in the evidence image is
compared with a database of known file signatures and
their expected extensions that the tool maintains; files
whose extension disagrees with their signature are
reported as mismatches
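A small signature analysis of the kind described above, covering both the hex-editor trick on the "Altering file signatures" slide and the tool-side check on this one. This is an added example, not code from the original slides or from FTK or EnCase: the signature table reproduces the slide's entries plus the generic JPEG SOI marker FF D8 FF, and all sample files are constructed in memory. Besides the extension-versus-signature comparison, it adds a cheap structural check for JPEG, which is what catches a file whose first three bytes were simply overwritten with FF D8 FF.

```python
"""File signature (magic number) analysis over a constructed set of files.

Added example, not code from the original slides or from any forensic product.
The signature table reproduces the slide's entries (plus the generic JPEG SOI
marker FF D8 FF), and every sample file below is constructed in memory.
"""
import os

# (pattern, expected extensions, description). None is a wildcard byte: the slide's "nn".
SIGNATURES = [
    ((0x00, 0x00, 0x00, None, 0x66, 0x74, 0x79, 0x70), {"mp4"}, "MP4 video (ftyp box)"),
    ((0x33, 0x67, 0x70, 0x35), {"mp4"}, "MP4/3GPP video (3gp5)"),
    ((0x47, 0x49, 0x46, 0x38, 0x37, 0x61), {"gif"}, "GIF87a image"),
    ((0x47, 0x49, 0x46, 0x38, 0x39, 0x61), {"gif"}, "GIF89a image"),
    ((0xFF, 0xD8, 0xFF), {"jpg", "jpeg"}, "JPEG image"),
    ((0x25, 0x50, 0x44, 0x46), {"pdf"}, "PDF document"),
    ((0x50, 0x4B, 0x03, 0x04), {"zip", "odt", "docx"}, "ZIP archive / ZIP-based document"),
    ((0x50, 0x4B, 0x05, 0x06), {"zip", "odt", "docx"}, "ZIP archive (empty)"),
    ((0x50, 0x4B, 0x07, 0x08), {"zip", "odt", "docx"}, "ZIP archive (spanned)"),
]


def identify(data: bytes):
    """Return the first (pattern, extensions, description) whose header matches, else None."""
    for sig in SIGNATURES:
        pattern = sig[0]
        if len(data) >= len(pattern) and all(p is None or p == b for p, b in zip(pattern, data)):
            return sig
    return None


def jpeg_structure_ok(data: bytes) -> bool:
    """Cheap format check beyond the magic number: walk the marker segments from SOI
    to SOS and require the FF D9 (EOI) trailer. A file whose first bytes were merely
    overwritten with FF D8 FF has no valid marker after the SOI and fails here."""
    if len(data) < 4 or data[:2] != b"\xff\xd8" or data[-2:] != b"\xff\xd9":
        return False
    pos = 2
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        if data[pos] != 0xFF or marker in (0x00, 0x01, 0xFF) or 0xD0 <= marker <= 0xD9:
            return False                       # not a marker, or a marker with no length field
        if marker == 0xDA:                     # SOS: entropy-coded image data follows
            return True
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return False
        pos += 2 + seg_len
    return False


def analyze(name: str, data: bytes):
    """Classify one file as ('ok' | 'mismatch' | 'forged' | 'unknown', description)."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    sig = identify(data)
    if sig is None:
        return "unknown", "no known signature"
    pattern, extensions, desc = sig
    if pattern[:3] == (0xFF, 0xD8, 0xFF) and not jpeg_structure_ok(data):
        return "forged", desc                  # header says JPEG, body does not parse as one
    if ext not in extensions:
        return "mismatch", desc                # renamed file: extension disagrees with signature
    return "ok", desc


def run(files: dict) -> dict:
    """Analyze every file; returns name -> (status, description)."""
    return {name: analyze(name, data) for name, data in files.items()}


# Constructed samples. GOOD_JPEG is a minimal but well-formed marker sequence;
# DOS_STUB is the start of an MZ executable.
GOOD_JPEG = (b"\xff\xd8"                                                       # SOI
             + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, length 16
             + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS, length 8
             + b"\x12\x34\x56"                                                 # scan data
             + b"\xff\xd9")                                                    # EOI
DOS_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 16
SAMPLES = {
    "holiday.jpg": GOOD_JPEG,
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 8,
    "report.docx": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20,
    "notes.txt": b"%PDF-1.7\n%%EOF\n",                                   # PDF hiding behind .txt
    "cat.jpg": b"\xff\xd8\xff" + DOS_STUB[3:] + b"\xff\xd9",              # executable with forged header
    "blob.bin": b"\x00\x01\x02\x03\x04\x05\x06\x07",
}

if __name__ == "__main__":
    for name, (status, desc) in run(SAMPLES).items():
        print(f"{name:12} {status:9} {desc}")
```

Running it reports holiday.jpg, clip.mp4 and report.docx as ok, notes.txt as a mismatch (PDF signature under a .txt name), cat.jpg as forged (JPEG header, but the byte after the SOI is not a valid marker), and blob.bin as unknown. Commercial tools do the same two things at larger scale: a signature database with expected extensions, and per-format parsing to tell a genuine file from one wearing a borrowed header.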
• FTK – KFF (Known File Filter), which matches file hashes against a
library of known files
• EnCase – File Signatures table, used by its signature analysis to
compare headers with extensions