CSC414 Computer System Fundamentals
URI Digital Forensics Center, Department of Computer Science and Statistics
http://www.forensics.cs.uri.edu
File Signatures
Hexadecimal Data
- Hex is a way to view binary data
- Group bits into four digits
- Two groups per byte
- Two hex characters per byte
- 16 possible combinations
- Use 0-9, A-F
Easier to recognize patterns and read data
01010100 01101000 01101001 01110011

Binary  Hex  Decimal
0000    0    0
0001    1    1
0010    2    2
0011    3    3
0100    4    4
0101    5    5
0110    6    6
0111    7    7
1000    8    8
1001    9    9
1010    A    10
1011    B    11
1100    C    12
1101    D    13
1110    E    14
1111    F    15

5 4   6 8   6 9   7 3
54    68    69    73
T     h     i     s
Hex Editors
Allow you to examine and change the bits of a file, or the bits of a disk regardless of file boundaries.
- Allow viewing, searching, and modifying at the bit/byte level of files and disks
- Similar to a microscope, allowing you to see the raw bits without interpretation by the operating system or an application
- ASCII codes are provided, but do not necessarily indicate byte values
- WinHex Specialist, FTK, EnCase, X-Ways provide hex “view” of data and disks.
Text Files
ASCII codes are stored "as is"
- Each character you see or type
- Return key, tabs and special characters are stored also.

Binary      Hex  Symbol           Note
0101 0100   54   T
0010 0000   20   Space
0000 1101   0D   Carriage Return  Used by TRS-80, Mac OS 9 and earlier
0000 1010   0A   Line Feed        Used by Mac OS X and Linux
0000 1001   09   Tab
.doc Files
Microsoft Word Files (before 2007)
File Signature for Microsoft Office 2003 and earlier
Metadata
Offset into file of 0A00
Text starts 2,560 bytes into the file
File Signatures
File signatures define the file
- Suspect may hide file by changing file extension like .jpg to .exe
- Most people don’t know about file signatures
- Changing file signature can make the file corrupt
  - Programs will not know how to interpret the data
- Forensic tools allow searching for hex file signature to truly find all files of a type
Data Carving
Using a hex editor to follow file table or markers in a file to find all parts of a file.
For example, to reconstruct an image even if part has been erased.
File Signatures

File Type                        File Extension      File Signature
Microsoft Office (before 2007)   .doc .xls .ppt      D0 CF 11 E0 A1 B1 1A E1
Microsoft Office (after 2007)    .docx .xlsx .pptx   50 4B 03 04 14 00 06 00
Zip Compressed Archive           .zip                50 4B 03 04 (ASCII = PK)
PDF Documents                    .pdf                25 50 44 46
JPEG Image                       .jpeg .jpg          FF D8 FF E0 ?? ?? 4A 46 49 46 00
TIFF Image                       .tiff .tif          49 49 2A 00
Bitmap Image                     .bmp                42 4D
Audio Interchange Format         .aif .aiff          46 4F 52 4D 00
Waveform Audio Format            .wav                57 41 56 45 66 6D 74 20
MPEG-4                           .mp4                33 67 70 35
MPEG-1 Audio Layer 3 Audio       .mp3                49 44 33
Dynamic Library                  .dll                21 3C 61 72 63 68 3E 0A
Windows Program (executable)     .exe                4D 5A 90 00 03 00 00 00

PDF Trailers    0A 25 25 45 4F 46 0A         ( %%EOF )
                0D 0A 25 25 45 4F 46 0D 0A   ( %%EOF )
                0D 25 25 45 4F 46 0D         ( %%EOF )
JPEG Trailer    FF D9
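The extension-versus-signature check described above, as an added example that is not part of the original slides: it matches a file's leading bytes against signatures from the table and flags names whose extension disagrees. File names and sample bytes are constructed, and JPEG and EXE are matched on their leading bytes only.

```python
from pathlib import PurePath

# Signatures taken from the slide's table: (magic bytes, type, listed extensions).
# Assumption: JPEG and EXE are matched on their leading bytes only (FF D8 FF, 4D 5A).
SIGNATURES = [
    (bytes.fromhex("D0CF11E0A1B11AE1"), "Microsoft Office (before 2007)", {".doc", ".xls", ".ppt"}),
    (bytes.fromhex("504B030414000600"), "Microsoft Office (after 2007)", {".docx", ".xlsx", ".pptx"}),
    (bytes.fromhex("504B0304"), "Zip Compressed Archive", {".zip"}),
    (bytes.fromhex("25504446"), "PDF Documents", {".pdf"}),
    (bytes.fromhex("FFD8FF"), "JPEG Image", {".jpeg", ".jpg"}),
    (bytes.fromhex("49492A00"), "TIFF Image", {".tiff", ".tif"}),
    (bytes.fromhex("424D"), "Bitmap Image", {".bmp"}),
    (bytes.fromhex("4D5A"), "Windows Program (executable)", {".exe"}),
]
# Longest signature first, so the 8-byte Office header wins over the 4-byte ZIP prefix.
SIGNATURES.sort(key=lambda s: len(s[0]), reverse=True)

def identify(data: bytes):
    """Return (type, expected extensions) for the first matching signature, else None."""
    for magic, label, exts in SIGNATURES:
        if data.startswith(magic):
            return label, exts
    return None

def check(name: str, data: bytes) -> str:
    """Compare the extension in `name` with what the header bytes say."""
    ext = PurePath(name).suffix.lower()
    hit = identify(data)
    if hit is None:
        # A known extension with no known header: altered or corrupted signature.
        claimed = any(ext in exts for _, _, exts in SIGNATURES)
        return "unknown-signature" if claimed else "unknown"
    label, exts = hit
    return "ok" if ext in exts else f"mismatch: header says {label}"

# Constructed sample headers (hypothetical file names, not real evidence files).
SAMPLES = {
    "vacation.exe": bytes.fromhex("FFD8FFE000104A46494600") + b"\x00" * 16,  # JPEG renamed
    "memo.docx": bytes.fromhex("504B030414000600") + b"\x00" * 16,
    "backup.zip": bytes.fromhex("504B03040A000000") + b"\x00" * 16,
    "report.pdf": b"%PDF-1.4\n",
    "notes.pdf": b"This is just text",  # .pdf name, no PDF header
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14} {check(name, data)}")
```

A .docx written by a tool other than Microsoft Office may begin with plain 50 4B 03 04, so a ZIP match on an Office extension calls for a look inside the archive before treating it as a mismatch.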
Microsoft Office Files
File Signature for Microsoft Office 2007 and later
Text File: 83 bytes
Word .doc File: 22.5 KB
Word .docx File: 16.4 KB
Microsoft Office Files
[Diagram: docx, change extension, memo.zip, unzip archive]
Bitmap Files
File Signature
3-byte pixels (RGB)
JPEG Files
File Signature
Metadata (EXIF)
JPEG Data is encoded and compressed
JPEG File Trailer