Files Chapter 4


Page 1: Files Chapter 4. Files HEX is useful when attempting to view a file that is partially deleted. Which lends us to two questions: 1. Why would a partially

Files – Chapter 4

Page 2:

Files

HEX is useful when attempting to view a file that is partially deleted, which leads us to two questions:

1. Why would a partially deleted file have difficulties being opened or viewed normally?

2. What parts of a file does a HEX editor allow us to see, which otherwise would not be visible?

Page 3:

Files, File Structures, and File Formats

• To answer the questions on the previous slide, we need to investigate the basics of a file, file structure, and file format.

• A partially deleted file in many cases may be missing part of its formatting data, the data that identifies the file.

• It is this formatting data that identifies the file to its parent or native software.

• If a file doesn’t contain the formatting information, the software or Operating System will most likely not be able to access or execute the file.

• It is this formatting information that uniquely identifies a file.

Page 4:

Different Formats

• There are hundreds of different formats for data.

• There are also formats for executable programs on different platforms (Windows, Linux, Mac, Unix, etc.).

• Each format defines how the sequence of bits and bytes is laid out, with ASCII-based text files being one of the simplest formats for humans to decipher.

Page 5:

Other Formats

• Some file formats are designed to store very particular sorts of data:
– JPEG format – designed to store photographic images.
– GIF format – designed for both photographic images and animation.
– QuickTime format – can act as a container for many different types of multimedia.

Page 6:

Text File Formats

• A text file is simply one that stores any text.
– It uses a format such as ASCII or UTF-8, with few if any control characters.
– Other file formats, such as HTML or the source code of some particular programming language, are in fact also text files, but they follow stricter rules for specific purposes.

• Parent program: the program or software that is used to create, execute, or otherwise access the file.

• In most cases a file will contain data, its file signature, from which its parent software is able to identify the file and handle its operation.

Page 7:

File Signatures

• File Signature – contained in the file header.

• File Header – not seen by the user of the software, but very important for the file to function as designed.
– It is this data contained within the file header that is used to identify the format of the file.

• File headers may also contain data regarding the integrity of the file, as well as information about the file itself and its contents. This data is often referred to as metadata.

Page 8:

File Format Structures

• There is no one specific file format structure that fits all file types.

• File formats vary, as does file content.

• The contents of an image, as well as its format, for example, will be different from the contents and format of a word processing document.

Page 9:

File Extensions

• File formats are easily identified by file extensions.

• The Windows operating system uses file extensions to bind an application to a specific file type.
– Example: Windows binds Adobe Reader to the .PDF file extension, whereas MS Word is bound to the .DOC or .DOCX file extension.

• File extensions are specific to the Windows operating system, and without an extension the Windows operating system would not know how to open, process, or handle a file.

Page 10:

Question: What would occur if the file extension of an executable (.EXE) file was changed to that of an Adobe file extension (.PDF)?

Answer: Windows would look at the file extension and see that it’s a .PDF; it would therefore hand that file over to Adobe to open. Adobe would attempt to launch or open the file and report an error since the file, regardless of its name, is not actually an Adobe file.

Page 11:

Registry

• Windows stores this application binding information in a section of the operating system (OS) called the registry.

• Each file type has a corresponding file extension; this correlation, stored within the registry, tells the OS what type of program is needed to access a certain file type. This is Windows’ way of mapping the many different types of files to their corresponding software.

Page 12:

OS

• When the OS identifies an extension, say .CSV (Comma Separated Values), the OS looks to the registry and finds which application is bound to this extension. In most cases MS Excel is bound to CSVs, so Windows will hand the file over to Excel.

• A file extension and/or its corresponding registry information can be manipulated by a savvy user.

Page 13:

Changing File Extensions

• Suppose a change was made to the registry so that the .CSV file extension was associated with, and therefore opened with, an image viewer such as Windows Picture Viewer.

• This will cause an error because the file is an Excel file and not an image.

• A file with an incorrect file extension would still open as long as the Windows Registry had that “incorrect” file extension associated with the correct software.

• Remember, changing or renaming a file extension does not change the content of the file; it only changes the way in which the Windows OS handles the file (i.e. which application the file is sent to).

Page 14:

Computer Criminals

• So why is the way the OS handles the interpretation of a file’s extension important to a cyber forensic investigator?

• Computer criminals can use file extensions to hide files simply by changing the file extension.

• Example:

Page 15:

Changing A File’s Extension To Evade Detection

• The process to change a file’s extension to evade detection is quite simple:
– Step 1: Create a legitimate-looking folder into which you wish to place your files. Use a name that will not be conspicuous.

Page 16:

Creating a file extension to evade detection

• Step 2:
– Open the folder that you created.
– Select the Organize menu, select Layout, and select Menu Bar.

• Step 3:
– Open the Tools tab, select Folder Options, and select the View tab.

Page 17:

Removing the file extension

• Step 4:
– Uncheck “Hide extensions for known file types”.
– The file extension type is revealed.

• Step 5:
– Right-click on the file name to rename the file, including providing any valid file extension type (.doc, .xls, .exe, .txt). The file name is changed based upon the extension provided. (Do this to 4 images.)

Page 18:

Removing the file extension

• Step 6:
– Click “Hide extensions for known file types” to hide the new file extensions.

• Notice that where there were once 10 image files there are now only six.

• Scanning simply for image files will result in missing the four files with modified extensions!

Page 19:

Notes about Hiding Files

• Remember, Windows looks at a file’s extension first, and hands that file over to the appropriate application to open. A Microsoft Word application attempting to open a .JPEG or .TIF file would attempt to launch or open the file and report an error, since the file, regardless of its name, is not actually a Microsoft Word file.

Page 20:

File Signature

• File Signature – also known as the “Magic Number”.

• File Signature – is the binary data that identifies a particular file: the data that aids in the identification of the file to its native or parent software.

Page 21:

HEX Editor

• For common file formats, the file signatures conveniently represent the names of the file types.
– Example: the GIF87a image file format in HEX equals 0x474946383761, and the GIF89a format in HEX equals 0x474946383961 (GIF: Graphics Interchange Format).
– This signature occupies the first 6 bytes of the file.

Page 22:

JPEG

• JPEG – the Joint Photographic Experts Group image file signature is 0x4A464946, which is the ASCII equivalent of JFIF (JPEG File Interchange Format).
– This signature begins at the seventh byte of the file.
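As an added example (not code from these slides), the following Python scanner does what the slides describe doing by eye in a HEX editor: it reads the first bytes of each file, matches them against the GIF87a, GIF89a and JFIF signatures given above (plus PNG, PDF and MZ for Windows executables, which are well-known signatures not on the slides), and flags any file whose extension disagrees with its signature, so the renamed images from slide 18 and the .EXE renamed to .PDF from slide 10 would not be missed. The sample files are constructed in a temporary directory.

```python
"""Detect files whose extension disagrees with their magic-number signature."""
from pathlib import Path
from typing import List, Optional, Tuple
import tempfile

# (offset, signature bytes, format name). The GIF and JFIF entries follow the
# slides; PNG, PDF and MZ (Windows executable) are well-known signatures added here.
SIGNATURES = [
    (0, b"GIF87a", "gif"), (0, b"GIF89a", "gif"), (6, b"JFIF", "jpeg"),
    (0, b"\x89PNG\r\n\x1a\n", "png"), (0, b"%PDF", "pdf"), (0, b"MZ", "exe"),
]

# Extensions an investigator would expect to see for each signature-derived format.
EXPECTED_EXTENSIONS = {
    "gif": {".gif"}, "jpeg": {".jpg", ".jpeg"}, "png": {".png"},
    "pdf": {".pdf"}, "exe": {".exe", ".dll"},
}

def identify(header: bytes) -> Optional[str]:
    """Return the format whose signature matches the file header, or None if unknown."""
    for offset, magic, fmt in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return fmt
    return None

def check(name: str, header: bytes) -> Tuple[str, Optional[str], bool]:
    """Return (name, detected format, mismatch) for one file; unknown formats never mismatch."""
    fmt = identify(header)
    ext = Path(name).suffix.lower()
    mismatch = fmt is not None and ext not in EXPECTED_EXTENSIONS[fmt]
    return name, fmt, mismatch

def scan_directory(directory: Path) -> List[Tuple[str, Optional[str], bool]]:
    """Read the first 16 bytes of every file (what a hex editor shows first) and check each."""
    return [check(p.name, p.read_bytes()[:16]) for p in sorted(directory.iterdir()) if p.is_file()]

if __name__ == "__main__":
    # Constructed samples: a GIF renamed to .txt and an EXE renamed to .pdf (the slide 10 case).
    samples = {
        "photo.gif": b"GIF89a" + b"\x00" * 10,
        "notes.txt": b"GIF87a" + b"\x00" * 10,
        "report.pdf": b"MZ\x90\x00" + b"\x00" * 12,
        "scan.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 5,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for fname, data in samples.items():
            (Path(tmp) / fname).write_bytes(data)
        for fname, fmt, bad in scan_directory(Path(tmp)):
            print(f"{fname:12} {fmt or 'unknown':8} {'MISMATCH' if bad else 'ok'}")
```

Point `scan_directory` at a real folder to list every file whose signature says one format while its name says another; a file with no known signature is reported as unknown rather than flagged.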