CSC414ComputerSystemFundamentals

THINK BIG WE DO

U R Ihttp://www.forensics.cs.uri.edu

Digital Forensics CenterDepartment of Computer Science and Statics

File SignaturesFile Signatures

Hexadecimal DataHexadecimal Data- Hex is a way to view binary data

- Group bits into four digits- Two groups per byte

- Two hex characters per byte

- 16 possible combinations

- Use 0-9, A-F

Easier to recognize patterns and read data

01010100011010000110100101110011

0000 0 00001 1 10010 2 20011 3 30100 4 40101 5 50110 6 60111 7 7

1000 8 81001 9 91010 A 101011 B 111100 C 121101 D 131110 E 141111 F 15

Binary Hex Binary Hex DecimalDecimal

5 4 6 8 6 9 7 354 68 69 73

T h i s

Hexadecimal Data

54 68 69 73T h i s

Hex EditorsAllow you to examine and change the bits of a file, or the bits of a disk regardless of file boundaries. - Allow view, searching, and modifying at

the bit/byte level of files and disks

- Similar to a microscope allowing you to see the raw bits without interpretation by the operating system or an application

- ACSII codes are provided, but do not necessarily indicate byte values

- WinHex Specialist, FTK, EnCase, X-Ways provide hex “view” of data and disks.

ASCII codes are stored "as is"

- Each character you see or type

- Return key, tabs and special characters are stored also.

Text Files

Binary Hex Symbol

0101 0100 54 T

0010 0000 20 Space

0000 1101 0D Carriage Return

0000 1010 0A Line Feed

0000 1001 09 Tab Used by TRS-80, Mac OS 9 and

earlier

Used by Mac OS X and

Linux

.doc FilesMicrosoft Word Files (before 2007)

File Signature for Microsoft Office 2003

and earlier

MetadataOffset into file of 0A00Text starts 2,560 bytes into the file

File SignaturesFile signatures define the file- Suspect may hide file by changing file

extension like .jpg to .exe

- Most people don’t know about file signatures

- Changing file signature can make the file corrupt- Programs will not know how to interpret

the data

- Forensic tools allow searching for hex file signature to truly find all files of a type

Data CarvingUsing a hex editor to follow file table or markers in a file

to find all parts of a file.

For example, to reconstruct an image even if part has been

erased.

File SignaturesFile Type File Extension File SignatureMicrosoft Office (before 2007) .doc .xls .ppt D0 CF 11 E0 A1 B1 1A E1

Microsoft Office (after 2007) .docx .xlsx .pptx 50 4B 03 04 14 00 06 00

Zip Compressed Archive .zip 50 4B 03 04 (ASCII = PK)

PDF Documents .pdf 25 50 44 46

JPEG Image .jpeg .jpg FF D8 FF E0 ?? ?? 4A 46 49 46 00

TIFF Image .tiff .tif 49 49 2A 00

Bitmap Image .bmp 42 4D

Audio Interchange Format .aif .aiff 46 4F 52 4D 00

Waveform Audio Format .wav 57 41 56 45 66 6D 74 20

MPEG-4 .mp4 33 67 70 35

MPEG-1 Audio Layer 3 Audio .mp3 49 44 33

Dynamic Library .dll 21 3C 61 72 63 68 3E 0A

Windows Program (executable) .exe 4D 5A 90 00 03 00 00 00

PDF Trailers0A 25 25 45 4F 46 0A ( %%EOF )0D 0A 25 25 45 4F 46 0D 0A ( %%EOF )0D 25 25 45 4F 46 0D ( %%EOF )

JPEG Trailer FF D9

Microsoft Office Files

File Signature for Microsoft Office 2007

and laterText File: 83 bytes

Word .doc File: 22.5 KBWord .docx File: 16.4 KB

Microsoft Office Files

memo. zip

change extension

unzip archive

docx

Bitmap Files

File Signature3-byte pixels

(RGB)

JPEG Files

File Signature

Metadata (EXIF)

JPEG Data is encoded and compressed

JPEG File Trailer