Files Chapter 4 Files HEX is useful when attempting to view a file that is partially deleted. Which lends us to two questions: 1. 2. Why would a partially deleted file have difficulties being opened or viewed normally? What parts of a file does a HEX editor allow us to see, which otherwise would not be visible? Files, File Structures, and File Formats • To answer the questions on the other slide, we need to investigate the basics of a file, file structure, and file format. • A partially deleted file in many cases may be missing part of its formatting data, the data that identifies the file. • It is the formatting file that identifies the file to its parent or native software. • If a file doesn’t contain the formatting information, the software or Operating System will most likely not be able to access or execute the file. • It is this formatting information that uniquely identifies a file. Different Formats • There are hundreds of different formats for data. • There are also formats for executable programs on different platforms. (Windows, Linux, Mac, Unix, etc.…) • Each format defines how the sequence of bits and bytes are laid out, with ASCII based text files being one of the simplest formats for humans to decipher. Other Formats • Some file formats are designed to store very particular sorts of data: – JPEG formats – is designed to store photo images. – Gifs formats – is designed for both photo images and animation. – QuickTime format – can act as a container for many different types of multimedia. Text Files Formats • A Text File is simply one that stores any text. – Format such as ASCII or UTF-8, with few if any control characters. – Other file formats, such as HTML, or the source code of some particular programming language, are in fact also text files, but follows more strict rules for specific purposes. • Parent program, meaning the program or software that is used to create, execute, or otherwise access the file. • In most cases a file will contain data , its file signature, from which its parent software will be able to identify and handle its operation. File Signatures • File Signature – contained in the file header. • File Header – Not see by the user of the software, but very important for the file to function as designed. – It is this data contained within the file header that is used to identify the format of the file. • File Headers – may also contain data regarding the integrity of the file as well as information about itself and its contents. This data is often referred to as Metadata. File Format Structures • There is no one specific file format structure that fits all file types. • File formats will vary as well as file content. • The contents of an image, as well as its format, for example, will be different from the contents and format of a word processing document. File Extensions • File formats are easily identified by file extensions. • Windows Operating System uses file extensions to bind an application to a specific file type. – Example: Windows binds Adobe Reader to the .PDF file extension. Whereas, MS WORD to the .Doc or .DocX file extension. • File extensions are specific to the Window Operating System and without an extension the Window Operating System would not know how to open, process, or handle a file. Question: What would occur if the file extension of an executable (.EXE) file was changed to that of an Adobe file extension (.PDF)???? ANSWER: Windows would look at the file extension and see that it’s a .PDF; it would therefore hand that file over to Adobe to open. Adobe would attempt to launch or open the file and report an error since the file, regardless of its name, is not actually an Adobe file. Registry • Window stores this application binding information in a section of the Operating System (OS) called the registry. • Each file type contains a corresponding file extension; this correlation stored within the registry tells the OS what type of program is needed to access a certain file type. This is Window’s way of organizing the many different types of files to their corresponding software. OS • When the OS identifies an extension say .CSV (Comma Separated Values), the OS looks to the registry and finds which application is bound to this extension. In most cases, MS Excel is bound to CSVs, so Windows will hand it over to Excel. • A file extension and/or its corresponding registry information can be manipulated by a savvy user. Changing File Extensions • Suppose a change was made to the registry so that the .CSV file extension was associated to and therefore opened with an image viewer such as Window Picture Viewer. • This will cause an error because the file was an Excel file and not an image. • A file with an incorrect file extension would open as long as the Window Registry had that “incorrect” file extension associated with the correct software. • Remember, changing or renaming a file extension does not change the content of the file; it only changes the way in which Windows OS handles the file (i.e. which application the file is sent to). Computer Criminals • So why is the way the OS handles the interpretation of a file’s extension important to a cyber forensic investigator? • Computer criminals can use file extensions to hide files simply by changing the file extension. • Example: Changing A File’s Extension To Evade Detection • The process to change a file’s extension to evade detection is quite simple: – Step 1: Create a legitimate looking folder into which you wish to place your files. Use a name that will not be conspicuous. Creating a file extension to evade detection • Step 2: – Open the folder that you created – Select Organize menu, select layout and select Menu Bar • Step 3: – Open the Tools tab and select Folder Options, and select the View Tab Removing the file extension • Step 4: – Uncheck “Hide extensions for known file types” – File extension type is revealed • Step 5: – Right-Click on the file name to Rename the file, including providing any valid file extension type (.doc,.xls, .exe,.txt) The file name is changed based upon the extension provided (Do this to 4 images) Removing the file extension • Step 6: – Click “Hide extensions for known file types, to hide the new file extensions. • Notice where there was once 10 image files there are now only six. • Scanning simply for image files will results in missing the four files with modified extensions! Notes about Hiding Files • Remember Windows looks at a file’s extension first, and hands that file over to the appropriate application to open. A Microsoft Word application attempting to open a .JPEG or .TIF file would attempt to launch or open the file and report an error since the file, regardless of its name, is not actually a Microsoft Word file File Signature • File Signature – also known as the “Magic Number”. • File Signature – is the binary that identifies a particular file: the data that will aid in the identification of the file to its native or parent software. HEX Editor • For common file formats, the file signatures conveniently represent the names of the file types. – Example: Image file GIF87a format in HEX equals 0x474946383761. GIF89a format in HEX equals 0x3474946383961. GIF (Graphic Interchange Format) – First 6 Bytes of the file. JPEG • JPEG – Joint Photographic Expert Group image file is 0x4A464946, which is the ASCII equivalent of JFIF (JPEG File Interchange Format) – JPEG begin at the seventh byte