Chapter 4 Files

HEX is useful when attempting to view a file that is partially
deleted. This leads us to two questions:
1. Why would a partially deleted file have difficulties being opened or
viewed normally?
2. What parts of a file does a HEX editor allow us to see, which
otherwise would not be visible?
Files, File Structures, and File Formats
• To answer the questions on the previous slide, we need to
investigate the basics of a file, file structure, and file
format.
• A partially deleted file in many cases may be missing
part of its formatting data, the data that identifies the
file.
• It is this formatting data that identifies the file to its
parent or native software.
• If a file doesn’t contain the formatting information, the
software or Operating System will most likely not be
able to access or execute the file.
• It is this formatting information that uniquely identifies
a file.
Different Formats
• There are hundreds of different formats for data.
• There are also formats for executable programs
on different platforms (Windows, Linux, Mac,
Unix, etc.).
• Each format defines how the sequence of bits
and bytes is laid out, with ASCII-based text files
being one of the simplest formats for humans to
decipher.
Other Formats
• Some file formats are designed to store very
particular sorts of data:
– JPEG format – designed to store photo images.
– GIF format – designed for both photo images
and animation.
– QuickTime format – can act as a container for
many different types of multimedia.
Text Files Formats
• A Text File is simply one that stores any text.
– Encoded in a format such as ASCII or UTF-8, with few if any control
characters.
– Other file formats, such as HTML, or the source code
of some particular programming language, are in fact
also text files, but follow stricter rules for specific
purposes.
• Parent program, meaning the program or
software that is used to create, execute, or
otherwise access the file.
• In most cases a file will contain data, its file
signature, from which its parent software will be
able to identify and handle its operation.
File Signatures
• File Signature – contained in the file header.
• File Header – Not seen by the user of the software, but
very important for the file to function as designed.
– It is this data contained within the file header that is used
to identify the format of the file.
• File Headers – may also contain data regarding the
integrity of the file as well as information about itself
and its contents. This data is often referred to as
Metadata.
File Format Structures
• There is no one specific file format structure
that fits all file types.
• File formats will vary as well as file content.
• The contents of an image, as well as its
format, for example, will be different from the
contents and format of a word processing
document.
File Extensions
• File formats are easily identified by file extensions.
• Windows Operating System uses file extensions to bind
an application to a specific file type.
– Example: Windows binds Adobe Reader to the .PDF file
extension, whereas MS Word is bound to the .DOC or .DOCX file
extension.
• File extensions are specific to the Windows Operating
System, and without an extension the Windows
Operating System would not know how to open,
process, or handle a file.
Question:
What would occur if the file extension of an
executable (.EXE) file was changed to that of an
Adobe file extension (.PDF)?
ANSWER:
Windows would look at the file extension and
see that it’s a .PDF; it would therefore hand that
file over to Adobe to open. Adobe would
attempt to launch or open the file and report an
error since the file, regardless of its name, is not
actually an Adobe file.
Registry
• Windows stores this application binding
information in a section of the Operating System
(OS) called the registry.
• Each file type has a corresponding file
extension; this correlation, stored within the
registry, tells the OS what type of program is
needed to access a certain file type. This is
Windows’ way of organizing the many different
types of files to their corresponding software.
OS
• When the OS identifies an extension, say .CSV
(Comma Separated Values), the OS looks to
the registry and finds which application is
bound to this extension. In most cases, MS
Excel is bound to CSVs, so Windows will hand
it over to Excel.
• A file extension and/or its corresponding
registry information can be manipulated by a
savvy user.
Changing File Extensions
• Suppose a change was made to the registry so that the
.CSV file extension was associated with, and therefore
opened with, an image viewer such as Windows Picture
Viewer.
• This will cause an error because the file was an Excel
file and not an image.
• A file with an incorrect file extension would open as
long as the Windows Registry had that “incorrect” file
extension associated with the correct software.
• Remember, changing or renaming a file extension does
not change the content of the file; it only changes the
way in which Windows OS handles the file (i.e. which
application the file is sent to).
Computer Criminals
• So why is the way the OS handles the
interpretation of a file’s extension important
to a cyber forensic investigator?
• Computer criminals can use file extensions to
hide files simply by changing the file
extension.
• Example:
Changing A File’s Extension To Evade
Detection
• The process to change a file’s extension to
evade detection is quite simple:
– Step 1: Create a legitimate-looking folder into
which you wish to place your files. Use a name
that will not be conspicuous.
Creating a file extension to evade
detection
• Step 2:
– Open the folder that you created
– Select the Organize menu, select
Layout, and select Menu Bar
• Step 3:
– Open the Tools tab and select
Folder Options, and select the
View tab
Removing the file extension
• Step 4:
– Uncheck “Hide extensions for known file types”
– The file extension type is revealed
• Step 5:
– Right-click on the file name to rename the file,
providing any valid file extension type
(.doc, .xls, .exe, .txt). The file name is changed based
upon the extension provided (do this to 4 images)
Removing the file extension
• Step 6:
– Check “Hide extensions for known file types” to
hide the new file extensions.
• Notice that where there were once 10 image files
there are now only six.
• Scanning simply for image files will result in
missing the four files with modified
extensions!
Notes about Hiding Files
• Remember, Windows looks at a file’s extension
first, and hands that file over to the
appropriate application to open. A Microsoft
Word application attempting to open a .JPEG
or .TIF file would attempt to launch or open
the file and report an error since the file,
regardless of its name, is not actually a
Microsoft Word file.
File Signature
• File Signature – also known as the “Magic
Number”.
• File Signature – is the binary data that identifies a
particular file: the data that will aid in the
identification of the file to its native or parent
software.
HEX Editor
• For common file formats, the file signatures
conveniently represent the names of the file
types.
– Example: the GIF87a image format in HEX equals
0x474946383761, and the GIF89a format in HEX equals
0x474946383961 (GIF = Graphics Interchange Format).
– The signature is the first 6 bytes of the file.
JPEG
• JPEG – the Joint Photographic Experts Group image
file signature is 0x4A464946, which is the ASCII
equivalent of JFIF (JPEG File Interchange
Format).
– In a JPEG file, this JFIF marker begins at the seventh byte.
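The investigator's counterpart to the extension-renaming trick on the earlier slides, and the practical use of the GIF and JFIF signatures above, is to identify a file by its header bytes instead of trusting its name. The following is an added example and is not code from the slides. It uses the GIF87a, GIF89a and JFIF values from the slides plus PNG, PDF, MZ and ZIP signatures that are widely documented, then scans a directory of constructed sample files (six images with image extensions and four images renamed to .doc, .xls, .exe and .txt, mirroring Step 5) and reports every file whose extension disagrees with its content. The sample file contents are constructed headers followed by zero filler, not real images.

```python
"""Identify files by signature (magic number) instead of trusting the
extension, and flag extension/content mismatches.
Added example; PNG, PDF, MZ and ZIP values are the widely documented
signatures, not taken from the slides."""
from __future__ import annotations

import tempfile
from pathlib import Path

# (offset, magic bytes, type name, extensions that legitimately carry it)
SIGNATURES = [
    (0, b"GIF87a", "gif", {".gif"}),                    # 0x474946383761
    (0, b"GIF89a", "gif", {".gif"}),                    # 0x474946383961
    (0, b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),    # JPEG start-of-image marker
    (0, b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (0, b"%PDF-", "pdf", {".pdf"}),
    (0, b"MZ", "exe", {".exe", ".dll"}),                # DOS/PE executable header
    (0, b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx"}),
]


def identify(data: bytes) -> str | None:
    """Return the type whose signature appears at its expected offset, else None."""
    for offset, magic, name, _ in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def is_jfif(data: bytes) -> bool:
    """The JFIF identifier 0x4A464946 sits at the seventh byte (offset 6)."""
    return data[6:10] == b"JFIF"


def expected_extensions(file_type: str) -> set[str]:
    """All extensions the table considers honest for a given type."""
    exts: set[str] = set()
    for _, _, name, e in SIGNATURES:
        if name == file_type:
            exts |= e
    return exts


def check_file(path: Path) -> dict:
    """Compare a file's extension against what its header bytes say it is."""
    with path.open("rb") as fh:
        head = fh.read(16)                  # only the header is needed
    ftype = identify(head)
    ext = path.suffix.lower()               # Windows treats extensions case-insensitively
    mismatch = ftype is not None and ext not in expected_extensions(ftype)
    return {"name": path.name, "ext": ext, "type": ftype, "mismatch": mismatch}


def scan_directory(directory: str) -> list[dict]:
    """Check every regular file in a directory (non-recursive)."""
    return [check_file(p) for p in sorted(Path(directory).iterdir()) if p.is_file()]


# Constructed sample content: valid headers plus zero filler, not real images.
GIF_SAMPLE = b"GIF89a" + b"\x00" * 26
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20

SAMPLE_FILES = {
    # six images with honest extensions
    "beach.jpg": JPEG_SAMPLE, "cat.gif": GIF_SAMPLE, "dog.jpg": JPEG_SAMPLE,
    "logo.gif": GIF_SAMPLE, "party.jpg": JPEG_SAMPLE, "sunset.jpg": JPEG_SAMPLE,
    # four images renamed with non-image extensions, as in Step 5 of the slides
    "budget.xls": JPEG_SAMPLE, "notes.txt": GIF_SAMPLE,
    "report.doc": JPEG_SAMPLE, "setup.exe": GIF_SAMPLE,
}


def demo() -> tuple[int, int, int]:
    """Write the constructed sample to a temp directory, scan it, and return
    (images found by extension, images found by signature, mismatches)."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in SAMPLE_FILES.items():
            Path(d, name).write_bytes(content)
        results = scan_directory(d)
    by_ext = sum(r["ext"] in {".jpg", ".jpeg", ".gif"} for r in results)
    by_sig = sum(r["type"] in {"jpeg", "gif"} for r in results)
    mismatches = [r for r in results if r["mismatch"]]
    for r in mismatches:
        print(f"{r['name']}: extension {r['ext']!r} but header says {r['type']}")
    return by_ext, by_sig, len(mismatches)


if __name__ == "__main__":
    print(demo())  # (6, 10, 4)
```

A scan by extension sees six images; a scan by signature sees ten and names the four renamed files. Files with no recognised signature (plain text, for example) are reported with type None and are not flagged, since the table cannot say what they should be called; a real toolkit would carry a much larger signature table and would also inspect files inside archives.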