Hey all, I figured this is the most 'right' place for this topic, if I'm wrong please move it to the proper place.
Okay, I'm in a forensics class, and we are starting file carving. For those not in the know, we are using a hex editor to find the header and footer of specific file types within an image of a floppy disk.
My problem comes with the first task, we have to manually find the headers and footers by comparing several files of different types.
Does anyone have tips for this? I am going through five or so files (dll for example) and they all have so many in common. Going through this is taking some time, and I gotta finish this before I can look into the dump of the floppy.
The instructor said that headers and footers are usually the first and last 2-20 bytes, but I'm getting matches well past that. So I really don't know if say, the header should be ending after 6 bytes, or 26.
Yeah, we can use whatever program we want, but what I am really looking for is a method of finding these headers and footers manually (might be on a test or something).
I am looking into various linux hex editors right now, tried ghex, but it doesn't have a select range as far as I see, something that would be incredibly helpful for file carving. Anyone have ideas?
(EDIT: Started using hexedit, it's a command line hex editor. Very nice. It has all the features I'm looking for as far as carving goes...)
Still wondering about any tips for finding the headers and footers.
Last edited by 9to5cynic; September 2nd, 2011 at 09:48 PM.
Reason: Returning to Federation Space.
In general, Wotsit is a great resource for me, but I've never actually checked to see if it contains actual file structure info, such as headers - give it a shot - Wotsit.org
Thanks, checking out those links. I'll just have to wait and see what the instructor says about these file footers. I know I could just google them, and be done with it, but I'd really like to actually do the assignment. (lame)
Here's my take - I Google for information that will help me to better understand the problem - not information that is the answer.
It works much better in the long run - you look up the needed info and then do your work.
If you don't know, for example, that a certain file always has the footer
Quote:
%------#%%$@bbg
(imaginary example) then how the hell are you going to look for it? So, it's not a justification, it's a matter of fact and a matter of life. People are going online all the time to get info to make better informed decisions - credit reports, health related facts, entertainment choices, shopping advice, etc. - why should this be any different?
The Following User Says Thank You to johnlgalt For This Useful Post:
Well, we are getting an excel sheet with all the info on it eventually, but the instructor wants us to open several files in a hex editor and analyze them manually. Headers is easier, but I swear I have forty bytes match for the footer, no idea where it starts.
I agree, google for help, not the answer is the way to go.
Ahhh. I see now, you're almost in a pre-test situation, i which you have to see if you can figure out the headers and footers locations / beginning points on your own before receiving the info in the spreadsheet....
Were the types of files specified for you, or are you flying blind?
Nahh.. we have the excel sheet (which was half finished by the instructor) with about 20 files and the homework which has 15 total files, some are repeats though.
I just did the WMV file, and I got 3026b2758e66cf11a6d900aa0062ce6c, but I looked it up online and the website I checked said it stops at 3026b275 or so....
I have no idea know to know where to the header stops and the rest of the file begins. I guess I'll figure that out next class lol.
If you looked at 5 different WMV files then you'd have a basis to compare - the common parts would be the header and the place (position) where it changes would be the beginning of the next part...
Hey, another piece of advice - If you ever need to perform forensic analysis on an active registry hive, I highly recommend DCSoft's Registry Extender (RegeditX). Right now it is in Beta, so it is free, and he's also incorporated the old Registry Crawler into it - hands down the fastest registry search tool....
Use a knife with a serrated edge and simmer in olive oil for ten minutes prior to carving, then just a dash of thyme and serve. Goes best with white wine rather than red.
File Carving
