Chapter 22 - File Signature Analysis
22.1 FILE SIGNATURE ANALYSIS
Signature analysis is the process of identifying a file by its header rather than by other
means (such as the file extension). Standards bodies such as the International
Organization for Standardization (ISO) have published standards for the structure of
many file types. These standards define a "file signature" (also called a magic number),
a recognizable header which usually precedes the file data and assigns a file to a
specific type, e.g. a JPEG.
For example, Figure 214 below shows the beginning of a photo taken with a digital
camera. It is identified as a JPEG by the file header ÿØÿà· (or in hex: FF D8 FF E0 00).
The first two bytes, FF D8, are the JPEG Start of Image marker and FF E0 introduces
the JFIF application segment; photos that carry Exif metadata instead begin FF D8 FF
E1, so signature tables normally match a JPEG on the leading bytes FF D8 FF.
Figure 214, JPEG file signature
Identifying a file by its signature is a more accurate method of classification than using
the file extension (e.g. .jpg), as the extension can easily be altered.
22.2 WHY RUN FILE SIGNATURE ANALYSIS?
File signatures are an important part of the examination process because they give the
investigator confidence that they are seeing files for what they actually are. It is
recommended that a file signature analysis be one of the first steps performed by the
investigator in each new case.
A file signature analysis with Forensic Explorer will:
• Flag files for which the file extension does not match the file signature. These
files may have been deliberately renamed or otherwise manipulated to hide data;
• Empower other components of Forensic Explorer, such as the Categories view, to
classify files by file signature rather than by extension.
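As an added example (not code from the Forensic Explorer manual or from GetData), the following Python script performs the two checks described in 22.1 and 22.2 on a handful of constructed sample files: it reads the leading bytes of each file, matches them against a small table of well-known signatures, and flags files whose extension does not belong to the type the signature indicates. The signature table, the status names and the sample files are the example's own assumptions; a forensic tool ships a far larger signature database.

```python
"""Minimal file-signature ("magic number") check versus file extension.

Added example; not part of the Forensic Explorer manual. Sample files are
constructed in a temporary directory so the script runs offline.
"""
import os
import tempfile

# Signature table: leading bytes -> canonical type and the extensions normally
# used for it. The magic values are well known; the table itself is an
# illustrative assumption and far shorter than a forensic tool's database.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpeg", {".jpg", ".jpeg"}),          # SOI + any marker
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"MZ", "pe", {".exe", ".dll", ".sys"}),
]
MAX_SIG_LEN = max(len(sig) for sig, _, _ in SIGNATURES)


def identify(header: bytes):
    """Return (type, allowed_extensions) for the first matching signature, else None."""
    for sig, ftype, exts in SIGNATURES:
        if header.startswith(sig):
            return ftype, exts
    return None


def check_file(path: str) -> dict:
    """Compare one file's signature with its extension.

    status: 'match'    signature known and extension is one used for that type
            'mismatch' signature known but extension belongs to another type
            'unknown'  no signature in the table matched
    """
    with open(path, "rb") as f:
        header = f.read(MAX_SIG_LEN)
    ext = os.path.splitext(path)[1].lower()
    hit = identify(header)
    if hit is None:
        ftype, status = None, "unknown"
    else:
        ftype, exts = hit
        status = "match" if ext in exts else "mismatch"
    return {"path": path, "ext": ext, "signature_type": ftype,
            "header_hex": header.hex(" ").upper(), "status": status}


def scan(paths):
    """Run check_file over a list of paths."""
    return [check_file(p) for p in paths]


def build_samples(directory: str):
    """Write constructed sample files (not real evidence) and return their paths.

    photo.jpg  : JFIF header, extension matches
    notes.txt  : Exif JPEG (FF D8 FF E1) renamed to .txt, the classic hidden picture
    report.pdf : PNG bytes carrying a .pdf extension
    readme.txt : plain text, no signature in the table
    """
    samples = {
        "photo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01" + b"\x00" * 32,
        "notes.txt": b"\xFF\xD8\xFF\xE1\x00\x18Exif\x00\x00" + b"\x00" * 32,
        "report.pdf": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 32,
        "readme.txt": b"Just some text, nothing to see here.\n",
    }
    paths = []
    for name, data in samples.items():
        p = os.path.join(directory, name)
        with open(p, "wb") as f:
            f.write(data)
        paths.append(p)
    return paths


def demo() -> dict:
    """Scan the constructed samples; returns {filename: status}."""
    with tempfile.TemporaryDirectory() as d:
        results = scan(build_samples(d))
        for r in results:
            print(f"{os.path.basename(r['path']):12} {r['status']:9} "
                  f"sig={r['signature_type']} header={r['header_hex'][:14]}")
        return {os.path.basename(r["path"]): r["status"] for r in results}


if __name__ == "__main__":
    demo()
```

Two points the output illustrates: the Exif photo renamed to notes.txt is still flagged because the match is on FF D8 FF, not on the JFIF bytes that follow; and a .docx reported as "zip" is a match, not a mismatch, because the table records that the Office extensions legitimately sit on a ZIP container. A real signature database also checks trailers or internal structure, since three leading bytes can be forged as easily as an extension.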
22.3 RUNNING A FILE SIGNATURE ANALYSIS
To run a file signature analysis in Forensic Explorer:
1. Click on the Signature Analysis button in the File System toolbar (shown below) to
open the Signature Analysis Options window (Figure 216, Selecting file types for
signature analysis, below):
Copyright GetData Forensics Pty Ltd 2010 - 2015, All rights reserved.