WEBVTT

00:00:03.320 --> 00:00:06.980
Identifying files and understanding their true nature is extremely important,

00:00:06.980 --> 00:00:10.160
especially when the suspect has removed file extensions, as you won't

00:00:10.160 --> 00:00:13.820
be able to search for files of interest based on file extensions.

00:00:13.820 --> 00:00:17.300
Furthermore, sometimes a simple hiding technique is used to bypass security

00:00:17.300 --> 00:00:20.920
measures, especially if you're searching for extensions.

00:00:20.920 --> 00:00:25.060
I will be using the HxD tool, but you can use any hexadecimal editor you

00:00:25.060 --> 00:00:30.040
like. For this video, we're using a scenario in which the suspect has

00:00:30.040 --> 00:00:33.400
removed all extensions from files he is storing on his computer, so it

00:00:33.400 --> 00:00:37.220
is not worth searching for specific types of files using the file extension.

00:00:37.220 --> 00:00:40.480
As you may already know, file extensions are the three characters that

00:00:40.480 --> 00:00:42.600
are after the dot in a file name.

00:00:42.600 --> 00:00:48.000
Here we can see that all the files gathered do not have an extension.

00:00:48.000 --> 00:00:50.900
We have no idea what each of these files is.

00:00:50.900 --> 00:00:54.460
This is especially true on a Windows operating system because without

00:00:54.460 --> 00:00:58.000
a file extension, we will not be able to associate the exact application

00:00:58.000 --> 00:00:59.860
used to open the file.

00:00:59.860 --> 00:01:05.460
Let's start the HxD tool, which is a free hexadecimal editor.

00:01:05.460 --> 00:01:08.700
All we need to do is drag and drop the file of interest on top of the

00:01:08.700 --> 00:01:13.220
application. As you can see, on the left are the hex values for the content

00:01:13.220 --> 00:01:18.080
of this file, and on the right is the ASCII text that could be displayed

00:01:18.080 --> 00:01:23.740
in text. So, in other words, the text on the right is the ASCII representation

00:01:23.740 --> 00:01:26.360
of the hex values on the left.

00:01:26.360 --> 00:01:30.520
Now, if we check these first bytes, which represent the header of the

00:01:30.520 --> 00:01:34.160
file, and then search for a meaning for the values found using Gary Kessler's

00:01:34.160 --> 00:01:38.080
file signatures table, hopefully we'll be able to identify the type of

00:01:38.080 --> 00:01:39.740
file this truly is.

00:01:39.740 --> 00:01:44.100
The site shows each file type with its associated header in hex, and

00:01:44.100 --> 00:01:47.000
even in ASCII, if applicable.

00:01:47.000 --> 00:01:51.160
Let's now copy the first 4 bytes in hexadecimal from our file, and check

00:01:51.160 --> 00:01:55.000
them on the website.

00:01:55.000 --> 00:01:59.120
We'll press the Control plus F buttons, and paste the copied values to

00:01:59.120 --> 00:02:02.140
show which file type these 4 bytes belong to.

00:02:02.140 --> 00:02:05.780
As you can see, it belongs to a JPEG file.

00:02:05.780 --> 00:02:10.340
Also, if you compare the other 4 bytes directly after the first 4 copied,

00:02:10.340 --> 00:02:21.700
we shall see that the file and the 4A46 are exactly a match.

00:02:21.700 --> 00:02:27.340
So, here we can now truly say that this is a JPEG file.

00:02:27.340 --> 00:02:31.880
Let's go ahead and close the file and rename it, adding the JPEG file

00:02:31.880 --> 00:02:41.760
extension. As you can see, it turned out to be truly a JPEG file, and

00:02:41.760 --> 00:02:44.120
we can see that from its thumbnail.

00:02:44.120 --> 00:02:46.300
Let's now check on the second file.

00:02:46.300 --> 00:02:49.260
Again, just drag and drop the file over HxD.

00:02:49.260 --> 00:02:53.240
Again, we have some hex values on the left, but not all of them are explained

00:02:53.240 --> 00:02:55.620
on the right, and that's okay.

00:02:55.620 --> 00:03:00.120
Let's copy the first readable bytes, MZ, and check it out.

00:03:00.120 --> 00:03:05.980
Again, we'll Control F and paste the copied values to show which file

00:03:05.980 --> 00:03:08.100
type these 4 bytes belong to.

00:03:08.100 --> 00:03:12.320
It seems it belongs to the Windows executable file, which means this is

00:03:12.320 --> 00:03:14.900
a Windows .exe file.

00:03:14.900 --> 00:03:19.860
The two characters MZ are the initials of the scientist, Mark Zbikowski,

00:03:19.860 --> 00:03:22.700
who created the EXE file format.

00:03:22.700 --> 00:03:26.560
So, whenever you find MZ at the beginning of a file, it will usually mean

00:03:26.560 --> 00:03:32.340
you are dealing with a Windows .exe file, or DLL.

00:03:32.340 --> 00:03:37.000
Now, let's close the file from HxD, and rename it to check if we're right

00:03:37.000 --> 00:03:44.600
or not. As we can see, from its icon, we can say that this is the ExifTool

00:03:44.600 --> 00:03:49.620
which we will use for metadata extraction, especially Exif data and GPS

00:03:49.620 --> 00:03:54.120
coordinates. Let's move on to the third file and see what this is.

00:03:54.120 --> 00:03:57.980
Here we can see that the exact hexadecimal values on the left are represented

00:03:57.980 --> 00:04:01.840
on the right, with no special or unusual characters.

00:04:01.840 --> 00:04:05.020
Plus, if you check the number of bytes on the left and characters on the

00:04:05.020 --> 00:04:08.820
right, we can say that this is a plain text file.

00:04:08.820 --> 00:04:12.600
By the way, don't get fooled by the sentence written inside the file;

00:04:12.600 --> 00:04:15.980
even though it says "I'm a simple text file", we won't go for that, as it

00:04:15.980 --> 00:04:18.840
truly is a TXT file.

00:04:18.840 --> 00:04:25.100
Let's close it and rename it to check our work.

00:04:25.100 --> 00:04:29.620
As you noticed, Windows immediately identified it as a text file and showed

00:04:29.620 --> 00:04:34.160
the icon for Notepad++, which is the default application used on my system

00:04:34.160 --> 00:04:36.220
for opening text files.

00:04:36.220 --> 00:04:39.560
For verification purposes only, I will open the file.

00:04:39.560 --> 00:04:42.540
Don't do this when dealing with a true investigation.

00:04:42.540 --> 00:04:45.480
As we can see, it truly is a text file.

00:04:45.480 --> 00:04:48.480
Time for file number 4.

00:04:48.480 --> 00:04:51.880
I believe we saw something similar to this earlier in this video, but

00:04:51.880 --> 00:04:54.820
let's check it out.

00:04:54.820 --> 00:05:04.100
And yes, it truly is what we saw, which is for a JPEG file.

00:05:04.100 --> 00:05:07.060
Let's check the trailer of the file and see if this file has a trailer

00:05:07.060 --> 00:05:13.860
or not. On the web page, the trailer is FFD9.

00:05:13.860 --> 00:05:17.420
Let's check our file and make sure it truly exists.

00:05:17.420 --> 00:05:21.040
Let's go to the end of the file in HxD.

00:05:21.040 --> 00:05:24.900
Here we have the two bytes FF and D9.

00:05:24.900 --> 00:05:28.080
Exactly as mentioned on the web page for file signatures.

00:05:28.080 --> 00:05:31.400
Please note that not all files have a trailer, so some only have a file header

00:05:31.400 --> 00:05:33.060
with no trailer.

00:05:33.060 --> 00:05:44.360
Let's close the file and rename it.

00:05:44.360 --> 00:05:48.100
Yep, we have a JPEG file of a kitten.

00:05:48.100 --> 00:05:50.700
On to the final file we need to check.

00:05:50.700 --> 00:05:56.260
Here we can see the file starts with the 4 bytes 25, 50, 44, 46, which

00:05:56.260 --> 00:05:58.800
corresponds to %PDF.

00:05:58.800 --> 00:06:01.320
Let's copy it and check that too.

00:06:01.320 --> 00:06:03.860
Let's paste the values and search the web page.

00:06:03.860 --> 00:06:04.840
Yes, it's a little bit more than that.

00:06:04.840 --> 00:06:07.780
It shows that it corresponds to a PDF file.

00:06:07.780 --> 00:06:11.000
As you can see, PDF files seem to have different trailers.

00:06:11.000 --> 00:06:14.060
This may be due to the version or the application used to create a PDF

00:06:14.060 --> 00:06:17.960
file. Let's check our file and see.

00:06:17.960 --> 00:06:26.760
Here we seem to have a third trailer used in this file, which is 0D, 0A,

00:06:26.760 --> 00:06:35.780
25, 25, 45, 4F, 46, 0D, 0A.

00:06:35.780 --> 00:06:40.980
Let's rename the file and add the PDF extension and see.

00:06:40.980 --> 00:06:47.040
The file immediately turned into a PDF file icon, which means now Windows

00:06:47.040 --> 00:06:48.980
managed to identify it.

00:06:48.980 --> 00:06:52.580
Just for validation purposes, and to prove our work is correct, I'm going

00:06:52.580 --> 00:06:54.100
to open the file.

00:06:54.100 --> 00:06:57.940
As a callout, do not open this file in a true investigation.

00:06:57.940 --> 00:07:01.160
You never know what the file might truly contain, as PDF files could potentially

00:07:01.160 --> 00:07:02.800
contain malicious content.

00:07:02.800 --> 00:07:06.380
As we can see, it truly is a PDF file.

00:07:06.380 --> 00:07:08.340
Let's go ahead and close it.

00:07:08.340 --> 00:07:11.760
As you saw in this video, we can use this simple analysis technique to

00:07:11.760 --> 00:07:14.020
identify a file's true nature.

00:07:14.020 --> 00:07:17.260
We saw how to check a couple of bytes and verify what file type it corresponds

00:07:17.260 --> 00:07:20.760
with. Make sure to bookmark this website for Gary Kessler.

00:07:20.760 --> 00:07:23.620
It will surely come in handy to you soon.

00:07:23.620 --> 00:07:28.940
And this concludes this video lesson on Analyzing Files Based on Their

00:07:28.940 --> 00:07:30.960
Headers. Thank you for joining us.
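The header and trailer checks the lesson performs by hand in a hex editor, as an added Python example that is not part of the video or its materials. It uses only the signatures the lesson looked up (FF D8 FF / FF D9 for JPEG, MZ for EXE/DLL, %PDF / %%EOF for PDF) plus a printable-bytes heuristic for plain text; the sample file contents are constructed, and the fifth sample deliberately lacks its trailer to show how a truncated or carved file is reported.

```python
from typing import Optional

# (header magic, trailer or None, label), taken from the signatures looked
# up in the lesson; MZ covers both .exe and .dll files.
SIGNATURES = [
    (b"\xFF\xD8\xFF", b"\xFF\xD9", "JPEG"),
    (b"MZ", None, "Windows executable (EXE/DLL)"),
    (b"%PDF", b"%%EOF", "PDF"),
]

def is_plain_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or ordinary whitespace,
    i.e. the hex editor's right-hand pane shows nothing unusual."""
    return bool(data) and all(b in b"\t\n\r" or 0x20 <= b < 0x7F for b in data)

def identify(data: bytes) -> dict:
    """Type implied by the header and, where the format defines a trailer,
    whether that trailer is present (None when the format has none)."""
    for magic, trailer, label in SIGNATURES:
        if data.startswith(magic):
            trailer_ok: Optional[bool] = None
            if trailer is not None:
                # Writers end a PDF with %%EOF followed by CR, LF or CRLF
                # (the lesson's file used CRLF), so strip line endings first.
                trailer_ok = data.rstrip(b"\r\n").endswith(trailer)
            return {"type": label, "trailer_ok": trailer_ok}
    if is_plain_text(data):
        return {"type": "plain text", "trailer_ok": None}
    return {"type": "unknown", "trailer_ok": None}

def identify_path(path: str) -> dict:
    """Same check against a file on disk; its extension, if any, is ignored."""
    with open(path, "rb") as f:
        return identify(f.read())

# Constructed sample contents standing in for the extension-less files.
SAMPLES = {
    "file1": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01" + b"\x00" * 8 + b"\xFF\xD9",
    "file2": b"MZ\x90\x00\x03\x00\x00\x00",
    "file3": b"I'm a simple text file\r\n",
    "file4": b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n\r\n%%EOF\r\n",
    "file5": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 8,  # no FF D9
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, identify(data))
```

A JPEG reported with `trailer_ok` False is worth a second look before renaming it, since a missing FF D9 usually means the file was cut short or carved incompletely.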