WEBVTT

0:00:10.020000 --> 0:00:14.380000
Occasionally, we're going to come across unidentified files in forensics.

0:00:14.380000 --> 0:00:16.220000
They're not going to have an extension.

0:00:16.220000 --> 0:00:21.460000
The system, especially Windows, is not going to know what to do with it.

0:00:21.460000 --> 0:00:24.660000
What they can look like is sometimes they can look like this.

0:00:24.660000 --> 0:00:28.420000
If you can look here, Windows doesn't know what to do with it, primarily

0:00:28.420000 --> 0:00:33.300000
because there's no extension on the file at all.

0:00:33.300000 --> 0:00:38.140000
See? What do we do?

0:00:38.140000 --> 0:00:41.960000
We have to take a deeper look at it.

0:00:41.960000 --> 0:00:45.840000
What we have is a tool called Hex Workshop.

0:00:45.840000 --> 0:00:50.360000
Any hexadecimal editor, even this tool for FTK up here, can have a look

0:00:50.360000 --> 0:00:59.200000
at it and see what we manually think about this file.

0:00:59.200000 --> 0:01:03.080000
This particular lab is going to simulate you being a forensic examiner

0:01:03.080000 --> 0:01:09.500000
and a computer where important data is saved to. It has some files that

0:01:09.500000 --> 0:01:13.220000
kind of go corrupt and they end up looking like this, as we've shown.

0:01:13.220000 --> 0:01:19.840000
In this lab, your goal is to go ahead and use the tool to analyze the

0:01:19.840000 --> 0:01:30.520000
file and figure out what type of file it is based on the hexadecimal data.

0:01:30.520000 --> 0:01:33.040000
What we're going to do is we're going to use a hex editor to have a look

0:01:33.040000 --> 0:01:38.920000
at these files and see if we can identify what they are.

0:01:38.920000 --> 0:01:47.640000
We're going to open up Hex Workshop.

0:01:47.640000 --> 0:01:51.020000
We're going to browse to our lab files.

0:01:51.020000 --> 0:02:06.460000
The first file we're going to look at is this top file, 2DFA2A.
0:02:06.460000 --> 0:02:10.820000
Let's go ahead and open it up.

0:02:10.820000 --> 0:02:16.700000
Really, right away, you should be able to see what this might be here

0:02:16.700000 --> 0:02:21.020000
because it starts with %PDF-1.5.

0:02:21.020000 --> 0:02:23.220000
That is a very good clue.

0:02:23.220000 --> 0:02:26.720000
To confirm it though, there's a really great compendium that's been put

0:02:26.720000 --> 0:02:32.220000
together by someone named Gary Kessler, and that's at GaryKessler.net.

0:02:32.220000 --> 0:02:35.640000
What he has is a file signature table.

0:02:35.640000 --> 0:02:40.680000
I think that it's PDF because of this PDF file.

0:02:40.680000 --> 0:02:43.160000
If we look over here, we can see the hexadecimal representation of this:

0:02:43.160000 --> 0:02:48.720000
25 50 44 46 2D 31 2E 35.

0:02:48.720000 --> 0:02:51.960000
We have a clue that it's a PDF file.

0:02:51.960000 --> 0:02:54.040000
Let's go ahead and search for PDF.

0:02:54.040000 --> 0:03:00.880000
When I do this, I just use my browser search.

0:03:00.880000 --> 0:03:09.860000
PDF, okay. I can see that the file header for PDF files is 25 50 44 46.

0:03:09.860000 --> 0:03:11.540000
Let's have a look.

0:03:11.540000 --> 0:03:19.440000
25 50 44 46. That's how we identify a PDF file.

0:03:19.440000 --> 0:03:26.120000
What we could do with this file is rename it to .pdf.

0:03:26.120000 --> 0:03:29.720000
It will more than likely open.

0:03:29.720000 --> 0:03:32.740000
Here's one trick that we didn't cover.

0:03:32.740000 --> 0:03:38.240000
While Windows relies on the file extension to open up a file, Linux actually

0:03:38.240000 --> 0:03:43.340000
relies on the file signature.

0:03:43.340000 --> 0:03:49.120000
When the file signature matches, Linux just uses the appropriate application

0:03:49.120000 --> 0:03:55.240000
to open it up. One thing on the Gary Kessler site is there are some, what he

0:03:55.240000 --> 0:03:58.040000
calls trailers, for end of file.
0:03:58.040000 --> 0:04:00.720000
There may be multiple end-of-file marks within the file.

0:04:00.720000 --> 0:04:02.680000
When carving, be sure to get the last one.

0:04:02.680000 --> 0:04:03.640000
Let's just have a look.

0:04:03.640000 --> 0:04:08.460000
Let's go all the way into this file.

0:04:08.460000 --> 0:04:18.080000
I see EOF here. Let's see what we're looking for.

0:04:18.080000 --> 0:04:20.920000
Let's see: percent sign, percent sign, EOF.

0:04:20.920000 --> 0:04:25.740000
There we go. 25 25 45 4F 46.

0:04:25.740000 --> 0:04:27.240000
Let's see if we find that.

0:04:27.240000 --> 0:04:34.240000
25 25 45 4F 46. There's a 0D in there.

0:04:34.240000 --> 0:04:35.800000
They're all around the same one.

0:04:35.800000 --> 0:04:37.640000
Is there a 0A? Nope.

0:04:37.640000 --> 0:04:41.980000
It's going to end in 46.

0:04:41.980000 --> 0:04:43.000000
This is the one.

0:04:43.000000 --> 0:04:48.760000
0D 0A. Right there.

0:04:48.760000 --> 0:04:53.360000
As it points out, there are multiple variations, but for forensic identification,

0:04:53.360000 --> 0:04:56.240000
it's close enough.

0:04:56.240000 --> 0:05:08.540000
We'll open up the next one and see what that one is.

0:05:08.540000 --> 0:05:14.680000
Just by looking at the ASCII data over here, I can get an idea.

0:05:14.680000 --> 0:05:18.540000
I see some JFIF.

0:05:18.540000 --> 0:05:24.900000
I see Adobe. There's some Exif information in there.

0:05:24.900000 --> 0:05:34.340000
Exif information is going to be some metadata associated with JPGs.

0:05:34.340000 --> 0:05:39.980000
Let's look at these first four right here.

0:05:39.980000 --> 0:05:42.860000
Let's see if we can get a hit on any of that.

0:05:42.860000 --> 0:05:49.320000
FF D8 FF. Let's just do a search for that.

0:05:49.320000 --> 0:05:57.720000
We didn't have to go any further.

0:05:57.720000 --> 0:06:07.200000
We see that FF D8 is a JPEG file header.

0:06:07.200000 --> 0:06:09.600000
Now we know that this is a JPEG.
0:06:09.600000 --> 0:06:13.640000
We can go even further as to maybe the different type.

0:06:13.640000 --> 0:06:21.040000
FF D8 FF E0 is indeed a JFIF format file.

0:06:21.040000 --> 0:06:24.860000
In the trailer, the end-of-file marker is FF D9.

0:06:24.860000 --> 0:06:32.860000
There's our FF D9 at the very end.

0:06:32.860000 --> 0:06:35.640000
Now we know how we're carving for files too.

0:06:35.640000 --> 0:06:41.260000
This is how our forensic tools, and some of the other tools you see in

0:06:41.260000 --> 0:06:46.420000
these labs, carve for files: they know the header and they know the footer.

0:06:46.420000 --> 0:06:51.280000
Then they represent everything in between as the file.

0:06:51.280000 --> 0:06:59.000000
I'm going to go ahead and open up our next one.

0:06:59.000000 --> 0:07:12.540000
MX-234. This was a little different.

0:07:12.540000 --> 0:07:15.120000
What do you think about this one?

0:07:15.120000 --> 0:07:22.440000
What types of files begin with PK, or 50 4B?

0:07:22.440000 --> 0:07:25.280000
Let's have a look.

0:07:25.280000 --> 0:07:38.480000
PK is an archive.

0:07:38.480000 --> 0:07:41.640000
I see some XML data in here.

0:07:41.640000 --> 0:07:44.660000
Oh, look, this is interesting.

0:07:44.660000 --> 0:07:47.920000
This is why I go through this. PPT, slides.

0:07:47.920000 --> 0:07:55.140000
I know PPT is a PowerPoint.

0:07:55.140000 --> 0:08:04.560000
I go back down here and I look through, and I see that not only are zip

0:08:04.560000 --> 0:08:07.600000
files, but document formats are zip files.

0:08:07.600000 --> 0:08:09.300000
See, here's ODT.

0:08:09.300000 --> 0:08:14.840000
OpenDocument. Microsoft Open XML.

0:08:14.840000 --> 0:08:19.180000
OpenOffice. EPUBs.

0:08:19.180000 --> 0:08:20.280000
This is interesting.

0:08:20.280000 --> 0:08:23.780000
EPUBs. Ah, look.

0:08:23.780000 --> 0:08:26.260000
Microsoft documents are actually zip files.

0:08:26.260000 --> 0:08:27.440000
Did you know that?
0:08:27.440000 --> 0:08:28.880000
Think about that for a second.

0:08:28.880000 --> 0:08:30.300000
Did you know that?

0:08:30.300000 --> 0:08:38.240000
What is the power, forensically, if you were to be able to extract the

0:08:38.240000 --> 0:08:43.120000
content out of a PowerPoint file as if it were a zip file?

0:08:43.120000 --> 0:08:44.320000
Let's go back and look at this.

0:08:44.320000 --> 0:08:48.180000
Here's what we're looking for.

0:08:48.180000 --> 0:08:51.360000
So, it's going to be 50 4B and it's going to end in 06 00.

0:08:51.360000 --> 0:08:54.140000
Let's just look at those two numbers.

0:08:54.140000 --> 0:09:02.660000
50 4B, and we're going to go down to 06 00.

0:09:02.660000 --> 0:09:04.500000
Did we get it all?

0:09:04.500000 --> 0:09:18.920000
We got it. So, we have the file signature for a Microsoft Office document.

0:09:18.920000 --> 0:09:29.720000
And one thing I will actually show you too is if we rename this file to

0:09:29.720000 --> 0:09:39.400000
a zip file. Let me close it in Hex Workshop first.

0:09:39.400000 --> 0:09:44.920000
Now, let's rename it.

0:09:44.920000 --> 0:09:55.680000
If we rename it to a .zip format, Windows now thinks this is a zip file,

0:09:55.680000 --> 0:10:08.900000
and watch. We have all of the data as if it were a zip file, and we can

0:10:08.900000 --> 0:10:11.000000
peruse through all of this.

0:10:11.000000 --> 0:10:13.480000
It's a really valuable thing.

0:10:13.480000 --> 0:10:16.000000
Just remember that we're still doing forensics.

0:10:16.000000 --> 0:10:21.880000
So, we have to document what we do, and then we also have to ensure that

0:10:21.880000 --> 0:10:23.080000
we're not making changes.

0:10:23.080000 --> 0:10:27.040000
So, in this case, I opened it with a web browser, and I know that I can't

0:10:27.040000 --> 0:10:29.160000
change the data with a web browser.

0:10:29.160000 --> 0:10:38.740000
Okay, moving on to the next file.

0:10:38.740000 --> 0:10:45.580000
What do you think this is?
0:10:45.580000 --> 0:10:49.280000
Just take a moment and think: what do you think this is?

0:10:49.280000 --> 0:10:54.320000
There's nothing but plain ASCII data in here.

0:10:54.320000 --> 0:11:03.780000
If you thought that it's just an ASCII text file, you're correct.

0:11:03.780000 --> 0:11:07.780000
It is just a normal text file that can be opened using Notepad.

0:11:07.780000 --> 0:11:13.440000
Notice there is no header information in here.

0:11:13.440000 --> 0:11:19.940000
It's just the ASCII and the hexadecimal representation of the ASCII.

0:11:19.940000 --> 0:11:29.980000
Okay. We're going to do this other file here.

0:11:29.980000 --> 0:11:34.600000
Oh, this is familiar.

0:11:34.600000 --> 0:11:38.700000
50 4B, 03, [inaudible], 06.

0:11:38.700000 --> 0:11:43.800000
So, we have another Office file, and we can look down here and we can make

0:11:43.800000 --> 0:11:45.260000
some assumptions.

0:11:45.260000 --> 0:11:47.940000
We see the magic signature matches.

0:11:47.940000 --> 0:11:54.340000
If we look through here, we see a reference.

0:11:54.340000 --> 0:11:56.920000
There we go. Word.

0:11:56.920000 --> 0:12:01.260000
So, we can be pretty sure that this is a Word document file.

0:12:01.260000 --> 0:12:10.660000
Okay, we're going to do the last file now.

0:12:10.660000 --> 0:12:13.860000
Another 50 4B, 03, 04, 14.

0:12:13.860000 --> 0:12:19.360000
That looks a little different, but I think we're still in an Office file.

0:12:19.360000 --> 0:12:20.880000
I think we're still in an Office file.

0:12:20.880000 --> 0:12:22.280000
So, let's scroll here and look.

0:12:22.280000 --> 0:12:28.740000
I see what looks like workbook.xml.

0:12:28.740000 --> 0:12:33.660000
So, leaning towards an Excel spreadsheet.

0:12:33.660000 --> 0:12:38.320000
And yes, this is indeed an Excel spreadsheet.

0:12:38.320000 --> 0:12:40.420000
So, congratulations on completing this lab.
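The identification and header/footer carving steps walked through in the lab above, as an added example in Python that is not part of the lab or of this transcript. The sample bytes, the in-memory Office packages built with zipfile, and the names identify(), carve() and build_office_zip() are this example's own; the signatures it checks are the ones the lab looked up (25 50 44 46 with the last %%EOF, FF D8 FF with FF D9, 50 4B 03 04), plus the ZIP end-of-central-directory record (50 4B 05 06) from the ZIP format itself, which is what tells it where an Office package actually ends.

```python
# Added example (not part of the lab or this transcript): identify headerless
# files by signature and carve them out of a blob by header and footer. The
# sample bytes, in-memory Office packages and function names are constructed.
import io
import zipfile

# (header bytes, label, bound the trailer search at the next header of this type?)
SIGNATURES = (
    (b"%PDF", "pdf", True),
    (b"\xff\xd8\xff", "jpeg", True),
    (b"PK\x03\x04", "zip", False),  # one ZIP holds many PK 03 04 local headers
)
# Office Open XML packages are ZIPs; the top-level directory names the app.
OOXML_DIRS = {"word/": "docx", "ppt/": "pptx", "xl/": "xlsx"}


def identify(data: bytes) -> dict:
    """Classify one file starting at data[0]; carve_end is its length up to and
    including the trailer, or None when no trailer is found."""
    head = data[:8].hex().upper()
    if data.startswith(b"%PDF"):
        # Incremental updates leave several %%EOF marks; the real end is the last.
        eof = data.rfind(b"%%EOF")
        if eof == -1:
            return {"type": "pdf", "header": head, "carve_end": None}
        end = eof + 5
        while end < len(data) and data[end] in (0x0D, 0x0A):
            end += 1  # keep the 0D 0A / 0A / 0D variant that follows %%EOF
        return {"type": "pdf", "header": head, "carve_end": end}
    if data.startswith(b"\xff\xd8\xff"):
        app = data[3] if len(data) > 3 else -1  # FF E0 = JFIF, FF E1 = Exif
        sub = {0xE0: "jfif", 0xE1: "exif"}.get(app, "jpeg")
        eoi = data.rfind(b"\xff\xd9")  # End Of Image marker
        return {"type": sub, "header": head,
                "carve_end": None if eoi == -1 else eoi + 2}
    if data.startswith(b"PK\x03\x04"):
        # A ZIP ends with one End Of Central Directory record (PK 05 06):
        # 22 bytes plus a comment whose length is stored at record offset 20.
        eocd = data.find(b"PK\x05\x06")
        if eocd == -1 or eocd + 22 > len(data):
            return {"type": "zip", "header": head, "carve_end": None}
        end = eocd + 22 + int.from_bytes(data[eocd + 20:eocd + 22], "little")
        kind = "zip"
        try:  # read-only: list part names to tell docx/pptx/xlsx apart
            with zipfile.ZipFile(io.BytesIO(data[:end])) as zf:
                names = zf.namelist()
            kind = next((a for p, a in OOXML_DIRS.items()
                         if any(n.startswith(p) for n in names)), "zip")
        except zipfile.BadZipFile:
            pass
        return {"type": kind, "header": head, "carve_end": end}
    # No signature at all: plain text is only printable ASCII and line ends.
    printable = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    if data and all(b in printable for b in data):
        return {"type": "text", "header": head, "carve_end": len(data)}
    return {"type": "unknown", "header": head, "carve_end": None}


def carve(blob: bytes, max_size: int = 50 * 1024 * 1024) -> list:
    """Header/footer carving over raw bytes. For PDF and JPEG the trailer search
    stops at the next header of the same type, so 'take the last %%EOF' cannot
    swallow a following PDF. Limitation: a JPEG carrying an Exif thumbnail
    (its own FF D8 / FF D9) is cut at the thumbnail."""
    found, pos = [], 0
    while True:
        hits = [(blob.find(m, pos), k, m, b) for m, k, b in SIGNATURES]
        hits = [h for h in hits if h[0] != -1]
        if not hits:
            return found
        start, _kind, magic, bounded = min(hits)
        window_end = min(len(blob), start + max_size)
        if bounded:
            nxt = blob.find(magic, start + len(magic), window_end)
            window_end = window_end if nxt == -1 else nxt
        info = identify(blob[start:window_end])
        if info["carve_end"] is None:
            pos = start + len(magic)  # header with no trailer: step past it
            continue
        found.append({"offset": start, "type": info["type"],
                      "length": info["carve_end"]})
        pos = start + info["carve_end"]


def build_office_zip(app: str) -> bytes:
    """Constructed stand-in for a .docx/.pptx/.xlsx: a stored ZIP whose parts
    live under the application directory, as in a real Office package."""
    part = {"docx": "word/document.xml", "pptx": "ppt/slides/slide1.xml",
            "xlsx": "xl/workbook.xml"}[app]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(part, "<root/>")
    return buf.getvalue()


# Constructed samples carrying the same signatures the lab saw in the hex editor.
SAMPLES = {
    "pdf": b"%PDF-1.5\n1 0 obj<<>>endobj\n%%EOF\n2 0 obj<<>>endobj\n%%EOF\r\n",
    "jfif": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9",
    "text": b"Just some plain ASCII text.\r\nNo header at all.\r\n",
    "docx": build_office_zip("docx"),
    "pptx": build_office_zip("pptx"),
    "xlsx": build_office_zip("xlsx"),
}
# Files with junk between them, the way unallocated space looks to a carver.
BLOB = (b"\x00" * 16 + SAMPLES["pdf"] + b"JUNK" + SAMPLES["docx"]
        + b"junk" + SAMPLES["jfif"] + b"tail")
```

Call identify() on a file's bytes, or carve() on a raw image, and inspect the returned dicts. The ZIP branch opens the package read-only and only lists part names; that is what separates .docx, .pptx and .xlsx, since all three share the same 50 4B 03 04 header. The transcript's caution about not altering evidence still applies: hash the input before and after. An EPUB or OpenDocument file comes back as plain "zip" here; its mimetype entry would tell those apart in the same way.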