Making a file signature analyser tool


Making a file signature analyser tool

Post Posted: Tue Jan 15, 2013 4:23 pm

Hi guys, I need help with making a file signature analyser but I'm a bit of a noob at it. An example of what I have to create is in this software called OS forensics:

www.osforensics.com/

So basically this software has two tabs that I need in my project. The first tab is a 'create signature' section which allows you to select a file or a group of files from your documents and from this save a separate file with the extension ".OSFsig". (But let's say for this example I have converted a .doc file.)

The second tab is a 'compare signature' tab.

To test this second tab you have to make a small change to the .doc file that you have converted into an OSFsig file, it can be as much as placing an extra character into a word document. This changed document has to be converted into an OSFsig document so that you now have two OSFsig documents.

You can then place these two OSFsig documents into the compare signature section and it will show you that the document has been modified.

I hope you understand what I mean. I really need help with this so I suppose my questions are:
How do I go about doing all of this?
What programming language should I use and what software should I write the code in?
Is there any way that I can maybe extract the parts I need from the software I have provided above to see how they have gone about doing it?
Thank you  

tomb1992
Newbie
 
 
  

Re: Making a file signature analyser tool

Post Posted: Wed Jan 16, 2013 2:48 am

- tomb1992

What programming language should I use and what software should I write the code in?


This sounds very much like some kind of class assignment, and if it is, you'll have to work with whatever context and/or constraints you get from there.

Apart from that, use the programming language you know best, that you have access to, and which (directly or indirectly) provides the functionality you need. There's apparently a GUI involved, so you want something GUI-capable.

You should be able to whip up a 'demo' fairly quickly, doing nothing real, but which shows the GUI and how you operate it easily, but that fakes the main collection and application of signatures. If you can't do *that*, you're probably out of your depth -- go and have a chat with whoever gave you the assignment.

If you find the full assignment difficult, it splits easily in two: if you assume you have already collected a 'signature' (or several), can you do the second part?

And if this is something that builds on earlier classes (in programming), it may be that you need to revisit those.

Is there any way that I can maybe extract the parts I need from the software I have provided above to see how they have gone about doing it?


Yes, is there? Does that software come with a license that allows that kind of thing, for starters?

I don't expect answers to any of those questions. I'm assuming this is a class assignment, which means it should mainly be done by you, not by someone else. Just like running the 110 m hurdle.  

athulin
Senior Member
 
 
  

Re: Making a file signature analyser tool

Post Posted: Wed Jan 16, 2013 2:59 pm

Additionally, it sounds more like you are looking/wanting/whatever a hash/checksum, rather than a "file signature", which I personally tend to interpret usually as "magic numbers", i.e. you need something like CRC32 or MD5 algorithms too.

What you asked about:
en.wikipedia.org/wiki/..._signature

What I understood at first glance:
en.wikipedia.org/wiki/...gic_number
www.garykessler.net/li..._sigs.html

What you probably meant:
en.wikipedia.org/wiki/Checksum


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Making a file signature analyser tool

Post Posted: Wed Jan 16, 2013 6:05 pm

I guess I should be flattered that someone decided to set up a project or assignment around reverse engineering my software :)

Seriously however, if you are starting from the point of not knowing a programming language, and not knowing which IDE to use, there is really no hope of just jumping in the deep end and getting it done. What you really need to be looking at is going to get a solid education first. Everyone who had a hand in writing our code has a degree in computer science and 10+ years of experience coding.

Ignoring the question of legality, there is also zero chance of you just nicking our code and calling it your own, given your level of expertise. It would be a long detailed exercise to hack out the machine code for this particular function and turn it back into a standalone tool. Our code is more complex than it might initially appear. It looks inside Zip files, Email archives, does direct access into disk images via the MFT, can compare branches in the Windows registry, deals with re-parse points, uses multiple hash algorithms, etc... It also does careful memory management to allow millions of files to be compared at a time with limited RAM. I am guessing you don't need a lot of this, in which case it would be quicker writing something from scratch, even though technically it isn't impossible to rip off our code.

For the record the source code is C++ in Visual Studio 2010. Assuming this is a class assignment here is a hint. The key to getting this to work well for large data sets is recursion, good memory management and fast sorting algorithms.  

Passmark
Senior Member
 
 
  

Re: Making a file signature analyser tool

Post Posted: Sat Jan 26, 2013 9:16 am

- tomb1992
You can then place these two OSFsig documents into the compare signature section and it will show you that the document has been modified.



Ask yourself, what do you really want to do: do you want to see if the file has been changed or if the file signatures differ (i.e. is this a Word 2003 document or a Word 2007 document, and has it been resaved in a later version?)

Checking file signatures (md5/sha256) for match/mismatch and detection of modification are two different problems.

MDCR
Senior Member
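
The distinction drawn in the replies above (a magic number identifies the file type, a hash detects any change in content) and the create/compare split from the first post, as an added example that is not part of the thread and is not OSForensics code or its .OSFsig format. The function names, the JSON layout and the choice of SHA-256 are assumptions made for illustration; the sample files are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large files never sit in RAM
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of legacy .doc containers

def file_record(path):
    """Return the first 8 bytes (magic number) and the SHA-256 of one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        magic = fh.read(8)
        digest.update(magic)
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return {"magic": magic.hex(), "sha256": digest.hexdigest()}

def create_signature(root):
    """'Create signature': recurse under root, map relative path -> record."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_signatures(old, new):
    """'Compare signature': classify every path seen in either signature."""
    report = {"added": [], "removed": [], "modified": [], "type_changed": []}
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif old[path]["sha256"] != new[path]["sha256"]:
            report["modified"].append(path)      # content differs
            if old[path]["magic"] != new[path]["magic"]:
                report["type_changed"].append(path)  # header differs as well
    return report

def demo():
    """Constructed data: sign a folder, append one character, sign again."""
    with tempfile.TemporaryDirectory() as tmp:
        doc = Path(tmp) / "docs" / "report.doc"
        doc.parent.mkdir()
        doc.write_bytes(OLE2_MAGIC + b"hello")
        before = create_signature(tmp)
        doc.write_bytes(OLE2_MAGIC + b"hello!")  # one extra character
        (Path(tmp) / "new.bin").write_bytes(b"x")
        after = json.loads(json.dumps(create_signature(tmp)))  # as if saved and reloaded
        return compare_signatures(before, after)
```

A signature saved with `json.dump` can be compared later against a fresh one; the one-character edit shows up under `modified` while `type_changed` stays empty because the header bytes are the same.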
 
 
  

Re: Making a file signature analyser tool

Post Posted: Mon Jan 28, 2013 4:16 am

- Passmark
Seriously however, if you are starting from the point of not knowing a programming language, and not knowing which IDE to use, there is really no hope of just jumping in the deep end and getting it done. What you really need to be looking at is going to get a solid education first. Everyone who had a hand in writing our code has a degree in computer science and 10+ years of experience coding.


This. ^^

If you can't even write the essential "Hello World", how are you going to code the rest of the assignment?

Walk before you can run  

alastairfay
Member
 
 