Notifications

Clear all

Altered File Extensions?!

General (Technical, Procedural, Software, Hardware etc.)

Last Post by jaclaz 16 years ago

5 Posts

5 Users

0 Reactions

3,308 Views

RSS

epyon1791

(@epyon1791)

New Member

Joined: 16 years ago

Posts: 2

Topic starter 28/09/2009 8:39 am

In my forensic class, we are do some basic image analysis and I am hitting a few snags. The snags are most often with files that have changed file extensions. I am using ProDiscover Basic, and can identify most often the original extension to the file, but if i change the file extension after copying the file, it will open, and be corrupt. I don't know if i'm doing something wrong or if anyone has any tips? Anything would be most appreciated! I'm getting so frustrated!!! x javascriptemoticon('post',%20'message',%20'x')

Thanks,

Nate

Quote

markg43

(@markg43)

Trusted Member

Joined: 18 years ago

Posts: 77

28/09/2009 11:22 am

Try to open the file with another tool to confirm that the file is corrupted.

If your evidence image has less than 5000 files in it, go to accessdata.com and download FTK v1.81.4. You will be able to use it in demo mode with an image that small.

If your image is greater than 5000 files, then download accessdata's FTK Imager. You can open the image with that and export the offending file(s) and change the extension and see if the file is corrupted.

Did your teacher explain about the first few bytes of the file being the file signature? if so, then open the offending file in a hex editor and find the first few bytes, then search for those bytes on Gary Kessler's file signature page here http//www.garykessler.net/library/file_sigs.html That will tell you the exact program the file uses and the correct extension.

Good luck

ReplyQuote

mscotgrove

(@mscotgrove)

Prominent Member

Joined: 17 years ago

Posts: 940

28/09/2009 8:23 pm

Just renaming a file to change it's extension will not corrupt a file. The file was probably already corrupted.

As Markg43 said you want to examine the file. I would suggest with a hex editor to see if the file looks valid - this will also test your knowledge of file structures, so another good exercise!

ReplyQuote

ForensicRob

(@forensicrob)

Eminent Member

Joined: 20 years ago

Posts: 26

28/09/2009 11:12 pm

If you want to use a tool to definitively identify what types of files you are really working with, use the trial version of FI TOOLS. You can download it from http//www.forensicinnovations.com/fitools.html

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

29/09/2009 11:52 pm

Been notoriously cheap, I find that this has a very good value for money (FREEWARE)
TRid
http//mark0.net/soft-trid-e.html

The expandable database concept allows for continue betterings/enhancements.

BTW, what do you mean by

but if i change the file extension after copying the file, it will open, and be corrupt.

Open with what?
How?

Can you post a practical example/report?

jaclaz

ReplyQuote

Podcast: Well-Being In Digital Forensics And Policing: Insights From Hannah Bailey

Hannah Bailey shares her journey from frontline policin...

By Zoe , 1 week ago
RE: Android Forensics

Hi, Try decompressing the file using zlib in python. ...

By Dexter4n6 , 1 week ago
Interview: Neal Ysart, Co-Founder, The Coalition of Cyber Investigators

Neal Ysart shares how The Coalition of Cyber Investigat...

By Zoe , 1 week ago

8 Forums
15.7 K Topics
92.3 K Posts
22 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed