Discover File Ext

9 Posts
3 Users
0 Likes
259 Views
(@si2013)
Posts: 36
Eminent Member
Topic starter
 

As part of my course, we've been given some files without extensions and have to figure out what the files are. For the most part, it has been straightforward; however, I've come across one file with a hex header beginning with 4d 65 73 73 61

It seems to have descendant emails and it's clearly something to do with Outlook Express 5 because filtered text shows this.

How can I find out what file it is? Any other methods I can try?

Many thanks

 
Posted : 18/04/2013 8:59 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> As part of my course, we've been given some files without extensions and have to figure out what the files are. For the most part, it has been straightforward; however, I've come across one file with a hex header beginning with 4d 65 73 73 61

What does that tell you, and what is the rest of the header?

 
Posted : 18/04/2013 9:05 pm
(@si2013)
Posts: 36
Eminent Member
Topic starter
 

Header is 4d 65 73 73 61 67 65 2d 49 44 3a 20 3c 32 30 30

The hex header should give me a hint as to what file ext it is, but after looking around, I can't make sense of it yet. I'm a bit confused. Sorry!

 
Posted : 18/04/2013 9:17 pm
(@twjolson)
Posts: 417
Honorable Member
 

Not all files have headers, not all file signatures are at the start of the file either.

 
Posted : 18/04/2013 9:31 pm
(@si2013)
Posts: 36
Eminent Member
Topic starter
 

Thanks for the reply. That makes sense, but in that case, how would you find the extension?

I've looked at the file again in native format and it says "This is a multi-part message in MIME format"

So I assume that's my answer, but I still don't know the extension.

 
Posted : 18/04/2013 9:35 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> Header is 4d 65 73 73 61 67 65 2d 49 44 3a 20 3c 32 30 30

What does that spell out?

Have you tried just opening the file in a hex editor, or even something like Notepad?

 
Posted : 18/04/2013 9:47 pm
(@si2013)
Posts: 36
Eminent Member
Topic starter
 

Spells out Message-ID <200

in hex.

I am using AccessData's Forensic Toolkit to look at the files

 
Posted : 18/04/2013 9:58 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

http://en.wikipedia.org/wiki/Message-ID

http://tools.ietf.org/html/rfc5322

 
Posted : 18/04/2013 10:07 pm
(@si2013)
Posts: 36
Eminent Member
Topic starter
 

Thanks for the info, much appreciated.

 
Posted : 18/04/2013 10:25 pm
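The identification this thread works toward, as an added example that is not from any of the posters: decode the hex header to ASCII, then test whether the file opens with RFC 5322 header fields instead of a binary magic number. The function names, the list of known field names and the sample message are assumptions constructed for illustration.

```python
import re

# RFC 5322 field name: printable US-ASCII except ':', then a colon.
FIELD_RE = re.compile(rb"^([\x21-\x39\x3b-\x7e]+):")
# Assumed short list of common header fields (illustrative, not exhaustive).
KNOWN = {"message-id", "from", "to", "date", "subject", "received",
         "return-path", "mime-version", "content-type"}

def hex_to_bytes(hexdump: str) -> bytes:
    """Turn a spaced hex dump such as '4d 65 73' into raw bytes."""
    return bytes.fromhex(hexdump)

def printable(data: bytes) -> str:
    """Render bytes the way a hex editor's ASCII column does."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)

def identify(data: bytes) -> dict:
    """Collect leading header field names until a blank or non-header line."""
    fields = []
    for line in data.splitlines():
        if not line:                       # blank line ends the header block
            break
        if line[:1] in b" \t" and fields:  # folded continuation of a field
            continue
        m = FIELD_RE.match(line)
        if not m:                          # binary or free text: not a header
            break
        fields.append(m.group(1).decode("ascii").lower())
    return {
        "fields": fields,
        "is_message": any(f in KNOWN for f in fields),
        "multipart": b"multi-part message in mime format" in data.lower(),
    }

# Header bytes quoted in the thread.
THREAD_HEADER = hex_to_bytes("4d 65 73 73 61 67 65 2d 49 44 3a 20 3c 32 30 30")
# Constructed sample message (not taken from the course file).
SAMPLE = (b"Message-ID: <2004.constructed@example.invalid>\r\n"
          b"From: a@example.invalid\r\nSubject: test\r\n"
          b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed;\r\n"
          b"\tboundary=\"x\"\r\n\r\n"
          b"This is a multi-part message in MIME format.\r\n")

if __name__ == "__main__":
    print(printable(THREAD_HEADER))
    print(identify(THREAD_HEADER))
    print(identify(SAMPLE))
```

A file that passes this check is a plain-text Internet message; mail clients conventionally save these with an .eml extension.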