Discover File Ext  

si2013
(@si2013)
Junior Member

As part of my course, we've been given some files without extensions and have to figure out what the files are. For the most part, it has been straightforward, however, I've come across one file with a hex header beginning with 4d 65 73 73 61

It seems to have descendant emails and it's clearly something to do with Outlook Express 5 because filtered text shows this.

How can I find out what file it is? Any other methods I can try?

Many thanks

Posted : 18/04/2013 9:59 pm
keydet89
(@keydet89)
Community Legend

As part of my course, we've been given some files without extensions and have to figure out what the files are. For the most part, it has been straightforward, however, I've come across one file with a hex header beginning with 4d 65 73 73 61

What does that tell you, and what is the rest of the header?

Posted : 18/04/2013 10:05 pm
si2013
(@si2013)
Junior Member

Header is 4d 65 73 73 61 67 65 2d 49 44 3a 20 3c 32 30 30

The hex header should give me a hint as to what file ext it is, but after looking around, I can't make sense of it yet. I'm a bit confused. Sorry!

Posted : 18/04/2013 10:17 pm
twjolson
(@twjolson)
Active Member

Not all files have headers, not all file signatures are at the start of the file either.

Posted : 18/04/2013 10:31 pm
si2013
(@si2013)
Junior Member

Thanks for the reply. That makes sense, but in that case, how would you find the extension?

I've looked at the file again in native format and it says "This is a multi-part message in MIME format"

So I assume that's my answer, but I still don't know the extension.

Posted : 18/04/2013 10:35 pm
keydet89
(@keydet89)
Community Legend

Header is 4d 65 73 73 61 67 65 2d 49 44 3a 20 3c 32 30 30

What does that spell out?

Have you tried just opening the file in a hex editor, or even something like Notepad?

Posted : 18/04/2013 10:47 pm
si2013
(@si2013)
Junior Member

Spells out Message-ID <200

in hex.

I am using AccessData's Forensic Toolkit to look at the files

Posted : 18/04/2013 10:58 pm
keydet89
(@keydet89)
Community Legend

http://en.wikipedia.org/wiki/Message-ID

http://tools.ietf.org/html/rfc5322

Posted : 18/04/2013 11:07 pm
si2013
(@si2013)
Junior Member

Thanks for the info, much appreciated.

Posted : 18/04/2013 11:25 pm
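
The check the thread works through, written out as an added example that is not part of any post above: decode the posted header bytes to text, then test whether the data opens with RFC 5322 header fields instead of a binary signature. The function names, the `KNOWN_FIELDS` shortlist and the `SAMPLE` message are assumptions made up for this illustration.

```python
import re
from email import message_from_bytes

# First 16 bytes of the unknown file, as posted in the thread.
THREAD_HEADER_HEX = "4d 65 73 73 61 67 65 2d 49 44 3a 20 3c 32 30 30"

# Constructed sample message (not from the thread) for the full-file case.
SAMPLE = (b"Message-ID: <2001@example.invalid>\r\n"
          b"MIME-Version: 1.0\r\n"
          b"Content-Type: multipart/mixed;\r\n"
          b"\tboundary=\"b1\"\r\n\r\n"
          b"This is a multi-part message in MIME format.\r\n"
          b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n--b1--\r\n")

# RFC 5322 section 2.2: field name = printable ASCII except ':', then ':'.
FIELD_LINE = re.compile(rb"^([\x21-\x39\x3b-\x7e]+)[ \t]*:")
# Assumed shortlist of field names that commonly open a stored message.
KNOWN_FIELDS = {b"message-id", b"received", b"return-path", b"from", b"to",
                b"subject", b"date", b"mime-version", b"content-type"}

def decode_header(hex_dump: str) -> str:
    """Render a spaced hex dump as text, non-printable bytes shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "."
                   for b in bytes.fromhex(hex_dump))

def looks_like_rfc5322(data: bytes) -> bool:
    """True if data opens with header field lines naming a known field."""
    parts = re.split(rb"\r?\n\r?\n", data, maxsplit=1)
    lines = re.split(rb"\r?\n", parts[0])
    if len(parts) == 1 and len(lines) > 1:
        lines = lines[:-1]  # no blank line seen: last line may be cut off
    names = []
    for line in lines:
        if names and line[:1] in (b" ", b"\t"):
            continue  # folded continuation of the previous field
        m = FIELD_LINE.match(line)
        if not m:
            return False  # binary data or free text, not a header block
        names.append(m.group(1).lower())
    return any(n in KNOWN_FIELDS for n in names)

def describe(data: bytes) -> str:
    """Label the data; for messages, include the declared MIME type."""
    if not looks_like_rfc5322(data):
        return "unknown"
    return "RFC 5322 message, " + message_from_bytes(data).get_content_type()

if __name__ == "__main__":
    print(repr(decode_header(THREAD_HEADER_HEX)))
    print(describe(bytes.fromhex(THREAD_HEADER_HEX)))
    print(describe(SAMPLE))
```
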