Hi all,
I'm just wondering how to locate a file footer within a hex view in FTK? I'm sure it's easy if you know how but I don't know how at the moment -( I expected the footer to be the final few bytes at the bottom of the file but they are sometimes 00 00 00 00 00 which cannot be right. Any help is appreciated.
Thank you
Not all files have a footer.
To determine if a file has a footer, you'd need to look at the file format specification.
A lot of files don't have unique footers or trailers. Some files have an exact length and no footer, others can be padded to a sector/cluster length, and typically padded with zeros.
Headers are interesting - I tend to ignore trailers and calculate file lengths by other means.
As ketdet89 said, it is totally file dependant, so you need to know and understand the relevant file format/structure.
Thanks guys, that makes sense. I'm going to investigate some more with Scalpel or Foremost and see what I can come up with. Chances are it probably doesn't have a footer.
What type of file are you looking at?
A .dat / regf file
Ah, okay…Registry hives are "assembled" in 4K blocks…so you don't need a footer. Just find the regf for the first block and get 4K, and then find 'hbin' for subsequent blocks and get 4K. Reassembling the entire hive file is the hard part.
You should be using Arsenal Security's Registry Recon. They have figured out how to locate and pull together the regf and hbin sections of hive files.
Excellent, thank you for the information. I'll look at Registry Recon, it looks good!
Registry Recon is fantastic