Notifications
Clear all

File Validation

The-Game
(@the-game)
New Member

Hello Experts,

It might sound dumb, but I would like to understand if anyone has encountered the below mentioned situation and if there is any work around for the same.

Situation:

I have exported XXXXX number of user files from an E01 image using EnCase and I have been asked to determine/provide a count stating out of XXXXX number of files N number of files open/are not corrupt.

Is there any automated way or script which can be used to determine if a particular bunch of files will open or not?

 

Cheers 

The-Game

Quote
Topic starter Posted : 07/01/2021 11:22 am
Topic Tags
hommy0
(@hommy0)
Member

Can I ask what file types are you reviewing?

Are the files allocated or deleted?

ReplyQuote
Posted : 12/01/2021 1:31 pm
pbobby
(@pbobby)
Active Member

Run signature analysis against all XXXXX. If they are valid, that's your number.

 

 

ReplyQuote
Posted : 12/01/2021 2:20 pm
Passmark
(@passmark)
Active Member

Signature analysis often only checks the first few bytes. For a JPG file the software might check for these 4 bytes, \xFF\xD8\xDD\xE0. Having these 4 bytes doesn't prove the file isn't corrupt. It is an extremely superficial check. 

If all the files are of a single type some scripting automation is probably possible. But a different verification tool will probably be needed for each file type.

Maybe you can create a searchable Word index of all the files. In most of the forensics tools that do this the files are implicitly parsed and verified and a log is produced. Example 1: EXIF data is extracted for JPG files. Example 2: DOCX files are uncompressed and checksums verified and the XML text content of DOCX file is parsed. One problem with this approach is that some files might not be corrupt, but still might not be parseable (eg. encrypted PDFs with a password). It might be hard to tell the difference between corrupt and inaccessible.

If you need more help with this let me know. I can post some instructions.

 

ReplyQuote
Posted : 13/01/2021 10:13 pm
Share: