Notifications
Clear all

File Validation

4 Posts
4 Users
0 Reactions
2,449 Views
(@the-game)
Eminent Member
Joined: 13 years ago
Posts: 22
Topic starter  

Hello Experts,

It might sound dumb, but I would like to understand if anyone has encountered the below mentioned situation and if there is any work around for the same.

Situation:

I have exported XXXXX number of user files from an E01 image using EnCase and I have been asked to determine/provide a count stating out of XXXXX number of files N number of files open/are not corrupt.

Is there any automated way or script which can be used to determine if a particular bunch of files will open or not?

 

Cheers 

The-Game


   
Quote
(@hommy0)
Trusted Member
Joined: 14 years ago
Posts: 98
 

Can I ask what file types are you reviewing?

Are the files allocated or deleted?


   
ReplyQuote
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

Run signature analysis against all XXXXX. If they are valid, that's your number.

 

 


   
ReplyQuote
Passmark
(@passmark)
Reputable Member
Joined: 13 years ago
Posts: 376
 

Signature analysis often only checks the first few bytes. For a JPG file the software might check for these 4 bytes, \xFF\xD8\xDD\xE0. Having these 4 bytes doesn't prove the file isn't corrupt. It is an extremely superficial check. 

If all the files are of a single type some scripting automation is probably possible. But a different verification tool will probably be needed for each file type.

Maybe you can create a searchable Word index of all the files. In most of the forensics tools that do this the files are implicitly parsed and verified and a log is produced. Example 1: EXIF data is extracted for JPG files. Example 2: DOCX files are uncompressed and checksums verified and the XML text content of DOCX file is parsed. One problem with this approach is that some files might not be corrupt, but still might not be parseable (eg. encrypted PDFs with a password). It might be hard to tell the difference between corrupt and inaccessible.

If you need more help with this let me know. I can post some instructions.

 


   
ReplyQuote
Share: