Hello Experts,
It might sound dumb, but I would like to understand if anyone has encountered the below-mentioned situation and if there is any workaround for the same.
Situation:
I have exported XXXXX number of user files from an E01 image using EnCase and I have been asked to determine/provide a count stating out of XXXXX number of files N number of files open/are not corrupt.
Is there any automated way or script which can be used to determine if a particular bunch of files will open or not?
Cheers
The-Game
Can I ask what file types you are reviewing?
Are the files allocated or deleted?
Run signature analysis against all XXXXX. If they are valid, that's your number.
Signature analysis often only checks the first few bytes. For a JPG file the software might check for these 4 bytes, \xFF\xD8\xDD\xE0. Having these 4 bytes doesn't prove the file isn't corrupt. It is an extremely superficial check.
If all the files are of a single type some scripting automation is probably possible. But a different verification tool will probably be needed for each file type.
Maybe you can create a searchable Word index of all the files. In most of the forensics tools that do this the files are implicitly parsed and verified and a log is produced. Example 1: EXIF data is extracted for JPG files. Example 2: DOCX files are uncompressed and checksums verified and the XML text content of the DOCX file is parsed. One problem with this approach is that some files might not be corrupt, but still might not be parseable (e.g. encrypted PDFs with a password). It might be hard to tell the difference between corrupt and inaccessible.
If you need more help with this let me know. I can post some instructions.
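
The per-type checks described in the reply above, as an added Python example that is not part of the original thread: it walks JPEG segments past the signature, verifies DOCX member CRCs, and reports an encrypted PDF as inaccessible rather than corrupt. The function names, status strings, the `/Encrypt` substring heuristic and the sample byte strings are constructed for this example.

```python
import io, struct, zipfile, zlib

def check_jpeg(data):
    """Structural walk: SOI, well-formed segments up to SOS, then a final EOI."""
    if data[:2] != b"\xff\xd8":
        return "corrupt: no SOI marker"
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return f"corrupt: bad marker at offset {pos}"
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return f"corrupt: segment at offset {pos} overruns file"
        if data[pos + 1] == 0xDA:  # SOS: entropy-coded image data follows
            return "ok" if data.endswith(b"\xff\xd9") else "corrupt: no EOI marker"
        pos += 2 + seg_len
    return "corrupt: truncated before image data"

def check_docx(data):
    """DOCX is a ZIP package: verify each member's CRC-32 and the manifest."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()  # reads every member and compares its CRC-32
            has_manifest = "[Content_Types].xml" in zf.namelist()
    except (zipfile.BadZipFile, zlib.error) as exc:
        return f"corrupt: {exc}"
    if bad:
        return f"corrupt: CRC mismatch in {bad}"
    return "ok" if has_manifest else "corrupt: not an OOXML package"

def check_pdf(data):
    """Header/trailer check; /Encrypt (heuristic) means inaccessible, not corrupt."""
    if not data.startswith(b"%PDF-") or b"%%EOF" not in data[-1024:]:
        return "corrupt: missing header or %%EOF"
    return "inaccessible: encrypted" if b"/Encrypt" in data else "ok"

CHECKS = {".jpg": check_jpeg, ".docx": check_docx, ".pdf": check_pdf}

def classify(name, data):
    ext = name[name.rfind("."):].lower()
    return CHECKS[ext](data) if ext in CHECKS else "unverified: no checker"

# Constructed sample inputs (not real evidence files).
GOOD_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(9) + b"\xff\xda\x00\x0c" + bytes(11) + b"\xff\xd9"
buf = io.BytesIO()
with zipfile.ZipFile(buf, "w") as z:
    z.writestr("[Content_Types].xml", "<Types/>")
    z.writestr("word/document.xml", "<w:document>hello</w:document>")
GOOD_DOCX = buf.getvalue()
```

To produce the requested count, call `classify` on each exported file's bytes and tally the returned status strings; files with no checker stay in their own "unverified" bucket instead of being counted as good.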