Hi forensic focus.
I am trying to learn how to use Linux forensic tools so I can verify my results when using Windows-based tools. I have acquired a USB drive which I use for testing and mounted the image. I have a number of files which have signature mismatches, JPEGs as ZIPs etc.
Can someone point me in the right direction as to what tools I would apply to the mounted image to establish which files have signature mismatches.
Any help or advice is greatly appreciated.
Kaly
Tools are only tools. Most work but sometimes there will be issues.
As part of your learning skills you should be able to go down to the raw level of data to establish if the tools are giving the correct results. For instance a JPEG file will start 0xFF 0xD8 0xFF then 0xE0 or 0xE1. This is easy to determine using a hex editor. With all forensic examination I think you must be able to justify the result a certain tool may have produced.
A Zip file starts with "PK".
The demo of my software (
Some file structures have the same basic signature for many file types, eg .EXE, .DLL, .OCX. Another one is the current Office 2007 files, which are all Zip files. To determine if a file is a .DOCX or .XLSX, the file has to be unzipped and the XML data examined. A signature sometimes needs to be more than just a match of a few bytes.
Thanks for the quick reply mscotgrove. So it's a manual process in Linux?
I was hoping there was a tool which I could run against all files within the raw image and verify the file signature - similar to that in EnCase.
I don't mind doing this manual process on a small number of files, but what if I have a large number of files to analyse using a Linux forensic tool. (I am trying to use the terminal by the way to carry out all my analysis)
Kaly…
I have a number of files which have signature mismatches jpegs as Zip's etc..
That – signature mismatch – is a Windows thing. Windows uses extensions to decide what the file is.
Linux doesn't do anything like that – in Linux the file names/extensions do not have any such connection, except as far as the user names the file according to his/her preferences.
For that reason, Linux tools may not be the right thing to use.
Anyway, check file(1). It looks at an unknown file, attempts to identify the file format, and then prints out a report of what it finds. You can invoke it for multiple files.
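Putting mscotgrove's byte-level checks and athulin's run-it-over-many-files suggestion together, here is a small Python script added to this thread; it is not code from any of the posters or from the tools they mention. It walks a mounted image, reads the leading bytes of each file, follows a ZIP header into the archive to tell a .docx/.xlsx from a plain ZIP, and lists files whose extension disagrees with the content. The extension table, the sample files and their names are constructed for the example.

```python
import tempfile
import zipfile
from pathlib import Path
from typing import List, Tuple

# Extension -> content type we expect. Constructed for this example; extend
# it with whatever extensions the image under examination actually carries.
EXPECTED_BY_EXT = {
    ".jpg": "jpeg", ".jpeg": "jpeg",
    ".zip": "zip", ".docx": "docx", ".xlsx": "xlsx",
    ".exe": "pe", ".dll": "pe", ".ocx": "pe",
}


def identify(path: Path) -> str:
    """Classify a file by its leading bytes, looking inside ZIP containers."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    # JPEG: FF D8 FF, then E0 (JFIF) or E1 (Exif).
    if head[:3] == b"\xff\xd8\xff" and head[3:4] in (b"\xe0", b"\xe1"):
        return "jpeg"
    # ZIP local file header "PK\x03\x04"; Office 2007+ documents share it.
    if head[:4] == b"PK\x03\x04":
        return zip_subtype(path)
    # EXE/DLL/OCX all start with the same "MZ" stub, so a two-byte match
    # alone cannot tell them apart.
    if head[:2] == b"MZ":
        return "pe"
    return "unknown"


def zip_subtype(path: Path) -> str:
    """Open the ZIP and check which Office part, if any, it contains."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip-damaged"  # header says ZIP, but the archive is unreadable
    if "word/document.xml" in names:
        return "docx"
    if "xl/workbook.xml" in names:
        return "xlsx"
    return "zip"


def scan_tree(root: Path) -> List[Tuple[str, str, str]]:
    """Return (relative path, expected type, observed type) for every mismatch."""
    mismatches = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        expected = EXPECTED_BY_EXT.get(p.suffix.lower())
        if expected is None:
            continue  # no expectation recorded for this extension
        observed = identify(p)
        if observed != expected:
            mismatches.append((str(p.relative_to(root)), expected, observed))
    return mismatches


def make_samples(root: Path) -> None:
    """Write constructed sample files: three honest ones and two renamed ones."""
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32)
    with zipfile.ZipFile(root / "archive.zip", "w") as zf:
        zf.writestr("notes.txt", "plain zip")
    with zipfile.ZipFile(root / "report.docx", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    # A ZIP renamed to .jpg, and a plain ZIP renamed to .docx.
    (root / "fake.jpg").write_bytes((root / "archive.zip").read_bytes())
    (root / "renamed.docx").write_bytes((root / "archive.zip").read_bytes())
    (root / "readme.txt").write_text("no expectation for .txt, so it is skipped")


def demo() -> List[Tuple[str, str, str]]:
    """Build the samples in a scratch directory and return the mismatches found."""
    root = Path(tempfile.mkdtemp(prefix="sigcheck-"))
    make_samples(root)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, expected, observed in demo():
        print(f"{rel}: extension says {expected}, content says {observed}")
```

Against a real mount point, call `scan_tree(Path("/mnt/image"))` instead of `demo()`. For a quick first pass from the terminal, `find /mnt/image -type f -exec file --mime-type {} +` prints file(1)'s verdict for every file, but it will report a .docx as a ZIP, which is exactly the case the ZIP walk above handles.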
Kaly,
You misunderstand what I am trying to say. Do use tools, but at the same time, do try some manual tests. A manual test will show you the raw data, and then let you determine if the tool you try is generating the correct signature / extension data. If you are then confident that the data and signatures are correct, a tool will probably produce the best results. However, never just rely on a tool, there are always possible cases of false positive matches, and sometimes mismatches. Get to know what the raw data looks like.
Thanks for the response mscotgrove. Made my way through the raw data as suggested..
Kaly..
Just in case.
Trid
http://mark0.net/soft-trid-e.html
jaclaz
Hadn't seen this site before. Thanks for the link.
Linux doesn't do anything like that – in Linux the file names/extensions do not have any such connection, except as far as the user names the file according to his/her preferences.
athulin, I agree.
Just in case.
Trid
http://mark0.net/soft-trid-e.html
jaclaz
Jaclaz, I hold mark0 software in my software arsenal.
Jaclaz, I hold mark0 software in my software arsenal.
..which is good ) , but have you actually explored the site?
like finding wink
http//
http//
http//
and the tridscan (that allows for "automatical patterning" of *any* file type if you give it enough "examples")?
http//
and that you can quickly check a file online?
http//
and that the tridnet triddefs_xml.rar is a set of "plain enough" .xml files that you can check for patterns/filetype?
http//
and BTW, though we all have "better" tools, I have rarely found something as useful and "quick" as
http//
and even the "bovine" scanner is sometimes handy
http//
jaclaz