Signature analysis process

9 Posts
5 Users
0 Reactions
767 Views
 Clum
(@clum)
New Member
Joined: 17 years ago
Posts: 3
Topic starter  

Hi, I'm writing an essay on signature analysis and part of it asks "What processes could be carried out before a signature analysis, that could help in successfully identifying hidden files." However I can't think of any steps that would aid in it. Could anyone please give me some ideas?

Thanks,
Callum.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

The question itself doesn't inherently make sense…assuming that by "signature analysis", you mean comparing the content of the file to the file extension, then if a file is hidden, how would you do either?

Is the context on a live system or during post-mortem analysis?


 Clum
(@clum)
New Member
Joined: 17 years ago
Posts: 3
Topic starter  

Hi, I'm not loving the questions myself; it's meant to take 40 hrs to write and I'm struggling to find enough to actually write about. Signature analysis, from what I can gather, is a very simple process. This is the question I've been given:

Give an overview of the forensic term 'Signature Analysis' and the reason why it is employed as a forensic technique.

* Describe, in detail, the 'Signature Analysis' process.

* Each step of the process should be described in chronological order.

* Describe the possible outcomes of a 'Signature Analysis'.

* What steps/processes could be taken during a forensic analysis, before a 'Signature Analysis' process is carried out, in order to maximise the chances of identifying hidden files.

Thanks,
Callum.


(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

Remove all known files, using hash sets (NSRL etc), then concentrate on the remaining files, making the amount you have to consider/review less.
Checking for encryption / encrypted files, and decrypting them if possible first.
Not entirely sure how I'd get 40 hrs out of this question myself, so there's two freebies 😉


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

* What steps/processes could be taken during a forensic analysis, before a 'Signature Analysis' process is carried out, in order to maximise the chances of identifying hidden files.

The first two questions should be fairly simple and straightforward to answer. There are documents and books out there you can reference…I know, I've written some of them. D

The above question is a minefield, in my mind, and perhaps not written by someone who understands forensic analysis. If by "forensic analysis" the author is referring to analyzing an acquired image, then technically, no files are "hidden", per se. Some files may have the DOS hidden attribute set, but within an acquired image, things like rootkits don't work…so what constitutes "hidden" at that point?

If by "hidden", the author means, "a file has a .jpg extension, but it's really a Windows PE file…", then again, the file isn't really "hidden", per se.

Now if the overall intention of the question is to get you to think beyond simple file signature analysis and extend the process, increasing accuracy, and reducing false positives, there are a number of approaches you can take. One is to extend the signature beyond just a couple of bytes. Another is to include digital signature checks. Yet another is to include things like file versioning information, hashes, etc.


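The two suggestions above (strip known files with a hash set such as NSRL before looking at anything else, then extend the signature check past the first couple of bytes) fit together in one small pass over a file set. The script below is an added example, not code from either poster: the "known" hash set, the file contents and the magic table are constructed in-memory sample data standing in for NSRL and a real evidence set, and the extended checks (walking the DOS header to the `PE\0\0` signature for MZ files, checking the trailer for JPEG and PNG) stand in for the richer checks mentioned in the post, such as Authenticode signature or version-information validation, which are not implemented here.

```python
import hashlib
import struct

# Leading bytes -> extensions that legitimately carry them (small constructed table).
MAGIC = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx"},
    b"GIF87a": {"gif"},
    b"GIF89a": {"gif"},
    b"MZ": {"exe", "dll"},
}


def check_pe(data):
    """Extended check for MZ files: e_lfanew (offset 0x3C) must point at 'PE\\0\\0'."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_jpeg(data):
    """A complete JPEG ends with the EOI marker."""
    return data.endswith(b"\xff\xd9")


def check_png(data):
    """A complete PNG ends with the IEND chunk and its fixed CRC."""
    return data.endswith(b"IEND\xae\x42\x60\x82")


# Magic -> validator that looks deeper than the first few bytes.
EXTENDED = {b"MZ": check_pe, b"\xff\xd8\xff": check_jpeg, b"\x89PNG\r\n\x1a\n": check_png}


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def file_ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(name, data):
    """Compare the claimed extension with what the content says it is."""
    ext = file_ext(name)
    for magic, exts in MAGIC.items():
        if not data.startswith(magic):
            continue
        validator = EXTENDED.get(magic)
        if validator is not None and not validator(data):
            # Header matches but the deeper structure does not: damaged, truncated or spoofed
            return {"ext": ext, "candidates": sorted(exts), "verdict": "truncated"}
        verdict = "match" if ext in exts else "mismatch"
        return {"ext": ext, "candidates": sorted(exts), "verdict": verdict}
    return {"ext": ext, "candidates": [], "verdict": "unknown"}


def analyse(files, known_hashes):
    """Step 1: drop files whose hash is in the known set. Step 2: signature-check the rest."""
    report = {}
    for name, data in files:
        if sha1_hex(data) in known_hashes:
            report[name] = {"ext": file_ext(name), "candidates": [], "verdict": "known"}
            continue
        report[name] = classify(name, data)
    return report


# --- constructed sample data (not real files) ---
PE_SAMPLE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
RENAMED_PE = PE_SAMPLE[:-1] + b"\x01"          # same structure, different hash
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"
SAMPLE_FILES = [
    ("notepad.exe", PE_SAMPLE),                 # in the known-hash set -> filtered out
    ("holiday.jpg", RENAMED_PE),                # PE body behind an image extension
    ("photo.jpg", JPEG_SAMPLE),
    ("cut.jpg", JPEG_SAMPLE[:-2]),              # header present, footer missing
    ("archive.zip", b"PK\x03\x04" + b"\x00" * 26),
    ("notes.txt", b"just some text\n"),
]
KNOWN_HASHES = {sha1_hex(PE_SAMPLE)}            # stands in for an NSRL-style hash set

if __name__ == "__main__":
    for name, row in analyse(SAMPLE_FILES, KNOWN_HASHES).items():
        print(f"{name:12} ext={row['ext']:4} content={row['candidates']} -> {row['verdict']}")
```

The order matters for the reason rich2005 gives: hashing first shrinks the set that needs a signature verdict at all, and the extended validators then separate a renamed executable (`mismatch`) from a merely damaged image (`truncated`), which a two-byte magic comparison would report identically.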
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

You could extend the process to include analysis of unallocated and slack space, including slack space within MFT entries. Files in these places may well be considered hidden.

This could also highlight issues of fragmented files within the unallocated space, for which a simple header signature will not detect separate fragments of a file. You are then into joining fragments up and data carving.

The question is vague: is it analysis of the disk, or just of files that are part of the file system on the disk?

Rewrite the question first…


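To make the point about unallocated space and fragmentation concrete, here is an added example (not code from the post above) of a naive header/footer carve over a constructed buffer standing in for unallocated space. The buffer holds one intact JPEG and one JPEG whose two fragments are separated by unrelated data; the carver finds both candidates by signature alone, and a short marker walk shows why the second one cannot be accepted as a file without first re-joining its fragments. The minimal JPEG builder, the buffer layout and all offsets are constructed test data.

```python
import struct

SOI = b"\xff\xd8"  # JPEG start-of-image
EOI = b"\xff\xd9"  # JPEG end-of-image


def make_jpeg(entropy):
    """Build a minimal, structurally valid JPEG: SOI, APP0, SOS, entropy data, EOI (test data)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return SOI + app0 + sos + entropy + EOI


def jpeg_well_formed(data):
    """Walk the marker segments; after SOS, a 0xFF in entropy-coded data may only be
    0xFF00 byte stuffing or an RSTn marker. Foreign data spliced in almost always breaks this."""
    if not data.startswith(SOI) or not data.endswith(EOI):
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        seglen = struct.unpack_from(">H", data, pos + 2)[0]
        pos += 2 + seglen
        if marker == 0xDA:  # start of scan: entropy-coded data runs to EOI
            body = data[pos:-2]
            for i, b in enumerate(body):
                if b == 0xFF:
                    nxt = body[i + 1] if i + 1 < len(body) else None
                    if nxt is None or (nxt != 0x00 and not 0xD0 <= nxt <= 0xD7):
                        return False
            return True
    return False


def carve_jpegs(buf):
    """Naive header/footer carve: every SOI opens a candidate that runs to the next EOI.
    Returns (start, end, well_formed) per candidate."""
    results = []
    pos = 0
    while True:
        start = buf.find(SOI, pos)
        if start == -1:
            break
        end = buf.find(EOI, start + 2)
        if end == -1:  # header with no footer before the end of the region
            results.append((start, len(buf), False))
            break
        results.append((start, end + 2, jpeg_well_formed(buf[start:end + 2])))
        pos = end + 2
    return results


# --- constructed "unallocated space" ---
intact = make_jpeg(bytes([0x10, 0x20, 0x30, 0x40]) * 8)        # 64 bytes, contiguous
fragmented = make_jpeg(bytes([0x55, 0x66, 0x77]) * 12)         # 68 bytes, to be split
frag_a, frag_b = fragmented[:40], fragmented[40:]              # split inside the scan data
other_file = bytes(range(256))                                 # unrelated data between the fragments
UNALLOCATED = b"\x00" * 32 + intact + b"\x00" * 16 + frag_a + other_file + frag_b + b"\x00" * 8

if __name__ == "__main__":
    for start, end, ok in carve_jpegs(UNALLOCATED):
        print(f"candidate at {start}-{end}: {'well-formed' if ok else 'needs fragment reassembly'}")
```

The carver reports the fragmented file as a single candidate spanning the foreign data, because header and footer alone say nothing about contiguity; it is the structural validation that flags it, which is the "joining fragments up" work the post refers to.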
(@dietro)
Trusted Member
Joined: 20 years ago
Posts: 51
 

After reading the question, I'd have to go back to Harlan's question: what is the context? The initial gist of the question makes me believe the question is leaning toward a post-mortem examination, but the use of the word "hidden" is confusing.

I would ask you, how familiar are you with EnCase or X-Ways Forensics?


 Clum
(@clum)
New Member
Joined: 17 years ago
Posts: 3
Topic starter  

Hi, thanks for the replies. The bit about trying to decrypt files first and fragmented files were things I hadn't thought of.

In response to the question's context etc, I was just given the question I posted in my first reply after a computer forensics presentation from the senior director of training at AccessData.

Thanks,
Callum.


(@dietro)
Trusted Member
Joined: 20 years ago
Posts: 51
 

I would be remiss if I didn't point out that AccessData's tool performs a signature analysis on EVERY file on EVERY piece of media loaded into the tool no matter what. Period. No questions asked.

IOW, it performs the signature analysis before any other processes, functions or procedures are initiated.

So, your original question wouldn't even apply if the tool you are using is FTK. Hence why I asked if you are familiar with EnCase and/or X-Ways Forensics.

