Signatures

(@inprivate), topic starter:
Hello People,

This is my first post, so apologies if any mistakes are made.

I wanted to ask a question. Can you create your own file signatures? For example, I create a website using HTML, then I am planning on investigating the browsing traces using EnCase 7. So when investigating, to make the process quicker and easier, I can just search for specific signatures. But how, and at what stage, can I create the signatures?

Sorry if I have confused anyone. Your feedback will be very much appreciated.

Jamie (@jamie), moderator:

Some background would be appreciated, I'm sure. Are you a student? Is this an exercise?

Jamie

(@inprivate), topic starter:
I am a part-time student studying Digital Forensics (BSc).

I am going to do a forensic analysis of in-private browsing modes in popular browsers.

I am going to create a website as a test bed to help make my investigation an easier process. The website will include: URL, HTML, images, form data, password, certificates and cookies.

I have not yet created the website, I am just writing up the technical plan. As part of the challenges and solutions section I have written that I will use signatures to make searching for artifacts an easier process.

Therefore I have put up the question on signatures. Thank you.

Chris_Ed (@chris_ed):
Bear in mind that the following is from EnCase 6, not *shudder* EnCase 7.

Do you mean signatures as in create new file signatures? If so, the answer is "yes", you can create your own file signatures in EnCase. View > File Signatures, then right-click and choose "New".

If you are doing testing using your own website, then I would suggest it would make things considerably easier if you put an absurd word on your site which would never normally appear on an exhibit, and then run a keyword search for that. Better still, put different words in both your title and your page filename and run a keyword search for them too.

Anyway, that's all from me. Good luck using EnCase *shudder* 7. I heard a rumour that if you say its name 7 times in the mirror, it appears - is that true?

(@inprivate), topic starter:
Thank you. Shudder, shudder 7 times and EnCase 7 appears…

(@Anonymous 6593), guest:
Can you create your own file signatures? For example, I create a website using HTML, then I am planning on investigating the browsing traces using EnCase 7. So when investigating, to make the process quicker and easier, I can just search for specific signatures. But how, and at what stage, can I create the signatures?

EnCase questions may be slightly better asked in the Guidance support forum – or even of Guidance tech support themselves.

EnCase 7 is – in my somewhat biased opinion – not a product to invest significant work in, at least not just yet – it's more like an alpha release, in that important parts of the product are not present.

In EnCase 6, however, you could create your own signatures, but only header signatures, situated within the first sector (or so) of the file. Some files have 'footer' signatures, situated at the end of the file, or even signatures at a larger distance from the first byte – EnCase 6 could not do those, and I can't recall anything that makes me think EnCase 7 is better in this respect.

Those file signatures are expressed in a very simple grep-like format – so basing a signature on a single bit is awkward, and expressing more complex relationships (e.g. only if bit 1 in byte 2 is set and bits 2..3 in byte 4 are 10) is a royal PITA.

Additionally, there was some interplay between signatures and extensions that seemed quite fragile – I tried to correct some of the EnCase 6 signatures that I found were incorrect, and things got very confused. (I think I concluded that file signatures – at least in 6 – were intended as a supplement to file extensions, and not really to be used to identify file types on their own.)

So yes, you can, but only if you define 'file signature' as Guidance defines it, and implements it.

Actually, all that caused me to distrust EnCase 6 file signatures altogether, and instead go for file(1) when I wanted to be sure to find files based on file types.

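To make the two preceding posts concrete, here is an added example that is not from the thread and not EnCase code. It implements, in plain Python, the kind of signature EnCase 6 is described above as not supporting (a footer, a header that sits some bytes into the file, and a bit-level test such as "bit 1 of byte 2 set and bits 2..3 of byte 4 equal to 10"), carves each hit between header and footer, and runs Chris_Ed's planted "absurd word" keyword search in both UTF-8 and UTF-16LE. The record format with magic bytes CA FE, the marker word, the fixed carve length for the ftyp example and the "disk image" itself are all constructed for illustration.

```python
"""Added example (not from the thread, not EnCase): a small file-signature
matcher/carver plus a planted-keyword search over a constructed raw image.
Every format, value and the image below are illustrative, not real evidence."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Signature:
    name: str
    header: bytes
    offset: int = 0                  # where the header sits relative to the file start
    footer: Optional[bytes] = None   # optional trailer; if absent, carve max_len bytes
    max_len: int = 64 * 1024         # footer search window / carve limit
    # (byte offset from file start, mask, expected value); all must hold
    bit_tests: List[Tuple[int, int, int]] = field(default_factory=list)


def bits_match(data: bytes, start: int, tests) -> bool:
    """Check every (offset, mask, expected) constraint against the candidate file."""
    return all(start + off < len(data) and data[start + off] & mask == want
               for off, mask, want in tests)


def carve(image: bytes, sigs) -> list:
    """Return each signature hit as {type, start, end, data}, sorted by offset."""
    hits = []
    for sig in sigs:
        pos = image.find(sig.header)
        while pos != -1:
            start = pos - sig.offset
            if start >= 0 and bits_match(image, start, sig.bit_tests):
                end = None
                if sig.footer:
                    f = image.find(sig.footer, pos + len(sig.header), start + sig.max_len)
                    if f != -1:
                        end = f + len(sig.footer)
                if end is None:                      # no footer: fixed-length carve
                    end = min(start + sig.max_len, len(image))
                hits.append({"type": sig.name, "start": start, "end": end,
                             "data": image[start:end]})
            pos = image.find(sig.header, pos + 1)
    return sorted(hits, key=lambda h: h["start"])


def keyword_hits(image: bytes, word: str) -> list:
    """Find a planted marker word as UTF-8 and as UTF-16LE (browsers and Windows
    often store strings as UTF-16, which a plain ASCII search misses)."""
    out = []
    for enc in ("utf-8", "utf-16-le"):
        for m in re.finditer(re.escape(word.encode(enc)), image):
            out.append((m.start(), enc))
    return sorted(out)


SIGNATURES = [
    Signature("html", b"<html", footer=b"</html>"),
    Signature("png", b"\x89PNG\r\n\x1a\n", footer=b"IEND\xaeB`\x82"),
    # header 4 bytes into the file (after the box size); 24-byte carve is illustrative
    Signature("mp4", b"ftyp", offset=4, max_len=24),
    # hypothetical record: magic CA FE, then "bit 1 of byte 2 set" (mask 0x02 == 0x02)
    # and "bits 2..3 of byte 4 == 10b" (mask 0x0C == 0x08); fixed 9-byte records
    Signature("flagrec", b"\xca\xfe", max_len=9,
              bit_tests=[(2, 0x02, 0x02), (4, 0x0C, 0x08)]),
]

MARKER = "zxqvortex42"   # the "absurd word" planted on the test site (made up)


def build_image() -> bytes:
    """Constructed stand-in for a disk image: filler around planted artefacts."""
    filler = b"\xff" * 32
    html = f"<html><title>{MARKER}</title><body>{MARKER}</body></html>".encode()
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"
    mp4 = b"\x00\x00\x00\x18ftypisom" + b"\x00" * 12
    good_rec = b"\xca\xfe\x03\x00\x08" + b"\x01" * 4   # passes both bit tests
    bad_rec = b"\xca\xfe\x01\x00\x04" + b"\x01" * 4    # fails both; must not be reported
    utf16 = MARKER.encode("utf-16-le")                  # e.g. a cached page title
    return filler.join([b"", html, png, mp4, good_rec, bad_rec, utf16, b""])


if __name__ == "__main__":
    img = build_image()
    for h in carve(img, SIGNATURES):
        print(f"{h['type']:8s} @ {h['start']:5d}..{h['end']:5d}")
    for off, enc in keyword_hits(img, MARKER):
        print(f"{MARKER!r} as {enc} @ {off}")
```

Run as-is it reports the HTML page, the PNG, the ftyp file and only the record that satisfies the bit tests, plus two UTF-8 and one UTF-16LE hit for the marker. Against a real dd image or exported unallocated clusters the same loop applies, but real carving needs format-aware lengths (parse the PNG chunks or the MP4 box sizes rather than trusting a fixed max_len), and a header with no footer will over-carve into whatever follows it.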
(@inprivate), topic starter:

Thank you for your response.

Chris_Ed (@chris_ed):

Can't you use file signatures in the "File Finder" bit of the Case Processor EnScript to carve stuff out of unallocated? Personally I've never tried it, but I always assumed that was what it was for.
