Using Hex Editors in investigations

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Basically I am trying to find different ways in which someone could use a hex editor to find information during an investigation. For example, what kind of metadata could be found when examining a jpg, a word doc, etc etc.

If you need a reference, open my book, Windows Forensic Analysis. You'll notice throughout the book that I do not show how things are done in EnCase and FTK…while I do make reference to ProDiscover, those are simply to illustrate a point already made in the book.

Many of the Perl scripts listed in the book started being developed by opening the target file in a hex editor and mapping out the various structures. This includes Word docs, Event Logs, even the Registry. It also includes Prefetch files, rp.log and changelog.x files, etc.

I've got an application I developed for parsing Windows 2000, XP and 2003 .evt files on a binary level, and producing a spreadsheet as well as a report of event record statistics. This entire application started with opening a .evt file in a hex editor.

Hope that helps.


(@mwade)
Trusted Member
Joined: 18 years ago
Posts: 77
Topic starter  

Everyone, thanks for posting the replies.

I guess I am looking for tips or things to look for in different types of files, such as jpg (type of camera that took the picture), word document (owner), etc. That kind of metadata.

Thanks,
Mark


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Mark,

For JPGs, check the EXIF specs. You might also look to the GIF and TIFF specifications for any additional metadata in those formats.

I think that some movie files may also have metadata, though I'm not entirely clear on what fields may exist and be of use to forensic analysis.

My book lists metadata for a variety of file formats...Word/OLE docs, PDF, Win2K/XP/2K3 Event Logs, etc…


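As an added illustration of the EXIF pointer above (example code written for this page, not from the thread or from the book it cites), here is what mapping a JPEG in a hex editor leads to once the structure is understood: a small Python parser that walks the JPEG marker segments to the APP1/Exif segment, then reads the camera Make and Model strings from IFD0 of the embedded TIFF header. The JPEG bytes are constructed inside the block (not a real photograph); the tag numbers and layout follow the TIFF/Exif specification.

```python
import struct

EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}

def build_sample_jpeg():
    """Constructed sample: SOI, one APP1/Exif segment, EOI. Not a real photo."""
    make, model = b"Canon\0", b"EOS 5D\0"
    data_off = 8 + 2 + 2 * 12 + 4          # TIFF header + count + 2 entries + next-IFD link
    tiff = b"II" + struct.pack("<HI", 0x2A, 8)            # little-endian, IFD0 at offset 8
    tiff += struct.pack("<H", 2)                           # two directory entries
    tiff += struct.pack("<HHII", 0x010F, 2, len(make), data_off)              # Make, ASCII
    tiff += struct.pack("<HHII", 0x0110, 2, len(model), data_off + len(make))  # Model, ASCII
    tiff += struct.pack("<I", 0) + make + model            # no IFD1; then the string data
    app1 = b"Exif\0\0" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xFF\xD9"

def find_exif_segment(data):
    """Walk the JPEG marker segments; return the TIFF payload of the APP1/Exif segment or None."""
    if data[:2] != b"\xFF\xD8": raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF: raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI or SOS: the header segments are over
            return None
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        body = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body[:6] == b"Exif\0\0":
            return body[6:]
        pos += 2 + length
    return None

def parse_ifd0_ascii(tiff):
    """Read the ASCII tags of IFD0 from a TIFF header; returns {tag name: value}."""
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]                # byte-order mark decides unpacking
    magic, ifd_off = struct.unpack(bo + "HI", tiff[2:8])
    if magic != 0x2A: raise ValueError("bad TIFF magic")
    count = struct.unpack(bo + "H", tiff[ifd_off:ifd_off + 2])[0]
    out = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        if e + 12 > len(tiff): raise ValueError("truncated IFD at entry %d" % i)
        tag, typ, n, raw = struct.unpack(bo + "HHI4s", tiff[e:e + 12])
        if typ != 2:                        # only ASCII (type 2) tags are decoded here
            continue
        off = struct.unpack(bo + "I", raw)[0]
        val = raw[:n] if n <= 4 else tiff[off:off + n]   # values of <= 4 bytes are stored inline
        out[EXIF_TAGS.get(tag, "0x%04X" % tag)] = val.rstrip(b"\0").decode("ascii", "replace")
    return out
```

Run `parse_ifd0_ascii(find_exif_segment(build_sample_jpeg()))` to get the Make and Model of the constructed sample; pointing `find_exif_segment` at the bytes of a real file works the same way, with the offsets you would otherwise be chasing by hand in the hex editor.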