What does the *DOS System Driver signature mean? [Encase]

17 Posts
8 Users
0 Reactions
2,112 Views
 Nino
(@nino)
Active Member
Joined: 17 years ago
Posts: 7
Topic starter  

Yeah, well the title pretty much says it all lol

I found this file named serials.txt with a signature of *DOS System Driver. The file extension is .txt. The preview of the file is unreadable.
But when I use Recuva, I can recover the file straight away since it's not been overwritten.
And it contains a list of software including their serial numbers.

Does this mean that the serials.txt file was previously encrypted or protected in any way?

And what does red text in the file preview mean?

Many thanks for helping )


   
Quote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I found this file named serials.txt with a signature of *DOS System Driver. The file extension is .txt. The preview of the file is unreadable.
But when I use Recuva, I can recover the file straight away since it's not been overwritten.
And it contains a list of software including their serial numbers.

Does this mean that the serials.txt file was previously encrypted or protected in any way?

As you're using EnCase, have you tried posting this question to the EnCase users' forum?

I spent about 10 sec on Google this morning with this question, and found a great deal that might answer your question.

First off, it appears you've done some file signature analysis, which will go a LONG way toward answering your question. Doing a quick lookup for "DOS System driver", I found the following

http://www.garykessler.net/library/file_sigs.html

There were a couple of other hits that led to similar information.

So, it appears that during the file signature analysis run via EnCase, the software determined that the file signature matched that of a DOS system driver. Based on what you've said in your post, it appears that the file was deleted, which might account for the odd file signature…or, it could mean that the sectors pointed to by the MFT entry (if you're looking at NTFS) had been overwritten, but the MFT entry itself hadn't been reused yet.

Finally, based on what you've said, there's nothing to indicate that the file itself had been previously encrypted…one would think that if it were deleted, then the application used to view it would have been closed, the file re-encrypted, and then deleted. Had that been the case, it's unlikely that you would've been able to see any intelligible ASCII text.

HTH,

h


   
ReplyQuote
 Nino
(@nino)
Active Member
Joined: 17 years ago
Posts: 7
Topic starter  

Ah, thank you very much for helping.


   
ReplyQuote
Spcavana
(@spcavana)
Active Member
Joined: 17 years ago
Posts: 14
 

Files created with Notepad (typically a .txt file) do not have headers. It could simply be a coincidence that the serial key (which is what I am assuming the txt file contained) begins with the same characters that a DOS System Driver uses as a header.

For example, if you created a text file with Notepad that began with 'MK' and then ran a file signature analysis against the file it would show up as an executable file in the Signature column in EnCase.

Now if you changed the extension to .exe, you have a pretty sneaky way of defeating EnCase's File Signature Analysis.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

For example, if you created a text file with Notepad that began with 'MK' and then ran a file signature analysis against the file it would show up as an executable file in the Signature column in EnCase.

Now if you changed the extension to .exe, you have a pretty sneaky way of defeating EnCase's File Signature Analysis.

Interesting. Your copy of EnCase must be seriously broken. "MK" is not the file signature for executable files.

"Hiding" a file by putting the signature and extension on the file is a means for subverting the analyst, not the tool.


   
ReplyQuote
Wardy
(@wardy)
Estimable Member
Joined: 20 years ago
Posts: 149
 

SPcavana, just so you are aware, you are close - the actual header for an exe file starts with MZ.

Cheers.


   
ReplyQuote
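To make the signature-analysis point in Spcavana's and Wardy's posts concrete, here is a small Python illustration added to this thread (it is not EnCase code and not from any poster). It classifies a file by its leading bytes, compares that with what the extension claims, and reports the four outcomes a tool like EnCase distinguishes: a match, an alias (header matched a known type whose registered extensions do not include the file's actual extension; my understanding is that EnCase's leading asterisk, as in *DOS System Driver, marks exactly this case, so treat that reading as an assumption), a bad signature (known extension, unexpected header) and unknown (no header at all, as with a plain Notepad file). The signature table is a hand-written subset: "MZ" and "PK\x03\x04" are well known; the FF FF FF FF entry for "DOS system driver" is taken from memory of Gary Kessler's table and should be verified there. The sample file contents are constructed. A second function shows the deeper check an analyst can apply when the tool says "match": a real DOS/Windows executable has an e_lfanew field at offset 0x3C pointing at a "PE\0\0" signature, which text that merely begins with "MZ" will not have.

```python
"""Magic-byte file-signature analysis, in the style of EnCase's Signature column.

Added illustration for this thread; hand-written signature subset, not EnCase's table.
"""
import os
import tempfile

# (leading bytes, type name, extensions registered for that type)
# FF FF FF FF as "DOS system driver": from memory of Kessler's table (assumption, verify there).
SIGNATURES = [
    (b"MZ", "Windows/DOS executable", {".exe", ".dll", ".sys", ".com"}),
    (b"PK\x03\x04", "ZIP archive", {".zip", ".docx", ".xlsx", ".jar"}),
    (b"\xff\xff\xff\xff", "DOS system driver", {".sys"}),
]
KNOWN_EXTS = {ext for _, _, exts in SIGNATURES for ext in exts}


def classify(header: bytes):
    """Return (type name, registered extensions) for the first matching signature, else None."""
    for magic, name, exts in SIGNATURES:
        if header.startswith(magic):
            return name, exts
    return None


def analyze_bytes(data: bytes, filename: str) -> dict:
    """Compare the header-derived type with the extension and label the outcome."""
    ext = os.path.splitext(filename)[1].lower()
    hit = classify(data[:8])
    if hit is None:
        # No recognised header: "bad signature" if the extension promised one, else "unknown"
        status = "bad_signature" if ext in KNOWN_EXTS else "unknown"
        return {"file": filename, "signature": None, "status": status}
    name, exts = hit
    # Header matched; an extension outside that type's set is what EnCase flags as an alias (*)
    status = "match" if ext in exts else "alias"
    return {"file": filename, "signature": name, "status": status}


def analyze_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return analyze_bytes(fh.read(8), os.path.basename(path))


def looks_like_pe(data: bytes) -> bool:
    """Deeper check than the two-byte signature: MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if not data.startswith(b"MZ") or len(data) < 0x40:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def fake_pe_stub() -> bytes:
    """Constructed minimal blob with a consistent MZ/PE layout (not a runnable executable)."""
    header = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    header += (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    header += b"PE\x00\x00"
    return bytes(header)


def demo() -> dict:
    """Write four constructed files to a temp dir and return filename -> status."""
    text = b"Product X key: ABCD-1234\r\n"          # constructed Notepad-style content
    mz_text = b"MZ-9001 serial 5555\r\n"            # constructed text that happens to start with MZ
    samples = {
        "notes.txt": text,       # no header, .txt           -> unknown
        "serials.txt": mz_text,  # MZ header, .txt           -> alias
        "serials.exe": mz_text,  # same bytes renamed .exe   -> match (Spcavana's scenario)
        "notes.exe": text,       # no header, .exe           -> bad_signature
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = analyze_file(path)["status"]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} {status}")
    print("real PE layout:", looks_like_pe(fake_pe_stub()))
    print("MZ text as PE :", looks_like_pe(b"MZ-9001 serial 5555\r\n"))
```

The renamed file comes back as "match" from the two-byte check alone, which is Spcavana's point; running looks_like_pe on the same bytes returns False, which is the kind of second look keydet89 expects of the analyst rather than the tool.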
Spcavana
(@spcavana)
Active Member
Joined: 17 years ago
Posts: 14
 

For example, if you created a text file with Notepad that began with 'MK' and then ran a file signature analysis against the file it would show up as an executable file in the Signature column in EnCase.

Now if you changed the extension to .exe, you have a pretty sneaky way of defeating EnCase's File Signature Analysis.

Interesting. Your copy of EnCase must be seriously broken. "MK" is not the file signature for executable files.

"Hiding" a file by putting the signature and extension on the file is a means for subverting the analyst, not the tool.

Thank you for catching my typo (I made a hybrid .exe/.zip header by accident O.o) No need to be rude though. Just a typo.

When I mentioned defeating the file sig analysis, it is just a manual way of doing what popular anti-forensics tools (Transmogrify from Metasploit) automate. I think that you are incorrect in your opinion about subverting the analyst and not defeating the tool. It is obvious that the file modified is not an executable file and EnCase recognizes it as an executable file.
Either way, at the end of the day, the info in the file will most likely not be found.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Thank you for catching my typo (I made a hybrid .exe/.zip header by accident O.o) No need to be rude though. Just a typo.

I apologize if you feel that I was rude…that was not my intention. I know that there are no time limits by which posts to FF are automatically sent, which means that they are not sent until the user presses the "Submit" button.

When I mentioned defeating the file sig analysis, it is just a manual way of doing what popular anti-forensics tools (Transmogrify from Metasploit) automate. I think that you are incorrect in your opinion about subverting the analyst and not defeating the tool. It is obvious that the file modified is not an executable file and EnCase recognizes it as an executable file.
Either way, at the end of the day, the info in the file will most likely not be found.

If the analyst understands how the tools work…and the analyst should understand this…then modifying a file so that the tool recognizes it as a legitimate EXE file is still subverting the analyst.

If all a carpenter knows how to use is a hammer, then handing him a wood screw doesn't defeat the hammer…it defeats the carpenter.


   
ReplyQuote
Spcavana
(@spcavana)
Active Member
Joined: 17 years ago
Posts: 14
 

For example, if you created a text file with Notepad that began with 'MK' and then ran a file signature analysis against the file it would show up as an executable file in the Signature column in EnCase.

Now if you changed the extension to .exe, you have a pretty sneaky way of defeating EnCase's File Signature Analysis.

Interesting. Your copy of EnCase must be seriously broken. "MK" is not the file signature for executable files.

"Hiding" a file by putting the signature and extension on the file is a means for subverting the analyst, not the tool.

Not trying to be rude? That was clearly your intent. You are still being rude. How about you offer some legitimate advice to the OP instead of sharpshooting people who are. Also, saying 'google it' is not helping the OP.

If you want a good example of how to politely correct someone look at the post by Wardy.

Either way, you are not being helpful to anyone. If you need to flame people on forums to make yourself feel better, then go ahead. You are not behaving in a professional manner.


   
ReplyQuote
Page 1 / 2