Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Signature Analysis

  1. #1
    All the Certs! 11001001's Avatar
    Join Date
    Mar 2002
    Location
    Just West of Beantown, though nobody from Beantown actually calls it "Beantown."
    Posts
    1,230

    Signature Analysis

    Question-

    Short of acquiring my hard drive into EnCase, does anyone know a way to compare file signatures with their extensions? ie: Trying to find out if a file's extension is a match to the file's header?

    Forensic Preservation is not an issue here.

    Looking for possibly a program that would search the HDD and compare extensions to headers, then give me a report of mismatches.

    Thanks for the help.
    Above ground, vertical, and exchanging gasses.
    Now you see me | Now you don't
    "Relax, Bender; It was just a dream. There's no such thing as two." ~ Fry
    sometimes my computer goes down on me

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    One of the tools in ProDiscover does that, but I can't think of anything free (which is what I'm assuming you are looking for)

    But now that I think about it, how hard would it be to write a little app that would do it? The data sig is in the first 20 bits, and compare it to the file extension. Sounds like that may actually be a fun little project.

    Link for ProDiscover: http://www.techpathways.com/DesktopD...dex=3&tabid=12

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Posts
    251
    Hmm, that would be a fun little project. On *nix there is a command-line tool called file which identifies file-types. So it would be a matter of a good script that sends the right arguments to file and comparing that against a list of extenstions.

    As with all utilities check for any know exploits on the version you are using and update to the safe version.

    Whoohoo, score one for SourceForge.

    The unix file utility for Windows:
    http://gnuwin32.sourceforge.net/packages/file.htm

    You might find other fun utilities from the rest of that project:
    http://gnuwin32.sourceforge.net/

    So really, it would still be a matter of writting some kind of script that compares the results from file to the extension of the file in question and returns true or false appropriately.

    Ofcourse, as it's a sourceforge progect, you could just edit the code and make your own utility.

    Hope that helps,
    Dhej
    The owl of Minerva spreads its wings only with the falling of dusk. -Hegel

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Cool..good info there. Thanks Dhej.

    I was actually thinking of doing it in Java and see if I really learned anything in my computer science classes Might as well make it cross platform

    I might tinker with that as soon as finals are over. I need to have a little project anyway, or I'll have coding withdrawal (no Gore, not codeine )

  5. #5
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    I'm having trouble formulating a concise question here, so hopefully if I ramble enough, someone will understand what I am getting at, and be able to render an opinion.

    There are one of two ways I can parse the extension from the file listing. Neither way is difficult. I can either find the end of the string, and pull the last 3 letters (ie. create a new string txt from test.txt), or essentially starting from the end of the string and working backwards.

    Or I can start from the beginning of the string, search until I find the '.' before the extension, and create new string from everything after the '.'. It's two ways to skin a cat.

    The reason for comparing an extension against the file signature is to make sure the file extension has not been altered to "hide" info, but what about the case where there is a double extension, as in (for example) a malicious script that looks like "C:\Good_File.txt.sys"...

    Here's where the confusing part comes in. If I have my computer set to "Hide extensions for known file types", a malicious file named "test.txt.sys" is going to appear as "test.txt", making it look like a harmless text file.

    Ok, still with me? If I parse the text string from the right, I'll get a string holding "sys", and when it compares it to the file signature, it is going to pass, because the file will have the proper signature. If I parse from the left, I will end up with a string holding "txt", which when compared to the signature, will generate an error.

    So the question is, what is the name of the bus driver??

    By my little bit of logic, I want to compare the first extension with the file signature. I can't think of any case where we would ever want to check the second extension, in linux or windows. Am I correct in my logic? Does anybody really care? Will Batman escape from the clutches of the evil Penguin? Stay tuned??

  6. #6
    Senior Member
    Join Date
    Feb 2004
    Posts
    270

    how about this

    IMHO go for the second option. Then check the new string for double extensions. If there are. Give the user a warning or something(mutiple extensions could point to malware) and then check all those extensions.

    I for one would love to know if a file had the extensions .txt.sys that it was a .sys and not a .txt instead of yust knowing if its not a .txt

    I don't but can't you get the program to change the option of not showing the extension when you start it and then restore this option to the way it was when the program ends. I think this is .reg stuff but I don't know for sure.

    But its your project.

    Since the beginning of time, Man has searched for the answers to the big questions: \'How did we get here?\' \'Is there life after death?\' \'Are we alone?\' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Surely a more precise way of doing it would be to pass each string through first to determine how many periods there are. IMO, more than one is suspicious in the first place. Those that have multiples should be logged with their complete path and passed over for future investigation. Then start from the left and find the period and cut the remainder of the string as the extension since not all are 3 characters, (html comes to mind), you would cause an error if you only pull the last 3.

    My 2 cents.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Thanks MoonWolf & Tiger, that was my 3rd option... (checking for double extensions)

    (html comes to mind)
    /in my best Homer Simpson voice

    DOH!!

    /slaps self on forehead.

    I don't but can't you get the program to change the option of not showing the extension when you start it and then restore this option to the way it was when the program ends.
    I'm not sure I understand... why wouldn't you want it to show the extension? I can disable it in explorer, but Java shows the full path and extensions, regardless of how explorer is set.

  9. #9
    Senior Member
    Join Date
    Feb 2004
    Posts
    270
    Doh!

    me==stupid. I should think then write.
    Since the beginning of time, Man has searched for the answers to the big questions: \'How did we get here?\' \'Is there life after death?\' \'Are we alone?\' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?

  10. #10
    Senior Member
    Join Date
    Nov 2003
    Posts
    107
    Even though you're doing this in Java, there's a C function strtok that comes to mind when discussing this. Were I to write a program like this, I think C strtok would be a nice choice because then I could check for all the extensions that are present in the file name (not limited to just finding two). I don't know enough java to know if there's a method that's equivalent to strtok, but if there is, I would suggest going with that instead of having to write your own method to handle it.
    Is there a sum of an inifinite geometric series? Well, that all depends on what you consider a negligible amount.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •