April 28th, 2004, 06:45 PM
#1
Signature Analysis
Question-
Short of acquiring my hard drive into EnCase, does anyone know a way to compare file signatures with their extensions? i.e., trying to find out if a file's extension is a match to the file's header?
Forensic Preservation is not an issue here.
Looking for possibly a program that would search the HDD and compare extensions to headers, then give me a report of mismatches.
Thanks for the help.
That's Officer 11001001 to you...
Now you see me | Now you don't
"Relax, Bender; It was just a dream. There's no such thing as two." ~ Fry
sometimes my computer goes down on me
April 28th, 2004, 07:28 PM
#2
One of the tools in ProDiscover does that, but I can't think of anything free (which is what I'm assuming you are looking for).
But now that I think about it, how hard would it be to write a little app that would do it? The data sig is in the first 20 bits, and compare it to the file extension. Sounds like that may actually be a fun little project.
Link for ProDiscover: http://www.techpathways.com/DesktopD...dex=3&tabid=12
April 28th, 2004, 08:05 PM
#3
Hmm, that would be a fun little project. On *nix there is a command-line tool called file which identifies file types. So it would be a matter of a good script that sends the right arguments to file and compares that against a list of extensions.
As with all utilities, check for any known exploits on the version you are using and update to the safe version.
Whoohoo, score one for SourceForge.
The unix file utility for Windows:
http://gnuwin32.sourceforge.net/packages/file.htm
You might find other fun utilities from the rest of that project:
http://gnuwin32.sourceforge.net/
So really, it would still be a matter of writing some kind of script that compares the results from file to the extension of the file in question and returns true or false appropriately.
Of course, as it's a SourceForge project, you could just edit the code and make your own utility.
Hope that helps,
Dhej
The owl of Minerva spreads its wings only with the falling of dusk. -Hegel
April 28th, 2004, 08:15 PM
#4
May 1st, 2004, 03:01 PM
#5
I'm having trouble formulating a concise question here, so hopefully if I ramble enough, someone will understand what I am getting at, and be able to render an opinion.
There are two ways I can parse the extension from the file listing. Neither way is difficult. I can either find the end of the string and pull the last 3 letters (i.e. create a new string txt from test.txt), essentially starting from the end of the string and working backwards.
Or I can start from the beginning of the string, search until I find the '.' before the extension, and create new string from everything after the '.'. It's two ways to skin a cat.
The reason for comparing an extension against the file signature is to make sure the file extension has not been altered to "hide" info, but what about the case where there is a double extension, as in (for example) a malicious script that looks like "C:\Good_File.txt.sys"...
Here's where the confusing part comes in. If I have my computer set to "Hide extensions for known file types", a malicious file named "test.txt.sys" is going to appear as "test.txt", making it look like a harmless text file.
Ok, still with me? If I parse the text string from the right, I'll get a string holding "sys", and when it compares it to the file signature, it is going to pass, because the file will have the proper signature. If I parse from the left, I will end up with a string holding "txt", which when compared to the signature, will generate an error.
So the question is, what is the name of the bus driver?? 
By my little bit of logic, I want to compare the first extension with the file signature. I can't think of any case where we would ever want to check the second extension, in linux or windows. Am I correct in my logic? Does anybody really care? Will Batman escape from the clutches of the evil Penguin? Stay tuned??
May 1st, 2004, 03:19 PM
#6
how about this
IMHO go for the second option. Then check the new string for double extensions. If there are, give the user a warning or something (multiple extensions could point to malware) and then check all those extensions.
I for one would love to know if a file had the extensions .txt.sys that it was a .sys and not a .txt, instead of just knowing it's not a .txt.
I don't but can't you get the program to change the option of not showing the extension when you start it and then restore this option to the way it was when the program ends. I think this is .reg stuff but I don't know for sure.
But its your project.
Since the beginning of time, Man has searched for the answers to the big questions: 'How did we get here?' 'Is there life after death?' 'Are we alone?' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?
May 1st, 2004, 03:22 PM
#7
Surely a more precise way of doing it would be to pass each string through first to determine how many periods there are. IMO, more than one is suspicious in the first place. Those that have multiples should be logged with their complete path and passed over for future investigation. Then start from the left, find the period and cut the remainder of the string as the extension, since not all are 3 characters (html comes to mind); you would cause an error if you only pull the last 3.
My 2 cents.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
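A Python version of the checker this thread is circling around, added here as an example rather than code from any of the posters: it does the signature-versus-extension comparison asked for in posts #1 to #3 and the extension splitting and multiple-extension flagging discussed in posts #5 to #7. The magic-number table, the extension-to-signature map and the sample files are all constructed for the example (a real scan would lean on the much larger database behind the Unix `file` utility).

```python
import os
import tempfile

# Magic-number table, constructed for this example. Real tables (the one behind
# the Unix `file` utility, for instance) are far larger; this one only covers
# the types used by the sample files below.
MAGIC = [
    (b"MZ", "exe"),                    # DOS/Windows executables, incl. .sys drivers
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"PK\x03\x04", "zip"),            # also .jar, .docx and other zip containers
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Which signature family each known extension should carry. Extensions absent
# from this map (txt, html, ...) are expected to carry no known binary signature.
EXPECTED = {
    "exe": "exe", "sys": "exe", "dll": "exe", "scr": "exe",
    "so": "elf", "elf": "elf",
    "pdf": "pdf", "png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif",
    "zip": "zip", "jar": "zip", "docx": "zip",
}


def sniff_type(path, nbytes=16):
    """Return the signature family of the file's leading bytes, or None if unknown."""
    with open(path, "rb") as fh:
        head = fh.read(nbytes)
    for sig, family in MAGIC:
        if head.startswith(sig):
            return family
    return None


def split_extensions(filename):
    """Every extension after the first '.', lower-cased, left to right:
    'test.txt.sys' -> ['txt', 'sys']. A leading dot (.bashrc) is not an extension,
    and no fixed length is assumed, so 'index.HTML' -> ['html']."""
    name = os.path.basename(filename)
    if name.startswith("."):
        name = name[1:]
    return [p.lower() for p in name.split(".")[1:] if p]


def check_file(path):
    """Compare every claimed extension against the sniffed signature.
    Returns a list of findings; an empty list means nothing looks wrong."""
    exts = split_extensions(path)
    detected = sniff_type(path)
    findings = []
    if len(exts) > 1:
        findings.append("multiple extensions")
    for ext in exts:
        # A text-type extension with a binary signature, or a binary-type
        # extension with the wrong (or no) signature, are both mismatches.
        if EXPECTED.get(ext) != detected:
            findings.append("extension .%s does not match signature %s" % (ext, detected))
    return findings


def scan(root):
    """Walk a directory tree; return {relative path: findings} for flagged files only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            findings = check_file(path)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_samples(root):
    """Write constructed sample files (a few header bytes, not real programs)."""
    samples = {
        "notes.txt": b"just some text\n",                # honest text file
        "image.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 8,   # honest PNG
        "report.pdf": b"MZ\x90\x00" + b"\0" * 12,        # executable renamed to .pdf
        "test.txt.sys": b"MZ\x90\x00" + b"\0" * 12,      # double extension; Explorer shows test.txt
        "driver.sys": b"not a driver at all\n",         # .sys without the MZ header
        "index.HTML": b"<html></html>\n",               # 4-letter, upper-case extension
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the samples in a temp dir, scan them and return the report."""
    root = tempfile.mkdtemp()
    build_samples(root)
    return scan(root)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, "->", "; ".join(findings))
```

Running it flags report.pdf (MZ header under a .pdf name), test.txt.sys (multiple extensions, and the visible .txt does not match the executable signature) and driver.sys (claims to be a driver but has no MZ header), while notes.txt, image.png and index.HTML pass. Every extension in the name is checked, as post #6 suggested, so the report says both that test.txt.sys is not a text file and that its last extension is consistent with the content; unknown content is treated as "no signature expected", which is why plain text under .txt is fine but plain text under .sys is not.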
May 1st, 2004, 03:41 PM
#8
Thanks MoonWolf & Tiger, that was my 3rd option... (checking for double extensions)
/in my best Homer Simpson voice
DOH!!
/slaps self on forehead.
I don't but can't you get the program to change the option of not showing the extension when you start it and then restore this option to the way it was when the program ends.
I'm not sure I understand... why wouldn't you want it to show the extension? I can disable it in explorer, but Java shows the full path and extensions, regardless of how explorer is set.
May 1st, 2004, 06:20 PM
#9
Doh!
me==stupid. I should think then write.
Since the beginning of time, Man has searched for the answers to the big questions: 'How did we get here?' 'Is there life after death?' 'Are we alone?' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?
May 1st, 2004, 07:13 PM
#10
Even though you're doing this in Java, there's a C function strtok that comes to mind when discussing this. Were I to write a program like this, I think C strtok would be a nice choice because then I could check for all the extensions that are present in the file name (not limited to just finding two). I don't know enough java to know if there's a method that's equivalent to strtok, but if there is, I would suggest going with that instead of having to write your own method to handle it.
Is there a sum of an infinite geometric series? Well, that all depends on what you consider a negligible amount.