FILE CARVING: Reassembling files from fragments of bytes/hex data on a digital device, using known file signatures (headers and footers) rather than file-system metadata
ASCII to Hex: A 41, B 42, C 43, D 44
• IF the above data is in a .txt, .html or legacy .doc file THEN convert the hex to ASCII: these formats store their text uncompressed, so the strings are readable in a hex editor
• IF the data is in a .docx or .pdf file THEN the content of the file has to be ‘mounted’ (unpacked or decompressed by a parser for that format) before being interpreted: a .docx is a ZIP container of deflate-compressed XML, and the content streams of a .pdf are usually compressed
“With the release of Office ‘07, Microsoft Word documents now use the same file format signature as a .ZIP file. If we were to view the entirety of the file with our HEX editor we would not uncover any legible ASCII characters. Why? The file structure and assembly instructions are contained within the file; thus, the file would need to be mounted by its native software in order for the contents to be viewed. Viewing and, more importantly, searching the contents of these “complex” files are possible once they are mounted. Forensic tools incorporate the software to mount these so that searching is possible”
4D414453203639370000
The above code is the hex representation of a file.
Find out the file type (extension): .txt, .doc, .zip, .html, .png or .jpg
What is the data stored in this file?
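A worked version of this exercise, added here as an example and not part of the original slides: it checks the well-known signatures at offset 0, falls back to a printable-text test for the signature-less formats, and opens a ZIP-based file so its content can be read. The `identify`, `_inspect_zip` and `make_fake_docx` names are my own, and the .docx-shaped container is constructed for the demonstration (minimal, not a complete Word file).

```python
import io
import zipfile

# Well-known file signatures ("magic bytes") at offset 0.  Plain text and
# HTML have no signature, so they are recognised by content instead.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 compound file (Word 97-2003)
    (b"PK\x03\x04", "zip"),                          # ZIP, and therefore also .docx/.xlsx/.pptx
    (b"BM", "bmp"),                                  # two bytes only: weak, confirm with the header fields
]

# The hex from the slide.
SLIDE_HEX = "4D414453203639370000"


def identify(data: bytes) -> dict:
    """Classify a carved run of bytes.

    Returns {'ext': guessed extension, 'text': recovered text or None, 'note': why}.
    Text formats convert straight from hex to ASCII; a ZIP container is opened
    ('mounted') so its content can be read.
    """
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            if ext == "zip":
                return _inspect_zip(data)
            return {"ext": ext, "text": None,
                    "note": "binary format; needs its own parser before the content is readable"}

    # Trailing NUL bytes are typical slack padding at the end of a carved cluster.
    body = data.rstrip(b"\x00")
    if body and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in body):
        text = body.decode("ascii")
        ext = "html" if text.lstrip().lower().startswith(("<!doctype", "<html")) else "txt"
        return {"ext": ext, "text": text, "note": "plain text; hex converts directly to ASCII"}

    return {"ext": "unknown", "text": None, "note": "no known signature and not printable text"}


def _inspect_zip(data: bytes) -> dict:
    """'Mount' a ZIP-based file: list the members and pull the Word body if present."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "word/document.xml" in names:
            body = zf.read("word/document.xml").decode("utf-8")
            return {"ext": "docx", "text": body,
                    "note": "ZIP container; the text is deflate-compressed inside word/document.xml"}
    return {"ext": "zip", "text": None, "note": "ZIP archive with members: " + ", ".join(names)}


def make_fake_docx(paragraph: str) -> bytes:
    """Constructed sample: a minimal .docx-shaped ZIP (not a complete, Word-valid file)."""
    xml = ("<w:document><w:body>"
           + "".join(f"<w:p><w:r><w:t>{paragraph}</w:t></w:r></w:p>" for _ in range(3))
           + "</w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(identify(bytes.fromhex(SLIDE_HEX)))
    raw = make_fake_docx("the stolen plans")
    # The member name is visible in the raw bytes, the text is not: it has to be unpacked first.
    print(b"word/document.xml" in raw, b"the stolen plans" in raw, identify(raw)["ext"])
```

Searching the raw bytes of the constructed .docx for the paragraph finds nothing, while `identify` returns it after unpacking; that is the "mounting" step the slide refers to, and it is why a keyword search in a hex editor is not enough for container formats.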
HEX values represent pixel colours
• .bmp: the pixel array is stored uncompressed, so each group of three bytes in the hex (stored as B, G, R) is one pixel's colour
• .png, .jpg: same issue as .docx and .pdf; the pixel data is compressed (deflate for PNG, DCT for JPEG)
• The file has to be decoded (‘mounted’) first; the raw hex cannot be interpreted as colours
http://magazine.art21.org/2011/09/13/how-to-create-a-bitmap-image-file-by-hand-without-stencils
• Go to the link above and follow the step-by-step instructions
• You will create a .bmp file by writing its hex code by hand
• Step 1: Open https://hexed.it/ and select New file
• Step 2: Paste the hex representation of the HEADER of a .bmp file
• Step 3: Choose a width whose pixel rows are a multiple of 4 bytes; with 24-bit pixels that means a width divisible by 4 (4*4, 8*8, 16*16), otherwise every row has to be padded with zero bytes up to the next 4-byte boundary
• Step 4: Create an image that looks like the image below (the target image is not reproduced in this extract)
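The same .bmp can be produced and checked programmatically, which covers both the "hex as pixel colours" point above and the hand-written file from the exercise. The following is an added example, not code from the slides or from the linked article: it writes a 24-bit BMP from a pixel grid, reads the headers back, and prints the bytes the way hexed.it would show them. The function names and the 4x4 red-diagonal sample are my own.

```python
import struct

FILE_HEADER = "<2sIHHI"       # BITMAPFILEHEADER: "BM", file size, reserved, reserved, pixel-array offset
INFO_HEADER = "<IiiHHIIiiII"  # BITMAPINFOHEADER: size=40, width, height, planes, bpp, compression,
                              # image size, x pixels/m, y pixels/m, colours used, important colours
PIXEL_OFFSET = 14 + 40


def write_bmp(pixels):
    """Build a 24-bit uncompressed BMP from rows of (r, g, b) tuples, top row first."""
    height, width = len(pixels), len(pixels[0])
    padding = (4 - (width * 3) % 4) % 4        # every row is padded to a 4-byte boundary
    body = bytearray()
    for row in reversed(pixels):               # BMP stores the bottom row first
        for r, g, b in row:
            body += bytes((b, g, r))           # and each pixel as B, G, R
        body += b"\x00" * padding
    info = struct.pack(INFO_HEADER, 40, width, height, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    head = struct.pack(FILE_HEADER, b"BM", PIXEL_OFFSET + len(body), 0, 0, PIXEL_OFFSET)
    return bytes(head + info + body)


def read_bmp(data):
    """Parse the headers and return the pixel rows top-first; raises on anything unsupported."""
    magic, size, _, _, offset = struct.unpack_from(FILE_HEADER, data, 0)
    if magic != b"BM" or size != len(data):
        raise ValueError("not a BMP, or the carved data is truncated")
    _, width, height, _, bpp, compression, *_ = struct.unpack_from(INFO_HEADER, data, 14)
    if bpp != 24 or compression != 0 or height <= 0:
        raise ValueError("only uncompressed, bottom-up 24-bit BMPs are handled here")
    stride = (width * 3 + 3) & ~3              # padded row length in bytes
    rows = []
    for y in range(height):
        start = offset + y * stride
        rows.append([(data[start + 3 * x + 2], data[start + 3 * x + 1], data[start + 3 * x])
                     for x in range(width)])   # B, G, R on disk -> (r, g, b)
    return rows[::-1]


def hexdump(data, width=16):
    """Return the bytes as 'offset  hex' lines, the way a hex editor shows them."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        lines.append(f"{i:08x}  " + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(lines)


RED, WHITE = (255, 0, 0), (255, 255, 255)
# Constructed 4x4 sample: a red diagonal on white.  Width 4 -> 12-byte rows, so no padding.
SAMPLE_4X4 = [[RED if x == y else WHITE for x in range(4)] for y in range(4)]

if __name__ == "__main__":
    bmp = write_bmp(SAMPLE_4X4)
    print(hexdump(bmp))                      # offset 0x36 onward is the pixel array
    assert read_bmp(bmp) == SAMPLE_4X4
    # A 3-pixel-wide image needs 3 bytes of padding per row to reach 12 bytes.
    print(len(write_bmp([[RED, WHITE, RED], [WHITE, RED, WHITE]])))
```

In the dump, offset 0x36 (54) is the first pixel of the bottom row and a red pixel appears as `00 00 ff`, not `ff 00 00`; the 3-wide image shows where the slide's "divisible by 4" rule comes from, since its 9-byte rows are padded to 12.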
Research Paper: 3000 words + Presentation
• References: at least three academic articles published in the last 5 years
• Reference: at least one theoretical chapter from a book, or a theoretical article, explaining the concept you are investigating
Research Paper Topics
Choice of topic:
• Specific
• Relevant
• Achievable within four/five weeks
• Topic 1: The dark web
• Topic 2: The selling/buying/sharing of illegal material on the Dark Web
• Topic 3: The uses of the Dark Web by law enforcement to gather digital evidence
• Topic 4: Anti-forensics
• Topic 5: Methods of wiping data
• Which topics are specific and which topics are NOT specific?
Write down 2 research topics that are NOT specific and one research topic that is specific. Save your three topics to a file. Email your list to louai@fdu.edu LATER.
Choice of topic: • Academic journals and books
“Timelining is a powerful tool for forensic analysis and contextual awareness. Many forensic tools can automatically structure files and data based on the time they were accessed, last changed, or deleted” (Arnes, 2018)
Conceptual Map
Create a conceptual map that summarizes the concepts related to file system forensics (check the book, the slides from class 8 and any other resources). Your map should include the following concepts: file carving, physical extraction, logical extraction, slack, partition table, file signature, file header, file mounting, RAM slack, drive slack, order of volatility. Add it to your document and email it to louai@fdu.edu.
Writing Reports
• Case data
• Purpose of examination
• Findings
• Conclusions
Writing Reports: “Case data, or similar in a criminal setting, is simply information that describes the investigation that the examination is part of. Case data would include the name of the person that ordered the examination, and some identifier information that identifies the evidence pieces that are subject to examination. The key point here is to maintain chain of custody or similar, as well as being able to distinguish the examination from other examinations”
Writing Reports: examples of purpose of examination:
“The purpose of this examination was to identify if documents stolen during the break-in at samplestreet 41 were present on the computer. The suspect stated, in an interrogation, that the computer was hacked. Thus, the examination also included looking for evidence of remote control software, malicious software and evidence of intrusion”
“The aim of the examination was to extract all pictures from the device”
Investigation of whether a suspect has used their laptop to visit a website where illegal services are advertised. (1) What is the case data, (2) Description of purpose of examination, (3) Findings and Conclusions.
C:\Windows\System32\winevt\Logs\Security.evtx
• Checking when a user logged on: logon events are recorded in the Security log (on current Windows versions a successful logon is Event ID 4624 and a failed logon 4625; the Logon Type field separates console, network and RDP logons, and the source address is recorded for network logons)
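An added example (not from the slides) of building a logon timeline from Security-log records, in the spirit of the Arnes quote on timelining. It assumes the events have been exported as XML (`wevtutil qe Security /f:xml` or `Get-WinEvent` produce records of this shape); the three records are constructed, not taken from a real system, and the function names are mine.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types as recorded in event 4624 (subset).
LOGON_TYPES = {2: "Interactive (console)", 3: "Network", 7: "Unlock",
               10: "RemoteInteractive (RDP)", 11: "CachedInteractive"}

# Constructed sample records in the shape of an XML export of the Security log.
# These are not real log entries.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2018-06-26T21:03:11.5123456Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data><Data Name="TargetDomainName">LAPTOP-01</Data>
    <Data Name="LogonType">2</Data><Data Name="IpAddress">-</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2018-06-26T22:40:02.0012345Z"/></System>
  <EventData>
    <Data Name="TargetUserName">administrator</Data><Data Name="TargetDomainName">LAPTOP-01</Data>
    <Data Name="LogonType">10</Data><Data Name="IpAddress">203.0.113.7</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2018-06-26T22:41:15.7301234Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data><Data Name="TargetDomainName">LAPTOP-01</Data>
    <Data Name="LogonType">10</Data><Data Name="IpAddress">203.0.113.7</Data>
  </EventData>
</Event>
</Events>"""


def _parse_time(system_time):
    # Windows writes 7 or more fractional digits; strptime's %f accepts at most 6.
    base, frac = system_time.rstrip("Z").split(".")
    return datetime.strptime(f"{base}.{frac[:6]}", "%Y-%m-%dT%H:%M:%S.%f")


def parse_logons(xml_text):
    """Return logon (4624) and failed-logon (4625) events as dicts sorted by time (UTC)."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(ev.find("e:System/e:EventID", NS).text)
        if event_id not in (4624, 4625):
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        fields = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        logon_type = int(fields.get("LogonType", 0))
        events.append({
            "time": _parse_time(when),
            "event_id": event_id,
            "outcome": "success" if event_id == 4624 else "FAILURE",
            "user": f'{fields.get("TargetDomainName")}\\{fields.get("TargetUserName")}',
            "logon_type": LOGON_TYPES.get(logon_type, str(logon_type)),
            "source_ip": fields.get("IpAddress", "-"),
        })
    return sorted(events, key=lambda e: e["time"])


def remote_logons(events):
    """Logons that arrived with a source address: the ones to weigh against a
    'my computer was hacked' claim."""
    return [e for e in events if e["source_ip"] not in ("-", None, "127.0.0.1", "::1")]


if __name__ == "__main__":
    for e in parse_logons(SAMPLE_XML):
        print(e["time"], e["event_id"], e["outcome"], e["user"], e["logon_type"], e["source_ip"])
```

The sample shows the pattern a report would have to explain: a console logon by the user, then a failed RDP attempt against `administrator` from an outside address, then a successful RDP logon as the same user from that address a minute later. Timestamps in the log are UTC; convert to local time in the report and say so.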
Internet Forensics
• Check the browser's history
• Check the browser cache
• Check cookies
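Added example, not from the slides: reading a Chromium-based browser's History database, which is the check the exercise above (did the suspect visit the site?) comes down to. The `urls` table and its `last_visit_time` column follow Chromium's schema, but the rows are constructed and the database is built in memory so the example runs offline; on a real system, work on a copy of the History file, which is locked while the browser runs. Function names are mine.

```python
import sqlite3
from datetime import datetime, timedelta

# Chromium stores times as microseconds since 1601-01-01 (the Windows FILETIME epoch),
# not the Unix epoch; treating them as Unix microseconds gives dates around 1970.
WEBKIT_EPOCH = datetime(1601, 1, 1)
UNIX_EPOCH_WEBKIT_US = 11644473600 * 10**6   # Unix epoch expressed in the Chromium scale


def chrome_time(webkit_us):
    """Convert a Chromium timestamp to a (naive, UTC) datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def to_chrome_time(dt):
    """Inverse of chrome_time; floor division keeps the result an exact int."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed in-memory copy of the 'urls' table from a Chromium History database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                    visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER,
                    hidden INTEGER)""")
    rows = [  # url, title, visit_count, typed_count, last visit (UTC); all invented
        ("https://www.example.org/", "Example Domain", 3, 1, datetime(2018, 6, 25, 9, 12, 0)),
        ("https://market.example/listings?cat=services", "Listings", 7, 0,
         datetime(2018, 6, 26, 22, 47, 30)),
        ("https://mail.example.com/inbox", "Inbox", 20, 5, datetime(2018, 6, 27, 8, 1, 5)),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) "
        "VALUES (?, ?, ?, ?, ?, 0)",
        [(u, t, v, ty, to_chrome_time(lv)) for u, t, v, ty, lv in rows])
    return conn


def visits_matching(conn, pattern):
    """Rows whose URL contains `pattern`, timestamps converted, most recent first."""
    cur = conn.execute(
        "SELECT url, title, visit_count, typed_count, last_visit_time FROM urls "
        "WHERE url LIKE ? ORDER BY last_visit_time DESC", (f"%{pattern}%",))
    return [{"url": u, "title": t, "visits": v, "typed": ty, "last_visit": chrome_time(ts)}
            for u, t, v, ty, ts in cur]


if __name__ == "__main__":
    conn = build_sample_history()
    for hit in visits_matching(conn, "market.example"):
        print(hit)
```

`visit_count` against `typed_count` is worth reporting: a URL the user typed rather than followed from a link is stronger evidence of intent. Cookies and cache are separate SQLite databases and files under the same profile directory, and the same epoch conversion applies to their timestamps.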
Email Headers and the Limitations of IP addresses
Received: from SAM-MBX03.ead.ubc.ca ([169.254.6.120]) by s-itsv-hub04p.ead.ubc.ca ([137.82.151.86]) with mapi id 14.03.0389.001; Tue, 26 Jun 2018 14:15:20 -0700
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
Sometimes it is possible to find the IP address of the sender in the email header; other times the IP address found is that of a mail server. In the excerpt above, 169.254.6.120 is a link-local (APIPA) address of an internal mailbox server, so it identifies nothing outside that organisation's network, and 137.82.151.86 is the organisation's mail hub, not the sender's machine. Each relay prepends its own Received line, so the lowest line is nearest the sender, and only the line written by a server you trust can be taken at face value: any Received line below it could have been forged by the sender.
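Added example (not from the slides) that walks the Received chain and classifies each address so the mail-server-versus-sender distinction above is made mechanically. The headers are constructed around the slide's excerpt, with an invented recipient hop (mx.example.net, 198.51.100.25); function names are mine.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the slide's excerpt; the top Received line
# (the recipient's own server) and the envelope headers are invented.
SAMPLE_HEADERS = """Received: from s-itsv-hub04p.ead.ubc.ca (137.82.151.86) by mx.example.net (198.51.100.25) with ESMTPS; Tue, 26 Jun 2018 14:15:22 -0700
Received: from SAM-MBX03.ead.ubc.ca ([169.254.6.120]) by s-itsv-hub04p.ead.ubc.ca ([137.82.151.86]) with mapi id 14.03.0389.001; Tue, 26 Jun 2018 14:15:20 -0700
From: someone@ubc.ca
To: victim@example.net
Subject: test
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary

"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _ips(line):
    """Dotted quads in a header line that are valid IPv4 addresses (drops things like mapi ids)."""
    found = []
    for cand in IP_RE.findall(line):
        try:
            ipaddress.ip_address(cand)
            found.append(cand)
        except ValueError:
            pass
    return found


def classify(ip_str):
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback:
        return "loopback: the server talking to itself"
    if ip.is_link_local:
        return "link-local (169.254/16): internal to the sending network, not attributable"
    if ip.is_private:
        return "private (RFC 1918): not routable, identifies nothing outside that LAN"
    return "public: attributable to an ISP or organisation (not necessarily the sender)"


def received_chain(raw_message):
    """Hops from originator to recipient, each with the 'from' address classified."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received line, so the top line is the last hop and the
    # bottom line is the one nearest the originator.
    for line in reversed(msg.get_all("Received", [])):
        m = re.match(r"from\s+(\S+).*?\bby\s+(\S+)", line, re.S)
        ips = _ips(line)
        hops.append({
            "from_host": m.group(1) if m else None,
            "by_host": m.group(2) if m else None,
            "from_ip": ips[0] if ips else None,
            "by_ip": ips[1] if len(ips) > 1 else None,
            "from_ip_class": classify(ips[0]) if ips else None,
        })
    return hops


def probable_origin(hops):
    """First publicly routable 'from' address in the chain, or None if there is none."""
    for hop in hops:
        if hop["from_ip"] and ipaddress.ip_address(hop["from_ip"]).is_global:
            return hop["from_ip"]
    return None


if __name__ == "__main__":
    chain = received_chain(SAMPLE_HEADERS)
    for hop in chain:
        print(hop["from_host"], hop["from_ip"], "->", hop["by_host"], ":", hop["from_ip_class"])
    print("first public address:", probable_origin(chain))
```

For this message the first public address in the chain is 137.82.151.86, which is the organisation's mail hub; the mailbox server behind it only shows a link-local address, so the sending workstation is not recoverable from the headers at all. Whether the lower hops can be believed depends on the hub having written them, since a sender can insert fake Received lines of their own.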
Case study (Forbes, 18 Dec 2013): Harvard student receives F for Tor failure while sending anonymous bomb threat
https://www.forbes.com/sites/runasandvik/2013/12/18/harvard-student-receives-f-for-tor-failure-while-sending-anonymous-bomb-threat/#7d804b215457