> If the files on the image are obvious (like .doc and stuff)

Remember, file extensions can be changed very easily. Just b/c it says ".doc" and you see the Word icon doesn't mean 100% of the time that the file is, in fact, a Word document.

> How can you determine the file type and, furthermore,
> how do you conclude that this file is encrypted
> (if it is) ?

Actually, it's pretty simple. On a Win32 system (you didn't mention the OS of the system you're analyzing) file signatures are contained in the first 20 bytes of the file. Executables, for example...EXE, DLL, SYS, SCR, etc...all have "MZ" at the beginning of the file. Simply open any such file in Notepad and you'll see that. EnCase uses this information to compare the file extension to the signature. For graphics images, GIFs contain "GIF87a" or "GIF89a"...JPEGs contain "JFIF".

I wrote a Perl script called sigs.pl:

http://patriot.net/~carvdawg/perl.html

...that uses this same technique. The Perl script is also available as a standalone executable as part of my Win2K Live Forensics course.

Now, regarding encryption...PGP files contain ¨PGP (which translates into A8 03 50 47 50) at the beginning of the file.

HTH
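The header-versus-extension check the post describes, as an added example in Python rather than Perl; it is not sigs.pl or any other code from the list, and the sample headers (an EXE renamed to .doc, a JPEG, a GIF, a PGP blob saved as .txt) are constructed here. The signature bytes come from the post; the JFIF offset of 6 and the note about EXIF JPEGs are the editor's additions.

```python
import os

# (signature, offset, family, extensions that legitimately carry it)
SIGNATURES = [
    (b"MZ", 0, "win32-executable", {".exe", ".dll", ".sys", ".scr"}),
    (b"GIF87a", 0, "gif", {".gif"}),
    (b"GIF89a", 0, "gif", {".gif"}),
    (b"JFIF", 6, "jpeg", {".jpg", ".jpeg"}),  # after FF D8 FF E0 + length; EXIF JPEGs carry "Exif" here
    (b"\xa8\x03PGP", 0, "pgp-binary", {".pgp", ".gpg"}),  # A8 03 50 47 50, as given in the post
]
HEADER_LEN = 20  # the post: signatures live in the first 20 bytes

def identify(header):
    # First signature found at its expected offset wins; None if nothing matches.
    for sig, off, family, _ in SIGNATURES:
        if header[off:off + len(sig)] == sig:
            return family
    return None

def classify(header, filename):
    # EnCase-style check: does the extension agree with what the header says the file is?
    family = identify(header)
    ext = os.path.splitext(filename)[1].lower()
    allowed = {e for _, _, fam, exts in SIGNATURES if fam == family for e in exts}
    if family is None:
        verdict = "unknown"    # not in the table; the extension alone proves nothing
    elif ext in allowed:
        verdict = "match"
    else:
        verdict = "mismatch"   # extension has been changed or is simply wrong
    return {"file": filename, "ext": ext, "family": family, "verdict": verdict}

def check_file(path):
    # Read only the header, so this stays cheap on the large files found on a disk image.
    with open(path, "rb") as fh:
        return classify(fh.read(HEADER_LEN), os.path.basename(path))

def demo():
    # Constructed headers: an EXE renamed to .doc, a real JPEG and GIF, a PGP blob as .txt.
    samples = {
        "report.doc": b"MZ\x90\x00" + b"\x00" * 16,
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
        "anim.gif": b"GIF89a\x01\x00\x01\x00",
        "notes.txt": b"\xa8\x03PGP" + b"\x00" * 10,
    }
    return [classify(data, name) for name, data in samples.items()]

if __name__ == "__main__":
    for r in demo():
        print(f"{r['file']:12} header says {r['family']!s:18} -> {r['verdict']}")
```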
This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 13:48:44 PDT