re: Handling, possibly, encrypted data

From: H C (keydet89at_private)
Date: Tue Aug 13 2002 - 11:35:09 PDT


    > If the files on the image are obvious (like .doc and
    > stuff)
    
    Remember, file extensions can be changed very easily. 
    Just b/c it says ".doc" and you see the Word icon
    doesn't mean 100% of the time that the file is, in
    fact, a Word document.
    
    > How can you determine the file type and, furthermore,
    > how do you conclude that this file is encrypted
    > (if it is) ?
    
    Actually, it's pretty simple.  On a Win32 system (you
    didn't mention the OS of the system you're analyzing)
    file signatures are contained in the first 20 bytes of
    the file.  Executables, for example...EXE, DLL, SYS,
    SCR, etc...all have "MZ" at the beginning of the file.
    Simply open any such file in Notepad and you'll see
    that.  EnCase uses this information to compare the
    file extension to the signature.  For graphics images,
    GIFs contain "GIF87a" or "GIF89a"...JPEGs contain
    "JFIF".
    
    I wrote a Perl script called sigs.pl:
    
    http://patriot.net/~carvdawg/perl.html
    
    ...that uses this same technique.  The Perl script is
    also available as a standalone executable as part of
    my Win2K Live Forensics course.
    
    Now, regarding encryption...PGP files contain ¨PGP
    (which translates into A8 03 50 47 50) at the beginning
    of the file.
    
    HTH
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
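The extension-versus-signature comparison described in the post above, written out as an added example; this is not the author's sigs.pl nor any code from the list. The signature table follows the values given in the post, with two additions of my own: the "JFIF" string is matched at offset 6 of a JPEG, and A8 03 "PGP" is read as the OpenPGP marker packet (tag 10, length 3, content "PGP"); all sample headers are constructed, not real files.

```python
import os

# Signature table: (offset, magic bytes, description, extensions the magic is expected under).
# Entries mirror the post; JFIF offset and the PGP marker-packet reading are my additions.
SIGNATURES = [
    (0, b"MZ", "Win32 executable (EXE/DLL/SYS/SCR)", {".exe", ".dll", ".sys", ".scr"}),
    (0, b"GIF87a", "GIF image", {".gif"}),
    (0, b"GIF89a", "GIF image", {".gif"}),
    (6, b"JFIF", "JPEG image (JFIF)", {".jpg", ".jpeg"}),
    (0, b"\xa8\x03PGP", "OpenPGP binary (marker packet)", {".pgp", ".gpg"}),
    (0, b"-----BEGIN PGP", "OpenPGP ASCII-armored", {".asc", ".pgp"}),
]

HEADER_LEN = 20  # the post says the signature sits in the first 20 bytes

def identify(header: bytes):
    """Return (description, expected_extensions) for the first matching signature, else None."""
    for offset, magic, desc, exts in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return desc, exts
    return None

def check_header(name: str, header: bytes):
    """Compare the claimed extension with the header.

    Returns (description or None, extension_matches). A None description means
    no known signature: the file is unknown, possibly encrypted or compressed.
    """
    ext = os.path.splitext(name)[1].lower()
    match = identify(header[:HEADER_LEN])
    if match is None:
        return None, False
    desc, exts = match
    return desc, ext in exts

# Constructed sample headers (not real files) to exercise the checker offline.
SAMPLES = {
    "report.doc": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 12,          # EXE renamed to .doc
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 8,  # genuine JFIF header
    "banner.gif": b"GIF89a" + b"\x00" * 14,
    "notes.txt": b"\xa8\x03PGP" + b"\x00" * 15,                         # PGP data named .txt
    "blob.bin": bytes(range(20)),                                       # no known signature
}

if __name__ == "__main__":
    for fname, hdr in SAMPLES.items():
        desc, ok = check_header(fname, hdr)
        status = "no known signature" if desc is None else f"{desc}, extension {'matches' if ok else 'MISMATCH'}"
        print(f"{fname}: {status}")
```

To run it over a real image, read the first HEADER_LEN bytes of each file with open(path, "rb") and pass the file name and those bytes to check_header.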
    



    This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 13:48:44 PDT