Hello folks!

While I was working with a case today, I stumbled across a large amount of binary material in unallocated space, which I am unable to identify. The material did not contain any specific words or other signatures that would enable me to see what kind of file it originally had been.

While this is not important in this particular case, it struck me that it should be possible to produce new ways of identifying file types, based on content rather than on header/footer signature. One could for example build a frequency signature by counting the number of each byte in the data. Such a signature could be extended by frequencies of digraphs (2-byte combinations), trigraphs etc. When the proper way of building a signature has been found, one could build a database of signatures of all known file types, much like the signatures in /etc/magic in UNIX-systems. One would now be able to identify a file type just from a fragment, like in the situation above.

I believe this would be of great value for computer forensic investigators. Has anyone heard of research along these lines, or perhaps even a tool to do this?

--
Svein Y. Willassen, M.Sc
investigation manager, computer forensics, Ibas AS

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
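The scheme sketched in the post (byte frequencies extended with digraph frequencies, a signature database per file type, nearest match for an unknown fragment), as an added example that is not part of the original message. The three "file types" and their training corpus are constructed in the script; `signature`, `cosine`, `build_database` and `identify` are names chosen here.

```python
"""Content-based file-type identification from byte and digraph frequencies.
Added example with a constructed training corpus, not real evidence data."""
import math
import random
import struct
import zlib

def signature(data: bytes) -> dict:
    """Sparse frequency vector over single bytes (1-tuples) and digraphs (2-tuples)."""
    n, sig = len(data), {}
    for i, b in enumerate(data):
        sig[(b,)] = sig.get((b,), 0.0) + 1.0 / n
        if i + 1 < n:
            sig[(b, data[i + 1])] = sig.get((b, data[i + 1]), 0.0) + 1.0 / (n - 1)
    return sig

def cosine(a: dict, b: dict) -> float:
    """Cosine similarity of two sparse signatures: 1.0 means identical shape."""
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def build_database(samples: dict) -> dict:
    """Average the signatures of known files of each type: the content-based
    counterpart of an /etc/magic entry, one reference vector per type."""
    db = {}
    for ftype, files in samples.items():
        ref = db.setdefault(ftype, {})
        for f in files:
            for k, v in signature(f).items():
                ref[k] = ref.get(k, 0.0) + v / len(files)
    return db

def identify(fragment: bytes, db: dict) -> tuple:
    """Best-matching type and its score (0..1) for a fragment of unknown origin."""
    frag = signature(fragment)
    scores = {t: cosine(frag, ref) for t, ref in db.items()}
    best = max(scores, key=scores.get)
    return best, round(scores[best], 3)

# Constructed corpus: English-like text, zlib streams, little-endian integer tables.
rng = random.Random(7)
WORDS = "the quick brown fox jumps over a lazy dog while investigators carve files".split()
def fake_text(n): return " ".join(rng.choice(WORDS) for _ in range(n)).encode()
def fake_table(n): return b"".join(struct.pack("<I", rng.randrange(4096)) for _ in range(n))
SAMPLES = {
    "text": [fake_text(150) for _ in range(3)],
    "zlib": [zlib.compress(fake_text(2000)) for _ in range(3)],
    "int-table": [fake_table(200) for _ in range(3)],
}
DB = build_database(SAMPLES)
```

A real database would need many samples per type and a score threshold below which the answer is "unknown", since a fragment of a type not in the database still gets some nearest neighbour.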
This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 12:28:08 PDT