lowmanio.co.uk title image

Mini Forensics Challenge: File headers & Footers

Sun, 17 Feb 2013 06:42PM

Category: Digital Forensics & Malware

Written by Sarah | With 1 comment

Over the next wee while I am going to set some small forensic challenges for you to have a go at. The idea is that you don’t need expensive forensic software (i.e. EnCase!) to have a go; all of these are doable by hand using a hex/text editor. If you know how to do it manually, then you can explain what happens when EnCase or FTK do their magic and also be able to verify it.

First off, let’s have a look at headers and footers in files. Many files have special characters at the start and end of their files to identify them: Zip files are one of those. In Windows, unallocated clusters, the page file, the hibernate file and other large lumps of unprocessed data can contain many files within them. Tools like EnCase can carve out files that exist within these files by using the header and footer information.

Challenge 1: Using a hex editor, repair this zip file which has had its header and footer corrupted.

File MD5: d8ae233b09ca24aefd8cb6e22ee229f7

Challenge 2: Somewhere inside this file is a zip file. Can you carve out the zip file?

File Md5: 783b1c7f24f3dd172bdf9f5678c15a55

Challenge 3 (difficult): Can you write a script that carves out all zip files if given a chuck of unallocated clusters? Can you make this script generic so you can feed it any header and footer type to carve?

Challenge hints and useful pages:

Links to free hex editors:

  1. HHD Hex Editor Neo 
  2. WinHex

Comments

The answers are now available at http://lowmanio.co.uk/blog/entries/mini-forensics-challenge-answers:-file-headers-%26-footers/
Sarah
Wed, 30 Oct 2013 10:39AM

Add a comment

captcha