Tuesday, April 03, 2007

File Signatures Mobile Phone & Computer Forensics

FILESIG MANAGER

The ever-growing list of file signatures needed when drilling down into imaged data to identify the various file types it may contain can be a real pain if, like me, you keep ever-growing lists of signatures copied and pasted into Notepad documents. The raw data I see from imaging mobile telephones, SIM/USIM cards, Smart/MMC cards and hard disk drives means I need a single database for all the file signatures I capture. I have found a great little tool called Filesig Manager, created by Tim Coakley (www.filesig.co.uk), which is a "file signature and keyword management tool, acting as an examiner's central repository of File Identification information." Importantly, not only does it work very well, but it's FREE.


Screen Image 1

Screen image 1 shows a range of captured file signatures stored in the database, including the file extension, a description and the category of file, plus fields holding the segment and offset data used by other computer forensic products. The database comes with some pre-defined file signatures (the most common and most useful ones), and the user can enter their own as and when they are discovered.
Typically a file signature records the first eight bytes and the last four bytes of a file. Below are some examples of common file signature types I have recovered from the saved and deleted data of imaged mobile phones and MMC cards.
Header                     Footer        Extension
FF D8 FF E0 00 10 4A 46    A4 83 FF D9   .JPG
30 26 B2 75 8E 66 CF 11    23 AE 00 00   .WMA
FF FA 61 C0 EA 3D 00 00    00 00 00 00   .MP3
00 00 00 14 66 74 79 70    31 31 31 30   .3GP
47 49 46 38 39 61 18 01    00 00 00 00   .GIF
52 49 46 46 AC D3 01 00    0D 0A 0D 0A   .WAV
It is worth mentioning that some signatures use a header that does not need all 8 bytes. For example, .JPG file signatures are commonly referenced with the header FF D8 FF E0 or FF D8 FF E1.
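To show how a header/footer table like the one above is actually applied to a raw dump, here is a small added example of mine (not part of the original post and not Filesig Manager's code). It uses the shortened JPG headers just mentioned, the constant "GIF89a" prefix of the GIF entry, and the "RIFF" prefix of the WAV entry (bytes 4 to 7 of a RIFF file are a size field, which is why the table's 8-byte WAV header is only valid for that one file); the JPEG end marker FF D9, the GIF trailer 3B and the "WAVE" check at offset 8 are standard format facts added here, not values from the post, and the byte dump is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Signature:
    ext: str
    header: bytes                              # constant bytes at offset 0 of the file
    footer: Optional[bytes] = None             # trailer bytes, or None if the format has none
    check: Optional[Tuple[int, bytes]] = None  # (offset, bytes) that must also match

SIGNATURES = [
    Signature(".JPG", bytes.fromhex("FFD8FFE0"), bytes.fromhex("FFD9")),
    Signature(".JPG", bytes.fromhex("FFD8FFE1"), bytes.fromhex("FFD9")),
    Signature(".GIF", b"GIF89a", b"\x3b"),
    # only "RIFF" is constant; "WAVE" at offset 8 distinguishes .WAV from other RIFF files
    Signature(".WAV", b"RIFF", None, (8, b"WAVE")),
]

def find_headers(data: bytes) -> List[Tuple[int, Signature]]:
    """Every (offset, signature) whose header (and secondary check) matches, by offset."""
    hits = []
    for sig in SIGNATURES:
        start = 0
        while (pos := data.find(sig.header, start)) != -1:
            if sig.check is None or data[pos + sig.check[0]:].startswith(sig.check[1]):
                hits.append((pos, sig))
            start = pos + 1
    return sorted(hits, key=lambda h: h[0])

def carve(data: bytes) -> List[Tuple[int, int, str]]:
    """(start, end, ext) per hit. end is just past the footer; if the format has no
    footer, or the footer is missing (truncated file), end is the next header / dump end.
    Caveat: a footer can also occur inside a file (e.g. an embedded JPEG thumbnail)."""
    hits = find_headers(data)
    out = []
    for i, (start, sig) in enumerate(hits):
        limit = hits[i + 1][0] if i + 1 < len(hits) else len(data)
        end = limit
        if sig.footer is not None:
            fpos = data.find(sig.footer, start + len(sig.header), limit)
            if fpos != -1:
                end = fpos + len(sig.footer)
        out.append((start, end, sig.ext))
    return out

# Constructed dump: a JPG (E1 variant), then a GIF, then the start of a WAV file.
SAMPLE = (bytes.fromhex("FFD8FFE1") + b"\x00\x10Exif\x00\x00payload" + bytes.fromhex("FFD9")
          + b"GIF89a\x18\x01\x00\x00pixels\x3b"
          + b"RIFF\xac\xd3\x01\x00WAVEfmt ")

if __name__ == "__main__":
    for start, end, ext in carve(SAMPLE):
        print(f"{ext} at offset {start}, {end - start} bytes")
```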

Screen Image 2
Screen image 2 shows the file extensions and their descriptions as a look-up table.
