Hi Guys,

I have two questions:

1. Whilst assessing a raw drive image, how do you determine the filetypes of files. Its easy to ID a text file for example since its visible in plaintext and same with images/videos etc as they have meta tag information at the beginning of the file, but then you have files which are just complete gobbledygook. How does one determine the filetype of such files ?

2. Ive been looking into various encryption algorithms and want to know if there any established way of determining what encryption a file is using (when assessing the raw output of file).

Hi pomi,

1. There are really two kinds of files, plain text and binary.   As you have already realized, text files are easily recognizable.   Binary files typically have a header and a footer element that identifies the file.   The header or footer are just a series of characters that are going to be common to all files of that type.   When you are looking for a file, you can search for a particular header to identify the beginning of a file.   Identifying the end can be somewhat more challenging though.   If the file doesn't have a footer, you can just cut chunks of a certain size and hope that the native software viewer can reconstruct the file using error correction. 

For example, a windows executable has a header signature of 4D5A.   

Like mambru said, data carving software will look for file headers.  Typically you set the headers you are seeking and a target file size.  The software will search for the header and copy out data chunks of the size you specified.   

The above is assuming that you don't have access to the file system table.   Most forensic software can interpret the file system type and its table of files and folders.  Rather than relying on file signatures, the software will simply reconstruct the directory and file structure. 

2. Some encryption protocols will include a header to identify itself.  Some will not.   In forensics, we get used to looking at data in hex.   If we see a long stream of hex without any recognizable text, it could indicate encryption or some sort of encoding, but it isn't always the case. 

Scalpel is a great data carving tool like mambru mentioned.   Of course, EnCase, X-Ways, FTK all have these capabilities and much more.   These are commercial and expensive tools though.

If you change data in a binary file, you are changing the structure of a file.  This has nothing to do with the MFT.  Each binary file will have its own structure as set forth by the developer.  Check the following article on the RIFF file structure:

http://www.tactilemedia.com/info/MCI_Control_Info.html

By remapped sectors, do you mean those moved the HDD firmware when bad sectors are discovered?   If so, you would need specialized hardware + software solution that allows access to the HDD firmware.   There are two such products that are popular.  One is from SalvationData and the other is from ACE Labs. 

Pomi,

Unless you strategically change a few hex values that are non-essential to the operation of a file, you are going to "break" the file.  Think of a binary file is a file system (some actually are).  It depends on which file you delete, whether or not the operating system will still boot.

The firmware area on a hard drive sits on the platters.   The issue is that hard disk controllers, not software, do not have access to this area.   A software tool alone will not be able to access the firmware.  What makes this even worse is that the access to this area varies from manufacturer to manufacturer.  For example, some Seagate drives make this area accessible through a custom serial interface.   None of this is well documented.  ACE Labs and SalvationData figured this out by reverse engineering and stealing engineers from the hard drive manufacturers