Presentation is loading. Please wait.

Presentation is loading. Please wait.

File Extractor Pro’s File Signature Builder

Published byΒηθεσδά Γιαννόπουλος Modified over 6 years ago

Similar presentations

Presentation on theme: "File Extractor Pro’s File Signature Builder"— Presentation transcript:

1 File Extractor Pro’s File Signature Builder
File Carving Tools File Extractor Pro’s File Signature Builder © Dr. D. Kall Loper, all rights reserved

2 File Signature Builder
Premise A data runs in unallocated space were at one time an active file. Propositions The program that created the file created more than one file. This program need not be on the computer. At least two sample files are still active on the system. © 2012 Dr. D. Kall Loper & 2006 Core Digital Forensics Inc. all respective rights reserved

3 File Signature Builder
Match Sample Files FSB examines each file in the folders selected. The file must be larger the 32K or else it is skipped. At least two files are needed for a match. System files and “locked” files are skipped. © 2012 Dr. D. Kall Loper & 2006 Core Digital Forensics Inc. all respective rights reserved

4 File Signature Builder
Identify matching file signatures, Matching bytes at the beginning plus various trigger points within the file Create a list of all newly identified file signatures Search unallocated space for any of the newly identified file signatures © 2012 Dr. D. Kall Loper & 2006 Core Digital Forensics Inc. all respective rights reserved

5 File Signature Builder
Files system objects are gathered. Illustration © Dr. D. Kall Loper, all rights reserved

6 File Signature Builder
FSB creates an MD4 hash from the first 2.5 MB. If the file is smaller than 2.5 MB then whole file is hashed. Illustration © Dr. D. Kall Loper, all rights reserved

7 File Signature Builder
Files with duplicate hashes are removed from the analysis. Illustration © Dr. D. Kall Loper, all rights reserved

8 File Signature Builder
FSB looks for files with similar first 15 bytes. Unique files are excluded from the analysis. Illustration © Dr. D. Kall Loper, all rights reserved

9 File Signature Builder
FSB compares file signatures by stepping through each byte of the matching groups. Illustration © Dr. D. Kall Loper, all rights reserved

10 File Signature Builder
FSB creates a 'draft' list of signatures. Illustration © Dr. D. Kall Loper, all rights reserved

11 File Signature Builder
Unworkable or useless (all 00xh) headers are removed. Illustration © Dr. D. Kall Loper, all rights reserved

12 File Signature Builder
Using File Extractor Pro The signatures are added to the custom signature list in File Extractor Pro. © 2012 Dr. D. Kall Loper & 2006 Core Digital Forensics Inc. all respective rights reserved

Download ppt "File Extractor Pro’s File Signature Builder"

Similar presentations

Hash-Based Indexes The slides for this text are organized into chapters. This lecture covers Chapter 10. Chapter 1: Introduction to Database Systems Chapter.

Hash-Based Indexes The slides for this text are organized into chapters. This lecture covers Chapter 10. Chapter 1: Introduction to Database Systems Chapter.
Database Management Systems 3ed, R. Ramakrishnan and J. Gehrke1 Hash-Based Indexes Chapter 11.

Database Management Systems 3ed, R. Ramakrishnan and J. Gehrke1 Hash-Based Indexes Chapter 11.
Database Management Systems 3ed, R. Ramakrishnan and J. Gehrke1 Hash-Based Indexes Chapter 11.

Database Management Systems 3ed, R. Ramakrishnan and J. Gehrke1 Hash-Based Indexes Chapter 11.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
1 Hash-Based Indexes Yanlei Diao UMass Amherst Feb 22, 2006 Slides Courtesy of R. Ramakrishnan and J. Gehrke.

1 Hash-Based Indexes Yanlei Diao UMass Amherst Feb 22, 2006 Slides Courtesy of R. Ramakrishnan and J. Gehrke.
FTK Imager 2.6.1

FTK Imager 2.6.1
Computer & Network Forensics

Computer & Network Forensics
Memory Management (II)

Memory Management (II)
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.

COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.
Anti Virus Techniques Jordan & Ryan Use of Checksum The Binary for key files is added up to a number especially in the boot files When these files are.

Anti Virus Techniques Jordan & Ryan Use of Checksum The Binary for key files is added up to a number especially in the boot files When these files are.
Subtraction. Matching objects to numbers (less than 20) and then removing objects from the group.

Subtraction. Matching objects to numbers (less than 20) and then removing objects from the group.
Capturing Computer Evidence Extracting Information.

Capturing Computer Evidence Extracting Information.
July 9, 2004 www.nsrl.nist.gov 1 National Software Reference Library Douglas White Information Technology Laboratory July 2004.

July 9, National Software Reference Library Douglas White Information Technology Laboratory July 2004.
Mastering Your Word Processing Skills

Mastering Your Word Processing Skills
CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.

CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.
Understanding the Benefits and Costs of Deduplication Mahmoud Abaza, and Joel Gibson School of Computing and Information Systems, Athabasca University.

Understanding the Benefits and Costs of Deduplication Mahmoud Abaza, and Joel Gibson School of Computing and Information Systems, Athabasca University.
F8-Noncommercial-Based Forensic Duplications Dr. John P. Abraham Professor UTPA.

F8-Noncommercial-Based Forensic Duplications Dr. John P. Abraham Professor UTPA.

Similar presentations

Ads by Google