When investigating an image of a suspect's drive, sometimes you need to restore deleted files that have been overwritten or destroyed in some manner. In these cases the files might be too damaged to recover, and can in some cases be a real pain to try and restore.

Considering that there are quite a few anti-forensics tricks out there, this one might be the simplest, yet it might also be the hardest to crack. At least as far as I have been able to research (and ask my peers about).

One thing I have enjoyed doing is looking at File Signatures (Wikipedia, 2016). Every file has some type of metadata, and the first thing a file starts out with (when looking at the raw data) is the file signature that tells the system what type of file it is (like photo, text, music and so on). A JPEG photo can start with the byte “FF”, for example. But here is the catch – what if this was altered?

Let's say that we have a person who is suspected of molesting children, and you as a forensics analyst are asked to investigate a hard drive to find any evidence of this person having these types of tendencies. If this person had the technical skill to alter the initial bytes of an incriminating photo, it would be very difficult and time-consuming for an investigator to recover what is in the photo.

To give an example: the suspect has taken some illegal photos with a Canon digital camera. The files this camera generates have a file signature starting with 49 49 and the file extension .cr2. But let's say this was altered to 25 50: the file would then seem to be a PDF! You would try to open it, get an error saying it can't be opened, and perhaps then move on to another file, thinking it is too damaged or overwritten to read. The alternative would be to try rewriting the file signature in every possible combination known to the digital gods, which would not be possible to do in a reasonable timeframe. If this was a single file, and you knew the suspect did indeed have a Canon camera, then you might want to give it a try. But without further knowledge, this could be a problem.
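One triage approach for the scenario above, as an added example that is not part of the original post: instead of trusting bytes 0-1, check whether the complete leading magic matches and whether structural markers deeper in the file (the TIFF magic at offset 2 and the `CR` tag at offset 8 for CR2) point to a different format. The format table, function names and sample bytes are constructed for illustration, and `repair` assumes only the first two bytes were altered.

```python
# Added example (not from the original post). Markers follow the published
# CR2/TIFF, JFIF and PDF layouts; the format table itself is illustrative.
# name -> (leading magic, [(offset, marker)]); offset None = search file tail
FORMATS = {
    "cr2": (b"II*\x00", [(2, b"*\x00"), (8, b"CR\x02")]),
    "jpeg-jfif": (b"\xff\xd8\xff", [(2, b"\xff\xe0"), (6, b"JFIF\x00")]),
    "pdf": (b"%PDF-", [(2, b"DF-"), (None, b"%%EOF")]),
}

def _has(data, offset, marker):
    """True if marker sits at offset (or in the last 1 KiB when offset is None)."""
    if offset is None:
        return marker in data[-1024:]
    return data[offset:offset + len(marker)] == marker

def leading_type(data):
    """Format whose complete leading magic matches, else None."""
    for name, (magic, _) in FORMATS.items():
        if data.startswith(magic):
            return name
    return None

def structural_candidates(data):
    """Formats whose markers beyond bytes 0-1 are all present."""
    return [name for name, (_, markers) in FORMATS.items()
            if all(_has(data, off, m) for off, m in markers)]

def repair(data, name):
    """Copy with bytes 0-1 restored; assumes only those two bytes were altered."""
    return FORMATS[name][0][:2] + data[2:]

def triage(data):
    """Flag files whose leading bytes disagree with their internal structure."""
    claimed, candidates = leading_type(data), structural_candidates(data)
    return {"claimed": claimed, "candidates": candidates,
            "suspicious": bool(candidates) and claimed not in candidates}

# Constructed sample: a CR2 header followed by padding, then the same bytes
# with 49 49 replaced by 25 50 as in the scenario above.
SAMPLE_CR2 = b"II*\x00\x10\x00\x00\x00CR\x02\x00" + b"\x00" * 64
ALTERED = b"\x25\x50" + SAMPLE_CR2[2:]

if __name__ == "__main__":
    print(triage(ALTERED))
    print(repair(ALTERED, "cr2") == SAMPLE_CR2)
```

Work on a copy of the evidence file and record the original bytes before applying any repair, so the change stays documented.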

I tried to engage some of my peers with this issue, but so far it seems this is a real issue in the world of digital forensics. Looking forward to someone perhaps giving some feedback on a possible solution?

 

References:
Wikipedia (2016) File Signatures
https://en.wikipedia.org/wiki/List_of_file_signatures (Accessed: 05 December 2016)