File Analysis Dr. John P. Abraham Professor UTPA.

File analysis
• Content identification
  – Identify what a file is
• Metadata extraction
  – Retrieval of any embedded metadata associated with a file

Content Identification
• Goal is to confirm the content of a given file
• File extension can be changed, so don’t take it for granted
• A specific hexadecimal value is assigned to a particular file type (magic value) at a specific offset from the beginning of the file.
• In Linux you can examine this with the command file filename.
• You can download a similar program for Windows.
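
The magic-value check described above, as an added Python example that is not part of the original slides. The signature bytes and offsets are the well-known published values for formats this deck lists (they are not given on the slides), and the sample headers are constructed for illustration.

```python
import os

# label, extensions normally used for that type, [(offset, magic bytes), ...]
SIGNATURES = [
    ("JPEG", {".jpg", ".jpeg"}, [(0, b"\xff\xd8\xff")]),
    ("GIF",  {".gif"},          [(0, b"GIF8")]),
    ("PNG",  {".png"},          [(0, b"\x89PNG\r\n\x1a\n")]),
    ("TIFF", {".tif", ".tiff"}, [(0, b"II*\x00")]),   # little-endian
    ("TIFF", {".tif", ".tiff"}, [(0, b"MM\x00*")]),   # big-endian
    ("WAV",  {".wav"},          [(0, b"RIFF"), (8, b"WAVE")]),
    ("AVI",  {".avi"},          [(0, b"RIFF"), (8, b"AVI ")]),
    # Office Open XML documents are ZIP containers, so they share this magic
    ("ZIP",  {".zip", ".docx", ".xlsx", ".pptx"}, [(0, b"PK\x03\x04")]),
    ("GZIP", {".gz", ".tgz"},   [(0, b"\x1f\x8b")]),
    ("RAR",  {".rar"},          [(0, b"Rar!\x1a\x07")]),
    ("TAR",  {".tar"},          [(257, b"ustar")]),   # magic is not at offset 0
    ("PDF",  {".pdf"},          [(0, b"%PDF-")]),
    ("RTF",  {".rtf"},          [(0, b"{\\rtf")]),
]

def identify(data):
    """Return (label, extensions) for the first signature whose parts all match."""
    for label, exts, parts in SIGNATURES:
        if all(data[off:off + len(magic)] == magic for off, magic in parts):
            return label, exts
    return None

def check(name, data):
    """Compare the extension in the file name with the content-derived type."""
    hit = identify(data)
    if hit is None:
        return ("unknown", "unknown")
    label, exts = hit
    ext = os.path.splitext(name)[1].lower()
    return (label, "match" if ext in exts else "mismatch")

# Constructed sample headers (not real evidence files)
SAMPLES = {
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "invoice.pdf": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # JPEG renamed to .pdf
    "backup.tar":  b"\x00" * 257 + b"ustar\x00",
    "notes.txt":   b"RIFF\x24\x00\x00\x00WAVEfmt ",        # WAV renamed to .txt
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *check(name, data))
```

For a file on disk, pass the first 512 bytes read in binary mode; that is enough to reach the TAR magic at offset 257.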

Content examination
• We can use xxd (hexdump) to inspect the file in Unix.
• In Windows you can use the debug command
• The values are given in hexadecimal
• There are other programs that are more readable

Metadata Extraction
• Data about data
• Information stored within the file itself
• Author, time stamp, program used to create the file, etc.
• Metadata can be altered or eliminated to confuse the investigator.
• There are tools that can be downloaded to examine metadata.
• There are also programs available to delete metadata

Common file types
• JPEG – (Joint Photographic Experts Group) for images
• GIF – Graphics Interchange Format – images, graphics or icons. Lossless.
• PNG – Portable Network Graphics. Lossless compression of images.
• TIFF – Tagged Image File Format – used in publishing and graphics design
• WAV – Waveform Audio File Format. For audio
• MP3 & MP4 Moving Picture Experts Group – digital music
• ASF/WMA – streaming media.
• MPEG – video
• AVI – video and audio
• MOV – movies
• ZIP, TAR, GZIP & RAR – file compression programs

Other formats
• Microsoft file formats
• Rich Text Format
• PDF (Portable Document Format)