Data about a file is stored in several locations: system metadata (generated by the file system or the document management layer of the OS), substantive metadata (information that records modifications to a document), embedded metadata (information embedded by the application that creates or edits the file), and external metadata (kept in a separate store, for example a database).
There are several ways to determine a file type: extension, signature and structure. The most reliable is structure, since extensions can be changed trivially and signatures are not very reliable (polymorphic files). Some file types and signatures are listed here and in the book Digital Archaeology. Magic numbers can be viewed on a UNIX machine in `/usr/share/file/magic.mgc` (compiled list of magic numbers), `/usr/share/file/magic` (default list of magic numbers), `/usr/share/file/magic.mime.mgc` (default compiled list) and `/usr/share/file/magic.mime` (default list). Use the `file` command to determine the file type.
Approach
With the files, you’d typically look out for several things:
- File system events/logs/registry (like `$MFT` for Windows or `fseventsd` for macOS), which could help build a timeline of when the file was created/deleted/modified.
- File metadata. Sometimes metadata occupies more space than the file itself. It can contain timestamps (which could differ from the file system ones and be an indicator that those were tampered with), notes, author, and modification history.
- File structure. Look out for steganography techniques, where something is hidden in a legitimate file, or for any indication that the file is a polyglot (a valid file for several formats at once, like php+png or bmp+php).
- File contents. Apart from the obvious (reading the file), look out for stego techniques (if applicable) like text written in white, or an actual message mixed with garbage, etc.
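The extension/signature/structure comparison from the paragraph above, together with the polyglot check from the file-structure bullet, as an added example that is not part of the original page. It assumes a small hand-written magic table in place of the `file` database, and uses constructed sample files (a 1x1 PNG, the same PNG with bytes appended after IEND, and a ZIP renamed to `.pdf`).

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Small magic table (a real triage tool would load the full /usr/share/file/magic database)
SIGNATURES = {PNG_SIG: "png", b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"GIF8": "gif"}

def type_by_extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else None

def type_by_signature(data):
    return next((kind for magic, kind in SIGNATURES.items() if data.startswith(magic)), None)

def png_chunk(ctype, body):
    # PNG chunk layout: 4-byte big-endian length, 4-byte type, body, CRC32 over type+body
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def check_png_structure(data):
    """Walk the chunk list up to IEND and report anything that does not fit the format."""
    result = {"well_formed": data.startswith(PNG_SIG), "bad_crc": 0, "trailing_bytes": 0}
    pos = len(PNG_SIG)
    while result["well_formed"] and pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):                 # chunk claims more bytes than the file holds
            result["well_formed"] = False
            break
        body, crc = data[pos + 8:pos + 8 + length], data[end - 4:end]
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            result["bad_crc"] += 1
        pos = end
        if ctype == b"IEND":                # bytes after IEND are not part of the image
            result["trailing_bytes"] = len(data) - pos
            return result
    result["well_formed"] = False           # ran out of data before IEND (or bad signature)
    return result

def triage(name, data):
    """Compare the extension and signature verdicts, then check structure where a parser exists."""
    ext, sig = type_by_extension(name), type_by_signature(data)
    report = {"ext": ext, "sig": sig, "mismatch": None not in (ext, sig) and ext != sig}
    if sig == "png":
        report["png"] = check_png_structure(data)
    return report

# Constructed samples (not from the page): 1x1 PNG, same PNG with bytes appended after IEND, ZIP renamed .pdf
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN_PNG = PNG_SIG + png_chunk(b"IHDR", IHDR) + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b"")
POLYGLOT_PNG = CLEAN_PNG + b"<constructed trailing bytes appended after IEND>"
RENAMED_ZIP = b"PK\x03\x04" + b"\x00" * 26
```

`triage("photo.png", POLYGLOT_PNG)` reports a well-formed PNG with non-zero `trailing_bytes`, which is exactly the shape a png+php polyglot has, while `triage("invoice.pdf", RENAMED_ZIP)` flags the extension/signature mismatch.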
Hashing only applies to the file contents, not to the file name, since the filename is stored in the file table while the file itself is stored on the file system. Running `ls -la` shows information about the files, including hidden ones. On a Windows machine you can open the file's Properties to see the same data. To see hidden files on a Windows machine, follow the instructions.
Looking for file permission changes is significant (owner changed, or write/read/execute permissions added).
Windows
- `C:\$MFT`
- `C:\$LogFile`
- `C:\$Extend\$UsnJrnl:$J`
User folders
- `C:\Users\Desktop`
- `C:\Users\Documents`
- `C:\Users\Downloads`
- `C:\Users\Dropbox`
Bin
- `C:\$Recycle.Bin\*`
- `C:\RECYCLER\*`