Description of Method
This anti-forensic method is basic and has been around for a while, but it is easy to overlook. The EnCase Forensic software suite has two methods for identifying file types:
- File extension (.exe, .jpg, etc.)
- File signature or “magic number” identification, which usually relies on the bytes at the beginning of the file (such as the ASCII characters M and Z at the beginning of an executable file)
Here’s an example of where this method might be used:
A person may attempt to hide the existence of a RAR (Roshal Archive) file on a Windows system by simply changing the file extension to that of some other file format, such as an executable (.exe). The hope is that when someone else attempts to run the now “executable file” (based on its file extension) they will simply encounter an error and move on, completely oblivious to the RAR archive full of goodies. A computer forensics examiner using EnCase, however, should notice that the file extension (.exe) does not match the file signature (.rar) and should become suspicious that this “executable” is likely a RAR archive. So we need to make the file signature match the .exe extension as well.
By changing both the file signature and the file extension of a RAR archive to match those of an executable, a person can effectively hide the true file type of that file. This simple operation may be enough to cause a computer forensics expert to overlook the file, since they will see no file signature mismatch within the EnCase software and it is not the type of file they are looking for. There are probably digital forensics examiners out there who would still overlook a plain file signature and file extension mismatch like the one in the example above, but why take the chance when you can modify the file signature so easily? The steps are outlined briefly below and then covered in detail further down.
The Quick Steps
The anti-computer forensics method described below is fairly basic in that it consists of only two tasks:
- Modifying a file’s extension (example: change mypictures.rar to mypictures.exe)
- Modifying a file’s magic number, commonly located at the start of the file (use a hex editor to modify the bytes at the start of the file)
The Details
To start, the hex editor I used to modify the file signature is “XVI32”. Any hex editor will work, though. Also, by default on a Windows XP system, common file extensions are hidden from the user, which makes it difficult to do something as simple as changing a file extension.
To show all file extensions:
- Open “My Computer” and then choose “Tools” from the top menu
- From the “Tools” menu choose “Folder Options”
- Click the “View” tab and uncheck “Hide extensions for known file types”
There, you’re all set!
I first created a simple WinRAR Archive (.rar) and made three copies of it. The first copy I left alone and did not modify. The second copy of the RAR archive had only the file extension modified. I changed the “.rar” extension to a “.exe” extension like in the example you read in one of the previous paragraphs. The third copy of the RAR archive had the file extension changed as well as the “magic number” (file signature) in the header of the file modified with a hex editor to that of an executable file.
The screenshot above is of the EnCase forensic software and our three WinRAR archives as explained in the previous paragraph. Notice that the RAR selected in the screenshot is the unmodified file, and that in the hex view in the bottom pane the “magic numbers” (file signature) for the file are “52 61 72 21” in hexadecimal. These 4 bytes show that this file is an actual RAR archive.
The screenshot below is of the unmodified WinRAR archive loaded in the XVI32 hex editor. The “magic numbers” or file signature for this RAR archive sit right at the beginning of the file and are “52 61 72 21” in hexadecimal, or “Rar!” in ASCII.
To change the file signature of this RAR archive we simply take the file signature of an executable file and add it to the start of this file. The screenshot below shows the modified RAR archive which now has an executable file signature.
Notice that “4D 5A” or “MZ” was added to the start of the file. This is the file signature for an executable.
Now, with all modifications finished and saved, I used the keyword search feature in EnCase to perform a file signature analysis across these three files.
This analysis is supposed to determine whether the file signature matches the file extension of each file; if it does not, EnCase adds “Bad Signature” to the “Signature” column.
Here are the results of the analysis search: 
Notice that for whatever reason, EnCase has determined that the original RAR archive has a “bad signature”. This is a false positive as the original archive has not been modified in any way.
You will notice that the top file in the list which had only the file extension changed to “.exe” from “.rar” shows “bad signature” as expected. However, the WinRAR archive which had both the file signature and file extension changed to that of an executable now shows as a “match” for this file being an executable file!
This simple technique has effectively fooled the EnCase forensic software. Now you can reverse this simple modification by changing the “magic numbers” back to that of a RAR archive so that the archived contents may once again be accessed.
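From the examiner’s side, the weakness that the trick above exploits is a signature check that stops at the first two bytes. The following Python script is an added example, not part of the original post and not EnCase code: it reproduces the three-file experiment with constructed in-memory stand-ins for the archives, checks the extension against the magic number the way a basic signature analysis does, and then goes one step further for anything that claims to be an executable, verifying that there is real PE structure behind the “MZ” bytes and looking for a known signature that has merely been pushed a few bytes further in. The function names, the verdict strings and the sample bytes are all choices made for this example; the magic numbers themselves are the public, well-known ones.

```python
import os
import struct

# Public, well-known leading bytes ("magic numbers") for a few file types.
# The RAR marker is longer than the 4 bytes "Rar!" shown in the post; checking
# more of it cuts down on false positives.
SIGNATURES = {
    "exe": b"MZ",
    "rar": b"Rar!\x1a\x07",
    "zip": b"PK\x03\x04",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def extension_of(filename):
    return os.path.splitext(filename)[1].lower().lstrip(".")


def looks_like_pe(data):
    """True only if the file has real PE structure, not just 'MZ' in front.

    A genuine Windows executable carries a 4-byte little-endian offset at 0x3C
    (e_lfanew) that points at the 'PE\\0\\0' signature of the NT headers.
    """
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def embedded_signatures(data, window=64):
    """Known magic numbers found at a non-zero offset within the first `window` bytes.

    A signature that has merely been prepended leaves the original one intact
    a few bytes further in.
    """
    hits = []
    for ftype, magic in SIGNATURES.items():
        pos = data.find(magic, 1, window)
        if pos != -1:
            hits.append((ftype, pos))
    return sorted(hits, key=lambda h: h[1])


def classify(filename, data):
    """Verdict for one file: match, bad signature, or suspicious."""
    ext = extension_of(filename)
    expected = SIGNATURES.get(ext)
    if expected is None:
        return "unknown extension"
    if not data.startswith(expected):
        return "bad signature"
    # First bytes agree with the extension; a plain signature check stops here.
    if ext == "exe" and not looks_like_pe(data):
        verdict = "suspicious: MZ prefix but no PE header"
        hits = embedded_signatures(data)
        if hits:
            verdict += ", %s signature at offset %d" % hits[0]
        return verdict
    return "match"


def build_samples():
    """Constructed stand-ins for the post's three archives plus a real-looking EXE."""
    rar = b"Rar!\x1a\x07\x00" + b"\x00" * 40           # archive marker then padding
    pe_stub = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
    return {
        "mypictures.rar": rar,              # untouched copy
        "renamed_only.exe": rar,            # extension changed, bytes untouched
        "renamed_and_mz.exe": b"MZ" + rar,  # 'MZ' prepended, as in the post
        "genuine.exe": pe_stub,             # minimal DOS stub plus PE signature
    }


def scan(files):
    return {name: classify(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan(build_samples()).items():
        print("%-20s %s" % (name, verdict))
```

The third sample is the interesting one: the extension and the first two bytes agree, so the basic check reports a match, but the DOS header has no valid pointer to a PE signature and the RAR marker is still sitting at offset 2. The same idea extends to any container format whose structure can be parsed rather than merely prefix-matched, which is what the comment below about “mini interpreters” is getting at.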
Limitations
This technique can be of limited use depending on the situation. For example, if you attempt to “hide” the existence of a file which contains a lot of strings that could give it away, then it will be pretty obvious to a computer forensics examiner when he or she manually inspects that file. It can also be easily discovered if a keyword search is performed across the entire hard drive and the modified file contains one of the keywords in the search.
If you’ve placed documents in a WinRAR archive and you’ve also provided a password for that archive, then the file names of those documents that you’ve placed in archive will still be visible to anyone who views it with a hex editor or with a similar software or technique. You’ll need to choose to “Encrypt file names” as you set a password for the RAR file. You can see in the example screenshots of EnCase above that I’ve placed an empty document in the RAR archive but did not choose to encrypt the file names of the files in that archive.
There are situations where someone may use this technique, so it’s not totally useless but depending on the type of file you’re modifying, it might just be too obvious. An example that sticks out in my mind of where this would work would be a password protected WinRAR archive with encrypted file names. If you wanted to hide the existence of data inside a modified archive like this it would probably be pretty difficult for an examiner to figure out that the file is not actually an executable file or whatever file type you’ve actually modified the signature and extension to be. I would go a step further and modify the timestamps of the file with Timestomp and place that file in a time frame that is as far from suspicion as possible.
If you’ve any other ideas, tips, want to point out a mistake and so on and so forth, please comment below!
I guess if you think about it, what else can EnCase do, ya know?
Now why would you want to do anything on this website unless you were a criminal!?
minelab excalibur 1000
The best way to detect file types with high accuracy is to develop additional methods for creating comparable signatures/hashes of files and confirming the results with mini interpreters. This is how we see past tricks like the simple addition of “MZ” at the beginning of a file.
Excalibur ii 1000, I’ll answer…
For sensitive company information, we create a Truecrypt block volume on a device, create a hidden volume within that, with the datasets recorded being truecrypt containers with hidden volumes.
Being that we send analysis data to “hostile” countries (Such as China, Vietnam, America) where data interception by those governments is high – using this method to encrypt TB’s of data on a HDD is valuable indeed.
We have, over the past 12 months, “lost” 30-35 disks in the international mail-handling system – luckily, those who have stolen these will not recover anything! This keeps our IP safe….
We aren’t doing anything illegal – (except for Vietnam, where any disk encryption is illegal) but we’ve never had any issues with “lost” disks there..
This is a great response Chris and the reasons you have given are very solid. Thank you for commenting on this topic.
There is one thing I did not see mentioned (maybe I missed it). This makes that file unusable until you correct the bytes that you changed. So, you need to mask the header to hide, but unmask to use, then mask again to hide.
I wonder why anyone would go through this hassle when you can hide data within a Truecrypt volume, or heck, even a hidden Truecrypt volume. That is a much easier solution, and investigators cannot do anything about it without the password.
By the way, EnCase has progressed 2 major versions beyond that hacked version in your screen shots.
Yes, depending on what type of file and the type of data and the type of OS accessing the data performing this type of data manipulation can render the file useless.
There are plenty of articles throughout the rest of the site on using TrueCrypt as well. You are very correct in saying that if someone has data that they feel they need to hide or mask then they probably aren’t going to do something tedious like this, but this is not the point of the article.
Yes, EnCase is into the version 6 series which I use as well, in fact I use all versions of EnCase going back to 3. This method exists throughout.
Chris Ford, you should not have replied to excalibur ii 1000
excalibur ii 1000 is a spamming bot. I have seen this kind of spam before; if you read again the one-line sentence (it is usually a one-line sentence), it is written in an ambiguous way so that it can be posted at any blog, but that is not what gives it away. What gives “excalibur ii 1000” away is:
1) Nickname is “excalibur ii 1000″, a commercial product
2) “excalibur ii 1000″ has a signature link to, you guessed it “excalibur ii 1000″
3) “excalibur ii 1000″ also links to his minelabexcalibur selling “excalibur ii 1000″
I have no problem with people using their URL at all, but this is not a human being, this is a bot, who obviously does not read the blog. I have seen spam like this a dozen times before; the traits are: always generic replies, a one-line sentence, a signature linking to a commercial product.