Over the next wee while I am going to set some small forensic challenges for you to have a go at. The idea is that you don’t need expensive forensic software (e.g. EnCase!) to have a go; all of these are doable by hand using a hex/text editor. If you know how to do it manually, then you can explain what happens when EnCase or FTK do their magic and also be able to verify it.
First off, let’s have a look at headers and footers in files. Many file types have distinctive byte sequences at the start and end of the file that identify them; zip files are one of those. In Windows, unallocated clusters, the page file, the hibernate file and other large lumps of unprocessed data can contain many files within them. Tools like EnCase carve files out of these blobs by searching for the header and footer signatures.
Challenge 1: Using a hex editor, repair this zip file which has had its header and footer corrupted.
File MD5: d8ae233b09ca24aefd8cb6e22ee229f7
Challenge 2: Somewhere inside this file is a zip file. Can you carve out the zip file?
File MD5: 783b1c7f24f3dd172bdf9f5678c15a55
Challenge 3 (difficult): Can you write a script that carves out all zip files when given a chunk of unallocated clusters? Can you make this script generic so you can feed it any header and footer type to carve?
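One way to approach challenge 3 in Python, as an added example rather than the author's solution: a generic header/footer carver, plus a zip-specific wrapper that handles the variable-length end-of-central-directory record and drops spans that are not really zips. The sample blob it builds is constructed test data, not the challenge file.

```python
import io
import struct
import zipfile
from typing import Callable, Iterator, List, Optional, Tuple

# Zip magics from the PKWARE APPNOTE: local file header and end of central directory (EOCD).
ZIP_HEADER = b"PK\x03\x04"
ZIP_FOOTER = b"PK\x05\x06"

def zip_footer_len(data: bytes, at: int) -> int:
    """Bytes the EOCD record occupies: 22 fixed plus the comment length stored at offset 20."""
    if at + 22 > len(data):
        return len(data) - at  # record truncated by the end of the chunk
    (comment_len,) = struct.unpack_from("<H", data, at + 20)
    return 22 + comment_len

def carve(data: bytes, header: bytes, footer: bytes,
          footer_len: Optional[Callable[[bytes, int], int]] = None) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (start, end, payload) for each header..footer span; works for any signature pair."""
    pos = 0
    while (start := data.find(header, pos)) != -1:
        foot = data.find(footer, start + len(header))
        if foot == -1:
            break  # header with no footer: the file runs past the chunk, so it cannot be bounded
        end = foot + (footer_len(data, foot) if footer_len else len(footer))
        yield start, end, data[start:end]
        pos = end  # skip the local headers of the file just carved

def carve_zips(data: bytes) -> List[Tuple[int, int, bytes]]:
    """Carve zips and keep only those the zipfile module can read and CRC-check."""
    hits = []
    for start, end, payload in carve(data, ZIP_HEADER, ZIP_FOOTER, zip_footer_len):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                if zf.testzip() is None:
                    hits.append((start, end, payload))
        except (zipfile.BadZipFile, ValueError):
            pass  # both magics appeared, but nothing valid sits between them
    return hits

def build_sample() -> Tuple[bytes, bytes]:
    """Constructed test data (not the challenge file): a real zip plus a decoy, buried in filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello.txt", "carve me")
        zf.comment = b"constructed"  # exercises the variable-length EOCD
    zip_bytes = buf.getvalue()
    decoy = b"PK\x03\x04" + b"\xff" * 8 + b"PK\x05\x06" + b"\xff" * 40
    return b"\x00" * 64 + zip_bytes + b"\x00" * 16 + decoy, zip_bytes
```

To run it on a real dump, read the unallocated-cluster file in binary mode, pass the bytes to carve_zips, and write each payload to a numbered output file.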
Challenge hints and useful pages:
- Introduction to forensic file carving with many more challenges
- Zip file format specification
- Wikipedia section on Zip headers
Links to free hex editors: