forensic_Sample_Task2
I used the Windows hex editor Neo to examine the file's hex data before beginning to
analyse the provided binary file. As is well known, the first two to four bytes are called magic
numbers; they help us determine the format or file type, and they remain the same
even if the file extension is changed.
I then discovered that it is a ZIP archive file by looking up the magic numbers in Gary
Kessler's file signature library.
By investigating further and confirming the magic number, I discovered that the ZIP file also
contains a JPEG image file. The metadata follows the JFIF standard, and the file
begins with the typical JPEG markers (FF D8, FF E0).
Slack space on a hard drive is the storage that remains unused after a file fills its last allocated cluster.
As we can see, the file is actually 2.60 KB in size, yet it occupies 4 KB of the hard disk;
the remaining 1.4 KB is slack space. Sites like binvis can be used to visualize the wasted
space, as demonstrated by the dark void in the second picture below.
After that I moved to Linux and started with binwalk, a tool that searches for
embedded files and data within a binary file. The command I used was: binwalk
The -e option automatically extracts any files found in the binary file. This command
analyzed the file forensic_analysis_sample_hidden (1).bin, identifying that it contains an
XML document and a JPEG image. Next, I created a directory called testing to store the files
extracted by the next tool, foremost. This was done with mkdir, which ensures that my
extracted data is organized in a specific folder.
Then I ran foremost, a tool designed for file recovery and extraction from binary
images. I used the following command foremost, where -i specifies the input file,
forensic_analysis_sample_hidden (1).bin, and -o specifies the output directory where the
extracted files will be saved; I specified the testing folder here.
After running foremost, I checked the testing directory to see what files were extracted:
In the testing folder, I found an audit.txt file and a jpg directory, which likely contains
the extracted image. To confirm what was extracted, I opened the audit.txt file using the cat
command and the picture using the feh command. The audit file provided details about the extraction
process, showing that a JPEG image of 823 bytes was successfully extracted from the
binary file. The log also confirmed the exact offset where the image was located.
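As an added example (not part of the original report, and not binwalk's or foremost's code), the script below does by hand what the tools above did: it matches the ZIP and JPEG/JFIF magic numbers, reports their offsets, carves the JPEG from its SOI marker to the first EOI marker, and computes the slack space for a given file size and cluster size. The sample binary is constructed inline; the 2662-byte file size and 4096-byte cluster are assumed to match the 2.60 KB / 4 KB figures quoted above.

```python
from typing import List, Optional, Tuple

# Magic numbers discussed in the report: ZIP local-file header and JPEG SOI + APP0.
SIGNATURES = {
    "zip": b"PK\x03\x04",
    "jpeg": b"\xff\xd8\xff\xe0",
}
JPEG_EOI = b"\xff\xd9"  # end-of-image marker that closes a JPEG stream


def find_signatures(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, kind) for every occurrence of a known magic number."""
    hits = []
    for kind, magic in SIGNATURES.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            hits.append((idx, kind))
            start = idx + 1
    return sorted(hits)


def carve_jpeg(data: bytes, offset: int) -> Optional[bytes]:
    """Carve a JFIF JPEG starting at offset: SOI through the first following EOI.

    Returns None if the header is not FF D8 FF E0 .. 'JFIF\\0' or no EOI exists,
    which is the same sanity check a carver needs to avoid false positives."""
    if not data.startswith(SIGNATURES["jpeg"], offset):
        return None
    if data[offset + 6:offset + 11] != b"JFIF\x00":  # APP0 identifier after length
        return None
    end = data.find(JPEG_EOI, offset + 4)
    if end == -1:
        return None
    return data[offset:end + 2]


def slack_space(file_size: int, cluster_size: int = 4096) -> int:
    """Bytes left unused in the last allocated cluster (0 if the file fills it)."""
    remainder = file_size % cluster_size
    return 0 if remainder == 0 else cluster_size - remainder


# Constructed sample (assumption): a partial ZIP header, an XML blob, then a JPEG.
SAMPLE = (
    b"PK\x03\x04" + b"\x14\x00" * 3 + b"\x00" * 20      # ZIP local header stub
    + b"<?xml version='1.0'?><r/>"                     # the XML document binwalk saw
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"      # SOI + APP0/JFIF segment
    + b"\x00" * 11 + b"\xff\xdb\x00\x04\x00\x00"       # rest of APP0, DQT stub
    + b"\xff\xd9"                                      # EOI
    + b"\x00" * 8                                      # trailing bytes
)

if __name__ == "__main__":
    for off, kind in find_signatures(SAMPLE):
        print(f"{kind} signature at offset {off}")
    print("slack bytes for a 2662-byte file:", slack_space(2662))
```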