Lecture 06 NMU FORENSICS Ok 11 11

Cyber forensic

Uploaded by

mona21tarek21

LECTURE-6

CYBER FORENSICS
CSE344

Prof. Mohammed Alrahmawy


FILE SYSTEM AND DATA
STORAGE FORENSICS
Part 3
FILE FORMAT

• In the realm of digital data management and security, file formats and
data hiding techniques are pivotal.
• They not only determine how data is stored, accessed, and manipulated
but also play significant roles in cybersecurity and digital forensics.
• Understanding these concepts is essential for professionals involved in
data management, cybersecurity, and forensic investigations.
• This lecture delves deep into file formats, explores various data hiding
techniques, and examines their intricate relationship with digital
forensics.
FILE FORMAT
• A file format refers to the specific structure and encoding used to store data in a
file.
• A file format is the layout and organization of data within the file.
• If a file is to be used by a program, the program must be able to recognize and have
access to the data in the file.
• For instance, a text document can be recognized by a program such as Microsoft
Word that is designed to handle text files, but not by a program that is designed to
play audio or video files.
• A file format is indicated along with the file name in the form of a file extension.
• The extension is a suffix at the end of a filename that indicates the file format, and it
helps operating systems and applications determine which program should open the file.
• The extension contains three or four letters identifying the format and is separated
from the file name by a period.
• Different file formats are tailored for various types of data and applications, such as
images, audio, text, or executable files.
• The file header provides the context necessary for interpreting the data stored in the
file. For instance, an audio file format will have a header that specifies sample rates
and bit depths, which are crucial for playback. If the software can read the header, it
can accurately decode and render the audio.
TYPES OF FILE FORMAT
File formats can be categorized based on the type of data they store and their
usage:
❑ Text Files:
o Description: Store data as readable characters using encoding standards like ASCII or UTF-8.
o Characteristics: Human-readable, editable with simple text editors, lack complex formatting.
o Examples: .txt, .csv, .json, .xml.
❑ Binary Files:
o Description: Store data in binary (machine-readable) format.
o Characteristics: Not human-readable, require specific applications for interpretation, more
efficient in terms of space.
o Examples: Executables (.exe), dynamic link libraries (.dll), compiled programs (.bin).
❑ Image Files:
o Description: Contain visual data encoded as pixels.
o Characteristics: May use compression (lossy or lossless), support color depth and resolution
specifications.
o Examples: .jpeg, .png, .bmp, .gif.
❑ Audio Files:
o Description: Encode sound data, including music, speech, and other audio forms.
o Characteristics: Can be compressed (lossy or lossless), support various sample rates and bit
depths.
o Examples: .mp3, .wav, .flac, .aac.
TYPES OF FILE FORMAT
❑ Video Files:
o Description: Store moving visual images accompanied by audio.
o Characteristics: Often use advanced compression algorithms to reduce size, support various
resolutions and frame rates.
o Examples: .mp4, .avi, .mkv, .mov.
❑ Document Files:
o Description: Contain formatted text, images, tables, and other media.
o Characteristics: Support rich formatting, embedded objects, and often include metadata.
o Examples: .docx, .pdf, .pptx, .xlsx.
❑ Database Files:
o Description: Hold structured data, often organized in tables with relationships.
o Characteristics: Support indexing, querying, and transactional operations.
o Examples: .db, .sql, .mdb, .sqlite.
❑ Compressed Files:
o Description: Archive multiple files into a single file, often reducing overall size.
o Characteristics: Use compression algorithms, support encryption and password protection.
o Examples: .zip, .rar, .7z, .tar.gz.
COMPONENTS OF FILE FORMATS
Most file formats consist of several key components:
❑ Header:
o Function: Contains metadata about the file, such as format version, size, type, and other
necessary information to interpret the file.
o Example: A JPEG image starts with a specific byte sequence (e.g., FF D8) that identifies
it as a JPEG.
❑ Body:
o Function: The main content of the file, holding the actual data, whether it's text, image
pixels, audio samples, etc.
o Example: In a .txt file, the body consists of the textual content; in a .png file, it contains
the pixel data.
❑ Footer (Optional):
o Function: Marks the end of the file or provides additional metadata. Not all file formats
include a footer.
o Example: Some video formats include a footer to indicate the end of the stream or to hold
index information.
FILE HEADER
• A file header is a specific section at the beginning of a file that contains
metadata about the file.
• This metadata typically includes information about the file's structure,
type, and the data it contains.
• Components of a File Header
o Magic Numbers:
  • These act as file signatures.
  • They are specific sequences of bytes at the beginning of a file that uniquely
identify the file format.
  • Unique identifiers (often in hexadecimal) that signify the file type. For
example, JPEG files start with the bytes 0xFF D8 FF.
  • They provide a reliable way to detect file types, especially useful when file
extensions are misleading or altered.
o Version Information: Indicates the version of the file format.
o Metadata: Additional information, such as the size of the file, the
author, creation date, and last modified date.
o Data Format Information: Details about how the actual data is
organized within the file.
EXAMPLES OF FILE HEADERS AND THEIR CORRESPONDING FILE TYPES
• JPEG Image File:
  • Header: Starts with FF D8 FF, indicating a JPEG file.
  • File Type: .jpg, .jpeg
• Portable Network Graphics (PNG) File:
  • Header: Starts with 89 50 4E 47 0D 0A 1A 0A, indicating a PNG file.
  • File Type: .png
• Executable File (Windows):
  • Header: Begins with the characters MZ, a signature used in DOS and
Windows executable files.
  • File Type: .exe
• GIF Image File:
  • Header: Begins with GIF8 (GIF89a or GIF87a).
  • File Type: .gif
THE RELATIONSHIP BETWEEN FILE HEADERS AND FILE TYPES
❑ Identification:
o File headers serve as a reliable means to identify file types beyond just
looking at the file extension.
o While a file extension can be misleading (e.g., renaming a .jpg file to .txt), the
header will reveal its true nature.
o The file header serves as a means to identify the file format. By reading the
header, applications and operating systems can determine the specific format
of the file and how to process it.
❑ Standardization:
o Many file formats adhere to specific standards that define what data must
appear in the header.
o For example, both .png and .jpg files have distinct header structures defined
by their respective formats.
o This standardization allows various software to read and interpret these files
consistently.
❑ Interoperability:
o Because file headers contain information about the file format, they facilitate
interoperability between different systems and applications.
o For example, a photo editing application can open a .png file by reading its
header to understand how to decode the image data.
❑ Error Detection:
o By examining a file’s header, applications can often detect whether the file is
corrupt or incompatible with the expected file type.
o If the header does not conform to the expected format for a particular file
type, the application can issue an error message or prevent the file from
being opened.
IMPORTANCE OF FILE FORMATS IN DIGITAL FORENSICS
In digital forensics, understanding file formats is critical for:
❑ Data Recovery:
o Scenario: Recovering deleted or corrupted files by recognizing their format
through signatures.
o Application: Even if a file's extension is missing or changed, its signature can
help in recovery.
❑ Evidence Interpretation:
o Scenario: Parsing complex file formats to extract embedded evidence.
o Application: Analyzing a .docx file to uncover hidden metadata, tracked
changes, or embedded objects.
❑ Tampering Detection:
o Scenario: Identifying unauthorized modifications in files.
o Application: Comparing file hashes or checking metadata discrepancies to
detect alterations.
❑ Metadata Analysis:
o Scenario: Extracting creation, modification, and access times to build activity
timelines.
o Application: Using EXIF data in images to determine when and where a photo
was taken.
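The header-based identification and extension mismatch check described in the slides above, together with the signature scanning that the data recovery scenario relies on, as an added Python example that is not part of the lecture. The signature table holds only the four magic numbers the lecture lists, and all sample files and the unallocated-space blob are constructed here.

```python
from pathlib import Path
from typing import Optional

# Magic numbers from the lecture's examples; all sit at offset 0 of the file.
SIGNATURES = {
    "jpeg": (bytes.fromhex("FFD8FF"), {".jpg", ".jpeg"}),
    "png": (bytes.fromhex("89504E470D0A1A0A"), {".png"}),
    "exe": (b"MZ", {".exe"}),       # DOS/Windows executable signature
    "gif": (b"GIF8", {".gif"}),     # covers both GIF87a and GIF89a
}

def identify(data: bytes) -> Optional[str]:
    """Return the format whose magic number matches the start of the data, if any."""
    for name, (magic, _) in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def check_file(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the header actually shows."""
    ext = Path(filename).suffix.lower()
    claimed = next((n for n, (_, exts) in SIGNATURES.items() if ext in exts), None)
    actual = identify(data)
    # A mismatch only counts when the header is recognised and disagrees with the extension.
    return {"file": filename, "claimed": claimed, "header": actual,
            "mismatch": actual is not None and actual != claimed}

def carve_offsets(blob: bytes) -> list:
    """Scan a raw blob (e.g. unallocated space) for known signatures, as carving tools do.
    Short signatures such as MZ can also match by chance, so hits still need validation."""
    hits = []
    for name, (magic, _) in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

# Constructed samples (not real files): a PNG header renamed to .txt, a minimal MZ stub,
# plain text, and a fake unallocated region holding a JPEG header and a GIF header.
SAMPLES = {
    "photo.txt": bytes.fromhex("89504E470D0A1A0A") + b"\x00" * 8,
    "report.exe": b"MZ\x90\x00" + b"\x00" * 12,
    "notes.txt": b"plain text, no magic number",
}
UNALLOCATED = b"\x00" * 4 + bytes.fromhex("FFD8FFE0") + b"x" * 6 + b"GIF89a" + b"\x00" * 3

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_file(name, data))
    print(carve_offsets(UNALLOCATED))
```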
DATA HIDING TECHNIQUES

▪ Data hiding involves concealing information within files or file systems
to prevent unauthorized access or detection.
▪ While data hiding can serve legitimate purposes, such as digital
watermarking or copyright protection, it is often associated with
malicious activities like covert communication, data exfiltration, and
malware concealment.
▪ Common techniques for data hiding include:
o Steganography
o File System-Level Data Hiding
o Encryption as Data Hiding
o Anti-Forensics Techniques
1- STEGANOGRAPHY
▪ Steganography is the practice of hiding secret data within non-secret
carrier files in such a way that the existence of the hidden data is not
detectable to casual observers.
A. Image Steganography
❑ Methodology:
o Least Significant Bit (LSB) Insertion:
• Process: Modify the least significant bit of each pixel's color channels (Red,
Green, Blue) to embed binary data.
• Impact: Minimal visual changes since LSB alterations are imperceptible to
the human eye.
o Palette-Based Steganography:
• Process: In indexed images (like GIFs), adjust the color palette to encode
data without altering pixel indices.
o Transform Domain Techniques:
• Process: Embed data in transformed representations of the image, such as
the Discrete Cosine Transform (DCT) or Discrete Wavelet Transform (DWT),
making detection harder.
❑ Tools and Libraries:
o Steghide, OpenStego, SilentEye: Popular tools for embedding and extracting
data from images.
❑ Detection Challenges:
o Statistical Analysis: Detecting anomalies in pixel distributions or LSB
patterns.
o Visual Inspection: Generally ineffective due to minimal changes.
1- STEGANOGRAPHY
B. Audio Steganography
❑ Methodology:
o LSB Coding:
• Process: Similar to image steganography, hide data in the least significant
bits of audio samples.
o Phase Coding:
• Process: Alter the phase of audio signals to embed data without affecting
the perceptible sound.
o Spread Spectrum:
• Process: Distribute hidden data across a wide frequency spectrum, making
it resistant to noise and detection.
❑ Tools and Libraries:
o DeepSound, SilentEye: Tools designed for embedding data within audio files.
❑ Detection Challenges:
o Frequency Analysis: Examining the frequency spectrum for irregularities.
o Noise Analysis: Detecting unusual noise patterns introduced by data
embedding.
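The LSB insertion described for image pixels and the LSB coding described for audio samples above, as an added Python example that is not from the lecture. It works on a plain list of 8-bit sample values (a pixel channel or an audio sample, the method is the same), shows why visual inspection fails (no sample moves by more than 1), and includes the kind of simple LSB statistic a detector can compute; the cover and the message are constructed.

```python
from typing import List

def to_bits(payload: bytes) -> List[int]:
    """Serialise bytes MSB-first into a list of 0/1 ints."""
    return [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]

def from_bits(bits: List[int]) -> bytes:
    """Inverse of to_bits; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)

def lsb_embed(cover: List[int], payload: bytes) -> List[int]:
    """Write a 16-bit length prefix and then the payload into the LSB of successive samples."""
    bits = to_bits(len(payload).to_bytes(2, "big") + payload)
    if len(bits) > len(cover):
        raise ValueError("payload exceeds cover capacity of one bit per sample")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit   # each sample changes by at most 1
    return stego

def lsb_extract(stego: List[int]) -> bytes:
    """Read the length prefix, then that many bytes, from the sample LSBs."""
    lsbs = [s & 1 for s in stego]
    length = int.from_bytes(from_bits(lsbs[:16]), "big")
    return from_bits(lsbs[16:16 + 8 * length])

def max_change(cover: List[int], stego: List[int]) -> int:
    """Largest per-sample difference between cover and stego; this is why eyes and ears miss it."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def lsb_one_ratio(samples: List[int]) -> float:
    """Fraction of samples whose LSB is 1. Natural covers are often biased; embedded data
    pushes the embedded region toward 0.5, which a statistical check can flag."""
    return sum(s & 1 for s in samples) / len(samples)

# Constructed cover: 256 8-bit samples, every value even, so every LSB is 0 before embedding.
COVER = [2 * (i % 128) for i in range(256)]
MESSAGE = b"forensics"

if __name__ == "__main__":
    stego = lsb_embed(COVER, MESSAGE)
    print(lsb_extract(stego), max_change(COVER, stego))
    print(lsb_one_ratio(COVER), lsb_one_ratio(stego[:88]))   # 88 samples carry the 16 + 72 bits
```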
1- STEGANOGRAPHY
C. Text Steganography
❑ Methodology:
o Whitespace Manipulation:
• Process: Use spaces, tabs, or line breaks to encode binary data.
o Font and Formatting:
• Process: Alter font sizes, styles, or text alignment to represent hidden
information.
o Semantic Steganography:
• Process: Encode data through linguistic patterns, such as synonym
substitution or specific grammatical structures.
❑ Tools and Libraries:
o StegCloak, OpenPuff: Tools designed for embedding data within text files.
❑ Detection Challenges:
o Pattern Recognition: Identifying unusual whitespace patterns or formatting
anomalies.
o Linguistic Analysis: Detecting inconsistencies in language usage that may
indicate hidden data.
2- FILE SYSTEM-LEVEL DATA HIDING
▪ In these techniques, instead of being embedded within files, data is
hidden within the file system's architecture itself.
A. Alternate Data Streams (ADS)
❑ Definition: A feature of the NTFS file system that allows more than one data
stream to be associated with a single file.
❑ Usage:
o Concealing Data: Hide data within a file's ADS without altering its primary
content.
o Malware Concealment: Store malicious code within ADS to evade
detection.
❑ Example:
o Command: echo HiddenData > file.txt:secret
➢ Explanation: Stores "HiddenData" in an ADS named "secret"
associated with file.txt.
❑ Detection:
o Tools: streams.exe from Sysinternals, FTK Imager, EnCase.
o Indicators: Files with unexpected or multiple streams.
2- FILE SYSTEM-LEVEL DATA HIDING
B. File Slack Space
❑ Definition: The unused space between the end of a file's actual data and the end
of the last allocated cluster on disk.
❑ Usage:
o Data Residue: Residual data from previous files or operations can contain
hidden information.
o Covert Storage: Embed small amounts of data within slack space to hide it
from standard file system views.
❑ Detection:
o Tools: Forensic tools like EnCase, FTK can analyze slack space.
o Indicators: Non-zero values or patterns in slack space that do not align with
typical data storage.
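The slack-space calculation and the "non-zero values in slack" indicator from the section above, as an added Python example that is not from the lecture. It assumes a 512-byte cluster size and works on a constructed two-cluster allocation rather than a real disk image; the covert note placed in the slack is constructed for the demonstration.

```python
CLUSTER = 512  # assumed bytes per cluster for this constructed image

def slack_region(file_size: int, cluster_size: int = CLUSTER) -> tuple:
    """Return (start, end) offsets of the slack inside the file's allocated clusters.
    Slack runs from the logical end of file to the end of the last allocated cluster."""
    remainder = file_size % cluster_size
    if remainder == 0:
        return (file_size, file_size)  # file fills its clusters exactly: no slack
    return (file_size, file_size + cluster_size - remainder)

def inspect_slack(allocated: bytes, file_size: int, cluster_size: int = CLUSTER) -> dict:
    """Report whether the slack holds anything other than zero padding, plus a safe preview."""
    start, end = slack_region(file_size, cluster_size)
    slack = allocated[start:end]
    nonzero = sum(1 for b in slack if b != 0)
    # Replace non-printable bytes with dots so the preview is safe to display in a report.
    preview = bytes(b if 32 <= b < 127 else 0x2E for b in slack[:32]).decode("ascii")
    return {"slack_bytes": len(slack), "nonzero_bytes": nonzero,
            "suspicious": nonzero > 0, "preview": preview}

# Constructed allocation: a 700-byte file occupying two 512-byte clusters.
FILE_SIZE = 700
CLEAN = b"A" * FILE_SIZE + b"\x00" * (2 * CLUSTER - FILE_SIZE)
NOTE = b"meet at 0900"  # constructed covert note written into the slack
TAMPERED = (b"A" * FILE_SIZE + b"\x00" * 10 + NOTE
            + b"\x00" * (2 * CLUSTER - FILE_SIZE - 10 - len(NOTE)))

if __name__ == "__main__":
    print(slack_region(FILE_SIZE))
    print(inspect_slack(CLEAN, FILE_SIZE))
    print(inspect_slack(TAMPERED, FILE_SIZE))
```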
C. Hidden Partitions
❑ Definition: Sections of a storage device partitioned off from the standard file
system, making them invisible to typical operating system tools.
❑ Usage:
o Concealing Large Data Sets: Store significant amounts of hidden data in
separate partitions.
o Operating System Concealment: Hide data on a partition not mounted or
recognized by the OS.
❑ Detection:
o Tools: Disk management utilities, partition scanners (e.g., TestDisk), forensic
imaging tools.
o Indicators: Discrepancies in reported disk size, missing partitions,
unallocated space.
END
