Digital Forensics Report Lab 04

The Digital Forensics Report outlines a lab focused on file signature and type identification using WinHex. It details the identification of actual file types from misleading extensions, confirming a PNG, PDF, and JPEG file through their respective signatures. The report emphasizes the importance of file signature analysis in digital forensics and recommends the use of verification tools to ensure file authenticity.

Uploaded by tnyange909

Digital Forensics Report: File Signature and Type Identification

Course: IAA CYU 08201

Instructor: Nicodemus Msafiri Mbwambo

Student Name: [Your Name Here]

Date of Submission: [Insert Date Here]

Lab Title: Lab 04 - Storage/File Physical Level Examination

1. Objectives

The primary objectives of this lab were to:


- Gain practical exposure to low-level digital forensic investigation using WinHex.
- Understand how to identify file signatures (also known as file headers or magic numbers).
- Determine actual file types with or without relying on file extensions.
- Practice identifying and analyzing files using their binary signature.
- Apply file carving principles using signature analysis.

2. Tools Used

- WinHex: A hexadecimal editor used for low-level file analysis.
- Gary Kessler's File Signature Table: https://www.garykessler.net/library/file_sigs.html

3. Procedure

Step 1: Setup

- Installed WinHex from http://x-ways.net.
- Stored the provided files (unknown.doc, and two additional files) in one directory for analysis.

Step 2: Identification of File Signatures Using WinHex

File 1: unknown.doc

- Observed Signature: 89 50 4E 47 ...
- Analysis: According to Gary Kessler's signature list, this header corresponds to a PNG image file.
- Conclusion: The file unknown.doc is actually a PNG file.

File 2: File with Signature 25 ...

- Observed Signature: 25 50 44 46 ...
- Analysis: The hexadecimal 25 50 44 46 translates to %PDF, indicating a PDF document.
- Conclusion: This file is a valid PDF file.

File 3: File with Signature E5 ...

- Observed Signature: FF D8 FF E5 ...
- Analysis: Based on the header FF D8 FF, it matches a JPG (JPEG) file.
- Conclusion: This file is a JPEG image file.
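
The same checks can be scripted. The following is an added example, not part of the original report: it matches the three signature prefixes observed above against a file's extension and names the JPEG marker byte that follows FF D8 FF (bytes E0 to EF are application segments, so E5 is APP5). The function names and the `SAMPLES` headers are constructed for illustration from the bytes listed in the report.

```python
import os

# Signature prefixes observed in the lab: (magic bytes, type, expected extensions).
SIGNATURES = [
    (bytes.fromhex("89504E47"), "PNG", {".png"}),
    (bytes.fromhex("25504446"), "PDF", {".pdf"}),
    (bytes.fromhex("FFD8FF"), "JPEG", {".jpg", ".jpeg"}),
]

def read_header(path: str, n: int = 8) -> bytes:
    # Read only the first n bytes; the rest of the file is not needed.
    with open(path, "rb") as f:
        return f.read(n)

def jpeg_marker(header: bytes) -> str:
    # Name the segment marker that follows the FF D8 start-of-image bytes.
    if len(header) < 4:
        return "truncated"
    b = header[3]
    if 0xE0 <= b <= 0xEF:
        return f"APP{b - 0xE0}"  # application segment, e.g. E5 -> APP5
    return {0xDB: "DQT", 0xFE: "COM"}.get(b, f"marker FF {b:02X}")

def identify(header: bytes) -> str:
    # Return the type whose signature prefixes the header, else "unknown".
    for magic, ftype, _ in SIGNATURES:
        if header.startswith(magic):
            return ftype
    return "unknown"

def check(name: str, header: bytes) -> dict:
    # Compare the signature-derived type with the file extension.
    ftype = identify(header)
    ext = os.path.splitext(name)[1].lower()
    expected = next((e for _, t, e in SIGNATURES if t == ftype), set())
    # None means the signature is not in the table, so nothing can be concluded.
    mismatch = None if ftype == "unknown" else ext not in expected
    result = {"name": name, "type": ftype, "mismatch": mismatch}
    if ftype == "JPEG":
        result["first_marker"] = jpeg_marker(header)
    return result

# Constructed sample headers: only the leading bytes reported in the lab.
SAMPLES = {
    "unknown.doc": bytes.fromhex("89504E47"),
    "file2.pdf": bytes.fromhex("25504446"),
    "file3.jpg": bytes.fromhex("FFD8FFE5"),
}

if __name__ == "__main__":
    for fname, head in SAMPLES.items():
        print(check(fname, head))
```

For files on disk, pass `read_header(path)` as the second argument to `check`.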

4. Screenshots

Note: Include the following screenshots in your submission document:

- Screenshot 1: Header analysis of unknown.doc in WinHex showing the 89 50 4E 47 PNG signature.
- Screenshot 2: Header of the second file showing %PDF signature.
- Screenshot 3: Header of the third file showing JPEG header FF D8 FF.

Screenshots should include the right panel in WinHex showing differences to validate originality.

5. Findings Summary

| File Name | Observed Signature | Actual File Type | Comment |
|---|---|---|---|
| unknown.doc | 89 50 4E 47 | PNG Image | Misleading extension, not a Word document |
| file2.pdf | 25 50 44 46 | PDF Document | File extension and content match |
| file3.jpg | E5 ... (w/ FF D8) | JPEG Image | File correctly identified as image |

6. Challenges Faced

- Misleading extensions required cross-verification with actual signatures.
- Decoding the E5 signature required deeper analysis, as it is not a primary file signature.

7. Conclusion

The lab successfully demonstrated how digital forensic tools like WinHex can be used to uncover the true nature of files, regardless of misleading file extensions. File signature analysis is an essential skill for forensics, malware investigation, and data recovery.

8. Recommendations

- Users should not rely solely on file extensions for trust or validation.
- Encourage use of file verification tools to check for tampered or disguised files.
- Digital forensics learners should practice identifying a broader range of signatures including compressed and encrypted formats.
