Wednesday, October 1, 2014

Hiding data by changing the file extension



As simple as it may seem (or sound), simply changing a file extension as a way of hiding data is an effective technique against anyone who does not know how to investigate what type of file they may actually be dealing with. The reason this can be a challenge is because of the long list of file extensions which are out there. While there are some popular extensions like .zip, .pdf. doc, etc., deciding which one a specific file is can still be a challenge unless you plan to go through all of the known extensions.

For this post, we will use a file with an extension of .jpg. The objective is to open this file in its native application.

Without further ado, let’s get started.

Let’s double click this file “securitynik.jpg”in “Windows Explorer”




As can be seen above, we encountered an error. Now, a typical user may say this file is corrupt and thus probably delete the file and move on. While that may be acceptable for the regular user, a forensics analyst would need to dig a little deeper.

Let’s do that … Digging a little deeper.

To dig a little deeper, our shovel will be HxD Hexeditor. A point to note is that every file type has a header which can be used as a signature to identify the type of file. Similarly some file types have known trailers, which marks as the ending of the file. Considering this information, we can use the Internet to our advantage to learn about file extensions. To determine our actual file type we will rely on the work already done by garykessler.net. Let’s open our file in Hx.


If we compare the first 6 bytes “7B 5C 72 74 66 31” to one of the known entries on garykessler.net, we can see that this file should have an extension of .rtf. In addition, if we look at the trailer we see that within the last 10 bytes, we have a 4 byte sequence “5C 70 61 72” that matches part of the .rtf extension. Let’s focus on the header and change the file to .rtf instead of .jpg.

The file extension can be changed by either renaming the file in “Windows Explorer” or by “ren securitynik.jpg securitynik.rtf” in the command prompt. Once completed, let’s try to open the file again


 
Awesome!!! There we go, the file now has successfully been opened.
As stated earlier, typically when someone gets an error upon opening a file, it is typically assumed that the file may be corrupted. More than likely the average user pays no attention to the fact that this file can be opened in a Hexeditor to verify it has the correct extension. However, as a forensic analyst, being able to determine this type of information is crucial.

No comments:

Post a Comment