Computer Forensics Inc. Electronic Evidence Experts
Tip of the Month

Using File Signature Analysis During Forensic Review
Michael W. Finnie

Managing Consultant/Senior Computer Forensics Specialist
Navigant Consulting, Inc./Computer Forensics Inc.™

The extension appended to a file name is a method to identify it as a certain type of file. For instance, files ending with .doc are often word processing files. A file with a suffix of .jpg or .gif is a type of graphic or picture file.

Often, attempts are made to conceal or obfuscate the true type of a file or its contents by renaming a file with a misleading name and a different extension. For instance, a file called mysecretformula.doc might be renamed m0yst3rc3s.sys. A search of the files on a computer for all word processing files ending in .doc would not reveal this file’s presence, and potentially useful evidence could be overlooked. A spreadsheet named true-budget.xls could be easily renamed butterfly.jpg by a ‘clever’ user. Simply locating and reviewing all files ending with .xls would result in this file being ignored.

However, many types of files have a secondary code within the file itself that assists in identifying their genuine type. A file signature is a series of hexadecimal characters embedded in the file, most often at the beginning of each file. It is not viewable in a normal user environment, but often can be located and recognized during a forensic review.

A file created using Microsoft® Office, such as a word processing document, a spreadsheet, or a presentation, will typically begin with the hexadecimal string D0 CF 11 E0 A1 B1 1A E1 in the digital copy of the file. Another example is a picture file, a .jpg, whose hexadecimal signature FF D8 FF E0 00 10 appears at the beginning of the file. Most executable files (.exe), command files (.com), dynamic-link libraries (.dll) and system (.sys) files generally begin with 4D 5A 90 as their signature.

These embedded signatures remain in the ‘hidden’ data of the file regardless of the name or extension assigned to it. Searching for mismatches between extensions and signatures is an important part of forensic analysis. While not all file types have unique signatures, many files with altered suffixes can be located using this procedure; those same files would be overlooked when relying solely on file names, directory locations, or extensions and suffixes.

Important parts of deleted files can often be recovered by using file signature analysis. Even though the content may be obliterated, simply locating an artifact of a deleted Microsoft® Outlook Personal Folder – a ‘pst file’ by its embedded signature 21 42 44 4E – can be sufficient to confirm an allegation of spoliation.
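As an added example (not code from the original article), the following Python checks a file's leading bytes against the signatures quoted above and flags extension mismatches, and also scans a raw buffer for a signature the way one would hunt for a deleted .pst artifact. The sample files, the buffer and the type labels are constructed here for illustration.

```python
from typing import Iterable, List, Optional, Tuple

# Signatures quoted in the article: (magic bytes, label, extensions that legitimately carry them).
SIGNATURES = [
    (bytes.fromhex("D0CF11E0A1B11AE1"), "ms-office-compound", {".doc", ".xls", ".ppt"}),
    (bytes.fromhex("FFD8FFE00010"), "jpeg-jfif", {".jpg", ".jpeg"}),
    (bytes.fromhex("4D5A90"), "mz-executable", {".exe", ".com", ".dll", ".sys"}),
    (bytes.fromhex("2142444E"), "outlook-pst", {".pst"}),
]

def identify_by_signature(data: bytes) -> Optional[str]:
    """Label whose magic bytes open `data`, or None when no listed signature matches."""
    for magic, label, _exts in SIGNATURES:
        if data.startswith(magic):
            return label
    return None

def classify(name: str, data: bytes) -> str:
    """'match', 'mismatch', or 'unknown' (no listed signature, so the extension cannot be contradicted)."""
    label = identify_by_signature(data)
    if label is None:
        return "unknown"
    allowed = next(exts for _m, lbl, exts in SIGNATURES if lbl == label)
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot >= 0 else ""
    return "match" if ext in allowed else "mismatch"

def find_mismatches(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Names whose extension contradicts the embedded signature; the review step the article describes."""
    return [name for name, data in files if classify(name, data) == "mismatch"]

def find_signature_offsets(blob: bytes, magic: bytes) -> List[int]:
    """Every offset where `magic` occurs in a raw buffer (e.g. unallocated space), as when locating a deleted .pst."""
    offsets, start = [], 0
    while (pos := blob.find(magic, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets

# Constructed sample inputs; only the leading bytes matter for the extension check.
OLE = bytes.fromhex("D0CF11E0A1B11AE1")
SAMPLE_FILES = [
    ("true-budget.xls", OLE + b"\x00" * 24),
    ("butterfly.jpg", OLE + b"\x00" * 24),          # spreadsheet renamed to look like a picture
    ("m0yst3rc3s.sys", OLE + b"\x00" * 24),         # word processing file renamed as a system file
    ("vacation.jpg", bytes.fromhex("FFD8FFE00010") + b"JFIF\x00"),
    ("notes.txt", b"plain text carries no listed signature"),
]
# Constructed slice of 'unallocated space' containing two leftover .pst headers.
UNALLOCATED = b"\x00" * 40 + bytes.fromhex("2142444E") + b"\xff" * 100 + bytes.fromhex("2142444E") + b"\x00" * 8
```

On a real review the header bytes would be read from each file (the longest listed signature is eight bytes) and the buffer would be a disk image region rather than the constructed bytes above.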

Although not every type of file has a known, consistent signature, a thorough forensic analysis will include signature analysis and review.