Forensic Investigation: Examining Corrupted File Extension


In this article, we will learn how to examine files whose extensions are missing or corrupted and identify their true type from the file header during a forensic investigation.
Let’s understand this with the following scenario.
In this scenario, a forensic investigator is examining a system and finds a suspicious folder in which none of the files has a file extension. What should he do to proceed with the investigation?


Objective: Learn various techniques for analysing and examining file headers in a forensic investigation
·         Examining Corrupted File Extension using Windows Platform.
·         Examining Corrupted File Extension using Linux Platform.

Table of Content
Cheatsheet for Hex File Header
Examining Corrupted File Extension using Windows Platform
·         File #1: app
·         File #2: apple
·         File #3: data
·         File #4: Final
·         File #5: lecture
·         File #6: Manual
·         File #7: Notes
·         Recovered all files successfully
Examining Corrupted File Extension using Linux Platform
·         Analyze in Linux with file command
·         Analyze in Linux with a script




Cheatsheet for Hex File Header
The hex file header (also called the magic number or file signature) identifies a file's type from the first 4 or 5 bytes of its hexadecimal content, regardless of what the file name or extension claims.
We have created our own cheat sheet to make these comparisons easier. It lists the basic file extensions together with their 4 to 5 starting bytes in hexadecimal and the ASCII translation of those bytes.


Examining Corrupted File Extension using Windows Platform
As per the given scenario, the first thing that comes to mind is to list these files in the command prompt [cmd]. We did so and, as we can see, still have no clue about the file extensions of these files.
Now let’s examine each file we found in this folder and try to restore it to its original format.




File #1: app
The first file is named app. The obvious first step is to open the file in Notepad. But always remember that evidence must never be opened directly during a forensic investigation, because doing so can alter it and may amount to tampering with evidence. We are doing it here only to show you that the file is in an unreadable format.



To examine the hexadecimal values of these files we open them in a hexadecimal editor. Any hex editor that can display the raw bytes of a file will do. After opening a file, we examine its starting hexadecimal value to determine the file type.
Here I have used Hex Workshop, which you can download from here.


After comparing its starting bytes with our cheat sheet, we find that it is a .exe file: the bytes translate to the ASCII characters MZ. MZ are the initials of Mark Zbikowski, the designer of the DOS executable file format. We have successfully identified the first file as a .exe file.
Now we have two methods to restore the file extension.
Method 1: With the help of the command line.
Use this command to rename the file extension.
rename *app. *.exe

This command matches only the app file, so only its extension is changed; the other files are yet to be examined.


Method 2: We can simply rename the file directly in Explorer and add the extension we identified above.


File #2: apple
Now it’s time to examine the second file; all we know about it is its name, apple. We opened it straight away in the hexadecimal editor and started analysing its hexadecimal values.


Matching its first 4 bytes against our cheat sheet, we quickly found that it is a .jpg file with the ASCII translation ÿØÿà.
Now rename this file with the help of this command.
rename *apple. *.jpg

This command changes only the apple file to a .jpg file; the others are yet to be examined.


File #3: data
Time to examine the third file, named data. We open it in a hexadecimal editor to examine its hexadecimal values.


Now match its first 4 bytes against the cheat sheet provided above. Within moments we find that it is a .zip file with the ASCII translation PK.
Change the file name and give it an extension with the help of the rename command.
rename *data. *.zip
As before, this only changes data, turning it into a .zip file.


File #4: Final
Here comes the fourth file, named Final. Open it in a hexadecimal editor to analyse its hexadecimal values.


After opening the file, match its first seven bytes against our cheat sheet. Within moments we find that the values match a .docx file, which also starts with the ASCII translation PK (a .docx is a ZIP container, so the longer prefix is needed to tell it apart from a plain .zip).
Just rename it and give it a .docx extension with the help of the [rename] command.
rename *Final. *.docx


File #5: lecture
The fifth file is named lecture; we open it in a hexadecimal editor and analyse its hexadecimal values to identify its file type.


Now match its first four bytes. In a moment we find that it is a .mp3 file with the ASCII translation ID3. Give the file a .mp3 extension with the help of the [rename] command.

rename *lecture. *.mp3


File #6: Manual
The second to last file in the folder is named Manual. Open it in a hexadecimal editor to examine its hexadecimal values.


Now match its first four bytes against our cheat sheet. We find that it is a .pdf file with the ASCII translation %PDF. Rename it and give it a .pdf extension with the help of the rename command.

rename *Manual. *.pdf

File #7: Notes
Finally, we have reached the last file in the folder, named Notes. We opened it straight away in a hexadecimal editor to examine its hexadecimal values.

After opening it, the editor shows readable text with no binary header: “It is a simple text file.” So we gave it a .txt extension with the help of the [rename] command.
rename *Notes. *.txt


Recovered all files successfully
Now look at the folder, which itself shows that we have recovered all the files successfully.

We can also see in the command prompt, with the help of the [dir] command, that these files have been recovered along with their original extensions.

Examining Corrupted File Extension using Linux Platform


Now suppose that in your investigation you are in the same scenario, where the file extensions are missing, but this time the victim machine runs Linux and you are not allowed to copy the folder to another machine. How would you handle this situation?

Analysis using File command

The file command is a Linux utility that analyses each argument in an attempt to classify it. Hence we can carry out this forensic examination in a Linux environment with the help of the file command.
We use the [ls] command to show that these are the same files and the same scenario that we explained above.


We just need to use [file] followed by the file name to learn the real type of that file. Pick the first file and run this command. It shows that it is an MS Windows executable.

file app

Let us try the same technique with the second file, named apple. Run the [file] command with its file name. It shows that it is a JPEG image, along with details read from its header.

file apple


Analyze using script
Instead of running the [file] command again and again, in Linux we can write a small script that reports the type of every file in a folder in one go. We named this script script.sh.
The script does the following for us (the folder to examine is passed as the first argument; with no argument it examines the current directory):
#!/bin/sh
# Report the real type of every file in the given directory.
# Globbing with "$dir"/* and quoting "$name" keeps names with spaces intact,
# which the form `for name in $(ls $1)` would split apart.
for name in "${1:-.}"/*
do
    file "$name"
done


After writing the script, we make it executable with chmod. The command below grants read, write and execute permission to every user; for simply running the script, chmod u+x script.sh is sufficient.

chmod 777 script.sh

After setting the permissions, we just need to execute our script (from inside the folder, or with the folder path as its argument) to reveal the real identity of each file.

./script.sh

Now we can see that we have successfully examined every file in the folder and revealed its real identity in this forensic investigation scenario.
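The matching done by hand against the cheat sheet in the Windows section, and the one-shot folder scan the script above performs, can be combined into a single shell script. The following is an added example and not the article's own code: it reads the leading bytes of each file with od, matches them against the signatures this page discusses (MZ, JPEG, PK, ID3, %PDF) plus a few other common ones (PNG, GIF, ELF), tells a plain .zip apart from a .docx/.xlsx/.pptx by the entry names stored inside the PK container, and falls back to a printable-text check for files like Notes. The function names, the 64 KiB window used for the ZIP check and the sample files written by make_samples are my assumptions, not part of the article.

```shell
#!/bin/sh
# Added example (not the article's own code): identify a file's type from its
# leading bytes, the way the cheat sheet above is applied by hand, and print the
# extension that should be restored.  Run as: sh identify.sh <folder>

# First $2 bytes of file $1 as uppercase hex without separators, e.g. 4D5A9000.
head_hex() {
    head -c "$2" "$1" | od -An -tx1 -v | tr -d ' \n' | tr 'a-f' 'A-F'
}

# True when the file holds only printable ASCII and whitespace (a plain text file).
is_text() {
    [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# "PK" marks a ZIP container, which is also what .docx/.xlsx/.pptx files are.
# Entry names sit uncompressed in the ZIP local headers, so the Office folder
# names can be spotted in the first 64 KiB (assumed window) after replacing
# every non-printable byte with a newline.
ooxml_or_zip() {
    names=$(head -c 65536 "$1" | LC_ALL=C tr -c '[:print:]' '\n')
    case "$names" in
        *word/*) echo docx ;;
        *xl/*)   echo xlsx ;;
        *ppt/*)  echo pptx ;;
        *)       echo zip ;;
    esac
}

# Map the magic number to an extension; "unknown" when nothing matches.
guess_ext() {
    hex=$(head_hex "$1" 8)
    case "$hex" in
        4D5A*)     echo exe ;;              # "MZ"   DOS/Windows executable
        FFD8FF*)   echo jpg ;;              # JPEG start-of-image marker
        25504446*) echo pdf ;;              # "%PDF"
        494433*)   echo mp3 ;;              # "ID3"  MP3 with ID3v2 tag
        89504E47*) echo png ;;              # ".PNG"
        47494638*) echo gif ;;              # "GIF8"
        7F454C46*) echo elf ;;              # ".ELF" Linux executable
        504B0304*) ooxml_or_zip "$1" ;;     # "PK"   ZIP or Office document
        *) if is_text "$1"; then echo txt; else echo unknown; fi ;;
    esac
}

# Print "name<TAB>detected extension" for every regular file in folder $1.
report() {
    for f in "${1:-.}"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(guess_ext "$f")"
    done
}

# Constructed sample files mirroring the article's folder.  They carry only the
# magic bytes, not real documents, so the script can be tried offline.
make_samples() {
    mkdir -p "$1"
    printf 'MZ\220\000\003\000\000\000'                         > "$1/app"
    printf '\377\330\377\340\000\020JFIF'                        > "$1/apple"
    printf 'PK\003\004\024\000\000\000\010\000data.txt'          > "$1/data"
    printf 'PK\003\004\024\000\000\000\010\000word/document.xml' > "$1/Final"
    printf 'ID3\003\000\000\000'                                 > "$1/lecture"
    printf '%%PDF-1.4\n'                                         > "$1/Manual"
    printf 'plain text notes\n'                                  > "$1/Notes"
}

if [ $# -gt 0 ]; then report "$1"; fi
```

Running `sh identify.sh <folder>` prints one line per file. Unlike the `file` command, the script only knows the signatures listed in guess_ext, which is exactly the limitation of a hand-written cheat sheet; the point of the PK branch is that the signature alone cannot tell a .zip from a .docx, so the content of the container has to be consulted as the article does with its seven-byte match.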


This article will help us to identify the true identity of a file during a Forensic Investigation in both the Windows and Linux environments.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher, Contact Linkedin and twitter.


WordPress Pentest Lab Setup in Multiple Ways

In this post, we will demonstrate how to set up our own WordPress CMS for penetration testing on Ubuntu 20.04, in Docker, and on Windows using the XAMPP server.

WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. It is installed on a web server that is either part of an Internet hosting service or a network host in its own right. WordPress is reportedly the most popular website management or blogging system in use on the Web.
For more detail visit https://en.wikipedia.org/wiki/WordPress

Table of Content

Requirement
Web Server configuration
For Ubuntu 20.04
·         Apache
·         PHP
·         MySQL
For Docker in Ubuntu 20.04
·         Docker
·         Docker-compose
For XAMPP server in Windows
·         XAMPP server (32/64 bit)

Webserver Setup For Ubuntu 20.04

Install Apache

Apache is the most common web server and is easy to install on Linux. Let’s install Apache with the following command.
apt install apache2



Install MySQL
Next, we are going to install the MariaDB server, which will be the database backend for our web server. MariaDB is a free and open-source fork of the MySQL RDBMS.
apt install mariadb-server mariadb-client




Now harden the installation (set a root password, remove anonymous users, disallow remote root login and drop the test database) by entering the following command.

mysql_secure_installation

The first step offers to set the password for root; entering a password enables the root user for our database.

The second step offers to remove anonymous users; entering ‘y’ disables all the anonymous users that the server has by default.

The third step offers to disallow remote root login; entering ‘y’ ensures that no one can log in as root over the network.

The fourth step offers to remove the test database, because by default MariaDB has a database named test that anyone can log in to.





Install php
Now install php and php-mysql, the last component of the web server. php-mysql is the extension PHP uses to connect to the database.
Enter the following command to install them.
apt install php php-mysql


Create MySQL Database

Now log in to MariaDB as the root user to create a database. After creating the database, we will create a user with which we will log in to the WordPress wp-admin.
To access MySQL, enter the following command.



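As an added example (not the article's own commands), the following shell script generates the SQL for this step: it creates the wordpress database and a dedicated user that is granted privileges only on that database and only from localhost, so wp-config.php never needs the MariaDB root credentials. The database, user and password values are placeholders I chose; the output is piped into the mysql client as shown in the usage comment.

```shell
#!/bin/sh
# Added example (not the article's own commands): generate the SQL that creates
# the WordPress database and a dedicated user that can only reach that database
# from localhost, instead of giving WordPress the MariaDB root account.
# Usage: sh wp_db.sh wordpress wpuser 'LabPassw0rd' | mysql -u root -p

# Accept only plain identifiers so a name cannot break out of the backticks.
valid_ident() {
    case "$1" in
        "" | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the statements for database $1, user $2 and password $3.
# Returns 1 and prints nothing if an argument is unsafe to embed in SQL.
wp_db_sql() {
    db=$1; user=$2; pass=$3
    valid_ident "$db" && valid_ident "$user" || return 1
    case "$pass" in
        "" | *\'* | *\\*) return 1 ;;   # a quote or backslash would need escaping
    esac
    printf "CREATE DATABASE IF NOT EXISTS \`%s\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;\n" "$db"
    # 'user'@'localhost' cannot be used over the network, matching the
    # remote-root restriction made by mysql_secure_installation above.
    printf "CREATE USER IF NOT EXISTS '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pass"
    # Grant on the WordPress schema only, never ON *.* like a root-style account.
    printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'localhost';\n" "$db" "$user"
    printf 'FLUSH PRIVILEGES;\n'
}

if [ $# -eq 3 ]; then wp_db_sql "$1" "$2" "$3"; fi
```

The generated user and database name are what go into wp-config.php (DB_NAME, DB_USER, DB_PASSWORD); if the WordPress account is ever compromised through a plugin, the damage is limited to the wordpress schema rather than every database on the server.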

Install WordPress CMS

Now install the WordPress CMS in /var/www/html so that WordPress can be reached on localhost from any browser.
wget http://www.wordpress.org/latest.tar.gz
Now list the files in the folder and extract the WordPress .tar.gz archive.
ls
tar -xvf latest.tar.gz


After extracting WordPress, change its ownership and permissions.
chown -R www-data:www-data wordpress/
chmod -R 755  wordpress/
After setting the permissions on wordpress, create the uploads directory inside wp-content (it holds everything uploaded through the site) and give it the same ownership and permissions.


mkdir -p wordpress/wp-content/uploads
chown -R www-data:www-data wordpress/wp-content/uploads
chmod -R 755 wordpress/wp-content/uploads



Now open WordPress in your browser and start configuring it.
http://localhost/wordpress/


After selecting the preferred language, you’ll see a setup wizard like this.


After clicking the Let’s go button, fill in the form to gain access to wp-admin.


After submitting the form, you’ll get the prompt, and press the button to run the installation to
 




After the installation, fill in another form with the site name and the remaining site details.


Now you have successfully completed the installation and can log in as admin to access the WordPress wp-admin page.

This is how your wp-admin page looks.




Open the wp-config.php file in the wordpress directory and paste the following lines into it.




This is how your final page will look.
 


WordPress Installation using Docker
Docker is an open-source project that makes it easier for users and system administrators to build and deploy applications inside containers.

Install Docker

We will update the Ubuntu repository and then install the latest version of docker.io. Let’s start the installation of the Docker packages with the apt command as below:

apt install docker.io

Let’s start the Docker service by entering the following command:
systemctl start docker
Install docker-compose
Docker Compose is used to run multiple containers as a single service.
Let’s install docker-compose with the help of apt by entering the following command.
apt install docker-compose

After installing Docker Compose, create a directory named wordpress.
Inside that directory, create a docker-compose.yml file, which describes the containers that Compose will run.
mkdir wordpress
cd wordpress/
nano docker-compose.yml



Now copy and paste the following into the file.





After saving the file, bring up the services in the background; Compose creates the volumes for WordPress as part of this step.
docker-compose up -d


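The compose file itself is not reproduced above. As an added example that is my own and not the article's, the following shell function writes a docker-compose.yml for the official wordpress and mariadb images. It reads both passwords from environment variables (WP_DB_PASSWORD and WP_DB_ROOT_PASSWORD, names I chose) so that no secret is hardcoded in the file, leaves the database port unpublished so only the wordpress container can reach it, and binds the site to 127.0.0.1:8080 so the lab is not exposed to the rest of the network.

```shell
#!/bin/sh
# Added example (not the article's compose file): write a docker-compose.yml for
# a WordPress + MariaDB lab.  Passwords come from the environment, the database
# is not published on any host port, and the site is bound to localhost only.
# Usage: WP_DB_PASSWORD=... WP_DB_ROOT_PASSWORD=... sh compose_wp.sh wordpress

# Write docker-compose.yml into directory $1 (default: current directory).
# Returns 1 and writes nothing when a password is unset or would break the
# double-quoted YAML scalars it is placed in.
write_compose() {
    dir=${1:-.}
    if [ -z "$WP_DB_PASSWORD" ] || [ -z "$WP_DB_ROOT_PASSWORD" ]; then
        echo "write_compose: set WP_DB_PASSWORD and WP_DB_ROOT_PASSWORD first" >&2
        return 1
    fi
    case "$WP_DB_PASSWORD$WP_DB_ROOT_PASSWORD" in
        *\"* | *\\*) echo "write_compose: passwords must not contain \" or \\" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    cat > "$dir/docker-compose.yml" <<EOF
version: "3.3"
services:
  db:
    image: mariadb:10.5
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: "$WP_DB_ROOT_PASSWORD"
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: "$WP_DB_PASSWORD"
    volumes:
      - db_data:/var/lib/mysql
  wordpress:
    image: wordpress:latest
    depends_on:
      - db
    restart: always
    ports:
      - "127.0.0.1:8080:80"
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: "$WP_DB_PASSWORD"
      WORDPRESS_DB_NAME: wordpress
    volumes:
      - wp_data:/var/www/html
volumes:
  db_data:
  wp_data:
EOF
}
```

After the file is written, `docker-compose up -d` in that directory starts both containers and the site answers on http://127.0.0.1:8080. The db service deliberately has no `ports:` entry: the wordpress container reaches it over the Compose network by the host name db, and nothing outside the host can connect to MariaDB at all.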
After completing the configuration step by step, open the browser and visit the local admin page.



Now open the Settings page and enter your localhost IP address with the port number, so that WordPress works properly after installation.
 



After making these changes, our WordPress is ready to launch, and its home page will look like this.



For XAMPP in Windows

XAMPP is a free and open-source cross-platform web server solution stack package developed by Apache Friends, consisting mainly of the Apache HTTP Server, the MariaDB database, and interpreters for scripts written in the PHP and Perl programming languages. Since most real web server deployments use the same components as XAMPP, it makes the transition from a local test server to a live server possible.
Let’s start the installation of the XAMPP server.

Download and install XAMPP on your computer

The first step in installing WordPress locally is to download and install the XAMPP server. We can download the Windows installer from Apache Friends.
You can download it from the following link: https://www.apachefriends.org/index.html
Once the download finishes, run the downloaded file to install XAMPP. During the installation we can choose which components to install; to run WordPress we only need to select Apache, MySQL and PHP.
After the installation completes, start the Apache and MySQL servers from the XAMPP control panel.



Paste the extracted WordPress folder into the htdocs folder under C:\xampp.


Once you have pasted the folder into htdocs, open the browser and go to localhost/WordPress. Then create a database named WordPress, in which all the site data will be stored.


After creating the database, create a user and assign it a password for accessing the wp-admin page.


After following all the steps mentioned above, log in as the user we created and then set up the site details as shown below.


After completing the configuration, our WordPress is ready to launch, and this is how it looks.