My friend May she found a strange file called "bkp.old" as below in the evidence files. She decided to use forensic tools to take a look at it and figure it out what's going on.

FTK said that it's an unknown file. But May was not satistify with this answer.

May used EnCase to conduct a file signature analysis on this evidence. Guess what? The signature analysis result was "Match". The file type was "Old Configuration Settings (ASCII)". May refused to believe it. That's too ridiculous!!!

May took a look at it's file header and compared with "File Type Signature Search.txt" . That's it. It's a Symantec Ghost Image file.

The suspect changed its ext name and bkp.gho became bkp.old. But to May's surprise forensic tools could not recognize this file correctly~ I taught May how to verify the file signature of a file. The verify result is as below.

Also I taught May how to mount a gho file and see what's inside this gho file. She did find some important files in this gho file and she exported those files to take a further examination.

File signature analysis fails to recognize .old file的更多相关文章

  1. File signature analysis failed to recognize .old file

    My friend May she found a strange file called "bkp.old" as below in the evidence files. Sh ...

  2. Natas Wargame Level 13 Writeup(文件上传漏洞,篡改file signature,Exif)

    aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAqMAAADDCAYAAAC29BgbAAAABHNCSVQICAgIfAhkiAAAIABJREFUeF

  3. linux C file format analysis

    c语言文件格式 source file file.c C source, ASCII text pretreatment 预处理文件 file.i C source, ASCII text assem ...

  4. Azure File Storage 基本用法 -- Azure Storage 之 File

    Azure Storage 是微软 Azure 云提供的云端存储解决方案,当前支持的存储类型有 Blob.Queue.File 和 Table. 笔者在<Azure Blob Storage 基 ...

  5. Solved Unable to copy the source file ./installer/services.sh to the destination file /etc/vmware-t

    Sometimes when you intall vmwaretools there will be some problems such as "Unable to copy the s ...

  6. 【ZBar】ios错误ignoring file xxx missing required architecture x86_64 in file

    解决方法: 1.在Project target里"Architectures"设置为:Standard (armv7,armv7s)或者  Standard (armv7,arm6 ...

  7. linux,安装软件报错cannot create regular file '/usr/local/man/man1': No such file or directory

    make install时报错,如下 install: cannot create regular file '/usr/local/man/man1': No such file or direct ...

  8. mac 启动php-fpm报错 failed to open configuration file '/private/etc/php-fpm.conf': No such file or direc

    直接运行,有报错找不到配置文件. $ php-fpm [11-Jan-2014 16:03:03] ERROR: failed to open configuration file '/private ...

  9. 解决Warning: unlink(/storage/cache/cache.catalog.language.1556158719): No such file or directory in /system/library/cache/file.php on line 68问题

    ytkah在调试opencart项目时提示Warning: unlink(/storage/cache/cache.catalog.language.1556158719): No such file ...

随机推荐

  1. jQuery入门——注册事件

    下面举例介绍注册事件的几种方法: 以光棒效果为例 1.bind注册: <!DOCTYPE html> <html> <head> <meta charset= ...

  2. 手把手docker部署java应用(初级篇)

    本篇原创发布于 Flex 的个人博客:点击跳转 前言   在没有 docker 前,项目转测试是比较麻烦的一件事.首先会化较长的时间搭建测试环境,然后在测试过程中又经常出现测试说是 bug,开发说无法 ...

  3. Codeforces Round #565 (Div. 3) A

    A. Divide it! 题目链接:http://codeforces.com/contest/1176/problem/A 题目 You are given an integer n You ca ...

  4. 如何让apache支持.htaccess 解决Internal Server Error The server …错误

    如何让apache支持.htaccess 解决Internal Server Error The server …错误 文章来源:小灰博客| 时间:2013-12-25 12:17:08| 作者:Le ...

  5. epoll使用详解:epoll_create、epoll_ctl、epoll_wait、close

    epoll - I/O event notification facility 在linux的网络编程中,很长的时间都在使用select来做事件触发.在linux新的内核中,有了一种替换它的机制,就是 ...

  6. sql锁的类型介绍:悲观锁,乐观锁,行锁,表锁,页锁,共享锁,排他锁,意向锁

    1 悲观锁,乐观锁 悲观锁:顾名思义,很悲观,就是每次拿数据的时候都认为别的线程会修改数据,所以在每次拿的时候都会给数据上锁.上锁之后,当别的线程想要拿数据时,就会阻塞,直到给数据上锁的线程将事务提交 ...

  7. OC CollectionView和TableView自身高度的隐式递归计算,改变父试图布局

    CollectionView和TableView自身高度的隐式递归计算 1.前沿:我们一般会碰到这样的需求,一个tableview或者一个colletionview放在一个scrollview上边,而 ...

  8. ABP开发框架前后端开发系列---(15)ABP框架的服务端和客户端缓存的使用

    缓存在一个大型一点的系统里面是必然会涉及到的,合理的使用缓存能够给我们的系统带来更高的响应速度.由于数据提供服务涉及到数据库的相关操作,如果客户端的并发数量超过一定的数量,那么数据库的请求处理则以爆发 ...

  9. 学习 Python 心得

    脚本式编程: 通过脚本参数调用解释器开始执行脚本,直到脚本执行完毕.当脚本执行完成后,解释器不再有效. 让我们写一个简单的 Python 脚本程序.所有 Python 文件将以 .py 为扩展名.将以 ...

  10. 关于CMTS设备的一些备忘

    博主工作内容包括cable modem,对CM的工作方式有一些了解,但是对CMTS头端怎么带动一个用户小区长久以来一直是一头雾水.今天找了些资料,对这块有了一些了解,并把自己的理解总结下来. 比如我家 ...