/SI110/The Cyber Battlefield/Digital Data Activity

Goals

• that files are just bytes organized to represent information
• that file names use extensions to indicate the type of file
• that changing the extension in a file's name does not change the bytes within the file
• that the first few bytes of a file (its header) can help determine its type

Directions

1. Right click on the link "Exercise Documents" below (which is shown in red) and click Save link as.... Navigate to your Desktop and click Save.

   Exercise Documents

   This file is an archive file — collection of files packaged together as a single .zip file. If, at this point, you go to your desktop and double-click on the on the icon for Activity_1_Documents.zip, the zip file will be opened for viewing. However, the contents of the zip file have not yet been extracted. To extract the contents, look for a link at the top of the window that resulted from the double-clicking that says Extract all files . Click on that, and choose to put the files on your Desktop also.
   Close both of the file-viewer windows that are open. And verify that you now have on your desktop an icon for Activity_1_Documents as well as the icon .

2. From the Activity_1_Documents folder on your desktop, open the file Document_1.docx with Microsoft Word by double-clicking on the file's icon. See what's there then exit Microsoft Word.
   If you look through enough of this Word document in Frhed, you should be able to find some info on who created this document. Think about that when you e-mail out your next ransom note!
   Launch the hex editor Frhed (click , click All Programs, click Frhed) and with it open the file Document_1.docx. Now you're seeing what's really in the file, byte-by-byte. One interesting attribute of the .docx format that Microsoft introduced is evident in the first bytes of the file. The .docx file begins with PK, or hex 50 4b, which is actually the same first two bytes as the zip file format. Verify this by opening Document_4.zip in Frhed. These first few bytes are called the file's header.

3. Microsoft Windows uses extensions (the part of the file name after the ".") to associate programs with files. This often works well enough, but Windows can be fooled by messing with extensions. As an example, rename Document_1.docx as Document_1.zip — do this by returning to your Desktop (or whatever location you saved Document_1.docx at), right-clicking on the name Document_1.docx, selecting "Rename," and changing the file's name to Document_1.zip. Windows will offer a warning, but yes, you do intend to change the file extension!

4. You should see the icon for Document_1 change from the Word icon to a zip file icon. This is the normal behavior for windows: the icon you see depends only on the extension, i.e. on the name of the file. Now double click the Document_1.zip and see if it will open. Did it? What does this mean?

   So, in fact, Microsoft uses the zip file format for their .docx, .xlsx, .pptx, formats. This knowledge is useful in the forensics world!

5. In the same manner, change the extension of Document_1 to .jpg (an image file format). Did the icon change? Can you open it? Why or why not?
6. Another file you extracted onto your desktop is Document_2.pdf, which is a file in Portable Document Format. The header (first few bytes) for these files is always %PDF, or hex 25 50 44 46. Verify this for Document_2.pdf. How can you verify this?
7. Examine Document_3.txt. Does there appear to be a header for this text file? What can you do to try to verify this?
8. So what are the hex numbers on the left side of the hex editor? On the right side, highlight a letter in the text. What number is now also highlighted on the left? It should be two hex digits. Verify that the hex digits correspond to that letter in the ASCII Table. The hex editor shows you the actual raw bytes in a file, without trying to interpret them in any way.
9. Now, examine Unknown_1.txt. Does Windows think it is a text file? Is it actually a text file? Use the list below to determine the correct extension, rename the file appropriately, and open it up by double-clicking in order to see the files data in a meaningful way.
10. Now your last challenge is to identify the document Unknown_2. It has no extension, so Windows is very confused. However, if you open it up, you should still see an organization of data into information. Use the list below to determine the correct extension and fix the file!