/SI110/The Cyber Battlefield/Digital Data Activity

Goals

• that files are just an organization of data into information
• that files have typical associated extensions
• that extensions can be changed, but the data of the file is not changed
• that files have a header that helps determine their type

Directions

1. Right click on the link "Exercise Documents" below (which is shown in red) and click Save link as.... Navigate to your Desktop and click Save.

   Exercise Documents

   This file is an archive file — collection of files packaged together as a single .zip file. If, at this point, you go to your desktop and double-click on the on the icon for Activity_1_Documents.zip, the zip file will be opened for viewing. However, the contents of the zip file have not yet been extracted. To extract the contents, look for a link at the top of the window that resulted from the double-clicking that says Extract all files . Click on that, and choose to put the files on your Desktop also.

2. Open the file Document_1.docx (one of the newly extracted files that should be on your desktop) with Microsoft Word by double-clicking on the file's desktop icon. See what's there then exit Microsoft Word.
   If you look through enough of this Word document in Frhed, you should be able to find some info on who created this document. Think about that when you e-mail out your next ransom note!
   Also on your Desktop, you should see a green icon with a yellow "F". Double clicking it launches the hex editor Frhed. Launch Frhed and with it open the file Document_1.docx. Now you're seeing what's really in the file, byte-by-byte. One interesting attribute of the .docx format that Microsoft introduced is evident in the first bytes of the file. The .docx file begins with PK, or hex 50 4b, which is actually the same first two bytes as the zip file format. Verify this by opening Document_4.zip in Frhed. These first few bytes are called the file's header.

3. Microsoft Windows uses extensions (the part of the file name after the ".") to associate programs with files. This is often works well enough, but Windows can be fooled by messing with extensions. As an example, rename Document_1.docx as Document_1.zip — do this by returning to your Desktop (or whatever location you saved Document_1.docx at), right-clicking on the name Document_1.docx, selecting "Rename," and changing the file's name to Document_1.zip. Windows will offer a warning, but yes, you do intend to change the file extension!

4. You should see the icon for Document_1 change from the Word icon to a zip file icon. This is the normal behavior for windows: the icon you see depends only on the extension, i.e. on the name of the file. Now double click the Document_1.zip and see if it will open. Did it? What does this mean?

   So, in fact, Microsoft uses the zip file format for their .docx, .xlsx, .pptx, formats. This knowledge is useful in the forensics world!

5. In the same manner, change the extension of Document_1 to .jpg. Did the icon change? Can you open it? Why or why not?
6. Another file you extracted onto your desktop is Document_2.pdf, which is a file in Portable Document Format. The header (first few bytes) for these files is always %PDF, or hex 25 50 44 46. Verify this for Document_2.pdf. How can you verify this?
7. Examine Document_3.txt. Does there appear to be a header for this text file? What can you do to try to verify this?
8. So what are the hex numbers on the left side of the hex editor? On the right side, highlight a letter in the text. What number is now also highlighted on the left? It should be two digits.
   • Multiply the left number by 16, and add it to the second number. (a=10, b=11, c=12, d=13, e=14, f=15)
   • Does that equal your decimal number from the ascii table?
   The hex editor is actually holding exactly the same information as binary or decimal, but in a much more concise manner! Cool! How many fingers would you need to count hex on your hands?
9. Now, examine Unknown_1.txt. Does Windows think it is a text file? Is it actually a text file? Use the list below to determine the correct extension, rename the file appropriately, and open it up by double-clicking in order to see the files data in a meaningful way.
10. Now your last challenge is to identify the document Unknown_2. It has no extension, so Windows is very confused. However, if you open it up, you should still see an organization of data into information. Use the list below to determine the correct extension and fix the file!

Reference Headers