/SI110/The Cyber Battlefield/Digital Data Activity

Goals

At the end of this activity, students are expected to understand

Directions

  1. Right-click the link "Exercise Documents" below (shown in red) and click Save link as.... Navigate to your Desktop and click Save.

    Exercise Documents

    This file is an archive: a collection of files packaged together as a single .zip file. If, at this point, you go to your desktop and double-click the icon for Activity_1_Documents.zip, the zip file will be opened for viewing. However, the contents of the zip file have not yet been extracted. To extract the contents, look for a link at the top of the window that opened when you double-clicked that says Extract all files. Click on that, and choose to put the files on your Desktop as well.
    Close both of the file-viewer windows that are open, and verify that you now have on your desktop an icon for the Activity_1_Documents folder as well as the icon for the original Activity_1_Documents.zip.

  2. From the Activity_1_Documents folder on your desktop, open the file Document_1.docx in Microsoft Word by double-clicking the file's icon. See what's there, then exit Microsoft Word.

    Launch the hex editor Frhed (click Start, click All Programs, click Frhed) and with it open the file Document_1.docx. Now you're seeing what's really in the file, byte by byte. One interesting attribute of the .docx format that Microsoft introduced is evident in the first bytes of the file: the .docx file begins with PK, or hex 50 4B, which are the same first two bytes as the zip file format. Verify this by opening Document_4.zip in Frhed. These first few bytes are called the file's header (also known as its signature or magic number).

    If you look through enough of this Word document in Frhed, you should be able to find some info on who created this document. Think about that when you e-mail out your next ransom note! (That author metadata lives in the docProps/core.xml entry inside the archive. If that entry is stored compressed, the name will not be readable in the hex editor until you extract it from the renamed zip in step 4.)

  3. Microsoft Windows uses extensions (the part of the file name after the last ".") to associate programs with files. This often works well enough, but Windows can be fooled by messing with extensions. As an example, rename Document_1.docx to Document_1.zip: return to your Desktop (or wherever you saved Document_1.docx), right-click the name Document_1.docx, select "Rename," and change the file's name to Document_1.zip. (If Explorer does not show the .docx part of the name, it is hiding known extensions; turn that option off in Folder Options first.) Windows will warn that changing the extension may make the file unusable, but yes, you do intend to change it!

  4. You should see the icon for Document_1 change from the Word icon to a zip-file icon. This is the normal behavior for Windows: the icon you see depends only on the extension, i.e. on the name of the file, not on its contents. Now double-click Document_1.zip and see if it will open. Did it? What does this mean?

    So, in fact, Microsoft uses the zip file format for its .docx, .xlsx and .pptx formats (Office Open XML): each is an archive of XML files plus any embedded media. This knowledge is useful in the forensics world!

  5. In the same manner, change the extension of Document_1 to .jpg (an image file format). Did the icon change? Can you open it? Why or why not?
  6. Another file you extracted onto your desktop is Document_2.pdf, a file in Portable Document Format. The header (first few bytes) of these files is always %PDF, or hex 25 50 44 46. Verify this for Document_2.pdf. How can you verify this?
  7. Examine Document_3.txt. Does there appear to be a header for this text file? What can you do to try to verify this?
  8. So what are the hex numbers in the hex pane of the hex editor? In the text pane on the right, highlight a letter. Which number is now also highlighted in the hex pane? It should be two hex digits. Verify that those hex digits correspond to that letter in the ASCII table. The hex editor shows you the actual raw bytes in a file, without trying to interpret them in any way.
  9. Now, examine Unknown_1.txt. Does Windows think it is a text file? Is it actually a text file? Use the list below to determine the correct extension, rename the file appropriately, and open it by double-clicking in order to see the file's data in a meaningful way.
  10. Now your last challenge is to identify the document Unknown_2. It has no extension, so Windows has nothing to go on. However, if you open it in Frhed, you should still see data organized into information. Use the list below to determine the correct extension and fix the file!

Reference Headers

File type     Header (hex)                                        Header (ASCII)
png           89 50 4E 47                                         .PNG
jpg           FF D8 FF E0                                         ....
bmp           42 4D                                               BM
avi           52 49 46 46 xx xx xx xx 41 56 49 20 4C 49 53 54     RIFF....AVI LIST
mpg (video)   00 00 01 Bx                                         ....
wav           52 49 46 46 xx xx xx xx 57 41 56 45 66 6D 74 20     RIFF....WAVEfmt 
xls           D0 CF 11 E0 A1 B1 1A E1                             ........
mp3           FF Fx                                               ..
pdf           25 50 44 46                                         %PDF
zip           50 4B 03 04                                         PK..
* Periods in the ASCII column indicate that the ASCII representation of the associated hexadecimal value is variable or cannot be displayed.
Lowercase 'x' in the hex column indicates that the value will vary from file to file.
Some caveats when matching against this list: only the first three bytes of a jpg (FF D8 FF) are fixed, and the fourth varies (E0 for JFIF, E1 for Exif); many mp3 files begin with an ID3 tag (49 44 33, "ID3") rather than the FF Fx frame header; and the xls signature is the OLE2 compound-file header, which the legacy .doc and .ppt formats share. The zip signature likewise covers .docx, .xlsx and .pptx.
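The checks in steps 2 through 10 can be automated against the Reference Headers list. The Python script below is an added example, not part of the original activity materials: it transcribes the table in the table's own notation (an 'x' nibble is a wildcard), identifies a file purely from its leading bytes regardless of its extension, renders a hex-editor style dump (offset, hex column, ASCII column, as in step 8), and reads the author name from the docProps/core.xml entry of a zip-based Office file, which is where Word stores the creator that step 2 asks about. It goes a little beyond the table by also recognising mp3 files that begin with an ID3 tag. All sample inputs are constructed inside the script (including a minimal stand-in for Document_1.docx); none of the real Document_* files are used, and the author name is made up.

```python
"""Identify files by header bytes instead of by extension (added example)."""
import io
import re
import zipfile

# Signature table transcribed from the Reference Headers list, in the same
# notation: hex bytes, with an 'x' nibble meaning "varies from file to file".
# Longer, more specific patterns come first so they win over short ones.
SIGNATURES = [
    ("avi", "52 49 46 46 xx xx xx xx 41 56 49 20 4C 49 53 54"),
    ("wav", "52 49 46 46 xx xx xx xx 57 41 56 45 66 6D 74 20"),
    ("xls", "D0 CF 11 E0 A1 B1 1A E1"),   # OLE2 header, shared by legacy .doc/.ppt
    ("png", "89 50 4E 47"),
    ("zip", "50 4B 03 04"),               # also .docx/.xlsx/.pptx (zip archives)
    ("pdf", "25 50 44 46"),
    ("mpg", "00 00 01 Bx"),
    ("jpg", "FF D8 FF"),                  # 4th byte varies (E0 JFIF, E1 Exif)
    ("bmp", "42 4D"),
    ("mp3", "49 44 33"),                  # added: "ID3" tag precedes the frames
    ("mp3", "FF Fx"),
]


def parse_pattern(pattern):
    """Turn '50 4B 03 04' / 'FF Fx' / 'xx' tokens into (value, mask) byte pairs."""
    pairs = []
    for token in pattern.split():
        value = mask = 0
        for nibble in token:
            value <<= 4
            mask <<= 4
            if nibble.lower() != "x":
                value |= int(nibble, 16)
                mask |= 0xF
        pairs.append((value, mask))
    return pairs


COMPILED = [(name, parse_pattern(p)) for name, p in SIGNATURES]


def identify(data):
    """Return the table's file type for these bytes, or None. Ignores the name."""
    for name, pairs in COMPILED:
        if len(data) >= len(pairs) and all((b & m) == v for b, (v, m) in zip(data, pairs)):
            return name
    return None


def hexdump(data, width=16):
    """Render bytes the way a hex editor does: offset, hex column, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexcol = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hexcol}  |{asc}|")
    return "\n".join(lines)


def docx_creator(data):
    """For a zip-based Office file, read the author from docProps/core.xml (None if absent)."""
    if identify(data) != "zip":
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return None
        match = re.search(rb"<dc:creator>(.*?)</dc:creator>", zf.read("docProps/core.xml"))
        return match.group(1).decode() if match else None


def make_fake_docx(author):
    """Constructed sample: a minimal zip carrying the metadata entry a real .docx has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml",
                    f"<cp:coreProperties><dc:creator>{author}</dc:creator></cp:coreProperties>")
    return buf.getvalue()


# Constructed sample inputs; file names are chosen to mirror the activity, but
# the bytes are made up here and are NOT the activity's real files.
SAMPLES = {
    "Document_2.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "Unknown_1.txt": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",   # png despite .txt
    "Unknown_2": b"RIFF\x24\x08\x00\x00WAVEfmt \x10\x00\x00\x00",  # no extension
    "song.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x0f",
    "Document_3.txt": b"Just some text, no header at all.\n",
    "Document_1.docx": make_fake_docx("Midshipman X"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ext = name.rsplit(".", 1)[-1] if "." in name else "(none)"
        print(f"{name:18} extension says {ext:7} header says {identify(data)}")
        print(hexdump(data[:16]))
    print("docx author:", docx_creator(SAMPLES["Document_1.docx"]))
```

Running the script prints, for each sample, what the extension claims next to what the header says, followed by the first 16 bytes in hex-editor layout; the zip-based sample is reported as zip no matter what it is called, which is exactly what steps 3 and 4 demonstrate by renaming, and the plain text sample matches nothing in the list, which is the answer to step 7.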