Chapter 8 – File Analysis

Publisher Summary

The analysis of individual files is of key importance in many different examinations. A malicious document may be the initial entry point in a system compromise investigation. By understanding these files, one can more successfully uncover and exploit any higher-order forensic artifacts that may be present within them. File analysis can be broken up into two distinct but complementary activities: content identification and metadata extraction. Content identification is the process of determining or verifying what a specific file actually is, regardless of what its name or extension claims. Metadata extraction is the retrieval of any embedded metadata that may be present in a given file. Forensic analysis of any single item of digital media focuses on retrieving and exploiting forensic artifacts as part of an examination of activities on a computer system or systems. Because files are transient, moving from host to host and from volume to volume, they can retain information about the systems on which they were created or modified even after they have left those systems. Careful examination of the artifacts contained within file formats can be the key that ties a remote user or system to the activity of interest.
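The two activities the summary names, content identification and metadata extraction, can be shown in working code. The example below is added here and is not from the chapter itself: it identifies a file's type from its leading magic bytes rather than its name, flags an extension that contradicts the content, and then pulls embedded metadata from two common formats (PNG chunk dimensions and tEXt pairs with CRC validation; PDF header version and Info-dictionary strings). The signature table, the extension map, and the sample PNG and PDF byte strings are all constructed for this example and are not real evidence.

```python
import re
import struct
import zlib

# Magic-byte table (constructed for this example; not exhaustive).
# Longer signatures come first so a short prefix such as "MZ" cannot shadow them.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),      # also the container for docx/xlsx/jar
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),               # shortest magic, checked last
]

# Which content kinds a given extension legitimately claims (constructed map).
EXTENSION_KINDS = {
    "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "pdf": {"pdf"},
    "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"}, "gif": {"gif"},
    "exe": {"pe"}, "dll": {"pe"}, "so": {"elf"},
}


def identify(data: bytes) -> str:
    """Content identification: classify by leading magic bytes, never by name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the file name claims a type that the content does not support."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_KINDS.get(ext)
    if claimed is None:
        return False  # unknown extension: nothing to contradict
    return identify(data) not in claimed


def png_metadata(data: bytes) -> dict:
    """Walk PNG chunks: IHDR dimensions, tEXt key/value pairs, per-chunk CRC check."""
    meta = {"text": {}, "crc_errors": []}
    pos = 8  # skip the 8-byte PNG signature
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            meta["truncated"] = True  # chunk runs past end of file
            break
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            meta["crc_errors"].append(ctype.decode("latin-1"))
        if ctype == b"IHDR":
            meta["width"], meta["height"] = struct.unpack(">II", payload[:8])
        elif ctype == b"tEXt" and b"\x00" in payload:
            key, _, value = payload.partition(b"\x00")
            meta["text"][key.decode("latin-1")] = value.decode("latin-1")
        if ctype == b"IEND":
            break
        pos += 12 + length
    return meta


# Info-dictionary strings of interest, matched in the raw bytes.
_PDF_INFO = re.compile(rb"/(Producer|Creator|Author|ModDate|CreationDate)\s*\(([^)]*)\)")


def pdf_metadata(data: bytes) -> dict:
    """Header version plus any Info-dictionary strings found in the raw bytes."""
    meta = {"version": data[5:8].decode("ascii", "replace")}
    for key, value in _PDF_INFO.findall(data):
        meta[key.decode("ascii")] = value.decode("latin-1")
    return meta


def analyze(filename: str, data: bytes) -> dict:
    """Combine content identification with format-specific metadata extraction."""
    kind = identify(data)
    extractors = {"png": png_metadata, "pdf": pdf_metadata}
    return {
        "kind": kind,
        "extension_mismatch": extension_mismatch(filename, data),
        "metadata": extractors.get(kind, lambda _: {})(data),
    }


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build a PNG chunk with a valid CRC (used only to construct sample input)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed sample inputs (not real evidence): a minimal PNG and a minimal PDF.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 64, 32, 8, 6, 0, 0, 0))
              + _chunk(b"tEXt", b"Author\x00analyst-workstation")
              + _chunk(b"IEND", b""))
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Producer (ExampleWriter 2.0) "
              b"/Creator (ExampleOffice) >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for name, blob in (("logo.png", SAMPLE_PNG), ("report.pdf", SAMPLE_PDF),
                       ("photo.jpg", SAMPLE_PNG)):
        print(name, analyze(name, blob))
```

The third sample run, a PNG carrying a `.jpg` name, is the case the summary's "determining or verifying" wording points at: the name is an untrusted claim, and only the bytes settle what the file is. The CRC check on each PNG chunk is there because a chunk whose stored checksum does not match its bytes is itself an artifact worth recording, whether it came from corruption or deliberate edits.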