Hello, first of all just want to say thanks for uploading these, they've helped me understand file signatures and such a lot more. I also have a question that is probably a dumb one, but here it goes. Why don't all file extensions have a trailer/header? Like for example, the .txt file and .ini do not have a header from what I can tell. Thank you.
Hi Treb! Firstly, thank you for your positive remarks on my content... This is my own opinion, but I believe you must first simply understand what exactly you NEED to "forensically investigate" as opposed to "simply investigate"... I don't think a (.txt) and (.ini) file have a Header and a Trailer due to the simple fact of them ALREADY being in "plain text" (not encrypted or compressed inside a cointainer). So since they are not inside a "container", they are readable using any kind of hex editor or even simply renaming the (.ini) file into a (.txt) extension... Additionally a (.ini) file is a simple set of instructions, kind of like Scripting, to perform certain tasks or apply certain settings to an Application...So if the file is easily decrypted, we no longer need to "forensically investigate", our mission is complete, as we have successfully been able to extract the contents of the file with accuracy by comparing the file size and the text/contents contained within the file...If you still have doubts that there could be hidden contents within a (.ini) file, simply copy the contents into a brand new (.txt) file, then save it as (.ini) and compare the file sizes, if the size is exactly the same, then you know there is no more hidden data, but it the file size is different, then you would proceed to forensically investigate where this additional file size is accumilated from...Hope you get my drift and stay safe, I'm glad to be of any help!
Hi Peter, yes I will be doing NTFS Manual File Carving series eventually, unfortunately I've just finished studies and haven't had time to create new content due to job hunting etc. But in the meantime would like to thank you for you interest in my work, it means a lot to me!
Excellent explanation. Thanks, it helped me a lot in the algorithm to find the date.
Hello, first of all just want to say thanks for uploading these, they've helped me understand file signatures and such a lot more. I also have a question that is probably a dumb one, but here it goes. Why don't all file extensions have a trailer/header? Like for example, the .txt file and .ini do not have a header from what I can tell. Thank you.
Hi Treb! Firstly, thank you for your positive remarks on my content... This is my own opinion, but I believe you must first simply understand what exactly you NEED to "forensically investigate" as opposed to "simply investigate"... I don't think a (.txt) and (.ini) file have a Header and a Trailer due to the simple fact of them ALREADY being in "plain text" (not encrypted or compressed inside a cointainer). So since they are not inside a "container", they are readable using any kind of hex editor or even simply renaming the (.ini) file into a (.txt) extension... Additionally a (.ini) file is a simple set of instructions, kind of like Scripting, to perform certain tasks or apply certain settings to an Application...So if the file is easily decrypted, we no longer need to "forensically investigate", our mission is complete, as we have successfully been able to extract the contents of the file with accuracy by comparing the file size and the text/contents contained within the file...If you still have doubts that there could be hidden contents within a (.ini) file, simply copy the contents into a brand new (.txt) file, then save it as (.ini) and compare the file sizes, if the size is exactly the same, then you know there is no more hidden data, but it the file size is different, then you would proceed to forensically investigate where this additional file size is accumilated from...Hope you get my drift and stay safe, I'm glad to be of any help!
@@Mamu_213thank you for the detailed explanation! that makes a lot more sense now, thank you so much
Will you be doing NTFS file carving?
Hi Peter, yes I will be doing NTFS Manual File Carving series eventually, unfortunately I've just finished studies and haven't had time to create new content due to job hunting etc. But in the meantime would like to thank you for you interest in my work, it means a lot to me!