Week 05 Metadata Report Shreyas Prakash Mhalsekar 25076112

Course: Computer Science, Engineering (CSC502)
Academic year: 2022/2023

Name: Shreyas Prakash Mhalsekar

Student ID: 25076112

Setup

You need to download this week’s samples onto a Linux Box.

Q1) Hex Viewer – cmd line

We can use xxd -l 256 <file> to dump the first 256 bytes of each file; the file signature (magic bytes) sits at the start of that dump.

Note your response in the table

Exe files have a PE marker (the bytes 50 45 00 00, "PE\0\0") somewhere between offsets 0x80 and 0xFF; the 4-byte field at offset 0x3C of the MZ header (e_lfanew) gives its exact address.

See slides. Add to the table (exe only).

Why does the address of the PE marker vary?

Ans - The PE signature is not at a fixed address. The DOS (MZ) header stores its offset in the 4-byte e_lfanew field at 0x3C, and between the DOS header and the PE header lies the DOS stub (the small "This program cannot be run in DOS mode" program) and, in Microsoft-linked files, an undocumented "Rich" header. Their size depends on the linker that built the file, so the PE header lands at a different address in each executable, typically between 0x80 and 0xFF. Resources such as dialogs and version strings live much later in the file and have no effect on where the PE header is.

File                      Hex Signature    exe PE jump address
Trade_secrets.txt         ASCII text       n/a
logo.gif                  GIF89a at 00     n/a
MS Office Meta Data.jpg   JFIF             n/a
IMAG1672a.jpg             Exif             n/a
Cygwin1.dll               MZ               MZ
Strings.exe               MZ               Rh...
Sample.docx               PK               n/a
Sample.pdf                %PDF-1.5         n/a
Flowers.txt               MZ               n/a
Cars.txt                  MZ               n/a

Q2) Magic Files

We use the Linux command file on the downloaded files.

Open a Linux shell window and cd to your Forensics folder.

Use file to check whether each file's content matches its extension (file reads the magic bytes and ignores the name):

file /mnt/c/Forensics_yourname/* | cut -c 1-120

Add the responses in the table.

Are any files imposters as seen by file?

Ans - Yes. Flowers.txt and Cars.txt carry a .txt extension, but file reports both as PE32 executables (and both start with MZ in Q1): Windows programs have been renamed to look like text files. Because file identifies a file from its content rather than its name, the disguise does not work against it.

Run file again on ls2 without using cut. ls2 is a compressed form of ls using UPX packing to avoid detection in an IDS.

What is UPX packing?

Ans - UPX (Ultimate Packer for eXecutables) is an open-source executable packer. It compresses the original program and prepends a small decompression stub; the packed file is still an executable, but its code and strings are no longer readable on disk, and the original program is only reconstructed in memory when it runs. That is why packing defeats simple signature and string matching in an IDS or antivirus scanner. UPX itself is not malicious and is easy to recognise: file identifies the packer's stub and reports the binary as UPX compressed, the packed image carries the "UPX!" magic (and UPX0/UPX1 section names in a PE file), and upx -d restores the original binary for analysis.

File                      Magic Signature (file output)
Trade_secrets.txt         ISO-8859 text, with CRLF line terminators
logo.gif                  GIF image data, version 89a, 220 x 50
MS Office Meta Data.jpg   JPEG image data, JFIF standard 1.
IMAG1672a.jpg             JPEG image data, JFIF standard 1.
cygwin1.dll               PE32 executable (DLL) (console) Intel 80386, for MS Windows
strings.exe               PE32 executable (DLL) (console) Intel 80386, for MS Windows
Sample.docx               Microsoft Word 2007+ (a ZIP container; PK signature in Q1)
Sample.pdf                PDF document, version 1.5 (%PDF-1.5 signature in Q1)
Flowers.txt               PE32 executable (DLL) (console) Intel 80386, for MS Windows
Cars.txt                  PE32 executable (DLL) (console) Intel 80386, for MS Windows
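The following Python script is an added example, not part of the original report and not the code of xxd, file or UPX. It does by hand what Q1 and Q2 did with those tools: identifies files by their magic bytes, reads e_lfanew to find the PE signature (so the varying address of the PE marker can be seen directly), reads the section names that give away UPX packing, and flags imposters whose extension contradicts their content. The sample files are constructed inline (build_pe makes minimal, non-runnable PE images with a chosen DOS-stub length); the function names and the EXPECTED extension map are this example's own assumptions.

```python
"""Added example: magic-byte identification, PE header location via e_lfanew,
UPX detection from section names, and extension-vs-content ('imposter') checks.
Sample inputs are constructed inline; build_pe() makes minimal, non-runnable PE
images so the DOS-stub length can be varied deliberately."""
import struct

# (offset, signature, label) for the signatures seen in the Q1 table
MAGIC = [
    (0, b"MZ", "PE/DOS executable"),
    (0, b"PK\x03\x04", "ZIP container (docx, xlsx, jar, ...)"),
    (0, b"%PDF-", "PDF document"),
    (0, b"GIF89a", "GIF image, version 89a"),
    (0, b"GIF87a", "GIF image, version 87a"),
    (0, b"\xff\xd8\xff", "JPEG image"),
]


def identify(data: bytes) -> str:
    """file(1)-style description derived from the leading bytes only."""
    for off, sig, label in MAGIC:
        if data[off:off + len(sig)] != sig:
            continue
        if label == "JPEG image":
            tag = data[6:10]                # APP0 'JFIF' or APP1 'Exif' identifier
            if tag in (b"JFIF", b"Exif"):
                return f"JPEG image ({tag.decode('ascii')})"
            return label
        if label == "PDF document":
            return f"PDF document, version {data[5:8].decode('ascii', 'replace')}"
        return label
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "ASCII text"
    return "data"


def pe_offset(data: bytes):
    """Offset of 'PE\\0\\0', read from e_lfanew at 0x3C of the DOS header.
    The DOS stub (and an optional Rich header) between the two headers has no
    fixed size, which is why xxd shows the signature at different addresses."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]
    return off if data[off:off + 4] == b"PE\x00\x00" else None


def section_names(data: bytes) -> list:
    """Names from the COFF section table (40-byte entries, 8-byte name first)."""
    off = pe_offset(data)
    if off is None:
        return []
    nsec = struct.unpack_from("<H", data, off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, off + 20)[0]   # SizeOfOptionalHeader
    table = off + 24 + opt_size                              # 4-byte sig + 20-byte COFF header
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\x00").decode("ascii", "replace")
            for i in range(nsec)]


def is_upx_packed(data: bytes) -> bool:
    """UPX leaves its own section names (UPX0, UPX1, ...) in a packed PE file and
    writes its 'UPX!' magic into the packed image (PE and ELF alike). The string
    search is a heuristic; `upx -l` is the authoritative check."""
    return any(name.startswith("UPX") for name in section_names(data)) or b"UPX!" in data


# What the extension promises; the map is this example's own assumption.
EXPECTED = {".txt": "ASCII text", ".gif": "GIF image", ".jpg": "JPEG image",
            ".exe": "PE/DOS executable", ".dll": "PE/DOS executable",
            ".docx": "ZIP container", ".pdf": "PDF document"}


def is_imposter(filename: str, data: bytes) -> bool:
    """True when the extension promises one type but the content is another."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    return ext in EXPECTED and not identify(data).startswith(EXPECTED[ext])


def build_pe(stub_len: int, sections) -> bytes:
    """Minimal PE image (not runnable) with a DOS stub of stub_len bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + stub_len)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)  # i386, no optional header
    table = b"".join(name.ljust(8, b"\x00") + bytes(32) for name in sections)
    return bytes(dos) + b"\x90" * stub_len + b"PE\x00\x00" + coff + table


if __name__ == "__main__":
    samples = [("Flowers.txt", build_pe(0x40, [b".text", b".data"])),
               ("ls2", build_pe(0x10, [b"UPX0", b"UPX1", b".rsrc"])),
               ("Sample.pdf", b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n")]
    for name, blob in samples:
        off = pe_offset(blob)
        print(f"{name:12} {identify(blob):28} PE at {off if off is None else hex(off)}"
              f"  UPX={is_upx_packed(blob)}  imposter={is_imposter(name, blob)}")
```

Run with python3 and it prints one line per constructed sample; the first sample puts the PE header at 0x80 and the second at 0x50 purely because their DOS stubs differ in length. To check a real file from the lab, pass open(path, "rb").read() to identify(), pe_offset() or is_upx_packed().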

Q3) Editing a File Header

Confirm you have the Image File C08InChp in your Forensics folder.

Run ProDiscover.

Add Image File C08InChp.

Search for FIF (case sensitive).

Click Show File. You should see a deleted file called gametour4.

Right click, select Copy File, and save it as Recover1 in your Forensics folder. Exit ProDiscover.

Run HxD in your Forensics folder (download and install HxD as required).

Open Recover1.

Change the header from 7A 7A 7A 7A to FF D8 FF E0 (the JPEG SOI marker FF D8 followed by the APP0 marker FF E0; see lecture slides).

Change the 7A at address 06 to 4A (the J of the JFIF identifier, which is why the search had to be for FIF rather than JFIF).

Does the image support the allegation?

Ans - Cannot open: the reason is that I'm receiving an error indicating that I should check the software publisher.
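The same header edit as an added Python example (not from the report and not part of HxD or ProDiscover): it rebuilds a minimal 22-byte JFIF file, damages it the way the exercise describes (7A 7A 7A 7A at offsets 0-3 and 7A at offset 6), applies the repair, and then verifies the result by walking the JPEG marker segments rather than trusting a viewer. GOOD, DAMAGED and the helper names are this example's own.

```python
"""Added example: repair an overwritten JPEG/JFIF header and verify it by
walking the marker structure. The sample file is constructed inline."""
import struct

# Minimal valid JFIF file: SOI, APP0 segment (length 16, 'JFIF' identifier), EOI.
GOOD = (b"\xff\xd8"
        + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\xff\xd9")

# Same file with the damage from the exercise: bytes 0-3 and byte 6 set to 0x7A.
DAMAGED = b"\x7a\x7a\x7a\x7a" + GOOD[4:6] + b"\x7a" + GOOD[7:]


def repair_jfif_header(data: bytes) -> bytes:
    """Restore SOI (FF D8) + APP0 marker (FF E0) and the 'J' of 'JFIF' at offset 6.
    Always work on a copy: hash the recovered original first and edit a duplicate,
    exactly as the exercise does with Recover1."""
    buf = bytearray(data)
    buf[0:4] = b"\xff\xd8\xff\xe0"
    buf[6] = 0x4A
    return bytes(buf)


def walk_markers(data: bytes) -> list:
    """Return the marker codes found up to SOS (FF DA) or EOI (FF D9).
    Raises ValueError when the structure is broken, so a bad header is reported
    with a reason instead of a viewer silently refusing the file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker; header is damaged")
    markers, pos = [0xD8], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix at offset {pos:#x}")
        code = data[pos + 1]
        markers.append(code)
        if code in (0xD9, 0xDA):          # EOI, or SOS where entropy-coded data begins
            return markers
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack_from(">H", data, pos + 2)[0]   # includes the 2 length bytes
        pos += 2 + length
    raise ValueError("ran off the end without EOI")


def is_jfif(data: bytes) -> bool:
    """SOI + APP0 followed by the NUL-terminated 'JFIF' identifier."""
    return data[:4] == b"\xff\xd8\xff\xe0" and data[6:11] == b"JFIF\x00"


if __name__ == "__main__":
    try:
        walk_markers(DAMAGED)
    except ValueError as err:
        print("before repair:", err)
    fixed = repair_jfif_header(DAMAGED)
    print("after repair:", [f"{m:02X}" for m in walk_markers(fixed)],
          "JFIF" if is_jfif(fixed) else "not JFIF")
```

Only the header bytes are touched; the image data after them is left exactly as recovered. If walk_markers still raises after the repair on a real file, more than the first seven bytes were overwritten and the fix has to go further than the exercise describes.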

Q4) File Metadata

Confirm you have downloaded the sample files as in Q1.

Q4 A) docx files

Use the Windows 10 File Explorer.

Right click Sample and select properties. Select the details tab.

Note the metadata.

What is the Document Title? Forensic Sample

What is the Document Subject? Forensics

What are the Document Tags? Forensics, Metadata

Who is the Author? G G Lee

When was it last printed? 29/09/2013 4 PM

Q4 B) pdf files

Open Sample with a pdf reader such as pdf-XChange or Chrome. Select the File Tab.

tracker-software/product/pdf-xchange-editor

Check the Document Properties.

Note here data of forensic interest.

List the tag:value pairs of forensic interest and explain what they mean:

Title: Forensic Sample. Copied from the document's title field by the authoring application; it need not match the file name.

Keywords: "Forensics, Metadata". Free-text tags, the same as the docx tags in Q4 A.

Author: recorded as 29/09/2013 4. This is a timestamp rather than a name (the docx in Q4 A names the author as G G Lee), so the recorded value was most likely read from the creation-date field.

Creator / Producer: the application the original document was written in and the program that generated the PDF; the values were not recorded.

Modified: 29/09/2013 4. The modification date stored inside the PDF. This is usually the same as the file system modify date, but unlike that date it survives copying the file to another drive.

PDF version: 1.5, from the %PDF-1.5 header seen in Q1.

These fields live in the PDF Info dictionary (often repeated in an XMP packet), so they are evidence of who produced the document and when, but they are written by software and can be edited, and should be corroborated with file system timestamps and hashes.

Q4 C) Changing file dates

You need the Linux Box you used in Q1 again.

Open your Terminal shell and cd to the folder containing your sample files.

Let us now stat Sample (stat shows the file system timestamps: access, modify, change and, where the file system supports it, birth time):

stat Sample

Create a text file called test with contents "I will pay you $1000" using echo. Note the backslash: the $ has to be escaped as \$, otherwise the shell expands $1000 as a parameter before echo sees it. Check with cat test.

Create a second file called test1 with contents "I will pay you $9000" using echo.

Compare the two file lengths with ls -l test test1

Hash both files with md5sum and then sha256sum.

Compare the two md5 hash lengths and compare the two sha256 hash lengths.

Ans - The hashes show that test and test1 hold different content. MD5 gives cf8d15fc95e0b135213148418eb370 for test and cc8823a43d59c98cad47c75f194291af for test1; SHA-256 gives 888dda432264c86321bcb87e0ee42f6055fdd415a0cb1e685cefa29bb977be8b for test and 3faa20689783094ade8766551e23797f8f42b904ed194cd865e5429fb8a1d0ae for test1. Changing a single character ($1000 to $9000) produced completely different digests under both algorithms. That is the avalanche property of a cryptographic hash: a matching digest is strong evidence that two files are byte-for-byte identical, a mismatch proves they are not, and nothing in the digest reveals how small the change was.

Comment on the results as follows:

  • What is the change in file length as seen by ls?

Ans - ls -l shows test and test1 with the same size, 22 bytes. Replacing the 1 in $1000 with a 9 changes the value of one byte but not the number of bytes, so the length is identical even though the hashes differ. File size is therefore no indicator of whether content has been altered; only a hash (or a byte-level comparison) reveals the change.

  • How does MD5 output differ from SHA 256?

Ans - The two outputs differ in length and in strength. MD5 produces a 128-bit digest, printed as 32 hexadecimal characters (the value recorded above for test, cf8d15fc95e0b135213148418eb370, is two characters short of a full digest and was evidently transcribed incompletely; the test1 value has all 32). SHA-256 produces a 256-bit digest, printed as 64 hexadecimal characters, such as 888dda432264c86321bcb87e0ee42f6055fdd415a0cb1e685cefa29bb977be8b for the same file. MD5 is faster to compute but is broken for integrity purposes: practical collision attacks exist, so two different files can be manufactured that share one MD5, and it should not be relied on alone to prove that a file is unchanged. No collision attack is known for SHA-256, which is why it is the digest to record for evidence (recording both is common so that older MD5-based references can still be matched).

  • What is the change in the hash lengths of the two files?

Ans - The hash length does not change between the two files. Each algorithm always produces a fixed-size digest regardless of the input: 32 hex characters (128 bits) for MD5 and 64 hex characters (256 bits) for SHA-256 for both test and test1, so the SHA-256 output is exactly twice as long as the MD5 output. The difference in length is a property of the algorithm, not of the file being hashed.

  • What is the change in the hash values of the two files?

Ans - The hash values change completely. For MD5, test gives the digest beginning cf8d15fc and test1 the digest beginning cc8823a4; for SHA-256, test gives the digest beginning 888dda43 and test1 the digest beginning 3faa2068. A one-character change in the input alters roughly half of the digest bits, so there is no visible relationship between the two digests and no way to work back from them to how small the change was. That sensitivity is what makes a hash usable as a fingerprint of file content: even nearly identical files have unrelated digests.

Try this command openssl speed sha256 sha512 What does it show you?

Ans - openssl speed sha256 sha512 benchmarks the two hash algorithms on the local CPU. For each block size (16, 64, 256, 1024, 8192 and 16384 bytes) it hashes as many blocks as it can for a few seconds and reports the throughput in bytes per second (the summary table at the end is in thousands of bytes per second). Small blocks mostly measure per-call overhead; large blocks measure raw hashing speed. On a 64-bit CPU SHA-512 is usually faster than SHA-256 on large blocks because it works on 64-bit words and consumes 128-byte blocks per compression, while on 32-bit hardware, or on CPUs with SHA extensions (which accelerate SHA-256 but not SHA-512), SHA-256 wins. The figures describe this machine only and say nothing about the strength of either algorithm.
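The whole of Q4 C as an added Python example (not part of the original report and not what md5sum, sha256sum or openssl speed themselves do): it hashes two constructed files that differ in one character, reports the lengths and digest sizes the questions ask about, counts how many digest bits actually changed, and times SHA-256 against SHA-512 in the spirit of openssl speed. The contents are assumed to be what echo "I will pay you \$1000" > test writes, i.e. the text plus a trailing newline (21 bytes); the byte count on the lab machine depends on how echo was invoked, which is why the report's 22-byte figure can differ. TEST, TEST1 and the helper names are this example's own.

```python
"""Added example: file lengths, MD5 vs SHA-256 digests, avalanche effect and a
small throughput benchmark for the two constructed test files of Q4 C."""
import hashlib
import time

TEST = b"I will pay you $1000\n"    # constructed sample content (assumed echo output)
TEST1 = b"I will pay you $9000\n"   # one character different


def digests(data: bytes) -> dict:
    """Hex digests the way md5sum and sha256sum print them."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def bits_changed(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def compare(a: bytes, b: bytes) -> dict:
    """The Q4 C questions answered as numbers rather than prose."""
    da, db = digests(a), digests(b)
    return {
        "len_a": len(a), "len_b": len(b),                   # what ls -l reports
        "md5_hex_chars": len(da["md5"]),                    # 32 hex chars = 128 bits
        "sha256_hex_chars": len(da["sha256"]),              # 64 hex chars = 256 bits
        "md5_differs": da["md5"] != db["md5"],
        "sha256_differs": da["sha256"] != db["sha256"],
        "md5_bits_changed": bits_changed(da["md5"], db["md5"]),           # out of 128
        "sha256_bits_changed": bits_changed(da["sha256"], db["sha256"]),  # out of 256
    }


def throughput(algo: str, block_size: int = 1 << 20, rounds: int = 8) -> float:
    """Bytes hashed per second for one algorithm at one block size, which is
    the quantity openssl speed tabulates for each of its block sizes."""
    buf = b"\x00" * block_size
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.new(algo, buf).digest()
    return block_size * rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    for key, value in compare(TEST, TEST1).items():
        print(f"{key:>20}: {value}")
    for algo in ("sha256", "sha512"):
        print(f"{algo}: {throughput(algo) / 1e6:8.1f} MB/s")
```

The bit counts are the point the prose answers only state: both files have the same length, both digests are always the same size for a given algorithm, and a one-byte change flips about half of the digest bits. The throughput numbers vary from machine to machine and from run to run, exactly like the openssl speed figures.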
