QUICK VIEW PLUS

For a forensic investigator, Quick View Plus is the equivalent of a backpacker's Swiss army knife. Quick View is useful because it can view many different file formats and open compressed files to display their contents in Windows. Quick View supports more than 225 file types, including just about every known office document, database, graphic, presentation, compressed file, executable, spreadsheet, and deprecated DOS word processor format that exists. Quick View Plus lets the investigator render the file contents as appropriate regardless of what the extension says the file should be.

Because Quick View is not the original application used to create most of these files, it does not run their embedded active content, which mitigates the danger of examining contaminated files. For example, imagine a Microsoft Word document containing nefarious macros discovered in a dataset seized from a suspect. If Word were used to view this document, it could potentially perform functions on the forensic workstation that the analyst wouldn't desire. Viewing the document in Quick View, on the other hand, does not execute the macros as Word would and therefore provides another layer of credibility and assurance for the analyst. It does not remove the risk entirely: the viewer is still parsing attacker-controlled data with its own format decoders, so it should run on an isolated analysis workstation rather than on a machine that also holds case notes or has network access.

Quick View Plus is available from Avantstar. Visit http://www.avantstar.com/ and click the "Contact Us" link to fill out an evaluation form. If you want to purchase the program, you can do so from the same web site. We use it on every forensic workstation we own and find that it is well worth the price.

Implementation

Quick View's ability to toggle efficiently through many different files is facilitated by the Windows Explorer-style interface in the left pane. This interface makes it possible to examine many files with the arrow and TAB keys only, which helps when time is of the essence.

To move from pane to pane in Quick View, press the TAB key. When in the directory tree pane, press the UP and DOWN ARROW keys to move up and down the directory listing. To enter a desired directory, press the RIGHT ARROW key to expand and enter it. To collapse a directory, press the LEFT ARROW key. Once a directory is selected, its files can be viewed by pressing TAB until the focus is in the directory contents pane, which is the lower-left pane in Figure 25-4.


Figure 25-4: Quick View's Explorer-like interface

After the directory contents are listed, the UP, DOWN, RIGHT, and LEFT ARROW keys can be pressed to display and highlight the files desired. In Figure 25-4, the file suspiciousfile.txt was viewed. The content of the file is displayed in the right pane.

Functionality built into Quick View allows it to determine different file types from the header and footer information instead of from only the filename. This is helpful for the analyst because Quick View will display a file correctly even though it may have an incorrect file extension. This situation often occurs during actual investigations as a suspect tries to hide files. Since the usual behavior of the Windows operating system is to examine the file extension and start the associated program to view and edit the file, Quick View is a better choice for the forensic analyst because it's unaffected by the extension.

Figure 25-5 demonstrates Quick View's ability, as the suspiciousfile.bin file is viewed and its real identity is shown as a GIF image.


Figure 25-5: Quick View's display pane

Not only can Quick View examine the usual data files discovered during an investigation, but it can also display header information for system and executable files. This helps an analyst when tool analysis is called for. The following two screenshots show various dynamic-link libraries (DLLs) and executable files found on a Microsoft Windows system. The information they provide is crucial in deciphering a file's purpose and in deciding which lab systems the analyst will have to make available to continue the tool-analysis process.
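The content-based identification described above (the suspiciousfile.bin that turns out to be a GIF, and the DLL and EXE headers Quick View decodes) can be reproduced in a few lines. The following Python script is an added example, not code from the original text or from Quick View Plus: it checks the leading bytes of a file against a small signature table, and for files that start with "MZ" walks the DOS header to the PE signature and reads the COFF header to tell a DLL from an EXE and report the target machine. The signature table, the extension map, and the two sample byte strings (a minimal GIF header and a synthetic 64-bit DLL header) are constructed here so the script runs offline; the constants come from the GIF and PE/COFF format specifications.

```python
import struct

# Constructed signature table (leading bytes -> description). A real viewer
# carries hundreds of entries; this is a small illustrative subset.
SIGNATURES = [
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also Office 2007+ .docx/.xlsx/.pptx)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy .doc/.xls/.ppt)"),
    (b"\x7fELF", "ELF executable"),
]

# IMAGE_FILE_DLL bit of the COFF Characteristics field, and a few Machine values
# (both from the PE/COFF specification).
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}

# What a file extension *claims* the content is, used only to flag disagreement.
EXTENSION_CLAIMS = {
    "gif": "GIF image", "png": "PNG image", "jpg": "JPEG image", "jpeg": "JPEG image",
    "pdf": "PDF document", "dll": "PE DLL", "exe": "PE EXE",
}


def describe_pe(data: bytes) -> str:
    """Classify an 'MZ' file: DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header."""
    if len(data) < 0x40:
        return "MZ header (truncated)"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "DOS MZ executable (no PE header)"
    # COFF file header (20 bytes, little-endian): Machine, NumberOfSections,
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader,
    # Characteristics.
    machine, nsections, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    kind = "DLL" if chars & IMAGE_FILE_DLL else "EXE"
    return f"PE {kind}, {MACHINE_NAMES.get(machine, hex(machine))}, {nsections} sections"


def identify(data: bytes) -> str:
    """Describe a file from its content only; the file name is never consulted."""
    if data[:2] == b"MZ":
        return describe_pe(data)
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown (no recognized signature)"


def mismatch(filename: str, data: bytes) -> bool:
    """True when the extension makes a claim that the content contradicts."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_CLAIMS.get(ext)
    return claimed is not None and not identify(data).startswith(claimed)


def report(filename: str, data: bytes) -> str:
    """One report line per file, with a flag when extension and content disagree."""
    line = f"{filename}: {identify(data)}"
    if mismatch(filename, data):
        line += "  <-- extension does not match content"
    return line


# Constructed samples: a 1x1 GIF89a header, and a synthetic PE whose DOS header
# points (e_lfanew = 0x40) at a 'PE\0\0' signature followed by a COFF header for
# an x64 image with 3 sections and Characteristics 0x2022 (EXECUTABLE | LARGE_ADDRESS_AWARE | DLL).
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00" * 7
SAMPLE_DLL = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
              + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x2022))

if __name__ == "__main__":
    for name, blob in [("suspiciousfile.bin", SAMPLE_GIF), ("photo.gif", SAMPLE_DLL),
                       ("kernel32.dll", SAMPLE_DLL)]:
        print(report(name, blob))
```

To use it on a seized directory, read the first few kilobytes of each file with `open(path, "rb").read(4096)` and pass the bytes to `report`; the first 64 bytes plus the PE header region are all that `identify` needs. Note that the extension check deliberately says nothing about extensions it does not know (such as .bin or .txt), so a renamed file is still reported by its real type without a false mismatch flag.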

It is important not to discount Quick View as simply a hexadecimal viewing tool. By choosing View | View As and then toggling a switch in the submenu, you can view the file in different modes. Figures 25-6 and 25-7 present an arbitrary GIF found in the Internet Explorer cache, viewed in GIF mode and in hexadecimal mode.


Figure 25-6: Quick View can display files in native format.

Figure 25-7: Quick View can display files as a hexdump.
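The hexadecimal mode shown in Figure 25-7 is the raw view an analyst falls back on when no native renderer applies. As an added example (not code from the original text or from Quick View Plus), the following Python function produces the same three-column layout a hex viewer uses: file offset, sixteen bytes in hex, and the printable ASCII for those bytes. The sample input is a constructed 35-byte 1x1 GIF89a image, so the "GIF89a" signature that a viewer keys on is visible in the first line.

```python
# Constructed sample: a complete 1x1-pixel GIF89a (header, logical screen
# descriptor, 2-colour palette, image descriptor, LZW data, trailer).
SAMPLE_GIF = (b"GIF89a"                          # signature + version
              b"\x01\x00\x01\x00\x80\x00\x00"    # 1x1, global colour table present
              b"\xff\xff\xff\x00\x00\x00"        # palette: white, black
              b",\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
              b"\x02\x02\x44\x01\x00"            # LZW min code size + one data block
              b";")                              # trailer


def hexdump(data: bytes, width: int = 16) -> list:
    """Render bytes as 'offset  hex bytes  ascii' lines, one per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part}  {ascii_part}")
    return lines


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE_GIF)))
```

The first output line reads `00000000  47 49 46 38 39 61 01 00 01 00 80 00 00 ff ff ff  GIF89a..........`; the six leading bytes are exactly the signature a content-based viewer matches before it ever looks at the file name.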


Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175
