The file Command




Although the file command shipped with most Unix installations is not itself a viewer, it is covered here because its basic uses complement the viewers discussed in the upcoming sections. Because the command ships with the open-source Unix operating systems (FreeBSD, Linux, and so on), its source code is readily available.

Implementation

The file command accepts one or more filenames as arguments. When run in the following manner,

forensic# file <filename>

the file command reads the leading bytes of the specified file (and, where a rule calls for it, bytes at other fixed offsets) and compares them against the signatures listed in the "magic" file. On most Unix operating systems the magic file is located somewhere beneath the /usr/share/ directory (such as /usr/share/misc/magic on FreeBSD), usually alongside a precompiled copy named magic.mgc. The magic file contains the signatures of many known file types, such as text files, executables, compressed files, and more. Because the match is made on content rather than on the filename or extension, a renamed file is reported by what it actually contains.

You may specify a magic file other than the default by using the -m switch:

forensic# file -m mymagicfile.txt <filename>

This command would use the file mymagicfile.txt in the current directory as the lookup table for the file signatures.

Here’s an example of the types of output the file command will provide:

forensic# file netcat.c
netcat.c: ASCII C program text, with CRLF line terminators
forensic# file nc.exe
nc.exe: MS Windows PE 32-bit Intel 80386 console executable not relocatable
forensic# file nc11nt.zip
nc11nt.zip: Zip archive data, at least v2.0 to extract
forensic# cd suspiciousfiles
forensic# file *
Finding Me.mp3:           mp3 file with ID3 2.0 tag
Finding Me.wma:           Microsoft ASF
Somebrowserimagefile.tif: mp3 file with ID3 2.0 tag

As the last line shows, the file command matches the contents of each file against the signatures in the magic file, not the filename: Somebrowserimagefile.tif is reported as an MP3 because that is what its bytes say it is. Because the magic file has matured greatly, file is quite accurate at identifying many file types, even those that are not native to Unix. Keep in mind, though, that a signature is only a few bytes at a known offset; a file with a forged or stripped header is reported as whatever its leading bytes resemble (or simply as "data"), so treat the output as a triage aid rather than as proof of what a file is.
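To make concrete what the magic lookup does, here is a small Python reimplementation of the idea. It is an added example, not code from the book and not libmagic. It parses a constructed magic database written in the same offset/type/test/message layout as the real magic file (so the -m case is simply a different rule set passed to the same lookup), applies it to constructed byte strings standing in for the files in the listing above, and goes one step beyond the page by flagging files whose extension disagrees with their content, as the renamed MP3 does. The rule set, the sample bytes, and the EXPECTED_BY_EXT table are all assumptions made for this example.

```python
"""Minimal reimplementation of the magic lookup behind file(1).

Added example: not the book's code and not libmagic. It parses a tiny subset
of the magic(5) line format ("offset type test message"; no '>' continuation
lines) and applies it to byte strings, the way file(1) applies its database
to the bytes of each file.
"""
import os
import struct

# Constructed magic database in magic(5)-like syntax: a handful of entries,
# not the real /usr/share/misc/magic.
MAGIC_TEXT = r"""
# offset  type     test        message
0         string   MZ          MS-DOS/Windows PE executable
0         string   PK\003\004  Zip archive data
0         string   ID3         MP3 audio with ID3v2 tag
0         string   II*\000     TIFF image data, little-endian
0         string   MM\000*     TIFF image data, big-endian
0         belong   0x7f454c46  ELF executable
0x438     leshort  0xef53      Linux ext2/3/4 filesystem
"""

# struct format for each numeric magic type we support
NUMERIC = {"byte": "B", "leshort": "<H", "beshort": ">H",
           "lelong": "<I", "belong": ">I"}


def parse_magic(text):
    """Turn magic lines into (offset, type, expected, message) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        offset, mtype, test, message = line.split(None, 3)
        if mtype == "string":
            # magic(5) string tests use C escapes such as \000 and \x89
            expected = test.encode("ascii").decode("unicode_escape").encode("latin-1")
        elif mtype in NUMERIC:
            expected = int(test, 0)          # accepts 0x..., 0o..., decimal
        else:
            raise ValueError("unsupported magic type: " + mtype)
        rules.append((int(offset, 0), mtype, expected, message))
    return rules


DEFAULT_RULES = parse_magic(MAGIC_TEXT)


def rule_matches(rule, data):
    """True if the bytes at the rule's offset equal the expected value."""
    offset, mtype, expected, _ = rule
    if mtype == "string":
        return data[offset:offset + len(expected)] == expected
    fmt = NUMERIC[mtype]
    if len(data) < offset + struct.calcsize(fmt):
        return False                         # file too short for this test
    return struct.unpack_from(fmt, data, offset)[0] == expected


def identify(data, rules=None):
    """file(1)-style description: first magic hit, else text check, else data."""
    for rule in DEFAULT_RULES if rules is None else rules:
        if rule_matches(rule, data):
            return rule[3]
    # No signature matched: approximate file(1)'s printable-text fallback.
    if data and all(b in b"\t\n\r" or 0x20 <= b < 0x7F for b in data):
        desc = "ASCII text"
        if b"\r\n" in data:
            desc += ", with CRLF line terminators"
        return desc
    return "data"


# Assumed mapping: extension -> substring the content description must contain.
EXPECTED_BY_EXT = {".exe": "PE executable", ".zip": "Zip archive",
                   ".mp3": "MP3 audio", ".tif": "TIFF image", ".c": "text"}


def mismatches(files, rules=None):
    """Names whose content signature disagrees with their extension."""
    bad = []
    for name, data in files.items():
        want = EXPECTED_BY_EXT.get(os.path.splitext(name)[1].lower())
        if want is not None and want not in identify(data, rules):
            bad.append(name)
    return bad


# Constructed sample contents echoing the book's listing (not real files).
MP3_HEAD = b"ID3\x03\x00\x00\x00\x00\x21\x76" + b"\xff\xfb" * 8
SAMPLES = {
    "nc.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + b"PE\x00\x00",
    "nc11nt.zip": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 16,
    "Finding Me.mp3": MP3_HEAD,
    "Somebrowserimagefile.tif": MP3_HEAD,   # an MP3 hiding behind .tif
    "netcat.c": b"#include <stdio.h>\r\nint main(void) { return 0; }\r\n",
    "sda1.img": b"\x00" * 0x438 + b"\x53\xef" + b"\x00" * 64,  # ext2 magic at 0x438
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {identify(data)}")
    print("extension/content mismatches:", mismatches(SAMPLES))
```

Running the block prints one description per sample and then the mismatch list, which contains only the renamed MP3. The ext2 rule at offset 0x438 is the same kind of offset-based test that lets file -s identify a partition in the next listing: the signature is not at byte 0, so a check that only inspects the first few bytes would miss it.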

With the -s switch, the file command reads the contents of block and character special files instead of merely reporting that they are devices, so it can identify the filesystem or boot sector stored on a partition, as shown here (without -s it would simply print "block special"; reading raw devices requires root, and on an evidence drive should be done through a write blocker or against an image):

# file -s /dev/sda{,1,2,3,4,5}
/dev/sda1:  Linux/i386 ext2 filesystem
/dev/sda2:  x86 boot sector, extended partition table
/dev/sda3:  can't read '/dev/sda3' (Device not configured).
/dev/sda4:  can't read '/dev/sda4' (Device not configured).
/dev/sda5:  Linux/i386 ext2 filesystem

The file command will be used when we observe files with the other viewers throughout this chapter.






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189
