THE FILE COMMAND

Although the file command used with most Unix installations does not activate a viewer, it's mentioned here because it's free and understanding its use builds an understanding of how several viewers discussed in the upcoming sections operate. Because the command is present on the open-source Unix operating systems (FreeBSD, Linux, and so on), the source code is also readily available.

Note 

Windows users can either run the file command from within Cygwin or use the GnuWin32 project utilities. Visit http://cygwin.com for Cygwin or http://gnuwin32.sourceforge.net for the GnuWin32 utilities.

Implementation

The file command accepts a filename as an argument. When run in the following manner,

 forensic# file <filename> 

the file command looks up the headers and other properties of the specified file in the "magic" file. The magic file on most Unix operating systems is located somewhere beneath the /usr/share/ directory (such as /usr/share/misc/magic on FreeBSD). The magic file contains the signatures of many known files, such as text files, executables, compressed files, and more.

You may specify a magic file other than the default by using the -m switch:

 forensic# file -m mymagicfile.txt <filename> 

This command would use the file mymagicfile.txt in the current directory as the lookup table for the file signatures.

Here's an example of the types of output the file command will provide:

 forensic# file netcat.c
 netcat.c: ASCII C program text, with CRLF line terminators
 forensic# file nc.exe
 nc.exe: MS Windows PE 32-bit Intel 80386 console executable not relocatable
 forensic# file nc11nt.zip
 nc11nt.zip: Zip archive data, at least v2.0 to extract
 forensic# cd suspiciousfiles
 forensic# file *
 Finding Me.mp3: mp3 file with ID3 2.0 tag
 Finding Me.wma: Microsoft ASF
 Somebrowserimagefile.tif: mp3 file with ID3 2.0 tag

As you can see, the file command simply matches each file's contents against the signatures found in the magic file. Because the magic file has matured greatly, the file command is quite accurate in identifying many file types, even those that are not native to Unix.

Notice the use of the wildcard "*" to test all files in the current directory. In the following example, a user tried to hide two files, mosaic and recore, by giving them the .dll extension. The files turned out to be GIF images.

 forensic# file *
 file.exe; MS Windows PE Intel 80386 console executable not relocatable
 magic1.dll; MS Windows PE Intel 80386 console DLL
 mosaic.dll; GIF image data, version 89a, 360 x 273
 pcre.dll; MS Windows PE Intel 80386 console DLL
 recore.dll; GIF image data, version 89a, 216 x 154
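The check the file command performs in that listing, reading a file's leading bytes and matching them against a signature table instead of trusting the extension, is easy to reproduce in a few lines. The following is an added example, not code from the book or from the file utility: the signature table, the extension expectations and the sample files are all constructed for the demonstration, and a real magic file carries far more entries.

```python
import os
import tempfile

# Constructed signature table (offset, magic bytes, description). Modelled on the
# kind of entries a magic file holds; not copied from any real magic file.
SIGNATURES = [
    (0, b"GIF89a", "GIF image data, version 89a"),
    (0, b"GIF87a", "GIF image data, version 87a"),
    (0, b"MZ", "MS Windows PE executable (MZ header)"),
    (0, b"PK\x03\x04", "Zip archive data"),
    (0, b"ID3", "mp3 file with ID3 2.0 tag"),
]

# Description prefix we expect for a given extension (an assumption for this demo).
EXPECTED = {".gif": "GIF image", ".dll": "MS Windows PE", ".exe": "MS Windows PE",
            ".zip": "Zip archive", ".mp3": "mp3 file"}

def identify(data):
    """Return the description of the first signature found at its offset, else 'data'."""
    for offset, magic, desc in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return desc
    return "data"

def check_extension(name, data):
    """Return (description, mismatch). mismatch is True when the content type
    contradicts the extension, as with mosaic.dll and recore.dll above.
    Unknown content ('data') behind a known extension is also flagged."""
    desc = identify(data)
    expected = EXPECTED.get(os.path.splitext(name)[1].lower())
    mismatch = expected is not None and not desc.startswith(expected)
    return desc, mismatch

def scan_directory(path):
    """Emulate `file *`: identify every regular file in path by its leading bytes."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                results[name] = check_extension(name, fh.read(64))
    return results

if __name__ == "__main__":
    # Constructed sample files: a DLL-like MZ header and a GIF hidden behind .dll.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "pcre.dll"), "wb") as fh:
            fh.write(b"MZ\x90\x00" + b"\0" * 60)
        with open(os.path.join(d, "mosaic.dll"), "wb") as fh:
            fh.write(b"GIF89a" + b"\0" * 58)
        for name, (desc, bad) in scan_directory(d).items():
            print(f"{name}: {desc}{'  <-- extension mismatch' if bad else ''}")
```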

The file command can even recognize Unix devices, as shown here:

 # file -s /dev/sda{,1,2,3,4,5}
 /dev/sda1: Linux/i386 ext2 filesystem
 /dev/sda2: x86 boot sector, extended partition table
 /dev/sda3: can't read '/dev/sda3' (Device not configured).
 /dev/sda4: can't read '/dev/sda4' (Device not configured).
 /dev/sda5: Linux/i386 ext2 filesystem

The file command will be used when we observe files with the other viewers throughout this chapter.



Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175
