SecureArtisan

My Road to Digital Forensics Excellence

Enscript treat – dynamic signature checking

Posted by Paul Bobby on March 19, 2010

For a while, Enscript writers did not have access to signature-checking mechanisms from within the Enscript framework: you had to kick off a signature analysis first, then run your script against the predetermined signature criteria. This restriction was lifted in version 6, and when writing my Log2timeline enscript I discovered that the example code for generating this type of dynamic signature check was incorrect.

Here is the correct code. If you would like to test it, add some evidence to your case, manually select several ZIP files and several non-ZIP files, then run the script. The Console will show which ones have valid ZIP signatures based on the magic bytes and the file extension. This sample code will be used within my Log2timeline enscript as a means of verifying input data prior to bookmarking.

class MainClass {
  void Main(CaseClass c) {
    SearchClass search();
    SearchClass::SigClass sig();
    uint sigOptions = SearchClass::CHECKSIG;
    String fileSigStr;

    FileSignatureClass myFileSignatureTree();
    FileTypeClass myFileTypeTree();

    // Signature: the ZIP local file header magic, bytes 50 4B 03 04 ("PK\x03\x04")
    FileSignatureClass fileSig();
    fileSig.SetExpression("\\x50\\x4B\\x03\\x04");
    myFileSignatureTree.Insert(fileSig, NodeClass::INSERTLAST, myFileSignatureTree.FirstChild());

    // File type: associate the ZIP extension with that signature
    FileTypeClass fileType();
    fileType.SetExtensions("ZIP");
    myFileTypeTree.Insert(fileType, NodeClass::INSERTLAST, myFileTypeTree.FirstChild());

    forall (EntryClass e1 in c.EntryRoot()) {
      if (e1.IsSelected()) { // For testing, select several ZIP files and non-zip files
        if (search.Create(myFileSignatureTree, myFileTypeTree)) {
          // Check this entry's header against the signature/file-type trees built above
          search.CheckSignature(e1, sig, sigOptions);
          // Result type as text, e.g. "MATCH"
          fileSigStr = SearchClass::SigClass::Types::SourceText(sig.Type());
          if (fileSigStr.Compare("MATCH") == 0)
            Console.WriteLine("Signature Match: " + e1.FullPath());
          else
            Console.WriteLine("Bad Signature for file: " + e1.FullPath());
        }
      }
    }
  }
}


3 Responses to “Enscript treat – dynamic signature checking”

  1. Paul,

    A few things:

    1. You should move the call to SearchClass::Create() above the forall() loop. Create() is a relatively expensive operation, but it only needs to be called once. This can have a big impact on performance when running over a case with a lot of entries.

    2. Rather than using SourceText() to get the string tag of the enum, why not compare the enum value directly? Simpler and faster. Admittedly, it probably won’t make any perceptible difference, but it’s less code to maintain.

    3. IIRC (and watch out, I’m getting rusty), a signature is only considered “bad” when the file extension is associated with a pattern that doesn’t match the file’s actual header. It’s tough getting away from thinking in terms of “good/bad” with signature analysis, but the task is a bit more complex–hence, the different enum values.

    Jon

  2. gleeda said

    For (3), mentioned by Jon above, a file signature is considered “Bad” if the file extension is known, but the header is incorrect and not in the file signature table. If a file extension doesn’t match its header but the header is in the file signature table it will have an asterisk next to it like *[file type].

  3. Paul Bobby said

    Thanks for the comment – in this case I’m not really trying to determine if a signature is bad/aliased etc, just if it’s good. I’m looking more for the positive outcome rather than accounting for all outcomes. But I can understand the confusion with the example, it will be better if I just drop the else statement and move on.
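As an added example that is not part of the post or of EnCase, here is a Python model of the outcomes a signature check like the script above can produce, using the semantics described in the post and refined in Jon's and gleeda's comments (match, alias shown as *[type], bad, unknown). The signature table, the sample file headers and the names `check_signature` and `is_zip` are constructed for illustration; only `is_zip` reproduces the positive-only test the script makes.

```python
from enum import Enum
from typing import Optional, Tuple

class SigResult(Enum):
    MATCH = "MATCH"      # extension's expected header found at offset 0
    ALIAS = "ALIAS"      # header belongs to a different known type (*[type] in EnCase)
    BAD = "BAD"          # extension known, but header matches nothing in the table
    UNKNOWN = "UNKNOWN"  # extension not in the table and header matches nothing

# Constructed signature table: file type -> (extensions, magic bytes at offset 0).
# The ZIP entry is the same 50 4B 03 04 pattern the EnScript registers.
SIGNATURE_TABLE = {
    "ZIP":  ({"zip"}, b"\x50\x4B\x03\x04"),
    "PDF":  ({"pdf"}, b"%PDF-"),
    "PNG":  ({"png"}, b"\x89PNG\r\n\x1a\n"),
    "JPEG": ({"jpg", "jpeg"}, b"\xff\xd8\xff"),
}

def check_signature(name: str, header: bytes) -> Tuple[SigResult, Optional[str]]:
    """Classify a file by comparing its extension against its leading bytes.
    Returns (result, matched_type); matched_type is None for BAD and UNKNOWN."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    header_type = next((t for t, (_, magic) in SIGNATURE_TABLE.items()
                        if header.startswith(magic)), None)
    ext_known = any(ext in exts for exts, _ in SIGNATURE_TABLE.values())
    if header_type is not None and ext in SIGNATURE_TABLE[header_type][0]:
        return SigResult.MATCH, header_type
    if header_type is not None:
        return SigResult.ALIAS, header_type   # e.g. a ZIP renamed to .dat
    if ext_known:
        return SigResult.BAD, None            # a .zip that does not start with PK..
    return SigResult.UNKNOWN, None

def is_zip(name: str, header: bytes) -> bool:
    """The positive-only test the post is after: the extension says ZIP and the
    header agrees. Only a MATCH counts; ALIAS, BAD and UNKNOWN all fall through."""
    result, matched = check_signature(name, header)
    return result is SigResult.MATCH and matched == "ZIP"

# Constructed sample entries: (name, first bytes of the file).
SAMPLE_ENTRIES = [
    ("report.zip", b"PK\x03\x04\x14\x00"),    # MATCH
    ("backup.dat", b"PK\x03\x04\x0a\x00"),    # ALIAS: ZIP content under a .dat name
    ("notes.zip",  b"plain text, no magic"),  # BAD: known extension, unknown header
    ("blob.bin",   b"\x00\x01\x02\x03"),      # UNKNOWN
]

if __name__ == "__main__":
    for name, head in SAMPLE_ENTRIES:
        result, matched = check_signature(name, head)
        print(f"{name:12} {result.value:8} {matched or '-'}")
```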
