Verify File Types

WinHex & X-Ways

Part of volume snapshot refinement.

 

A forensic license allows you to verify file types based on signatures and various algorithms, i.e. to detect filename/file type mismatches in all files in the volume snapshot except those whose original first cluster is known to be no longer available. For example, if someone has concealed an incriminating JPEG picture by naming it "invoice.xls" (wrong filename extension), the recognized file type "jpg" is stated in the Type column of the directory browser. For more information see the description of the columns Type and Status. The file signatures and extensions used for mismatch detection are defined in the accompanying file type definition files, which you may fully customize. It is the same database that is also used for file header signature searches.

Please note that the link between the current data in a free cluster and a deleted file that was previously stored in that cluster, and its filename, is weak, so a discrepancy between filename extension and detected type can simply be the natural result of the cluster having been reallocated to a totally different file in the meantime. If you wish to repeat the file type verification, e.g. after editing the file type signature database, be sure to check the Again option. For the status of the Type column of the directory browser, see the "Type status" column.

 

Most self-extracting .exe archives are internally detected by the file signature check, too. They are classified as the file type "sfx" and assigned to the category "Archives" so that they can be specifically targeted. This prevents compressed files in such archives from going entirely unnoticed in an investigation. .exe archives with Zip compression can be viewed in Preview mode; other self-extracting archives need to be copied off the image and opened with an appropriate tool such as WinRAR or 7-Zip.
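
The extension-versus-signature comparison and the "sfx" classification described above, as an added Python example; it is not part of the X-Ways documentation and does not reproduce X-Ways' own algorithms or file type definition files. The signature table, the status labels, the ZIP end-of-central-directory heuristic and the sample byte strings are all constructed for illustration.

```python
# Constructed signature table: (type label, header magic, extensions that fit it).
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", {"jpg", "jpeg", "jpe"}),
    ("png", b"\x89PNG\r\n\x1a\n", {"png"}),
    ("pdf", b"%PDF-", {"pdf"}),
    ("ole2", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msi"}),
    ("zip", b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    ("exe", b"MZ", {"exe", "dll", "sys"}),
]
ZIP_EOCD = b"PK\x05\x06"      # ZIP end-of-central-directory record signature
EOCD_WINDOW = 22 + 0xFFFF     # EOCD record size plus maximum comment length

# Constructed sample "files": name -> first bytes (not real evidence data).
SAMPLES = {
    "invoice.xls": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "holiday.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 32,
    "setup.exe": b"MZ" + b"\x00" * 62 + b"PK\x03\x04" + b"\x00" * 26
                 + ZIP_EOCD + b"\x00" * 18,
    "notes.txt": b"plain text, no signature",
}

def detect_type(data: bytes):
    """Return the signature-based type label, or None if no signature matches."""
    for label, magic, _ in SIGNATURES:
        if data.startswith(magic):
            # Heuristic (assumption): MZ header plus a ZIP directory near the end.
            if label == "exe" and ZIP_EOCD in data[-EOCD_WINDOW:]:
                return "sfx"
            return label
    return None

def verify(name: str, data: bytes):
    """Compare the filename extension with the detected type; return (type, status)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = detect_type(data)
    if detected is None:
        return ext or None, "unknown"          # nothing to verify against
    if detected == "sfx":
        return detected, "confirmed" if ext == "exe" else "mismatch"
    allowed = next(exts for label, _, exts in SIGNATURES if label == detected)
    return detected, "confirmed" if ext in allowed else "mismatch"

def scan(samples):
    return {name: verify(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, (ftype, status) in scan(SAMPLES).items():
        print(f"{name:12} type={ftype!s:5} status={status}")
```

A mismatch found this way on a deleted file carries the same caveat as above: the cluster may since have been reallocated to a different file.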

 

The file signature check also reveals hybrid MS Office files, i.e. merged MS Word and MS Excel documents that can be opened in both applications, showing different contents. A notice in the messages window will be displayed, and any detected files will be associated with a special report table. Hybrid MS Office files are a clever attempt to conceal the contents of one of the merged documents.