Digital Forensic News & Events
Bringing investigators digital forensics and cybersecurity related news from around the world. #AllinForensics


 


How to Add a Custom File Type to an ADF Search Profile

Posted by Richard T. Frawley on April 10, 2019

When conducting an investigation, it is important to be flexible and follow the direction of your investigation with as few obstacles as possible. If your examination turns up a new file type, such as a video generated by a handheld camera or a proprietary file created by a unique piece of software, you want to be able to search for or collect these file types right away, either on-scene or back in the lab.

With ADF software, you can immediately add a custom file type to your library and have it available not only for the current case but for any future cases that arise. This allows for file detection by:

  • File extension
  • File header
  • File name and file header (for those files that do not have extensions but share a common header)

The header byte sequence, also known as the file header, file signature, or magic number, is a sequence of bytes, typically at the beginning of the file data, that defines the type of file and its application association, and in most cases it will match the file extension. For example, the file signature \x25\x50\x44\x46 (%PDF) identifies an Adobe PDF file, which will have the extension .pdf.

One of the problems that forensic investigators face is that you cannot always rely on the extension indicating the true content of the file, whether because of user manipulation or because of applications changing the extension for their own purposes.

When creating a new file type, it is always best to enter the header byte sequence for proper identification, as well as the file extension.

  • Fast identification - Identifies file types using the file extension only
  • Thorough identification for files without extensions - Uses file signature analysis to identify files that have no file extension and fast identification on those that do (also referred to as Speed Optimized)
  • Thorough identification for all files - Uses file signature analysis to identify all files. This will increase the time the scan takes to run

Completely entering the information when creating a new file type will ensure that you get the most from your file identification.
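
The three identification levels above, as an added Python example (not ADF code and not part of the original post): it checks constructed sample files against a small type library by extension and by header. The mode labels, the "CamClip" type and its CCV1 header are assumptions made for the illustration.

```python
import os
import tempfile

# Constructed library: type name -> (extensions, header byte sequence).
# The PDF signature is the one quoted above; "CamClip" and its "CCV1"
# header are a hypothetical proprietary camera format for this example.
FILE_TYPES = {
    "Adobe PDF": ({".pdf"}, b"\x25\x50\x44\x46"),
    "CamClip video": ({".ccv"}, b"CCV1"),
}
MODES = ("fast", "thorough_no_ext", "thorough_all")  # labels assumed here

def by_extension(path):
    ext = os.path.splitext(path)[1].lower()
    return next((n for n, (exts, _) in FILE_TYPES.items() if ext in exts), None)

def by_header(path):
    with open(path, "rb") as fh:
        head = fh.read(max(len(sig) for _, sig in FILE_TYPES.values()))
    return next((n for n, (_, sig) in FILE_TYPES.items() if head.startswith(sig)), None)

def identify(path, mode):
    has_ext = bool(os.path.splitext(path)[1])
    # Fast: extension only. Speed optimized: header only when no extension.
    if mode == "fast" or (mode == "thorough_no_ext" and has_ext):
        return by_extension(path)
    return by_header(path)  # thorough_all: every file is read

def demo():
    samples = {  # constructed sample files
        "report.pdf": b"%PDF-1.7\n",
        "clip0001": b"CCV1\x00\x00frame",  # no extension
        "holiday.jpg": b"%PDF-1.4\n",      # PDF renamed to .jpg
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for fname, data in samples.items():
            path = os.path.join(d, fname)
            with open(path, "wb") as fh:
                fh.write(data)
            results[fname] = {m: identify(path, m) for m in MODES}
    return results

if __name__ == "__main__":
    for fname, r in demo().items():
        print(f"{fname:12} {r}")
```

The renamed PDF is only recognized when every file's header is read, and the extensionless clip is missed by the extension-only pass, which is why entering both the extension and the header for a custom type matters.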
