When conducting an investigation, it is important to be flexible and follow the direction of your investigation with as few obstacles as possible. If your examination turns up a new file type, such as a video generated by a handheld camera or a proprietary file created by a unique piece of software, you want to be able to search for or collect these file types right away, either on-scene or back in the lab.
With ADF software, you can immediately add a custom file type to your library and have it for not only the current case but for any future cases that arise. This allows for file detection by
The header byte sequence, also known as the file header, file signature, or magic number, is a sequence of bytes, typically at the beginning of the file data, that defines the type of file and its application association, and in most cases will match the file extension. For example, the file signature \x25\x50\x44\x46 (%PDF) identifies an Adobe PDF file, which will have the extension .pdf.
One of the problems forensic investigators face is that you cannot always rely on the extension to indicate the true content of the file, whether because of user manipulation or because applications change the extension for their own purposes.
When creating a new file type, it is always best to enter the header byte sequence for proper identification, as well as the file extension.
Completely entering the information when creating a new file type will ensure that you get the most from your file identification.
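An added example, not ADF's software or code from the original article: a Python checker that compares each file's header byte sequence against a signature library and reports files whose extension disagrees with the detected type. The `ExampleCam video` type, its `XCAM` header and the `.xcv` extension are constructed for illustration, as are the sample files; the MP4 entry shows a header that sits at an offset rather than at byte 0.

```python
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class FileType:
    name: str
    header: bytes        # header byte sequence (magic number)
    extensions: tuple    # extensions normally paired with it
    offset: int = 0      # header position; usually the start of the file

LIBRARY = [
    FileType("PDF", b"\x25\x50\x44\x46", (".pdf",)),
    FileType("PNG", b"\x89PNG\r\n\x1a\n", (".png",)),
    FileType("JPEG", b"\xff\xd8\xff", (".jpg", ".jpeg")),
    FileType("MP4", b"ftyp", (".mp4", ".m4v"), offset=4),
    # Constructed custom type for a hypothetical camera format (not a real one).
    FileType("ExampleCam video", b"XCAM\x00\x01", (".xcv",)),
]

def identify(data, library=LIBRARY):
    """Return the FileType whose header matches the leading bytes, or None."""
    # Longest header first, so a short signature cannot shadow a longer one.
    for ft in sorted(library, key=lambda t: len(t.header), reverse=True):
        end = ft.offset + len(ft.header)
        if len(data) >= end and data[ft.offset:end] == ft.header:
            return ft
    return None

def check_file(path, library=LIBRARY):
    """Return (verdict, detected type name, extension) for one file."""
    need = max(t.offset + len(t.header) for t in library)
    with open(path, "rb") as fh:
        data = fh.read(need)  # only the leading bytes are needed
    ext = os.path.splitext(path)[1].lower()
    ft = identify(data, library)
    if ft is None:
        return ("unknown", None, ext)
    return ("match" if ext in ft.extensions else "mismatch", ft.name, ext)

if __name__ == "__main__":
    # Constructed sample files: name -> leading bytes.
    samples = {"report.pdf": b"%PDF-1.7\n", "notes.txt": b"%PDF-1.7\n",
               "holiday.jpg": b"\x00\x00\x00\x18ftypmp42", "clip.xcv": b"XCAM\x00\x01.."}
    with tempfile.TemporaryDirectory() as d:
        for name, head in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(head)
            print(name, check_file(path))
```

A `mismatch` verdict means the header identifies a known type but the extension is not one normally associated with it; `unknown` means no header in the library matched, which is the case a newly added custom type is meant to close.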