Determine file types.

eigen

Diamond Member
Nov 19, 2003
4,000
1
0
This question was posed on my local LUG and we dont seem to be getting anywhere any thoughts

"

I have a file that I recovered during a forensics investigation that I'm
trying to view. The original extension is .doc, but it's not a word
document. It might not be a text document at all, but rather a picture,
spreadsheet, executable... who knows.

How can I figure out what kind of file this is? More importantly, how can I
actually view it's contents? I've tried the file command in Linux, but it
just says data. I've also tried opening the file with OpenOffice, a picture
viewer, Mozilla, etc., but that's not helping.

"
 

MrChad

Lifer
Aug 22, 2001
13,507
3
81
You could whip up a C# program that calls IE's FindMimeFromData command (see link under urlmon). That might give you some insight.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Strings maybe? Not sure if that will pick anything up for a non-compiled file though...

You can check the magic file to see why file labels it as "data."
 

eigen

Diamond Member
Nov 19, 2003
4,000
1
0
The string commaned has already been suggested
What is this majic file?
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: eigen
The string commaned has already been suggested
What is this majic file?

In Solaris it's /etc/magic . The file command refers to it to help determine what the file really is.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
You can check the magic file to see why file labels it as "data."

Because that's the default when it can't determine what type it is.

Personally, I would guess that he didn't really recover the file he thought he did, it's probably just random data.