File

From Forensics Wiki
Revision as of 11:32, 3 June 2007 by Chrislee35

File is a command-line tool that attempts to identify the type and format of the data in a file. It runs three tests in a fixed order: filesystem, magic number, and language. The result of the first test that finds a match is returned. These heuristics are fairly simplistic and can easily be fooled.

The filesystem test examines the file type and name of the file under examination, looking for execution flags and common filenames like core. The magic number test examines the first few bytes of a file in order to identify its type. The language test checks whether the file is a text file and attempts to determine which encoding the text uses.
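As an added illustration of the three-test order described above (not code from this wiki page or from file(1) itself), the following Python sketch runs the same sequence over a constructed four-entry signature table; the decode-based language test is a deliberate simplification of file's real text heuristics. Because the magic test runs before the language test, a plain text file that happens to begin with "%PDF-" is reported as a PDF document, which is exactly the kind of easy fooling the text warns about.

```python
import os
import stat

# Constructed magic-number table: a tiny subset of the signatures file(1) ships.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "PNG image data"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "Zip archive data"),
]

def filesystem_test(path):
    """Test 1: classify from lstat() alone, before reading any bytes."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "symbolic link to " + os.readlink(path)
    if stat.S_ISDIR(st.st_mode):
        return "directory"
    if st.st_size == 0:
        return "empty"
    return None

def magic_test(head):
    """Test 2: match the leading bytes against known signatures."""
    for sig, desc in MAGIC:
        if head.startswith(sig):
            return desc
    return None

def language_test(head):
    """Test 3: decide whether the bytes look like text and guess the encoding."""
    if head[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return "UTF-16 Unicode text"
    for enc, desc in (("ascii", "ASCII text"), ("utf-8", "UTF-8 Unicode text")):
        try:
            head.decode(enc)
            return desc
        except UnicodeDecodeError:
            continue
    return "data"  # neither a known signature nor decodable text

def identify(path):
    """Run the three tests in order; the first one that matches wins."""
    result = filesystem_test(path)
    if result is not None:
        return result
    with open(path, "rb") as fh:
        head = fh.read(512)
    return magic_test(head) or language_test(head)
```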

Other things I'd like to see on this page are: command-line usage, examples, and uses for forensic investigation.