File Extensions and Programs
Now and again in the lists, you'll see a post asking about a file extension, and what program it "belongs" to or what it does. Many times the way to determine some information about the file extension may be to search via Google of the Filext.com site. However, if you found the file while analyzing an acquired image, you already have the information you need at your finger tips, right there in the Registry within the image. The Registry maintains a list of file associations; that is, file extensions for installed applications, associated with the programs that should be used to open them. These are maintained for the system, as well as the user.
File extensions are the basis of traditional file signature analysis, where the file signature (usually a "magic number" within the first 20 bytes of the file) is compared to a set of known file extensions associated with that particular type of file. When a match is found, nothing happens...that's to be expected. However, when there's a mismatch...either a new file extension, or a new file extension and "magic number" combination...there should be a flag of some kind to notify the analyst.
I blogged on file associations over a year ago...sometimes circling back around to the older stuff is a good thing, can be very useful, and can remind us of things that might not have been useful at the time. So, the next time you run across an odd file extension, try taking a look at the Registry within the image; perform a little Registry analysis and post your findings to the list, rather than posting a question...because folks are just going to be asking you, "what did you find through Registry analysis?"
File extensions are the basis of traditional file signature analysis, where the file signature (usually a "magic number" within the first 20 bytes of the file) is compared to a set of known file extensions associated with that particular type of file. When a match is found, nothing happens...that's to be expected. However, when there's a mismatch...either a new file extension, or a new file extension and "magic number" combination...there should be a flag of some kind to notify the analyst.
I blogged on file associations over a year ago...sometimes circling back around to the older stuff is a good thing, can be very useful, and can remind us of things that might not have been useful at the time. So, the next time you run across an odd file extension, try taking a look at the Registry within the image; perform a little Registry analysis and post your findings to the list, rather than posting a question...because folks are just going to be asking you, "what did you find through Registry analysis?"