CHFI (312-49) Digital Forensics Simulation
Master data carving and file signature analysis. This simulation trains you to identify file types from raw hexadecimal headers extracted from unallocated disk space.
Investigation Scenario
A corporate fraud investigation is underway in Denver, Colorado. The primary suspect, a financial controller, reportedly attempted to permanently erase critical financial ledgers and communications prior to an unexpected internal audit.
The incident response team secured the suspect's workstation and acquired a bit-stream image (E01 format) of the primary NTFS volume. During the Examination phase, the forensic analyst ran data carving tools against the unallocated space to recover deleted files that bypass the Master File Table (MFT).
Evidence Collected
Fragment 1 (raw header bytes):
D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 ...
# Hex View Strings Analysis of Fragment 1:
... W.o.r.d.D.o.c.u.m.e.n.t ...
Fragment 2 (raw header bytes):
25 50 44 46 2D 31 2E 34 ...
# ASCII Translation:
%PDF-1.4
Question
Question 21: During a fraud investigation in Denver, Colorado, two carved fragments are found: one begins with D0 CF 11 E0 A1 B1 1A E1, and another begins with %PDF. Hex view of the first fragment later reveals a stream labeled WordDocument. Which file type is most likely associated with the D0 CF 11 E0 A1 B1 1A E1 signature?
A. Microsoft Word document (.doc)
B. PDF document
C. Microsoft Excel workbook (.xls)
D. Microsoft Word document (.docx)
D0 CF 11 E0 A1 B1 1A E1 (often remembered as "DOCFILE") denotes an OLE Compound File (CFB). To determine which specific legacy Office application created it, examine the internal stream names discovered via strings/hex analysis.
Expert Analysis
1. What evidence shows:
The forensic tool carved two data fragments from unallocated space. Fragment 1 starts with the hex signature D0 CF 11 E0 A1 B1 1A E1 and contains a WordDocument stream. Fragment 2 starts with the ASCII equivalent of %PDF.
2. Identify forensic stage:
Examination & Analysis - Specifically involving Data Carving (extracting files based on headers/footers independent of the filesystem) and File Signature Verification.
3. Why correct answer is correct (A):
The signature D0 CF 11 E0 A1 B1 1A E1 belongs to the Microsoft OLE Compound File (CFB) format, acting like a miniature filesystem. Because both legacy Word (.doc) and legacy Excel (.xls) use this exact same header, the investigator must analyze the inner streams. The presence of the WordDocument stream decisively proves the fragment is a Microsoft Word Document (.doc).
4. Why others are wrong:
- B (PDF): A PDF header is 25 50 44 46 (ASCII: %PDF), which aligns with Fragment 2, not Fragment 1.
- C (.xls): While an Excel workbook uses the exact same OLE CFB header, its internal streams would be labeled Workbook or Book, not WordDocument.
- D (.docx): Modern Office documents are Office Open XML formats (essentially ZIP archives) and begin with the standard ZIP local file header 50 4B 03 04 (ASCII: PK).
5. Real-world forensic action:
In practice, suspects frequently change file extensions (e.g., renaming ledger.xls to system.dll) to hide data. Digital forensics investigators never rely on extensions. They use hex editors (like WinHex) or automated carving utilities (like Scalpel or Foremost) to identify the true file type via magic numbers, and then parse the OLE structure to extract the raw data for evidence preservation.
MINI LESSON: Artifact Interpretation Workflow
- File Signatures (Magic Numbers): Constant byte values at the start of a file that software and forensic tools use to identify the file format, independent of the file extension.
- Data Carving: The technique of recovering files based on headers and footers when MFT/FAT filesystem pointers are destroyed.
- OLE CFB Analysis: Legacy Office files are composite files. Extracting evidence from them requires parsing the internal directory streams to differentiate a spreadsheet from a text document.
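The following script is an added illustration of the three workflow steps above and of step 3 of the Expert Analysis; it is not the simulation's own tooling or the output of Scalpel, Foremost or WinHex. It carves fragments from a constructed "unallocated space" byte string by header (and footer, where the format has one), identifies each fragment by magic number rather than by extension, and refines an OLE CFB hit by searching for the UTF-16LE stream names (WordDocument, Workbook, Book) that a hex view shows as W.o.r.d.D.o.c.u.m.e.n.t. The sample image, the MAX_CARVE cap and the label strings are all assumptions made for the example.

```python
"""Header/footer carving and magic-number identification on a constructed
unallocated-space blob. Added illustration; not the simulation's tooling."""
from __future__ import annotations

# Magic numbers the carver recognises. 'footer' is None where the format has no
# reliable trailer, so the carve is cut at the next header or at MAX_CARVE.
SIGNATURES = {
    "ole_cfb": {"header": bytes.fromhex("D0CF11E0A1B11AE1"),
                "footer": None, "label": "OLE Compound File (CFB)"},
    "pdf":     {"header": b"%PDF", "footer": b"%%EOF", "label": "PDF document"},
    "zip":     {"header": bytes.fromhex("504B0304"),
                "footer": None, "label": "ZIP archive (possible .docx/.xlsx)"},
}
MAX_CARVE = 4096  # hypothetical cap for footer-less formats (assumption)

# OLE directory stream names appear in a hex view as UTF-16LE
# (W.o.r.d.D.o.c.u.m.e.n.t); they tell legacy Word and Excel apart.
OLE_STREAMS = [
    ("WordDocument", "Microsoft Word document (.doc)"),
    ("Workbook", "Microsoft Excel workbook (.xls)"),
    ("Book", "Microsoft Excel workbook, BIFF5 (.xls)"),
]


def classify_ole(fragment: bytes) -> str:
    """Refine an OLE CFB fragment by the application stream it contains."""
    for stream, label in OLE_STREAMS:
        if stream.encode("utf-16-le") in fragment:
            return label
    return "OLE Compound File (application undetermined)"


def identify(fragment: bytes) -> str:
    """Name the file type from the leading bytes, never from an extension."""
    for name, sig in SIGNATURES.items():
        if fragment.startswith(sig["header"]):
            return classify_ole(fragment) if name == "ole_cfb" else sig["label"]
    return "unknown"


def find_headers(image: bytes) -> list[tuple[int, str]]:
    """All (offset, signature name) header hits, sorted by offset."""
    hits = []
    for name, sig in SIGNATURES.items():
        off = image.find(sig["header"])
        while off != -1:
            hits.append((off, name))
            off = image.find(sig["header"], off + 1)
    return sorted(hits)


def carve(image: bytes) -> list[dict]:
    """Carve fragments from raw bytes with no filesystem (MFT) metadata."""
    hits = find_headers(image)
    carved = []
    for i, (off, name) in enumerate(hits):
        sig = SIGNATURES[name]
        next_hdr = hits[i + 1][0] if i + 1 < len(hits) else len(image)
        end = None
        if sig["footer"] is not None:
            f = image.find(sig["footer"], off + len(sig["header"]))
            if f != -1:
                end = f + len(sig["footer"])
        if end is None:  # footer-less format, or the footer was overwritten
            end = min(next_hdr, off + MAX_CARVE, len(image))
        fragment = image[off:end]
        carved.append({"offset": off, "length": len(fragment),
                       "type": identify(fragment)})
    return carved


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': a .doc fragment, a small PDF and a
    ZIP-based Office file, separated by wiped (zeroed) bytes."""
    doc = (SIGNATURES["ole_cfb"]["header"] + b"\x00" * 16
           + "WordDocument".encode("utf-16-le") + b"\x00" * 32)
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    docx = SIGNATURES["zip"]["header"] + b"\x00" * 26 + b"[Content_Types].xml"
    gap = b"\x00" * 64
    return gap + doc + gap + pdf + gap + docx + gap


if __name__ == "__main__":
    for item in carve(build_sample_image()):
        print(f"offset {item['offset']:5d}  length {item['length']:4d}  {item['type']}")
```

Two points worth noting from the run. The PDF is cut cleanly at its %%EOF trailer, but the OLE and ZIP fragments have no footer, so the carve runs on into the following wiped gap until the next header or the size cap; this over-carving is exactly why production tools parse format-internal structure (the CFB sector and FAT layout, the ZIP central directory) to recover the true length. And the .doc verdict comes only from the WordDocument stream inside the fragment, which is the same reasoning the question relies on: the eight-byte header alone would leave Word and Excel indistinguishable.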