Bug #149
DFF fails to properly identify some file signatures
| Status: | New | Start date: | 10 Nov 2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
Description
While using DFF to solve exercise 102 File Signature Analysis from the 2011 DC3 Forensics Challenge, DFF failed to properly identify files, as follows:
| File | Magic Nbr | DFF | Actual |
|---|---|---|---|
| 06 | 78 | VAX COFF executable not stripped - version 16959 | Mac OS X Disk Copy Disk Image file |
| 11 | D0 CF 11 E0 A1 B1 1A E1 | CDF V2 Document, corrupt: Can't read SAT | MS Word document |
It looks like the /usr/share/misc/magic file is outdated. Maybe DFF needs to resort to some other library/framework in order to identify more file types.
Nautilus 2.30.1 properly identifies file 11 as a Word document, so it may be using some other tool for file type identification.
History
Updated by sja 6 months ago
Even if this is not straightforward, 'CDF V2 Document' corresponds to an MS Word document. So we can't say that the magic library didn't identify the document well.
As you can plug different type detection libraries into DFF, we are open to other libraries to replace or to complement the lib magic if you know a good one.
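
The magic number D0 CF 11 E0 A1 B1 1A E1 reported for file 11 marks the Compound File container that legacy Word, Excel and PowerPoint files share, so telling them apart means reading the container's directory. The sketch below is an added example, not part of the original thread and not DFF or libmagic code. All function names are hypothetical, only the 109 allocation-table slots in the header are read, and the sample image is constructed.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # magic number of file 11 in the report
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
MARKERS = {"WordDocument": "MS Word document", "Workbook": "MS Excel workbook",
           "PowerPoint Document": "MS PowerPoint presentation"}  # stream name -> verdict

def sector(data, n, size):
    """Return sector n; raise if it lies past end of file (truncated or corrupt image)."""
    if (n + 2) * size > len(data):
        raise ValueError("sector %d is beyond end of file" % n)
    return data[(n + 1) * size:(n + 2) * size]

def stream_names(data):
    """Walk the directory chain of a Compound File and return its entry names."""
    if len(data) < 512 or data[:8] != CFB_MAGIC or data[0x1E:0x20] not in (b"\x09\0", b"\x0c\0"):
        raise ValueError("not a valid Compound File header")
    size = 1 << data[0x1E]                                # sector shift is 9 or 12
    # Sector allocation table (SAT/FAT), located through the header's DIFAT slots only.
    fat = [e for s in struct.unpack_from("<109I", data, 0x4C) if s != FREESECT
           for e in struct.unpack("<%dI" % (size // 4), sector(data, s, size))]
    names, seen, s = [], set(), struct.unpack_from("<I", data, 0x30)[0]
    while s != ENDOFCHAIN:
        if s in seen or s >= len(fat):                    # loop or pointer outside the table
            raise ValueError("broken directory chain")
        seen.add(s)
        block = sector(data, s, size)
        for i in range(0, size, 128):                     # 128-byte directory entries
            nlen, otype = struct.unpack_from("<HB", block, i + 0x40)
            if otype in (1, 2, 5) and 2 <= nlen <= 64:    # storage, stream, root
                names.append(block[i:i + nlen - 2].decode("utf-16-le", "replace"))
        s = fat[s]
    return names

def refine(data):
    """Turn a generic 'CDF V2 Document' verdict into an application-level one."""
    try:
        return next((MARKERS[n] for n in stream_names(data) if n in MARKERS), "CDF V2 Document, unknown type")
    except ValueError as exc:
        return "Compound File, unreadable: %s" % exc

def build_sample(stream):
    """Constructed image (not a real document): header, one FAT and one directory sector."""
    ent = lambda n, t: (n + "\0").encode("utf-16-le").ljust(64, b"\0") + struct.pack("<HB61x", 2 * len(n) + 2, t)
    hdr = CFB_MAGIC + bytes(16) + struct.pack("<5H6x9I", 0x3E, 3, 0xFFFE, 9, 6, 0, 1, 1, 0, 4096,
                                              ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    difat = struct.pack("<109I", 0, *[FREESECT] * 108)    # the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    return hdr + difat + fat + ent("Root Entry", 5) + ent(stream, 2) + bytes(256)
```

Passing an image cut off after the 512-byte header to `refine` returns the unreadable verdict, because the allocation table can no longer be read.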