commit

Skills/File Analysis/README.md

@@ -6,4 +6,16 @@ One of the more common activities in digital forensics is the recovery of delete
 
 Below is a screenshot of the output of the Sleuth Kit file listing tool (fls) which shows two files that have been “deleted” by the user but are still recoverable. The ability to recover and save what was previously thought to be deleted files can be very valuable in an investigation. <br>
 
-![File Analysis](https://github.com/crimsonDefense/CyberSecurityClub/blob/main/00_Archive/images/fileanalysis.png?raw=true) <br>
+<p align="center">
+<img width="350px" src="fileanalysis.png" alt="Logo"/>
+</p>
+
+![File Analysis](https://github.com/crimsonDefense/CyberSecurityClub/blob/main/00_Archive/images/fileanalysis.png?raw=true) <br>
+
+Specifically, when looking at the analysis of files, an investigator needs to start with the file header. File headers are information about a file that the computer stores so that it knows what type of file it is. Typically, file headers are stored in the first 4 or 5 bytes of a file. By using the hexdump tool, the hexadecimal version of a file can be viewed. Hexdump is available on most Linux distributions and there are many Windows interfaces to Hexdump (ex. https://sourceforge.net/projects/hexdump/). <br>
+
+One of the more interesting items that occur during an investigation is when a suspect tries to disguise a file by changing an incriminating file’s signature. Having a good understanding of file signatures is important. Below is an exert from a larger list of file signatures of the more common files seen during investigations. A larger list can be seen at the following location: https://en.wikipedia.org/wiki/List_of_file_signatures <br>
+
+<p align="center">
+<img width="450px" src="00_Archive/images/CD main logo-01.png" alt="Logo"/>
+</p>