Identify Hidden Image Files

Often, users with limited technical knowledge may assume that changing the file extension of an image will conceal it, but this is a misconception. This PowerShell script is designed to scan through any search path you choose to detect image files whose extensions have been altered in an attempt to hide them. The search path is adjustable, allowing you to extend the scan to various directories or even entire drives. Rather than relying on file extensions, the script searches for specific file headers that are characteristic of image files. The findings are then compiled into a CSV file, which you can save to a location of your choice.

#Set your CSV output path
$backupDrive = "c:\temp"

#See if a sub folder exists. If not, create one
$backupPath = Join-Path $backupDrive "hidden"
if (!(Test-Path -Path $backupPath)) {
    New-Item -ItemType Directory -Path $backupPath | Out-Null
}

#Build the CSV file name from the current date and time
$datetime = Get-Date -Format yyyy-MM-dd_HH-mm
$csvPath = Join-Path $backupPath "$datetime.csv"

#Change to the folder that contains this script
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
Set-Location $scriptDir

#Image file headers as space-separated decimal byte values
$jpgheader = "255 216 255"
$bmpheader = "66 77"
$gifheader = "71 73 70"
$tifheader = "73 73 42"
$pngheader = "137 80 78 71 13 10 26 10"

$knownimageextensions = ("jpg", "jpeg", "bmp", "gif", "tif", "tiff", "png")

#Set search path (-File skips directories, which have no header to read)
$files = Get-ChildItem $env:USERPROFILE -Recurse -File -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

foreach ($file in $files)
{
    #Get extension without . (dot)
    $extension = [System.IO.Path]::GetExtension($file).Replace(".", "").ToLower()

    #Ignore known image extensions and files of 0.1kb or less
    if ($knownimageextensions -notcontains $extension -and (Get-Item -LiteralPath $file).Length -gt 0.1kb) {

        #Reset $fileheader
        $fileheader = "False"

        #Grab the first 8 bytes once; -LiteralPath keeps [ and ] in file names from being treated as wildcards
        #-Encoding Byte is Windows PowerShell 5.1 syntax; PowerShell 6 and later use -AsByteStream instead
        $header = Get-Content -LiteralPath $file -Encoding Byte -ReadCount 1 -TotalCount 8 -EA Ignore

        #Skip files that could not be read
        if ($null -eq $header) { continue }

        #Casting a byte array to [string] joins the values with spaces, matching the header strings above
        $2bytes = [string]($header[0..1])
        $3bytes = [string]($header[0..2])
        $8bytes = [string]($header[0..7])

        If ($8bytes -eq $pngheader) {$fileheader = "png"}
        Elseif ($3bytes -eq $jpgheader) {$fileheader = "jpg"}
        Elseif ($3bytes -eq $gifheader) {$fileheader = "gif"}
        Elseif ($3bytes -eq $tifheader) {$fileheader = "tif"}
        Elseif ($2bytes -eq $bmpheader) {$fileheader = "bmp"}

        #Record every file whose header matched an image type
        if ($fileheader -ne "False") {
            [PSCustomObject]@{
                File = $file
                Header = $fileheader
            } | Export-Csv -Path $csvPath -NoTypeInformation -Append
        }
    }
}
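
The same header check as a reusable function, exercised against constructed sample files (an added example, not the original author's code). It reads the first 8 bytes once through System.IO.File, which works in both Windows PowerShell 5.1 and PowerShell 7. `Get-ImageHeaderType`, the temp folder and the sample file names are assumptions, and the big-endian TIFF signature goes beyond the headers the script lists.

```powershell
# Added example. Signatures are the page's headers plus big-endian TIFF (an addition).
$signatures = @(
    @{ Type = 'png'; Bytes = [byte[]](137, 80, 78, 71, 13, 10, 26, 10) },
    @{ Type = 'jpg'; Bytes = [byte[]](255, 216, 255) },
    @{ Type = 'gif'; Bytes = [byte[]](71, 73, 70) },
    @{ Type = 'tif'; Bytes = [byte[]](73, 73, 42) },
    @{ Type = 'tif'; Bytes = [byte[]](77, 77, 0, 42) },
    @{ Type = 'bmp'; Bytes = [byte[]](66, 77) }
)

# Hypothetical helper: returns the image type named by the file's first bytes, or $null.
function Get-ImageHeaderType {
    param([Parameter(Mandatory)][string]$Path)
    $buffer = New-Object byte[] 8
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try { $read = $stream.Read($buffer, 0, $buffer.Length) }
        finally { $stream.Dispose() }
    } catch { return $null }    # locked, missing or unreadable file
    foreach ($sig in $signatures) {
        $len = $sig.Bytes.Length
        if ($read -ge $len -and
            [System.BitConverter]::ToString($buffer, 0, $len) -eq [System.BitConverter]::ToString($sig.Bytes)) {
            return $sig.Type
        }
    }
    return $null
}

# Constructed sample files: header bytes written under non-image extensions.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ('hdrtest_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
$samples = @{
    'holiday.txt' = [byte[]](255, 216, 255, 224, 0, 16, 74, 70)   # JPEG
    'report.dat'  = [byte[]](137, 80, 78, 71, 13, 10, 26, 10)     # PNG
    'scan.log'    = [byte[]](77, 77, 0, 42, 0, 0, 0, 8)           # big-endian TIFF
    'notes.txt'   = [System.Text.Encoding]::ASCII.GetBytes('plain text, no image')
    'memo.txt'    = [System.Text.Encoding]::ASCII.GetBytes('BMW service notes')
}
foreach ($name in $samples.Keys) {
    [System.IO.File]::WriteAllBytes((Join-Path $dir $name), $samples[$name])
}
Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
    [PSCustomObject]@{ File = $_.Name; Header = Get-ImageHeaderType -Path $_.FullName }
} | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force
```

memo.txt is reported as bmp even though it is plain text, because the two-byte BMP signature also matches any file that begins with the letters "BM". Treat bmp hits in the CSV as candidates to review rather than confirmed images.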
