THUGON FILE INSPECTOR AND MODIFIER v3.10
(AKA - THUGON FILE INVESTIGATOR APP) YES, IT IS FREE.
Download (ZIP)
FB32B819032931A0A98D5DBB339B6993BD047039C0F5052203459CF56387D390
https://www.thugon.com/encryption_apps.html
Purpose
I built this tool based on my knowledge of how files, antivirus, viruses and the web work. Therefore, mistakes can be made. The original version was more detailed and very aggressive; this version is tamed.
THUGON FILE INSPECTOR AND MODIFIER is a powerful Windows utility designed to inspect and manage file metadata, security zones, alternate data streams (ADS), URLs, PE information, and more. It provides users with strong control over downloaded and local files for security auditing, analysis, and modification purposes.
Some of the attached information is technical, but I have tried to be as thorough as possible to help everyone understand how this application works. The app does not have a help menu, so this write-up is provided to guide users and explain what the application does behind the scenes.
WARNING: This is a very powerful tool. Please use it responsibly. The original purpose of this tool is strictly for DEFENSIVE use only. Please read the attached disclaimer carefully. This tool has no sponsors; therefore, mistakes or limitations may be present.
Description
This application can:
- Find the website where a file was downloaded from. (If it was stamped.)
- Inspect file metadata including size, creation and modification timestamps.
- ** Detect, change and report Mark of the Web (MOTW) Zone.Identifier to know the file origin.
- ** Analyze, add, delete and extract Alternate Data Streams (ADS) including hidden text or embedded files.
- Extract URLs embedded within files.
- Report entropy to identify potentially packed or encrypted files.
- Analyze PE (Portable Executable) sections and detect high-risk characteristics.
- ** Modify Zone.Identifier or add/delete custom ADS for advanced file management.
- Export detailed inspection reports to TXT for record keeping or auditing.
- NOTE: It no longer allows lowering the risk score, automatic signature signing, etc.
It is designed for IT professionals, security analysts, investigators and power users who need to verify, manage, investigate and secure files in a Windows environment.
Important: Alternate Data Streams (ADS) are supported only on the NTFS file system. Saving a file to a USB drive formatted with FAT32 will permanently remove any existing ADS. To preserve ADS during file transfer or investigation, ensure that your USB drive or storage device is formatted with NTFS rather than FAT32, as many removable drives are still configured with FAT32 by default. ReFS does NOT support ADS in the same way NTFS does.
Security Zone Explanation (Zone.Identifier)
Windows uses security zones (Mark of the Web / MOTW) to track where a file originated from. This information is stored in the Zone.Identifier Alternate Data Stream (ADS). Understanding these zones helps determine the trust level of a file.
| Zone ID | Zone Name | Description |
|---|---|---|
| 0 | Local Machine | File originates from the local computer. Fully trusted. |
| 1 | Local Intranet | File comes from a local network (LAN). Generally trusted within an organization. |
| 2 | Trusted Sites | File downloaded from explicitly trusted domains configured by the user or administrator. |
| 3 | Internet | File downloaded from the internet. This is the most common and considered untrusted by default. |
| 4 | Restricted Sites | File comes from blocked or highly untrusted sources. Highest risk category. |
Security Insight:
- ZoneId = 3 (Internet) is the most common flag and triggers Windows security warnings.
- ZoneId = 4 (Restricted) indicates a highly suspicious or blocked origin.
- Files without a Zone.Identifier may have been locally created or had the ADS removed.
THUGON uses this information as part of its risk scoring system to help determine whether a file should be trusted or further analyzed.
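An added example (not THUGON's own code) of reading the Mark of the Web described above: it parses the text of a Zone.Identifier stream, maps ZoneId to the zone names in the table, and returns the recorded source URLs. The function names and the sample stream content are constructed for illustration.

```python
import configparser

# Zone names from the table above.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(stream_text):
    """Parse Zone.Identifier stream text; None if it is not a usable MOTW."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(stream_text.lstrip("\ufeff"))  # drop a BOM if present
    except configparser.Error:
        return None
    if not parser.has_section("ZoneTransfer"):
        return None
    section = parser["ZoneTransfer"]
    try:
        zone_id = int(section.get("ZoneId", ""))
    except ValueError:
        return None  # missing or non-numeric ZoneId
    return {
        "zone_id": zone_id,
        "zone_name": ZONES.get(zone_id, "Unknown"),
        "host_url": section.get("HostUrl"),          # None if not stamped
        "referrer_url": section.get("ReferrerUrl"),  # None if not stamped
    }

def read_motw(path):
    """Read a file's MOTW on NTFS; None when the stream is absent or unreadable."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None

# Constructed sample stream content (not taken from a real download).
SAMPLE = ("[ZoneTransfer]\r\n"
          "ZoneId=3\r\n"
          "ReferrerUrl=https://example.com/downloads/\r\n"
          "HostUrl=https://example.com/downloads/tool.zip\r\n")

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE))
```

`read_motw` returns None both for a locally created file and for one whose stream was removed, which matches the ambiguity noted in the last bullet above.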
Entropy Calculation & Analysis
Entropy is a measurement of randomness within a file. This tool uses it to help determine whether a file contains normal structured data or potentially suspicious content such as compressed, packed, or encrypted data.
How It Works
- The file is read as raw binary data.
- Each byte value (0–255) is analyzed.
- The probability of each byte appearing is calculated.
- Entropy is computed using Shannon Entropy:
H = - Σ (p(x) * log2(p(x)))
Entropy Range
- 0.0 → Predictable data
- 8.0 → Maximum randomness
Interpretation
| Range | Meaning |
|---|---|
| 0.0 – 3.5 | Plain text / repetitive data |
| 3.5 – 6.5 | Normal files |
| 6.5 – 7.5 | Compressed or complex data |
| 7.5 – 8.0 | Highly random (often encrypted/packed) |
Security Insight: high entropy may indicate:
- Packed executables
- Encrypted payloads
- Embedded or hidden data
Important: High entropy does not automatically mean malicious.
How THUGON Uses It
- Entropy > 7.5 → flagged
- Adds 25 points to risk score
Advanced Entropy Analysis (Technical)
Full binary analysis across 256 byte values with Shannon entropy calculation.
p(x) = count(x) / total_bytes
H = - Σ (p(x) * log2(p(x)))
Used as a heuristic indicator, not a standalone detection.
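The calculation above as an added Python example (not THUGON's own code): byte counts over the 256 possible values, Shannon entropy in bits per byte, and the interpretation table applied to the result. Function names are illustrative, and placing a boundary value in the lower band is an assumption made so that exactly 7.5 is not treated as "> 7.5".

```python
import math
from collections import Counter

def _entropy(counts, total):
    """H = -sum(p(x) * log2(p(x))) with p(x) = count(x) / total_bytes."""
    h = 0.0
    for count in counts.values():
        p = count / total
        h -= p * math.log2(p)
    return h

def shannon_entropy(data: bytes) -> float:
    """Entropy of an in-memory byte string, 0.0 to 8.0 bits per byte."""
    if not data:
        return 0.0  # empty input: report 0 instead of dividing by zero
    return _entropy(Counter(data), len(data))

def file_entropy(path, chunk_size=1 << 20):
    """Entropy of a whole file, read in chunks so large files fit in memory."""
    counts, total = Counter(), 0
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            counts.update(chunk)
            total += len(chunk)
    return _entropy(counts, total) if total else 0.0

# Upper bound of each band from the interpretation table.
# Assumption: a value exactly on a boundary belongs to the lower band.
BANDS = [
    (3.5, "Plain text / repetitive data"),
    (6.5, "Normal files"),
    (7.5, "Compressed or complex data"),
    (8.0, "Highly random (often encrypted/packed)"),
]

def interpret(h):
    """Map an entropy value to the meaning given in the table."""
    for upper, meaning in BANDS:
        if h <= upper:
            return meaning
    return BANDS[-1][1]

if __name__ == "__main__":
    # Constructed inputs: constant bytes, repeated text, every byte value equally often.
    for sample in (bytes(4096), b"The quick brown fox. " * 200, bytes(range(256)) * 16):
        h = shannon_entropy(sample)
        print(f"{h:.3f}  {interpret(h)}")
```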
Risk Scoring System
| Indicator | Condition | Points |
|---|---|---|
| MOTW | ZoneId = 3 | +20 |
| Entropy | > 7.5 | +25 |
| ADS | Custom streams | +20 each |

| Score | Verdict |
|---|---|
| 0–29 | SAFE |
| 30–69 | SUSPICIOUS |
| 70–100 | HIGH RISK |
Example:
- MOTW → +20
- Entropy → +25
- ADS → +20
- Total = 65 → SUSPICIOUS
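The two tables combined into one scoring function, as an added example rather than THUGON's own code. It assumes stream names arrive as PowerShell's `Get-Item -Stream *` reports them (`:$DATA` for the main stream), that a "custom" stream is any stream other than the main one and Zone.Identifier, and that the score is capped at 100 to fit the 70–100 band.

```python
MOTW_POINTS = 20         # ZoneId = 3
ENTROPY_POINTS = 25      # entropy > 7.5
ADS_POINTS = 20          # per custom stream
ENTROPY_THRESHOLD = 7.5
STANDARD_STREAMS = {":$data", "zone.identifier"}  # not counted as custom

def risk_score(zone_id, entropy, stream_names):
    """Return (score, verdict, reasons) for one file's indicators.

    zone_id is None when the file has no Zone.Identifier stream.
    """
    score, reasons = 0, []
    # Only ZoneId = 3 is listed in the indicator table, so other zones add nothing.
    if zone_id == 3:
        score += MOTW_POINTS
        reasons.append("MOTW ZoneId=3 (+20)")
    if entropy > ENTROPY_THRESHOLD:
        score += ENTROPY_POINTS
        reasons.append(f"entropy {entropy:.2f} > 7.5 (+25)")
    for name in stream_names:
        if name.lower() not in STANDARD_STREAMS:
            score += ADS_POINTS
            reasons.append(f"custom ADS '{name}' (+20)")
    score = min(score, 100)  # assumption: cap so the score stays in 0-100
    if score <= 29:
        verdict = "SAFE"
    elif score <= 69:
        verdict = "SUSPICIOUS"
    else:
        verdict = "HIGH RISK"
    return score, verdict, reasons

if __name__ == "__main__":
    # Constructed indicators matching the worked example: MOTW + entropy + one ADS.
    streams = [":$DATA", "Zone.Identifier", "notes.txt"]
    score, verdict, reasons = risk_score(3, 7.8, streams)
    print(score, verdict)
    for reason in reasons:
        print(" -", reason)
```

With these weights a file carrying only the Internet mark scores 20 and is reported SAFE, so the verdict reflects the listed indicators and not the file's content.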
Why it is Valuable
This tool is valuable because it allows you to quickly assess file safety, uncover hidden content, and manage security metadata. It ensures files are properly verified and provides the ability to modify or clean potentially risky metadata safely. Whether for auditing downloaded files or managing sensitive data, it gives users confidence and control over their files.
Disclaimer: This is a powerful tool. Please use it responsibly. This application is designed for defensive, security analysis, and educational purposes only—not for offensive use. The authors assume no responsibility or liability for any misuse of this tool. You are solely responsible for your actions and how you use this software. Use of this tool for illegal or malicious purposes may violate applicable laws in your jurisdiction. This software is provided "AS IS" and "AS AVAILABLE", without any warranties of any kind, either express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, and non-infringement. This tool has no sponsors; therefore, mistakes or limitations may be present. Use at your own risk.