Forensics

Transcript

1. Forensics

2. Usually some similar themes —  Look for little weird tricks

   —  Can a zip file be appended to a JPEG? Yup —  Can a file be both a PDF and an exe? Sigh, yup —  Application of off-the-shelf software —  Oh it’s a dump of virtual memory? —  There’s a perl script somewhere (seriously) that parses dumps of virtual memory to rebuild all process memory from PTEs

3. Wait, a PDF is an EXE? —  Curious fact: file

   formats are less about the format as described on paper and more about the implementation of their parsers —  Sometimes the formats are just messed up —  The file header for a PDF can begin within some range of the header of the file —  So PDF files can be some other file too!

4. A general pattern I’ve observed —  You’re given files, or

   a disk image, or something —  Write everything down —  Enumerate everything you have —  Look for something —  Trendy —  Weird —  Exciting-sounding

5. Trivia —  One thing that is annoying is you just

   need to know a lot about file formats —  What file formats can contain additional information? Classic, EXIF —  Double classic, strings in PE headers —  BASE64 or other types of encoding —  “steganography” —  DEFCON CTF quals: the only thing that gets a room of professional research staff looking through 10,000 photos of antique furniture for a weekend