Malware Steganography
6 years ago (yikes!) I wrote about image steganography as a concept. At the moment there are a couple of pieces of malware that use steganography, such as Vawtrak (aka Neverquest) and ZeuS, to hide the command and control servers (C&C) or configuration files in images. This means that the malware does not need to contain a …
Category: code
QR codes for evidence tracking
QR codes seem to be popping up everywhere now, from adverts and marketing campaigns to tracking and tickets. It's easy to see why: they are easy to generate, have a high level of error correction and can encode quite a lot of data (the maximum being 4,296 alphanumeric characters). Since most modern smartphones have …
Self deleting malware
Have you ever wondered how some malware variants are able to delete themselves? A malicious executable is launched on a machine, and once it is running in memory, the executable on disk vanishes. This makes malware analysis very hard if no memory dump was taken, as there is seemingly nothing there. We can however use other artefacts to confirm …
Why you need programming skills to be a good computer forensics investigator
(certainly in the commercial world anyway) In the corporate world, getting licenses for forensic software is a slow and painful process, and using open-source tools is usually a no-go, so you end up with a limited toolset to carry out forensics. So unless you have all the tools that do exactly what …
File tunnelling: weird creation timestamps
File tunnelling is a little-known Windows capability that dates back to MS-DOS days. In MS-DOS, a 'safe save' was done by saving a copy of the modified data to a temp file, deleting the original and then renaming the temp file to the original name, whilst also retaining the original file's metadata. Windows NT …
Next steps with Webscavator
Webscavator has been mentioned in the SANS forensics blog! It is very exciting when you see yourself being mentioned in a blog you read regularly! I am hoping over the summer to get the following things done with Webscavator: Get the Webscavator website hosted on a better server. I've finally got Google Analytics working on the …
Timezones in Python
One of the most important parts of digital forensics is working out when things happened. When was a file last accessed or modified? When did a user access this website? What happened yesterday at 4.30PM? This would be very easy if the entire world was based in UTC, or at least all operating …
Facebook Chat Forensics
Many parts of Facebook such as chat, messaging and posting statuses are written in JavaScript/AJAX. This requires a lot of calls to the server to constantly have the most up-to-date information. To speed things up, Facebook stores some of the AJAX data in temporary files on the person's computer. These files can contain valuable forensic …
Visualising data: Search Terms
I've finally finished the first draft of my thesis. I now have a week and a few days to edit and finish it, which is plenty of time since I'm fairly happy with it as it stands. Another of Webscavator's visualisations is a word cloud for search engine query terms. The more a term has …
The Perils of JavaScript Objects
A few days ago I was desperately trying to solve a bug which made no sense. In most circumstances everything worked fine, but when you added more data, everything broke. Steven eventually discovered it was because I was overriding my JavaScript object's length attribute, causing problems when trying to loop over every element in the object. …