Thanks to everyone who emailed me in that they completed or had questions about the mini forensics challenge, Iām glad that someone out there reads this blog š Here are the answers below. I used Hex Editor Neo in the screenshots. Challenge 1: Using a hex editor, repair this zip file which has had its header … Continue reading Mini Forensics Challenge Answers: File headers & Footers
Category: forensics
Alternate Data Streams
Lots of apologies that I havenāt been blogging lately. I have recently got married, and as you can imagine that has taken up a lot of my time! Iām currently doing a course called the Certified Malware Investigator run by 7Safe, and one of the practical exercises in todayās session was on Alternate Data Streams (ADSs). Iāve … Continue reading Alternate Data Streams
Mini Forensics Challenge: File headers & Footers
Over the next wee while I am going to set some small forensic challenges for you to have a go at. The idea is that you donāt need expensive forensic software (i.e. EnCase!) to have a go; all of these are doable by hand using a hex/text editor. If you know how to do it … Continue reading Mini Forensics Challenge: File headers & Footers
Open Source Intelligence Searches
In the context of investigations and forensics, āopen source intelligenceā is information collected from publicly available sources, such as newspapers and the internet. In a commercial forensics environment you may be asked to work out who is behind a certain anonymous identity; for example they might be posting secret company information on a blog or … Continue reading Open Source Intelligence Searches
Why you need programming skills to be a good computer forensics investigator
(certainly in the commercial world anyway) In the corporate world getting licenses for forensic software is a slow and painful process and using open sourced tools is usually a no go, so you have end up with a limited toolset to carry out forensics. So unless you have all the tools that do exactly what … Continue reading Why you need programming skills to be a good computer forensics investigator
Link Files Forensic Cheat Sheet
I have created a one page 'cheat sheet' for Windows link file analysis. The information comes mostly of the link file paper written by Harry Parsonage who has kindly allowed me to use his wording for the cheat sheet. I hope to make a series of these on different forensics topics so if anyone has any suggestions please get … Continue reading Link Files Forensic Cheat Sheet
File tunnelling: weird creation timestamps
File tunnelling is a little known Windows capability that stems back from MSDOS days. In MSDOS, a āsafe saveā was done by saving a copy of the modified data to a temp file, deleting the original and then renaming the temp file to the original name whilst also retaining the original files metadata. Windows NT … Continue reading File tunnelling: weird creation timestamps
Windows Shellbags Forensics
There are many weird and wonderful registry entries that I have yet to know about that could contain useful forensics information. One of the most recent that Iāve learnt about are theĀ shellbagĀ entries. These keys are stored in the usersĀ ntuser.datĀ file, and store the viewing settings for users folders ā e.g. the size, position and icon of … Continue reading Windows Shellbags Forensics
UK Digital Forensics Conferences 2012
Last year I did aĀ postĀ with the symposiums and conferences I found relating to digital forensics for the coming year as I could not find an authoritative source. Here is the 2012 list. Please add any more conferences as a comment or email me and I'll add them in. I'm sure there will be at least … Continue reading UK Digital Forensics Conferences 2012
Unicode making malware easier
I recently discovered a wonderful unicode character that makes the following text reverse called right-to-left-override. For example: print "Hello[U+202E]World", produces the output: Hello dlroW. I'm not sure of what legitimate reason you would use the unicode character, but several blogs have warned that it can be used by malware writers to get people to click on files. Most people … Continue reading Unicode making malware easier
Lowmanio 