Malware Steganography
6 years ago (yikes!) I wrote about image steganography as a concept. At the moment there are a couple of pieces of malware that use steganography, such as Vawtrak (aka Neverquest) and ZeuS, to hide the command and control servers (C&C) or configuration files in images. This means that the malware does not need to contain a …
Tag: Python
Introducing Foreman
In my second-to-last post I alluded to a talk I did at the CyberForensics conference. You can access the presentation here. TLDR: In today’s market there is a plethora of digital forensics software available for investigators, from small scripts that do a single task to full-featured toolkits that can aid an investigation from …
QR codes for evidence tracking
QR codes seem to be popping up everywhere now, from adverts & marketing campaigns to tracking and tickets. It’s easy to see why: they are easy to generate, have a high level of error correction and the ability to encode quite a lot of data (the maximum being 4,296 alphanumeric characters). Since most modern smartphones have …
Self deleting malware
Have you ever wondered how some malware variants are able to delete themselves? A malicious executable is launched on a machine, and once launched in memory, the executable vanishes. This makes malware analysis very hard if no memory dump was taken, as there is seemingly nothing there. We can however use other artefacts to confirm …
Mini Forensics Challenge: File headers & Footers
Over the next wee while I am going to set some small forensic challenges for you to have a go at. The idea is that you don’t need expensive forensic software (e.g. EnCase!) to have a go; all of these are doable by hand using a hex/text editor. If you know how to do it …
Open Source Intelligence Searches
In the context of investigations and forensics, “open source intelligence” is information collected from publicly available sources, such as newspapers and the internet. In a commercial forensics environment you may be asked to work out who is behind a certain anonymous identity; for example they might be posting secret company information on a blog or …
Timezones in Python
One of the most important parts of digital forensics is working out when things happened. When was a file last accessed or modified? When did a user access this website? What happened yesterday at 4.30PM? This would be very easy if the entire world was based in UTC, or at least all operating …
Facebook Chat Forensics
Many parts of Facebook such as chat, messaging and posting statuses are written in JavaScript/AJAX. This requires a lot of calls to the server to constantly have the most up-to-date information. To speed things up, Facebook stores some of the AJAX data in temporary files on the person's computer. These files can contain valuable forensic …
Visualising data: Search Terms
I've finally finished the first draft of my thesis; I now have a week and a few days to edit and finish it, which is plenty of time since I'm fairly happy with it as it stands. Another of Webscavator's visualisations is a word cloud for search engine query terms. The more a term has …
Visualising data: File Directories
Some index.dat files record not only websites visited, but also the files on the computer (and any other devices) which have been opened. This gives an accurate account of what files have been viewed and possibly edited. Using the registry, any files accessed that are not on the C: drive can be linked to a USB stick …