Forensic Blogs

An aggregator for digital forensics blogs

April 1, 2015 by LCDI

Windows 10 Forensics Part 2: Facebook Forensics

One of the most used applications on all mobile platforms is the Facebook App. Released in 2013, the Facebook Windows application runs on all Windows 8.1 and Windows 10 devices. Below is a detailed analysis of the artifacts found in the Modern Facebook app (As of March […]

The post Windows 10 Forensics Part 2: Facebook Forensics appeared first on Computer & Digital Forensics Blog.

Read the original at: Computer & Digital Forensics Blog

Filed Under: Digital Forensics, Uncategorized Tagged With: Blog Post, Champlain College, computer forensics, Digital forensics, Facebook, LCDI, Projects, Update, Windows 10, Windows Facebook Forensics, Windows Forensics

March 28, 2015 by LCDI

Windows 10 Recycle Bin Activity Introduction

One of the most fundamental forensic artifacts in an investigation is the recycle bin. When crimes are committed on computers, one of the first locations to check for evidence is almost always in the Recycle Bin. As a result, we will focus on analyzing the recycling bin in Windows 10 for the first blog […]

The post Windows 10 Recycle Bin Activity Introduction appeared first on Computer & Digital Forensics Blog.

Read the original at: Computer & Digital Forensics Blog

Filed Under: Digital Forensics, Uncategorized Tagged With: Blog Post, Champlain College, computer forensics, Digital forensics, LCDI, Projects, recycle bin, Update, Windows 10, windows 10 recycle bin, windows 10 recycle bin activity

March 26, 2015 by Didier Stevens

oledump And XML With Embedded OLE Object

I updated oledump to handle a new type of malicious document: an XML file, not with VBA macros, but with an embedded OLE object that is a VBS file.

And the man page is finished. Run oledump.py -m to view the man page.

The sample I’m using here is 078409755.doc (B28EF236D901A96CFEFF9A70562C9155). The extension is .doc, but it is an XML file, not an OLE file.

First check:

[screenshot 20150326-201918: oledump output]

The XML file contains an OLE file with 1 stream.

Let’s take a look inside the stream:

[screenshot 20150326-202105: oledump output]

Byte 0x78 could be the start of a ZLIB compressed data stream. Let’s check this with option --decompress:

[screenshot 20150326-202544: oledump output]

It is indeed ZLIB compressed, and the decompressed data seems to be another OLE file (D0 CF 11 E0).

So let’s pipe this decompressed OLE file into a second instance of oledump:

[screenshot 20150326-203457: oledump output]

This OLE file contains an embedded object (Ole10Native). Let’s have a look:

[screenshot 20150326-203709: oledump output]

It seems to be a .VBS file. Let’s have a look:

[screenshot 20150326-203953: oledump output]

So this looks like VB Script with base64 strings. Let’s try to decode them with a plugin:

[screenshot 20150326-204225: oledump output]

So now it’s clear what this maldoc does: launch PowerShell, download a file and store it as a .cab file in a temporary folder. Expand the downloaded .cab file to an .exe file, and then launch the .exe file. In other words, it is a downloader.
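As an added illustration of the two steps above, and not code from the post or from oledump itself, the Python below scans a stream for RFC 1950 zlib headers (a 0x78 byte whose next byte passes the FCHECK test), inflates each candidate, keeps the results that start with the OLE compound-file magic, and then pulls base64 string literals out of a VBS text. The sample stream and script are constructed here, not taken from the sample in the post.

```python
import base64
import binascii
import re
import zlib

# Magic bytes at the start of every OLE compound file (D0 CF 11 E0 A1 B1 1A E1)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_zlib_ole(data: bytes):
    """Return (offset, inflated_bytes) for every zlib stream in `data`
    whose inflated content starts with the OLE magic."""
    hits = []
    for off in range(len(data) - 1):
        if data[off] != 0x78:
            continue
        # RFC 1950: CMF*256 + FLG must be a multiple of 31, else not a zlib header
        if (data[off] * 256 + data[off + 1]) % 31 != 0:
            continue
        inflater = zlib.decompressobj()  # tolerates trailing bytes after the stream
        try:
            out = inflater.decompress(data[off:])
        except zlib.error:
            continue
        if out.startswith(OLE_MAGIC):
            hits.append((off, out))
    return hits


def decode_base64_literals(script: str, min_len: int = 16):
    """Return (literal, decoded_bytes) for double-quoted base64-looking
    string literals in a VBS text that decode cleanly."""
    found = []
    for m in re.finditer(r'"([A-Za-z0-9+/=]{%d,})"' % min_len, script):
        literal = m.group(1)
        try:
            found.append((literal, base64.b64decode(literal, validate=True)))
        except (binascii.Error, ValueError):
            continue
    return found


# Constructed sample: 4 junk bytes, a zlib-compressed mini OLE header, 2 trailing bytes
SAMPLE_STREAM = b"\x01\x00\x00\x00" + zlib.compress(OLE_MAGIC + b"\x00" * 64) + b"\xff\xfe"
# Constructed sample: a VBS fragment holding one base64 literal
SAMPLE_VBS = 'Dim s\ns = "' + base64.b64encode(b"constructed sample payload").decode() + '"\n'

if __name__ == "__main__":
    for off, blob in find_zlib_ole(SAMPLE_STREAM):
        print("zlib stream at 0x%x inflates to %d bytes of OLE" % (off, len(blob)))
    for literal, decoded in decode_base64_literals(SAMPLE_VBS):
        print("base64 literal %s decodes to %r" % (literal, decoded))
```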

oledump_V0_0_13.zip (https)
MD5: 6651A674F4981D9AEDE000C1F5895B69
SHA256: 4452DF48F7D852140B4CD662AD95C6BC695F5F04009B37A367EB392384935C51


Read the original at: Didier Stevens

Filed Under: Digital Forensics Tagged With: Malware, My Software, Update


About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.
