:: hiddenillusion :: ... look beyond

Is that an Infection or a False Positive?

Have you been in a situation where there’s a file being flagged by A/V and you don’t really agree? I was in a situation where I was noticing files being flagged as a generic variant of ZeuS and while at first you can’t necessarily disregard the alert - no matter your...


Getting what you want out of a PDF with REMnux

I was talking recently with a coworker who brought up the fact that she was having a problem extracting something from a PDF. It was cheating a little bit since we knew there was definitely something there to extract and look for because of another analysis previously posted. When I...


XDP files and ClamAV

updated 2012-08-20 - added two new signatures

Background

There were some recent discussions going on regarding the use, or possible use, of an XML Data Package (XDP) file containing a PDF file to bypass security products or even the end user. If you aren’t familiar with XDP files, don’t...


What's in your logs?

I’ve had this on the back burner for a few months but I’m finally getting around to writing up a post about it. I re-tested the scenarios listed below with log2timeline v0.63 in SIFT v2.12 and verified it’s still applicable.

The Scenario

I was investigating an image of a web...


Let Me In

A few months ago I was doing some research regarding various ways incident responders could unlock both a live and dead system for an article I was publishing in Digital Forensics Magazine entitled “Let Me In”. If you’re not a subscriber to that magazine the article essentially listed some tools...
