:: hiddenillusion :: ... look beyond

Is that an Infection or a False Positive?

Have you been in a situation where there’s a file being flagged by A/V and you don’t really agree? I was in a situation where I was noticing files being flagged as a generic variant of ZeuS and while at first you can’t necessarily disregard the alert -no matter your...

Continue reading »

Getting what you want out of a PDF with REMnux

I was talking recently with a coworker who brought up the fact that she was having a problem extracting something from a PDF. It was cheating a little bit since we knew there was definitely something there to extract and look for because of another analysis previously posted. When I...

Continue reading »

XDP files and ClamAV

updated 2012-08-20 - added two new signatures


There were some recent discussions going on regarding the use, or possible use of bypassing security products or even the end user by having a XML Data Package (XDP) file with a PDF file. If you aren’t familiar with XDP files, don’t...

Continue reading »

What's in your logs?

I’ve had this on the back burner for a few months but I’m finally getting around to writing up a post about it. I re-tested the scenarios listed below with log2timeline v0.63 in SIFT v2.12 and verified it’s still applicable.

The Scenario

I was investigating an image of a web...

Continue reading »

Let Me In

A few months ago I was doing some research regarding various ways incident responders could unlock both a live and dead system for an article I was publishing in Digital Forensics Magazine entitled “Let Me In”. If you’re not a subscriber to that magazine the article essentially listed some tools...

Continue reading »