imsdal
Member
 

Create passport?

Posted: Apr 25, 18 07:52

I am currently looking at a case where a suspect is believed to have created passports.
In the Office16/root/configuration folder there are several suspicious files.

card_expiration_terms_dict.txt, which contains different translations of the words "expiration date", along with card_security_terms.txt and others. There is also an XML file residing here called config.xml.

It has a <rules> element and a bunch of function_ids along the lines of "func_createcredit_card" and loads more. Has anyone come across this type of file before? I have not been successful in interpreting the config.xml file and seeing exactly what it does. Google has not been helpful in this instance. Any ideas?

EDIT: I just saw that these reside in my Office16 as well, so they are there by default, but how can they be put into use?  
 
  

athulin
Senior Member
 

Re: Create passport?

Posted: Apr 25, 18 16:10

- imsdal
In the Office16/root/configuration folder there are several suspicious files.


So it seems the natural thing would be to check an Office 2016 installation for traces of these files. I'm not sure how far NSRL hashes go, but it seems a distinct possibility that they have already hashed these files -- if they have, you know (more or less) that they're part of a Microsoft installation, or some other add-on.

A very quick search in the NSRLFile.txt from NSRL 2.60 finds a hit for 'card_expiration_terms_dict.txt', belonging to product 15067, which is an MSDN disc, 3918.04, i.e. a Microsoft product or a product from one of their software partners. (I don't find that MSDN disc in my own collection, though 3981.1 is 'Microsoft Exchange Server 2007 Enterprise', so I would suspect 3981.4 to also be Exchange-related.) The same product also contains 'card_security_terms_dict.txt'.

There's another file with the same hash 'mce_cet_dict.txt_olk.17DF5FC3_D882_4540_BC68_BB94FD7B2505' from product 15064, which is another MSDN disk 5001.02. Don't know what that is. (Similar situation for the other file.)

Looks pretty much like a product-related file from Microsoft.

- imsdal
There is also an XML file residing here called config.xml.

It has a <rules> element and a bunch of function_ids along the lines of "func_createcredit_card" and loads more. Has anyone come across this type of file before? I have not been successful in interpreting the config.xml file and seeing exactly what it does. Google has not been helpful in this instance. Any ideas?


XML files can't necessarily be interpreted unless you know exactly what they're intended for, or what schema is used. I've seen XML files containing VBScript or PowerShell scripts, so it needs eyes-on to evaluate what you have. Look for comments, though. They may help explain the purpose. Or for other files referring to the XML file itself.

- imsdal
EDIT: I just saw that these reside in my Office16 as well, so they are there by default, but how can they be put into use?


"What is their intended use?" seems to be a better question. That can probably only be answered by focusing on Office. Are they part of some kind of payment deal? Download Office 2016 for free, test it for 30 days, and pay when you're satisfied? That might explain their presence. An Office 2016 product expert might know.
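The NSRL check athulin describes, as an added example that is not part of this thread: hash the file, look the SHA-1 up in NSRLFile.txt, and resolve each ProductCode through NSRLProd.txt, reporting every catalogued name so a hit under a different file name (like the mce_cet_dict.txt_olk entry) is still visible. The NSRL rows below are constructed: the hashes are the standard test vectors for the 3-byte content "abc", the product codes are the ones from the post, and the product names and other fields are placeholders.

```python
import csv
import hashlib
import io
from pathlib import Path

# Constructed sample rows in the legacy NSRL RDS text layout. SHA-1/MD5/CRC32 are
# the published test vectors for the string "abc", so a file holding exactly
# "abc" hits; product codes follow the thread, the remaining fields are placeholders.
SAMPLE_NSRLFILE = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    '"A9993E364706816ABA3E25717850C26C9CD0D89D","900150983CD24FB0D6963F7D28E17F72","352441C2",'
    '"card_expiration_terms_dict.txt",3,15067,"189",""\n'
    '"A9993E364706816ABA3E25717850C26C9CD0D89D","900150983CD24FB0D6963F7D28E17F72","352441C2",'
    '"mce_cet_dict.txt_olk.17DF5FC3_D882_4540_BC68_BB94FD7B2505",3,15064,"189",""\n'
)
SAMPLE_NSRLPROD = (
    '"ProductCode","ProductName","ProductVersion","OpSystemCode","MfgCode","Language","ApplicationType"\n'
    '"15067","MSDN Disc 3918.04","n/a","189","n/a","English","Reference"\n'
    '"15064","MSDN Disc 5001.02","n/a","189","n/a","English","Reference"\n'
)

def load_nsrl_index(text):
    """Map SHA-1 -> list of (FileName, ProductCode); one hash may carry many names."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        index.setdefault(row["SHA-1"].upper(), []).append((row["FileName"], row["ProductCode"]))
    return index

def load_products(text):
    """Map ProductCode -> ProductName from NSRLProd.txt."""
    return {row["ProductCode"]: row["ProductName"] for row in csv.DictReader(io.StringIO(text))}

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest().upper()

def lookup_hash(sha1, index, products, seen_name=None):
    """Return every NSRL entry for the hash; name_matches is False when the file on
    disk is known content shipped under a different catalogued file name."""
    return [{"nsrl_name": name, "product_code": code,
             "product": products.get(code, "unknown product"),
             "name_matches": seen_name is None or name == seen_name}
            for name, code in index.get(sha1.upper(), [])]

def triage_file(path, index, products):
    """Hash a file on disk in chunks (NSRL-hashed files can be large) and look it up."""
    p = Path(path)
    h = hashlib.sha1()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return lookup_hash(h.hexdigest().upper(), index, products, seen_name=p.name)
```

With real RDS data, load the full NSRLFile.txt and NSRLProd.txt the same way and run triage_file over the suspect Office16/root/configuration directory; an empty result means the file is not in the reference set, not that it is malicious.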
 
  

redcat
Senior Member
 

Re: Create passport?

Posted: Apr 26, 18 08:04

- imsdal
I am currently looking at a case where a suspect is believed to have created passports.
In the Office16/root/configuration folder there are several suspicious files.


You've jumped ahead a bit here. What makes you believe that whatever device that you're examining with Office installed is the one upon which passports may have been forged? Have you attributed it to the suspect(s) yet? Are there other devices, different storage media etc? Criminals who rely upon data for their ill-gotten gains often keep that data backed up just like any sensible business does. Unless there's something you haven't mentioned, it just feels like you are far too focused on one area at the moment, which might prove to be a complete red herring.  
 
