Create passport?

(@imsdal)
Posts: 17
Active Member
Topic starter
 

I am currently looking at a case where a suspect is believed to have created passports.
In the Office16/root/configuration folder there are several suspicious files.

card_expiration_terms_dict.txt which contains different translations of the word "expiration date", along with card_security_terms.txt and others. There is also an xml-file residing here called config.xml.

With a <rules> bracket and a bunch of function_ids along the lines of "func_createcredit_card" and loads more. Has anyone come across this type of files before? I have not been successful in interpreting the config.xml file and see exactly what it does. Google have not been helpful in this instance. Any ideas?

EDIT I just saw that these reside in my Office16 as well, so they are there by default, but how can they be put into use?

 
Posted : 25/04/2018 7:52 am
(@athulin)
Posts: 1156
Noble Member
 

In the Office16/root/configuration folder there are several suspicious files.

So it seems the natural thing would be to check an Office 2016 installation for traces of these files. I'm not sure how far NSRL hashes go, but it seems a distinct possibility that they already have hashed these files – if they have, you know (more or less) that they're part of a Microsoft installation, or some other add on.

A very quick search in the NSRLFile.txt from NSRL 2.60 finds a hit for 'card_expiration_terms_dict.txt', belonging to product 15067, which is a MSDN disc, 3918.04, i.e. a Microsoft product or a product from one of their software partners. (I don't find that MSDN disc in my own collection, though 3981.1 is 'Microsoft Exchange Server 2007 Enterprise', so I would suspect 3981.4 to also be Exchange-related.) The same product also contains 'card_security_terms_dict.txt'.

There's another file with the same hash 'mce_cet_dict.txt_olk.17DF5FC3_D882_4540_BC68_BB94FD7B2505' from product 15064, which is another MSDN disk 5001.02. Don't know what that is. (Similar situation for the other file.)

Looks pretty much like a product-related file from Microsoft.

There is also an xml-file residing here called config.xml.

With a <rules> bracket and a bunch of function_ids along the lines of "func_createcredit_card" and loads more. Has anyone come across this type of files before? I have not been successful in interpreting the config.xml file and see exactly what it does. Google have not been helpful in this instance. Any ideas?

XML files can't necessarily be interpreted unless you know exactly what they're intended for, or what schema that is used. I've seen XML files containing VMScript or PowerShell scripts, so it needs eyes-on to evaluate what you have. Look for comments, though. They may help explain the purpose. Or for other files referring to the XML file itself.

EDIT I just saw that these reside in my Office16 as well, so they are there by default, but how can they be put into use?

'What is their intended use?' seems to be a better question. That can probably only be answered by focussing on Office. Are they part of some kind of payment deal? Download Office 2016 for Free, test it for 30 days, and pay when you're satisfied? That might explain their presence. An Office 2016 product expert might know.

 
Posted : 25/04/2018 4:10 pm
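The NSRL check described in the post above, as an added example that is not part of the original thread: it matches evidence files against an NSRLFile.txt-style reference set by SHA-1 rather than by name, so a file that merely carries a stock Office name but has different content is not treated as known. The column header is assumed to be the RDS 2.x NSRLFile.txt layout; the file contents, hashes and rows are constructed, and only the file names and product codes are taken from the post.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Assumed RDS 2.x NSRLFile.txt column layout.
RDS_HEADER = ('"SHA-1","MD5","CRC32","FileName","FileSize",'
              '"ProductCode","OpSystemCode","SpecialCode"')

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()

def load_rds(fileobj):
    """Index NSRLFile.txt-style rows: SHA-1 -> {(FileName, ProductCode), ...}."""
    index = defaultdict(set)
    for row in csv.DictReader(fileobj):
        index[row["SHA-1"].upper()].add((row["FileName"], row["ProductCode"]))
    return index

def triage(evidence, index):
    """Map each evidence file name to its RDS hits. An empty list means the
    content is not in the reference set, whatever the file is called."""
    return {name: sorted(index.get(sha1_hex(data), ()))
            for name, data in evidence.items()}

# --- Constructed sample data: contents and hashes are made up ---
STOCK = b"expiration date\nexp. date\nvalid thru\n"
EVIDENCE = {
    "card_expiration_terms_dict.txt": STOCK,                 # stock content
    "card_security_terms_dict.txt": b"cvv\ncvc\nEDITED\n",   # known name, altered content
    "config.xml": b"<rules></rules>",                        # absent from the sample set
}

def sample_rds():
    """Build a small constructed reference set in NSRLFile.txt form."""
    rows = [
        (STOCK, "card_expiration_terms_dict.txt", "15067"),
        (STOCK, "mce_cet_dict.txt_olk.17DF5FC3_D882_4540_BC68_BB94FD7B2505", "15064"),
        (b"cvv\ncvc\n", "card_security_terms_dict.txt", "15067"),
    ]
    lines = [RDS_HEADER]
    for data, name, prod in rows:
        lines.append(f'"{sha1_hex(data)}","","","{name}",{len(data)},"{prod}","",""')
    return io.StringIO("\n".join(lines) + "\n")

if __name__ == "__main__":
    for name, hits in triage(EVIDENCE, load_rds(sample_rds())).items():
        print(name, "->", hits or "NOT IN RDS: examine manually")
```

Files that come back with no hit are the ones that need eyes-on review; a hit under several names or product codes, as in the post, simply means the same content ships in more than one product.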
BraindeadVirtually
(@braindeadvirtually)
Posts: 115
Estimable Member
 

I am currently looking at a case where a suspect is believed to have created passports.
In the Office16/root/configuration folder there are several suspicious files.

You've jumped ahead a bit here. What makes you believe that whatever device that you're examining with Office installed is the one upon which passports may have been forged? Have you attributed it to the suspect(s) yet? Are there other devices, different storage media etc? Criminals who rely upon data for their ill-gotten gains often keep that data backed up just like any sensible business does. Unless there's something you haven't mentioned, it just feels like you are far too focused on one area at the moment, which might prove to be a complete red herring.

 
Posted : 26/04/2018 8:04 am