Is anyone analyzing the subject files for indications of an initial infection vector? If so, what are the commonalities you're seeing?
Bueller?
Um, he's sick. My best friend's sister's boyfriend's brother's girlfriend heard from this guy who knows this kid who's going with the girl who saw Ferris pass out at 31 Flavors last night. I guess it's pretty serious.
I heard that he passed out because he saw what my IDX parser could do and was so amazed. He was so excited that he then ran all the way to 31 Flavors, had an ice cream, developed hyperglycemia, and passed out again! OMG!
Glad to see you're parsing the *.idx files and your stuff is all locked tight, BitHead.
In all seriousness I personally have not had a cause to examine Java deployment cache index files. Yet.
Interesting.
So, you may be concerned with malware on a system, but not so much as to how it got there?
I try to raise these topics for discussion, and the reason for doing so hit me last night. I was contacted by a member of LE (on the federal level) as one person amongst several in the email "To" field…this examiner has some misconceptions with respect to shellbag analysis that led to some pretty significant confusion…the kind that you find when you've gone too far down the wrong rabbit hole. I don't think that the folks doing the research could have anticipated the questions the examiner had, nor foreseen the assumptions that were made. This is why I tried multiple times to get a discussion going on the topic in this forum…
Harlan, can you elaborate a bit on the misconception? It might be a useful learning experience for others as well.
Elucidate please.
Malware is not my bucket of things per se, but definitely can get a few guys interested if you can give me some more fodder.
Do you have more?
jhup,
Here's a good start:
http//
The ForensicsWiki page that you linked to is an excellent resource that Joachim compiled. However, like many technical resources the format specification will only get you so far.
A while back, Corey Harrell posted here
http//
You'll notice that at that point, Corey tied an *.idx file to the malware infection, but wasn't able to get much further. Now we have tools to parse these files, and as you can see from my post, Corey provided a sample of the file so I could parse it and provide the information.
The format spec is a great start, and allows tools to be written. Then, analysts can start using the tools and begin to see how to use the data…well, that doesn't really happen often, so what I was trying to do was bridge that gap and illustrate how to build on the format spec to not only develop tools, but analysis techniques.
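To show what "building on the format spec" looks like in practice, here is an added example (not Harlan's tool, nor Joachim's spec text) that parses the two parts of a Java deployment cache *.idx file an analyst cares about when chasing an infection vector: the section 1 header (content length, last-modified/expiration/validation timestamps, section lengths) and section 2 (the URL the JAR or class came from, the codebase IP and the server's HTTP response headers). The field offsets follow the ForensicsWiki layout for cache versions 603 to 605 as I read it; check them against the spec before relying on the output. The sample file is constructed inline and is not a real artifact.

```python
import struct
from datetime import datetime, timezone

# For cache versions 603-605 section 1 is a fixed 128-byte header; section 2 follows it.
SECTION1_SIZE = 128


def java_ms_to_iso(ms):
    """Java stores times as milliseconds since the Unix epoch; 0 means 'not set'."""
    if ms == 0:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def read_utf(buf, off):
    """Java DataOutput.writeUTF(): 2-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    s = buf[off + 2:off + 2 + n].decode("utf-8", errors="replace")
    return s, off + 2 + n


def parse_idx(buf):
    """Return the header fields and section 2 (URL, IP, HTTP headers) of an .idx file."""
    if len(buf) < SECTION1_SIZE:
        raise ValueError("file too short for a section 1 header")
    busy, incomplete, cache_ver = struct.unpack_from(">BBi", buf, 0)
    if cache_ver not in (603, 604, 605):
        raise ValueError(f"unsupported cache version {cache_ver}")
    # Offsets (as read from the spec): 6 shortcut flag, 7 content length, 11 last modified,
    # 19 expiration, 27 validation, 35 known-to-be-signed, 36/40/44 section 2/3/4 lengths.
    (is_shortcut_img, content_len, last_mod, expiration, validation,
     known_signed, sec2_len, sec3_len, sec4_len) = struct.unpack_from(">BiqqqBiii", buf, 6)

    off = SECTION1_SIZE
    version, off = read_utf(buf, off)       # usually empty
    url, off = read_utf(buf, off)           # where the content was downloaded from
    namespace, off = read_utf(buf, off)
    codebase_ip, off = read_utf(buf, off)   # IP the URL resolved to at download time
    (n_headers,) = struct.unpack_from(">i", buf, off)
    off += 4
    headers = {}
    for _ in range(n_headers):
        key, off = read_utf(buf, off)
        value, off = read_utf(buf, off)
        headers[key] = value

    return {
        "busy": busy, "incomplete": incomplete, "cache_version": cache_ver,
        "content_length": content_len,
        "last_modified": java_ms_to_iso(last_mod),
        "expiration": java_ms_to_iso(expiration),
        "validation": java_ms_to_iso(validation),
        "known_to_be_signed": bool(known_signed),
        "url": url, "namespace": namespace, "codebase_ip": codebase_ip,
        "headers": headers,
        # The header's section 2 length should equal what we actually consumed.
        "sec2_consistent": (off - SECTION1_SIZE) == sec2_len,
    }


def build_sample_idx():
    """Construct a synthetic version-605 .idx with the layout above (test data, not a real file)."""
    def utf(s):
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b

    headers = [("content-type", "application/java-archive"),
               ("last-modified", "Tue, 08 Jan 2013 10:00:00 GMT"),
               ("server", "Apache"),
               ("content-length", "23581")]
    sec2 = utf("") + utf("http://example.test/tmp/payload.jar") + utf("") + utf("192.0.2.10")
    sec2 += struct.pack(">i", len(headers))
    for k, v in headers:
        sec2 += utf(k) + utf(v)
    # 1357639200000 ms = 2013-01-08T10:00:00Z; validation 30 minutes later; no expiration.
    sec1 = struct.pack(">BBi", 0, 0, 605)
    sec1 += struct.pack(">BiqqqBiii", 0, 23581, 1357639200000, 0, 1357641000000,
                        0, len(sec2), 0, 0)
    return sec1.ljust(SECTION1_SIZE, b"\x00") + sec2


if __name__ == "__main__":
    rec = parse_idx(build_sample_idx())
    for k in ("cache_version", "url", "codebase_ip", "last_modified", "validation", "sec2_consistent"):
        print(f"{k}: {rec[k]}")
    for k, v in rec["headers"].items():
        print(f"  {k}: {v}")
```

Pointing this at a real file (`parse_idx(open(path, "rb").read())`) gives you the URL and IP to pivot into proxy or DNS logs, and the server's own `date`/`last-modified` headers to line the download up against the rest of the timeline; the `sec2_consistent` flag is a cheap sanity check that you are actually reading a 603-605 layout rather than garbage.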
I don't know, I often use format specs in analysis as well. Tools often cover only the common basics of the format.
This approach has allowed me to make very interesting findings, e.g. with the PST conversation index, partial emails in Windows Search databases, recovering NTFS compressed files, etc.
Agree that a file format does not make much sense if you don't understand what it is used for.
Although I'm not the audience Harlan writes for, I think he makes a great effort to reach out to the community to try to bridge that gap. Whereas I like to increase that gap by spitting out more file format specifications 😉