Mainframe forensic - file

(@nefarsoc)
Posts: 1
New Member
Topic starter
 

Can anyone provide some insight? I was provided a file that was downloaded from a mainframe that the user thought was malicious. We have a Windows 10 environment designed for forensics. Using FileZilla, the admin connected to the mainframe and downloaded the file into the forensic environment.

Upon reviewing the file without internet (offline), I found the file and went to Properties. The file shows as a REPORT FILE. I attempted to open the file with Notepad and WordPad; both attempts merely showed a collection of unformatted symbols.

I need to scan the document to find out if there are any hidden scripts, and then would like to open the document and find out what is written.

Thank you for any assistance.

 
Posted : 21/09/2020 5:35 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

Does the file have many @@@@ characters?  If so, it is almost certainly an EBCDIC file.

 
Posted : 24/09/2020 9:15 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Visual example:

https://www.fileviewer.com/EBCDIC.html

There are many freeware converters available, try first with this online one:

https://www.dcode.fr/ebcdic-encoding

jaclaz

 
Posted : 25/09/2020 12:17 pm
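The two replies above amount to a test and a conversion: count the 0x40 bytes (the EBCDIC space, which Notepad renders as '@') and, if the file is EBCDIC, decode it with the right code page. The script below is an added example, not code from the thread or from either poster; it assumes code page 037 (US/Canada EBCDIC) and uses a short constructed report as the sample file. It scores a blob against both the ASCII and the EBCDIC printable sets rather than against one alone, and prints a hex dump with an ASCII column and an EBCDIC column side by side, which is the check a hex editor gives you when you switch its character set.

```python
import string

# Constructed sample: a short report, encoded in EBCDIC code page 037 to stand in
# for the file pulled off the mainframe. Not data from the thread.
SAMPLE_EBCDIC = "REPORT 001   ACCOUNT  BALANCE\nA1234  100.00\n".encode("cp037")

# Byte values that printable text occupies in each encoding. In EBCDIC the space
# is 0x40, which Notepad renders as '@', hence the "many @@@@" tell.
ASCII_TEXT = set(string.printable.encode("ascii"))
EBCDIC_TEXT = set(string.printable.encode("cp037"))
EBCDIC_SPACE = 0x40


def text_ratio(data: bytes, good: set) -> float:
    """Fraction of bytes that fall inside the printable set for one encoding."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in good) / len(data)


def detect_encoding(data: bytes, threshold: float = 0.95) -> str:
    """Classify a blob as 'ascii', 'ebcdic' or 'binary-or-unknown'.

    Both ratios are computed and compared, because a pure-ASCII file also
    scores moderately against EBCDIC (ASCII '%' and '?' land on valid EBCDIC
    code points), and vice versa.
    """
    a = text_ratio(data, ASCII_TEXT)
    e = text_ratio(data, EBCDIC_TEXT)
    if e >= threshold and e > a:
        return "ebcdic"
    if a >= threshold and a > e:
        return "ascii"
    return "binary-or-unknown"


def at_sign_ratio(data: bytes) -> float:
    """Share of 0x40 bytes: high for EBCDIC text padded with spaces."""
    return data.count(EBCDIC_SPACE) / len(data) if data else 0.0


def decode_ebcdic(data: bytes, codepage: str = "cp037") -> str:
    """Convert to text. cp037 is US/Canada; cp500 (international) or cp1047
    (z/OS Unix) are the usual alternatives if punctuation looks wrong."""
    return data.decode(codepage)


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Hex view with an ASCII column and an EBCDIC (cp037) column side by side."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_col = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        # cp037 maps all 256 byte values, so this decode never raises.
        ebcdic_col = "".join(c if c.isprintable() else "." for c in chunk.decode("cp037"))
        lines.append(f"{off:08x}  {hexpart}  |{ascii_col:<{width}}|  |{ebcdic_col:<{width}}|")
    return lines


if __name__ == "__main__":
    print("classified as:", detect_encoding(SAMPLE_EBCDIC))
    print(f"0x40 ('@' in ASCII) share: {at_sign_ratio(SAMPLE_EBCDIC):.0%}")
    print("\n".join(hexdump(SAMPLE_EBCDIC)))
    print(decode_ebcdic(SAMPLE_EBCDIC))
```

Run it against the real file by replacing `SAMPLE_EBCDIC` with `open(path, "rb").read()`. A file that scores high against neither set is not text in either encoding and needs the hex editor and file(1) route rather than a converter; if it decodes but punctuation such as brackets or the currency sign comes out wrong, try cp500 or cp1047 before assuming corruption.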
(@athulin)
Posts: 1156
Noble Member
 
Posted by: @nefarsoc

Can anyone provide some insight? I was provided a file that was downloaded from a mainframe that the user thought was malicious. We have a Windows 10 environment designed for forensics. Using FileZilla, the admin connected to the mainframe and downloaded the file into the forensic environment.

Upon reviewing the file without internet (offline), I found the file and went to Properties. The file shows as a REPORT FILE. I attempted to open the file with Notepad and WordPad; both attempts merely showed a collection of unformatted symbols.

I need to scan the document to find out if there are any hidden scripts, and then would like to open the document and find out what is written.

Thank you for any assistance.

What kind of mainframe? What kind of file?  (You say that you looked at properties, but without knowing what file type those properties belong to, there's no way to say what 'REPORT FILE' really means.  It could be anything starting from RPG2 output ...)

Did you use Windows tools to open the file, because you know or guessed it is a Windows type file?  Or did you use them because you don't have anything else?  (Using a hex editor would have been better -- if the file is malicious, it may attack the tools you use ...)

Why did the user suspect the file was malicious?

 

1a. Find out what the file is.  I'd feed the file to something like Unix file(1) with the latest set of file signatures. 

1b. Find out if it's a known malicious file -- if the file is not anything that could be considered confidential, upload it to one of the malware analysis sites.

2a. Once you know what the file is, take it apart.  But that clearly depends on the results from 1a.

2b. While you're doing that, figure out how the file ended up in the place it was found.  (A user's home directory?  A system directory?  Somewhere else?)

 

 
Posted : 25/09/2020 3:28 pm
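Steps 1a and 1b above, plus the original poster's question about hidden scripts, can be done offline in one pass: check the first bytes against known magic signatures before trusting the "REPORT FILE" label, compute the digests you would look up on a malware analysis site (the hash can be checked without uploading a possibly confidential file), and search for script markers in both ASCII and EBCDIC, since anything hidden in a mainframe file would be in the mainframe's own encoding. This is an added example, not code from the thread or from any poster; the signature list is a small hand-picked subset of what file(1) knows, the marker list (JCL JOB and EXEC statements, a REXX comment header, an HTML script tag, a PowerShell invocation) is my own choice, cp037 is assumed for the EBCDIC side, and the sample is a constructed report page with a JCL JOB card tucked into it.

```python
import hashlib

# Magic signatures checked at offset 0. A hand-picked subset; file(1) with a
# current magic database covers far more than this.
MAGIC = [
    (b"MZ", "DOS/Windows executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP container (also OOXML Office, JAR)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy Office)"),
    (b"{\\rtf", "RTF document"),
]

# Strings that have no business in a print report. Each is searched in ASCII
# and in EBCDIC (cp037), in the casing given plus all-upper and all-lower.
MARKERS = [
    ("JCL JOB statement", " JOB "),
    ("JCL EXEC statement", "EXEC PGM="),
    ("REXX comment header", "/* REXX"),
    ("HTML script tag", "<script"),
    ("PowerShell invocation", "powershell"),
]

# Constructed sample: an EBCDIC report page with a JCL JOB card embedded.
# Not data from the thread.
SAMPLE = "PAGE 1   DAILY BALANCE REPORT\n//HIDE JOB (ACCT),'X'\n".encode("cp037")


def hashes(data: bytes) -> dict[str, str]:
    """Digests to look up on a malware analysis site without uploading the file."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def identify(data: bytes) -> str:
    """Label the file by magic bytes at offset 0, if any signature matches."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "no known magic signature"


def find_markers(data: bytes) -> list[tuple[str, str, int]]:
    """Return (encoding, label, offset) for every marker hit in either encoding."""
    hits = []
    for label, marker in MARKERS:
        for enc in ("ascii", "cp037"):
            for variant in {marker, marker.upper(), marker.lower()}:
                needle = variant.encode(enc)
                start = 0
                while (pos := data.find(needle, start)) != -1:
                    hits.append((enc, label, pos))
                    start = pos + 1
    return sorted(hits)


def triage(data: bytes) -> dict:
    """Offline first pass: size, magic-based type, digests, suspicious markers."""
    return {
        "size": len(data),
        "type": identify(data),
        "hashes": hashes(data),
        "markers": find_markers(data),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("size:   ", report["size"])
    print("type:   ", report["type"])
    for name, digest in report["hashes"].items():
        print(f"{name:7}:", digest)
    for enc, label, offset in report["markers"]:
        print(f"marker: {label} ({enc}) at offset {offset}")
```

A hit from `find_markers` is a lead, not a verdict: a legitimate report can quote a JOB name, and a script can be split across record boundaries so that no single needle matches. Treat the offset as the place to open in the hex editor, then decode that region with the EBCDIC code page and read it in full.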