Mainframe forensic - file  

nefarsoc
(@nefarsoc)
New Member

Can anyone provide some insight? I was provided a file that was downloaded from a mainframe that the user thought was malicious. We have a Windows 10 environment designed for forensics. Using FileZilla, the admin connected to the mainframe and downloaded the file into the forensic environment.

Upon reviewing the file without internet (offline), I found the file and went to Properties. The file shows as a REPORT FILE. I attempted to open the file with Notepad and WordPad; both attempts merely showed a collection of unformatted symbols.

I need to scan the document to find out if there are any hidden scripts, and then would like to open the document and find out what is written.

Thank you for any assistance.

Posted : 21/09/2020 6:35 pm
mscotgrove
(@mscotgrove)
Senior Member

Does the file have many @@@@ characters? If so, it is almost certainly an EBCDIC file.

Posted : 24/09/2020 10:15 pm
jaclaz
(@jaclaz)
Community Legend

Visual example:

https://www.fileviewer.com/EBCDIC.html

There are many freeware converters available, try first with this online one:

https://www.dcode.fr/ebcdic-encoding

jaclaz

Posted : 25/09/2020 1:17 pm
athulin
(@athulin)
Community Legend

What kind of mainframe? What kind of file?  (You say that you looked at properties, but without knowing what file type those properties belong to, there's no way to say what 'REPORT FILE' really means.  It could be anything starting from RPG2 output ...)

Did you use Windows tools to open the file, because you know or guessed it is a Windows type file?  Or did you use them because you don't have anything else?  (Using a hex editor would have been better -- if the file is malicious, it may attack the tools you use ...)

Why did the user suspect the file was malicious?


1a. Find out what the file is.  I'd feed the file to something like Unix file(1) with latest set of file signatures. 

1b. Find out if it's a known malicious file -- if the file is not anything that could be considered as confidential, upload it to some of these malware analysis sites.

2a. Once you know what the file is, take it apart.  But that clearly depends on the results from 1a.

2b. While you're doing that, figure out how the file ended up in the place it was found.  (A user's home directory?  A system directory?  Somewhere else?)

Posted : 25/09/2020 4:28 pm
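Putting the replies together, here is an added example (my own code, not anything posted by nefarsoc, mscotgrove, jaclaz or athulin) that does athulin's steps 1a and 1b offline on a copy of the file: it hashes the bytes, previews them as a hex dump instead of opening them in Notepad or WordPad, and turns mscotgrove's "@@@@" test into a measurable check. In EBCDIC the space character is 0x40, which an ASCII viewer renders as '@', and the rest of the alphabet lands above 0x7F, so a file that is mostly non-ASCII bytes yet decodes to clean printable text under an EBCDIC code page is EBCDIC. If it is, the script splits the records and decodes them with Python's built-in cp037 codec (the US/Canada code page; cp500 and cp1047 are the other usual suspects and can be passed instead), which is the offline equivalent of the converters jaclaz links. The sample report, the record length of 80 and the list of candidate record lengths are constructed assumptions for the demonstration, not data from the thread.

```python
"""Offline triage of a file pulled from a mainframe: hash it, look at raw bytes,
decide between ASCII text / EBCDIC text / binary, then decode EBCDIC records.
Added example, not code from the forum thread."""
import hashlib
from typing import List, Optional

# Byte values that make up plain ASCII text: printable range plus tab, LF, CR.
_ASCII_TEXT = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# EBCDIC record terminators written by z/OS tools: NL (0x15) and LF (0x25).
_EBCDIC_NL, _EBCDIC_LF = 0x15, 0x25

LRECL = 80  # assumed record length of the constructed sample (RECFM=FB, LRECL=80)
_REPORT_LINES = [  # constructed, hypothetical report content
    "DAILY REPORT  2020-09-21",
    "ACCOUNT 12345  BALANCE    1,000.00",
    "END OF REPORT",
]
# Fixed-length, space-padded records with no terminators: what a *binary* FTP
# transfer of a RECFM=FB dataset looks like on the receiving workstation.
SAMPLE_EBCDIC_FB = b"".join(l.ljust(LRECL).encode("cp037") for l in _REPORT_LINES)
# Same text with EBCDIC NL separators instead of fixed records.
SAMPLE_EBCDIC_NL = bytes([_EBCDIC_NL]).join(l.encode("cp037") for l in _REPORT_LINES)
# Same text as ordinary ASCII, for comparison.
SAMPLE_ASCII = "\n".join(_REPORT_LINES).encode("ascii")


def sha256_hex(data: bytes) -> str:
    """Hash first, so the artifact can be looked up or submitted later (step 1b)."""
    return hashlib.sha256(data).hexdigest()


def hexdump(data: bytes, width: int = 16, limit: int = 64) -> str:
    """Passive preview: bytes are only printed, no parser or viewer runs on them.
    EBCDIC spaces (0x40) show up as '@' in the right-hand column."""
    rows = []
    for off in range(0, min(len(data), limit), width):
        chunk = data[off:off + width]
        hexs = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{off:08x}  {hexs:<{width * 3 - 1}}  |{text}|")
    return "\n".join(rows)


def ascii_text_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    return sum(b in _ASCII_TEXT for b in data) / len(data)


def ebcdic_text_ratio(data: bytes, codec: str = "cp037") -> float:
    """Fraction of characters that are printable after an EBCDIC decode.
    Every byte value is defined in cp037, so the decode never raises."""
    text = data.decode(codec)
    return sum(c.isprintable() or c in "\t\n\r\x85" for c in text) / len(text)


def classify(data: bytes) -> str:
    """ASCII is tested first: ASCII text can look half-plausible under cp037,
    but EBCDIC text never passes the ASCII test because its letters are >= 0x80."""
    if not data:
        return "empty"
    if ascii_text_ratio(data) >= 0.95:
        return "ascii-text"
    if ebcdic_text_ratio(data) >= 0.95:
        return "ebcdic-text"
    return "binary"


def guess_lrecl(data: bytes, candidates=(80, 121, 132, 133)) -> Optional[int]:
    """Heuristic (assumed candidate lengths): a fixed-block dataset with no
    terminators divides evenly into records whose last byte is 0x40 padding."""
    for n in candidates:
        if len(data) % n == 0 and all(data[i] == 0x40 for i in range(n - 1, len(data), n)):
            return n
    return None


def decode_ebcdic(data: bytes, lrecl: Optional[int] = None, codec: str = "cp037") -> List[str]:
    """Split into records (fixed-length if lrecl is given, else on NL/LF),
    decode each with the chosen EBCDIC code page and drop trailing padding."""
    if lrecl:
        if len(data) % lrecl:
            raise ValueError(f"{len(data)} bytes is not a multiple of LRECL {lrecl}")
        records = [data[i:i + lrecl] for i in range(0, len(data), lrecl)]
    else:
        records = data.replace(bytes([_EBCDIC_LF]), bytes([_EBCDIC_NL])).split(bytes([_EBCDIC_NL]))
        if records and records[-1] == b"":
            records.pop()
    return [r.decode(codec).rstrip() for r in records]


def triage(data: bytes) -> dict:
    """Run the whole sequence and return the findings as a dict."""
    kind = classify(data)
    result = {"sha256": sha256_hex(data), "kind": kind,
              "at_sign_fraction": data.count(0x40) / len(data) if data else 0.0}
    if kind == "ebcdic-text":
        lrecl = guess_lrecl(data)
        result["lrecl"] = lrecl
        result["lines"] = decode_ebcdic(data, lrecl)
    return result


if __name__ == "__main__":
    for name, blob in (("FB sample", SAMPLE_EBCDIC_FB), ("ASCII sample", SAMPLE_ASCII)):
        print(f"== {name}\n{hexdump(blob)}\n{triage(blob)}")
```

Run it against a real file with `triage(open(path, "rb").read())`; if `classify` says `binary`, stop here and go back to athulin's step 1a with `file(1)` rather than guessing a code page, and if it says `ebcdic-text` but the decoded lines look wrong, try `codec="cp500"` or `codec="cp1047"` before assuming the file is corrupt.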