Cointime

Where Would You Find Elf in Cybersecurity?

Well, we’ve all heard of the magic of Christmas, but let’s look at another magic thing … the magic of digital forensics. For this we have the concept of magic numbers, which are fixed byte sequences, usually at the very start of a file, that identify its type. These magic numbers are special gifts for digital investigators, as they make the job of finding things a whole lot easier [here]. So, since it is Christmas, let’s have a bit of fun with 10 trivial facts on these magic numbers:

Trivial Fact 1: There’s an Elf in Linux. Unfortunately it’s not a Christmas Elf, but it is the magic file identifier for a Linux executable: the file starts with the bytes “.ELF” (the “.” is how a hex viewer shows the non-printable byte 0x7F), which marks the Executable and Linkable Format [here]:

Trivial Fact 2: The identifier for ZIP files is named after Phil Katz. At the start of a .ZIP file we will see the characters “PK”, the initials of the creator of the ZIP file format. So what’s so special about PK? Ask any digital forensics investigator, and they will say that these two characters are often used to perform a quick search of a disk for ZIP files. We can see the “PK” magic number in all its glory [here]:

Trivial Fact 3: A Microsoft document is just a ZIP file. ZIP files are used to compress and package files, but the format’s scope has also expanded to Microsoft Office documents, which are now just ZIP files with an associated file extension to identify the document type [DOCX][XLSX][PPTX]:

If you ever have to change anything to do with the rights of a Microsoft document, or extract some content from it, you just change the file extension to .ZIP and can then open it as a ZIP file.
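Because DOCX, XLSX and PPTX all begin with the same “PK” bytes, the magic number alone cannot tell them apart; the package’s own [Content_Types].xml part names the main document part and settles it. The following Python is an added example, not code from the original article: it builds a constructed, minimal Office-style package (the real files carry many more parts, but the ZIP container and the content-type table are the same) and classifies arbitrary bytes from the magic number plus that table.

```python
import io
import zipfile

# Content type of the main part for each Office format. All three formats
# share the "PK" magic number, so this is how they are told apart.
MAIN_PARTS = {
    "DOCX": ("word/document.xml",
             "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"),
    "XLSX": ("xl/workbook.xml",
             "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"),
    "PPTX": ("ppt/presentation.xml",
             "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml"),
}

CONTENT_TYPES_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/{part}" ContentType="{ctype}"/></Types>'
)

def build_sample_package(kind=None) -> bytes:
    """Constructed stand-in for a real Office file: just the ZIP container and
    the [Content_Types].xml part that names the main document part. With
    kind=None it builds an ordinary ZIP with no Office parts at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        if kind is None:
            z.writestr("readme.txt", "an ordinary archive")
        else:
            part, ctype = MAIN_PARTS[kind]
            z.writestr("[Content_Types].xml", CONTENT_TYPES_XML.format(part=part, ctype=ctype))
            z.writestr(part, "<root/>")
    return buf.getvalue()

def identify_office_package(data: bytes) -> str:
    """Classify bytes as DOCX / XLSX / PPTX, a plain ZIP, or not a ZIP at all,
    working from the magic number and the package's own content-type table."""
    if data[:2] != b"PK":
        return "not a ZIP"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if "[Content_Types].xml" not in z.namelist():
                return "ZIP"
            types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "damaged ZIP"
    for label, (_part, ctype) in MAIN_PARTS.items():
        if ctype in types_xml:
            return label
    return "ZIP (unknown Office package)"
```

The extension is ignored on purpose: a renamed file keeps its “PK” bytes and its content-type table, which is exactly why investigators key on the container rather than on the name.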

Trivial Fact 4: The identifier for EXE files is named after Mark Zbikowski (“MZ”). Mark was one of the lead developers of MS-DOS, and his initials appear as the first two characters of an EXE file [here]:

Trivial Fact 5: Sometimes it is good to look for TVs. Well, this fact is related to Trivial Fact 4, as the Base64 encoding of “MZ” begins with … “TV” [here]:

And so when an EXE is embedded into an email, it will travel in Base64 format, such as with [here]:

Thus many network scanners look for the “TV” value within strings, as it might identify a Windows program that has been converted into Base64 format.
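One caveat a detection engineer will want spelled out: Base64 works on 3-byte groups, so “MZ” only encodes as “TV” when the executable starts on a group boundary. If even one byte of other data precedes it, the same header encodes differently and a plain “TV” search misses it. The Python below is an added example, not code from the original article; the MZ header bytes and the mail fragment are constructed samples. It computes the Base64 text the MZ signature produces at each of the three alignments, and then shows an alignment-independent check that decodes each Base64-looking run and looks for “MZ” in the decoded bytes.

```python
import base64
import math
import re

# Constructed sample: the first bytes of a DOS/PE header (the page's "MZ",
# followed by the common 0x90 0x00 0x03 0x00 bytes of the DOS header).
MZ_HEADER = b"MZ\x90\x00\x03\x00\x00\x00"

def base64_signature_variants(sig: bytes) -> dict:
    """For each of the three possible byte alignments (0, 1 or 2 bytes before
    the signature within a Base64 group), return the Base64 characters that are
    fully determined by `sig`. Base64 turns 3 bytes into 4 characters, so the
    same bytes encode differently depending on where the group boundary falls."""
    variants = {}
    for pad in range(3):
        encoded = base64.b64encode(b"\x00" * pad + sig).decode("ascii")
        first = math.ceil(8 * pad / 6)             # first char wholly inside sig
        last = (8 * (pad + len(sig))) // 6         # one past the last such char
        variants[pad] = encoded[first:last]
    return variants

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def find_base64_executables(text: str) -> list:
    """Detection that does not depend on alignment: decode each Base64-looking
    run in `text` and report (run offset, offset of 'MZ' inside the decoded
    bytes). A plain search for the text 'TV' would only catch alignment 0."""
    hits = []
    for m in BASE64_RUN.finditer(text):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]       # drop a trailing partial group
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        idx = raw.find(b"MZ")
        if idx != -1:
            hits.append((m.start(), idx))
    return hits

# Constructed mail fragment: one byte of other data precedes the executable, so
# the Base64 text never contains "TV" even though an MZ header is inside it.
SAMPLE_MAIL = (
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(b"\x01" + MZ_HEADER + b"\x00" * 6).decode("ascii")
)

def scan_sample() -> list:
    return find_base64_executables(SAMPLE_MAIL)
```

For the sample header the three variants are “TVqQAAMAAA”, “1akAADAAAA” and “NWpAAAwAAA”; a scanner that matches only the first is blind to the other two alignments, which is why decoding before matching is the more robust approach.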

Trivial Fact 6: An Adobe Illustrator file is just a PDF. Adobe has long supported the PDF format as its main way to encapsulate a whole lot of content into a single package. The tell-tale sign of a PDF file is “%PDF”. Illustrator files are often just PDFs and can be opened in Adobe Reader [here]:

Here is an example of opening an AI file with Adobe Acrobat:

Trivial Fact 7: You don’t need X-ray eyes to see what’s going on in a program. Programs compiled from C++ often do not hide the strings they use: they sit in the executable as plain text. In the following we see a Linux executable, and the text in the program is clear to see [link]:

The same thing happens with Microsoft Windows programs [here]:

An investigator can thus often scan across a disk for important identifiers, including secret content that has been embedded within an executable program.
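The scan described above is essentially what the Unix `strings` tool does: walk the bytes and report every run of printable characters above a minimum length. The Python below is an added example, not code from the original article; the byte buffer is a constructed stand-in for a small compiled program (a few opcode-like bytes with three embedded strings). On top of the raw extraction it adds the triage filter an investigator would actually run, picking out strings that look like embedded credentials.

```python
import re
import string

# Constructed sample: bytes resembling a small compiled program with embedded
# text (a format string, a config path and a credential-looking value).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x55\x48\x89\xe5"                       # a few x86-64-looking opcodes
    + b"Usage: %s <file>\x00"
    + b"\x31\xc0\xc3"
    + b"/etc/app/config.ini\x00"
    + b"\x90\x90"
    + b"api_key=EXAMPLE-NOT-REAL\x00"            # constructed, not a real key
    + b"ab\x00"                                  # too short to be reported
)

# Printable ASCII minus the control whitespace; space itself is kept.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")

def extract_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for every run of at least `min_len` printable ASCII
    bytes, the same idea as the Unix `strings` tool."""
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                yield start, data[start:i].decode("ascii")
            start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:].decode("ascii")

# Assignment-style patterns that deserve a second look during triage.
SENSITIVE = re.compile(r"(api[_-]?key|password|secret|token)\s*[=:]", re.IGNORECASE)

def flag_sensitive_strings(data: bytes, min_len: int = 4) -> list:
    """Return the (offset, text) pairs whose text looks like a credential
    assignment, the kind of embedded secret the paragraph above refers to."""
    return [(off, s) for off, s in extract_strings(data, min_len) if SENSITIVE.search(s)]
```

The minimum length matters: with `min_len=3` the “ELF” of the magic number itself shows up, while the default of four keeps most opcode sequences that happen to be printable out of the output.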

Trivial Fact 8: Many documents just dump images and other content in their raw format. In file formats such as PDF and PPT, we see images contained within the file in their original format, and we can carve them out with tools such as scalpel. In the following we see TIF files and PDFs contained in a single file [here]:

This helps digital forensics investigators as they can search a disk for images, even if they are contained in other files.

Trivial Fact 9: An encrypted ZIP file gives away its contents. You might think you can hide the contents of a ZIP file by putting a password on it. But the names of the files can be seen in plaintext when looking at the header of the ZIP file with a binary viewer, since ZIP encryption protects only the file data, not the file names. Here we see that this ZIP file contains the files “PROG2_02.PAS” and “PROG1_2.PAS” [here]:
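Here is the binary viewer’s view in code, as an added example that is not part of the original article. Each ZIP entry starts with a 30-byte local file header (signature, flags, sizes, then the name), and bit 0 of the flags field marks the entry as encrypted. Python’s zipfile cannot write password-protected archives, so the sample archive is constructed with the page’s two file names and, to mimic an encrypted one, only the “encrypted” flag bit is set in each header; the name fields sit in exactly the same place either way, and the parser never decrypts anything.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"   # 30 bytes; fields listed in list_local_headers

def build_sample_zip(mark_encrypted: bool) -> bytes:
    """Constructed two-entry archive using the page's file names. Python's
    zipfile cannot write password-protected archives, so to mimic one we set
    bit 0 of the general-purpose flag (the 'encrypted' bit) in each local and
    central-directory header; that is the field a real encrypted archive sets,
    and the name fields are laid out identically either way."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in (("PROG2_02.PAS", "program Two; begin end."),
                           ("PROG1_2.PAS", "program One; begin end.")):
            info = zipfile.ZipInfo(name, date_time=(2024, 12, 25, 0, 0, 0))
            z.writestr(info, text)            # ZipInfo defaults to ZIP_STORED
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, flag_offset in ((LOCAL_HEADER_SIG, 6), (CENTRAL_DIR_SIG, 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + flag_offset] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)

def list_local_headers(data: bytes) -> list:
    """Walk the local file headers exactly as a binary viewer would and return
    (file name, encrypted?) pairs. No key is needed: ZIP encryption covers the
    entry data only, never the name field."""
    entries = []
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1:
        # signature, version, flags, method, mod time, mod date, crc32,
        # compressed size, uncompressed size, name length, extra length
        (_sig, _ver, flags, _method, _time, _date, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        # Names are CP437 unless flag bit 11 marks them UTF-8; identical for ASCII.
        name = data[pos + 30 : pos + 30 + name_len].decode("cp437")
        entries.append((name, bool(flags & 0x01)))
        pos = data.find(LOCAL_HEADER_SIG, pos + 30 + name_len + extra_len + csize)
    return entries
```

Skipping forward by the compressed size means the walk never lands inside entry data, so a “PK” that happens to appear in a file’s content is not mistaken for a header.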

Trivial Fact 10: RIFFs are used in music files (doh!). No, it’s not that kind of Jimi Hendrix riff: “RIFF” stands for the Resource Interchange File Format bitstream, and it is used in WAV files [here]:
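Pulling the magic numbers from Facts 1, 2, 4, 6 and 10 into one table gives the identifier an investigator actually uses, and running the same table over a whole blob rather than just its first bytes is the header search behind the carving in Fact 8. The Python below is an added example, not code from the original article or from scalpel; the blob is a constructed sample (a PDF header with a TIFF, a WAV, a ZIP and an ELF header dumped inside it, separated by filler bytes).

```python
import struct

# Signature table: (label, magic bytes at offset 0). The 0x7F in the ELF magic
# is the byte a hex viewer shows as "."; "PK\x03\x04" is the full local-header
# signature rather than just "PK", so the letters PK in ordinary text don't match.
# "MZ" is only two bytes and is noisy when carving; a real carver confirms it
# against further DOS header fields.
SIGNATURES = [
    ("ELF executable",        b"\x7fELF"),
    ("ZIP / Office document", b"PK\x03\x04"),
    ("DOS/PE executable",     b"MZ"),
    ("PDF / Illustrator",     b"%PDF"),
    ("RIFF container",        b"RIFF"),
    ("TIFF (little-endian)",  b"II*\x00"),
    ("TIFF (big-endian)",     b"MM\x00*"),
]

def identify(data: bytes) -> str:
    """Name a file type from its magic number, or return 'unknown'."""
    for label, magic in SIGNATURES:
        if data.startswith(magic):
            if label == "RIFF container":
                # Bytes 8..12 name the form type: b"WAVE" for WAV files.
                form = data[8:12].decode("ascii", "replace").strip()
                return f"RIFF container ({form})"
            return label
    return "unknown"

def carve_signatures(blob: bytes) -> list:
    """Scan a blob (disk image, PDF, PPT) for every signature occurrence and
    return sorted (offset, label) pairs; this header search is the first step
    of what a carver such as scalpel does before it extracts the bytes."""
    hits = []
    for label, magic in SIGNATURES:
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, label))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

# Constructed blob: a PDF header with a TIFF, a WAV, a ZIP and an ELF header
# dumped inside it, separated by filler bytes (standing in for Fact 8's file).
SAMPLE_BLOB = (
    b"%PDF-1.4\n" + b"\x00" * 16
    + b"II*\x00" + struct.pack("<I", 8) + b"\x00" * 8
    + b"RIFF" + struct.pack("<I", 36) + b"WAVEfmt " + b"\x00" * 16
    + b"PK\x03\x04" + b"\x00" * 26
    + b"\x7fELF\x02\x01\x01\x00"
)

def carve_sample() -> list:
    return carve_signatures(SAMPLE_BLOB)
```

`identify` looks only at offset 0 and answers the “what is this file?” question; `carve_signatures` answers “what else is hidden inside it?”, which for the sample blob is a TIFF at offset 25, a WAV at 41, a ZIP at 73 and an ELF at 103, even though the blob as a whole identifies as a PDF.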

Conclusions

So, after you have opened all your presents on Christmas Day and are bored with the Boxing Day film, here’s a little test for you:
