Download App
iOS & Android

Where Would You Find Elf in Cybersecurity?

Validated Individual Expert

Well, we’ve all heard of the magic of Christmas, but let’s look at another magic thing … the magic of digital forensics. For this we have the concept of magic numbers, and which are identifiers of different file types. These magic numbers are special gifts for digital investigators, as they make the job of finding things a whole lot easier [here]. So, since it is Christmas, let’s have a bit of fun with 10 trivial facts on these magic numbers:

Trivial Fact 1: There’s an Elf in Linux. Unfortunately it’s not a Christmas Elf, but it is a magic file identifier for a LINUX executable, and where the file format starts with “.ELF” , and which defines the Executable and Linkable Format [here]:

Trivial Fact 2: The identifier for ZIP files was named after Phil Katz. At the start of a .ZIP file we will see the characters “PK”, and these are the initials of the creator of the ZIP file format. So what’s so special about PK? Ask any digital forensics investigator, and they will say that the two characters are often used to perform a quick search on a disk for ZIP files. We can see the “PK” magic number in all its glory [here]:

Trivial Fact 3: A Microsoft document is just a ZIP file. ZIP files are used to compress and package files, but it has also expanded its scope to integrate Microsoft Office documents which are now just ZIP files with an associated file extension to identify the file type [DOCX][XLSX][PPTX]:

If you ever have to change anything to do with the rights of a Microsoft document or extract some content, you just change the file extension to .ZIP, and can then open it as a ZIP file.

Trivial Fact 4: The identifier for EXE files is named after Mark Zbikowski(“MZ”). Mark was one of the lead developers of MS-DOS’s and his initials appear in the two characters of an EXE file [here]:

Trivial Fact 5: Sometimes it is good to look for TVs. Well, this fact is related to Trivial Fact 4, as the Base64 conversion for “MZ” is … “TV” [here]:

And so when an EXE is embedded into an email, it will travel in a Base64 format, such as with [here]:

Thus many network scanners look for the “TV” value within strings, as it might identify a Windows program that has been converted into a Base-64 format.

Trivial Fact 6: An Adobe Illustrator file is just a PDF. Adobe has long supported the PDF format as its main way to encapsulate a whole lot of files into a single package. The tell-tail sign of a PDF file is “%PDF”. Illustrator files are often just PDFs and can be opened in Adobe Reader [here]:

Here is an example of opening an AI file with Adobe Acrobat:

Trivial Fact 7: You don’t need X-ray eyes to see what’s going on in a program. Programs compiled from C++ often do not hide the strings within the program in the executable code. In the following we see a Linux executable and the text in the program is clear to see [link]:

The same thing happens with Microsoft Windows programs [here]:

An investigator can thus often scan across a disk and look for important identifiers, and where secret content could be embedded within an executable program.

Trivial Fact 8: Many documents just dump images and other content in their raw format. For file formats such as PDF and PPT we see images contained within the file in their original format, and where we can carve them out with tools such as scalpel. In the following we see TIF files, and PDFs contained in a single file [here]:

This helps digital forensics investigators as they can search a disk for images, even if they are contained in other files.

Trivial Fact 9: An encrypted ZIP file gives away its contents. And so you might think you can hide the contents of a ZIP files if you put a password on them. But, the names of the files can be seen in the plain when looking at the header of the ZIP file with a binary viewer. Here we see that this ZIP file contains the files “PROG2_02.PAS” and “PROG1_2.PAS” [here]:

Trivial Fact 10: RIFFs are used in music files (doh!). No, it’s not that kind of Jim Hendrix rif, as “RIFF” is defined as a Resource Interchange File Format bitstream, and is used in WAV files [here]:


So, after you have opened all your presents on Christmas Day, and bored with the Boxing Day film, here’s a little test for you:


All Comments

Recommended for you

  • Hong Kong Financial Secretary: The Hong Kong government is promoting the development of virtual assets and is working with the Hong Kong Stock Exchange to strengthen its ties with the mainland through

    Hong Kong Financial Secretary's Deputy Secretary Huang Weilun stated that in recent years, the Hong Kong government has focused on promoting innovation in the financial industry, including promoting the development of virtual assets and financial technology. Therefore, they are cooperating with the Hong Kong Stock Exchange to enhance their connection with the mainland through the mutual market access scheme, achieving a win-win cooperation relationship in investment product scope and opportunities.

  • Nomura Securities Subsidiary Laser Digital Plans to Issue Japanese Stablecoin

    Nomura Securities announced its cooperation with its digital asset subsidiary, Laser Digital, and the parent company of stablecoin issuer GMO-Z, GMO Internet. The two parties plan to jointly explore the issuance of US dollar and Japanese yen stablecoins in Japan, and provide stablecoin-as-a-service solutions in the Japanese market. It is reported that GMO-Z has a New York State (NYDFS) trust license, and its stablecoins GYEN and ZUSD can be used on Ethereum, Solana, and Stellar blockchains.

  • South Korean media: The Ministry of Justice will crack down on market manipulation and fraud in the virtual asset market

    According to Korean media Digital Asset, the Korean Ministry of Justice stated that "the virtual asset crime joint investigation team of the Seoul Southern District Prosecutor's Office is working hard to crack down on market manipulation of virtual assets, unreported virtual asset exchanges, and virtual asset deposit fraud." The Ministry of Justice selected the PICA fraud case of 90 billion Korean won, illegal exchange business of 5800 Korean won, and the Haru Invest deposit fraud case of 1.4 trillion Korean won as representative examples of the three crimes.

  • Argentina Securities Commission in Talks with Salvadoran Authorities on Bitcoin Adoption

    According to reports, a high-ranking official from the Argentine National Securities Commission (CNV) met with the head of the Salvadoran National Digital Asset Commission (CNAD) last week to discuss the issue of adopting Bitcoin.

  • Argentine Regulators in Talks with El Salvador Authorities on Bitcoin Adoption

    The regulatory authorities of Argentina and Salvador held talks on the issue of adopting Bitcoin. A senior official from the Argentine National Securities Commission (CNV) met with the head of the Salvadoran National Digital Asset Commission (CNAD) last week. The two sides discussed cooperation agreements related to digital assets, and Argentine officials hope to learn from Salvador's experience in making Bitcoin a legal currency and plan to sign a cooperation agreement.It is reported that the purpose of this dialogue is to strengthen cooperation between the two countries in the regulation of Bitcoin and encrypted assets, and to promote the development of Argentina in this field.

  • Ethereum L2 TVL jumps to $46.5 billion, a new all-time high

    According to L2BEAT data, the current Ethereum Layer2 TVL has reached a historical high of 46.533 billion US dollars, with a 7-day increase of 17.16%. The top five TVLs are:Arbitrum One TVL is 19.25 billion US dollars, with a 7-day increase of 18.55%;

  • Elon Musk's AI company xAI completes $6 billion Series B financing, with participation from a16z and others

    Elon Musk's AI company xAI has announced the completion of a $6 billion B-round financing, with participation from Valor Equity Partners, Vy Capital, Andreessen Horowitz (a16z), Sequoia Capital, Fidelity Management & Research Company, Prince Alwaleed Bin Talal, Kingdom Holding, and others. This round of financing will be used to bring xAI's first batch of products to market, build advanced infrastructure, and accelerate future technology research and development.

  • Brazil CBDC pilot delayed to 2025 due to inefficient privacy solutions

    The Brazilian central bank recently stated that due to the inefficiency of the privacy solution provided by drex for the CBDC project, its pilot has been postponed until 2025. The new pilot phase will begin in July and end in 2025, allowing third parties to implement new features including smart contracts.

  • Crystal Clear Lattice

    Inside the mind of a $100 million fund manager.

  • Genesis Global secures court approval for $3B payout

    According to Judge Lane, any available funds for distribution by Genesis are being exhausted by creditor claims, which take priority over DCG’s equity stake.