Cointime

Cointime

Download App
iOS & Android

Where Would You Find Elf in Cybersecurity?

Validated Individual Expert

Well, we’ve all heard of the magic of Christmas, but let’s look at another magic thing … the magic of digital forensics. For this we have the concept of magic numbers, and which are identifiers of different file types. These magic numbers are special gifts for digital investigators, as they make the job of finding things a whole lot easier [here]. So, since it is Christmas, let’s have a bit of fun with 10 trivial facts on these magic numbers:

Trivial Fact 1: There’s an Elf in Linux. Unfortunately it’s not a Christmas Elf, but it is a magic file identifier for a LINUX executable, and where the file format starts with “.ELF” , and which defines the Executable and Linkable Format [here]:

Trivial Fact 2: The identifier for ZIP files was named after Phil Katz. At the start of a .ZIP file we will see the characters “PK”, and these are the initials of the creator of the ZIP file format. So what’s so special about PK? Ask any digital forensics investigator, and they will say that the two characters are often used to perform a quick search on a disk for ZIP files. We can see the “PK” magic number in all its glory [here]:

Trivial Fact 3: A Microsoft document is just a ZIP file. ZIP files are used to compress and package files, but it has also expanded its scope to integrate Microsoft Office documents which are now just ZIP files with an associated file extension to identify the file type [DOCX][XLSX][PPTX]:

If you ever have to change anything to do with the rights of a Microsoft document or extract some content, you just change the file extension to .ZIP, and can then open it as a ZIP file.

Trivial Fact 4: The identifier for EXE files is named after Mark Zbikowski(“MZ”). Mark was one of the lead developers of MS-DOS’s and his initials appear in the two characters of an EXE file [here]:

Trivial Fact 5: Sometimes it is good to look for TVs. Well, this fact is related to Trivial Fact 4, as the Base64 conversion for “MZ” is … “TV” [here]:

And so when an EXE is embedded into an email, it will travel in a Base64 format, such as with [here]:

Thus many network scanners look for the “TV” value within strings, as it might identify a Windows program that has been converted into a Base-64 format.

Trivial Fact 6: An Adobe Illustrator file is just a PDF. Adobe has long supported the PDF format as its main way to encapsulate a whole lot of files into a single package. The tell-tail sign of a PDF file is “%PDF”. Illustrator files are often just PDFs and can be opened in Adobe Reader [here]:

Here is an example of opening an AI file with Adobe Acrobat:

Trivial Fact 7: You don’t need X-ray eyes to see what’s going on in a program. Programs compiled from C++ often do not hide the strings within the program in the executable code. In the following we see a Linux executable and the text in the program is clear to see [link]:

The same thing happens with Microsoft Windows programs [here]:

An investigator can thus often scan across a disk and look for important identifiers, and where secret content could be embedded within an executable program.

Trivial Fact 8: Many documents just dump images and other content in their raw format. For file formats such as PDF and PPT we see images contained within the file in their original format, and where we can carve them out with tools such as scalpel. In the following we see TIF files, and PDFs contained in a single file [here]:

This helps digital forensics investigators as they can search a disk for images, even if they are contained in other files.

Trivial Fact 9: An encrypted ZIP file gives away its contents. And so you might think you can hide the contents of a ZIP files if you put a password on them. But, the names of the files can be seen in the plain when looking at the header of the ZIP file with a binary viewer. Here we see that this ZIP file contains the files “PROG2_02.PAS” and “PROG1_2.PAS” [here]:

Trivial Fact 10: RIFFs are used in music files (doh!). No, it’s not that kind of Jim Hendrix rif, as “RIFF” is defined as a Resource Interchange File Format bitstream, and is used in WAV files [here]:

Conclusions

So, after you have opened all your presents on Christmas Day, and bored with the Boxing Day film, here’s a little test for you:

Cybersecurity
Comments

All Comments

Recommended for you

  • BTC Surpasses $70,000

    Market data shows that BTC has broken through $70,000, currently trading at $70,011.9. The 24-hour decline has narrowed to 1.11%. The market is experiencing significant volatility, so please implement risk control measures.

  • BTC Drops Below $69,500

    Market data shows that BTC has fallen below $69,500, currently trading at $69,492.81. It has experienced a 2.2% decline in the past 24 hours. The market is experiencing significant volatility, so please implement risk control measures.

  • CLARITY Act Draft: Ban on Stablecoin Yields for Holding Only

    On March 24, according to CoinDesk, cryptocurrency industry practitioners on Monday saw the latest provisions regarding stablecoin yields in the revised version of the Senate's "Digital Asset Market Clarity Act" for the first time during a closed-door review meeting on Capitol Hill in Washington. The initial impression was that the relevant language was too narrow and lacked clarity. This new provision was released last Friday by Senators Angela Alsobrooks and Thom Tillis. According to a person familiar with the current draft, the new provision will prohibit earning yields solely from holding stablecoins, while restricting any practices that equate such programs with bank deposits, and imposing further limitations on other potentially permissible activities. The specific mechanism for determining activity-based stablecoin rewards remains unclear. This compromise stems from the lobbying battle between the crypto and banking industries. The banking industry insists that stablecoin rewards should not resemble interest-bearing bank deposits, arguing that such competing products could harm the banking sector and stifle lending. The final compromise allows for reward programs based on user stablecoin activities but prohibits balance-based rewards. This closed-door review aims to push the Senate Banking Committee to schedule a hearing, a significant step for the bill towards a full Senate vote. Similar versions of the "Clarity Act" have passed the House of Representatives in previous years, and another version has also passed the Senate Agriculture Committee's markup process. The bill's progress still faces other obstacles: all parties still need to reach an agreement on the DeFi regulatory framework, and Democrats are simultaneously insisting on including provisions that prohibit senior government officials from seeking personal gain from the cryptocurrency industry, a clause clearly targeting President Trump. (Dongxin News Agency)

  • Iran's IRGC: All Vessels Must Coordinate Passage Through Strait

    According to Al Jazeera: The Iranian Revolutionary Guard Corps (IRGC) Navy stated that the container ship 'Celine' was forced to leave the area because it did not possess a permit to pass through the Strait of Hormuz. The IRGC Navy further stated that any vessel transiting the Strait of Hormuz must coordinate fully with Iranian maritime authorities. (Jins10)

  • Circle Shares Plunge Over 16%, Hitting Largest Single-Day Drop Since June 2025

    Circle (CRCL) shares fell by more than 16% intraday, marking the largest single-day decline since June 2025. The stock is currently trading at $106.1.

  • BTC Drops Below $70,000

    Market data shows that BTC has fallen below $70,000, currently trading at $69,995.57. The cryptocurrency has seen a 1.86% decrease in the last 24 hours, indicating significant price volatility. Investors are advised to manage their risk accordingly.

  • Nasdaq Extends Losses to 1%

    The Nasdaq extended its losses to 1%.

  • Iran Denies Peace Talks Rumors; US Stocks Open Lower

    March 24th news: US stocks opened lower, with the Dow Jones Industrial Average down 0.24%, the S&P 500 index down 0.62%, and the Nasdaq Composite down 0.63%. Li Auto (LI.O) rose 2.8% after announcing a $1 billion share buyback plan. Amazon (AMZN.O) fell 1% following a "service disruption" at its Amazon Web Services (AWS) region in Bahrain. (Jinshi)

  • Tether Hires Big Four Firm for First Full Audit

    On March 24, Tether announced it has engaged one of the Big Four accounting firms to complete its first full audit.

  • BlackRock Transfers 7,552 ETH to Coinbase Prime Address

    According to data monitored by Arkham, approximately one hour ago, BlackRock transferred a total of about 7,552 ETH to a Coinbase Prime address through its Ethereum exchange-traded fund, ETHA. The value of this transfer is approximately $16.31 million. Further transfer operations may follow.

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company