Recovering data from Garmin Edge 500 GPS

April 24th, 2014

A friend of mine asked me whether I wanted to take a look at his Garmin Edge 500 GPS bike computer, since it was missing some of his tracks. After opening the flash drive of the device in FTK Imager I noticed that the Activities directory did not contain any of the track data (.fit files) for 2014. Since I could not find the data on the device as lost or deleted items or anything similar, I decided to try some file carving. The first thing I did was to create an image of the full flash drive (which also included the currently present .fit files) with FTK Imager; the resulting (uncompressed) image was just 56 MB. There does not seem to be a lot of storage in the unit.

To be able to carve you need to know some specific information about the file type the device uses, such as the header, footer and file size. If you are lucky this information is present in the config file of the carving tool you use (Scalpel in this case); however, .fit files are not in that config file.


Reverse Engineering Perl2Exe back to Perl

August 1st, 2012

In the August issue of Digital Forensics Magazine (DFM) you can find my article on reverse engineering Perl2Exe. The article describes a way to recover the source code of a Perl program from the executable created with the Perl2Exe program.

Reverse Engineering PERL2EXE Back to Perl

Perl2Exe is a program which converts Perl source code to standalone Windows executable files which hide the Perl code. When a forensic investigator encounters a Perl2Exe program (for example malware) it can take a lot of effort to analyse these files. This article describes a new and easy-to-follow approach to recover the full Perl source code from these Perl2Exe executable files, making the analysis of these files much easier.
Perl2Exe converts the source code of the Perl script by packing it inside a single executable together with a Perl interpreter. The Perl source code is included inside the executable in encrypted form and thus it cannot easily be recovered from the executable.
In the past there have been a couple of other projects to retrieve the Perl source code from Perl2Exe executable files (see boxout 1). However, none of these projects works with the current versions of Perl and Perl2Exe. In the past couple of years a number of Perl2Exe versions have been released (see boxout 2), and each new version seems to break the previously found solutions for recovering the Perl source code.


Crypto hardware Plug-over attack

June 25th, 2012

This article describes a vulnerability I found over two years ago in certain external USB and eSATA data carriers (hard drives, USB sticks) which use cryptography to help protect the data they carry. This vulnerability was found during the evaluation of multiple data carriers from different manufacturers and it seems to be quite common. Since this vulnerability doesn't seem to be device specific, this paper has been written to spread some knowledge and to warn the general public about it. All the manufacturers of the devices I tested that were vulnerable to this attack have been notified long ago. The vulnerability described in this paper has been named the 'plug-over attack'.


Getting rid of the Buma Stemra ransomware malware – Windows 7

March 9th, 2012

Word reached me that my approach to getting rid of the Buma Stemra ransomware malware did not work on Windows 7. I initially only tested the approach on Windows XP, but I have now taken the time to test it on Windows 7 as well. The video below shows that the approach worked fine on Windows 7 in my test environment. While the approach is mostly the same, there are some small differences.


Getting rid of the Buma Stemra ransomware malware

March 3rd, 2012

For a week or so a new Dutch version of some ransomware malware has been active in the Netherlands. This malware claims to be from Buma Stemra, but of course has nothing to do with the real Buma Stemra. The malware successfully takes over the system by replacing the start of explorer.exe with itself, so as soon as the system starts the malware is loaded instead of the normal Windows environment. The malware further disables editing the registry, accessing the task manager and getting access to the system in any way. When infected with the malware you cannot access your own system anymore; the only thing the system will do is show the screen below.


Repair a broken HP LaserJet printer by baking it

October 18th, 2011

After my HP printer died just after its warranty period I searched for a way to revive it. When I reported it to HP they wanted to charge €350 to repair the printer, which is around the same amount a new printer would cost; besides that, I would have had to ship the whole bulky printer to them. When searching the internet for an alternative you will find a lot of people with the same problem with this printer series, but not a lot of clear solutions.

This write-up describes a way to repair the HP LaserJet M1522 series printer. While the idea is not new, I wanted to create an easy-to-follow overview of repairing this printer instead of a mere "just bake the formatter board". I hope this write-up will be handy for some of the people out there with the same problem. While this write-up focuses on the HP LaserJet M1522 MFP printer, I would expect the same approach to work on other faulty hardware.


Samsung WB650 Video file Scalpel rule

October 8th, 2011

I recently ran into the issue that my new photo camera (Samsung WB650) somehow decided to erase all the data on my SD card. Since the SD card was filled with a lot of photos and video files, I decided to image the SD card and try to recover my files. The photo files were all JPEGs, so it was pretty easy to recover them using Scalpel. However, the video format this camera uses was not included in Scalpel, so those files weren't recovered. To be able to recover the video files as well I created a Scalpel rule for them myself.


Swiss Cyber Storm write-up 3: Social Challenge

October 6th, 2011

This long-delayed article is a write-up of the Swiss Cyber Storm Social Challenge, which took place on May 14, 2011. Because of a lack of time I simply did not finish this article earlier; however, since I really enjoyed the challenge I decided to release it anyway, even though it is a bit dated now.


Creating ACK-GET packets with scapy

June 6th, 2011

During the recent Defcon 19 CTF pre-qualifications, one of the challenges involved connecting 'quicker' to a web server. While figuring out the solution for this challenge, one of the things I tried was to send the HTTP GET request already during the TCP handshake stage. Sadly this had nothing to do with the real solution of this challenge: the real solution was to make use of SPDY to connect to the server, as is also explained by one of the other teams in a write-up here. However, it was a nice exercise to create packets with scapy again, and since I could not find a lot of information on the topic I decided to create this short write-up.


Swiss Cyber Storm write-up 2: CarGame Challenge 5

May 25th, 2011

This article is a write-up of the Swiss Cyber Storm CarGame Challenge 5 (March/April 2011). For more info on the Swiss Cyber Storm conference please check my post about the conference here.

I only joined the CarGame at level 4 (my write-up for level 4 can be found here), which meant I could no longer qualify to play the CarGame challenge during the conference. However, since the challenges seemed fun I did the last two CarGame challenges anyway. The number and title of this challenge were:

  • 7035 CarGame Challenge #5

I submitted my solution and it was accepted by the organisation; however, I do not know whether this was the solution the organisation expected or whether other participants found other solutions.
