Archive

Archive for the ‘Forensics’ Category

Meaningful MD5 Collisions: Creating executables

January 19th, 2015 No comments

More than two years ago I worked on meaningful MD5 collisions, especially creating executables files, but I never finished my write up about this until now (hurray for having a sabbatical ūüėČ ). The idea behind this project was to create multiple executables with the same MD5, but with different behavior. I ended up creating a Perl script which enables you to create a simple skeleton source code which you can use as a basis for your own code, after compilation you can use the same Perl script to create the multiple executables with different behavior. This project does not show a new way to create MD5 collisions, but makes it easy to exploit the weakness by creating executables with MD5 collisions.¬†I based my project on existing research such as HashClash, and used fastcoll¬†to create the collisions. For further information about MD5 collisions, I would like to refer to HashClash.

The MD5 collision executables can potentially be a security issue for MD5 whitelisting, which is still used by some security products. An attacker could potentially first send an executable which is considered safe and then its counterpart which is evil. Since the files will have the same MD5 hash value the first file will have the second file white-listed. The files could further have impact on products which use MD5 hash values to uniquely identify files, such as certain forensics software.

The whole project was inspired by my first MD5 collision experience while playing SmashTheStack IO and by forensic products using MD5 hash values as unique identifiers for files.

Read more…

Motorola Droid 4 – Broken screen and data recovery

December 11th, 2014 No comments

At the beginning of this year my Motorola Droid 4 phone started dying on me. I looked for help on the XDA Developers Forum where I kept track of the different steps I took. For archiving reasons I created this write up to have a single page containing all information that I found on the issue. Sadly enough I was not able to repair the phone, however I was able to recover my data by rooting the device. The original XDA Forum thread can be found here: http://forum.xda-developers.com/showthread.php?t=2552978

Read more…

Forensic hardware – Don’t just blindly trust it

September 2nd, 2014 No comments

I recently found two pictures which I took in the last 2 years, of the Logicube Forensic Dossier misbehaving. I decided to write this very short article to show these pictures. Since this seems to be a 6th(!) generation forensic solution I would not expect this behavior. The Logicube hardware is widely accepted as ‘forensically sound’, there seems to be some sort of blind trust in forensic hardware by forensic experts, while everything else is always disputed at great length.

Read more…

Recovering data from Garmin Edge 500 GPS

April 24th, 2014 4 comments

A friend of me asked me if I wanted to take a look at his Garmin Edge 500 GPS bike computer, since it was missing some of his tracks. After opening the flash drive of the device in FTK Imager I noticed that the Activities directory did not contain any of the track data (.fit files) for 2014. Since I could not find the data on the device as lost or deleted items or something I decided to try some file carving. The first thing I did was creating an image of the full flash drive (which also included the currently present .fit files) with FTK Imager, the resulting image (uncompressed) was just 56MB big. There does not seem to be a lot of storage in the unit.

To be able to carve you need to know some specific information from the file type the device uses, such as the header, footer and filesize. If you are lucky this information is present in the config file of the carving tool you use (Scalpel in this case), however .fit files are not in that config file.

Read more…

Reverse Engineering Perl2Exe back to Perl

August 1st, 2012 1 comment

In the August issue of the Digital Forensics Magazine (DFM) my article on reverse engineering Perl2Exe can be found. The article describes a way to recover the source code of the Perl program back from the executable created with Perl2Exe program.

Reverse Engineering PERL2EXE Back to Perl

Perl2Exe is a program which converts Perl source code to standalone Windows executable files which hide the Perl code. When a forensic investigator encounters a Perl2Exe program (for example malware) it can take a lot of effort to analyse these files. This article describes a new and easy to follow approach to recover the full Perl source code from these Perl2Exe executable files, making the analysis of these files much easier..
Perl2Exe converts the source code of the Perl script by packing it inside a single executable together with a Perl interpreter. The Perl source code is included inside the executable in encrypted form and thus it cannot easily be recovered from the executable.
In the past there have been a couple of other projects to retrieve the Perl source code from Perl2Exe executable files (see boxout 1). However, none of these projects work with the current versions of Perl and Perl2Exe. In the past couple of years there have been a number of Perl2Exe versions released (see boxout 2) and each new version seems to break the previously found solutions to recover the Perl source code.

Read more…

Samsung WB650 Video file Scalpel rule

October 8th, 2011 1 comment

I recently ran into the issue that my new photo-camera (Samsung WB650) somehow decided to erase all the data of my SD card. Since the SD card was filled with a lot of photos and video files I decided to image the SD card and to try to recover my files. The photo files all were JPEGs, so it was pretty easy to recover them by using Scalpel. However the Video format this camera uses was not included in Scalpel so they weren’t recovered. To be able to recover the video files as well I created a Scalpel rule for them myself.

Read more…