November 18, 2011 in Forensic Riddles

I have always been interested in riddles and puzzles, and I have a lot of respect for the people who create them. So, when I was thinking of starting this blog, I always had in mind a section dedicated to riddles. The idea is of course not new. I borrowed this particular format from Richard Wiseman, one of my favorite authors. He posts a puzzle every Friday and provides the answer on Monday.

So, standing on the shoulders of giants, I will be posting a new riddle every Friday as well. The topics will be forensics, malware analysis, and any sort of binary-data related fun facts. The goal is to post something short, simple, and relatively easy to crack, yet a bit quirky or with a twist, so that you can have fun and hopefully learn something new. Of course, if you have been in the industry long enough, you will crack it in no time.

I will start with something I came up with two years ago while working for my previous employer. I modified it to avoid potential copyright issues, but the fundamental principle stays the same. In hindsight, it is not that difficult, yet I think the guys who faced it found it challenging at the time, and their interesting approach to the problem (they generated a lot of ideas!) led me to post a few more riddles on our internal mailing list.

The Riddle:

  • command executed on the same system
  • command is “dir wimmount.sys”
  • 2 different windows, 2 different results
  • why?

Answer here

    1. I think I came up with the answer. It took me a few minutes to find the article I read about how this behavior would be possible.

    2. imagi says:

      2 minutes ;)

