You are browsing the archive for Forensic Riddles – Answers.

Forensic Riddle #12 – Answer

July 8, 2012 in Forensic Riddles - Answers

There are many answers to this one.

For starters, consider triplet A, W, UTF8 instead of usual A,W in:

  • DnsQueryExA
  • DnsQueryExUTF8
  • DnsQueryExW

or

  • DnsQuery_A
  • DnsQuery_UTF8
  • DnsQuery_W

Other examples include:

  • RunDll32ShimW for Unciode, but not ANSI version RunDll32ShimA
  • GetHashFromFile for ANSI and GetHashFromFileW for Unicode
  • triplet ShellExec_RunDLL and ShellExec_RunDLLA for ANSI and ShellExec_RunDLLW for Unicode

and many more…

Forensic Riddle #11 – Answer

May 2, 2012 in Forensic Riddles - Answers

The answer to the #11 is simple – it was an open-ended question really as it could be any executable file really that is dependent on configuration, config file, etc. I wanted to draw your attention to one type of executables specifically though – a type that I touched on in my recent post i.e. Installers. Their stub is always the same and based on their source code – the behavior depends on the installed application and user choices’. I told you it was easy ;)