Thanks!

Over the last few days the Hexacorn blog has received quite a few good comments from various people who reached out to me personally, praised the content and suggested ways to improve the usability and accessibility of the site. This is very encouraging, and I would like to take this opportunity to thank you all for your compliments and constructive criticism.

I also want to include special thanks to Colin, who wrote a very nice review of Hexacorn on his forensic blog. In my opinion Colin writes in a way that is unique in terms of quality – he makes an effort to research, understand and document everything he comes across while on the case – and this makes for great tutoring material. Second big thanks goes to Ange – he created a fantastic repository of everything RCE and Portable Executable-related (if you are into reversing and have never visited his site, you are in for a real treat) – Ange provided really great feedback that made me re-think a few things and flip a few switches in the blog engine settings 🙂

Thanks!

Forensic Riddle #3 – Answer

The answer to riddle #3 may surprise you. First of all, it is not Base64-encoded – this is just to make life easier for people who are using portable devices to read this blog – now they can actually read the answer 🙂

Secondly, the actual answer. Prefetch file _is_ there. Or should I say, PrefetchADS is there.

It turns out that it is possible to hide the Prefetch data by fooling the OS into writing it as an Alternate Data Stream (ADS) of an existing file instead of as a regular .pf file. So, in this particular case the prefetch data is hidden inside an ADS attached to the Layout.ini file.

I chose Layout.ini for this demo, yet malware could use _any_ existing file inside the %SystemRoot%\Prefetch directory, e.g. any of the .pf files residing there.

The following screenshots demonstrate how it works:

  • Hiding the Prefetch data inside PrefetchADS

  • Viewing the content of the PrefetchADS with Notepad

The bottom line:

  • Next time you investigate the %SystemRoot%\Prefetch directory, make sure you enumerate the alternate data streams of every file there as well – tools that only collect and parse the .pf files will never see the hidden copy
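The check that the bottom line asks for, written out as an added example (this is not code from the original post and does not reproduce the trick that made Windows write the stream in the first place): it walks every file in a Prefetch directory, lists its named streams, and flags the ones whose first bytes carry a Prefetch header. The demo setup that plants a stream on a decoy Layout.ini is constructed here so the function can be exercised on a scratch folder; the header bytes are only a mimic of a Prefetch header, not a real Prefetch file. The function name Find-PrefetchAds, the helper Read-StreamBytes and the stream name PrefetchADS are assumptions of this example.

```powershell
# Added example, not part of the original post. Assumes an NTFS volume and
# either Windows PowerShell 5.1 or PowerShell 7+ (the byte-reading switch differs).

function Read-StreamBytes {
    param([string]$Path, [string]$Stream, [int]$Count)
    # 5.1 reads raw bytes with -Encoding Byte; 6+ replaced that with -AsByteStream
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount $Count
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount $Count
    }
}

function Find-PrefetchAds {
    param([string]$PrefetchDir = "$env:SystemRoot\Prefetch")
    Get-ChildItem -LiteralPath $PrefetchDir -File -Force |
        ForEach-Object {
            # Get-Item -Stream * returns one record per stream, including the
            # unnamed data stream ':$DATA'; the named ones are the ADS we care about
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $head  = [byte[]]@(Read-StreamBytes -Path $_.FileName -Stream $_.Stream -Count 8)
            $ascii = [System.Text.Encoding]::ASCII.GetString($head)
            # 'SCCA' at offset 4 is the classic (XP..8.1) Prefetch signature;
            # 'MAM' at offset 0 marks the compressed Windows 10+ container
            $looksPf = ($ascii.Length -ge 8 -and $ascii.Substring(4, 4) -eq 'SCCA') -or
                       $ascii.StartsWith('MAM')
            [pscustomobject]@{
                File           = $_.FileName
                Stream         = $_.Stream
                Length         = $_.Length
                PrefetchHeader = $looksPf
            }
        }
}

# --- Constructed demo data (labelled as such): a scratch folder, a decoy
# Layout.ini and a named stream whose first 8 bytes mimic a Win7 Prefetch
# header (version 0x17 followed by 'SCCA'), padded with zeros.
$demo = Join-Path $env:TEMP 'PrefetchAdsDemo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$ini = Join-Path $demo 'Layout.ini'
Set-Content -LiteralPath $ini -Value '[OptimalLayoutFile]'
$fakeHeader = [byte[]]( @(0x17, 0, 0, 0) +
                        [System.Text.Encoding]::ASCII.GetBytes('SCCA') +
                        (New-Object byte[] 56) )
if ($PSVersionTable.PSVersion.Major -ge 6) {
    Set-Content -LiteralPath $ini -Stream 'PrefetchADS' -Value $fakeHeader -AsByteStream
} else {
    Set-Content -LiteralPath $ini -Stream 'PrefetchADS' -Value $fakeHeader -Encoding Byte
}

# Run against the scratch folder: expect one row, Stream 'PrefetchADS', PrefetchHeader True
Find-PrefetchAds -PrefetchDir $demo | Format-Table -AutoSize

# Run for real against the live Prefetch directory (elevated prompt recommended):
# Find-PrefetchAds | Format-Table -AutoSize
```

The header check is deliberately loose: an attacker who controls the stream name can also strip or mangle the header, so a named stream on any file under %SystemRoot%\Prefetch is worth pulling regardless of what PrefetchHeader says. The same Get-Item -Stream * enumeration works on an offline image mounted read-only, as long as the mount preserves NTFS streams.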

Thanks for trying & next riddle on Friday!