Forensic Riddle #3

Another Friday, another riddle.

The Riddle:

  • A malicious Portable Executable (PE) file is executed by another process immediately after all *.pf files have been removed from the %SystemRoot%\Prefetch folder. Prefetching is on, yet no Prefetch file associated with the malicious file can be found. Why?


Answer here
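Before reasoning about why a Prefetch file is missing, it is worth confirming the two premises of the riddle on the actual box: that the Prefetcher really is enabled, and that no .pf for the binary exists. The PowerShell below is an added triage helper written for this page, not part of the original riddle or its answer; the executable name `evil.exe` is a placeholder, and the function name `Test-PrefetchArtifact` is my own.

```powershell
# Added example (not from the original post). Checks the Prefetcher setting and
# looks for a Prefetch file belonging to a given executable name.
function Test-PrefetchArtifact {
    param(
        [string]$ExeName = 'evil.exe'   # placeholder: binary under investigation
    )

    # EnablePrefetcher: 0 = disabled, 1 = application launch prefetching,
    # 2 = boot prefetching, 3 = both (the usual default on client Windows).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
    $enable = (Get-ItemProperty -Path $key -Name EnablePrefetcher -ErrorAction SilentlyContinue).EnablePrefetcher
    switch ($enable) {
        0       { $state = 'disabled' }
        1       { $state = 'application launch only' }
        2       { $state = 'boot only' }
        3       { $state = 'boot and application launch' }
        default { $state = 'unknown (value not readable)' }
    }

    # Prefetch files are named <EXENAME>-<HASH>.pf with the name upper-cased,
    # so match on the name prefix rather than guessing the hash.
    $prefetchDir = Join-Path $env:SystemRoot 'Prefetch'
    $pattern = $ExeName.ToUpper() + '-*.pf'
    $pf = Get-ChildItem -Path $prefetchDir -Filter $pattern -ErrorAction SilentlyContinue

    # On a box where every .pf was just wiped, the sparse directory and the
    # fresh creation timestamps are evidence in themselves, so show the newest few.
    $recent = Get-ChildItem -Path $prefetchDir -Filter '*.pf' -ErrorAction SilentlyContinue |
        Sort-Object CreationTime -Descending |
        Select-Object -First 10 Name, CreationTime, LastWriteTime

    [pscustomobject]@{
        EnablePrefetcher = $enable
        PrefetcherState  = $state
        PrefetchFileFor  = $ExeName
        PrefetchFound    = [bool]$pf
        PrefetchFiles    = $pf | Select-Object Name, CreationTime, LastWriteTime
        RecentPfFiles    = $recent
    }
}

Test-PrefetchArtifact -ExeName 'evil.exe' | Format-List
```

Run it from an elevated prompt: the Prefetch directory has restrictive permissions and a non-admin listing silently returns nothing, which would look exactly like the riddle's "no .pf file" and lead you to the wrong conclusion. A missing .pf only means something once `EnablePrefetcher` is confirmed to be 1 or 3 and the listing itself succeeded.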

Canyoucrackit?

Today I read on The Register about http://canyoucrackit.co.uk/. The puzzle looked interesting at first glance (x86 code!), so I tried to crack it. It wasn't too difficult, there is a twist though, so it was a little victory. I won't publish the solution, but I am sure many web sites will make it available soon anyway. Let's just say it starts with '15b4'.

The second stage (there are 3) is about virtual memory, and I am not sure if I have the time/skills/patience to play with it. But who knows… GCHQ jobs are waiting 😉