Today I released a post over at the SANS Digital Forensics Blog discussing how to find evidence that may have been base64-encoded and is therefore missed by traditional tools that categorize files by their magic numbers.
The technique is really simple, but I hadn't seen it discussed elsewhere, perhaps because it's so obvious.
Enjoy.
Update: Here's a text file containing the base64-encoded forms of the magic byte sequences for some common image types: http://trustedsignal.com/forensics/b64_enc_img_types.txt.
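The following is an added example, not code from this post or from the SANS article, showing how the technique works in practice: a magic number encodes to a fixed run of base64 characters, but which characters depends on the magic's position modulo 3 in the stream, so a search string is needed for each of the three alignments, and characters that share bits with the unknown neighbouring bytes have to be loosened to a character class. The magic byte values are the well-known ones; the sample message and the blobs embedded in it are constructed for the demonstration and are not valid images.

```python
"""Find base64-encoded image files by their encoded magic numbers.

Added example, not the original post's code. The magic byte values are the
well-known ones; the sample text and the blobs inside it are constructed
for this demonstration and are not real image files.
"""
import base64
import re

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Magic byte sequences for a few common image types (well-known values).
MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def b64_signature(magic: bytes, offset: int = 0) -> str:
    """Regex for `magic` as it appears in base64 when `offset` bytes precede it.

    Base64 encodes 3-byte groups as 4 characters, so the same bytes encode to
    different characters depending on their position mod 3 in the stream.
    Characters whose bits all come from the magic become literals; characters
    that share bits with unknown neighbouring bytes become character classes;
    characters with no magic bits at all are dropped.
    """
    start = 8 * (offset % 3)           # first bit of the magic in the stream
    end = start + 8 * len(magic)       # one past its last bit
    parts = []
    for i in range(-(-end // 6)):      # ceil(end / 6) characters
        mask = value = 0
        for j in range(6):             # bit j of character i, MSB first
            b = 6 * i + j
            if start <= b < end:
                k = b - start
                bit = (magic[k // 8] >> (7 - k % 8)) & 1
                mask |= 1 << (5 - j)
                value |= bit << (5 - j)
        if mask == 0:
            continue                   # made entirely of the preceding bytes
        if mask == 0x3F:
            parts.append(re.escape(B64_ALPHABET[value]))
        else:
            cands = [B64_ALPHABET[v] for v in range(64) if v & mask == value]
            parts.append("[" + "".join(re.escape(c) for c in cands) + "]")
    return "".join(parts)


def signature_hits(magic: bytes, preceding: bytes, following: bytes = b"") -> bool:
    """Self-check: does the signature for this alignment match a real encoding?"""
    enc = base64.b64encode(preceding + magic + following).decode()
    return re.search(b64_signature(magic, len(preceding)), enc) is not None


# One compiled pattern per (type, alignment); scan with all three alignments
# because a run of base64 may start anywhere relative to the embedded file.
SIGNATURES = [(name, off, re.compile(b64_signature(magic, off)))
              for name, magic in MAGIC.items() for off in range(3)]

# Runs of base64 text, allowing MIME-style line wrapping. Lines shorter than
# 16 characters are not joined, so words like "base64" in headers don't get
# glued onto the data and shift its alignment (a final short line is lost).
RUN_RE = re.compile(r"[A-Za-z0-9+/]{16,}(?:\r?\n[A-Za-z0-9+/]{16,})*={0,2}")


def find_encoded_images(text: str) -> list:
    """Return decoded images found in base64 runs, with where the magic sits."""
    hits = []
    for m in RUN_RE.finditer(text):
        clean = re.sub(r"[^A-Za-z0-9+/]", "", m.group())   # drop newlines and '='
        clean = clean[: len(clean) - len(clean) % 4]          # whole 4-char groups only
        for name, off, pat in SIGNATURES:
            if not pat.search(clean):
                continue
            raw = base64.b64decode(clean)
            idx = raw.find(MAGIC[name])    # decode and confirm: the regex is a filter
            if idx >= 0:
                hits.append({"type": name, "alignment": off, "run_start": m.start(),
                             "magic_offset": idx, "data": raw})
    return hits


# Constructed sample input: an HTML data: URI and a MIME body part. The blobs
# carry real magic numbers but are not valid images. The GIF sits behind a
# 56-byte header, so its signature lands at alignment 2 and straddles a line wrap.
PNG_BLOB = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 8
GIF_BLOB = b"\x00" * 56 + b"GIF89a" + b"\x10\x00\x10\x00" + b"\x00" * 6


def _wrap76(s: str) -> str:
    return "\n".join(s[i:i + 76] for i in range(0, len(s), 76))


SAMPLE = (
    "Subject: minutes\n\n"
    "Please see the attached notes and the embedded chart.\n"
    '<img src="data:image/png;base64,' + base64.b64encode(PNG_BLOB).decode() + '">\n'
    "Content-Transfer-Encoding: base64\n\n"
    + _wrap76(base64.b64encode(GIF_BLOB).decode()) + "\n"
)

if __name__ == "__main__":
    for name in MAGIC:
        print(name, [b64_signature(MAGIC[name], off) for off in range(3)])
    for h in find_encoded_images(SAMPLE):
        print(h["type"], "alignment", h["alignment"], "magic at byte",
              h["magic_offset"], "of", len(h["data"]), "decoded bytes")
```

Two things worth noting when using this on real evidence. First, a grep for the alignment-0 string alone (for example "/9j/" for JPEG) finds a file only when it starts the base64 stream; an image embedded behind a header in some container shifts to alignment 1 or 2 and encodes to entirely different characters, which is why all three signatures are generated. Second, MIME-wrapped base64 can split a signature across a line break, so the whitespace has to be stripped before matching, and a signature hit should always be confirmed by decoding the run and looking for the raw magic, since a loosened character class can also match unrelated data.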
Sunday, January 9, 2011