SANS Digital Forensics and Incident Response Blog: Daily Archives: Feb 25, 2009

Perl scripts for parsing PDFs, MACs, IPs, URLs, etc.

By Michael Cloppert

I hoped to be writing to you about how I found a great chi-square technique to identify trojaned PDFs (we've certainly seen our share - 8.1, 8.1.1, and now 8.3/9.0...). Sadly, it's not so. I couldn't even get as far as rejecting my null hypothesis since component bytes, as random variables, are - no surprise - not