SANS Digital Forensics and Incident Response Blog: Daily Archives: Apr 13, 2009

Why I Chose Not To Post My Interview With The Twitter Attacker

by Ira Victor

The blogosphere was atweet this weekend with news of a DarkWeb attack on Twitter users. As co-host of the Data Security Podcast, I believe I was the first to contact the man who claims to be the creator of the attack.

We thought better of using his voice on our podcast, though, when we realized he's only 17 years old. That makes him too young to consent legally to a globally-distributed interview. He may also be too immature to be a reliable source. The jury's out on that.

At this point, we've decided to sit on the tape, even though the young man's identity and his claims of responsibility for the Twitter hack have been widely

...


Application Metadata of Nested Documents

by John McCash

I was drawn to consider something by a question on a certification practical exam I recently took. The problem had been presented as "find the specified text in the supplied disk image". However, the text actually turned out to be viewable in a jpeg file which was nested inside a Word document. Once I'd found the text, the question was essentially answered, but then I started thinking about extraction options and the origins of that JPEG file.

I recalled a tool I'd recently discovered thanks to traffic on the GCFA mailing list, hachoir-subfile. The original email context was about using this tool to extract executable objects from PPS files, but it turns out that it works equally well to extract .jpg files. I had always assumed that when image files were incorporated into MS Office documents, they were somehow re-encoded,

...