SANS Digital Forensics and Incident Response Blog: Tag - Flash

How to Extract Flash Objects From Malicious MS Office Documents

Authors of malicious Microsoft Office documents can execute code on the victim's system using several techniques, including VBA macros and exploits. Another approach, which has been growing in popularity, involves embedding Flash programs in the Office document. These Flash programs can download or directly incorporate additional malicious code without the victim's knowledge. This note demonstrates several steps for extracting malicious Flash objects from Microsoft Office document files so you can analyze them. We take a brief look at using the strings, Pyew, hachoir-subfile, xxxswf.py and extract_swf.py tools for this purpose.


How to Extract Flash Objects from Malicious PDF Files

Authors of malicious PDF documents have often relied on JavaScript embedded in the PDF file to produce more reliable Adobe Reader exploits. Attackers now also embed Flash programs, which incorporate ActionScript, in a similar manner. This note demonstrates several steps for extracting malicious Flash from PDF files so you can analyze it for malware artifacts. We take a brief look at using pdf-parser, PDF Stream Dumper and SWFDump for this purpose.


Flash Cookie Forensics

Flash cookies have been a hot topic lately with the release of an excellent research paper titled Flash Cookies and Privacy. Flash cookies, or Local Shared Objects in Macromedia parlance, are a great example of a forensic artifact that has existed for a long time but was virtually ignored until someone decided to shine some light on it. Whenever I see new research about problematic privacy controls, I immediately get out my notepad, because I know that I am going to find some great artifacts that can help in my forensic investigations.

First some basics:

  • Macromedia Flash has become ubiquitous on the web, providing features such as streaming video and a "rich client" experience. Many of the most popular sites on

...


Code in a Flash

by Craig Wright

Recently I have been involved with the analysis of a number of rogue web sites linked to a fast flux network. Tracking websites is hard enough, but the process to analyse the Flash code and other scripts has been a headache in the past. There are a number of tools that can be used (mostly commercial, though there are some on the OWASP site that are open). The issue is that few of these help to filter the content of the code.

In small cases, this is not an issue. Decompiling Flash when there are only one or two files to verify is easy. The problem comes when you have several hundred (or more) sites with a variety of code samples - some good, some bad, and no easy way to determine which is which.

In the past this has been a process of decompiling all of the samples (where a hash cannot be used to show that the files are the same) and

...