SANS Digital Forensics and Incident Response Blog: Tag - unicode

Simple Anti-Forensic and Signature stamping techniques using Unicode

by Craig Wright

The availability of Unicode characters from scripts such as Persian, Cyrillic and Arabic provides both a simple means of fingerprinting intellectual property (signature stamping) and a very simple steganographic data-hiding technique.

The following is an extract from the Cyrillic Unicode character set [1].

Unicode  Character  Name

0410  А  CYRILLIC CAPITAL LETTER A

0430  а  CYRILLIC SMALL LETTER A

0412  В  CYRILLIC CAPITAL LETTER VE

0415  Е  CYRILLIC CAPITAL LETTER IE

0435  е  CYRILLIC SMALL LETTER IE

041C  М  CYRILLIC CAPITAL LETTER EM

041E  О  CYRILLIC CAPITAL LETTER O

043E  о  CYRILLIC SMALL LETTER O

0420  Р  CYRILLIC CAPITAL LETTER ER

0440  р  CYRILLIC SMALL LETTER ER

...
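The letters in the extract above are the ones an examiner has to worry about: each is a distinct code point that renders the same as a Latin letter, so a document can carry a stamp (or hidden bits) without any visible change, and a keyword search for the Latin spelling will miss it. The script below is an added example, not code from the post: it flags every look-alike from the extract with its decimal offset and Unicode name, reports words that mix Latin and Cyrillic letters (a general check that goes beyond the ten letters in the extract), and folds the look-alikes back to Latin so that keyword searching works again. The sample text is constructed.

```python
import re
import unicodedata

# Cyrillic look-alikes taken from the extract above, mapped to the Latin
# letter they resemble. The Latin column is an assumption of this example.
CYRILLIC_LOOKALIKES = {
    "\u0410": "A", "\u0430": "a",   # CYRILLIC CAPITAL/SMALL LETTER A
    "\u0412": "B",                  # CYRILLIC CAPITAL LETTER VE
    "\u0415": "E", "\u0435": "e",   # CYRILLIC CAPITAL/SMALL LETTER IE
    "\u041C": "M",                  # CYRILLIC CAPITAL LETTER EM
    "\u041E": "O", "\u043E": "o",   # CYRILLIC CAPITAL/SMALL LETTER O
    "\u0420": "P", "\u0440": "p",   # CYRILLIC CAPITAL/SMALL LETTER ER
}


def find_homoglyphs(text):
    """Return (offset, char, code point, latin look-alike, unicode name)
    for every Cyrillic look-alike present in text."""
    hits = []
    for offset, ch in enumerate(text):
        if ch in CYRILLIC_LOOKALIKES:
            hits.append((offset, ch, "U+%04X" % ord(ch),
                         CYRILLIC_LOOKALIKES[ch], unicodedata.name(ch)))
    return hits


def _script_of(ch):
    """Coarse script name derived from the character's Unicode name."""
    name = unicodedata.name(ch, "")
    if name.startswith("LATIN"):
        return "LATIN"
    if name.startswith("CYRILLIC"):
        return "CYRILLIC"
    return "OTHER"


def mixed_script_words(text):
    """Words that contain both Latin and Cyrillic letters. A word written
    entirely in one script (e.g. a Russian word) is not reported."""
    flagged = []
    for word in re.findall(r"\w+", text):
        scripts = {_script_of(ch) for ch in word if ch.isalpha()}
        if {"LATIN", "CYRILLIC"} <= scripts:
            flagged.append(word)
    return flagged


def fold_to_latin(text):
    """Replace each Cyrillic look-alike with its Latin twin so the text can
    be matched against an ordinary (ASCII) keyword list."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)


if __name__ == "__main__":
    # Constructed sample: 'Microsoft' with the second 'o' replaced by U+043E.
    sample = "Micr\u043esoft"
    for hit in find_homoglyphs(sample):
        print("offset %d: %s (%s) looks like %r - %s" % hit)
    print("mixed-script words:", mixed_script_words(sample))
    print("folded:", fold_to_latin(sample))
```

Run the folded text, not the raw text, through the keyword list; the offsets reported by find_homoglyphs are the positions to document if the substitutions turn out to be a deliberate stamp.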


Strings, Strings, Are Wonderful Things

One of the basics of forensics is gathering the ASCII and Unicode strings from the file system and searching them for keywords. On Linux we can gather both ASCII and Unicode strings with the strings command.

To Gather the ASCII Strings

# strings -td /dev/sdb > sdb.ascii

Note: The -td in the above line tells strings to print the offset in decimal for the line.

To Gather the Unicode Strings

# strings -td -el /dev/sdb > sdb.unicode

Note: The -el option tells strings to treat the input as 16-bit little-endian characters (the encoding Windows uses for its Unicode strings). Strings can handle other encodings as well, such as 32-bit big- and little-endian; see the -e option in the strings man page.

Below is a sample output from the command:

192301896     
192301972 This field is deprecated. Deprecated components of Microsoft
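To make clear what the two strings invocations above actually do to the bytes, here is a small pure-Python re-implementation, added as an example and not taken from the post or from GNU binutils: it scans a byte buffer for runs of printable characters, once byte-by-byte (like the ASCII pass) and once as 16-bit little-endian characters (like -el), and reports each run with its decimal offset in the same "offset string" layout as the -td output above. The buffer and the minimum length of 4 are constructed for the example; the printable set is assumed to be 0x20 to 0x7E plus tab.

```python
# Printable bytes for this example: space through '~', plus tab.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}


def extract_strings(data, min_len=4, encoding="ascii"):
    """Return a list of (decimal_offset, text) for every run of at least
    min_len printable characters in data. encoding is "ascii" (one byte per
    character) or "utf-16le" (printable byte followed by a zero byte)."""
    if encoding not in ("ascii", "utf-16le"):
        raise ValueError("unsupported encoding: %s" % encoding)
    results = []
    i, n = 0, len(data)
    while i < n:
        start = i
        chars = []
        while i < n:
            if encoding == "ascii":
                if data[i] in PRINTABLE:
                    chars.append(chr(data[i]))
                    i += 1
                    continue
            else:
                # UTF-16LE: low byte printable, high byte zero. Scanning at
                # every byte offset means alignment does not matter.
                if i + 1 < n and data[i] in PRINTABLE and data[i + 1] == 0:
                    chars.append(chr(data[i]))
                    i += 2
                    continue
            break
        if len(chars) >= min_len:
            results.append((start, "".join(chars)))
        if i == start:
            i += 1          # no run here; move on one byte
    return results


def render(results):
    """Format results like 'strings -td': 7-wide decimal offset, then text."""
    return ["%7d %s" % (offset, text) for offset, text in results]


# Constructed sample buffer: junk, an ASCII string, a gap, a UTF-16LE string.
SAMPLE = (b"\x00\xff\x10"
          + b"This field is deprecated."
          + b"\x00\x00"
          + "Deprecated components".encode("utf-16-le")
          + b"\x00\x00\x7f")

if __name__ == "__main__":
    print("\n".join(render(extract_strings(SAMPLE, encoding="ascii"))))
    print("\n".join(render(extract_strings(SAMPLE, encoding="utf-16le"))))
```

Two things the example makes visible: the ASCII pass never sees the UTF-16LE text, because every other byte is a zero, and the UTF-16LE pass never sees the ASCII text, because no zero bytes follow its characters. That is why both passes are needed before a keyword search can be trusted.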
