One of my projects was to develop a specialized tool, written in Python, for forensics experts in corporate environments. The finished tool takes user input on file features in order to specify its behavior and filter files of interest. For example, a malicious actor might rename a RAR-compressed executable ‘X.rar’ to ‘X.jpg’ and exfiltrate it; this tool helps forensics experts locate the renamed file. In another example, when an actor encrypts compressed files to bypass AV signature scans, this tool can help detect those files. The tool supports several filtering features, and users can easily tweak the configuration to find whatever they are suspicious of.
The biggest part of this project is that we built our own signature library to recognize file types. This differs from most existing tools (WinHex, Scalpel, the UNIX file command), which do rigid, static header and footer searching. My project provides an open architecture for adding more signature-searching methods. On the backend, we implement modules that provide the searching behavior; on the frontend, signatures in the library are simply JSON objects whose tags call the corresponding methods. The objective behind the tool is that we want to know explicitly how each signature is matched and to make extending the signature set as easy as possible.
This is a diagram of the architecture of the tool:
Currently the signature library supports several signature-searching methods, including dynamic signatures. This is really useful when handling executables (PE or ELF) whose headers sit at file-specific offsets that must be computed from the file itself rather than looked up at a fixed position. As the needs of forensics experts grow, we will continue to develop more powerful features.
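To illustrate the static-versus-dynamic distinction and the renamed-RAR case described above, here is an added example, not the tool's own code: a miniature JSON signature library where each entry's tag selects a matcher, a static matcher for fixed-offset magic bytes, and a dynamic PE matcher that follows the e_lfanew pointer at offset 0x3c. The JSON layout, the sample byte strings and the field names are constructed for this example only.

```python
import json
import struct

# Constructed signature library for this example (not the tool's real format):
# "static" entries compare magic bytes at a fixed offset; the "pe_dynamic"
# entry follows the e_lfanew pointer at offset 0x3c to find the PE header.
SIGNATURES = json.loads("""[
 {"name": "rar",  "ext": ["rar"],         "match": "static",     "offset": 0, "hex": "526172211a0700"},
 {"name": "jpeg", "ext": ["jpg", "jpeg"], "match": "static",     "offset": 0, "hex": "ffd8ff"},
 {"name": "pe",   "ext": ["exe", "dll"],  "match": "pe_dynamic", "hex": "50450000"}
]""")

def match_static(data, sig):
    """Rigid header check: magic bytes must sit at the signature's offset."""
    magic = bytes.fromhex(sig["hex"])
    off = sig["offset"]
    return data[off:off + len(magic)] == magic

def match_pe_dynamic(data, sig):
    """Dynamic check: the PE signature lives at a file-specific offset read
    from the DOS header (little-endian u32 at 0x3c), not at a fixed place."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3c)
    magic = bytes.fromhex(sig["hex"])
    return data[e_lfanew:e_lfanew + len(magic)] == magic

# Tag in the JSON object -> matcher method; new methods are registered here only.
MATCHERS = {"static": match_static, "pe_dynamic": match_pe_dynamic}

def identify(data):
    """Names of every signature whose matcher accepts the bytes."""
    return [s["name"] for s in SIGNATURES if MATCHERS[s["match"]](data, s)]

def extension_mismatch(filename, data):
    """True when the content matches a signature whose extensions exclude the
    file's own extension, e.g. RAR bytes stored as X.jpg."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    found = identify(data)
    return bool(found) and not any(ext in s["ext"] for s in SIGNATURES if s["name"] in found)

# Constructed samples: a RAR archive renamed to .jpg, and a minimal PE stub
# whose e_lfanew points to "PE\0\0" at offset 0x80.
SAMPLE_RAR_AS_JPG = ("X.jpg", b"Rar!\x1a\x07\x00" + b"\0" * 16)
SAMPLE_DLL = ("X.dll", b"MZ" + b"\0" * 0x3a + struct.pack("<I", 0x80) + b"\0" * 0x40 + b"PE\0\0")

if __name__ == "__main__":
    for name, blob in (SAMPLE_RAR_AS_JPG, SAMPLE_DLL):
        print(name, identify(blob), "mismatch" if extension_mismatch(name, blob) else "ok")
```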
Here is a signature snippet for the DLL file type:
ASSET Senior Manager Mohit Kalra, ASSET Security Researcher Karthik Raman and I have been cooperating with experts from other Adobe teams and justifying a few concepts behind the project. After the tool passed several phases of testing, I showcased the tool to other interns and team members at the Adobe Intern Expo, and separately to various forensic experts at Adobe. The project was difficult, and I couldn’t have completed it without the help of my co-workers. This is one of the things I appreciated the most about my internship: teamwork that proved to be productive, solid, and congenial!
Through the internship, I’ve gained hands-on experience on industry-level projects. It has given me insight into project development cycles and let me use many coding skills that I never had the chance to use previously. Apart from the technical side, there are many aspects of life you can learn in such a big corporate environment, and I’ve enjoyed the process of adapting to it.