Wednesday, April 7, 2010

Embedded files

Lumension vendor visited the office. During their presentation, they mentioned whitelisting and blacklisting files to tackle data leakage. I inquired if the Lumension agent was able to detect blacklisted files (eg. executables, audio) embedded inside whitelisted files (Office documents). The vendor couldn't answer my question.
That piqued my curiosity. I embedded the same PDF file inside a Word doc twice by manually copying and pasting it into the doc as well as inserting it as an object. Firing up my trusty Hex editor, I was only able to find the magic bytes (ie. ASCII "%PDF" or hex values "25 50 44 46") for the PDF file that was embedded using the insert object method. I was not able to detect the embedded PDF file that was manually copied.

This is an interesting loophole from a hacker and forensics perspective.

No comments:

Post a Comment