
📜 User Files

📘 Manual

Data about a file is stored in several locations: system metadata (generated by the file system or the document management facilities of the OS), substantive metadata (information that records modifications to a document), embedded metadata (information embedded by the application that creates or edits the file), and external metadata (kept separately from the document, for example in a database).

🎞 Media Files

Windows

Recent documents

Key 🔑: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Contains the list of all recent documents as a whole and also the same data sorted by extension. MRUListEx is the ordering list: a sequence of 4-byte values, each holding the sequence number of a document. It starts with the document that was accessed some time ago (first in the list) and ends with the most recently used one. This key also has a list of recently accessed folders.

🍺 IPA

I wish this article were about hazy IPA, but it's far from that fascinating. I will dissect the IPA file format, Apple's proprietary format for application packaging. This article will also provide useful tips on patching and repackaging it.

CAR

CAR is a proprietary file format used by Apple. It is a compiled asset catalogue created by Apple Xcode to store assets, such as icons, images, and textures, for iOS, tvOS, watchOS, and macOS applications.

plist

plist files are Apple's proprietary configuration file format. They serve a similar purpose to the registry on Windows, but the files are scattered across the file system instead.

JPEG

This is about … .

Office Documents

File Structure

Macros

A letter m at the end of the extension (e.g. .docm) means that the document has macros inside. The converse does not always hold: a document that contains macros does not always carry a different extension.

oleid <docname> # summary of indicators: file type, encryption, VBA macros, embedded objects
oleobj <docname> # extract embedded OLE objects

oledump.py -s 3 --vbadecompresscorrupt report.docm # dump stream 3 and decompress the VBA source even if the stream is corrupt

olevba <docname> # extract and analyse the macro source from the doc

Templates

Another way to get naughty for an office doc is to use remote templates. You can see many legit templates in the Word GUI when you open the program (without opening any file). Open the _rels folder and the settings.xml.rels file inside it, and check the Relationship tag and its Target attribute. Check out the link to decide whether this is malware.
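The relationship check described above, automated as an added example (not code from the original page): open the .docx/.docm as a zip, read word/_rels/settings.xml.rels and report attachedTemplate relationships whose TargetMode is External. The sample package, its helper build_sample_docx and the template URL are constructed here for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

RELS_PATH = "word/_rels/settings.xml.rels"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def external_templates(docx_bytes: bytes) -> list:
    """Return Target values of attachedTemplate relationships marked External.

    A template that lives on disk (no TargetMode, or TargetMode="Internal")
    is not reported; a remote one (http/https/UNC target) is what we flag.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return []  # no settings relationships part: nothing to inspect
        root = ET.fromstring(zf.read(RELS_PATH))
    hits = []
    for rel in root.iter(PKG_NS + "Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            hits.append(rel.get("Target", ""))
    return hits


def build_sample_docx(template_target: Optional[str], external: bool = True) -> bytes:
    """Constructed minimal OOXML package carrying only the parts this check reads."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}"{mode}/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr(RELS_PATH, "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a TEST-NET address stands in for a remote template host.
    suspicious = build_sample_docx("http://203.0.113.7/template.dotm")
    print(external_templates(suspicious))  # ['http://203.0.113.7/template.dotm']
```

Run it against a real document by passing the file's bytes to external_templates; a locally attached template (e.g. Normal.dotm without TargetMode) yields an empty list.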

PDFs

File Structure

Malicious PDFs



PNG

Structure

Malicious PNG

It's possible to craft polyglot files that are valid PNG and PHP simultaneously.


Temp Files

This is about … .