Author Archives: Daniel Pistelli

Profiler 2.9

Profiler 2.9.1 is out with the following news (entries with the plus sign apply only to the advanced edition): + added parsing of Windows heap + added file detection in memory regions and heap + added file detection in memory … Continue reading

Posted in Profiler, Profiler Advanced | Tagged | Comments Off on Profiler 2.9

Heap & File Carving

Along with the newly released 2.9 version of Profiler Advanced, we have improved support for memory images. Before going into the main topics of this post, it is worth mentioning that loading and scanning times have been drastically improved for … Continue reading

Posted in Forensics, Memory, Profiler Advanced | Tagged , | Comments Off on Heap & File Carving

Microsoft Office DDE Detection

In this article we’re not going to discuss how DDE works, there are plenty of excellent resources about this topic already (also here and here). Instead we’re going to see how to inspect DDE field codes in Profiler. In fact, … Continue reading

Posted in CFBF, Profiler, Security | Tagged , , , | 2 Comments

Profiler 2.8 – Windows Memory Forensics

Windows memory forensics on OSX. Profiler 2.8 is out with the following news: + added support for Windows raw memory images – added unhandled exception debug tools on Windows – added unhandled exception notification for Python – exposed tree control … Continue reading

Posted in Uncategorized | Tagged | 2 Comments

Windows Memory Forensics: Close to Release

We’re extremely proud to announce that the upcoming 2.8 version of Profiler Advanced comes with full-fledged support for raw Windows memory images! As few of our users might remember a two years old demo about this topic. Thanks to the … Continue reading

Posted in Forensics, Memory, Profiler Advanced | Tagged , | Comments Off on Windows Memory Forensics: Close to Release

Profiler 2.7

Profiler 2.7 is out with the following news: + added experimental support for Windows raw memory images + added support for EML files + added TOR-based URL download action – added JBIG2 decoder for PDFs – improved PDF parsing against … Continue reading

Posted in Uncategorized | Tagged | Comments Off on Profiler 2.7

URL Download Action (Tor)

In the upcoming version of Profiler Advanced we have introduced a new useful action, namely the URL Download action. Many times in previous posts we have analyzed some malware which at the end of its shellcode ended up downloading a … Continue reading

Posted in Action, Profiler Advanced, Security | Tagged , , | Comments Off on URL Download Action (Tor)

EML support

The upcoming 2.7 version of Profiler Advanced introduces support for the EML file format. Support for EML files had until now only been present as experimental hook to extract attachments. We have now introduced full-fledged EML support and have removed … Continue reading

Posted in Format, Profiler Advanced | Tagged , | Comments Off on EML support

Profiler Advanced

With the upcoming 2.7 version of Profiler, we will start releasing an Advanced edition alongside the Standard one. All our users who have bought a license until this point in time will automatically have their license work with the Advanced … Continue reading

Posted in Profiler Advanced | Tagged | Comments Off on Profiler Advanced

JBIG2 Encoded Malware in PDFs

The upcoming version of Profiler 2.7 adds support for JBIG2 encoding inside PDFs. Although JBIG2 isn’t intended to encode data other than images, it can be used to do so. Quoting the PDF documentation: The JBIG2Decode filter (PDF 1.4) decodes … Continue reading

Posted in PDF, Profiler | Tagged | 2 Comments