From deb9921e499cc37e6d5572394399116c3ed1b805 Mon Sep 17 00:00:00 2001 From: Translator Date: Tue, 26 Aug 2025 20:12:01 +0000 Subject: [PATCH] Translated ['src/generic-methodologies-and-resources/basic-forensic-meth --- src/SUMMARY.md | 2 + .../basic-forensic-methodology/README.md | 109 +++++++++-- .../ios-backup-forensics.md | 124 +++++++++++++ .../README.md | 9 +- ...tructural-file-format-exploit-detection.md | 173 ++++++++++++++++++ 5 files changed, 401 insertions(+), 16 deletions(-) create mode 100644 src/generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.md create mode 100644 src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 781ca1ac5..1659bf643 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -41,6 +41,7 @@ - [Anti-Forensic Techniques](generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md) - [Docker Forensics](generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md) - [Image Acquisition & Mount](generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md) + - [Ios Backup Forensics](generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.md) - [Linux Forensics](generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md) - [Malware Analysis](generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md) - [Memory dump analysis](generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md) 
@@ -61,6 +62,7 @@ - [Office file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md) - [PDF File analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md) - [PNG tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md) + - [Structural File Format Exploit Detection](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md) - [Video and Audio file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md) - [ZIPs tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md) - [Windows Artifacts](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md) diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/README.md index cc7501f4c..b56ccab42 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/README.md @@ -1,8 +1,8 @@ -# Msingi wa Mbinu za Kisheria +# Mbinu za Forensiki za Msingi {{#include ../../banners/hacktricks-training.md}} -## Kuunda na Kuweka Picha +## Kuunda na Kupakia Image {{#ref}} 
@@ -11,23 +11,50 @@ ## Uchambuzi wa Malware -Hii **siyo hatua ya kwanza kufanya mara tu unapo kuwa na picha**. Lakini unaweza kutumia mbinu hizi za uchambuzi wa malware kwa uhuru ikiwa una faili, picha ya mfumo wa faili, picha ya kumbukumbu, pcap... hivyo ni vizuri **kumbuka hatua hizi**: +Hii **si lazima iwe hatua ya kwanza mara tu unapopata image**. Lakini unaweza kutumia malware analysis techniques hizi kivyake ikiwa una file, file-system image, memory image, pcap... hivyo ni vyema **kukumbuka hatua hizi**: {{#ref}} malware-analysis.md {{#endref}} -## Kukagua Picha +## Kukagua Image -ikiwa umepatiwa **picha ya kisheria** ya kifaa unaweza kuanza **kuchambua sehemu, mfumo wa faili** ulio tumika na **kuokoa** faili ambazo zinaweza kuwa **za kuvutia** (hata zile zilizofutwa). Jifunze jinsi katika: +ikiwa umetolewa **image ya forensiki** ya kifaa unaweza kuanza **kuchambua partitions, file-system** iliyotumika na **kurejesha** files zinazoweza kuwa **zeneza kuvutia** (hata zile zilizofutwa). Jifunze jinsi katika: + + +{{#ref}} +partitions-file-systems-carving/ +{{#endref}}# Mbinu za Forensiki za Msingi + + + +## Kuunda na Kupakia Image + + +{{#ref}} +../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md +{{#endref}} + +## Uchambuzi wa Malware + +Hii **si lazima iwe hatua ya kwanza mara tu unapopata image**. Lakini unaweza kutumia malware analysis techniques hizi kivyake ikiwa una file, file-system image, memory image, pcap... hivyo ni vyema **kukumbuka hatua hizi**: + + +{{#ref}} +malware-analysis.md +{{#endref}} + +## Kukagua Image + +ikiwa umetolewa **image ya forensiki** ya kifaa unaweza kuanza **kuchambua partitions, file-system** iliyotumika na **kurejesha** files zinazoweza kuwa **zeneza kuvutia** (hata zile zilizofutwa). 
Jifunze jinsi katika: {{#ref}} partitions-file-systems-carving/ {{#endref}} -Kulingana na OS zinazotumika na hata jukwaa, vitu tofauti vya kuvutia vinapaswa kutafutwa: +Kulingana na OS zilizotumika na hata platform tofauti artifacts zenye kuvutia zinapaswa kutafutwa: {{#ref}} 
@@ -44,40 +71,94 @@ linux-forensics.md docker-forensics.md {{#endref}} -## Ukaguzi wa kina wa aina maalum za faili na Programu -Ikiwa una **faili** ambayo ni **ya kushuku sana**, basi **kulingana na aina ya faili na programu** iliyoiunda, mbinu kadhaa **zinaweza kuwa na manufaa**.\ -Soma ukurasa ufuatao kujifunza mbinu za kuvutia: +{{#ref}} +ios-backup-forensics.md +{{#endref}} + +## Uchunguzi wa kina wa aina za faili maalum na Software + +Ikiwa una file yenye **shaka sana**, basi **kulingana na file-type na software** iliyoiunda tricks kadhaa zinaweza kuwa muhimu.\ +Soma ukurasa ufuatao kujifunza tricks zenye kuvutia: {{#ref}} specific-software-file-type-tricks/ {{#endref}} -Nataka kufanya kumbukumbu maalum kwa ukurasa: +Ninataka kutoa kumbukumbu maalum kwa ukurasa huu: {{#ref}} specific-software-file-type-tricks/browser-artifacts.md {{#endref}} -## Ukaguzi wa Dump ya Kumbukumbu +## Uchunguzi wa Memory Dump {{#ref}} memory-dump-analysis/ {{#endref}} -## Ukaguzi wa Pcap +## Uchunguzi wa Pcap {{#ref}} pcap-inspection/ {{#endref}} -## **Mbinu za Kupambana na Kisheria** +## **Mbinu za Anti-Forensic** -Kumbuka matumizi yanayowezekana ya mbinu za kupambana na kisheria: +Kumbuka matumizi ya uwezekano wa anti-forensic techniques: + + +{{#ref}} +anti-forensic-techniques.md +{{#endref}} + +## Uwindaji wa Vitisho + + +{{#ref}} +file-integrity-monitoring.md +{{#endref}} + + + +## Uchunguzi wa kina wa aina za faili maalum na Software + +Ikiwa una file yenye **shaka sana**, basi **kulingana na file-type na software** iliyoiunda tricks kadhaa zinaweza kuwa muhimu.\ +Soma ukurasa ufuatao kujifunza tricks zenye kuvutia: + + +{{#ref}} +specific-software-file-type-tricks/ +{{#endref}} + +Ninataka kutoa kumbukumbu maalum kwa ukurasa huu: + + +{{#ref}} +specific-software-file-type-tricks/browser-artifacts.md +{{#endref}} + +## Uchunguzi wa Memory Dump + + +{{#ref}} +memory-dump-analysis/ +{{#endref}} + +## Uchunguzi wa Pcap + + +{{#ref}} +pcap-inspection/ +{{#endref}} + +## **Mbinu za 
Anti-Forensic** + +Kumbuka matumizi ya uwezekano wa anti-forensic techniques: {{#ref}} diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.md new file mode 100644 index 000000000..bd125725d --- /dev/null +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.md 
@@ -0,0 +1,124 @@ +# Forensiki za Backup za iOS (Triage inayojikita kwenye Ujumbe) + +{{#include ../../banners/hacktricks-training.md}} + +Ukurasa huu unaelezea hatua za vitendo za kujenga upya na kuchambua backups za iOS kwa dalili za utoaji wa exploit wa 0‑click kupitia viambatisho vya apps za ujumbe. Inalenga kubadilisha muundo wa backup uliopo wa Apple ulioshughulikiwa kwa hashed kuwa njia zinazosomeka na binadamu, kisha kuorodhesha na kuchunguza viambatisho katika apps zinazotumika sana. + +Malengo: +- Jenga tena njia zinazosomeka kutoka Manifest.db +- Orodhesha databases za ujumbe (iMessage, WhatsApp, Signal, Telegram, Viber) +- Tatua njia za viambatisho, chunguza vitu vilivyowekwa ndani (PDF/Images/Fonts), na ziingize kwa structural detectors + + +## Kujenga upya backup ya iOS + +Backups zilizohifadhiwa chini ya MobileSync zinatumia majina ya faili yaliyohashishwa ambayo hayawezi kusomwa na binadamu. Manifest.db SQLite database inaunganisha kila kitu kilichohifadhiwa na njia yake ya kifikishi. + +Utaratibu wa juu: +1) Fungua Manifest.db na usome rekodi za faili (domain, relativePath, flags, fileID/hash) +2) Jenga upya muundo wa saraka wa awali kulingana na domain + relativePath +3) Nakili au tengeneza hardlink kwa kila kitu kilichohifadhiwa hadi njia yake iliyojengwa tena + +Mfano wa mtiririko wa kazi na zana inayotekeleza hii kutoka mwanzo hadi mwisho (ElegantBouncer): +```bash +# Rebuild the backup into a readable folder tree +$ elegant-bouncer --ios-extract /path/to/backup --output /tmp/reconstructed +[+] Reading Manifest.db ... +✓ iOS backup extraction completed successfully! +``` +Vidokezo: +- Shughulikia encrypted backups kwa kutoa backup password kwa extractor yako +- Hifadhi timestamps/ACLs za asili inapowezekana kwa thamani ya ushahidi + + +## Orodhesha viambatanisho vya app za ujumbe + +Baada ya ujenzi upya, orodhesha viambatanisho kwa apps maarufu. 
Muundo halisi (schema) unatofautiana kwa app/toleo, lakini mbinu ni sawa: fanya query kwenye database ya ujumbe, unganya jumbe na viambatanisho, na tatua paths kwenye diski. + +### iMessage (sms.db) +Jedwali muhimu: message, attachment, message_attachment_join (MAJ), chat, chat_message_join (CMJ) + +Mifano ya query: +```sql +-- List attachments with basic message linkage +SELECT +m.ROWID AS message_rowid, +a.ROWID AS attachment_rowid, +a.filename AS attachment_path, +m.handle_id, +m.date, +m.is_from_me +FROM message m +JOIN message_attachment_join maj ON maj.message_id = m.ROWID +JOIN attachment a ON a.ROWID = maj.attachment_id +ORDER BY m.date DESC; + +-- Include chat names via chat_message_join +SELECT +c.display_name, +a.filename AS attachment_path, +m.date +FROM chat c +JOIN chat_message_join cmj ON cmj.chat_id = c.ROWID +JOIN message m ON m.ROWID = cmj.message_id +JOIN message_attachment_join maj ON maj.message_id = m.ROWID +JOIN attachment a ON a.ROWID = maj.attachment_id +ORDER BY m.date DESC; +``` +Njia za attachment zinaweza kuwa absolute au relative kwa mti uliorejeshwa chini ya Library/SMS/Attachments/. + +### WhatsApp (ChatStorage.sqlite) +Unganisho la kawaida: message table ↔ media/attachment table (majina yanatofautiana kulingana na toleo). Query media rows ili kupata on-disk paths. + +Mfano (ya jumla): +```sql +SELECT +m.Z_PK AS message_pk, +mi.ZMEDIALOCALPATH AS media_path, +m.ZMESSAGEDATE AS message_date +FROM ZWAMESSAGE m +LEFT JOIN ZWAMEDIAITEM mi ON mi.ZMESSAGE = m.Z_PK +WHERE mi.ZMEDIALOCALPATH IS NOT NULL +ORDER BY m.ZMESSAGEDATE DESC; +``` +Badilisha majina ya jedwali/safu kulingana na toleo la app yako (ZWAMESSAGE/ZWAMEDIAITEM are common in iOS builds). 
+ +### Signal / Telegram / Viber +- Signal: DB ya ujumbe imefungwa; hata hivyo, viambatanisho vilivyohifadhiwa kwenye diski (na thumbnails) kawaida vinaweza kuchunguzwa +- Telegram: chunguza saraka za cache (photo/video/document caches) na ziunganishe na mazungumzo pale inapowezekana +- Viber: Viber.sqlite ina meza za ujumbe/viambatanisho zenye marejeleo kwenye diski + +Tip: hata pale metadata imefungwa, kuchunguza saraka za media/cache bado huibua vitu hatarishi. + + +## Kuchunguza viambatanisho kwa structural exploits + +Mara tu unapokuwa na njia za viambatanisho, ziingize kwenye structural detectors ambazo zinathibitisha file‑format invariants badala ya signatures. Mfano kwa ElegantBouncer: +```bash +# Recursively scan only messaging attachments under the reconstructed tree +$ elegant-bouncer --scan --messaging /tmp/reconstructed +[+] Found N messaging app attachments to scan +✗ THREAT in WhatsApp chat 'John Doe': suspicious_document.pdf → FORCEDENTRY (JBIG2) +✗ THREAT in iMessage: photo.webp → BLASTPASS (VP8L) +``` +Detections covered by structural rules include: +- PDF/JBIG2 FORCEDENTRY (CVE‑2021‑30860): hali za kamusi za JBIG2 zisizowezekana +- WebP/VP8L BLASTPASS (CVE‑2023‑4863): miundo ya meza za Huffman zilizopitiliza ukubwa +- TrueType TRIANGULATION (CVE‑2023‑41990): opcodes za bytecode zisizoandikwa +- DNG/TIFF CVE‑2025‑43300: migongano kati ya metadata na vipengele vya stream + + +## Uthibitisho, tahadhari, na matokeo ya uwongo + +- Ubadilishaji wa muda: iMessage huhifadhi tarehe katika Apple epochs/vitengo kwa baadhi ya matoleo; badilisha ipasavyo wakati wa kuripoti +- Schema drift: schema za SQLite za app hubadilika kwa muda; thibitisha majina ya jedwali/safina kwa kila build ya kifaa +- Uchimbaji wa rekursive: PDF zinaweza kujumuisha streams za JBIG2 na fonti; chimba na skani vitu vilivyomo +- Matokeo ya uongo: heuristics za muundo ni za tahadhari lakini zinaweza kuonyesha vyombo vya habari vilivyopangwa vibaya lakini visivyo hatari + + +## 
References + +- [ELEGANTBOUNCER: When You Can't Get the Samples but Still Need to Catch the Threat](https://www.msuiche.com/posts/elegantbouncer-when-you-cant-get-the-samples-but-still-need-to-catch-the-threat/) +- [ElegantBouncer project (GitHub)](https://github.com/msuiche/elegant-bouncer) + +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md index 3f2e2dadb..332711ad5 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md @@ -1,8 +1,8 @@ -# Hila Maalum za Programu/Aina ya Faili +# Mbinu Maalum za Programu/Aina za Faili {{#include ../../../banners/hacktricks-training.md}} -Hapa unaweza kupata hila za kuvutia za aina maalum za faili na/au programu: +Hapa unaweza kupata mbinu za kuvutia kwa aina maalum za faili na/au programu: {{#ref}} @@ -35,6 +35,11 @@ pdf-file-analysis.md {{#endref}} +{{#ref}} +structural-file-format-exploit-detection.md +{{#endref}} + + {{#ref}} png-tricks.md {{#endref}} diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md new file mode 100644 index 000000000..d9d9da5fa --- /dev/null +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md 
@@ -0,0 +1,173 @@ +# Ugunduzi wa Udhalilishaji wa Muundo wa Faili (0‑Click Chains) + +{{#include ../../../banners/hacktricks-training.md}} + +Ukurasa huu unatoa muhtasari wa mbinu za vitendo za kugundua faili za exploit za 0‑click za simu kwa kuthibitisha invarianti za kimuundo za miundo yao badala ya kutegemea byte signatures. Mbinu hii inatumika kwa sampuli tofauti, aina za polymorphic, na exploits za baadaye zinazotumia mantiki ile ile ya parser. + +Wazo kuu: kodeka jinsi inkomeshanavyoweza kutokea kimuundo na kukosa muafaka kwa sehemu mbalimbali ambazo zinaonekana tu wakati hali dhaifu ya decoder/parser inafikiwa. + +See also: + +{{#ref}} +pdf-file-analysis.md +{{#endref}} + + +## Kwanini muundo, si signatures + +Wakati samples zilizofanyiwa kuwa silaha hazipatikani na payload bytes zinabadilika, pattern za jadi za IOC/YARA zinashindwa. Ugunduzi unaotegemea muundo unachunguza muundo uliotangazwa wa kontena dhidi ya kile kinachowezekana kimaandalizi au kimantiki kwa utekelezaji wa format. + +Mikaguzi ya kawaida: +- Thibitisha ukubwa wa jedwali na mipaka inayotokana na spec na implementations zenye usalama +- Tandaza opcodes isiyo halali/isiyo dokumentiwa au mabadiliko ya state katika embedded bytecode +- Kagua metadata dhidi ya sehemu za kweli za stream zilizokodishwa +- Gundua mashamba yanayopingana yanayoashiria parser confusion au maandalizi ya integer overflow + +Hapo chini kuna mifumo halisi, iliyojaribiwa shambani kwa chains nyingi zenye athari kubwa. + +--- + +## PDF/JBIG2 – FORCEDENTRY (CVE‑2021‑30860) + +Target: JBIG2 symbol dictionaries embedded inside PDFs (often used in mobile MMS parsing). + +Structural signals: +- Hali ya kamusi yenye migongano ambayo haiwezi kutokea katika yaliyomo ya kawaida lakini inahitajika ili kusababisha overflow katika arithmetic decoding. +- Matumizi ya kushtukiza ya global segments pamoja na idadi isiyo ya kawaida ya symbols wakati wa refinement coding. 
+ +Pseudo‑logic: +```pseudo +# Detecting impossible dictionary state used by FORCEDENTRY +if input_symbols_count == 0 and (ex_syms > 0 and ex_syms < 4): +mark_malicious("JBIG2 impossible symbol dictionary state") +``` +Triage ya vitendo: +- Tambua na toa mitiririko ya JBIG2 kutoka PDF +- Tumia pdfid/pdf-parser/peepdf kupata na kutoa mitiririko +- Thibitisha bendera za arithmetic coding na vigezo vya kamusi ya alama dhidi ya JBIG2 spec + +Vidokezo: +- Inafanya kazi bila saini za payload zilizojengewa ndani +- False positives (FP) ni chache kwa vitendo kwa sababu hali iliyotajwa haiendani kihesabu + +--- + +## WebP/VP8L – BLASTPASS (CVE‑2023‑4863) + +Lengo: WebP lossless (VP8L) jedwali za Huffman prefix‑code. + +Sinyali za kimuundo: +- Jumla ya ukubwa wa jedwali za Huffman zilizojengwa inazidi kikomo salama cha juu kinachotarajiwa na implementations za rejea/ zilizorekebishwa, ikibainisha masharti ya awali ya overflow. + +Mantiki ya kuiga: +```pseudo +# Detect malformed Huffman table construction triggering overflow +let total_size = sum(table_sizes) +if total_size > 2954: # example bound: FIXED_TABLE_SIZE + MAX_TABLE_SIZE +mark_malicious("VP8L oversized Huffman tables") +``` +Practical triage: +- Angalia WebP container chunks: VP8X + VP8L +- Parsa VP8L prefix codes na hesabu ukubwa halisi wa jedwali lililotengwa + +Notes: +- Imara dhidi ya byte‑level polymorphism ya payload +- Bound imetokana na uchambuzi wa mipaka/patch za upstream + +--- + +## TrueType – TRIANGULATION (CVE‑2023‑41990) + +Target: TrueType bytecode ndani ya fpgm/prep/glyf programs. + +Structural signals: +- Uwepo wa opcodes zisizoandikwa/zinazoruhusiwa katika interpreter ya Apple zinazotumiwa na mfululizo wa exploit. 
+ +Pseudo‑logic: +```pseudo +# Flag undocumented TrueType opcodes leveraged by TRIANGULATION +switch opcode: +case 0x8F, 0x90: +mark_malicious("Undocumented TrueType bytecode") +default: +continue +``` +Triage ya vitendo: +- Dump font tables (mfano, kutumia fontTools/ttx) na skana programu za fpgm/prep/glyf +- Hakuna haja kuiga kabisa interpreter ili kupata thamani kutoka kwa presence checks + +Vidokezo: +- Inaweza kusababisha rare FPs ikiwa nonstandard fonts zina unknown opcodes; thibitisha kwa secondary tooling + +--- + +## DNG/TIFF – CVE‑2025‑43300 + +Lengo: metadata ya picha ya DNG/TIFF dhidi ya idadi halisi ya vipengele katika encoded stream (mfano, JPEG‑Lossless SOF3). + +Sinyali za kimuundo: +- Kutokuelewana kati ya EXIF/IFD fields (SamplesPerPixel, PhotometricInterpretation) na idadi ya vipengele iliyochanganuliwa kutoka kwenye header ya image stream inayotumika na pipeline. + +Mantiki ya mfano: +```pseudo +# Metadata claims 2 samples per pixel but stream header exposes only 1 component +if samples_per_pixel == 2 and sof3_components == 1: +mark_malicious("DNG/TIFF metadata vs. 
stream mismatch") +``` +Triage ya vitendo: +- Changanua tagu kuu za IFD na EXIF +- Gunda na changanua header iliyojengwa ndani JPEG‑Lossless (SOF3) na linganisha idadi za komponente + +Vidokezo: +- Imeripotiwa exploited in the wild; mgombea mzuri kwa ukaguzi wa uthabiti wa muundo + +--- + +## Mifumo ya utekelezaji na utendaji + +Skana ya vitendo inapaswa: +- Gundua aina ya faili kwa otomatiki na peleka wachambuzi husika pekee (PDF/JBIG2, WebP/VP8L, TTF, DNG/TIFF) +- Tumia stream/partial‑parse ili kupunguza ugawaji wa kumbukumbu na kuwezesha kusitisha mapema +- Endesha uchambuzi kwa sambamba (thread‑pool) kwa triage ya wingi + +Mfano wa mtiririko wa kazi na ElegantBouncer (utekelezaji wa chanzo wazi kwa Rust wa ukaguzi hivi): +```bash +# Scan a path recursively with structural detectors +$ elegant-bouncer --scan /path/to/directory + +# Optional TUI for parallel scanning and real‑time alerts +$ elegant-bouncer --tui --scan /path/to/samples +``` +--- + +## DFIR vidokezo na kesi za pembezoni + +- Vitu vilivyowekwa ndani: PDFs zinaweza kujumuisha picha (JBIG2) na fonti (TrueType); toa na skana kwa kurudia +- Usalama wa dekompressi: tumia maktaba zinazoweka kikomo thabiti kwa jedwali/mabafa kabla ya kugawa +- Matokeo ya uwongo chanya: weka sheria kwa tahadhari, pendelea migongano ambayo haiwezekani chini ya spec +- Mabadiliko ya toleo: fanya upya msingi wa mipaka (mf., VP8L table sizes) wakati parsers za upstream zinabadilisha vizingiti + +--- + +## Zana zinazohusiana + +- ElegantBouncer – skana ya kimuundo kwa utambuzi ulio hapo juu +- pdfid/pdf-parser/peepdf – uchimbaji wa vitu vya PDF na static analysis +- pdfcpu – PDF linter/sanitizer +- fontTools/ttx – toa nje jedwali za TrueType na bytecode +- exiftool – soma TIFF/DNG/EXIF metadata +- dwebp/webpmux – changanua WebP metadata na chunks + +--- + +## References + +- [ELEGANTBOUNCER: When You Can't Get the Samples but Still Need to Catch the 
Threat](https://www.msuiche.com/posts/elegantbouncer-when-you-cant-get-the-samples-but-still-need-to-catch-the-threat/) +- [ElegantBouncer project (GitHub)](https://github.com/msuiche/elegant-bouncer) +- [Researching FORCEDENTRY: Detecting the exploit with no samples](https://www.msuiche.com/posts/researching-forcedentry-detecting-the-exploit-with-no-samples/) +- [Researching BLASTPASS – Detecting the exploit inside a WebP file (Part 1)](https://www.msuiche.com/posts/researching-blastpass-detecting-the-exploit-inside-a-webp-file-part-1/) +- [Researching BLASTPASS – Analysing the Apple & Google WebP PoC file (Part 2)](https://www.msuiche.com/posts/researching-blastpass-analysing-the-apple-google-webp-poc-file-part-2/) +- [Researching TRIANGULATION – Detecting CVE‑2023‑41990 with single‑byte signatures](https://www.msuiche.com/posts/researching-triangulation-detecting-cve-2023-41990-with-single-byte-signatures/) +- [CVE‑2025‑43300: Critical vulnerability found in Apple’s DNG image processing](https://www.msuiche.com/posts/cve-2025-43300-critical-vulnerability-found-in-apples-dng-image-processing/) + +{{#include ../../../banners/hacktricks-training.md}}
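Review bot: the SUMMARY.md entry added in the `@@ -41,6 +41,7 @@` hunk is titled `Ios Backup Forensics`, while the neighbouring entries keep product names in their canonical casing (`Docker Forensics`, `Linux Forensics`) and the new page itself is headed `Forensiki za Backup za iOS`; the sidebar line should read `- [iOS Backup Forensics](generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.md)` so the title matches the page.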
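Review bot: the `@@ -11,23 +11,50 @@` hunk of basic-forensic-methodology/README.md appends a second copy of the page head right after the first `partitions-file-systems-carving/` reference: the added line `+{{#endref}}# Mbinu za Forensiki za Msingi` glues a level-1 heading onto the closing `{{#endref}}` tag, which breaks the ref macro and renders the heading as part of it, and it is followed by repeated `## Kuunda na Kupakia Image`, `## Uchambuzi wa Malware` and `## Kukagua Image` sections, the malware paragraph and a second carving ref. Everything from that glued heading through the second `Jifunze jinsi katika:` should be dropped. The duplicated image-acquisition ref also uses the roundabout path `../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md` rather than the sibling-relative form used by every other ref on the page. Separately, `zeneza kuvutia` in the translated carving paragraph is a typo for `zenye kuvutia`, the spelling used later in the same file.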
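Review bot: the same duplication appears in the `@@ -44,40 +71,94 @@` hunk of the same README.md: after the new `## Uwindaji wa Vitisho` section and its `file-integrity-monitoring.md` ref, the hunk re-adds `## Uchunguzi wa kina wa aina za faili maalum na Software`, the browser-artifacts mention, `## Uchunguzi wa Memory Dump`, `## Uchunguzi wa Pcap` and `## **Mbinu za Anti-Forensic**` with its intro sentence, all of which already appear earlier in this hunk. The second copies should be removed so the page ends with a single Anti-Forensic section and its ref; the diffstat (+109 lines for a page that only gained one `ios-backup-forensics.md` ref and one Threat Hunting section) is a quick way to confirm the translation run doubled the file. The new `ios-backup-forensics.md` ref placed after `docker-forensics.md` is correct and matches the new page.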
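Review bot: the new ios-backup-forensics.md switches language mid-text in several places: `Detections covered by structural rules include:` is left in English inside an otherwise Swahili section, and the sentence after the WhatsApp query changes language halfway through (`... kulingana na toleo la app yako (ZWAMESSAGE/ZWAMEDIAITEM are common in iOS builds)`). In the caveats list, `jedwali/safina` should be `jedwali/safu` (columns), as written earlier in the same file, and `matokeo ya uongo` conflicts with `matokeo ya uwongo` in the heading two lines above; likewise the intro uses `viambatisho` for attachments while the later sections use `viambatanisho`. Pick one spelling for each. Leaving the SQL queries and the CLI transcript untranslated is the right call; only the surrounding prose needs the pass.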
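Review bot: in the `@@ -35,6 +35,11 @@` hunk of specific-software-file-type-tricks/README.md the `structural-file-format-exploit-detection.md` ref is inserted between `pdf-file-analysis.md` and `png-tricks.md`, whereas the SUMMARY.md hunk places the same page after `PNG tricks`; the two lists should agree, and the SUMMARY placement is the one that keeps the alphabetical order the rest of that sidebar block follows (Office, PDF, PNG, Structural, Video, ZIPs).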
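Review bot: in the new structural-file-format-exploit-detection.md the sentence `Wazo kuu: kodeka jinsi inkomeshanavyoweza kutokea kimuundo na kukosa muafaka kwa sehemu mbalimbali ...` is garbled (`inkomeshanavyoweza` is not a word) and needs re-translating; judging from the `## Kwanini muundo, si signatures` section that follows, the intent is to encode what can and cannot occur structurally in the format, together with the field mismatches that only appear once the vulnerable decoder or parser state is reached. Other wording issues in the same file: `Gundua mashamba yanayopingana` renders "fields" as farmland (`mashamba`) where data fields (`sehemu`) are meant; `Gunda na changanua header` should be `Gundua`, as spelled elsewhere in the file; the title's `Udhalilishaji` (humiliation) does not convey "exploit", which the body consistently leaves untranslated as `exploit`; and the per-CVE subsections alternate between untranslated labels (`See also:`, `Target:`, `Structural signals:`, `Practical triage:`, `Notes:`) and translated ones (`Lengo:`, `Sinyali za kimuundo:`, `Triage ya vitendo:`, `Vidokezo:`), as does `Imeripotiwa exploited in the wild`. Use one form for the labels throughout; the pseudo-code blocks, CLI transcript and reference list are fine as they are.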