Wednesday, April 11, 2012

HELLO - Almost missed it.

Computer forensic tools are rapidly improving and make forensic examinations easier for the masses. Only a qualified forensic practitioner, however, can reliably produce consistently good results.
For example, at present no computer forensic tool can properly detect, search and index text stored as Unicode escape sequences. I have recently been working with an image containing some iPad sqlite3 backup files and found an extremely important piece of evidence almost by accident. Well, not exactly by accident, just by being thorough really.
\u0048 \u0045 \u004c \u004c \u004f means HELLO when you convert it from Unicode-escape, which Apple tends to use quite extensively for recording non-Latin characters. Python comes to the rescue (once again) with its built-in sqlite3 library to pull the data and .decode('unicode_escape').

A quick script solved the problem, so I get some free time to finally watch "George Harrison: Living in the Material World" this weekend which has been on my to-do list for a couple of months now.

And to make it clear, the important piece of evidence I found wasn't the word "HELLO".
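A sketch of the kind of script described above, added here as an example and not the author's original code: it walks every table and column of a SQLite database, decodes literal \uXXXX sequences and searches the decoded text for a keyword. It is written for Python 3 and uses a regular expression instead of .decode('unicode_escape') so that non-ASCII text already present in a cell is not mangled; the function names and the sample database are constructed for illustration.

```python
import re
import sqlite3

ESC = re.compile(r"\\u([0-9a-fA-F]{4})")

def decode_escapes(text):
    """Turn literal \\uXXXX sequences into characters; leave other text untouched."""
    out = ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    # Re-join UTF-16 surrogate pairs (e.g. emoji written as two \\u escapes).
    return out.encode("utf-16", "surrogatepass").decode("utf-16", "replace")

def search_db(conn, keyword):
    """Return (table, column, rowid, decoded) for escaped cells containing keyword."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            query = f'SELECT rowid, "{col}" FROM "{table}"'
            for rowid, value in conn.execute(query):
                if isinstance(value, bytes):
                    value = value.decode("utf-8", "replace")
                # Only cells that actually contain an escape are of interest.
                if not isinstance(value, str) or not ESC.search(value):
                    continue
                decoded = decode_escapes(value)
                if keyword.casefold() in decoded.casefold():
                    hits.append((table, col, rowid, decoded))
    return hits

def build_sample():
    """Constructed in-memory database standing in for a backup file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO notes (body) VALUES (?)", [
        ("plain ASCII text",),
        (r"\u0048\u0045\u004c\u004c\u004f",),
        (r"\u043f\u0440\u0438\u0432\u0435\u0442 \ud83d\ude00",),
    ])
    return conn

if __name__ == "__main__":
    for hit in search_db(build_sample(), "hello"):
        print(hit)
```

On real evidence, open a working copy of the database read-only, for example sqlite3.connect("file:copy.db?mode=ro", uri=True), rather than the original file.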


