Description
Polyglot files are problematic because payloads can be hidden inside them while evading discovery by current forensic tools. Autopsy, one of the most widely used forensic tools in investigations, relies on known signatures of file types (e.g., headers, trailers) to identify and recover files. Polyglot files are a special case in which a file is intentionally combined with another file type so that it appears benign while still containing a malicious payload. Polyglots are possible because the combined bytes are considered valid in both formats. Polyglot files inherently evade signature-based forensic tools and malware scanners because those tools search for a single type of file without additional validation. The challenge of detecting malicious files is further exacerbated by polyglot files appearing benign in the file system. File systems are mainly concerned with managing file storage by checking file structures, not their content. The same holds in forensic investigations, where the payload embedded within the polyglot file is obfuscated. To address this, an algorithm is being evaluated that uses a data carving-based approach to perform block-level analysis of a raw disk image and detect polyglot files.
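To illustrate the gap the abstract describes, the following added example (not the poster's algorithm, and not Autopsy code) carves a constructed raw image by header/trailer signature the way a single-signature tool does, then re-inspects each carved region block by block and flags any region in which a second format's header also appears. The signature table and the sample image are constructed for the example.

```python
"""Added illustration: block-level re-scan of carved regions for a second
file-type signature, a simple polyglot indicator (constructed example)."""
from typing import Dict, List, Tuple

BLOCK_SIZE = 512

# Abbreviated, constructed header/trailer table for a few common formats.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "gif": (b"GIF89a", b"\x00\x3b"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),
}

def carve_regions(image: bytes) -> List[Tuple[str, int, int]]:
    """Single-signature carving: from each header found at a block boundary,
    extend the region to that same format's trailer (or to end of image)."""
    regions = []
    for off in range(0, len(image), BLOCK_SIZE):
        block = image[off:off + BLOCK_SIZE]
        for fmt, (header, trailer) in SIGNATURES.items():
            if block.startswith(header):
                end = image.find(trailer, off)
                end = len(image) if end < 0 else end + len(trailer)
                regions.append((fmt, off, end))
    return regions

def find_polyglots(image: bytes) -> List[Tuple[int, int, List[str]]]:
    """Re-inspect each carved region block by block and collect every format
    header inside it, not just the one that opened the region. A header that
    straddles a block boundary is not matched by this simple block scan."""
    flagged = []
    for fmt, start, end in carve_regions(image):
        seen = {fmt}
        for off in range(start, end, BLOCK_SIZE):
            block = image[off:min(off + BLOCK_SIZE, end)]
            seen.update(f for f, (hdr, _) in SIGNATURES.items() if hdr in block)
        if len(seen) > 1:  # more than one valid-looking format: polyglot candidate
            flagged.append((start, end, sorted(seen)))
    return flagged

def _pad(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % BLOCK_SIZE)

def build_sample_image() -> bytes:
    """Constructed raw image: a PNG-like file in block 0, followed by a file
    that opens with a GIF header but also carries a ZIP local header and EOCD."""
    png = SIGNATURES["png"][0] + b"\x00" * 40 + SIGNATURES["png"][1]
    gif_zip = (SIGNATURES["gif"][0] + b"\x00" * 600 + SIGNATURES["zip"][0]
               + b"A" * 20 + SIGNATURES["zip"][1] + SIGNATURES["gif"][1])
    return _pad(png) + _pad(gif_zip)
```

Running `find_polyglots(build_sample_image())` reports only the GIF-headed region, because the plain PNG carries no second signature.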
Publication Date
3-2025
Department
Information Systems & Technology
City
Mobile
Disciplines
Information Security | Other Computer Sciences
Recommended Citation
Stevens, Chase, "Polyglot File Detection for Forensics" (2025). Shelby Hall Graduate Research Forum Posters. 7.
https://jagworks.southalabama.edu/southalabama-shgrf-posters/7