Time to look over the edge of this cliff.
The paper I went to Monterey to present is this one:
"File Fragment Encoding Classification: An Empirical Approach"
It is several parts about how the digital forensics community
has failed to approach the fragment identification problem in
a reasonable manner, a few parts suggestions, and a study of
all things DEFLATE (.docx/.xlsx/.png/.zip etc). Presentation
should be a little easier to understand, though since the demo
was live it is not included.
I wrote a tool (by fuzzing and fixing an open-source png decoder)
to gather the statistics in the paper, and reworked it into a
classifier for the conference. It's purpose is to classify
compressed data in the way that we can classify data with clear
and easy file formats.
Its name is zsniff and it is on github. The tool works by
brute-force searching for tiny DEFLATE headers and Huffman code
tables in the input stream. It is not fast, but it works as
advertised and it's three-platform portable (as long as your mac
has a reasonable compiler.)
It identifies compressed text (xml-ish or plain or spreadsheets)
about 99% of the time so far. We can also separate compressed
executables from PNG about 81% of the time. I've noticed that
we can fairly definitively say "Not DEFLATE" for high entropy
data as well but that isn't baked into the tool.
Side note: I am @candicenonsense on github and in theory I am
going to have time to put more code up there. Really. Not
looking forward to impending svn->git migration for sdhash.
candice at 21:29 | link to post
I married an engineer. We tour bridges. (On this trip I drove both the Bay Bridge and the Golden Gate, both ways.) So when I saw this one, driving alone, I knew I had to get close to it. You can see it from several miles away at another overlook. The light was at just the right angle to make it glow.
What you can see from this same spot is lovely. I did a lot of standing on cliffs, with crazy wind hair carrying two cameras and a phone, just in case. The colors here are fujipro 400h, the black and white my dear friend tmax400.
candice at 16:24 | link to post
Fujipro/Canon AE-1. Pretty.
Tmax400/Nikon Nikkormat FT. Contrasty.
Droid Razr, of all things. It was so bright I could barely see the screen most of the afternoon, but I took pictures just in case all the film got ruined at the airport.
Tsunami Hazard Zone signs were on all of the beaches that I stopped at while driving Hwy 1. Handrails on stairs not so much.
candice at 21:11 | link to post
Carmel itself is not really my deal, but the beach is pretty, and has nice white sand. Nearby Monastery Beach is on the pretty-but-dangerous list.
This was the end of the big sur odyssey, so to speak, and the color camera had run out of film, so you get hand-developed tmax400, and me having to photoshop the devil out of the dust. ICE on the scanner, it is for color only.
candice at 7:33 | link to post
Monterey was, while I was there, cold, gray, and boat-y. We missed Pebble Beach by a week.
Just look at all the people in sweatshirts on this beach in the beginning of August.
Clay flew out with me and stayed in Monterey one night, too. Very helpful. I had forgotten how much flying alone sucked.
I got to drive Hwy 1 both to Big Sur and to Half Moon Bay, and if I ever decide what pictures are best you shall see them.
(film: fujipro400h. camera: Nikkormat FT)
candice at 22:51 | link to post