Wednesday, September 1, 2010

The Mystery of ROT (-29)

I know if you're reading my blog you've seen ROT13 and know it is used by Microsoft in the UserAssist Registry Key.

But now I've found Microsoft using ROT(-29) or Rotate Minus 29, which is considerably more devious than ROT13 for the forensic investigator.

Follow these steps to uncover ROT(-29):

1. First find a computer running Windows 7 or Vista.

2. Open Notepad and type: “ForensicZoneaaaaaaaaaabbbbbbbbbbcccccccccddddddddddForensicZone”.

3. Run Task Manager (taskmgr.exe).

4. Applications Tab > Select the Notepad Task > Right Click and "Create Dump File".

This action creates a "user-mode process dump file" at C:\Users\Your-UserName\AppData\Local\Temp\notepad.dmp

5. Open notepad.dmp using your favorite hex editor.
Scroll up from the bottom of the dump file approximately 6000 to 11000 bytes and you should see the following:

So if we decipher the information in the notepad.dmp file we see that

ASCII “F” (Dec 70) became ASCII “)” (Dec 41) – A Rotation of Minus 29
ASCII “o” (Dec 111) became ASCII “R” (Dec 82)
ASCII “r” (Hex 72) became ASCII “U” (Hex 55)
ASCII “e” - You get the picture

So “ForensicZone” becomes “ ) R U H Q V L F = R Q H”

Ok. So it is Rotation (-29) and a conversion to Unicode.

The Rotation -29 is more devious than ROT-13 because:

- Numbers and most of the Special Characters do not convert to a printable ASCII range.

- Capital letters are converted to numbers and special characters.

- The Unicode also makes it easy to overlook this information.
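As an added example (not code from the original post), here is the transform described above in Python: a ROT(-29) encoder and decoder, the UTF-16LE form it takes in notepad.dmp, and a small scanner that recovers such strings from a dump-like byte buffer. The sample buffer and the scanner's filtering rules are constructed for this example.

```python
import re

def rot_minus_29(text: str) -> str:
    """Subtract 29 from every code unit, as observed in notepad.dmp.
    Letters stay printable; digits drop below 0x20 and capitals land
    on digits and punctuation, which is why the text is easy to miss."""
    return "".join(chr(ord(c) - 29) for c in text)

def unrot_minus_29(text: str) -> str:
    """Reverse transform: add 29 back to every code unit."""
    return "".join(chr(ord(c) + 29) for c in text)

def to_dump_bytes(text: str) -> bytes:
    """The on-disk form seen in the dump: rotated text stored as UTF-16LE."""
    return rot_minus_29(text).encode("utf-16-le")

# A run of at least four UTF-16LE code units in the 7-bit range (low byte
# 0x01..0x7f, high byte 0x00). Rotated ASCII text looks like this in a dump.
_UTF16_RUN = re.compile(rb"(?:[\x01-\x7f]\x00){4,}")

def find_rot29_strings(buf: bytes, min_len: int = 4) -> list:
    """Return (byte offset, recovered text) for every run that reads as
    letters/digits/spaces once the -29 rotation is undone.
    Caveat (constructed rule): a plain, unrotated digit string such as
    "2010" also passes, since +29 maps digits onto capital letters."""
    hits = []
    for run in _UTF16_RUN.finditer(buf):
        plain = unrot_minus_29(run.group().decode("utf-16-le"))
        for sub in re.finditer(r"[A-Za-z0-9 ]{%d,}" % min_len, plain):
            # two bytes per UTF-16 code unit when mapping back to the buffer
            hits.append((run.start() + 2 * sub.start(), sub.group()))
    return hits

# Constructed dump fragment: padding, an ordinary UTF-16LE word, a BOM-like
# pair of bytes, then the rotated marker string exactly as the post shows it.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "plain".encode("utf-16-le")
    + b"\xff\xfe"
    + to_dump_bytes("ForensicZone")
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(rot_minus_29("ForensicZone"))          # )RUHQVLF=RQH
    print(find_rot29_strings(SAMPLE_DUMP))       # [(28, 'ForensicZone')]
```

The ordinary word "plain" is skipped because adding 29 pushes its letters out of the alphanumeric range, while the rotated marker is recovered at its byte offset.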

I then started conducting searches on dead Windows 7 and Vista machines looking for the ROT (-29) in the wild. I used several search terms but haven't been able to find much practical use for this information, as of yet. I also couldn't find a consistent magic number, and the only hits I could find were on the word Microsoft (Microsoft + ROT(-29) = 0 L F U R V I Q), mostly dealing with Microsoft Office Document Metadata. (Note: The funny looking 0 is a zero)

There might be an easy explanation for Microsoft using ROT (-29) but I don't know what it is. If I am way off base or someone else has information about this please let me know.

I discovered ROT(-29) while preparing for my presentation for the Wisconsin Association Computer Crimes Investigators (WACCI) Conference 2010. One of the Keynote Speakers I am really looking forward to meeting at the WACCI 2010 Conference is Harlan Carvey.