I was asked how I knew that the content of the email in my last diary entry, was compressed RTF.
At first, I didn’t know this. The reader, Salil, told us that he suspected that the URLs he was looking for, were in stream 67. I looked at stream 67, but couldn’t find the content of the email.
Then I analyzed the content of the stream with my tool byte-stats.py, and noticed it was about 5 KB with a high entropy: 7.5…
So I thought that the content of this stream was probably compressed. But looking at the hexdump, I didn’t recognize the compression method:
The first string in this hexdump is LZFu. LZ reminded me of Lempel-Ziv compression. A Google search for LZFu gave this:
That’s when I found out about Compressed RTF, and then I created a decompression tool with the right module and a couple of lines.
I also updated my file-magic tool to detect Compressed RTF using this definition:
# Compressed RTF: file(1) magic Compressed RTF
8 string LZFu Compressed RTF
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Source: SANS Internet Storm Center
Detecting Compressed RTF, (Sun, Oct 28th)