I have a quick question that came up during the analysis of a piece of evidence. The “file extractor” ingest module allows you to extract media from certain file types. When comparing the analysis results with another forensic tool, Autopsy, however, does not seem to extract the content of a .DLL file.
Was this made on purpose? Wouldn’t it make sense to also consider these files for extraction?
From my understanding, .DLL files may not be the typical file type for hiding media, but theoretically that would be possible.
While I cannot answer your question from the development side, I can answer your question from the practitioner/incident responder side.
Any file could theoretically be used to hide something. There are (and were) many workarounds that individuals/threat actors have utilized in the past, including file names, file extensions, system folders, file sizes, etc. to try to either blend files in, or hope that they would be overlooked, or would be considered too large to be scanned/detected by AV/EDR/etc. There could easily be a 40 hour course on this, and it would still only cover a fraction of a percentage of the tactics, techniques, and procedures that an analyst should/could look for.
The point of modules/processes/etc. is not to give you, the examiner, a 100% answer; the purpose is to help guide and focus your attention on some areas rather than others, because at the end of the day, you are the analyst, and the entirety of the analysis process is something that you must complete.
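As an added illustration of both posts (the question about media inside a .DLL and the reply that any file, name or extension can be used to blend content in), the script below is example code written for this thread, not Autopsy's file extractor module. It identifies a file by its magic bytes rather than its extension, flags an extension/magic mismatch, and carves PNG and JPEG objects out of any container regardless of type. The sample "DLL" is a constructed byte string (an MZ/PE header shell with a 1x1 PNG and a tiny JPEG appended), not a real library.

```python
"""Type a file by its content, not its name, and carve embedded media from it.

Example code for the Autopsy forum thread above; not part of Autopsy.
"""
import os
import struct
import zlib

# Leading magic bytes that identify a file's actual type.
MAGIC = {
    b"MZ": "pe",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}

# Extensions that legitimately carry each type; anything else is a mismatch.
EXT_FOR_TYPE = {
    "pe": {".exe", ".dll", ".sys", ".ocx"},
    "png": {".png"},
    "jpeg": {".jpg", ".jpeg"},
    "gif": {".gif"},
    "pdf": {".pdf"},
    "zip": {".zip", ".jar", ".docx", ".xlsx", ".pptx", ".apk"},
}


def identify(data: bytes):
    """Return the type implied by the leading bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the name's extension does not match the content's real type."""
    kind = identify(data)
    if kind is None:
        return False
    return os.path.splitext(name)[1].lower() not in EXT_FOR_TYPE[kind]


def _png_end(data: bytes, start: int):
    """Walk PNG chunks (len, type, data, crc) from the signature to IEND."""
    pos = start + 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def _jpeg_end(data: bytes, start: int):
    """A JPEG runs from the SOI marker to the next EOI marker (FF D9)."""
    end = data.find(b"\xff\xd9", start + 2)
    return None if end == -1 else end + 2


CARVERS = {
    b"\x89PNG\r\n\x1a\n": ("png", _png_end),
    b"\xff\xd8\xff": ("jpeg", _jpeg_end),
}


def carve_media(data: bytes):
    """Return (offset, kind, payload) for media found anywhere past offset 0."""
    found = []
    for magic, (kind, end_of) in CARVERS.items():
        pos = data.find(magic, 1)
        while pos != -1:
            end = end_of(data, pos)
            if end is None:          # signature with no well-formed tail: skip it
                pos = data.find(magic, pos + 1)
                continue
            found.append((pos, kind, data[pos:end]))
            pos = data.find(magic, end)
    return sorted(found, key=lambda hit: hit[0])


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_dll() -> bytes:
    """Constructed sample: a fake PE shell (e_lfanew -> 'PE\\0\\0') with media appended."""
    pe_shell = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 200
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)      # 1x1, 8-bit grayscale
    png = (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 100 + b"\xff\xd9"
    return pe_shell + png + b"\x00" * 16 + jpeg


def scan(name: str, data: bytes):
    """Produce the notes an analyst would want about one file."""
    notes = [f"{name}: content type {identify(data) or 'unknown'}"]
    if extension_mismatch(name, data):
        notes.append(f"{name}: extension does not match content")
    for offset, kind, payload in carve_media(data):
        notes.append(f"{name}: embedded {kind} at offset {offset} ({len(payload)} bytes)")
    return notes


if __name__ == "__main__":
    sample = build_sample_dll()
    for line in scan("helper.dll", sample) + scan("holiday.jpg", sample):
        print(line)
```

The point of the script is the one the reply makes: the container type is not a reason to stop looking. A media-carving pass keyed on signatures, combined with an extension-versus-content check, gives the examiner a list of places to look rather than a verdict.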