Typical scenarios
- Unknown file format
- Missing drivers
- Network protocol analysis
Unknown file format
I need to read files stored by another software but the binary file format used by the author is not documented.
In this case, reverse engineering focuses on input/output operations responsible for reading and writing. Data flowing through these operations are observed and mapped onto data structures, creating a documentation of the file format layout.
Missing drivers
Such problem occurred to me with a Voltcraft DL-120 TH thermometer. The accompanying mini CD contained only drivers for 32-bit Windows. In the today’s world 32-bit operating systems are considered obsolete because of their 32-bit address bus limits and thus memory limitations. I desperately wanted to access measured data from my Mac and did not want to run a virtual machine each time to configure the device and to retrieve measured data. Reverse engineering was used to understand how the Windows application communicates with the device and libusb was used to create a replacement application running on Linux, macOS, and Windows in both 32 and 64-bits.
Network protocol analysis
First, the hard drive was extracted from the device and then its contents analyzed. Reverse engineering was used to analyze few applications from the device and the locking mechanism was analyzed. It was discovered that the device was communicating with an encrypted custom protocol. The protocol was documented and a substitute remote part was created unlocking the device and allowing the expert evidence completion.