Deceptive NTFS short file names

Are you aware of DLL hijacking? If yes, let’s suppose there is a program that executes the following line of code:


Its executable has the following name: “i_use_riched32.exe” (just as an example).

Now, take a look at the following contents of a directory containing this executable, the screenshots were taken of three tools: Explorer, FTK Imager Lite, The Sleuth Kit (each one points to the same directory).

FTK Imager Lite
The Sleuth Kit

Is the “riched32.dll” library hijacked for the “i_use_riched32.exe” executable? Let’s assume that no attempts to hijack the library have been made outside of the directory shown above.

Continue reading “Deceptive NTFS short file names”