Add “Protobuf Expert” to your examiner’s resume

It’s night shift, you’re staring at your hex editor and staring back at you is your forensic arch-nemesis: a protobuf-encoded blob. You’ve heard the horror stories, and maybe even battled with one previously. Looking at it now, there’s no doubt about it though: these things are just plain unintelligible.

And yet, you won’t do digital forensics for long without encountering it. Clearly, to be so popular it must have its merits. Why else would app developers far and wide be increasingly convinced to implement the tech over something far easier to work with, like JSON? Computers are so fast that a minor increase in parsing performance doesn’t explain such widespread adoption. Serving as a source of consternation for digital forensic examiners is another humorous possibility, but that’s not it either.

In this technical session, we will attempt to answer this question and more, with topics including:

  • examining the problems protobuf can actually solve from a developer’s perspective (as compared to JSON, XML, etc.) and an end-to-end demonstration
  • an overview of various tools you can use to interpret them, common pitfalls, and key things to understand
  • reverse engineering techniques (including dynamic analysis with Frida) that can be used to achieve increased understanding of a particularly complex object.
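As an added illustration of the "interpreting a blob without its schema" problem the session covers (this is example code written for this page, not material from the session or its presenters), the following Python script walks the protobuf wire format directly: each field is a varint tag whose low three bits give the wire type and whose remaining bits give the field number, followed by a varint, a fixed 32/64-bit value, or a length-prefixed payload. The sample bytes are constructed for the example; the field numbers, the heuristic that tries "embedded message, then UTF-8, then raw bytes" for length-delimited payloads, and the nesting limit are all choices made here, not anything a real application defines.

```python
import struct

MAX_DEPTH = 16  # guard against pathological nesting in untrusted blobs


def read_varint(buf, pos):
    """Decode a little-endian base-128 varint at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def zigzag_decode(n):
    """Reinterpret a varint as a signed sintNN value (zigzag encoding)."""
    return (n >> 1) ^ -(n & 1)


def _interpret_length_delimited(chunk, depth):
    """Length-delimited payloads are ambiguous without the .proto: a string,
    raw bytes, a packed repeated field and an embedded message all look the
    same on the wire. Heuristic: try embedded message, then UTF-8, then bytes."""
    if not chunk:
        return b""
    if depth < MAX_DEPTH:
        try:
            return decode(chunk, depth + 1)
        except ValueError:
            pass
    try:
        return chunk.decode("utf-8")
    except UnicodeDecodeError:
        return chunk


def decode(buf, depth=0):
    """Parse a schema-less protobuf message into a list of
    (field_number, wire_type, value) tuples. Raises ValueError on malformed input."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 7
        if field_no == 0:
            raise ValueError("field number 0 is illegal")
        if wire_type == 0:            # varint: int32/int64/uint/bool/enum/sint (zigzag)
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:          # 64-bit: fixed64/sfixed64/double
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            value = struct.unpack_from("<Q", buf, pos)[0]
            pos += 8
        elif wire_type == 2:          # length-delimited: string/bytes/message/packed
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of buffer")
            value = _interpret_length_delimited(bytes(buf[pos:pos + length]), depth)
            pos += length
        elif wire_type == 5:          # 32-bit: fixed32/sfixed32/float
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            value = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
        else:                         # 3/4 are deprecated groups; 6/7 are undefined
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields


def dump(fields, indent=0):
    """Print the decoded tree; varints are also shown with their zigzag reading."""
    pad = "  " * indent
    for field_no, wire_type, value in fields:
        if isinstance(value, list):
            print(f"{pad}{field_no} (message):")
            dump(value, indent + 1)
        elif wire_type == 0:
            print(f"{pad}{field_no} (varint): {value}  [as sint: {zigzag_decode(value)}]")
        else:
            print(f"{pad}{field_no} (wire type {wire_type}): {value!r}")


# Constructed sample blob (not captured from any real app): field 1 = varint 150,
# field 2 = "testing", field 3 = embedded message {1: 1}, field 4 = fixed64 1000,
# field 5 = fixed32 42.
SAMPLE = (b"\x08\x96\x01" + b"\x12\x07testing" + b"\x1a\x02\x08\x01"
          + b"\x21\xe8\x03\x00\x00\x00\x00\x00\x00" + b"\x2d\x2a\x00\x00\x00")

if __name__ == "__main__":
    dump(decode(SAMPLE))
```

The output shows why schema-less decoding is only a starting point: a varint might be an unsigned count, a zigzag-encoded negative, an enum or a bool; a fixed64 might be an integer or a double; and a length-delimited payload that happens to parse as a valid message will be reported as one even when it was really a string. Recovering the `.proto` (or the field semantics via the reverse engineering techniques listed above) is what turns these guesses into facts.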