That program appears to create evidence on the target machine. I hope there will be a way to link this to the parallel construction group. Don't like the guy? Plant evidence! /s
I was under the impression that they were planting files on the user's computer to incriminate them. I don't really understand where this code is getting its payload from, though.
That could plausibly be a tool for generating test data for forensics tools. The hardcoded paths don't make a lot of sense for actually trying to plant evidence.
What's so interesting? They have a default value, most likely for testing.
I find it very hard to believe anyone thinks "child_porn.avi" is a compelling filename for child pornography. I'd imagine they'd be more like "<age> <gender> <explicit act>.mp4".
It's software sold to law enforcement/intelligence agencies, and it is designed explicitly to plant false evidence. Even post-Snowden I think that qualifies as interesting.
Look at the change. They went from a Unix-like file system path name to a Windows one. Considering they call to_utf16le_binary_null, I'm going to guess they just wanted it to look reasonable (and perhaps not crash?) on Windows.
Take a look at the GeoTrust repo...
This is a very interesting file, too: https://github.com/hackedteam/rcs-common/blob/master/lib/rcs...