Ahmed F. Shosha

Ahmed F. Shosha started his research in the Digital Forensics Investigation Research Laboratory at University College Dublin in April 2010. He holds an M.Sc. in Software Engineering, and his research now focuses on malware analysis and the formalization of malicious code investigation.

Oct 04, 2012
Evasion-Resistant Malware Signature Based on Profiling Kernel Data Structure Objects

Malware creators are continually looking for new methods to evade malware detection engines. A popular evasion method is malicious code obfuscation, which changes the syntax of the code while preserving its execution semantics. If a malware signature relies on the syntactic features of the malicious code, it can therefore be evaded by obfuscation. In this […]

Oct 04, 2012
Towards Automated Forensic Event Reconstruction of Malicious Code

Many existing methods of forensic malware analysis rely on the investigator's practical experience rather than on hard science. This paper presents a formal (i.e. mathematically based) approach to reconstructing the activities of a malicious executable found on a victim's system during post-mortem analysis. The behavior of the suspect executable is modeled as a finite state automaton where […]

Oct 04, 2012
A Novel Methodology for Malware Intrusion Attack Path Reconstruction

When a malware outbreak happens in an organization, one of the main questions to be investigated is how the malware got in. Answering this question is important for identifying and closing the exploited technical and/or human vulnerabilities. This paper proposes a method for malware intrusion path reconstruction in a […]

Sep 13, 2012
Limitations of Malware Sandbox Usage in Digital Forensic Investigation

When digital investigators are confronted with a suspicious executable during an investigation, a standard, well-known incident response process is applied. This process encompasses hashing the suspect executable and looking up the hash value in an online malware analysis and scanning service such as VirusTotal [1] to verify whether the suspect executable belongs to a known malware family. If […]
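The hash-and-look-up step described above, and the syntactic-obfuscation problem raised in the "Evasion-Resistant Malware Signature" abstract, can be illustrated together with a small offline script. This is an added example and not code from the author or from either paper: the "executable" is a constructed byte string (not a real PE file), `KNOWN_BAD` is a local stand-in for the online hash database, and `append_overlay` is a hypothetical minimal semantics-preserving change (bytes appended past the end of the image, which a loader ignores). The point it shows is that a cryptographic hash is a purely syntactic signature: one appended byte defeats the lookup, while a feature derived from what the code actually references, here the API names it imports, is unchanged.

```python
import hashlib
import re

# Constructed stand-in for a suspect executable: a fake DOS/PE header followed
# by an import-name table. Not a real binary, just bytes with recognizable content.
SUSPECT = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"\x00" * 32
)


def digests(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the sample, the values an analyst would submit to a lookup service."""
    return {name: getattr(hashlib, name)(data).hexdigest() for name in ("md5", "sha1", "sha256")}


# Constructed offline stand-in for a known-malware hash database (the VirusTotal lookup
# in the text). It contains exactly one entry: the SHA-256 of the unmodified sample.
KNOWN_BAD = {digests(SUSPECT)["sha256"]}


def hash_lookup(data: bytes, db=KNOWN_BAD) -> bool:
    """Syntactic signature: hit only if the bytes are identical to a known sample."""
    return digests(data)["sha256"] in db


def imported_api_names(data: bytes) -> set:
    """Crude content-derived feature: NUL-separated identifier-like strings of 5+ chars."""
    return {m.decode() for m in re.findall(rb"[A-Za-z][A-Za-z0-9_.]{4,}", data)}


def append_overlay(data: bytes, padding: bytes = b"\x90" * 8) -> bytes:
    """Hypothetical minimal obfuscation: append bytes after the image (not executed, not loaded)."""
    return data + padding


def triage(data: bytes) -> dict:
    """Run both checks on a sample and report what each one concluded."""
    return {
        "sha256": digests(data)["sha256"],
        "hash_hit": hash_lookup(data),
        "api_names": imported_api_names(data),
    }


if __name__ == "__main__":
    original = triage(SUSPECT)
    variant = triage(append_overlay(SUSPECT))
    print("original  hash hit:", original["hash_hit"])   # True
    print("variant   hash hit:", variant["hash_hit"])    # False: one appended byte changes the hash
    print("same API names     :", original["api_names"] == variant["api_names"])  # True
```

Run as-is, the original sample is flagged by the hash lookup and the padded variant is not, even though both reference the same `CreateRemoteThread`/`WriteProcessMemory` pair. Real obfuscators go much further than padding, but the mechanism of evasion is the same: any change to the bytes, however semantically irrelevant, invalidates a hash or other byte-pattern signature.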