Category: Malware Forensics

  • Evasion-Resistant Malware Signature Based on Profiling Kernel Data Structure Objects

    Malware creators are continually looking for new methods to evade malware detection engines. A popular evasion method is based on malicious code obfuscation that changes the syntax of the code while preserving its execution semantics. If the malware signature relies on the syntactic features of the malicious code, it can be evaded by obfuscation techniques. In this…

  • Towards Automated Forensic Event Reconstruction of Malicious Code

    Many existing methods of forensic malware analysis rely on the investigators’ practical experience rather than hard science. This paper presents a formal (i.e. based on mathematics) approach to reconstructing activities of a malicious executable found in a victim’s system during a post-mortem analysis. The behavior of the suspect executable is modeled as a finite state automaton where…

  • A Novel Methodology for Malware Intrusion Attack Path Reconstruction

    When a malware outbreak happens in an organization, one of the main questions that needs to be investigated is how the malware got in. It is important to get an answer to this question to identify and close the exploited technical and/or human vulnerabilities. This paper proposes a method for malware intrusion path reconstruction in a…

  • Limitations of Malware Sandbox Usage in Digital Forensic Investigation

    When digital investigators are confronted with a suspicious executable during an investigation, a standard, well-known incident response process is applied. This process encompasses hashing the suspect executable and looking up the hash value in an online malware analysis and scanning service such as VirusTotal [1] to verify whether the suspect executable belongs to a known malware family. If…