Month: October 2012

  • Evasion-Resistant Malware Signature Based on Profiling Kernel Data Structure Objects

    Malware creators are continually looking for new methods to evade malware detection engines. A popular evasion method is based on malicious code obfuscation that changes the syntax of the code while preserving its execution semantics. If the malware signature relies on the syntactic features of the malicious code, it can be evaded by obfuscation techniques. In this…

  • Towards Automated Forensic Event Reconstruction of Malicious Code

    Many existing methods of forensic malware analysis rely on the investigators’ practical experience rather than hard science. This paper presents a formal (i.e. based on mathematics) approach to reconstructing activities of a malicious executable found in a victim’s system during a post-mortem analysis. The behavior of the suspect executable is modeled as a finite state automaton where…

  • A Novel Methodology for Malware Intrusion Attack Path Reconstruction

    When a malware outbreak happens in an organization, one of the main questions that need to be investigated is how the malware got in. It is important to get an answer to this question in order to identify and close the exploited technical and/or human vulnerabilities. This paper proposes a method for malware intrusion path reconstruction in a…

  • Some Pitfalls of Interpreting Forensic Artifacts in Windows Registry

    This post is on behalf of one of our students, Ms. Jacky Fox. Given below is the archive that contains her MSc dissertation and the Bash scripts she wrote to extract and correlate Windows registry artifacts. During her research she discovered that recent versions of Microsoft Windows introduced subtle changes to forensic interpretation of Windows…

  • InfoSecurity Russia 2012: Digital Forensics, Cloud Computing, Future of Cybercrime Investigation

    Last week Joshua and I gave an invited talk about digital forensics at InfoSecurity Russia 2012. The slides of the talk are here: Slides of DigitalFIRE Talk at InfoSecurity Russia 2012. Our talk explored the issues of digital forensics in the cloud environment. The first part of the talk introduced the concepts of cyber crime investigations and the challenges…