There are numerous ways of concealing sensitive data and code within malicious files and programs. Fortunately, attackers use one particular XOR-based technique very frequently, because offers sufficient protection and is simple to implement. Here's a look at several tools for deobfuscating XOR-encoded data during static malware analysis.
MASTIFF is an open source framework for automating static malware analysis. This tool, created by Tyler Hudak, determines the type of file that is being analyzed and then applies only the static analysis techniques that are appropriate for that file type. MASTIFF offers a useful way for performing triage on a large set of suspicious files.
Memory analysis skills are one of the most in-demand skills for digital forensics, incident response, and malware analysts today. SANS is introducing a brand new 5-day class dedicated to Windows Memory Forensics. The hands-on course, written by memory forensics pioneer Jesse Kornblum, is incredibly comprehensive and a crucial course for any investigator who is analyzing intrusions.
SANS is offering a 10% discount off the FOR526 course for the following events: Discount Code: WINDEX
This week in Case Leads we have a great new update to REMnux, two new tools for registry analysis and be sure to vote for the Forensic 4cast Awards right after you hop over to the new REM community on Stack Exchange.
If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it email@example.com.
- REMnux, the linux distro designed for malware reverse-engineering, has been updated to version 4 and it's now distributed as a VMware virtual appliance, a bootable ISO and as an OVA virtual appliance. An overview of the appliance installation was covered on this blog a couple of days ago, and SANS is hosting a webcast to go over what's new in
REMnux is a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. Here is how to install the REMnux virtual appliance using common virtualization tools, such as VMware and VirtualBox, thanks to the Open Virtualization Format (OVF/OVA).