Malware Analysis Tools - SANS Computer Forensics

12.07.2013 • Views

Share Embed Flag

Malware Analysis Tools - SANS Computer Forensics

ePAPER READ

DOWNLOAD ePAPER

computer.forensics.sans.org

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

START NOW

Densityscout

Mathematically

based on Bytehist

Computing (all)

files of a filesystem

location

Result is a

descending

ordered list

Reveals potentially

unwanted

software

(0.03763) | c:\Windows\System32\bootres.dll

(0.05214) | c:\Windows\System32\WdfCoinstaller01009.dll

(0.05963) | c:\Windows\System32\VAIO S Series ‐ Summer 2011.scr

(0.11521) | c:\Windows\System32\LkmdfCoInst.dll

(0.12726) | c:\Windows\System32\mcupdate_GenuineIntel.dll

(0.20664) | c:\Windows\System32\iglhsip64.dll

(0.27113) | c:\Windows\System32\pegibbfc.rs

(0.27516) | c:\Windows\System32\usk.rs

(0.27633) | c:\Windows\System32\cero.rs

(0.28895) | c:\Windows\System32\pegi.rs

(0.30524) | c:\Windows\System32\AuthFWGP.dll

(0.30681) | c:\Windows\System32\iscsicpl.exe

(0.32147) | c:\Windows\System32\msshavmsg.dll

(0.32388) | c:\Windows\System32\SrpUxNativeSnapIn.dll

(0.32859) | c:\Windows\System32\qedwipes.dll

(0.34056) | c:\Windows\System32\imagesp1.dll

(0.34697) | c:\Windows\System32\oflc.rs

(0.36592) | c:\Windows\System32\auditpolmsg.dll

(0.36870) | c:\Windows\System32\onexui.dll

(0.38369) | c:\Windows\System32\resmon.exe

07.10.2012 6

Building, Maturing & Rocking a Security Operations Center - SANS ...

Sniper Forensics “One Shot, One Kill” - SANS Computer Forensics

examples of recent apt persistence mechanisms - SANS Computer ...

Ovie Carroll - SANS Forensic Trends and Futures.pdf

Analysis & Correlation of Mac Logs - SANS

“ANN'S AURORA” - SANS Computer Forensics

Encryption v20.10 - SANS Computer Forensics

Tales from the Crypt - TrueCrypt Analysis - SANS

Digital Forensics for IaaS Cloud Computing - SANS Computer ...

All the Gear..and No Idea.. - Scalable, fast - SANS

Protecting Privileged Domain Accounts during Live Response

Taking Registry Analysis to the Next Level - SANS Computer ...

Mark McKinnon RedWolf Computer Forensics Mark ... - SANS

Brendan Dolan-Gavitt Georgia Institute of Technology - SANS

Densityscout Mathematically based on Bytehist Computing (all) files of a filesystem location Result is a descending ordered list Reveals potentially unwanted software (0.03763) | c:\Windows\System32\bootres.dll (0.05214) | c:\Windows\System32\WdfCoinstaller01009.dll (0.05963) | c:\Windows\System32\VAIO S Series ‐ Summer 2011.scr (0.11521) | c:\Windows\System32\LkmdfCoInst.dll (0.12726) | c:\Windows\System32\mcupdate_GenuineIntel.dll (0.20664) | c:\Windows\System32\iglhsip64.dll (0.27113) | c:\Windows\System32\pegibbfc.rs (0.27516) | c:\Windows\System32\usk.rs (0.27633) | c:\Windows\System32\cero.rs (0.28895) | c:\Windows\System32\pegi.rs (0.30524) | c:\Windows\System32\AuthFWGP.dll (0.30681) | c:\Windows\System32\iscsicpl.exe (0.32147) | c:\Windows\System32\msshavmsg.dll (0.32388) | c:\Windows\System32\SrpUxNativeSnapIn.dll (0.32859) | c:\Windows\System32\qedwipes.dll (0.34056) | c:\Windows\System32\imagesp1.dll (0.34697) | c:\Windows\System32\oflc.rs (0.36592) | c:\Windows\System32\auditpolmsg.dll (0.36870) | c:\Windows\System32\onexui.dll (0.38369) | c:\Windows\System32\resmon.exe 07.10.2012 6

Minibis Automation framework based on virtual machines (since 2009!!) Highly flexible and configurable Easy automation of behavioral analysis tasks It does what YOU want Can be used in any kind of scenario Used in CERT.at's productive processes Too complex to summarize Update is about to come soon 07.10.2012 7

Page 1 and 2: 07.10.2012 Christian Wojner, CERT.a
Page 3 and 4: Crossplatform Our tools are availa
Page 5: Bytehist PE‐Sections! 07.10.2012
Page 9 and 10: ProcDOT 07.10.2012 9
Page 11 and 12: ProcDOT Searching for strings (her
Page 13 and 14: 07.10.2012 13

Malware Analysis Tools - SANS Computer Forensics

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?