SANS Digital Forensics and Incident Response Blog: Category - Reverse Engineering

Dealing with ASLR When Analyzing Malware on Windows 8.1

If you're migrating your malware lab from Windows XP, watch out for the operating system's forced ASLR feature, especially on Windows 8.1. ASLR is good for security, but it complicates malware analysis: IDA Pro, OllyDbg, UPX and other tools can get confused when a sample does not load at the base address recorded in its headers. Here is how to work around these issues.
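Before fighting the debugger, it helps to know whether a sample opted in to ASLR at all. The PE header records this in the DllCharacteristics field (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, 0x0040). The script below is an added example, not code from the post or from any of the tools it names: it walks the DOS and PE headers by their documented offsets, reports the ASLR/DEP opt-in bits, and can clear DYNAMIC_BASE so that a loader which honours the flag maps the image at its preferred base. The minimal PE32 header it operates on is constructed inline for demonstration; the field offsets come from the PE/COFF specification.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # 64-bit high-entropy ASLR opt-in
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040      # image may be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100         # DEP opt-in


def dll_characteristics_offset(data: bytes) -> int:
    """Return the file offset of the 16-bit DllCharacteristics field.

    Walks DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header -> optional header.
    DllCharacteristics sits at offset 70 of the optional header in both PE32
    (magic 0x10B) and PE32+ (magic 0x20B), so one offset serves both formats.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < 72 or opt + 72 > len(data):
        raise ValueError("optional header truncated")
    return opt + 70


def aslr_info(data: bytes) -> dict:
    """Report the ASLR/DEP-related opt-in bits of a PE image."""
    (flags,) = struct.unpack_from("<H", data, dll_characteristics_offset(data))
    return {
        "dynamic_base": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def clear_dynamic_base(data: bytes) -> bytes:
    """Return a copy of the image with IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE cleared.

    Only the two flag bytes change. The PE checksum is left untouched, which the
    Windows loader tolerates for ordinary user-mode executables and DLLs.
    """
    off = dll_characteristics_offset(data)
    (flags,) = struct.unpack_from("<H", data, off)
    out = bytearray(data)
    struct.pack_into("<H", out, off, (flags & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) & 0xFFFF)
    return bytes(out)


def make_sample_pe(dll_characteristics: int) -> bytes:
    """Constructed, minimal PE32 header (not a real sample) used to exercise the code above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header follows the DOS header
    # Machine=i386, 1 section, no timestamp/symbols, SizeOfOptionalHeader=0xE0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)        # ImageBase
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = make_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print("before:", aslr_info(sample))
    print("after: ", aslr_info(clear_dynamic_base(sample)))
```

Run `aslr_info` over a real sample to see which bits it carries; the same offsets apply to a file read with `open(path, "rb").read()`. Keep the caveat from the post in mind: clearing DYNAMIC_BASE only helps where the operating system respects the flag, and a system configured to force ASLR may still relocate the image, so rebasing the disassembly in IDA Pro to the observed load address remains the fallback.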


Reverse-Engineering Malware Course Expanded to Include Capture-the-Flag Challenges

SANS expanded the Reverse-Engineering Malware course (FOR610) to include a day's worth of capture-the-flag malware analysis challenges. The challenges are built upon the NetWars tournament platform and are designed to reinforce the skills learned earlier in the course by experimenting with real-world malware. You can get a sneak peek at the new experience.


Tools for Examining XOR Obfuscation for Malware Analysis

There are numerous ways of concealing sensitive data and code within malicious files and programs. Fortunately, attackers use one particular XOR-based technique very frequently, because it offers sufficient protection and is simple to implement. Here's a look at several tools for deobfuscating XOR-encoded data during static malware analysis.
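The technique those tools target most often is a single-byte XOR key applied to the whole blob, and the way they find the key is a known-plaintext search: XOR each expected plaintext fragment with every candidate key and look for the result in the raw bytes. The following is an added example of that search, written here to illustrate the idea rather than taken from the post or from any named tool. The marker list and the XOR-encoded sample are constructed for the demonstration; the key 0x5A and the beacon URL are made up.

```python
from typing import List, Optional, Tuple

# Plaintext fragments that commonly survive inside embedded PE files and C2
# configuration. A hit under a candidate key is strong evidence for that key.
DEFAULT_MARKERS: List[bytes] = [
    b"This program cannot be run in DOS mode",
    b"kernel32.dll",
    b"http://",
    b"https://",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def xor_search(data: bytes, markers: List[bytes] = DEFAULT_MARKERS) -> List[Tuple[int, int, bytes]]:
    """Try all 256 single-byte keys; return (key, offset, marker) for every hit.

    Rather than decoding the whole buffer 256 times, XOR each short marker with
    the key and search the raw data for that ciphertext. Key 0 is included on
    purpose: a marker in the clear means the data is not XOR-obfuscated.
    """
    hits = []
    for key in range(256):
        for marker in markers:
            needle = xor_bytes(marker, key)
            start = 0
            while True:
                off = data.find(needle, start)
                if off == -1:
                    break
                hits.append((key, off, marker))
                start = off + 1
    return hits


def best_key(data: bytes, markers: List[bytes] = DEFAULT_MARKERS) -> Optional[int]:
    """Key under which the most distinct markers appear, or None if nothing matched."""
    distinct = {}
    for key, _, marker in xor_search(data, markers):
        distinct.setdefault(key, set()).add(marker)
    if not distinct:
        return None
    return max(distinct, key=lambda k: (len(distinct[k]), -k))


def decode(data: bytes, key: int) -> bytes:
    """Recover the plaintext once a key has been chosen (XOR is its own inverse)."""
    return xor_bytes(data, key)


# Constructed sample: a PE-like stub plus a beacon URL, obfuscated with key 0x5A.
SAMPLE_PLAIN = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 6
    + b"kernel32.dll\x00"
    + b"http://c2.example.invalid/gate.php\x00"
)
SAMPLE_KEY = 0x5A
SAMPLE = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)


if __name__ == "__main__":
    key = best_key(SAMPLE)
    print("candidate key: 0x%02x" % key)
    for k, off, marker in xor_search(SAMPLE):
        if k == key:
            print("  marker %r at offset %d" % (marker, off))
    print(decode(SAMPLE, key))
```

This finds only constant single-byte keys; a rolling key, a multi-byte key, or an encoder that skips null bytes to preserve them defeats the plain search, and the other techniques the post surveys exist for exactly those cases. Extending the marker list with strings specific to the family under analysis (mutex names, user agents, registry paths) raises the hit rate on samples that carry no PE stub.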


Automating Static Malware Analysis With MASTIFF

MASTIFF is an open source framework for automating static malware analysis. This tool, created by Tyler Hudak, determines the type of file being analyzed and then applies only the static analysis techniques that are appropriate for that file type. MASTIFF offers a useful way to triage a large set of suspicious files.


Digital Forensics Case Leads: New REMnux, Registry tools and more APT1 analysis

This week in Case Leads we have a great new update to REMnux and two new tools for registry analysis. Be sure to vote in the Forensic 4cast Awards right after you hop over to the new REM community on Stack Exchange. If you have an item you'd like to contribute to Digital Forensics Case …