A Survey of XOR as a Digital Obfuscation Technique in a Corpus of Real Data
Garfinkel, Simson L.
MetadataShow full item record
To determine the usage of XOR and the need to adapt additional tools, we analyzed 2,411 drive images from devices acquired around the world for the use of bytewise XOR as an obfuscation technique. Using a modified version of the open source digital forensics tool bulk˙extractor, evidence of XOR obfuscation was found on 698 drive images, with a maximum of 21,031 XOR-obfuscated features on a single drive. XOR usage in our corpus was observed in files with timestamps between the years 1995 and 2009, but the majority use was found in unallocated space. On the corpus tested, XOR obfuscation was used to circumvent malware detection and reverse engineering, to hide information that was apparently being exfiltrated, and by malware detection tools for their quarantine directory and to distribute malware signatures. We conclude that XOR obfuscation is important to consider when performing malware investigations.
NPS Report NumberNPS-CS-13-005
Showing items related by title, author, creator and subject.
Rowe, Neil C. (Monterey, California. Naval Postgraduate School, 2012-08);The National Software Reference Library (NSRL) is an essential data source for forensic investigators, providing in its Reference Data Set (RDS) a set of hash values of known software. However, the NSRL RDS has not ...
Authorship attribution in the e-mail domain a study of the effect of size of author corpus and topic on accuracy of identification Levy-Minzie, Kori. (Monterey, California. Naval Postgraduate School, 2011-03);We determined that it is possible to achieve authorship attribution in the e-mail domain when training on "ersonal" e-mails and testing on "work" e-mails and vice versa. These results are unique since they simulate two ...
Ortiz, Pedro. (Monterey, California. Naval Postgraduate School, 2010-06);We determined that it is possible to automatically detect persuasion in conversations using three traditional machine learning techniques, naive bayes, maximum entropy, and support vector machine. These results are the ...