A Survey of XOR as a Digital Obfuscation Technique in a Corpus of Real Data
| dc.contributor.author | Zarate, Carolina | |
| dc.contributor.author | Garfinkel, Simson L. | |
| dc.contributor.author | Heffernan, Aubin | |
| dc.contributor.author | Gorak, Kyle | |
| dc.contributor.author | Horras, Scott | |
| dc.date.accessioned | 2014-01-30T16:05:07Z | |
| dc.date.available | 2014-01-30T16:05:07Z | |
| dc.date.issued | 2014-01-17 | |
| dc.identifier.uri | https://hdl.handle.net/10945/38680 | |
| dc.description.abstract | To determine the usage of XOR and the need to adapt additional tools, we analyzed 2,411 drive images from devices acquired around the world for the use of bytewise XOR as an obfuscation technique. Using a modified version of the open source digital forensics tool bulk˙extractor, evidence of XOR obfuscation was found on 698 drive images, with a maximum of 21,031 XOR-obfuscated features on a single drive. XOR usage in our corpus was observed in files with timestamps between the years 1995 and 2009, but the majority use was found in unallocated space. On the corpus tested, XOR obfuscation was used to circumvent malware detection and reverse engineering, to hide information that was apparently being exfiltrated, and by malware detection tools for their quarantine directory and to distribute malware signatures. We conclude that XOR obfuscation is important to consider when performing malware investigations. | en_US |
| dc.description.sponsorship | The Department of the Navy | en_US |
| dc.language.iso | en_US | |
| dc.publisher | Monterey, California. Naval Postgraduate School | en_US |
| dc.rights | This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States. | en_US |
| dc.subject | XOR | en_US |
| dc.title | A Survey of XOR as a Digital Obfuscation Technique in a Corpus of Real Data | en_US |
| dc.type | Technical Report | en_US |
| dc.contributor.department | Computer Science | |
| dc.identifier.npsreport | NPS-CS-13-005 | |
| dc.description.distributionstatement | Approved for public release; distribution is unlimited. |
Files in this item
This item appears in the following Collection(s)
-
All Technical Reports Collection
Includes reports from all departments. -
Computer Science (NPS-CS)
-
Faculty and Researchers' Publications
Related items
Showing items related by title, author, creator and subject.
-
Analysis of the Use of XOR as an Obfuscation Technique in a Real Data Corpus
(2014);The only digital forensic tools known to provide an automated approach for evaluating XOR obfuscated data are DCCI Carver and DC3 Carver, two general-purpose carving tools developed by the Defense Cyber Crime Center ... -
Chris Eagle: Attacking Obfuscated Code with IDA Pro-(Partial Japanese)
(2006-10-31);Virtually every virus and worm that circulates the Internet today is ""protected"" by some form of obfuscation that hides the code's true intent. In the Window's world where worms prevail, the use of tools such as UPX, ... -
TOWARD UNDERSTANDING THE LONGITUDINAL STABILITY OF AN IP GEOLOCATION DATABASE
(Monterey, CA; Naval Postgraduate School, 2020-03);While many IP Geolocation Database (IPGD) studies exist gauging "accuracy" by comparing to ground truth (and other IPGDs), there is a dearth of studies looking at the stability of IPGD locations in longitudinal context. ...
