Analysis of the Use of XOR as an Obfuscation Technique in a Real Data Corpus
Author
Zarate, Carolina
Garfinkel, Simson
Heffernan, Aubin
Horras, Scott
Gorak, Kyle
Date
2014
Abstract
The only digital forensic tools known to provide an automated approach for evaluating XOR-obfuscated data are DCCI Carver and DC3 Carver, two general-purpose carving tools developed by the Defense Cyber Crime Center (DC3). To determine how XOR is used as an obfuscation technique, and whether additional tools need to be adapted to handle it, we analyzed 2,411 drive images from devices acquired from countries around the world. Using a modified version of the open source tool bulk extractor, evidence of XOR obfuscation was found on 698 drive images, with a maximum of 21,031 XOR-obfuscated features on a single drive. XOR usage in the corpus was observed in files with timestamps between the years 1995 and 2009, with the majority of the usage found in unallocated space. XOR obfuscation was used in the corpus to circumvent malware detection and reverse engineering, to hide information that was apparently being exfiltrated, and by malware detection tools for their quarantine directories and to distribute malware signatures. The results indicate that XOR obfuscation is important to consider when performing malware investigations. However, since the corpus does not contain data sets that are known to have been used by malicious entities, it is difficult to draw conclusions regarding the importance of extracting and examining XOR-obfuscated files in criminal, counterintelligence and counterterrorism cases without further research.
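The abstract refers to a modified bulk extractor that finds XOR-obfuscated features but does not say how. As an added illustration, not code from the paper or from bulk extractor, the following Python scans a raw buffer for known file-header magics under every single-byte XOR key, the simplest bytewise XOR a carver can be extended to recognise. The sample fragment, the key 0x5A and the offset 300 are constructed for this demonstration.

```python
"""Find file-header signatures hidden under a single-byte XOR key in a raw buffer."""
from typing import List, NamedTuple

# Magic values a carver would normally match in the clear (each at least 3 bytes).
SIGNATURES = {
    "PDF": b"%PDF-",
    "ZIP": b"PK\x03\x04",
    "PNG": b"\x89PNG\r\n\x1a\n",
    "ELF": b"\x7fELF",
    "GZIP": b"\x1f\x8b\x08",
}

class XorHit(NamedTuple):
    offset: int      # position in the raw buffer where the magic surfaced
    key: int         # single-byte key that revealed it
    signature: str   # which magic matched

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte, using a 256-entry translation table."""
    return data.translate(bytes(b ^ key for b in range(256)))

def find_xor_signatures(data: bytes) -> List[XorHit]:
    """Decode the buffer under each non-zero key and record every magic that appears.
    Key 0 is skipped: plaintext hits are what an unmodified carver already reports."""
    hits = []
    for key in range(1, 256):
        decoded = xor_bytes(data, key)
        for name, magic in SIGNATURES.items():
            pos = decoded.find(magic)
            while pos != -1:
                hits.append(XorHit(pos, key, name))
                pos = decoded.find(magic, pos + 1)
    return sorted(hits)

def build_sample(offset: int = 300, key: int = 0x5A) -> bytes:
    """Constructed drive fragment: a PDF header XORed with `key`, embedded in filler.
    The filler (bytes 0..255 repeated) cannot match any magic above under any key,
    so the only hit is the planted header."""
    filler = bytes(range(256)) * 3
    hidden = xor_bytes(b"%PDF-1.4\n", key)
    return filler[:offset] + hidden + filler[offset:]

if __name__ == "__main__":
    for hit in find_xor_signatures(build_sample()):
        print(f"offset={hit.offset} key=0x{hit.key:02x} signature={hit.signature}")
```

Running the scan over a real carved region is the same call; expect far more candidate keys on real data, which is why a production scanner validates the decoded structure past the magic before reporting a feature.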
Description
IFIP International Conference on Digital Forensics
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 433)
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
Related items
- A Survey of XOR as a Digital Obfuscation Technique in a Corpus of Real Data
  Zarate, Carolina; Garfinkel, Simson L.; Heffernan, Aubin; Gorak, Kyle; Horras, Scott (Monterey, California. Naval Postgraduate School, 2014-01-17); NPS-CS-13-005
  To determine the usage of XOR and the need to adapt additional tools, we analyzed 2,411 drive images from devices acquired around the world for the use of bytewise XOR as an obfuscation technique. Using a modified version ...
- Chris Eagle: Attacking Obfuscated Code with IDA Pro (Partial Japanese)
  Eagle, Chris (2006-10-31)
  Virtually every virus and worm that circulates the Internet today is "protected" by some form of obfuscation that hides the code's true intent. In the Windows world where worms prevail, the use of tools such as UPX, ...
- TOWARD UNDERSTANDING THE LONGITUDINAL STABILITY OF AN IP GEOLOCATION DATABASE
  Culbert, Jonathan A. (Monterey, CA; Naval Postgraduate School, 2020-03)
  While many IP Geolocation Database (IPGD) studies exist gauging "accuracy" by comparing to ground truth (and other IPGDs), there is a dearth of studies looking at the stability of IPGD locations in longitudinal context. ...