Analysis Question

keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

When we sit down and think about our analysis workflow, one of the things we may
often come across is, "..look at data X for suspicious entries…", and then the
question becomes, "what is 'suspicious'?"

Doing some reading this morning, I ran across the MS malware encyclopedia
description for a variant of Dorkbot, and I saw that the description stated that
the malware uses the user's Run key for persistence, using a random .exe name.
The path that it uses within the file system is apparently "%AppData%", and MS
gave a full description of the path on WinXP and Windows 7.

With all of the data we have to look at, does it make sense to add grep()
statements to our parsers to extract the "low-hanging fruit" for us? If we
know, for example, that we would want to take a closer look at any value beneath
the Run (regardless of hive) that includes 'temp' or 'AppData' or 'Application
Data' in the path, does it make sense to include code to look for those things
and highlight them for us?

Would this be useful to anyone?

 
Posted : 04/05/2013 5:47 pm
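One way to implement the grep()-style flagging proposed above, written here as an added Python example rather than as RegRipper plugin code (RegRipper is Perl; nothing below comes from it). The Run values are constructed for the example, and the substring list is the one named in the post ('temp', 'AppData', 'Application Data'), applied regardless of hive:

```python
import re

# Path substrings the post proposes highlighting, compared case-insensitively.
# "Application Data" matches the Windows XP profile layout, "AppData" Vista and
# later; %AppData% and %TEMP% in unexpanded form match as well, because the
# variable name itself contains the token.
SUSPICIOUS_PATH_TOKENS = ("temp", "appdata", "application data")

# Constructed sample Run values as (key, value name, value data). The value
# names, user names and file names are made up for this example and are not
# indicators from any real sample.
SAMPLE_RUN_VALUES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Agent",
     r'"C:\Program Files\Example\agent.exe" -background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Windows Update",
     r'"C:\Users\alice\AppData\Roaming\hjkwq.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svc",
     r"C:\Documents and Settings\alice\Application Data\svc.exe /silent"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Loader",
     r"%TEMP%\ld.exe"),
]


def extract_image_path(data):
    """Return the executable path part of a Run value's data.

    Quoted data keeps everything inside the first pair of quotes; unquoted
    data is cut after the first '.exe' token, or at the first space if no
    '.exe' is present, so trailing command-line switches do not get matched.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)(?=\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ", 1)[0]


def flag_run_values(entries):
    """Return the entries whose image path contains a suspicious token.

    Each result records the key, value name, extracted path and the tokens
    that matched, so a parser can print them ahead of the full listing.
    """
    flagged = []
    for key, name, data in entries:
        path = extract_image_path(data)
        hits = [tok for tok in SUSPICIOUS_PATH_TOKENS if tok in path.lower()]
        if hits:
            flagged.append({"key": key, "name": name, "path": path, "hits": hits})
    return flagged


if __name__ == "__main__":
    for f in flag_run_values(SAMPLE_RUN_VALUES):
        print(f"[{','.join(f['hits'])}] {f['key']}\\{f['name']} -> {f['path']}")
```

A match is only a prompt to look closer; legitimate updaters do run from AppData, which is why the output is a highlight list rather than a verdict.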
(@patrick4n6)
Posts: 650
Honorable Member
 

For anything with malware or a "virus did it" defence I'm going to run my standard registry reports which inter alia list all the run keys. Anything with AppData in the path would instantly stand out for me.

So in my case, it's not a value add. It may be for others.

 
Posted : 04/05/2013 10:41 pm
(@hydrocloricacid)
Posts: 37
Eminent Member
 

Would this be useful to anyone?

Yes. It will help highlight data of interest.

e.g. when using msconfig I like how I can hide all the MS services; it makes it easier to see potentially interesting services.

It's quite helpful to bring to the front the items which are more likely to be of interest.
I think it's a good idea and it kinda fits with your forensic scanner concept in a way.
Intelligent processing which highlights and brings to the forefront information of interest.

When we sit down and think about our analysis workflow, one of the things we may
often come across is, "..look at data X for suspicious entries…", and then the
question becomes, "what is 'suspicious'?"

I guess there are different ways of finding what is suspicious. There are blacklists where we know what is suspicious, and there are whitelists to remove what we know isn't.

Maybe a project for someone for Registry Ripper , log2timeline … etc , which highlights items for interest, and possibly removes known good items.

 
Posted : 06/05/2013 10:25 am
(@belkasoft)
Posts: 169
Estimable Member
 

Please PM me if you'd like to receive a copy of our (unfinished) whitepaper on detecting malware with Windows Debugger scripts. Specifically, we're describing various things that are "suspicious" in terms of malware.

 
Posted : 06/05/2013 3:34 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Maybe a project for someone for Registry Ripper …

Already being done… take a look at version 2.8.

 
Posted : 06/05/2013 5:27 pm