Malware Forensics: Discovery of the Intent of Deception

Journal of Digital Forensics, Security and Law. 2010;5(4):31-42

Journal Title: Journal of Digital Forensics, Security and Law

ISSN: 1558-7215 (Print); 1558-7223 (Online)

Publisher: Association of Digital Forensics, Security and Law

Society/Institution: Association of Digital Forensics, Security and Law

LCC Subject Category: Law: Law in general. Comparative and uniform law. Jurisprudence: Comparative law. International uniform law: Criminal law and procedure

Country of publisher: United States

Language of fulltext: English

Full-text formats available: PDF


AUTHORS

Murray Brand (Security Research Centre Edith Cowan University)
Craig Valli (Security Research Centre Edith Cowan University)
Andrew Woodward (Security Research Centre Edith Cowan University)

EDITORIAL INFORMATION

Double blind peer review

Time From Submission to Publication: 10 weeks

ABSTRACT

Malicious software (malware) can employ a wide variety of analysis avoidance techniques to hinder forensic analysis. Although legitimate software can incorporate the same techniques to provide a measure of protection against reverse engineering and to protect intellectual property, malware invariably makes much greater use of them, making detailed analysis labour-intensive and very time-consuming. Analysis avoidance techniques are so heavily used by malware that detecting their use could be a very good indicator of the presence of malicious intent. However, analysis tools tend to focus on hiding the presence of the tool itself from the malware, rather than on detecting and recording the use of analysis avoidance techniques. In addition, the coverage of anti-anti-analysis techniques in common tools and plugins is much smaller than the number of analysis avoidance techniques that exist. The purpose of this paper is to suggest that the discovery of the intent of deception may be a very good indicator of an underlying malicious objective in the software under investigation.