Analysis of the Use of XOR as an Obfuscation Technique in a Real Data Corpus - Archive ouverte HAL Access content directly
Conference Papers Year : 2014

Analysis of the Use of XOR as an Obfuscation Technique in a Real Data Corpus

(1) , (2) , (3) , (3) , (3)
1
2
3

Abstract

The only digital forensic tools known to provide an automated approach for evaluating XOR obfuscated data are DCCI_Carver and DC3_Carver, two general-purpose carving tools developed by the Defense Cyber Crime Center (DC3). In order to determine the use of XOR as an obfuscation technique and the need to adapt additional tools, we analyzed 2,411 drive images from devices acquired from countries around the world. Using a modified version of the open source tool bulk_extractor, evidence of XOR obfuscation was found on 698 drive images, with a maximum of 21,031 XOR-obfuscated features on a single drive. XOR usage in the corpus was observed in files with timestamps between the years 1995 and 2009, with the majority of the usage found in unallocated space. XOR obfuscation was used in the corpus to circumvent malware detection and reverse engineering, to hide information that was apparently being exfiltrated, and by malware detection tools for their quarantine directories and to distribute malware signatures. The results indicate that XOR obfuscation is important to consider when performing malware investigations. However, since the corpus does not contain data sets that are known to have been used by malicious entities, it is difficult to draw conclusions regarding the importance of extracting and examining XOR obfuscated files in criminal, counterintelligence and counterterrorism cases without further research.
Fichier principal
Vignette du fichier
978-3-662-44952-3_9_Chapter.pdf (808.54 Ko) Télécharger le fichier
Origin : Files produced by the author(s)
Loading...

Dates and versions

hal-01393766 , version 1 (08-11-2016)

Licence

Attribution - CC BY 4.0

Identifiers

Cite

Carolina Zarate, Simson Garfinkel, Aubin Heffernan, Scott Horras, Kyle Gorak. Analysis of the Use of XOR as an Obfuscation Technique in a Real Data Corpus. 10th IFIP International Conference on Digital Forensics (DF), Jan 2014, Vienna, Austria. pp.117-132, ⟨10.1007/978-3-662-44952-3_9⟩. ⟨hal-01393766⟩
172 View
1337 Download

Altmetric

Share

Gmail Facebook Twitter LinkedIn More