Skip to Main content Skip to Navigation
Conference papers

Analysis of the Use of XOR as an Obfuscation Technique in a Real Data Corpus

Abstract : The only digital forensic tools known to provide an automated approach for evaluating XOR obfuscated data are DCCI_Carver and DC3_Carver, two general-purpose carving tools developed by the Defense Cyber Crime Center (DC3). In order to determine the use of XOR as an obfuscation technique and the need to adapt additional tools, we analyzed 2,411 drive images from devices acquired from countries around the world. Using a modified version of the open source tool bulk_extractor, evidence of XOR obfuscation was found on 698 drive images, with a maximum of 21,031 XOR-obfuscated features on a single drive. XOR usage in the corpus was observed in files with timestamps between the years 1995 and 2009, with the majority of the usage found in unallocated space. XOR obfuscation was used in the corpus to circumvent malware detection and reverse engineering, to hide information that was apparently being exfiltrated, and by malware detection tools for their quarantine directories and to distribute malware signatures. The results indicate that XOR obfuscation is important to consider when performing malware investigations. However, since the corpus does not contain data sets that are known to have been used by malicious entities, it is difficult to draw conclusions regarding the importance of extracting and examining XOR obfuscated files in criminal, counterintelligence and counterterrorism cases without further research.
Document type :
Conference papers
Complete list of metadatas

Cited literature [26 references]  Display  Hide  Download
Contributor : Hal Ifip <>
Submitted on : Tuesday, November 8, 2016 - 10:47:52 AM
Last modification on : Thursday, March 5, 2020 - 4:46:28 PM
Long-term archiving on: : Tuesday, March 14, 2017 - 10:41:58 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Carolina Zarate, Simson Garfinkel, Aubin Heffernan, Scott Horras, Kyle Gorak. Analysis of the Use of XOR as an Obfuscation Technique in a Real Data Corpus. 10th IFIP International Conference on Digital Forensics (DF), Jan 2014, Vienna, Austria. pp.117-132, ⟨10.1007/978-3-662-44952-3_9⟩. ⟨hal-01393766⟩



Record views


Files downloads