An Experimental Evaluation on Proposing a Methodology for Assessment of Packing in DFIR of Ransomware Binaries
Guardado en:
| Publicado en: | International Conference on Cyber Warfare and Security (Mar 2025), p. 679 |
|---|---|
| Autor principal: | |
| Otros Autores: | |
| Publicado: |
Academic Conferences International Limited
|
| Materias: | |
| Acceso en línea: | Citation/Abstract Full Text Full Text - PDF |
| Etiquetas: |
Sin Etiquetas, Sea el primero en etiquetar este registro!
|
MARC
| LEADER | 00000nab a2200000uu 4500 | ||
|---|---|---|---|
| 001 | 3202190641 | ||
| 003 | UK-CbPIL | ||
| 035 | |a 3202190641 | ||
| 045 | 2 | |b d20250301 |b d20250331 | |
| 084 | |a 142229 |2 nlm | ||
| 100 | 1 | |a Ribeiro, João |u Graduate School of Informatics, Nagoya University, Aichi, Japan | |
| 245 | 1 | |a An Experimental Evaluation on Proposing a Methodology for Assessment of Packing in DFIR of Ransomware Binaries | |
| 260 | |b Academic Conferences International Limited |c Mar 2025 | ||
| 513 | |a Conference Proceedings | ||
| 520 | 3 | |a When investigating ransomware incidents, DFIR (Digital Forensics and Incident Response) personnel and law enforcement agents are often tasked with performing Forensic Analysis and Reverse Engineering of malware to understand, evaluate and assess key features of the malicious executable to be able to establish authorship and materiality of the cyber-attack. In this light, there is often the challenge of dealing with packing of executable files, a feature that malware authors employ to hide malicious features, to avoid detection or to hinder reverse engineering. Although there are many options for malware analysts to deal with this issue, such as online sandbox services and platforms designed for automated, large-scale malware analysis of binaries, they might not be the suitable for DFIR personnel and law enforcement actors entrusted with the investigation of cyber incidents, because, amongst other factors, they might entail the submission of a live sample to a external website or platform, leading to a breach in the chain of custody and confidentiality. They may not output pertinent information of forensic value, act as black boxes, or they may not accurately or sufficiently replicate the environment or IT ecosystem present in each incident. They are often paid-for services or with often limited or inflexible resources and time constraints for free analysis options. Given this, we discuss some of the peculiarities of assessing the packing aspect of malware in the context of ransomware incidents, while carrying out an experimental evaluation of a methodology for assessing that feature in ransomware binaries. The main goal of this assessment is to determine whether a given ransomware sample unpacks itself and how, while also providing the analyst valuable insights about key characteristics of its unpacking process. The proposed methodology combines static and dynamic analysis indicators, in a dynamic multi-pass approach for increased robustness, while also adopting previously established metrics for measuring unpacking found in previous, generic malware research. | |
| 653 | |a Software | ||
| 653 | |a Personnel | ||
| 653 | |a Methodology | ||
| 653 | |a Forensic sciences | ||
| 653 | |a Reverse engineering | ||
| 653 | |a Law enforcement | ||
| 653 | |a Forensic engineering | ||
| 653 | |a Malware | ||
| 653 | |a Ransomware | ||
| 653 | |a Computer forensics | ||
| 653 | |a Evaluation | ||
| 653 | |a Forensic computing | ||
| 653 | |a Authorship | ||
| 653 | |a Forensic analysis | ||
| 653 | |a Police | ||
| 653 | |a Robustness | ||
| 653 | |a Forensic science | ||
| 653 | |a Engineering | ||
| 653 | |a Confidentiality | ||
| 653 | |a Research methodology | ||
| 653 | |a Ecosystems | ||
| 700 | 1 | |a Shimada, Hajime |u Information Technology Center, Nagoya University, Aichi, Japan | |
| 773 | 0 | |t International Conference on Cyber Warfare and Security |g (Mar 2025), p. 679 | |
| 786 | 0 | |d ProQuest |t Political Science Database | |
| 856 | 4 | 1 | |3 Citation/Abstract |u https://www.proquest.com/docview/3202190641/abstract/embedded/75I98GEZK8WCJMPQ?source=fedsrch |
| 856 | 4 | 0 | |3 Full Text |u https://www.proquest.com/docview/3202190641/fulltext/embedded/75I98GEZK8WCJMPQ?source=fedsrch |
| 856 | 4 | 0 | |3 Full Text - PDF |u https://www.proquest.com/docview/3202190641/fulltextPDF/embedded/75I98GEZK8WCJMPQ?source=fedsrch |