July 31, 2012

Sharing of Forensically Interesting Objects

As I go through various forensic cases and malware studies, I often find myself producing memory dumps of the host systems under examination. I also dump registry hives and other objects related to my analysis. I gave some thought to whether the community would benefit from my sharing these objects. A few months back, I had a nice email exchange with Harlan Carvey of the Windows Incident Response blog. We discussed various ways in which the malware analysis community could better collaborate with the forensics community, particularly in the area of sharing objects for analysis. I had mentioned my thoughts about sharing memory dumps and other objects from the various malware cases I was working on. Harlan encouraged me to move forward on this and provide forensically "interesting" objects, stopping just short of a full disk image, which would raise Microsoft licensing issues.

So going forward, I will be posting analyses of various malware samples, along with objects consisting of memory dumps, registry hives, pcaps, and anything else that might be interesting. You can use analysis tools such as Volatility or Mandiant's Redline on the memory dumps, while RegRipper is a very useful tool to run against the registry hives. It would be great to hear feedback on how you'll be using these objects, and on the tools used in your analysis.

I'll rely on the community to let me know what is useful, and what else they might like to see. I'd also be happy to accept any samples or items for analysis, which I'll post along with the resulting objects. None of what I post here will be related to my day job. It will be only what I research for myself, for my other efforts, or as part of DeepEnd Research.

Please feel free to contact me with any ideas or suggestions. I'm looking forward to making this a useful resource for all who are interested! Many thanks to Harlan for the encouragement!