Case Study: 2012 DC3 Digital Forensic Challenge Basic Malware Analysis Exercise
By Kenneth J. Zahn
The 2012 DC3 Digital Forensic Challenge included two malware analysis-related exercises, one described as “basic” and one described as “advanced.” For each exercise, competing teams were provided with an ostensibly malicious—though ultimately innocuous—sample and asked to conduct an analysis befitting the sample’s complexity. The author’s challenge team, Plan 9, placed 2nd in the Government-only category, 3rd in the US-only category, and 5th in the overall competition. This paper will discuss an updated version of Plan 9’s solution to the basic malware analysis exercise using a combination of goal-driven and process-driven approaches. It should be noted that one of Plan 9’s goals in the competition was to use only freely available or open source tools to guarantee the portability of the exercise solutions. To improve the utility of this paper, the tools that were presented in the original solution have been updated to reflect their latest versions at the time of writing. Further, the solution has been expanded to include additional analysis tools that were not presented in the original exercise submission.