Capture - A behavioral analysis tool for applications and documents

  • Authors:
  • Christian Seifert; Ramon Steenson; Ian Welch; Peter Komisarczuk; Barbara Endicott-Popovsky

  • Affiliations:
  • School of Mathematics, Statistics and Computer Science - Te Kura Tatau, Victoria University of Wellington - Te Whare Wānanga o te Ūpoko o te Ika a Māui, P.O. Box 600, Wellington 6140, New Zealand (Seifert, Steenson, Welch, Komisarczuk)
  • The Information School, University of Washington, Box 352840, Seattle, WA 98195-2840, USA (Endicott-Popovsky)

  • Venue:
  • Digital Investigation: The International Journal of Digital Forensics & Incident Response
  • Year:
  • 2007

Abstract

In this paper, we present Capture, a tool for behavioral analysis of applications for the Win32 operating system family. Capture is able to monitor the state of a system during the execution of applications and the processing of documents, which gives the analyst insight into how the software operates even when no source code is available. Capture differs from existing behavioral analysis tools in its ability to monitor state changes at a low level, in the kernel, and in its ability to be used easily across operating systems, versions and configurations. Capture provides a powerful mechanism to exclude the event noise that naturally occurs on an idle system or when using a specific application. This mechanism is fine-grained and allows an analyst to take into account the process that causes each state change. As a result, this mechanism even allows Capture to analyze the behavior of documents that execute within the context of an application. We demonstrate Capture's capabilities by analyzing a malicious Microsoft Word document.