Monday, March 17, 2008

XOR entire file or selected text

XOR is a simple symmetric cipher: the same key both encrypts and decrypts. Malware commonly uses it to 'hide' identifiable strings in a data file or executable. Because the algorithm is so simple, very little processing power is needed to encrypt or decrypt data quickly, which makes it a popular technique.

Some software vendors also use it to 'obfuscate' data. Norton Antivirus uses it to store identified malware files in the quarantine folder: when Norton AV detects a virus, it XORs the file with a constant key and then places it in the quarantine folder. I had previously written an EnScript to extract files from the quarantine folder in Norton version 7.5 so they could be examined in their native form. Norton also stores its logs encrypted using XOR (most versions). I wrote this EnScript specifically so that, during an investigation, I could quickly decrypt Norton logs within EnCase and see what kind of virus activity had recently taken place, but I quickly found other uses for it.

The EnScript allows you to simply highlight (highlight, not check) a file in the table pane (upper right) of EnCase and then supply a hex value as the XOR key.

You can have the resulting XOR data displayed in the console, or, if you are dealing with binary data such as a malware executable, you can have the data written to a local file that you can then examine with another third-party tool.
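The same operation outside EnCase, as an added example and not the EnScript from this post: XOR a file or byte string with a repeating key supplied as hex, either writing the result to a file or returning it for display. The key values and sample strings are constructed for illustration; the real Norton key is not stated here.

```python
"""XOR data with a repeating hex key (Python counterpart to the EnScript)."""
import sys
from itertools import cycle
from typing import Optional


def parse_hex_key(text: str) -> bytes:
    """Turn '5a', '0x5A' or 'de ad be ef' into key bytes."""
    cleaned = text.lower().replace("0x", "").replace(" ", "").replace(":", "")
    if not cleaned or len(cleaned) % 2:
        raise ValueError("key must be an even number of hex digits")
    return bytes.fromhex(cleaned)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated over its length.

    A one-byte key is the constant-key case; applying the same key
    twice restores the original, so encrypt and decrypt are one function.
    """
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(data: bytes) -> float:
    """Fraction of printable ASCII/whitespace bytes: a quick check that the
    supplied key really turned an encrypted log back into readable text."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def xor_file(src: str, key_hex: str, dst: Optional[str] = None) -> bytes:
    """Decode src with the key; write to dst if given, always return the bytes."""
    with open(src, "rb") as f:
        out = xor_bytes(f.read(), parse_hex_key(key_hex))
    if dst:
        with open(dst, "wb") as f:
            f.write(out)
    return out


if __name__ == "__main__":
    # usage: xor.py <key-hex> <input> [output]; no output file -> console
    dst = sys.argv[3] if len(sys.argv) > 3 else None
    result = xor_file(sys.argv[2], sys.argv[1], dst)
    if dst is None:
        sys.stdout.buffer.write(result)
```

A low `printable_ratio` on a decoded log is a sign the wrong key was supplied, not that the log is binary.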

Download here (EnCase v6)


Jonathan Care Tuesday, 01 April, 2008  

Hi Lance,
Do you know of a repository of Enscripts for download? Also is there a meta-blog post on here that lists your Enscripts/Enpacks?


Computer Forensics, Malware Analysis & Digital Investigations
