A short general overview of how file analysis and decomposition engines work, what components they consist of, the problems associated with the domain, etc. Slides are from the FSec 2012 conference.
4. • Collect as much information as possible from files/binary objects
– Other contained files/objects
– Metadata, e.g. mobile app permissions, geolocation, IP addresses, domains, etc.
• Strip protection layers for additional analysis
• Do it really, really fast
• Do it at scale
16. • Signatures
• Various complexity
– Simple (e.g. PEiD)
• Simple byte and wildcard matching, hash matching
• 12 ?? 56 ?8 9?
– Medium (e.g. TitanMist)
• Small regex-like subset
– High (e.g. TLang)
• Almost full-fledged programming language
• Other
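The "simple" signature tier above (PEiD-style byte and wildcard matching, with patterns like `12 ?? 56 ?8 9?`) as a worked example. This is added illustration code, not from the slides or from PEiD itself; the value/mask compilation scheme and the entry-point-anchored mode are my own assumptions about how such a matcher is typically built.

```python
"""Minimal PEiD-style byte/wildcard signature matcher (constructed example).

Patterns are space-separated hex byte tokens. '??' matches any byte; a single
'?' inside a token (e.g. '?8' or '9?') matches any value of that nibble.
"""
from typing import List, Optional, Tuple

Sig = List[Tuple[int, int]]  # (value, mask) per byte; set mask bits must match


def compile_signature(pattern: str) -> Sig:
    """Turn '12 ?? 56 ?8 9?' into (value, mask) pairs, one per byte."""
    compiled: Sig = []
    for tok in pattern.split():
        if len(tok) != 2:
            raise ValueError(f"bad token {tok!r}: expected two hex digits or '?'")
        value = mask = 0
        for ch in tok:
            value <<= 4
            mask <<= 4
            if ch != "?":          # fixed nibble: record its value and mask it in
                value |= int(ch, 16)
                mask |= 0xF
        compiled.append((value, mask))
    return compiled


def match_at(data: bytes, offset: int, sig: Sig) -> bool:
    """True if every masked byte of sig matches data starting at offset."""
    if offset < 0 or offset + len(sig) > len(data):
        return False
    return all((data[offset + i] & mask) == value
               for i, (value, mask) in enumerate(sig))


def find_signature(data: bytes, pattern: str,
                   ep_only: bool = False, entry_point: int = 0) -> Optional[int]:
    """Return the first matching offset, or None.

    ep_only=True mimics an entry-point-anchored scan (assumed behaviour):
    the signature must match exactly at entry_point instead of anywhere.
    """
    sig = compile_signature(pattern)
    if ep_only:
        return entry_point if match_at(data, entry_point, sig) else None
    for off in range(len(data) - len(sig) + 1):
        if match_at(data, off, sig):
            return off
    return None


# Constructed sample buffer (not a real file): the slide's pattern hits at offset 3.
SAMPLE = bytes.fromhex("00 01 02 12 ab 56 c8 9f ff")
```

A near-miss pattern such as `12 ?? 56 ?9 9?` returns None against SAMPLE because the low nibble of 0xc8 is 8, not 9, which is exactly the distinction nibble wildcards exist to express.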
18. • Some parts depend on identification
• Dedicated analysis modules
• Internal/external modules