THE DFIR BLOG
Menu

Incident Response Forensics

Density Scout

7/24/2019

 
This tool was written by Christian Wojner for finding Malware on an infected system. The tool will basically look for the density of the code of the each file and present it in the descending order.
Picture

    
It's a pretty handy tool for identifying malicious files. This is just and indicator - don't completely rely on the results of density scout. Run is data by couple of other tools like PEscan and Sigcheck etc.

In case if the traditional forensics/IR tool fails to identify a malware. This is one of the good methods to run the image/mounted volume though density scout and get a list of suspicious binaries with lower score, run and MD5 and check in Virus total.


In case if you don't have forensic tools on your machine or you are using a Mac machine. You can use a SIFT docker container to perform the action. 
Docker SIFT Image: ​https://hub.docker.com/r/gourav5660/sans_sift_forensics
Once you have docker image pulled run following command:


    

Comments are closed.

    Archives

    April 2020
    September 2019
    August 2019
    July 2019
    June 2019
    April 2019
    February 2019
    March 2018

    Categories

    All
    Aws
    Cloud
    Dfir
    Incident Response
    Linux
    Recon

    RSS Feed

  • Infosec
  • Mac Forensics
  • Windows Forensics
  • Linux Forensics
  • Memory Forensics
  • Incident Response
  • Blog
  • About Me
  • Infosec
  • Mac Forensics
  • Windows Forensics
  • Linux Forensics
  • Memory Forensics
  • Incident Response
  • Blog
  • About Me