Capture - a tool for behavioural analysis of applications and documents

Seifert, C., Steenson, R., Welch, I. and Komisarczuk, Peter (2007) Capture - a tool for behavioural analysis of applications and documents. In: the Digital Forensic Research Workshop, 13-15 August 2007, Pittsburgh, PA, USA.

Full text not available from this repository.


In this paper, we present Capture, a tool for behavioral analysis of applications for the Win32 operating system family. Capture is able to monitor the state of a system during the execution of applications and the processing of documents, which provides the analyst with insights into how the software operates even if no source code is available. Capture differs from existing behavioral analysis tools in its ability to monitor state changes at a low kernel level and in its ability to be used easily across operating systems, versions and configurations. Capture provides a powerful mechanism to exclude event noise that naturally occurs on an idle system or when using a specific application. This mechanism is fine-grained and allows an analyst to take into account the process that causes the various state changes. As a result, this mechanism even allows Capture to analyze the behavior of documents that execute within the context of an application. We demonstrate Capture's capabilities by analyzing a malicious Microsoft Word document.

Item Type: Conference or Workshop Item (Paper)
Subjects: Computing
Depositing User: Vani Aul
Date Deposited: 21 Mar 2014 14:34
Last Modified: 11 Dec 2015 10:47