Capture – A behavioral analysis tool for applications and documents

Christian Seifert, Ramon Steenson, Ian Welch, Peter Komisarczuk, Barbara Endicott-Popovsky
2007 Digital Investigation. The International Journal of Digital Forensics and Incident Response  
Forensics Behavioral analysis Application analysis Document analysis a b s t r a c t In this paper, we present Capture, a tool for behavioral analysis of applications for the Win32 operating system family. Capture is able to monitor the state of a system during the execution of applications and processing of documents, which provides the analyst with insights on how the software operates even if no source code is available. Capture differs from existing behavioral analysis tools in its ability
more » ... o monitor state changes on a low kernel level and its ability to be easily used across operating systems, various versions and configurations. Capture provides a powerful mechanism to exclude event noise that naturally occurs on an idle system or when using a specific application. This mechanism is finegrained and allows an analyst to take into account the process that causes the various state changes. As a result, this mechanism even allows Capture to analyze the behavior of documents that execute within the context of an application. We demonstrate Capture's capabilities by analyzing a malicious Microsoft Word document.
doi:10.1016/j.diin.2007.06.003 fatcat:oxj2xlnz5zerjeojcxkhlkpejm