Dear like-minded people,
I'm very proud to announce that our latest contribution to the malware analysis community is finally available as open beta.
It's called ProcDOT - I already gave a preview of the alpha version some months ago at SANS Forensics Summit in Prague - and it is an absolute must have tool for everyone's lab, at least in my humble opinion ;-)
It correlates Procmon logfiles and PCAPs to an interactively investigateable graph. Besides that ProcDOT is now also capable of animating the whole infection evolution based on a timeline of activities. This feature lets you even quickly find out which server or which requests were responsible that specific data/code got on the underlying system, by which process it was written, how often, who injected what, which autostart registry key was set, what happened when, and so forth ...
ProcDOT's approach of correlating Procmon logs and PCAPs to a directed animateable graph has the potential to reduce one's efforts to behavioral analyze a malicious situation to an absolute minimum.
=> Find out if there's something malicious going on under the hood with one quick glance.
=> Find out what it does in minutes.
To let users get the most out of ProcDOT I took the effort to create 50 minutes of tutorial videos which show the use of ProcDOT in a case of a typical drive-by-infection.
Get it for free from our website: http://www.cert.at/downloads/software/procdot_en.html
... and be sure to follow the included readme file!
Still there are so many things that I have planned to add, but from my experience regardless how many of them will be implemented this situation won't change ;-)
As always, feedback - good and bad - is very much appreciated.
PS: There's an upcoming (April) ProcDOT presentation at First Symposium in Amsterdam. See you there, maybe.
Author: Christian Wojner