Orion Incident Response Live CD
Figure 22: McAfee FileInsight running in Orion under WINE
For a quick first look at a suspected malicious file, Orion provides a script called analyze-win-malware that currently runs the following tools to perform some quick checks:
feagent.exe: Nick Harbour’s tool for detecting packed and armored executables.
XORsearch.exe: Didier Stevens’ tool for finding a string that has been XOR-, ROL-, or ROT-encoded, by trying every candidate key and reporting the key and offset of each match. Orion searches for “http” and “exe” in files.
extractscripts.py: A Python script, also written by Stevens, that extracts scripts from HTML files.
exiftool: A Perl script written by Phil Harvey that extracts metadata from a variety of file types.
xxd: Creates a hex dump of the file.
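The XORsearch step above is the one check in the list whose logic is worth seeing spelled out: it brute-forces every single-byte XOR key, every ROL count and every ROT shift, decodes the buffer with each, and reports where a keyword such as “http” or “exe” lands. The following is an added, self-contained Python reimplementation of that search, written for this page; it is not the analyze-win-malware script and not Didier Stevens’ code. The keyword list, the Hit record, the make_sample() input (a fake MZ stub followed by a URL XOR-encoded with 0x41) and the output format are all constructed for the example.

```python
#!/usr/bin/env python3
"""Added example: a minimal, pure-Python version of the keyword search that
XORSearch performs (single-byte XOR, ROL and ROT encodings), run over a
constructed sample. This is illustrative code, not Orion's or Stevens' own."""
import sys
from typing import List, NamedTuple, Tuple

KEYWORDS: Tuple[bytes, ...] = (b"http", b"exe")   # the strings Orion looks for


class Hit(NamedTuple):
    method: str      # "XOR", "ROL" or "ROT"
    key: int         # XOR byte, rotate count, or Caesar shift
    offset: int      # position of the keyword in the decoded buffer
    keyword: bytes
    context: bytes   # decoded bytes starting at the hit, for a quick look


def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def rol_decode(data: bytes, n: int) -> bytes:
    # Undo a left rotate by n bits with a right rotate by n bits.
    return bytes(((b >> n) | (b << (8 - n))) & 0xFF for b in data)


def rot_decode(data: bytes, n: int) -> bytes:
    # Caesar shift on ASCII letters only; every other byte passes through.
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:
            out.append((b - 0x41 - n) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:
            out.append((b - 0x61 - n) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)


def search(data: bytes, keywords: Tuple[bytes, ...] = KEYWORDS) -> List[Hit]:
    """Try every candidate key for each method and report where a keyword
    appears in the decoded buffer. XOR key 0x00 is the identity, so a
    keyword present in plaintext shows up as an XOR 00 hit."""
    hits: List[Hit] = []
    candidates = [("XOR", k, xor_decode(data, k)) for k in range(256)]
    candidates += [("ROL", n, rol_decode(data, n)) for n in range(1, 8)]
    candidates += [("ROT", n, rot_decode(data, n)) for n in range(1, 26)]
    for method, key, decoded in candidates:
        for kw in keywords:
            pos = decoded.find(kw)
            while pos != -1:
                hits.append(Hit(method, key, pos, kw, decoded[pos:pos + 32]))
                pos = decoded.find(kw, pos + 1)
    return hits


def make_sample() -> bytes:
    """Constructed input (not a real sample): a fake MZ stub, zero padding,
    then a URL XOR-encoded with the single byte 0x41."""
    plaintext = b"http://example.test/payload.exe"
    return b"MZ\x90\x00" + b"\x00" * 12 + xor_decode(plaintext, 0x41)


def main(argv: List[str]) -> int:
    # With a path argument, scan that file; otherwise scan the built-in sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else make_sample()
    for h in search(data):
        # Output shape loosely modelled on an XORSearch result line.
        print(f"Found {h.method} {h.key:02X} position {h.offset:08X}: {h.context!r}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample decode under XOR key 41 at offset 10 (hex), or pass a file path to scan a real artifact. Two practical caveats: the search decodes the whole buffer once per candidate key (288 passes), which is fine for a dropper or document but slow on large binaries, and a three-letter keyword like “exe” will occasionally match by chance under some ROT shift, so treat hits as leads to confirm with the hex dump rather than as verdicts.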
John Jarocki, email@example.com