Software Forensics/Forensic Programming course assembly language and disassembly resources


(maintained by Rob Slade)

In order to perform forensic programming you have to be really, really good at assembly language (or machine language) programming and disassembly. In order to understand forensic programming, you have to understand machine language programming concepts, which is not quite as difficult.

An excellent text to explain the concepts of assembly language programming, and some of the architecture of Intel processors, DOS, and Linux, is:

"Assembly Language Step-by-Step", Jeff Duntemann. The author also has a page with some recommendations for other references, as well as additional resources.

For practice in assembly language, you may find it easier to use simulators and emulators of early computers, rather than try to find out what is going on in a computer running Windows.

There is an open source assembler, and an editor/development environment, available for DOS and Linux: NASM-IDE. (The assembler itself can be found through a link at this site or by searching for the NASM name.) Documentation for NASM can be found at various sites.

DEBUG is a very basic tool, but it is available with all DOS and Windows systems. (In order to get the documentation, you do have to find a DOS manual prior to version 4.) A more Windows-aware version is available in DEBUG095, which also comes with assembly source code and therefore may be of some tutorial value. It is available at the BCIT server. A very detailed tutorial on DEBUG is available from Fran Golden.

A very basic resource for assembly programming and particularly disassembly is the x86 Interrupt List aka "Ralf Brown's Interrupt List" or "RBIL." It is also available on the BCIT server as well as in the partial files a, b, c, d, e, and f.

Another important resource is the Intel architecture manual (part two, covering opcodes). It is also available at the BCIT server. There is also a collection of documentation for disassembly work.

A very small sample program for disassembly practice is the EICAR signature test file. This is a working program that uses only printable characters. It can be created by copying the following 68 characters:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

exactly as shown, into a file, which can then be named with an executable extension, such as .COM or .EXE. More information on the file (and various downloadable versions) can be found at EICAR.

DEBUG has all the basic functions needed for forensic programming and analysis, but a number of other tools are easier to use for certain aspects. For example, NASM has a disassembler. The makers of the IDA Pro disassembler also have a free version available. Frhed is a free hex editor which is easier to use to view contents of files. It is also available at the BCIT server.

Collections of tools and resources related to assembly and disassembly can be found at the Fravia site, the Assembler is not for Dummies page, Programmers Heaven, Protools, Foundstone (including tools by Robin Keir), forensic tools from Sysinternals, and Winalysis.

A number of academic papers are available online in Portable Document Format (.PDF) or PostScript (.PS). Both formats may be viewed with the GhostView add-on for Ghostscript. Both are freely available. Information on downloading the software may be found at the Ghostscript Home Page, Ghostscript.com, GNU Project Ghostscript, and GNU Project Ghostview. (An excellent source of research papers is the NEC Research Institute ResearchIndex [also known as CiteSeer]. The citation index allows you to quickly find papers on the same or related topics.)

Papers related to security and software forensics may be found at the COAST Library. Included are the 1994 and 1996 versions of a paper on authorship analysis in software, as well as source code. Another paper on authorship analysis examines the use of fuzzy logic.

A paper on reverse engineering malware, by Lenny Zeltser, follows the process of testing a network trojan. A number of papers deal with measuring or finding similarity in source code, often in terms of detecting plagiarism. Among these are papers covering case-based reasoning (CBR), a language-independent approach, the YAP3 program, secure online submission of papers including plagiarism detection, the JPlag program, and the use of program patterns.

Resources for the previous lesson, on "black hat"/cracker communities, are available here or here.

(Lesson 4 is a lab session on disassembly and tools.)

Resources for the next lesson, on legal and ethical issues, are available here or here.

For the course given at BCIT, a number of resources are available on the BCIT server at http://cstbtech.bcit.ca/FP.
