An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

Events

Today 
OctoberNovember 2024December
SunMonTueWedThuFriSat
27
28
29
30
31
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
1
2
3
4
5
6
7

AFPIMSMediaPlayer

Announcements

ArticleCS - Dashboard

StephanieFLaherty.2017Transition_LeftSideNav

ArticleCS - Article View

News | Feb. 18, 2020

DC3 Framework Expedites Malware Analysis

The Defense Cyber Crime Center (DC3) released the DC3 Malware Configuration Parser (DC3-MWCP) framework to the open source community on May 6, 2015.

The Defense Cyber Crime Center (DC3) released the DC3 Malware Configuration Parser (DC3-MWCP) framework to the open source community on May 6, 2015.

The DC3-MWCP framework provides a structure for malware reverse engineers to easily codify knowledge of where important configuration data are hidden within malicious files. This codified knowledge can be leveraged in future analyses to quickly extract valuable configuration information.

With DC3-MWCP, a tool development process that could previously take weeks may be shortened to just days. 

How DC3-MWCP works

A given piece of malware can be authored by one entity, and then reconfigured and used by other groups. Before launching an attack with the malware, a hacker customizes configuration settings within the malware, much like the user of a home PC customizes preferences. The hacker might select options for the Command and Control (C2) server, the time the malware should sleep before executing, or notes about the malware’s purpose. These customized configuration details are embedded and obfuscated within the malware files.

Malware reverse engineers work to locate this information within the files to provide valuable indicators to cyber analysts.  In addition, malware analysts often create a script to automatically extract this configuration data. Each script is unique with its own run commands, output format, and naming scheme.

DC3-MWCP standardizes these aspects of a configuration parser, providing a single interface for running and receiving responses, as well as easing the creation of new parsers. The framework can be accessed as a standalone utility, through a REST API, or Python API. This flexibility allows any configuration parser to be immediately used and incorporated into any organization’s workflow.

DC3-MWCP improves workflow between malware analysts

Prior to the creation of DC3-MWCP, the process of creating a new configuration parser and integrating it into DC3’s automation system took between four and six weeks. With the advent of DC3-MWCP, this process is shortened to as little as one to two days. Malware reverse engineers can quickly create, test, and deploy a parser into DC3’s system. The release of DC3-MWCP provides new capabilities for the malware analysis community, and creates a new standard to improve the sharing of tools among community members.

How to Get DC3-MWCP

DC3-MWCP is available for download at https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP.

Background

DC3 has a history of supporting the digital forensics community. The widely used Dc3dd was open sourced in 2008 with the latest release for 64-bit versions of Windows posted on March 3, 2015. 

Established as an entity within the Department of the Air Force in 1998, DC3 provides digital and multimedia (D/MM) forensics, cyber investigative training, technical solutions development, and cyber analytics for the following DoD mission areas: information assurance (IA) and critical infrastructure protection (CIP), law enforcement and counterintelligence (LE/CI), document and media exploitation (DOMEX), and counterterrorism (CT). For more information, visit www.dc3.mil.

ArticleCS

Nov. 1, 2022

Special agents, investigators share forensic skills at JBSA

When crimes occur on Joint Base San Antonio, multiple law enforcement and investigative agencies stand ready on a regular basis during incidents and for specialized training sessions, like the one held at JBSA-Fort Sam Houston Oct. 21, 2022, hosted by OSI Detachment 404.

Feb. 19, 2020

Specht Biography

MR. JEFFREY D. SPECHTJeffrey D. Specht is Executive Director, Department of Defense Cyber Crime Center (DC3), Linthicum, Maryland. Operating under Secretary of the Air Force executive agency, DC3 functions as a designated Federal Cyber Center and as a DoD Center of Excellence for digital and multimedia forensics. Mr. Specht directs a business and

Feb. 18, 2020

UMUC Lauds DC3 Executive Director

The University of Maryland University College is commending DC3's Executive Director's team-first leadership style with its Leadership Award in Cybersecurity. Since 2011, at two year intervals UMUC has conferred the Leadership and Pioneer Awards in Cybersecurity.

Feb. 18, 2020

DC3 Framework Expedites Malware Analysis

The Defense Cyber Crime Center (DC3) released the DC3 Malware Configuration Parser (DC3-MWCP) framework to the open source community on May 6, 2015.