GView: A Versatile Assistant for Security Researchers

Raul Zaharia, Dragoş Gavriluţ, Gheorghiţă Mutu, Dorel Lucanu

TL;DR

GView addresses the growing complexity of cyber-attack kill chains by delivering a portable, offline-capable analysis assistant that automatically identifies artifacts across file formats, correlates information, and provides guided visualizations. It unifies a plugin-based data-identification system with smart viewers and a collaboration framework to enable end-to-end malware analysis on local hardware, avoiding cloud processing. The paper demonstrates substantial improvements in analysis speed and result quality, and outlines a scalable plugin architecture for extending coverage to more file types and dynamic analysis. The work has practical impact for security operations and on-site forensics by enabling rapid triage, hypothesis generation, and integrated tooling.

Abstract

Cyber security attacks have become increasingly complex over time, with various phases of their kill chain involving binaries, scripts, documents, executed commands, vulnerabilities, or network traffic. We propose a tool, GView, that is designed to investigate possible attacks by providing guided analysis for various file types using automatic artifact identification, extraction, coherent correlation and inference, and meaningful, intuitive views at different levels of granularity with respect to the revealed information. The concept behind GView simplifies navigation through all payloads in a complex attack, streamlining the process for security researchers and increasing the quality of analysis. GView is generic in the sense that it supports a variety of file types and has multiple visualization modes that can be automatically adjusted for each file type individually. Our evaluation shows that GView significantly improves the analysis time of an attack compared to conventional tools used in forensics.
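The abstract describes nested artifact identification and extraction driven by per-format plugins, with findings shown at several levels of granularity. The sketch below is an added illustration of that idea and is not GView's code: the page does not describe GView's plugin interface, so the `Artifact` tree, the three plugin classes (ZIP local-file entry, inline `<script>` block, URL literal) and the sample blob are all constructed here. Container plugins run first and claim their byte range, so a URL embedded in a script inside a stored ZIP entry surfaces once, at depth two, rather than three times.

```python
"""Toy plugin-based artifact identifier illustrating the approach the abstract
describes. Added example, not GView's code: the plugin classes, the Artifact
tree and the sample blob are constructed for illustration."""
import re
import struct
from dataclasses import dataclass, field


@dataclass
class Artifact:
    kind: str            # plugin-assigned type name
    offset: int          # absolute offset in the top-level buffer
    size: int            # bytes covered by this artifact
    detail: str = ""     # human-readable hint (entry name, URL, ...)
    children: list = field(default_factory=list)


class ZipEntryPlugin:
    """Recognises a ZIP local file header and hands a stored payload to child plugins."""
    signature = b"PK\x03\x04"

    def extract(self, buf, pos):
        if pos + 30 > len(buf):                 # truncated header: not an artifact
            return None
        (method,) = struct.unpack_from("<H", buf, pos + 8)
        csize, _usize, nlen, xlen = struct.unpack_from("<IIHH", buf, pos + 18)
        data_start = pos + 30 + nlen + xlen
        data_end = data_start + csize
        if data_end > len(buf):                 # declared size overruns the buffer
            return None
        name = buf[pos + 30:pos + 30 + nlen].decode("latin-1")
        art = Artifact("zip-entry", pos, data_end - pos, detail=name)
        # Only stored entries (method 0) can be inspected in place; a compressed
        # entry would have to be inflated first, which this toy version skips.
        payload = buf[data_start:data_end] if method == 0 else b""
        return art, payload, data_start


class ScriptPlugin:
    """Recognises an inline <script> block; its body becomes a child scope."""
    signature = b"<script"
    pattern = re.compile(rb"<script[^>]*>(.*?)</script>", re.S)

    def extract(self, buf, pos):
        m = self.pattern.match(buf, pos)
        if not m:
            return None
        return Artifact("script", pos, m.end() - pos), m.group(1), m.start(1)


class UrlPlugin:
    """Recognises an http(s) URL literal; a leaf, so it yields no payload."""
    signature = b"http"
    pattern = re.compile(rb"https?://[^\s'\"<>]+")

    def extract(self, buf, pos):
        m = self.pattern.match(buf, pos)
        if not m:
            return None
        return Artifact("url", pos, m.end() - pos, detail=m.group().decode()), b"", pos


PLUGINS = [ZipEntryPlugin(), ScriptPlugin(), UrlPlugin()]   # container formats first


def scan(buf, plugins=PLUGINS, base=0, depth=0, max_depth=8):
    """Run every plugin over buf and recurse into each artifact's payload.
    A hit inside a range already claimed by an earlier (container) plugin is
    skipped at this level, so it is reported once, at its proper nesting depth."""
    found, claimed = [], []
    for plugin in plugins:
        start = 0
        while (pos := buf.find(plugin.signature, start)) != -1:
            result = None if any(s <= pos < e for s, e in claimed) else plugin.extract(buf, pos)
            if result is None:
                start = pos + 1
                continue
            art, payload, payload_pos = result
            claimed.append((pos, pos + art.size))
            art.offset += base
            if payload and depth < max_depth:
                art.children = scan(payload, plugins, base + payload_pos, depth + 1, max_depth)
            found.append(art)
            start = pos + art.size
    return sorted(found, key=lambda a: a.offset)


def flatten(tree, depth=0):
    """Depth-first listing: (depth, kind, offset, size, detail) per artifact."""
    rows = []
    for art in tree:
        rows.append((depth, art.kind, art.offset, art.size, art.detail))
        rows.extend(flatten(art.children, depth + 1))
    return rows


def render(tree):
    """Indented text view of the artifact tree, one line per artifact."""
    return "\n".join(f"{'  ' * d}{kind} @0x{off:x} ({size} bytes) {detail}".rstrip()
                     for d, kind, off, size, detail in flatten(tree))


def build_sample_blob():
    """Constructed sample: an unrelated 11-byte header, then a stored ZIP entry whose
    HTML payload carries an inline script referencing a URL. The CRC field is left
    at zero because this toy identifier never validates it."""
    html = b"<html><body><script>var u='http://example.invalid/payload'; fetch(u);</script></body></html>"
    name = b"invoice.html"
    header = b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, 0,
                                         len(html), len(html), len(name), 0)
    return b"DOC-HEADER-" + header + name + html + b"-TRAILER"


if __name__ == "__main__":
    print(render(scan(build_sample_blob())))
```

Running the module prints the three-level tree (zip entry, script, URL) with absolute offsets. A real identifier needs a decoder step between container and children (inflating deflated entries, deobfuscating scripts) and a proper validation pass so that chance byte sequences such as a stray `PK\x03\x04` with an implausible size are rejected rather than reported; the size and truncation checks in `ZipEntryPlugin` show the minimal form of that.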

Paper Structure (15 sections, 8 figures, 7 tables)

This paper contains 15 sections, 8 figures, 7 tables.

Figures (8)

  • Figure 1: GView architecture overview
  • Figure 2: JavaScript components from the network traffic
  • Figure 3: JavaScript deobfuscation process
  • Figure 4: Automatic identification of a ZIP component
  • Figure 5: A fake Microsoft Word icon and version information revealed
  • ...and 3 more figures