Forensic Analysis of the NetWire Stack

June 2nd, 2023
Mark Spencer

Those of you who have either worked with Joakim Schicht or used his tools know that he applies an incredible combination of technical skills, creativity, and determination into casework and software development. We are extremely fortunate to have him on the Arsenal team!

Joakim has recently gone on some adventures involving the NetWire RAT (Remote Access Trojan) that we believe all our colleagues in digital forensics should dig into.

First, Digital Forensics Magazine recently published Joakim's extremely detailed article "Forensic Analysis of the NetWire Stack" in Issue 52, which you can access at https://www.digitalforensicsmagazine.com. Imagine if you could determine with specificity what an attacker using NetWire had been doing with a victim's computer (in some cases, quite far back in time) when all you had was a disk image of that computer... Now go and read the article. If your reaction to the article is anything less than "Joakim's techniques are fucking amazing" I will be quite disappointed.

Second, in concert with the article publication we made a related GitHub project public which you can access at https://github.com/ArsenalRecon/NetWireStackForensics. This GitHub project will contain code and additional resources mentioned in the article so that you can apply the new analysis techniques to your own cases.

Third, we've been getting word out on social media about Joakim's article and the associated GitHub project.
Fourth, don't forget about NetWire Log Decoder, another tool we released on GitHub in 2021 that you can access at https://github.com/ArsenalRecon/NetWireLogDecoder.

As you spend some time becoming familiar with the awesome NetWire-related analysis techniques and tools designed by Joakim, keep in mind that some of the techniques can be adapted to assist victims of other RATs as well.

Enjoy, and good hunting!
