Who cares?
The first investigative principle is knowing who is watching the investigation. At fires and major police incidents, common practice is to photograph or videotape the crowd. Your suspect is likely the one most interested in the investigation. The second principle is that the likely suspects are called that for a reason. They’re likely. Whoever has a high ICT index, a large enough population, and the interest is the most likely suspect.
If you know the husband caught his wife cheating, bought a handgun, was seen loading it, loud arguments were heard, and shots were fired, you won’t go investigate the priest living in another state who never met the couple with the dead wife. You haul the husband down to the station and advise him of his rights. You might go one step further and look to see who might be taking advantage of the preponderance of the evidence (taking advantage of a bad situation to set the husband up), but in general the police are about putting people in jail, not looking for exculpatory evidence.
My eternal admiration for the laconic “kicks” in the upper right hand corner. So appreciative of the fact that you didn’t right lulz.
I would argue that obsessing about the internals (and going into a lot of detail about how the tool was built) will help you correlate to any future tool(s) – which may help with the attribution and motive at that time. And it’s also one of the few pieces of data that is concrete. Almost everything else is speculative.
Gah! s/right/write/ at the end of the first line.
There are strategies for obscuring authorship when writing malcode. Something like five years ago I remember a Dark Reading or DEF CON talk on obscuring attribution. Then again, I’m shocked every time I see a GUID in some malcode.
You’ve a good point, but the analysis isn’t being done for attribution. They’re reverse engineering the tool. Totally different goal and end state.