Skip navigation.

Scalable, Automated Baremetal Malware Analysis

This week I will be presenting on scalable, automated baremetal malware analysis at Black Hat Europe. My presentation will coincide with the release of NVMTrace, a tool that facilitates automated baremetal sample processing using inexpensive hardware and freely available technologies. More information is available at the following link:

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis

If you are attending Black Hat Europe and malware analysis is a topic of interest to you, please attend my talk. If you are interested but will not be in attendance, please let me know and I will make my whitepaper and slide set available to you.

Let us know when the

Let us know when the presentation is available for download, please.

Black Hat EU Materials Download

I am also very interested in

I am also very interested in your white paper and slides. Please contact me at, I would love to hear more! Thanks!



I have sent you email.

The paper says: "Similarly,

The paper says:

"Similarly, the baremetal node's disk contents, which exist as a mountable block device on the Linux host, can be used to identify and record changes to
the file system (e.g., files created or modi ed, registry keys created or changed)."

Are you going to provide the tools that compare infected's machine disk contents with baremetal node's disk contents?

What about the tools that analyze the malware and let you know that the malware ended a windows session, elevated privileges, etc?

nvmtrace.nfo file

nvmtrace.nfo file says:

"Temporarily connect a hard drive to a SuperMicro 5015A-PHF and install Windows XP on the system. As this installation will be turned into a file that will reside in memory, keep the partition size small (e.g., 2GB)."

Any actual HD has 250 GB of space or more, so coding a nvmtrace environment detection would be pretty simple: just check if the HD has, let´s say, 8 GB of space or less.

Don´t forget to reply to the questions in my previous post, please.