Windows Forensics Tools : Densityscout

DensityScout is a tool for finding (possibly unknown) malware on a potentially infected system. It takes advantage of the typical approach of malware authors, who protect their "products" with obfuscation such as run-time packing and encryption. The tool scans a chosen file-system path, calculates the density of each file, and prints the files as a list sorted by density in descending order. Most Microsoft Windows executables are not packed or encrypted in any way, so packed or encrypted (and therefore potentially malicious) executables stand out in the list, where an analyst can focus on them.

Website : https://www.cert.at/en/downloads/software/software-densityscout

How to Use


1. Download software from website : https://www.cert.at/media/files/downloads/software/densityscout/files/densityscout_build_45_windows.zip

2. Unzip the folder

3. Go to the folder directory where you unzip the files

4. Type cmd.exe in the Explorer address bar as shown below and press Enter.


5. Type the following command at the cmd prompt:
densityscout -pe -p 0.1 -o results.txt c:\Windows\System32
The command above scans the System32 folder for "suspicious" files: -pe limits the scan to PE executables, -p 0.1 prints files whose density is below 0.1, and -o results.txt writes the full result to a text file.



Output on the cmd prompt


DensityScout scans the directory, writes the full result to a text file in the folder, and shows on the command prompt itself the files whose density is less than the given threshold.


6. You can upload the flagged files to https://www.virustotal.com to check for any malicious activity.
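As an added example (not part of the original post and not DensityScout's own code), the following Python script mimics the scan described in the steps above: it walks a directory, keeps only files that start with the MZ header (what -pe does) and ranks them by byte entropy. DensityScout's actual density formula is not documented on this page, so Shannon entropy is used as a stand-in; on that scale high values, not low ones, indicate packed or encrypted content, so the threshold here is not comparable to -p 0.1. The sample buffers are constructed for the demonstration.

```python
import math
import random
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0).
    Plain code and text score low; packed or encrypted sections approach 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    # DOS header magic "MZ"; stands in for DensityScout's -pe filter.
    return data[:2] == b"MZ"


def rank(blobs, threshold: float, pe_only: bool = True):
    """blobs: iterable of (name, bytes). Returns [(entropy, name)] for
    files at or above the threshold, highest entropy first."""
    hits = []
    for name, data in blobs:
        if pe_only and not is_pe(data):
            continue
        entropy = shannon_entropy(data)
        if entropy >= threshold:
            hits.append((round(entropy, 3), name))
    return sorted(hits, reverse=True)


def scan_directory(root: str, threshold: float, pe_only: bool = True):
    files = ((str(p), p.read_bytes()) for p in Path(root).rglob("*") if p.is_file())
    return rank(files, threshold, pe_only)


# Constructed sample inputs (not real files): a plain PE-like buffer and a
# buffer whose body looks packed/encrypted (seeded PRNG, so the run is repeatable).
PLAIN = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 64
_rng = random.Random(1)
PACKED = b"MZ" + bytes(_rng.randrange(256) for _ in range(4096))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        Path(d, "plain.exe").write_bytes(PLAIN)
        Path(d, "packed.exe").write_bytes(PACKED)
        Path(d, "notes.txt").write_bytes(b"no MZ header here")
        for entropy, path in scan_directory(d, threshold=7.0):
            print(f"{entropy:.3f}  {path}")
```

Against a real directory such as System32, lower the threshold or drop it to 0.0 to see the full descending list the way DensityScout prints it.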
