HBGary REcon: How It Works
Malware is growing increasingly complex, and it is difficult to analyze with a variety of tools that have been cobbled together. REcon, in conjunction with HBGary’s Responder Professional, gives incident response teams a single tool that is forensically sound and easy to use. This new technology allows small security teams to automate analysis that was typically outsourced in the past, giving them run-time information about the sample. For larger teams, it allows deeper analysis and the ability to quickly correlate pertinent streams of information.
REcon’s performance outclasses everything currently available on the market, operating orders of magnitude faster than any other known tracing solution. REcon is so fast that users can still interact with a program’s GUI while every instruction in that program is being single-step recorded, something that has not been possible before now. On native hardware, REcon supports advanced performance features such as the branch-trace mode of Intel processors.
REcon can record the entire lifecycle of a software program, from the first instruction to the last. All behavior is recorded, including all loaded DLLs, plugins, browser helper objects (BHOs), file system activity, network activity, and registry access. Users can configure additional tracks of data to be recorded in almost limitless ways. Any function point can be recorded, including DLL exported functions and internal undocumented functions (an API-spy style capability). Users can control the sampling behavior, including the number and type of arguments captured for a call. The full control flow graph is recovered for a program, including all basic blocks and branch conditions, even branches not taken. The opcodes, top of stack, and register context can be captured at single-step resolution. Because the recording is taken as the code actually executes, this allows recovery of the unpacked code of executables packed with ASProtect, ASPack, Armadillo, UPX, and even Themida. REcon operates entirely in kernel mode and remains hidden from many anti-debugger checks, including checks for kernel-mode debuggers.
Beyond the recording capabilities, the recorded data can be graphed and replayed in HBGary Responder Professional. A new track control has been added to the graph that lets the user interact with the recorded program timeline much as they would with a recorded video or audio track. The user can graph individual tracks of behavior (such as networking), or only regions of behavior (such as the decryption routine alone). Any region that can be graphed can also be placed into a separate layer and managed independently. All of the existing graph features users expect from Responder Professional can also be applied to any recorded track of behavior, exposing an entirely new set of data that augments existing analysis.
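As an added illustration (example code written for this page, not REcon's or HBGary's own), the following Python does, over a single-step instruction trace, what the two paragraphs above describe: it recovers basic blocks, the edges that were actually executed with their hit counts, and the direction of each conditional branch that was never taken, and it extracts a per-block timeline of the kind a track control lets the analyst scrub through. The trace is a constructed sample of a hypothetical xor-decrypt stub; the record layout, the function names and the addresses are assumptions made for this example.

```python
"""Rebuild a CFG from a single-step trace: blocks, executed edges, edges never taken."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample trace of a hypothetical xor-decrypt stub (not REcon output; the
# "<hex addr> <length> <disassembly>" layout is an assumption made for this example).
# Records are in execution order; the four-instruction loop body repeats four times.
SAMPLE_TRACE = (
    "1000 5 mov ecx,4\n1005 2 test ecx,ecx\n1007 2 jz 0x1030\n1009 7 lea rsi,[rip+0x200]\n"
    + "1010 3 xor byte [rsi],0x5a\n1013 3 inc rsi\n1016 2 dec ecx\n1018 2 jnz 0x1010\n" * 4
    + "101a 2 jmp 0x1030\n1030 1 ret\n"
)

@dataclass
class Step:
    addr: int
    size: int
    asm: str

    @property
    def kind(self) -> str:
        m = self.asm.split()[0]
        if m in ("jmp", "call", "ret"):
            return m
        return "jcc" if m.startswith("j") else "other"  # jz, jnz, jb, ... are conditional

    @property
    def target(self) -> Optional[int]:  # direct branch target; None if indirect or none
        if self.kind in ("jmp", "jcc", "call"):
            op = self.asm.split()[1]
            if op.startswith("0x"):
                return int(op, 16)
        return None

Blocks = Dict[int, List[Step]]      # block start -> executed instructions (empty = never ran)
Edges = Dict[Tuple[int, int], int]  # (src block, dst block) -> times executed

def parse_trace(text: str) -> List[Step]:
    steps = []
    for line in text.splitlines():
        if line.strip():
            addr, size, asm = line.split(" ", 2)
            steps.append(Step(int(addr, 16), int(size), asm))
    return steps

def build_cfg(steps: List[Step]) -> Tuple[Blocks, Edges]:
    insns = {s.addr: s for s in steps}  # unique executed instructions
    # Leaders: entry, direct branch targets, fall-through of every conditional, and
    # whatever executed right after any control transfer (covers indirect jumps/ret).
    leaders = {steps[0].addr}
    for i, s in enumerate(steps):
        if s.kind == "other":
            continue
        if s.target is not None:
            leaders.add(s.target)
        if s.kind == "jcc":
            leaders.add(s.addr + s.size)
        if i + 1 < len(steps):
            leaders.add(steps[i + 1].addr)
    # A block starts at a leader and ends at a control transfer or before the next
    # leader; owner maps each instruction address to the start of its block.
    blocks: Blocks = {}
    owner: Dict[int, int] = {}
    start = None
    for addr in sorted(insns):
        prev = blocks[start][-1] if start is not None else None
        if prev is None or addr in leaders or prev.addr + prev.size != addr:
            start = addr
            blocks.setdefault(start, [])
        blocks[start].append(insns[addr])
        owner[addr] = start
        if insns[addr].kind != "other":
            start = None
    # Executed edges: every block-to-block transition observed in the trace.
    edges: Edges = defaultdict(int)
    for s, nxt in zip(steps, steps[1:]):
        src, dst = owner[s.addr], owner[nxt.addr]
        if s.kind != "other" or src != dst:
            edges[(src, dst)] += 1
    # Branches not taken: each executed conditional has two successors; the one never
    # observed keeps count 0, and a target that never ran becomes an empty block.
    for s in insns.values():
        if s.kind == "jcc" and s.target is not None:
            for dst in (s.target, s.addr + s.size):
                owner.setdefault(dst, dst)
                blocks.setdefault(dst, [])
                edges.setdefault((owner[s.addr], owner[dst]), 0)
    return blocks, dict(edges)

def not_taken_edges(edges: Edges) -> List[Tuple[int, int]]:
    return sorted(e for e, n in edges.items() if n == 0)

def block_timeline(steps: List[Step], start: int) -> List[int]:
    """Trace positions where a block was entered: the per-block track a replay UI scrubs."""
    return [i for i, s in enumerate(steps) if s.addr == start]

if __name__ == "__main__":
    blocks, edges = build_cfg(parse_trace(SAMPLE_TRACE))
    for (src, dst), n in sorted(edges.items()):
        print(f"{src:#x} -> {dst:#x}: {'never taken' if n == 0 else f'{n}x'}")
```

Run as a script it lists six edges: the loop's back edge executed three times, its exit once, and the `jz 0x1030` guard marked never taken, which is exactly the edge a purely dynamic trace would otherwise miss. A real tracer would additionally store the register context and top of stack per step alongside each record; the graph logic is unchanged by that.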
Availability
REcon is included in the latest version of HBGary Responder Professional™, the most comprehensive memory investigation and malware analysis platform available on the market today.