We will be posting into it the various forensic tools we've used in our research thus far, and encouraging others with specialised expertise to expand and deepen the collection from there.
some contributions from pj:
Static analytic techniques to identify komodia libraries in unpacked executables:
From a technical perspective, the Komodia library is easy to detect. In our research, we found that the software that installs the root CA contains a number of easily searchable attributes that enabled us to match up the certificates we see in the wild with the actual software. These functions, which are Windows PE exports, include “CertInstallAll”, “GetCertPEMDLL”, “InstallFirefoxDirectory”, “SetCertDLL”, and “SetLogFunctionDLL.” Most of these libraries are designed to work on Windows 8 and will not install on older operating systems. Hopefully this information will give some good leads to researchers for further investigation.
From parityboy, a pcap scrubber: