Forensic analysis techniques in computer security allow us to analyze a threat once it has materialized. Malware forensic analysis is different from malware scanning, and it is also different from malware analysis: malware analysis involves capturing a sample of the malware and performing a static or dynamic analysis of it.
In malware analysis, compiled and obfuscated code is reverse engineered to try to determine what the malware was programmed to do. Malware forensic analysis, on the other hand, attempts to locate and examine the forensic artifacts that exist in the system's storage media, RAM and network in order to help establish that the system was compromised, how it was done, what the infection vector was, which particular malware was involved, what data was leaked, and so on.
The start of the attack
A search for IOCs (Indicators of Compromise) is performed first, to help identify whether a system or network has been compromised. This helps in cases where the security incident has been caused by known malware; however, the cause may be a zero-day, an unknown malware or one of its variants, and in that case a forensic malware investigation should be initiated.
The first indicator of a malware infection is some kind of anomalous behavior. When this is reported, the system administrator runs an updated malware detection program on the system, such as Malwarebytes, or a tool such as YARA with well-known IOCs.
If the behavior persists and there is no positive detection, it is imperative to conduct an in-depth malware forensic investigation.
YARA, the Swiss pattern-matching knife
YARA is very useful for malware researchers. It is a tool that aims to help them identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns. Each description, also known as a rule, consists of a set of strings and a Boolean expression that determines its logic.
YARA is cross-platform (it runs on Windows, Linux and Mac OS X) and can be used through its command-line interface or from your own Python scripts with the yara-python extension. You can get the tool here: https://virustotal.github.io/yara/.
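As an added example (not code from the original article or from the YARA project), here is a rule in the strings-plus-condition form described above, together with a small pure-Python stand-in for the matcher so that it runs without yara-python. The rule, its strings and the two sample buffers are constructed for illustration only.

```python
# Added example (not from the original article): a rule in YARA's
# strings-plus-condition form, and a small pure-Python stand-in for the
# matcher so this runs without yara-python. With yara-python installed the
# same rule text is used as yara.compile(source=RULE).match(data=sample).
RULE = r'''
rule Suspicious_Dropper_Example : example
{
    meta:
        description = "constructed illustration, not a real malware signature"
    strings:
        $s1 = "cmd.exe /c" ascii
        $s2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
        $h1 = { 68 74 74 70 3A 2F 2F }   // the bytes of "http://"
    condition:
        uint16(0) == 0x5A4D and 2 of ($s*, $h*)
}
'''

# The same string definitions as Python byte patterns ("wide" = UTF-16LE).
RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
STRINGS = {
    "$s1": [b"cmd.exe /c"],
    "$s2": [RUN_KEY.encode("ascii"), RUN_KEY.encode("utf-16-le")],
    "$h1": [bytes.fromhex("687474703A2F2F")],
}

def match(sample: bytes) -> dict:
    """Stand-in for rules.match(): evaluate the rule's condition over a buffer."""
    hits = {name: any(p in sample for p in pats) for name, pats in STRINGS.items()}
    # uint16(0) == 0x5A4D: little-endian read of the first two bytes equals "MZ"
    is_mz = len(sample) >= 2 and int.from_bytes(sample[:2], "little") == 0x5A4D
    matched = is_mz and sum(hits.values()) >= 2          # "2 of ($s*, $h*)"
    return {"rule": "Suspicious_Dropper_Example", "matched": matched,
            "strings": [n for n, h in hits.items() if h]}

# Constructed buffers standing in for files under examination (not real malware).
SAMPLE_HIT = b"MZ" + b"\x90" * 60 + b"cmd.exe /c start http://" + b"\x00" * 16
SAMPLE_MISS = b"\x7fELF" + b"\x00" * 12 + b"cmd.exe /c" + b"\x00" * 8

if __name__ == "__main__":
    for buf in (SAMPLE_HIT, SAMPLE_MISS):
        print(match(buf))
```

The second buffer contains one of the strings but fails the `uint16(0)` check, which is the point of combining string hits with a Boolean condition rather than alerting on any single pattern.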
Key elements in forensic analysis
The key thing to remember when performing forensic analysis of malware affecting a machine is to search for and acquire all available data, in an order that minimizes the loss of volatile data. This means that we must consider capturing RAM, all relevant network logs, and an image of the hard drive. In addition, we need to closely monitor all traffic to and from the affected system.
We need to follow a number of steps to carry out the investigation, such as:
Examine the master boot record (MBR)
This is usually the first sector of a hard disk and is 512 bytes in size. In the constant fight between malware and anti-malware, the battle is over which one loads first. If the malware loads first, it can prevent the anti-malware from detecting it. This is where the MBR comes in. When a computer boots up, the first piece of code that runs is the boot code in this sector. If the malware manages to modify it to its advantage, the anti-malware will fail in its task and the malware will remain resident. In this case, it helps if we have a reference copy of the MBR to compare against.
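The comparison against a reference MBR, as an added example (not code from the original article): parse the 512-byte sector into boot code, disk signature and partition table, and check the boot code hash against the reference copy. The two sample sectors are constructed inline, not taken from a real disk.

```python
import hashlib
import struct

# Added example (not from the original article): parse a 512-byte MBR and
# compare its boot code against a reference copy. The sample sectors below
# are constructed here, not taken from a real disk.
SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # classic layout: 440 bytes of boot code, 4-byte disk signature, 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries follow at offset 446
SIGNATURE = b"\x55\xAA"    # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash, the disk signature and the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:   # type 0 means an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": sector[440:444].hex(), "partitions": partitions}

def boot_code_matches(sector: bytes, reference_sha256: str) -> bool:
    """True when the boot code is identical to the reference copy kept for comparison."""
    return parse_mbr(sector)["boot_code_sha256"] == reference_sha256

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one bootable NTFS-type (0x07) partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    return code + disk_sig + entry + b"\x00" * 48 + SIGNATURE

# Reference copy taken when the machine was known to be clean, and a sector whose
# boot code has been replaced while the partition table is left untouched.
REFERENCE = build_sample_mbr(b"\x33\xC0\x8E\xD0")
REFERENCE_HASH = parse_mbr(REFERENCE)["boot_code_sha256"]
TAMPERED = build_sample_mbr(b"\xEB\xFE")

if __name__ == "__main__":
    print(parse_mbr(TAMPERED)["partitions"])
    print("boot code intact:", boot_code_matches(TAMPERED, REFERENCE_HASH))
```

Note that the tampered sector still has a valid signature and an unchanged partition table, so only the boot-code hash reveals the modification.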
Identify the operating system
Once the operating system, its service packs and its patches have been properly identified, it is easy to download the well-known hash sets (from the National Institute of Standards and Technology (NIST) or Hashkeeper) that allow the investigator to remove known good files from the investigation. Conversely, it is very easy to identify files whose MD5 hashes differ from what they should be; these could be potentially infected or modified files.
Examine the RAM
We must proceed to examine the RAM image of the system offline. Alternatively, a live RAM analysis can be performed; however, it should be noted that this runs the risk of compromising volatile data, since every action we perform on a system changes its volatile memory. Volatile memory forensics is in fact a vast field in its own right.
Examining volatile memory
An examination of volatile memory may reveal the following:
- Currently running processes (malware active in RAM).
- Other, hidden processes.
- Recently terminated processes.
- Open files (for example, files accessed by the malware).
- Registry keys that have been accessed.
- Network connections (volatile memory holds more reliable information than the output of commands such as netstat, which may have been tampered with by the malware).
- Listening ports.
- Cryptographic keys and passwords.
- Complete files.
- File fragments.
- Unencrypted content that can be searched by keyword.
- Hidden data.
- Malicious code (fileless malware).
Locate and examine files on disk
Volatile memory analysis shows us the files that are in use or have been opened by the malware. This leads us to locate them on disk and examine them in detail, which is very useful for identifying where the malware collects the data it exfiltrates. Files identified as in use by the malware can be hashed, suspicious files can be submitted to online malware identification portals such as VirusTotal, and hash values can be checked against the National Software Reference Library (NSRL) at http://www.hashsets.com/nsrl/search/.
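The hash-based triage described here and under "Identify the operating system", as an added example (not code from the original article): hash every file under a directory and classify it against a known-good hash set and per-file expected hashes. The reference sets are constructed for the demo; in practice the SHA-1 set would come from NSRL and the expected MD5 values from a clean reference install.

```python
import hashlib
import os
import tempfile

# Added example (not from the original article): hash every file under a
# directory and classify it against a known-good set and per-file expected
# hashes. The reference sets here are constructed for the demo; in practice
# the SHA-1 set would come from NSRL and the expected MD5s from a clean
# reference install.
def file_hashes(path, chunk=1 << 20):
    """Return (md5, sha1) of a file, reading it in chunks so large files fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def triage(root, known_good_sha1, expected_md5):
    """known_good: hash in the reference set; modified: expected hash differs; unknown: needs a closer look."""
    result = {"known_good": [], "modified": [], "unknown": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            md5, sha1 = file_hashes(path)
            if sha1 in known_good_sha1:
                result["known_good"].append(rel)
            elif rel in expected_md5 and expected_md5[rel] != md5:
                result["modified"].append(rel)
            else:
                result["unknown"].append(rel)
    return {k: sorted(v) for k, v in result.items()}

def demo():
    """Constructed sample tree of three files, written to a temporary directory."""
    root = tempfile.mkdtemp()
    contents = {"clean.bin": b"vendor shipped bytes",
                "system.dll": b"patched by something",
                "dropper.tmp": b"payload of unknown origin"}
    for name, data in contents.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    known_good = {hashlib.sha1(b"vendor shipped bytes").hexdigest()}
    expected = {"system.dll": hashlib.md5(b"original vendor dll").hexdigest()}
    return triage(root, known_good, expected)

if __name__ == "__main__":
    print(demo())
```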
Examine the auto-start locations
Look in the auto-start locations; any program present in several auto-start locations should be treated as suspicious. Malware tends to identify and place itself, or its different variants, in various auto-start locations in order to increase its persistence.
Check the programs that are running on the system
Identify what each program does and ask yourself whether it serves a legitimate purpose. Unidentified programs need to be examined in more detail.
To see the programs running on Windows 10, you can use the Task Manager app, accessible by searching the Start menu.
- Run it from the Start menu or with the keyboard shortcut Ctrl + Shift + Esc.
- Sort applications by memory usage, CPU usage, and so on.
- Get more details or use "End Task" if necessary.
Examine the system logs
Look for things that seem out of place and identify outbound connections. The Windows registry is where information about the basic settings and configuration of the operating system is stored. It also stores and centralizes data about programs, devices, users and computer hardware. It works like passport control at an airport: everything that enters and leaves the system is recorded.
Review web browsing history
This can help identify whether the user has visited known compromised sites, as well as where a drive-by download occurred.
To check the browsing history in Chrome:
- Open Chrome on your computer.
- At the top right, click More.
- Click History, then History.
To check the browsing history in Firefox:
- Open Firefox.
- Press Ctrl + H.
- You will see the history of pages visited, sorted by date.
Check file artifacts
Especially in the Downloads and temporary folders, this can help identify the malware's entry point. Also search for deleted files; malware may delete files it no longer needs just to cover its tracks.
Build a timeline
Trace all the activity obtained from file dates, emails, websites visited, cookies, logs, etc. to try to build a sequence of events. Files that appear in the timeline within the period in which you suspect the system was compromised definitely deserve a second look.
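Building that timeline, as an added example (not code from the original article): events from file modification times, a log file and browser history are normalized to UTC, merged, sorted, and filtered to the suspected compromise window. All paths, log lines and timestamps are constructed for the demo.

```python
from datetime import datetime, timezone

# Added example (not from the original article): merge events from several
# sources into one timeline, normalized to UTC, and pull out the window in
# which the compromise is suspected. All data below is constructed.
FILE_MTIMES = {                        # path -> modification time (Unix epoch seconds)
    "C:\\Windows\\System32\\notepad.exe": 1699990000,
    "C:\\Users\\alice\\Downloads\\invoice.pdf.exe": 1700000500,
    "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.tmp": 1700000590,
}
LOG_LINES = [                          # "YYYY-MM-DD HH:MM:SS message", logged in UTC
    "2023-11-14 22:23:10 firewall OUTBOUND 10.0.0.5 -> 203.0.113.7:443 allowed",
    "2023-11-14 23:05:00 backup job finished",
]
BROWSER_HISTORY = [                    # (ISO-8601 UTC timestamp, URL)
    ("2023-11-14T22:21:05Z", "http://example.test/invoice"),
]

def _iso(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_timeline():
    """Return (time, source, detail) tuples from all sources, sorted by time."""
    events = []
    for path, mtime in FILE_MTIMES.items():
        events.append((datetime.fromtimestamp(mtime, tz=timezone.utc), "file", path))
    for line in LOG_LINES:
        stamp = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((stamp, "log", line[20:]))
    for ts, url in BROWSER_HISTORY:
        events.append((_iso(ts), "browser", url))
    return sorted(events)

def in_window(events, start_iso: str, end_iso: str):
    """Events inside the suspected compromise window (inclusive bounds, ISO-8601 UTC)."""
    start, end = _iso(start_iso), _iso(end_iso)
    return [e for e in events if start <= e[0] <= end]

if __name__ == "__main__":
    for t, src, detail in in_window(build_timeline(), "2023-11-14T22:20:00Z", "2023-11-14T22:30:00Z"):
        print(t.isoformat(), src, detail)
```

Within the window the order alone (site visit, executable landing in Downloads, temp file appearing at the same second as the outbound connection) is what makes the download worth a second look.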
Re-examine everything
Last but not least, everything must be re-examined. The forensic analysis must be repeated to check each link in the chain and leave nothing unverified.
References
Learning Network Forensics, by Samir Datt.