Forensic analysis techniques in computer security allow us to analyze a threat once it has materialized. Malware forensic analysis is different from malware analysis. Malware analysis involves capturing a sample of the malware and performing static or dynamic analysis of it.
In malware analysis, compiled and obfuscated code is reverse engineered to determine what the malware was programmed to do. Malware forensic analysis, on the other hand, attempts to locate and examine the forensic artifacts that exist in the system's storage media, RAM and network in order to establish whether the system was compromised, how it happened, what the infection vector was, which malware was involved, what data was leaked, and so on.
A search for IOCs (Indicators of Compromise) is performed first to help identify whether a system or network has been compromised. This helps in cases where the security incident was caused by known malware. However, the malware may be a zero-day, an unknown family or a variant of a known one; in that case a forensic malware investigation should be initiated.
The first indicator of a malware infection is usually some kind of anomalous behavior. When this is reported, a system administrator runs an updated malware detection program on the system, such as Malwarebytes, or tools such as YARA with well-known IOCs.
If the behavior persists and there is no positive detection, it is imperative to conduct an in-depth malware forensic investigation.
YARA is a very useful tool for malware researchers. It aims to help them identify and classify malware samples: with YARA you can create descriptions of malware families based on textual or binary patterns. Each description, also known as a rule, consists of a set of strings and a Boolean expression that determines its logic.
YARA is cross-platform, runs on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension. You can access the tool here: https://virustotal.github.io/yara/.
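To make the rule structure concrete, here is an added Python example (written for this post, not code from the YARA project). It contains a constructed rule in YARA syntax with three strings and a Boolean condition, plus a small evaluator for just that subset of the language (text strings, hex strings, and/or/not, parentheses and "N of them"), applied to constructed sample buffers. In practice you would hand the same rule text to the yara command-line tool or to yara-python; the evaluator is here only to show what the strings section and the condition actually decide.

```python
import re

# Constructed rule in YARA syntax (written for this example, not a rule from the
# post or the YARA project): two text strings, one hex pattern, one condition.
EXAMPLE_RULE = r'''
rule Example_Dropper
{
    strings:
        $s1 = "cmd.exe /c"
        $s2 = "CurrentVersion\\Run"
        $h1 = { 4D 5A 90 00 }
    condition:
        $h1 and ($s1 or $s2)
}
'''

# $id = "text"   or   $id = { hex bytes }
STRING_RE = re.compile(r'\$(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|\{([^}]*)\})')
TOKEN_RE = re.compile(r'\$\w+|\(|\)|\d+|and|or|not|of|them')


def parse_rule(text):
    """Return (name, {id: bytes}, condition) for a single-rule YARA source.
    Subset only: plain text strings, hex strings without wildcards, and
    conditions built from and/or/not, parentheses and 'N of them'."""
    name = re.search(r'rule\s+(\w+)', text).group(1)
    body = text[text.index('{') + 1:text.rindex('}')]
    strings_part = body[body.index('strings:') + 8:body.index('condition:')]
    condition = body[body.index('condition:') + 10:].strip()
    patterns = {}
    for ident, txt, hexs in STRING_RE.findall(strings_part):
        if hexs:
            patterns[ident] = bytes.fromhex(hexs)
        else:
            # YARA text strings use C-style escapes: "\\" is one literal backslash
            patterns[ident] = txt.encode('latin-1').decode('unicode_escape').encode('latin-1')
    return name, patterns, condition


class _Condition:
    """Recursive descent: expr := term ('or' term)*, term := factor ('and' factor)*."""

    def __init__(self, condition, hits):
        self.toks = TOKEN_RE.findall(condition)
        self.hits = hits          # {id: True/False}, one entry per string
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def evaluate(self):
        val = self._expr()
        if self._peek() is not None:
            raise ValueError('trailing tokens in condition')
        return val

    def _expr(self):
        val = self._term()
        while self._peek() == 'or':
            self._take()
            rhs = self._term()
            val = val or rhs
        return val

    def _term(self):
        val = self._factor()
        while self._peek() == 'and':
            self._take()
            rhs = self._factor()
            val = val and rhs
        return val

    def _factor(self):
        tok = self._take()
        if tok == 'not':
            return not self._factor()
        if tok == '(':
            val = self._expr()
            if self._take() != ')':
                raise ValueError('unbalanced parentheses')
            return val
        if tok and tok.startswith('$'):
            return self.hits[tok[1:]]
        if tok and tok.isdigit():            # "N of them"
            if self._take() != 'of' or self._take() != 'them':
                raise ValueError('expected "of them"')
            return sum(self.hits.values()) >= int(tok)
        raise ValueError('unexpected token %r' % tok)


def scan(rule_text, data):
    """Apply one rule to a byte buffer. Returns (matched, {id: bool})."""
    _, patterns, condition = parse_rule(rule_text)
    hits = {ident: data.find(pat) != -1 for ident, pat in patterns.items()}
    return _Condition(condition, hits).evaluate(), hits


# Constructed sample buffers standing in for files collected from a system.
SAMPLES = {
    'dropper.bin': b'MZ\x90\x00' + b'\x00' * 16 + b'cmd.exe /c start evil.exe',
    'benign.exe': b'MZ\x90\x00' + b'\x00' * 32,
    'script.bat': b'cmd.exe /c echo hello',
}


def classify(rule_text, samples):
    """Names of the samples that the rule matches."""
    return sorted(name for name, data in samples.items() if scan(rule_text, data)[0])
```

Only dropper.bin satisfies the condition: benign.exe has the PE header bytes but neither text string, and script.bat has the command string but no header. That is the point of the Boolean expression: individual strings are weak evidence, and the condition states which combination of them identifies the family.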
The key thing to remember when performing forensic analysis on malware affecting a machine is to search for and acquire all available data in order to minimize the loss of volatile data. This means that we must consider capturing RAM and all relevant network logs, as well as an image of the hard drive. In addition, we need to closely monitor all traffic to and from the affected system.
We need to follow a number of steps to carry out the research such as:
The Master Boot Record (MBR) is usually the first sector of a hard disk and is 512 bytes in size. In the constant fight between malware and anti-malware, the battle is over who loads first: if the malware loads first, it can prevent the anti-malware from detecting it. This is where the MBR comes in. When a computer boots, the first piece of code that runs is the boot code in this sector. If the malware manages to modify it to its advantage, the anti-malware will fail in its task and the malware will remain resident. In this case, it helps to have a copy of a reference MBR to compare against.
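As an added example (not code from the post), the Python below reads the first 512 bytes of a disk image, splits them into boot code, partition table and the 55AA signature, and compares the boot code and partition entries against a reference MBR. The reference and the tampered copy are constructed inline; in a real case the reference would be an MBR captured from a known-good installation of the same system.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # boot code: bytes 0..445
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries: bytes 446..509
BOOT_SIGNATURE = b'\x55\xAA'   # bytes 510..511


def read_mbr(image_path):
    """Read the first sector of a raw disk image (or a block device)."""
    with open(image_path, 'rb') as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Split a 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError('MBR must be exactly %d bytes' % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            '<B3sB3sII', sector[off:off + 16])
        if ptype != 0:   # partition type 0 marks an unused entry
            partitions.append({'index': i, 'bootable': status == 0x80, 'type': ptype,
                               'lba_start': lba_start, 'sectors': sectors})
    boot_code = sector[:BOOT_CODE_LEN]
    return {'boot_code': boot_code,
            'boot_code_sha256': hashlib.sha256(boot_code).hexdigest(),
            'partitions': partitions,
            'signature': sector[510:512]}


def compare_mbr(current, reference):
    """Return a list of findings; an empty list means the MBR matches the reference copy."""
    cur, ref = parse_mbr(current), parse_mbr(reference)
    findings = []
    if cur['signature'] != BOOT_SIGNATURE:
        findings.append('boot signature is not 55AA')
    if cur['boot_code'] != ref['boot_code']:
        # report where the first difference is; a patched jump usually sits near offset 0
        first = next(i for i, (a, b) in enumerate(zip(cur['boot_code'], ref['boot_code'])) if a != b)
        findings.append('boot code differs from reference at offset %d' % first)
    if cur['partitions'] != ref['partitions']:
        findings.append('partition table differs from reference')
    return findings


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    table = b''.join(struct.pack('<B3sB3sII', 0x80 if bootable else 0, b'\xfe\xff\xff',
                                 ptype, b'\xfe\xff\xff', lba, count)
                     for bootable, ptype, lba, count in partitions)
    return (boot_code.ljust(BOOT_CODE_LEN, b'\x00')[:BOOT_CODE_LEN]
            + table.ljust(64, b'\x00') + BOOT_SIGNATURE)


# Constructed reference MBR (in a real case: a copy taken from a known-good install)
# with a plausible start of x86 boot code and one bootable NTFS partition.
REFERENCE_MBR = build_mbr(b'\x33\xC0\x8E\xD0\xBC\x00\x7C' + b'\x90' * 64,
                          [(True, 0x07, 2048, 1_000_000)])

# Constructed tampered copy: the first two bytes replaced by a short jump, so that
# different code runs before the original boot code.
_t = bytearray(REFERENCE_MBR)
_t[0:2] = b'\xEB\x40'
TAMPERED_MBR = bytes(_t)

if __name__ == '__main__':
    print('reference vs reference:', compare_mbr(REFERENCE_MBR, REFERENCE_MBR))
    print('tampered vs reference:', compare_mbr(TAMPERED_MBR, REFERENCE_MBR))
```

To use this on evidence, pass read_mbr('disk.img') as the current sector and the bytes of the reference copy as the second argument; the SHA-256 of the boot code is included so the value can be recorded in the case notes and compared across machines.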
Once the operating system has been properly identified, together with its service packs and patches, it is easy to download the well-known hash sets (from the National Institute of Standards and Technology (NIST) or Hashkeeper) that allow the investigator to remove known-good files from the investigation. Conversely, it is really easy to identify files whose MD5 hashes differ from what they should be; these could be infected or modified files.
We must then examine the system's RAM image offline. Alternatively, a live RAM analysis can be performed. However, it should be noted that this runs the risk of compromising volatile data, since every action we perform on a system affects volatile memory. Volatile memory forensics is in fact a vast field in its own right.
An examination of volatile memory may reveal the following:
Volatile memory analysis shows us the files that are in use or have been opened by the malware. This leads us to locate them on disk and examine them in detail, which is very useful for identifying where the malware collects the data it exfiltrates. Files identified as in use by the malware can be hashed; suspicious files can be submitted to online malware identification portals such as VirusTotal, and hash values can be checked against the National Software Reference Library (NSRL) at http://www.hashsets.com/nsrl/search/.
Look in the auto-start locations: any program that appears in several auto-start locations should be treated as suspicious. Malware tends to identify and place itself, or its different variants, in various auto-start locations in order to increase its persistence.
Identify what each program does and ask yourself whether it serves a legitimate purpose. Unidentified programs need to be examined in more detail.
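The hash-set step above and the hashing of files found in memory use the same mechanism, so here is one added Python example that serves both (written for this post, not code from NIST, NSRL or VirusTotal). It hashes every file under an evidence tree with MD5 and SHA-1, drops files whose SHA-1 is in a reference set, flags system file names whose hash is not the expected one as modified, and leaves the rest as unknown for manual review or submission to a portal. The file tree, the reference set and the expected hash are all constructed; in a real case the reference set is the NSRL or Hashkeeper data.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests, reading in chunks so large files need not fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk_size), b''):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def walk_files(root):
    """Yield every file path below root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)


def triage(paths, known_good_sha1, expected_sha1_by_name=None):
    """Sort files into known-good (hash in the reference set), modified (a system file
    name whose hash is not the expected one) and unknown (everything else)."""
    expected = expected_sha1_by_name or {}
    known, modified, unknown = [], [], []
    for path in paths:
        md5, sha1 = hash_file(path)
        name = os.path.basename(path).lower()
        record = (path, md5, sha1)
        if sha1 in known_good_sha1:
            known.append(record)
        elif name in expected and expected[name] != sha1:
            modified.append(record)
        else:
            unknown.append(record)
    return known, modified, unknown


def _basenames(bucket):
    return sorted(os.path.basename(path) for path, _md5, _sha1 in bucket)


def demo():
    """Build a constructed evidence tree and a constructed reference hash set, then triage it.
    Returns the file names that landed in each bucket."""
    with tempfile.TemporaryDirectory() as root:
        files = {   # constructed contents; in a real case this is the imaged file system
            'Windows/System32/notepad.exe': b'stand-in for a known-good notepad binary',
            'Windows/System32/kernel32.dll': b'stand-in for a known-good kernel32 library',
            'Windows/System32/svchost.exe': b'stand-in for an svchost.exe that has been replaced',
            'Users/alice/Downloads/invoice.exe': b'stand-in for an unknown downloaded binary',
        }
        for rel, data in files.items():
            full = os.path.join(root, *rel.split('/'))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'wb') as f:
                f.write(data)
        # Constructed reference set: in a real case these hashes come from the NSRL / Hashkeeper sets.
        known_good = {
            hashlib.sha1(files['Windows/System32/notepad.exe']).hexdigest(),
            hashlib.sha1(files['Windows/System32/kernel32.dll']).hexdigest(),
        }
        # Constructed per-name expectation: the hash the legitimate svchost.exe should have.
        expected = {'svchost.exe': hashlib.sha1(b'stand-in for the legitimate svchost.exe').hexdigest()}
        known, modified, unknown = triage(walk_files(root), known_good, expected)
        return {'known': _basenames(known), 'modified': _basenames(modified),
                'unknown': _basenames(unknown)}


if __name__ == '__main__':
    for bucket, names in demo().items():
        print(bucket, names)
```

Both digests are computed in one pass because the published sets are keyed by MD5 or SHA-1 depending on the source, and the unknown bucket (here invoice.exe) is what you would submit to VirusTotal or look up in the NSRL search page; the modified bucket (svchost.exe with an unexpected hash) is the stronger signal and goes straight to detailed examination.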
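As an added Python example (not code from the post), the block below parses a constructed excerpt in the text format that reg export produces for the Run and RunOnce keys, normalizes each value to the executable it launches (quotes, arguments and letter case stripped), and reports any binary registered in more than one auto-start location. The registry content is constructed for the example; only REG_SZ values are handled.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format written by `reg export` (not data from the post):
# a few ordinary entries plus one binary registered in three auto-start locations.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\ProgramData\\svc\\update.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Update"="C:\\ProgramData\\svc\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"upd"="c:\\programdata\\svc\\UPDATE.EXE -r"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data"  with backslashes and quotes escaped as \\ and \"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'(.*?\.(?:exe|dll|bat|cmd|vbs|ps1))(?=\s|$)', re.IGNORECASE)


def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key_path, value_name, value_data) for every REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def executable_path(command):
    """Reduce a Run value to the executable it launches: drop quotes and arguments, lower-case."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:command.index('"', 1)]
    else:
        m = EXE_RE.match(command)
        exe = m.group(1) if m else command.split()[0]
    return exe.lower()


def autostart_entries(text):
    """Map executable -> sorted list of (key, value name) locations that start it."""
    locations = defaultdict(set)
    for key, name, data in parse_reg_export(text):
        locations[executable_path(data)].add((key, name))
    return {exe: sorted(locs) for exe, locs in locations.items()}


def multi_location_programs(text):
    """Executables registered in more than one auto-start location, the pattern the post warns about."""
    return {exe: locs for exe, locs in autostart_entries(text).items() if len(locs) > 1}


if __name__ == '__main__':
    for exe, locs in multi_location_programs(REG_EXPORT).items():
        print(exe)
        for key, name in locs:
            print('   ', key, '->', name)
```

Normalizing the path matters: the three entries for update.exe use different value names, different quoting and different letter case, and a comparison on the raw value data would treat them as three unrelated programs. The same grouping works for additional keys (Winlogon, services, scheduled-task exports) as long as they are exported in the same format.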
To see the programs running on Windows 10, you can use the Task Manager app, accessible by searching the Start menu.
Look for things that seem out of place and identify outbound connections. The Windows registry is where information about basic operating system settings and configuration is stored. It also stores and centralizes data about programs, devices, users and computer hardware. It works like airport passport control: everything that enters and leaves the system is recorded.
This can help identify whether the user has visited known compromised sites, as well as identify where a drive-by download occurred.
To check browsing history in Chrome you have to:
To check the browsing history in Firefox you have to:
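Beyond the browser's own history view, the history files themselves can be read from a disk image. As an added Python example (not code from the post, Chrome or Firefox), the block below queries two in-memory SQLite databases built with the column names used by Chrome's History file (the urls table) and Firefox's places.sqlite (the moz_places table), converts each browser's timestamp format to UTC, and flags visits to a list of compromised domains. The rows, the timestamps and the domain list are constructed; the two time bases are real and are the usual source of error when reading these files by hand.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

UTC = timezone.utc
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)   # WebKit time base used by Chrome


def chrome_time(us):
    """Chrome's urls.last_visit_time: microseconds since 1601-01-01 UTC."""
    return CHROME_EPOCH + timedelta(microseconds=us)


def firefox_time(us):
    """Firefox's moz_places.last_visit_date: microseconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(us / 1_000_000, tz=UTC)


def chrome_visits(conn):
    rows = conn.execute('SELECT url, title, visit_count, last_visit_time FROM urls')
    return [('chrome', url, title, n, chrome_time(t)) for url, title, n, t in rows]


def firefox_visits(conn):
    rows = conn.execute('SELECT url, title, visit_count, last_visit_date FROM moz_places '
                        'WHERE last_visit_date IS NOT NULL')
    return [('firefox', url, title, n, firefox_time(t)) for url, title, n, t in rows]


def flag_visits(visits, suspect_domains):
    """Visits whose host is (a subdomain of) a known-compromised domain, oldest first."""
    flagged = []
    for browser, url, _title, _n, when in sorted(visits, key=lambda v: v[4]):
        host = (urlparse(url).hostname or '').lower()
        if any(host == d or host.endswith('.' + d) for d in suspect_domains):
            flagged.append((browser, url, when.isoformat()))
    return flagged


def _to_chrome(dt):
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)


def _to_firefox(dt):
    return int(dt.timestamp() * 1_000_000)


def constructed_histories():
    """In-memory stand-ins for Chrome's History and Firefox's places.sqlite (constructed rows)."""
    chrome = sqlite3.connect(':memory:')
    chrome.execute('CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, '
                   'visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)')
    chrome.executemany(
        'INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) VALUES (?,?,?,?,?,?)',
        [('https://www.example.org/', 'Example', 3, 1,
          _to_chrome(datetime(2023, 5, 10, 9, 15, tzinfo=UTC)), 0),
         ('http://cdn.malicious-site.invalid/update.exe', 'Update', 1, 0,
          _to_chrome(datetime(2023, 5, 10, 9, 42, tzinfo=UTC)), 0)])
    firefox = sqlite3.connect(':memory:')
    firefox.execute('CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, '
                    'visit_count INTEGER, last_visit_date INTEGER)')
    firefox.executemany(
        'INSERT INTO moz_places (url, title, visit_count, last_visit_date) VALUES (?,?,?,?)',
        [('https://malicious-site.invalid/landing', 'Landing', 1,
          _to_firefox(datetime(2023, 5, 10, 9, 40, tzinfo=UTC))),
         ('https://docs.python.org/3/', 'Python docs', 7, None)])   # never visited: no date
    return chrome, firefox


def suspicious_visits(suspect_domains=('malicious-site.invalid',)):
    chrome, firefox = constructed_histories()
    return flag_visits(chrome_visits(chrome) + firefox_visits(firefox), suspect_domains)


if __name__ == '__main__':
    for browser, url, when in suspicious_visits():
        print(when, browser, url)
```

With real evidence, replace constructed_histories() with sqlite3.connect() on copies of the History and places.sqlite files taken from the image (copies, because the browser keeps the originals locked and a write-ahead log may hold recent rows). The output orders the Firefox landing-page visit before the Chrome download, which is exactly the sequence the post wants to establish when locating a drive-by download.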
Searching the downloads and temporary folders in particular can help identify the malware's entry point. Also search for deleted files: malware may delete files it no longer needs simply to cover its tracks.
Trace all activity obtained from file dates, emails, websites visited, cookies, logs, etc. to try to build a sequence of events. Files that appear in the timeline within the period in which you suspect the system was compromised definitely require a second look.
Last but not least, everything must be re-examined. The forensic analysis must be repeated to check each link in the chain and leave nothing unverified.
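The file-search and timeline steps come together in one added Python example (written for this post, not code from any forensic tool). It normalizes three kinds of constructed artifacts to UTC (file modification times as os.stat reports them, syslog lines, and an Apache access-log line), merges them into one sorted timeline, and selects the events inside a suspected compromise window. The host time zone and the year are parameters because syslog lines carry neither; the example shows how a wrong time-zone assumption moves events out of the window.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def _utc(y, mo, d, h, mi, s=0):
    return datetime(y, mo, d, h, mi, s, tzinfo=UTC)


# Constructed artifacts (not from the post): mtimes as os.stat would report them,
# two syslog-style lines, and one Apache combined-log line with a numeric zone.
FILE_MTIMES = {
    '/home/alice/Downloads/invoice.zip': int(_utc(2023, 5, 10, 9, 38).timestamp()),
    '/tmp/.x/update': int(_utc(2023, 5, 10, 9, 42).timestamp()),
    '/home/alice/notes.txt': int(_utc(2023, 4, 2, 11, 0).timestamp()),   # weeks earlier
}
SYSLOG_LINES = [
    'May 10 09:43:12 host sshd[812]: Accepted password for alice from 192.0.2.10 port 51234 ssh2',
    'May 10 09:45:01 host CRON[900]: (alice) CMD (/tmp/.x/update)',
]
ACCESS_LOG = '192.0.2.10 - - [10/May/2023:09:41:55 +0000] "GET /update.exe HTTP/1.1" 200 51234'

SYSLOG_RE = re.compile(r'^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$')
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')


def parse_syslog(line, year, host_tz):
    """Syslog has no year and no zone: both must be supplied from the case context."""
    stamp, _host, proc, msg = SYSLOG_RE.match(line).groups()
    when = datetime.strptime('%d %s' % (year, stamp), '%Y %b %d %H:%M:%S').replace(tzinfo=host_tz)
    return when.astimezone(UTC), 'syslog', '%s: %s' % (proc, msg)


def parse_apache(line):
    """Apache's timestamp carries its own offset, so it converts to UTC without assumptions."""
    client, stamp, request, status, _size = APACHE_RE.match(line).groups()
    when = datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z')
    return when.astimezone(UTC), 'http', '%s %s -> %s' % (client, request, status)


def build_timeline(year=2023, host_tz=UTC):
    """Merge every artifact into one list of (utc_time, source, description), oldest first."""
    events = [(datetime.fromtimestamp(mtime, tz=UTC), 'file', 'modified ' + path)
              for path, mtime in FILE_MTIMES.items()]
    events += [parse_syslog(line, year, host_tz) for line in SYSLOG_LINES]
    events.append(parse_apache(ACCESS_LOG))
    return sorted(events)


def events_in_window(timeline, start, end):
    return [event for event in timeline if start <= event[0] <= end]


def suspect_window_summary(host_tz_hours=0):
    """Events in the suspected compromise window, with the syslog zone taken as UTC+host_tz_hours."""
    timeline = build_timeline(host_tz=timezone(timedelta(hours=host_tz_hours)))
    window = events_in_window(timeline, _utc(2023, 5, 10, 9, 30), _utc(2023, 5, 10, 10, 0))
    return [(when.strftime('%H:%M:%S'), source, text) for when, source, text in window]


if __name__ == '__main__':
    for entry in suspect_window_summary():
        print(*entry)
```

With the host clock taken as UTC the window holds five events in a plausible order: the archive lands in Downloads, the HTTP fetch of update.exe, the file appears under /tmp/.x, the login, and the cron execution. Read the same syslog lines as UTC+2 and the login and cron entries slide two hours earlier and drop out of the window, which is why the first thing to record when imaging a system is its clock offset and time zone.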
Learning Network Forensics by Samir Datt.