Malware analysis is the practice of determining the functionality, source and possible impact of a given malware sample such as a virus, worm, Trojan horse, rootkit, or backdoor. The rapidly growing significance of malware in digital forensics and the rising sophistication of malicious code have motivated advances in tools and techniques for performing focused analysis on malware. As more investigations rely on understanding and counteracting malware, the demand for formalization and supporting documentation has also grown, which the malware analysis process provides.
Malware analysis involves two fundamental techniques: static analysis and dynamic analysis.
1. Static Malware Analysis
Static analysis of malware entails the investigation of executable files without executing their instructions. Static analysis can confirm whether a file is malicious, give information about its functionality, and sometimes provide information that will allow you to create simple network signatures. It is basic and can be quick, but it is mostly useless against sophisticated malware, and it can miss significant behaviors.
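As an added example (not part of the original article), the following Python sketch shows what a minimal static triage pass looks like: it reads the PE headers, measures per-section entropy and extracts candidate network indicators without ever running the file. The sample buffer, the hostname, the IP address and the 7.0 entropy threshold are constructed assumptions.

```python
import hashlib, math, re, struct
from collections import Counter

URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def static_triage(data: bytes) -> dict:
    """Parse PE headers and pull candidate indicators without running the file."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(data):
            break  # truncated or malformed section table
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        h = entropy(data[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "entropy": round(h, 2), "likely_packed": h > 7.0})  # assumed heuristic
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "machine": hex(machine), "timestamp": tstamp, "sections": sections,
            "urls": sorted({m.decode() for m in URL_RE.findall(data)}),
            "ipv4": sorted({m.decode() for m in IPV4_RE.findall(data)})}

def build_sample() -> bytes:
    """Constructed, non-loadable PE-shaped buffer: plain .text, high-entropy .data."""
    text = b"http://c2.example.test/gate.php\x00203.0.113.7\x00".ljust(64, b"\0")
    packed = bytes(range(256))  # stands in for packed or encrypted content
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    first = len(dos) + len(coff) + 80  # raw data starts after two 40-byte headers
    def hdr(name, size, ptr):
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, 0)
    return dos + coff + hdr(b".text", 64, first) + hdr(b".data", 256, first + 64) + text + packed

if __name__ == "__main__":
    print(static_triage(build_sample()))
```

A section flagged as high entropy usually holds packed or encrypted content, which is where string-based static analysis stops yielding indicators.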
2. Dynamic Malware Analysis
Unlike static analysis, dynamic analysis executes the malware to observe its activities, understand its functionality and identify technical indicators that can be used to build signatures. Dynamic analysis can reveal domain names, IP addresses, file path locations, registry keys and additional file locations, and it can also identify communication with an attacker-controlled external server for command and control purposes or to download other malware files.
Memory forensics is the analysis of volatile data in a computer’s memory dump. It is conducted by many information security professionals to examine and identify attacks or malicious behaviors that do not leave readily detectable tracks on hard drive data. Moreover, it includes investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer’s hard drive.
Here are some favorite memory forensics tools and frameworks that can aid you in conducting effective memory analysis and forensics:
Volatility is a memory forensics framework. It is used for incident response and malware analysis. With this tool, you can extract information from running processes, network sockets, network connections, DLLs and registry hives. It also has support for extracting information from Windows crash dump files and hibernation files.
WindowsSCOPE is another memory forensics and reverse engineering tool used for analyzing volatile memory. It is primarily used for reverse engineering of malware. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory.
Mandiant RedLine is a favorite tool for memory and file analysis. It collects information about running processes on a host, drivers from memory and gathers other data like metadata, registry data, tasks, services, network information and Internet history to build a proper report.
HELIX3 is a live CD-based digital forensic suite created to be used in incident response. This tool can collect data from physical memory, network connections, user accounts, executing processes and services, scheduled jobs, the Windows Registry, chat logs, screen captures, SAM files, applications, drivers, environment variables and Internet history. It then analyzes and reviews the data to generate compiled results in the form of reports.
Real Life Forensics
There are many reported cases of computer hacking that are prevented by applying computer forensics techniques and analyzing the victim’s machine. On one occasion Marquis-Boire and University of Toronto colleague Bill Marczak analyzed e-mails received by Bahraini activists and found a piece of spyware designed to steal information from their computers. Further studies on the spyware showed similarities with the FinFisher surveillance software that Gamma International sells to law enforcement agencies.
This shows how significantly computer forensics is being used to prevent major incidents and to analyze incidents to reveal their origin. It helps security teams block the traffic and contacts that are sending malicious and infected files.
Be aware that malware developers continue to find new ways to detect forensic techniques and bypass them. However, a variety of tools and techniques are available to the digital world to overcome anti-forensics measures taken by cybercriminals. Moreover, bypassing forensic techniques requires knowledge and programming skills that are beyond expectations. So, forensics has proved itself in collecting evidence by using its refined processes and techniques.