VBA macro, payload of MO document, embedded Flash program, embedded JavaScript
4 most popular methods to attack a Microsoft Office document
whole disk, file level, partition level, encrypted containers
4 ways to use encryption
data hiding, artifact wiping, trail obfuscation, attacks against computer forensics processes and tools
4 ways to perform anti-forensics
.rsrc
PE header that contains the executable resources that are not a part of the executable
.rdata
PE header that contains the import and export info
.text
PE header that contains the instructions that the CPU executes
.data
PE header that contains the program's global data
dropped file
a file created during malware execution
dll injection
a piece of malware designed to run code in the address space of another process by forcing it to load a DLL
dropper
a program designed to install malware to a target system
disassembler
a program that takes a program's executable binary as input and generates textual files that contain the assembly language code for the entire program
trojan
a seemingly innocent file that contains malicious code underneath
worm
a self-replicating program with malicious intent
string
a sequence of chars representing text
ransomware
a type of malware that restricts access to the computer system it infects and demands a ransom for the malware creator to remove the restriction
virus
a user-triggered program with malicious intent
botnet
allows an attacker system access; receives instructions from a single command and control server
reports
analysts use these to detail the discovery of info during an investigation, describe actions performed, determine what other actions to perform, and recommend improvements to policies
dynamic analysis
analyzing a file by observing its behavior; triage
static analysis
analyzing a file in a constant, non-changing state; code level
file system, hidden partitions, host protected area of the hard drive
common locations for data hiding in a computer system
callback
destination IP or domain to which malware is trying to connect
sim card
device user's phone number (the MSISDN), call logs, text messages
reasons why reports are useful
evidence to help prosecute specific individuals, actionable intel to help stop or mitigate some activity, new leads for a case
portable executable
a file format that is a data structure containing the info necessary for the Windows OS loader to manage the wrapped executable code
NMEC
intel gathered in theater along with the collected image are sent to this
code obfuscation
intentionally hiding or misleading source code to prevent reverse engineering or disguise the true intent of a program
trail obfuscation
log cleaners, spoofing, misinfo, zombie accounts, trojaned commands
DLLMain, DLLENTRYPOINT
main functions of a DLL
downloader
malicious code that exists only to download the primary malicious payload
backdoor
malicious code that installs itself onto a computer to allow attacker access
launcher
malicious program used to launch other malicious programs
info-stealers
malware that collects info from a victim's computer and sends it to an attacker
scareware
malware that makes users believe their computers are infected, and the only way to remove infection is to click a specific link on the screen
wsock32.dll, ws2_32.dll
networking DLLs
debugger
program that allows software developers to observe their program while it is running
rootkit
stealthy type of malware designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer
dynamic, static
the two disciplines of malware analysis
file wiping
these types of utilities can delete individual files as well as wipe unallocated/free space from an OS
disk wiping
these types of utilities use a variety of methods to overwrite the existing data on disks
kernel32.dll
this dll contains core functionality, such as access and manipulation of memory, files, and hardware
wininet.dll
this dll contains higher-level networking functions
user32.dll
this dll contains user interface components, such as buttons, scroll bars, and components for controlling and responding to user actions
ntdll.dll
this dll is the interface to the windows kernel
DLL
this is a binary file that cannot execute on its own, but exports functions that can be utilized by other apps
encryption
this is a commonly used data hiding technique using a key and an algorithm to change the data in a way to make the info unreadable
trail obfuscation
this is a data hiding technique used to confuse, disorient, and divert the forensic examination process
disk degaussing
this is a process that applies a magnetic field to a digital media device making it entirely clean of any previously stored data
Harmony database
this is a repository of electronic versions of captured material such as paper notes and documents, as well as electronic files found on a variety of different media sources
steganography
this is a technique used to hide info or files within another file attempting to hide data by leaving it in plain sight
physical destruction
this is accomplished by disintegration, incineration, pulverizing, shredding, and melting, and can render a device useless
anti-forensics
this is an approach to manipulate, erase, or obfuscate digital data or to make its examination difficult, time consuming, or virtually impossible
malware
this is programming designed to disrupt or deny operations, gather info leading to loss of privacy or exploitation, gain unauthorized access to system resources, or otherwise exhibit abusive behavior
malware analysis
this is the process of analyzing malware to determine what the malware is designed to do
data hiding
this is the process of making it difficult to find data while keeping it accessible for future use
artifact wiping
this is the process of permanently eliminating particular files or entire file systems
mobile forensics
this is the science of retrieving digital evidence from a mobile device using forensically sound tools and techniques
rundll32.exe
this program lets users run DLL files
store malicious code, use existing windows dlls, use third party dlls
three ways malware writers use DLLs
ADS
using this on NTFS provides the ability to attach a file to another file without affecting the original file's metadata; $DATA attribute
device is on
while a mobile device is in this state, do everything possible to keep the device in the current state until able to perform a full examination