Intro to Computer Forensics Test 2
physical machines
- Can see a more accurate execution of malware
- Malware can be difficult to fully remove on a physical machine
Virtual machines
- Can use snapshots to quickly reload a machine state
- Easily distributable
How does memory acquisition differ from disk-based acquisition?
- No plug pulling
- No before and after hash
- Not generally repeatable
- Image smear
- Can be subverted
Why is a Timeline important?
- We can find a file that may not mean much by itself.
- Knowing the time the file was created can give us additional information
Two key issues that arise when using data carving on physical memory
1. Data carving relies on locating a file signature from a header/footer and tries to carve out a contiguous space into a file. Pages in memory are not contiguous data, which makes it hard for data carving tools to extract complete files, unless the file is less than or equal to 4096 bytes in size.
2. Unstructured analysis of memory images, like data carving, has no context. So, even if a file is obtained from data carving a memory image, there is no way to know which process was utilizing the file that was collected. For example, if we find a confidential PDF file in memory, we don't know if it was being used by the currently running FTP process address space or the Adobe Reader process address space; the implications of which are key to an investigation.
When analyzing malware during an investigation about a network intrusion, what are the two primary goals of the analysis?
1. Establish what occurred on the system/network
2. Ensure that you locate all infected machines and files.
List four reasons that we are interested in analyzing the contents of memory:
1. Identify indicators of compromise (IOCs)
2. Persistence mechanisms
3. Initial compromise point
4. User activity
5. Support disk and packet analysis
Name five sources of timestamps that can be used to construct a timeline for a digital device
1. Prefetch files
2. UserAssist key
3. Recycle bin
4. Registry files (hive files - SOFTWARE, SAM, SECURITY, etc.)
5. Web history logs (browser logs, .dat files)
6. Windows firewall logs
7. Filesystem timestamps (MAC times)
What are the two primary methods of constructing a super timeline? Briefly describe what is involved in both methods, giving both an advantage and a disadvantage
1. The first approach is to gather every timestamp on the machine possible. This gives the most information to the investigator, but can be an overwhelming amount of information.
2. The second approach is a layered approach which starts at a particular window of time and slowly expands to analyze and add further information to the timeline. This method can often cause tunnel vision by focusing too much on a particular timeframe and losing sight of some events on the system.
List three questions that we try to answer when analyzing suspected malware.
1. What actions does the binary take?
2. How to detect the malware on your network/system?
3. How to measure and contain the damage?
Hashing
A common method used to uniquely identify malware. The hashing program creates a hash that identifies the malware (MD5/SHA-1).
Antivirus Scanning
A good first step to getting some initial feedback about the file and any known data/hashes. Generally works using a database of known malware data.
Linked Libraries
A list of imports is one of the most important pieces of information about an executable
Finding Strings
A string in a program is a sequence of characters. Strings can be collected from programs that have a variety of functionality. This is a simple way to get hints about the functionality of a program.
Packed Malware
A subset of obfuscated malware. The malicious program is compressed to hinder analysis attempts. Need to unpack the malware before static analysis can take place.
Advanced Techniques of Static Analysis
Advanced techniques involve reverse engineering malware internals using a disassembler and viewing the program instructions. This often tells you exactly what the malware will do and requires specialized knowledge of disassembly, code constructs and OS concepts.
Host-Only Networking
Always ensure the host machine is fully updated/patched before attempting dynamic malware analysis on a guest VM. Host-only networking creates a separate private LAN between the host OS and guest OS. The malware is contained to the VM with some small amount of network connectivity.
Forms of Basic Static Analysis
- Antivirus Scanning
- Hashing
- Finding Strings
- Packed and Obfuscated Malware
- Portable Executable File Format
- Linked Libraries and Functions
- PE File Headers and Sections
Uses of the hash
- As a label for the malware
- Share the hash with other analysts to help them identify the malware
- Search for the hash online to see if the file has already been identified
Basic Techniques of Static Analysis
Basic techniques consist of examining a file without looking at the actual instructions that make up the malware. The focus is on determining functionality and producing simple network signatures based on the contents of a PE file (strings, API calls, etc.). It is quick but generally less effective against more sophisticated malware that would require execution to catch.
Why is antivirus scanning not a perfect system?
Can miss zero-day malware that isn't in the database or malware that modifies the code to change the signature
Dynamic analysis
Dynamic analysis consists of actually running the malware and documenting what happens
Advanced Techniques of Dynamic Analysis
For advanced dynamic analysis a debugger is utilized to examine the internal state of the malicious executable by walking through the executable one instruction at a time and documenting the actions taken. This gives a detailed accounting of information about a particular malware and is most useful when other techniques have not produced results.
host based signature
Host-based signatures, aka indicators, are primarily used to identify files created/modified by the malware or changes in the registry. The focus is on actions taken by the malware on a system and not characteristics of the malware itself. This type of signature is more effective at detecting malware that changes form each time it executes or that has been deleted from the hard disk.
File Signatures
Identifiable pieces of known suspicious code
MAC(E) Times
- M - Modified. This is the last time the file's contents were modified
- A - Accessed. The last time the file was accessed
- C - Created. The time the file was created
- E - Entry Modified. The last time the MFT entry for the file was modified
Networking
Need some form of Internet connection to monitor network activity for dynamic analysis. In some cases, it can be beneficial to disconnect/remove the virtual network adapter. Static analysis can generally be done without any need for an active connection. Two recommended network setups exist for containing threats while monitoring network activity from malware.
Network Signature
Network signatures are used to detect malicious code by monitoring network traffic. These signatures create identifiable patterns of activity based on network traffic sent/received during the execution of a particular malware. These signatures are used to establish when the malware is currently running or when it exists on a system or network based on the patterns found.
Imported Functions
The PE file header includes information about specific functions. The names of the functions can be used to establish what the malware might do. It is important to become familiar with and learn to use the Windows API through the Microsoft Developer Network (MSDN) library.
Difference Between Physical and Virtual Address Space
Physical: refers to the set of addresses used by the processor to access physical memory. This address space is rarely accessed directly.
Virtual: the single contiguous range of addresses exposed to a running process. This virtual address space is particular to each process that is currently executing. Two virtual address locations may map to the same physical address space.
Using Multiple VMs
Requires more than one VM to be linked by LAN, but disconnected from the Internet. Example: two VMs connected to the same VMNet virtual switch and not to the host OS. A virtual machine team can be used to monitor network activity while maintaining the benefits of VMs.
What is the purpose of signatures when dealing with malware?
Signatures are used to detect the malware infection on a network or system. It is based on some disk or network specific activity or component that can be identified on another system/network as belonging to the malware.
Static Analysis
Static analysis consists of techniques to analyze malware without running it.
Which aspect of the computer architecture handles the translation between physical and virtual addresses?
The CPU and the MMU are responsible for translating the virtual addresses into physical offsets in RAM.
Tool-Strings
The Strings tool searches an executable for ASCII and Unicode strings and ignores context and formatting. Any file type can be analyzed and it is possible to detect strings across an entire file. The Strings program will end up with some false positives from catching sequences of bytes and converting them to ASCII regardless of whether or not they mean anything. It is up to the user to filter out what is and is not useful.
Basic Techniques of Dynamic Analysis
The focus of basic analysis here is on removing the infection and producing effective signatures.
Which (physical or virtual address space) is used by the OS and any running applications?
The operating system and running applications use virtual address spaces, which are translated into physical address spaces when accessing data in RAM.
What is time stomping and what effect does it have on a forensics investigation? Is it difficult for a criminal to complete time stomping on a digital device? Why?
Timestomping is the act of intentionally overwriting timestamps for files, logs, and other artifacts that can be used to create a timeline. This can make analysis of a timeline much more difficult as there will be gaps in the timeline or events that are impossible to place on the timeline at the correct time. A criminal must be careful to overwrite ALL of the file time sources because there will be redundancy from timeline sources that can be used to place events correctly. Perfectly stomping timestamps can be difficult. For example, you can zero out the MAC times of a file, but the prefetch files and .lnk files will still have the file's MAC times.
Heuristics
behavioral and pattern-matching analysis
imports
functions used by one program that are actually stored in another program, e.g. code libraries
air-gapped networks
isolated networks to prevent the malware from spreading, but miss out on any functionality requiring an Internet connection
Example of Finding Strings
- Prints an output message
- Connects to a URL/IP address
- Copies a file to a location/file path
Obfuscated Malware
Programs where the malware author has attempted to hide or disguise the execution. Can severely limit analysis options. Initial analysis: obfuscated/packed malware generally contains very few strings compared to legitimate programs. Need to identify the type of obfuscation/packing done and work to reverse it to allow for analysis.
Exported Functions
Similar to imports, DLLs and EXEs export functions to interact with other programs and code. Generally, a DLL implements one or more functions and then exports them for use by some executable. The PE file also contains information about which functions a file exports. Most commonly seen in DLLs.
static linking
The least commonly used method. Involves all code from the linked file being copied into the executable. Can be difficult to separate original code and imported code. Increases the size of the executable that is linking the code library.
linking
The method used to connect the main executable to these code libraries. Linking can occur statically, at runtime, or dynamically, and understanding how/when linking occurs can be crucial to understanding the malware.
dynamic linking
The most common method for malware. The host OS searches for the necessary libraries once the program is loaded. When the program calls the linked library function, the function executes within the library. The PE file will store information about every library that will be loaded and every function that will be used.
runtime linking
Uncommon in legitimate programs. Commonly used in malware, especially in cases of obfuscated or packed malware. The executable links to the libraries only when the imported function is needed, not at program start. Commonly used Windows functions to support this functionality: LoadLibrary, GetProcAddress, LdrGetProcAddress, LdrLoadDll.
PE File Format
Used by Windows executables, object code, and DLLs. Contains information necessary for the Windows OS loader to manage wrapped executable code. PE files contain headers that include information about the code, application type, required library functions, and space requirements. A tool such as PEView can look through the header for valuable malware analysis data.
Image Smear
When the contents of RAM change over time due to the dynamic nature of memory. This can occur during the acquisition of particularly large samples of RAM and can cause some important information that was in RAM when the acquisition began to not be there when it ends.