Intro to Computer Forensics Test 2


physical machines

- Can see a more accurate execution of malware
- Malware can be difficult to fully remove on a physical machine

Virtual machines

- Can use snapshots to quickly reload a machine state
- Easily distributable

How does memory acquisition differ from disk-based acquisition?

- No plug pulling
- No before and after hash
- Not generally repeatable
- Image smear
- Can be subverted

Why is a Timeline important?

- We can find a file that may not mean much by itself.
- Knowing the time the file was created can give us additional information.

Two key issues that arise when using data carving on physical memory

1. Data carving relies on locating a file signature from a header/footer and tries to carve out a contiguous space into a file. The pages of a file in memory are not contiguous, which makes it hard for data carving tools to extract complete files, unless the file is less than or equal to 4096 bytes in size.
2. Unstructured analysis of memory images, like data carving, has no context. So, even if a file is obtained from data carving a memory image, there is no way to know which process was utilizing the file that was collected. For example, if we find a confidential PDF file in memory, we don't know if it was being used by the currently running FTP process address space or the Adobe Reader process address space, the implications of which are key to an investigation.

When analyzing malware during an investigation about a network intrusion, what are the two primary goals of the analysis?

1. Establish what occurred on the system/network.
2. Ensure that you locate all infected machines and files.

List four reasons that we are interested in analyzing the contents of memory:

1. Identify indicators of compromise (IOCs)
2. Persistence mechanisms
3. Initial compromise point
4. User activity
5. Support disk and packet analysis

Name five sources of timestamps that can be used to construct a timeline for a digital device

1. Prefetch files
2. UserAssist key
3. Recycle bin
4. Registry files (hive files - SOFTWARE, SAM, SECURITY, etc.)
5. Web history logs (browser logs, .dat files)
6. Windows firewall logs
7. Filesystem timestamps (MAC times)

What are the two primary methods of constructing a super timeline? Briefly describe what is involved in both methods, giving both an advantage and a disadvantage

1. The first approach is to gather every timestamp on the machine possible. This gives the most information to the investigator, but can be an overwhelming amount of information.
2. The second approach is a layered approach which starts at a particular window of time and slowly expands to analyze and add further information to the timeline. This method can often cause tunnel vision by focusing too much on a particular timeframe and losing sight of some events on the system.

List three questions that we try to answer when analyzing suspected malware.

1. What actions does the binary take?
2. How to detect the malware on your network/system?
3. How to measure and contain the damage?

Hashing

A common method used to uniquely identify malware. The hashing program creates a hash that identifies the malware (MD5/SHA-1).

Antivirus Scanning

A good first step to getting some initial feedback about the file and any known data/hashes. Generally works using a database of known malware data.

Linked Libraries

A list of imports is one of the most important pieces of information about an executable

Finding Strings

A string in a program is a sequence of characters. Strings can be collected from programs that have a variety of functionality. This is a simple way to get hints about the functionality of a program.

Packed Malware

A subset of obfuscated malware. The malicious program is compressed to hinder analysis attempts. Need to unpack the malware before static analysis can take place.

Advanced Techniques of Static Analysis

Advanced techniques involve reverse engineering malware internals using a disassembler and viewing the program instructions. This often tells you exactly what the malware will do and requires specialized knowledge of disassembly, code constructs and OS concepts.

Host-Only Networking

Always ensure the host machine is fully updated/patched before attempting dynamic malware analysis on a guest VM. Host-only networking creates a separate private LAN between the host OS and guest OS. The malware is contained to the VM with some small amount of network connectivity.

Forms of Basic Static Analysis

- Antivirus Scanning
- Hashing
- Finding Strings
- Packed and Obfuscated Malware
- Portable Executable File Format
- Linked Libraries and Functions
- PE File Headers and Sections

Uses of the hash

- As a label for the malware
- Share the hash with other analysts to help them identify the malware
- Search for the hash online to see if the file has already been identified

Basic Techniques of Static Analysis

Basic techniques consist of examining a file without looking at the actual instructions that make up the malware. The focus is on determining functionality and producing simple network signatures based on the contents of a PE file, based on strings, API calls, etc. It is quick but generally less effective against more sophisticated malware that would require execution to catch.

Why is antivirus scanning not a perfect system?

Can miss zero-day malware that isn't in the database or malware that modifies the code to change the signature

Dynamic analysis

Dynamic analysis consists of actually running the malware and documenting what happens

Advanced Techniques of Dynamic Analysis

For advanced dynamic analysis a debugger is utilized to examine the internal state of the malicious executable by walking through the executable one instruction at a time and documenting the actions taken. This gives a detailed accounting of information about a particular malware and is most useful when other techniques have not produced results.

host based signature

Host-based signatures, aka indicators, are primarily used to identify files created/modified by the malware or changes in the registry. The focus is on actions taken by the malware on a system and not characteristics of the malware itself. This type of signature is more effective at detecting malware that changes form each time it executes or that has been deleted from the hard disk.

File Signatures

Identifiable pieces of known suspicious code

MAC(E) Times

- M - Modified. The last time the file's contents were modified
- A - Accessed. The last time the file was accessed
- C - Created. The time the file was created
- E - Entry Modified. The last time the MFT entry for the file was modified

Networking

Need some form of Internet connection to monitor network activity for dynamic analysis. In some cases, it can be beneficial to disconnect/remove the virtual network adapter. Static analysis can generally be done without any need for an active connection. There are two recommended network setups for containing threats while monitoring network activity from malware.

Network Signature

Network signatures are used to detect malicious code by monitoring network traffic. These signatures create identifiable patterns of activity based on network traffic sent/received during the execution of a particular malware. These signatures are used to establish when the malware is currently running or when it exists on a system or network based on the patterns found.

Imported Functions

The PE file header includes information about specific functions. The names of the functions can be used to establish what the malware might do. It is important to become familiar with and learn to use the Windows API through the Microsoft Developer Network (MSDN) library.

Difference Between Physical and Virtual Address Space

Physical: refers to the set of addresses used by the processor to access physical memory. This address space is rarely accessed directly. Virtual: the single contiguous range of addresses exposed to a running process. This virtual address space is particular to each process that is currently executing. Two virtual address locations may map to the same physical address space.

Using Multiple VMs

Requires more than one VM to be linked by LAN, but disconnected from the Internet. Example: two VMs connected to the same VMNet virtual switch and not to the host OS. A virtual machine team can be used to monitor network activity while maintaining the benefits of VMs.

What is the purpose of signatures when dealing with malware?

Signatures are used to detect the malware infection on a network or system. It is based on some disk or network specific activity or component that can be identified on another system/network as belonging to the malware.

Static Analysis

Static analysis consists of techniques to analyze malware without running

Which aspect of the computer architecture handles the translation between physical and virtual addresses?

The CPU and the MMU are responsible for translating the virtual addresses into physical offsets in RAM.

Tool-Strings

The Strings tool searches an executable for ASCII and Unicode strings and ignores context and formatting. Any file type can be analyzed and it is possible to detect strings across an entire file. The Strings program will end up with some false positives from catching sequences of bytes and converting them to ASCII regardless of whether or not they mean anything. It is up to the user to filter out what is and is not useful.

Basic Techniques of Dynamic Analysis

The focus of basic analysis here is on removing the infection and producing effective signatures.

Which (physical or virtual address space) is used by the OS and any running applications?

The operating system and running applications use virtual address spaces, which are translated into physical address spaces when accessing data in RAM.

What is time stomping and what effect does it have on a forensics investigation? Is it difficult for a criminal to complete time stomping on a digital device? Why?

Timestomping is the act of intentionally overwriting timestamps for files, logs, and other artifacts that can be used to create a timeline. This can make analysis of a timeline much more difficult as there will be gaps in the timeline or events that are impossible to place on the timeline at the correct time. A criminal must be careful to overwrite ALL of the file time sources because there will be redundancy from timeline sources that can be used to place events correctly. Perfectly stomping timestamps can be difficult. For example, you can zero out the MAC times of a file, but the prefetch files and .lnk files will still have the file's MAC times.

Heuristics

behavioral and pattern-matching analysis

imports

functions used by one program that are actually stored in another program, e.g. code libraries

air-gapped networks

isolated networks to prevent the malware from spreading, but miss out on any functionality requiring an Internet connection

Example of Finding Strings

- Prints an output message
- Connects to a URL/IP address
- Copies a file to a location/file path

Obfuscated Malware

Programs where the malware author has attempted to hide or disguise the execution. Can severely limit analysis options. Initial analysis: obfuscated/packed malware generally contains very few strings compared to legitimate programs. Need to identify the type of obfuscation/packing done and work to reverse it to allow for analysis.

Exported Functions

Similar to imports, DLLs and EXEs export functions to interact with other programs and code. Generally, a DLL implements one or more functions and then exports them for use by some executable. The PE file also contains information about which functions a file exports. Most commonly seen in DLLs.

static linking

The least commonly used method. Involves all code from the linked file being copied into the executable. Can be difficult to separate original code and imported code. Increases the size of the executable that is linking the code library.

linking

The method used to connect the main executable to these code libraries. Linking can occur statically, at runtime, or dynamically, and understanding how/when linking occurs can be crucial to understanding the malware.

dynamic linking

The most common method for malware. The host OS searches for the necessary libraries once the program is loaded. When the program calls the linked library function, the function executes within the library. The PE file will store information about every library that will be loaded and every function that will be used.

runtime linking

Uncommon in legitimate programs. Commonly used in malware, especially in cases of obfuscated or packed malware. The executable links to the libraries only when the imported function is needed, not at program start. Commonly used Windows functions to support this functionality: LoadLibrary, GetProcAddress, LdrGetProcAddress, LdrLoadDll.

PE File Format

Used by Windows executables, object code, and DLLs. Contains information necessary for the Windows OS loader to manage wrapped executable code. PE files contain headers that include information about the code, application type, required library functions, and space requirements. A tool such as PEView can look through the header for valuable malware analysis data.

Image Smear

When the contents of RAM change over time due to the dynamic nature of memory. This can occur during the acquisition of particularly large samples of RAM and can cause some important information that was in RAM when the acquisition began to not be there when it ends.
