Article

Malware Forensics Field Guide for Windows Systems


Abstract

The Syngress Digital Forensic Field Guides series is a hand-held companion for any digital and computer forensic investigator and analyst. Each book is a "tool" with checklists for specific tasks, case studies of difficult situations, and expert analyst tips. Growth in technology has resulted in more technology crimes, spurring the need for more computer forensics analysts and investigators. A computer forensics analyst recovers data from digital media that will be used in criminal prosecution. Digital media refers to all methods of electronic data storage and transfer devices, including computers, laptops, PDAs and the images, spreadsheets and other types of files stored on these devices. Many forensics analysts work across a variety of platforms for different jobs.
* A condensed hand-held guide complete with on-the-job tasks and checklists
* Specific to Windows-based systems, the most widely deployed OS in the world
* Authors are world-renowned leaders in investigating and analyzing malicious code


... These domains are typically named after the data source of digital evidence, as the proliferation of these devices and technologies in everyday life makes them a necessary aspect that requires unique skill sets and idiosyncrasies for investigation. Well-established domains in digital forensics have been documented [35,37,38,39], which include Storage Forensics and its relevant sub-domains for the different kinds of media such as Memory Forensics [40,41,42,43], Filesystem Forensics [44], Database Forensics [35,45,46], and Disk Forensics [47]. Other domains include Network Forensics [48,49,50]; Mobile Forensics [37,51,52]; Multimedia Forensics [53,54,55]; IoT Forensics [56,57]; Cloud Forensics [58,59]; Malware Forensics [60]; and Blockchain Forensics [12]. ...
Article
Blockchain technology has risen in recent years from its initial application in finance to gain prominence across diverse sectors, including digital forensics. The possible application of blockchain technology to digital forensics is now becoming increasingly explored, with many researchers now looking into the unique inherent properties that blockchain possesses to address the inherent challenges in this sector such as evidence tampering, the lack of transparency, and inadmissibility in court. Despite the increasing interest in integrating blockchain technology into the field of digital forensics and its domains, no systematic literature review currently exists to provide a holistic perspective on this integration. It is a challenge to find a comprehensive resource that examines how blockchain is being applied to enhance the digital forensics process. This paper provides a systematic literature review to explore the application of blockchain technology in digital forensics, focusing on its potential to address these challenges and enhance forensic methodologies. Through a rigorous review process, this paper examines selected studies to identify diverse frameworks, methodologies, and blockchain-driven enhancements applied to digital forensic investigations. The discussion highlights how blockchain properties such as immutability, transparency, and automation have been leveraged to improve evidence management and forensic workflows. Furthermore, this paper explores the common applications of blockchain-based forensic solutions across various domains and phases while addressing the associated limitations and challenges. Open issues and future research directions, including unexplored domains and operational gaps, are also discussed. This study provides valuable insights for researchers, investigators, and policymakers by offering a comprehensive overview of the state of the art in blockchain-based digital forensics, summarizing key contributions and limitations, and identifying pathways for advancing the field.
... Dynamic analysis observes malware by running it and comparing the infected state against the base environment [7]. During execution, the malware interacts with the host through process, file system, registry, and network activity [8]. This method is appropriate if the analyst wants information on malware functionality [9]. ...
... ; Casey 2011b; Ferraro, Casey, and McGrath 2005; Jones, Bejtlich, and Rose 2005; Kipper 2004; Malin, Casey, and Aquilina 2012; Malin et al. 2014; Mohay 2003; Reiber 2019; Sammes and Jenkinson 2000; Steel 2006; Williams 2006). ...
... Malware is typically used to steal information that can be readily monetized, such as login credentials, credit card and bank account numbers, and intellectual property such as computer software, financial algorithms, and trade secrets [11]. Although many cyber-criminal groups are trafficking in commodities shared by multiple industry sectors, such as credit card numbers, there are some situations wherein a single company is obviously the target of a single adversary, whether it be an organized crime syndicate, nation-state, or a single operative [12]. For example, the work of a single nation-state adversary was evident to Google upon analysis of its 2009 cyber-attack. ...
Article
Malware is an application that is harmful to your forensic information. Basically, malware analysis is the process of analysing the behaviour of malicious code and then creating signatures to detect and defend against it. Malware such as Trojan horses, worms and spyware severely threatens forensic security. This research observed that although malware and its variants may vary a lot in content signatures, they share some behaviour features at a higher level which are more precise in revealing the real intent of malware. This paper investigates the various techniques of malware behaviour extraction and analysis. In addition, we discuss the implications of malware analysis tools for malware detection based on various techniques.
... Since the technique raises issues in respect of the forensically sound collection of evidence, the standard approach to computer analysis remains the capture of static systems, or what is colloquially known as "Pull The Plug". There are arguments to support both methods, but live memory capture is now seen as an imperative for network and malware investigations as well as live response (Anson et al., 2012; Malin et al., 2012). ...
... However, there is a significant challenge for the examiner in dealing with modern malware, since it is designed to leave limited traces on the compromised host and to misdirect the forensic examiner. Nevertheless, every examiner should perform a thorough and robust examination that might include all the approaches to extract the maximum amount of information relating to the malware incident (Malin, Aquilina, & Casey, 2012). Heriyanto (2012) reveals that volatile memory forensics is the most effective approach in comparison with live response and Windows registry analysis on banking Trojan malware incidents. ...
Conference Paper
Whenever a program runs within the operating system, there will be data or artefacts created on the system. This condition applies to malicious software (malware). Although malware intends to obscure its presence on the system with anti-forensic techniques, it still has to run on the victim's system to achieve its objective. Modern malware creates a significant challenge for the digital forensic community since it is designed to leave limited traces and misdirect the examiner. Therefore, every examiner should consider performing all the forensic approaches, such as memory forensics, live response and Windows file analysis, in malware incidents to acquire all the potential evidence on a victim's system. There is a challenge when an examiner only has the option to perform a post-mortem forensic approach. It leads to a question: what forensic examination and analysis is available to obtain evidence in such incidents? The paper shows how the Prefetching process works on a system, its common characteristics, and the differences in the Prefetching process across the various versions of Windows. The paper then shows how Prefetch files contain evidentiary value that can answer what, how, and when the banking Trojan malware infected the system. Finally, the paper shows that forensic examination and analysis of Prefetch files can find the data remnants of banking Trojan malware incidents.
Article
This paper explores the application of programming code in computer network forensics, with a focus on methods for collecting, analyzing and preserving network data. We discuss various techniques and tools for detecting network threats, monitoring network traffic, and identifying anomalies that may indicate security incidents. The goal is to show how programming code can improve the efficiency of forensic investigations and enable more accurate analyses.
Book
Main steps for Communication and Information systems penetration testing and the respective results.
Chapter
This chapter describes different antivirus (AV) technologies and how they work. AV scanners try to watch everything that is going on around them, look out for suspicious behavior, and attempt to intercede when they think something bad is happening or about to happen. AV scanners look for certain patterns and behaviors, and they leap into action when a suspect crosses a predetermined threshold of acceptability. The AV engine and its signature database work in concert to prevent and detect malware trying to enter a system. The engine generally provides a library of commonly used functions. AV scanners can be installed on the desktop or on servers. Each strategy has its advantages and disadvantages. If an organization's computer security policy allows unrestricted use of thumb drives, floppies, and compact disks, then AV scanners are deployed to the desktop. A server-based AV scanner can be configured to send alerts to administrators when suspected malware is detected. Like the desktop-based scanners, the response to malware detection can be predetermined.
Thesis
Malware represents a real threat to the security of our computers, and with its continued proliferation and the development of anti-detection techniques, it has become vital to have effective protection against such threats. Unfortunately, commercial antivirus software is not able to provide the required level of protection, mainly because it uses signature-based detection techniques. These techniques are known for their limitations in the detection of unknown malware as well as variants of existing malware. During the past twenty years, security researchers have introduced a variety of approaches to address the weaknesses in signature-based detection systems. However, most of these approaches focus on improving the accuracy and ignore an important factor, which is the detection time. Indeed, being able to detect and neutralize a threat in a short time can be vital for the security of the system. In addition, knowing the nature of the threat (in this case the malware's type) is also an important factor that will determine the nature of the measures to be taken. Finally, we believe that whatever its degree of accuracy, a local tool working in an isolated way will be quickly overwhelmed, due to the huge number of malware samples circulating on the Internet. In this thesis, we first propose a real-time system for detecting PE (Portable Executable) malware. In this first contribution, we tried to find a good compromise between detection accuracy and processing time. Second, we introduce a new approach based on a data analysis method, namely multiple correspondence analysis (MCA), that extracts the different associations of APIs (Application Programming Interfaces) used by different types of malware. These associations will be of great importance for the identification of different types of malware. Finally, we propose a novel approach for collaborative malware detection using multi-agent systems (MAS). Our approach provides a cooperative mechanism with autonomous agents that will allow the collaboration of different heterogeneous malware detection tools. We also discuss the necessity of a universal identification method for executable files using an opcode-based signature. Thus, the resulting collective decision can significantly improve the detection accuracy.
Book
The book Executing Windows Command Line Investigations targets the needs of cyber security practitioners who focus on digital forensics and incident response. These are the individuals who are ultimately responsible for executing critical tasks such as incident response; forensic analysis and triage; damage assessments; espionage or other criminal investigations; malware analysis; and responding to human resource violations. The authors lead readers through the importance of the Windows CLI, as well as its optimal configuration and usage. Readers will then learn the importance of maintaining evidentiary integrity and understanding evidence volatility, and gain appropriate insight into methodologies that limit the potential of inadvertently destroying or otherwise altering evidence. Next, readers are given an overview of how to use the proprietary software that accompanies the book as a download from the companion website. This software, called Proactive Incident Response Command Shell (PIRCS), developed by Harris Corporation, provides an interface similar to that of a Windows CLI that automates the evidentiary chain of custody and reduces human error and documentation gaps during incident response. Includes a free download of the Proactive Incident Response Command Shell (PIRCS) software. Learn about the technical details of the Windows CLI so you can directly manage every aspect of incident response evidence acquisition and triage, while maintaining evidentiary integrity.
Conference Paper
The past years have shown an increase in both the number and sophistication of cyber-attacks targeting Windows and Linux operating systems. Traditional network security solutions such as firewalls are incapable of detecting and stopping these attacks. In this paper, we describe our distributed firewall solution Distfw and its integration with a sandbox for malware analysis and detection. We demonstrate the effectiveness and shortcomings of such a solution. We use Cuckoo to perform automated analysis of malware samples and compare the results with those from manual analysis. We find that Cuckoo provides similar results in a considerable amount of time.
Article
Malware analysis and classification systems use static and dynamic techniques, in conjunction with machine learning algorithms, to automate the task of identifying and classifying malicious code. Both techniques have weaknesses that allow the use of analysis evasion techniques, hampering the identification of malware. In this work, we propose the unification of static and dynamic analysis as a method of collecting data from malware that decreases the chance of success for such evasion techniques. From the data collected in the analysis phase, we use the C5.0 and Random Forest machine learning algorithms, implemented inside the FAMA framework, to identify and classify malware into two classes and multiple categories. In our experiments, we showed that the unified analysis achieved an accuracy of 95.75% for the binary classification problem and 93.02% for the multiple categorization problem. In all experiments, the unified analysis produced better results than those obtained by static and dynamic analysis in isolation.
Article
Cloud computing is a technological advancement that provides resources through the Internet on a pay-as-you-go basis. Cloud computing uses virtualisation technology to enhance the efficiency and effectiveness of its advantages. Virtualisation is the key to consolidating computing resources to run multiple instances on each piece of hardware, increasing the utilization rate of every resource and thus reducing the number of resources that must be bought, racked, powered, cooled, and managed. Cloud computing has very appealing features; however, many enterprises and users are still reluctant to move into the cloud due to serious security concerns related to the virtualisation layer. Thus, it is of foremost importance to secure the virtual environment. In this paper, we present an elastic framework to secure virtualised environments for trusted cloud computing called Server Virtualisation Security System (SVSS). SVSS provides security solutions located on the hypervisor for virtual machines by deploying malicious activity detection techniques, network traffic analysis techniques, and system resource utilization analysis techniques. SVSS consists of four modules: Anti-Virus Control Module, Traffic Behavior Monitoring Module, Malicious Activity Detection Module and Virtualisation Security Management Module. An SVSS prototype has been deployed to validate its feasibility, efficiency and accuracy in a Xen virtualised environment.
Conference Paper
Nowadays many botnets are being used for cybercrime such as distributed denial of service (DDoS) or information stealing. A botnet is a collection of Internet-connected computers that have been taken over by an attacker using malware. These infected computers are known as bots or zombies. The attacker controls these bots through an infrastructure called a Command and Control (C&C) server. In general, botnets spread with the Windows operating system as their main target, in the form of executable files (.exe). Windows now has a massive number of applications in the form of executable files, and almost all of them connect to the Internet, which makes it very difficult to distinguish whether an executable file is botnet malware or not. Therefore, identifying and detecting botnet malware requires malware analysis of Windows executable files. There are many ways to analyze malware, but generally speaking there are two techniques in malware analysis: static analysis and dynamic analysis. By combining the results of static analysis and dynamic analysis, data can be produced for detecting botnet malware in Windows executable files, namely Herpestnet, Ann Loader, mbot, Vertexnet, Athena, Elite Loader, Gbot, and Cythosia.
Article
The Microsoft Windows 8 operating system has a newly added feature to track system resource usage, specifically process and network metrics over time. Process related information such as process owner, CPU cycles used, data bytes read/written, and network data (sent/received) are continuously recorded by a mechanism called System Resource Usage Monitor (SRUM). This paper describes the SRUM mechanism, its databases, Windows registry entries, data logging, and potential uses in a forensic examination. Prior to this applied research, no tools were available to parse the SRUM data to a usable format. As part of this paper, two scripts have been developed to aid forensic examiners who would want to read, parse, and decode this information from a forensic disk image.
Article
Forensic analysis of physical memory is gaining good attention from experts in the community, especially after the recent development of valuable tools and techniques. Investigators find it very helpful to seize physical memory contents and perform post-incident analysis of this potential evidence. Most of the research carried out focuses on enumerating processes and threads by accessing memory-resident objects. To collect case-sensitive information from the extracted memory content, the existing techniques usually rely on string matching. The most important contribution of the paper is a new technique for extracting sensitive information from physical memory. The technique is based on analyzing the call stack and the security-sensitive APIs. It allows extracting sensitive information that cannot be extracted by string matching-based techniques. In addition, the paper leverages string matching to obtain a more reliable technique for analyzing and extracting what we call "application/protocol fingerprints". The proposed techniques and their implementation target machines running under the Windows XP (SP1, SP2) operating system.
Article
This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.
Article
Current memory forensic tools concentrate mainly on system-related information like processes and sockets. There is a need for more memory forensic techniques to extract user-entered data retained in various Microsoft Windows applications such as the Windows command prompt. The command history is a prime source of evidence in many intrusions and other computer crimes, revealing important details about an offender’s activities on the subject system. This paper dissects the data structures of the command prompt history and gives forensic practitioners a tool for reconstructing the Windows command history from a Windows XP memory capture. At the same time, this paper demonstrates a methodology that can be generalized to extract user-entered data on other versions of Windows.
Article
This paper describes a methodology for the reconstruction of digital events by comparing states captured in time. Microsoft Windows Restore Point data is used to illustrate how to organize captured state information into a useful timeline of user and system events. It is shown that by comparing consecutive states, events can be uncovered that would otherwise be unknown by analysis of the current system state alone.
Book
Based on the use of open source tools, this book lends itself to many organizations as well as students who do not have the means to purchase new tools for different investigations. Well-known forensic methods are demonstrated using open-source computer forensic tools (Sleuthkit, Foremost, dcfldd, pyflag, etc.) for examining a wide range of target systems (Windows, Mac, Linux, Unix, etc.). The digital forensics industry is growing at a rapid pace, and this book is perfect for someone entering the field who does not have access to corporate tools. Written by world-renowned forensic practitioners. Covers open source forensics tools for all major systems: Windows, Mac, and Linux. Uses the most current examination and analysis techniques in the field.
Book
Harlan Carvey brings readers an advanced book on the Windows Registry. The first book of its kind ever, Windows Registry Forensics provides the background of the Registry to help develop an understanding of the binary structure of Registry hive files. Approaches to live response and analysis are included, and tools and techniques for postmortem analysis are discussed at length. Tools and techniques are presented that take the analyst beyond the current use of viewers and into real analysis of data contained in the Registry. Named a 2011 Best Digital Forensics Book by InfoSec Reviews. Packed with real-world examples using freely available open source tools. Deep explanation and understanding of the Windows Registry, the most difficult part of Windows to analyze forensically. Includes a CD containing code and author-created tools discussed in the book.
Chapter
This chapter demonstrates the full capabilities of open source forensics tools. One can actually perform a complete investigation using solely open source tools. While digital forensics techniques are used in more contexts than just criminal investigations, the principles and procedures are more or less the same no matter the investigation. Digital forensic examinations use computer-generated data as their source. The goal of any given forensic examination is to find facts, and via these facts to recreate the truth of an event. The examiner reveals the truth of an event by discovering and exposing the remnants of the event that are left on the system. The process of digital forensics is discussed in three categories of activity: acquisition, analysis, and presentation. The Open Source Initiative has created a formal definition that lays out the requirements for a software license to be truly open source. There are a great many passionate screeds about the benefits of open source software, the ethics of software licensing, and the evils of proprietary software. The biggest benefit open source software provides to the examiner is the code itself.
Article
In this paper we examine the use of the Windows Registry as a source of forensic evidence in digital investigations, especially related to Internet usage. We identify the sources of the information, along with the methods used and toolsets available for such examinations, and illustrate their use for recovering evidence. We highlight issues of forensic practice related to Registry inspections and propose ideas for further improvements of the process and the tools involved. (c) 2006 Elsevier Ltd. All rights reserved.
Article
We present the Forensic Analysis ToolKit (FATKit) – a modular, extensible framework that increases the practical applicability of volatile memory forensic analysis by freeing human analysts from the prohibitively-tedious aspects of low-level data extraction. FATKit allows analysts to focus on higher-level tasks by providing novel methods for automatically deriving digital object definitions from C source code, extracting those objects from memory images, and visualizing the underlying data in various ways. FATKit presently includes modules for general virtual address space reconstruction and visualization, as well as Linux- and Windows-specific kernel analysis.
Article
What makes a PDF file malicious? PDF designers and the PDF reader software architects never intended for files to be able to modify the operating system running the PDF reader. But security researchers and malware authors found ways to exploit PDF readers' software bugs and to creatively use the PDF language, enabling them to produce PDF documents that execute arbitrary code. Embedded files are a good example of this design philosophy: the PDF language allows files to be embedded inside PDF documents. PDF reader software designers have begun using Windows security features such as data execution prevention (DEP) and address space layout randomization (ASLR) to prevent exploits from executing.
Article
The NTFS file system underlying modern Windows versions provides the user with a number of novel ways in which to configure data storage and data paths within the NTFS environment. This article seeks to explain two of these, Volume Mount Points and Directory Junctions, so that when they are encountered the forensic examiner will have some information as to their use and structure.
Article
Time information is an important factor in digital forensic investigations. The time information of files obtained under the New Technology File System (NTFS) for Windows is determined by the creation, modification, access, and master file table (MFT) entry modification times and can be changed by user manipulations such as copy, move, and change. The characteristics of changes in time attributes can be used to analyze certain user behaviors related to data transfer and modification. This study analyzes the change in time attributes of files or folders resulting from user manipulations under different Windows operating systems and deduces user behaviors through a procedure based on the analysis results.
Article
Digital memory forensics consists of analyzing various components of a memory image from a compromised host. A memory image consists of data and processes that were running on the system at the time the image was created. Previously running processes are one of the key items in memory images to identify, including potentially hidden processes. Each process has its own paging structures that define its address space, so locating the paging structures can potentially lead to finding all of the processes that were running. In this paper, we describe an algorithm to locate paging structures in a memory image of an x86 platform running either Linux or Windows XP. The algorithm can be used to find paging structures for potential processes that were hidden by rootkits or other malware. Furthermore, if the system was running an x86 virtual machine, the algorithm can locate paging structures associated with both the host kernel and the guest kernel processes. Our algorithm relies more on the constructs of the x86 hardware and less on the operating system running on top of the hardware. This means that the algorithm works for many different operating systems with only minor tweaking.
Article
Investigating computer intrusions is becoming far more complicated with the advancement of post-exploitation techniques currently being used by attackers. We must continually update our traditional forensic techniques to include the rarer investigative steps. Analysis of System Restore points is one of these steps. This article illustrates how a forensic examiner analyzed System Restore points to reveal traces of evidence which ultimately led to a complete understanding of the computer compromise and the subsequent bank account compromises.