• md5deep is a powerful MD5 hashing and analysis tool suite written by Jesse Kornblum that gives the user granular control over the hashing options, including piecewise and recursive modes (Figure 5.4).⁵

• In addition to the MD5 algorithm, the md5deep suite provides for alter-native algorithms by providing additional utilities such as sha1deep, tigerdeep, sha256deep, and whirlpooldeep, all of which come included in the md5deep suite download.

• Identifying the file type is determining the nature of the file from its file format or signature based upon available data contained within the file.

• File type analysis, coupled with file classification, or a determination of the native operating system and the architecture for which the code was intended, are fundamental aspects of malware analysis that often dictate how and the direction in which your analytical and investigative methodology will unfold.

• A file signature is a unique sequence of identifying bytes written to a file’s header. On a Windows system, a file signature is normally contained within the first 20 bytes of the file.

• Different file types have different file signatures; for example, a Windows Bitmap image file (.bmp extension) begins with the hexadecimal characters 42 4D in the first two bytes of the file, characters that translate to the letters “BM.”

• Most Windows-based malware specimens are executable files, often ending in the extensions .exe, .dll, .com, .pif, .drv, .qtx, .qts, .ocx, or .sys. The file signature for these files is “MZ” or the hexadecimal characters 4D 5A, found in the first two bytes of the file.

• Generally, there are two ways to identify a file’s signature.

• By viewing a file in a hex editor, every byte of the file is visible, assuming its contents are not obfuscated by packing, encryption, or compression.

• MiniDumper by Marco Pontello¹⁰ is a convenient tool for examining a file in hexadecimal format, as it displays a dump of the file header only, as illustrated in Figure 5.8.

• Other hexadecimal viewers for Windows provide additional functionality to achieve a more granular analysis of a file, including strings identification, hash value computation, multiple file comparison, and templates for parsing the structures of specific file types.

• Approach this phase of the analysis in two separate steps:

• Unlike vendor-specific malware specimen submission Web sites, online malware scanning services will scan submitted specimens against numerous anti-virus engines to identify whether the submitted specimen is detected as hostile code.

• During the course of inspecting the file, the scan results for the respective anti-virus engines are presented in real time on the Web page.

• These Web sites are distinct from online malware analysis sandboxes that execute and process the malware in an emulated Internet, or “sandboxed,” network. The use of online malware analysis sandboxes will be discussed in Chapter 6.

• Remember that submission of any specimen containing personal, sensitive, proprietary, or otherwise confidential information may violate the victim company’s corporate policies or otherwise offend the ownership, privacy, or other corporate or individual rights associated with that information. Be careful to seek the appropriate legal guidance in this regard, before releasing any such specimen for third-party examination.

• Do not submit a suspicious file that is the crux of a sensitive investigation (i.e., circumstances in which disclosure of an investigation could cause irreparable harm to a case) to online analysis resources, such as anti-virus scanning services, in an effort not to alert the attacker. The results relating to a submitted file to an online malware analysis service are publicly available and easily discoverable—many portals even have a search function. Thus, as a result of submitting a suspect file, the attacker may discover that his malware and nefarious actions have been discovered, resulting in the destruction of evidence, and potentially damaging your investigation.

• Assuming you have determined it is appropriate to do so, submit the suspect file by uploading the file through the Web site submission portal.

• Upon submission, the anti-virus engines will run against the suspect file. As each engine passes over the submitted specimen, the file may be identified, as manifested by a signature identification alert similar to that depicted in Figure 5.12.

• If the file is not identified by any anti-virus engine, the field next to the respective anti-virus software company will either remain blank (in the case of VirusTotal and VirScan), or state that no malicious code was detected (in the case of Jotti Online Malware Scanner and Metascan Online).

• The signature names attributed to the file provide an excellent way to gain additional information about what the file is and what it is capable of. By visiting the respective anti-virus vendor Web sites and searching for the signature or the offending file name, more often than not a technical summary of the malware specimen can be located.

• Alternatively, through search engine queries of the anti-virus signature, hash value, or file name, information security-related Web site descriptions or blogs describing a researcher’s analysis of the hostile program also may be encountered. Such information may contribute to the discovery of additional investigative leads and potentially reduce time spent analyzing the specimen.

• Conversely, there is no better way to get a sense of your malicious code specimen than thoroughly analyzing it yourself; relying entirely on third-party analysis to resolve a malicious code incident often has practical and real-world limitations.

• Although symbolic references and metadata may be identified while parsing the strings of a file, these items are treated separately and distinctly from one another during the examination of a suspect file.

• Embedded artifacts—evidence contained within the code or data of the suspect program—are best inspected separately to promote organization and clearer file context. Each inspection may shape or otherwise frame the future course of investigation.

• Program Functionality: Often, the strings in a program will reveal calls made by the program to a particular .dll or function call. To help evaluate the significance of such strings, the Windows API Reference Web site²⁴ and the Microsoft Advanced Search engine²⁵ are solid references.

• File Names: The strings in a malicious executable often reference the file name the malicious file will manifest as on a victim system, or perhaps more interestingly, the name the hacker bestowed on the malware. Further, many malicious executables will reference or make calls for additional files that are pulled down through a network connection to a remote server.

• Moniker Identification (“greetz” and “shoutz”): Although not as prevalent recently, some malicious programs actually contain the attacker’s moniker hard-coded within it. Similarly, attackers occasionally reference, or give credit to, another hacker or hacking crew in this way—references known as “greetz” or “shoutz.” Like self-recognition references inside code, however, greetz and shoutz are less frequent.²⁶

• URL and Domain Name References: A malicious program may require or call on additional files to update. Alternatively, the program may use remote servers as drop sites for tools or stolen victim data. As a result, the malware may contain strings referencing the URLs or domain names utilized by the code.

• Registry Information: Some malware specimens reference registry keys or values that will be added or modified upon installation. Often, as discussed in other chapters, hostile programs create a persistence mechanism through a registry autorun subkey, causing the program to start up each time the system is rebooted.

• IP Addresses: Similar to URLs and domain names, Internet Protocol (IP) addresses often are hard-coded into malicious programs and serve as “phone home” instructions, or in other instances, the direction of the attack.

• E-mail Addresses: Some specimens of malicious code e-mail the attacker information extracted from the victim machine. For example, many of the Trojan horse variants install a keylogger on the victim computers to collect usernames and passwords and other sensitive information, then transmit the information to a drop-site e-mail address that serves as a central receptacle for the stolen data. An attacker’s e-mail address is obviously a significant evidentiary clue that can develop further investigative leads.

• IRC Channels: Often the channel server and name of the Internet Relay Chat (IRC) command and control server used to herd armies of compromised computers or botnets are hard-coded into the malware that infects the zombie machines. Indeed, suspect files may even reference multiple IRC channels for redundancy purposes should one channel be lost or closed and another channel comes online.

• Program Commands or Options: More often than not, an attacker needs to interact with the malware he or she is spreading, usually to promote the efficacy of the spreading method. Some older bot variants use instant messenger (IM) programs as an attack vector, and as such, the command to invoke IM spreading can be located within the program’s strings. Similarly, command-line options and/or embedded help/usage menu information can potentially reveal capabilities of a target specimen.

• Error and Confirmation Messages: Confirmation and error messages found in malware specimens (such as “Exploit FTPD is running on port: %i, at thread number: %i, total sends: %i”) often become significant investigative leads and provide good insight into the malware specimen’s capabilities.

• A number of tools can help quickly assess whether a suspect binary is statically or dynamically linked.

• DUMPBIN,²⁹ a command-line utility provided with Microsoft Visual C++ in Microsoft Visual Studio,³⁰ combines the functionality of the Microsoft development tools LINK, LIB, and EXEHDR. Thus, DUMPBIN can parse a suspect binary to provide valuable information about the file format and structure, embedded symbolic information, as well as the library files required by the program.

• To identify an unknown binary file’s dependencies, query the target file with DUMPBIN, using the /DEPENDENTS argument, as shown in Figure 5.14.

• To obtain a better picture of the suspect file’s capabilities based upon the dependencies it requires, research each dependency separately, eliminating those that appear benign or commonplace, and focus more on those that seem more anomalous. Some of the better Web sites on which to perform such research are listed in the textbox Online Resources: Reference Pages.

• If the feel of a GUI tool to inspect file dependencies is preferred, Tim Zabor has developed dumpbinGUI,³¹ a sleek front-end for DUMPBIN, which includes dumpbinCHM, a shell context menu that allows for a right-click on the target file and a selection of the DUMPBIN argument to be applied against a target file.

• To gain a more granular perspective of a target file’s dependencies, a useful command-line and GUI utility is Dependency Walker,³² which builds a hierarchical tree diagram of all dependent modules in the binary executable—allowing drill-down identification of the files that the dependencies require and invoke, as shown in Figure 5.15.

• To check for symbols in a binary, turn to the utility nm, which is preinstalled in most distributions of the Linux operating system. The nm command identifies symbolic and debug information embedded in executable/object files specimen.

• Although Windows systems do not have an inherent equivalent of this utility, there are several other tools that nicely extract the same symbol information.

• As with file dependencies, DUMPBIN can be used with the /SYMBOLS argument to display the symbols present in a Windows executable file’s symbol table.

• As previously discussed, there is a GUI alternative to the DUMPBIN console program called dumpbinGUI, which also can be used to query target files for symbolic information. DumpbinGUI is particularly helpful in that it offers a shell context menu, allowing for a file to be right-clicked and run through the program.

• Metadata also resides in executable files, and often these data can provide valuable insight as to the compilation date/time, origin, purpose, or functionality of the file.

• Metadata in the context of an executable file does not reveal technical information related to file content, but rather contains information about the origin, ownership, and history of the file. In executable files, metadata can be identified in a number of ways.

• In addition to these pieces of information, other file metadata may be present in a suspect program, including information relating to the following:

• These metadata artifacts are references from various parts of the executable file structure. The goal of the metadata harvesting process is to extract historical and identifying clues before examining the actual executable file structure.

• Later in this chapter (in the “Windows Portable Executable Format” section), as well as in Chapter 6, we will be taking a detailed look at the format and structure of the PE file, and specifically where metadata artifacts reside within it.

• Most of the metadata artifacts listed in the previous table manifest in the strings embedded in the program; thus, the strings parsing tools discussed earlier in this chapter certainly can be used to discover them. However, for a more methodical and concise exploration of an unknown, suspect program, the tasks of examining the strings of the file and harvesting file metadata are better separated.

• To gather an overview of file metadata as a contextual baseline, scan a suspect file with exiftool.³³ A number of GUI front-ends have been developed for exiftool that provide for drag-and-drop functionality and recursive scanning.

• Exiftool will provide the digital investigator with temporal context, operating system, and target environment identifiers, along with other helpful clues such as linker version, as displayed in Figure 5.16. However, further probing is often required to gather additional metadata artifacts of value from a suspect executable file.

• After gaining an overview of the file metadata, review or “peel” the file for specific metadata artifacts in chronological order of the compilation process—from high-level source code to compiled executable. Initial clues to look for include:

• Often, metadata items of interest are obfuscated by the attacker through packing or encrypting the file (discussed in the “File Obfuscation: Packing and Encryption Identification” section, later in this chapter). If the file is not obfuscated, the high-level programming language can be quickly identified by GT2, a file format detection utility with a shell context menu that allows for a right-click on the target file.³⁴

• Although GT2 can identify and parse many file formats, it is particularly geared toward extracting data from PE files. Figure 5.17 displays the output of GT2 extracting file version information and identifying the high-level programming language of a target file (Visual C++ 6.0).

• There are a number of other utilities that may be useful for identifying the compiler used to create a binary executable. Among them is PEid,³⁵ a power utility for examining PE files, including compiler and packing identification. Another is Babak Farrokhi’s Language 2000 tool,³⁶ an older compiler detection utility, which identifies the compiler used to create a program and extracts the program version information embedded in the file.

• PE file metadata can also provide temporal context surrounding an incident and contribute toward building an investigative time line in conjunction with live response and post-mortem forensic artifacts acquired from a victim system.

• In particular, the date and time stamp when the executable was compiled can be extracted from the IMAGE_FILE_HEADER structure of a PE file. A detailed discussion of the IMAGE_FILE_HEADER and other PE file structures can be found in the section “Windows Portable Executable File Format,” later in this chapter.

• Looking back at the output in Figure 5.17, extensive file version information was extracted, most likely obtained from the executables Resource section (a topic covered in depth in Chapter 6). Although this information is not dispositive, these are substantial leads that can be further pursued through online research.

• To gain further insight about the attacker, examine the Language Code and Character Set identifiers embedded within the IMAGE_RESOURCE_DIRECTORY structure of the binary during the time of compilation. These settings provide information about the native attacker system environment or settings selected by the attacker during compilation.

• Packers are programs that allow the user to compress, and in some instances encrypt, the contents of an executable file.

• Packing programs work by compressing an original executable binary, and in turn, obfuscating its contents within the structure of a “new” executable file. The packing program writes a decompression algorithm stub, often at the end of the file, and modifies the executable file’s entry point to the location of the stub.⁴²

• As illustrated in Figure 5.21, upon execution of the packed program, the decompression routine extracts the original binary executable into memory during runtime and then triggers its execution.

• In addition to unpacking programs that were created to foil specific packers, there are numerous generic unpackers and file dumping utilities that can be implemented during runtime analysis of a packed executable malware specimen. These tools will be discussed in greater detail in Chapter 6.

• Unlike packing programs, cryptors accomplish this goal by applying an encryption algorithm upon an executable file, causing the target file’s contents to be scrambled and undecipherable.

• Like file packers, cryptors write a stub containing a decryption routine to the encrypted target executable, thus causing the entry point in the original binary to be altered. Upon execution, the cryptor program runs the decryption routine and extracts the original executable dynamically at runtime, as shown in Figure 5.22.

• The binder author can determine which file will execute and whether the state will be normal or hidden. The copy location of the file can be specified in the Windows, system, or temp directories, and the action can be specified to either open/execute or copy only.

• From the underground perspective, binders allow attackers to combine their malicious code executable together with a benign one, with the latter serving as an effective delivery vehicle for the malicious code’s distribution.

• There are many different binders available on the Internet; a simple and most fully featured one is known as YAB or “Yet Another Binder.”⁵⁴

• The PE file format is derivative of the older Common Object File Format (COFF) and shares with it some structural commonalities.

• The PE file format not only applies to executable image files, but also to DLLs and kernel-mode drivers. Microsoft dubbed the newer executable format “Portable Executable” with aspirations of making it universal for all Windows platforms, an endeavor that has proven successful.

• The PE file format is defined in the winnt.h header file in the Microsoft Platform Software Development Kit (SDK). Microsoft has documented the PE file specification,⁵⁵ and researchers have written whitepapers focusing on its intricacies.⁵⁶

• Despite these resources, PE file analysis is often tricky and cumbersome.⁵⁷ The difficultly lies in the fact that a PE file is not a single, large continuous structure, but rather a series of different structures and sub-components that describe, point to, and contain data or code, as illustrated graphically in Figure 5.26.

• To gain a clear and intuitive perspective of the entire PE file format, run the suspect binary through a CLI tool, like Matt Pietrek’s pedump utility,⁵⁸ or pefile.py, so that each structure and sub-component can be studied and analyzed in a comprehensive view. Alternatively, for a general graphical overview of the PE structure, load the suspect file into a GUI-based PE analysis tool, such as PEView,⁵⁹ AnyWherePEViewer,⁶⁰ and CFF Explorer⁶¹ (see Figure 5.27), among others.

• After reviewing the entirety of the PE file output, which can often be rather extensive, consider “peeling” the data slowly by reviewing each structure and sub-component individually; that is, begin your analysis at the start of the PE module and work your way through all of the structures and sections, taking careful note of the data that are present, and perhaps just as important, the data that are not.

• File Header: The first line of a PDF file contains a header, which contains 5 characters; the first three characters are always “PDF,” and the remaining two characters define the version number, for example, “%PDF-1.6” (PDF versions range from 1.0 to 1.7).

• Body: The PDF file body contains a series of objects that represent the contents of the document.

• Objects: The objects in the PDF file body represent contents such as fonts, text, pages, and images.

• Cross Reference (XREF) Table: The XREF table serves as a file index and contains an entry for each object. The entry contains the byte offset of the respective object within the body of the file. The XREF Table is the only element within a PDF file with a fixed format, enabling entries within the table to be accessed randomly.⁶⁹

• Trailer: The end of a PDF file contains a trailer, which identifies the offset location of the XREF table and certain special objects within the file body.⁷⁰

Triage: Scan for Indicators of Malice

Discover relevant metadata

Examine the file structure and contents

Locating suspect scripts and shellcode

Decompress suspect stream objects and reveal scripts

Extract suspect JavaScript for further analysis

Examine extracted JavaScript

Extract shellcode from JavaScript

• Zynamics’ PDF Dissector⁸³ provides an intuitive and feature-rich environment allowing the digital investigator to quickly identify elements in the PDF and navigate the file structure.

• Anomalous strings can be queried through the tool’s text search function, and suspect objects and streams can be identified through a multifaceted viewing pane, as shown in Figure 5.44, below.

Figure 5.44 Navigating the structure of a suspect PDF file with PDF Dissector (Figure 5.45)

Figure 5.45 Executing JavaScript with the PDF Dissector JavaScript interpreter

• The contents of a suspicious object can be further examined by using the content tree feature of PDF Dissector.

• PDF Dissector offers a variety of tools to decode, execute, and analyze JavaScript, as well as extract embedded shellcode.

• Identified JavaScript can be executed within the tool’s built-in JavaScript interpreter.

• Embedded shellcode that is invoked by the JavaScript can be identified in the Variables panel. Right-clicking on the suspect shellcode allows the digital investigator to copy the shellcode to the clipboard, inspect it within a hexadecimal viewer, or save it to a file for further analysis, as depicted in Figure 5.46.

Figure 5.46 Inspecting and saving shellcode extracted from a suspect file

• Extracted shellcode can be examined in other GUI-based PDF analysis tools, such as PDF Stream Dumper,⁸⁴ PDFubar,⁸⁵ and Malzilla,⁸⁶ which are described in further detail in the Tool Box section at the end of this chapter.

• The Adobe Reader Emulator feature in PDF Dissector allows the digital investigator to examine the suspect file within the context of a document rendered by Adobe Reader, which may use certain API functions not available in a JavaScript interpreter.

• Adobe Reader Emulator also parses the rendered structure and reports known exploits in a PDF file specimen by Common Vulnerabilities and Exposures (CVE) number and description, as shown in Figure 5.47.

Figure 5.47 Examining a suspect PDF file through the Adobe Reader Emulator

• Binary File Format: Legacy versions of MS Office (1997–2003) documents are binary format (.doc, .ppt, .xls).⁸⁸ These compound binary files are also referred to as Object Linking and Embedding (OLE) compound files or OLE Structured Storage files.⁸⁹ They are a hierarchical collection of structures known as storages (analogous to a directory) and streams (analogous to files within a directory). Further, each application within the MS Office suite has application-specific file format nuances, as described in further detail next. Malicious MS Office documents used by attackers are typically binary format, likely due to the continued prevalence of these files and the complexity in navigating the file structures.

• Office Open XML format: MS Office 2007 (and newer versions of MS Office) use the Office Open XML file format (.docx, .pptx, and .xlsx), which provides an extended XML vocabulary for word processing, presentation, and workbook files.⁹⁶

• These attacks generally rely upon a social engineering triggering event—such as a spear phishing e-mail—which causes the victim recipient to open the document, executing the malicious code.

• Conversely, in lieu of targeting a particular application vulnerability, an attacker can manipulate an MS Office file to include a malicious Visual Basic for Applications (VBA, or often simply referred to as VB) macro, the execution of which can cause infection.

• By profiling a suspicious MS Office file, further insight as to the nature and purpose of the file can be obtained; if the file is determined to be malicious, clues regarding the infection mechanism can be extracted for further investigation.

Triage: Scan for Indicators of Malice

Discover Relevant Metadata

• The OfficeMalScanner suite of tools includes:

• OfficeMalScanner has five different scanning options that can be used to extract specific data from a suspect file¹⁰⁴:

• In addition to the information collected with the scanning options, OfficeMalScanner rates scanned files on a malicious index, scoring files based on four variables and associated weighted values; the higher the malware index score, the greater the number of malicious attributes discovered in the file. As a result, the index rating can be used as a triage mechanism for identifying files with certain threshold values.¹⁰⁵

Examine the file structure

Locating and Extracting Embedded Executables

Examine Extracted Code

Figure 5.55 Examining a malicious Word document file using OfficeMalScanner in debug mode (Cont’d)

Locating and Extracting Shellcode with DisView and MalHost-Setup

• Attackers use malicious scripting to automatically invoke a malicious file upon rendering of the help file contents.

• The malicious scripting often invokes a malicious binary, such as a Windows executable or ActiveX control file, that is surreptitiously embedded into the CHM file by the attacker.

• In many instances the malicious scripting will be hexadecimal encoded cipher text, adding an additional layer of analysis.

• In addition to invoking a locally embedded binary, scripting can also query an encoded URL to retrieve additional malicious files.

Triage: Identify Indicators of Malice.

Discover Relevant Metadata

Examine the File Structure and Contents

Locating Suspect Scripts

Figure 5.60 Executable file triggering mechanism within HTML

Identifying and Decoding Obfuscated Scripts

By submitting a file to a third-party Web site, you are no longer in control of that file or the data associated with that file. Savvy attackers often conduct extensive open source research and search engine queries to determine if their malware has been detected.

The results relating to a submitted file to an online malware analysis service are publicly available and easily discoverable—many portals even have a search function. Thus, as a result of submitting a suspect file, the attacker may discover that his malware and nefarious actions have been discovered, resulting in the destruction of evidence and potentially damaging your investigation.

Fully examine a suspect file in an effort to render an informed and intelligent decision about what the file is, how it should be categorized or analyzed, and in turn, how to proceed with the larger investigation.

Take detailed notes during the process, not only about the suspicious file but also about each investigative step taken. Consult the Field Notes located in the Appendices in this chapter for additional guidance and a structured note taking format.

In conducting digital investigations, never presume that a file extension is an accurate representation. File camouflaging, or a technique that obfuscates the true nature of a file by changing and hiding file extensions in locations with similar real file types, is a trick commonly used by hackers and bot herders to avoid detection of malicious code distribution.

Similarly, the file icon associated with a file can easily be modified by an attacker to appear like a contextually appropriate or innocuous file. The file icon associated with a Windows Portable Executable file can be inserted or modified in the file Resources section.

Anti-virus signatures are typically generated based upon specific data contents or patterns identified in malicious code. Signatures differ from heuristics—identifiable malicious behavior or attributes that are non-specific to a particular specimen (commonly used to detect zero-day threats that have yet to be formally identified with a signature).

Anti-virus signatures for a particular identified threat vary between anti-virus vendors,¹⁰⁹ but many times, certain nomenclature, such as a malware classification descriptor, is common across the signatures (e.g., the words “Trojan,” “Dropper,” and “Backdoor” may be used in many of the vendor signatures). These classification descriptors may be a good starting point or corroborate your findings, but should not be considered dispositive; rather, they should be taken into consideration toward the totality of the file profile.

Conversely, if there are no anti-virus signatures associated with a suspect file, it may mean simply that a signature for the file has not been generated by the vendor of the anti-virus product, or that the attacker has successfully (albeit likely temporarily) obfuscated the malware to thwart detection.

Third-party analysis of a similar malware specimen by a reliable source can be an incredibly valuable resource, and may even provide predictors of what will be discovered in your particular specimen. Although this correlative information should be considered in the totality of your investigation, it should not replace thorough independent analysis.

Forensic analysis of potentially damaging code requires a safe and secure lab environment. After extracting a suspicious file from a victim system, place the file on an isolated or “sandboxed” system or network, to ensure that the code is contained and unable to connect to or otherwise affect any production system.

Even though only a cursory static analysis of the code is contemplated at this point of the investigation, executable files nonetheless can be accidentally executed fairly easily, potentially resulting in the contamination of or damage to production systems.

It is strongly encouraged to examine malicious code specimens in a predesigned and designated malicious code laboratory, which can even be a field deployable laptop computer. The lab system should be revertible, that is, using a virtualization or host-based software solution that allows the digital investigator to restore the state of the system to a designated baseline configuration.

The baseline configuration in which specimens are examined should be thoroughly documented and free from artifacts associated with other specimens, resulting in forensic unsoundness, false positives, and mistaken analytical conclusions.

A file profile must be reviewed and considered in context with all of the digital and network-based evidence collected from the incident scene.

These resources might be an early warning and indicator capability employed by the attacker to notify him/her that the malware is being examined.

Logs from the servers hosting these resources are of great investigative value (i.e., other compromised sites, visits from the attacker[s], etc.) to law enforcement, Computer Emergency Response Teams (CERTs), and other professionals seeking to remediate the malicious activity and identify the attacker(s). Visits by those independently researching the malware will leave network impression evidence in the logs.