• Implement a utility that allows comparison of the state of the system after the code is executed to the pristine or original snapshot of the system state.

• In the Windows environment, there are two kinds of utilities that we can implement that provide for this functionality: host integrity monitors and installation monitors.

• During this process, the host integrity monitor scans the Registry and file system, creating a snapshot of the system in its normal (pristine) system state.

• The resulting snapshot will serve as the baseline system “template” to compare against subsequent system changes resulting from the execution of a suspect program on the host system (see Figure 6.3).

Figure 6.3 Creating a system snapshot with InstallSpy

• After creating a system snapshot, the digital investigator can invoke the host integrity monitoring software to scan the file system and Registry for changes that have manifested on the system as a result of executing the suspect program.

• Although the detail and structure of reports differ, each of the above referenced monitoring utilities compile and generate a report of the results after identifying the changes.

• Impression evidence is valuable evidence, because it can be a unique identifier relating to the suspect or it can reveal how certain events or aspects of the crime occurred.

• Impression evidence is collected and preserved for comparison with other evidence, impressions, exemplars, or known specimens.

• Traditionally, the manner in which investigators gather impression evidence is through an impression cast, using a material such as a plaster compound, silicone, or powder to create a duplicate of the impression.

• Collected impressions can have individual or class characteristics. Individual characteristics are those that are unique to one entity or person. Conversely, class characteristics are those that are common to a group.

• Digital impression evidence can be a unique identifier relating to a particular malicious code, or it can reveal how certain events occurred while the suspect malware executed and manifested.

• Digital impression evidence can be collected and preserved for correlation and comparison with other evidence or known malicious code infection patterns and artifacts. For instance, newly created files on the victim file system should be collected and analyzed.

• Similar to real-world crime scene forensics, collected digital impressions can have individual or class characteristics.

• A tool that is helpful to implement on the local system during dynamic analysis to obtain digital impression and trace evidence is Capture BAT (Behavioral Analysis Tool).³⁹

• Developed by the New Zealand Honeynet Project for the purpose of monitoring the state of a system during the execution of applications and the processing of documents, Capture BAT provides the digital investigator with significant insight into how a suspect executable operates and interacts with a host system, gathering the resulting digital impression and trace evidence.

• Capture BAT monitors state changes on a low kernel level, but provides a powerful filtration mechanism to exclude “event noise” that typically occurs on an idle system or when using a specific application.

• This granular filtration mechanism enables the investigator to intuitively identify processes that cause the various state changes, such as file and Registry writes, modifications, and deletions. For instance, as shown in Figure 6.11, upon executing a malicious PDF file, Capture BAT identifies and logs the creation of processes and the resulting File system and Registry activity.

Figure 6.11 Use of CaptureBat to obtain digital impression and trace evidence

• The purpose of memory forensics in the scope of analyzing a malware specimen in a laboratory environment is to preserve physical memory during the runtime of the malware, and in turn, find and extract data directly relating to malware (and associated information) that can provide additional context.

• Using the tools and techniques discussed in Chapter 2, the digital investigator can harvest available metadata including process details, network connections, and other information associated with the malware for analysis and comparison with volatile data preserved from the live victim system in which the malware was collected.

• FlyPaper is optimally used in a VMWare Workstation environment as it is intended to be used in conjunction with the VMWare snapshot function—preserving the memory state of the guest system once it is infected by the malware specimen.

• Once a snapshot of the infected system state is taken, the .vmem file associated with the infected guest system can be parsed in HBGary Responder, Mandiant Memoryze/AuditViewer/Redline, and Volatility (see Chapter 2 for a detailed discussion of these tools).

• A VMWare .vmem file is a virtual machine’s paging file and contains the memory of the virtual machine (also known as the guest); it is saved on the digital investigator’s analysis system (also known as the host).⁴²

• To use FlyPaper, launch it within the malware laboratory guest system prior to executing the target malware specimen, as shown in Figure 6.12.

Figure 6.12 FlyPaper

• Execute the target malware specimen and allow it to run for a few moments to ensure execution trajectory. During the course of runtime, FlyPaper generates a log file (by default, C:flypaper.log ) detailing the behavior of the malware and the resulting digital impression evidence left on the infected guest system.

• Preserve the infected system state of the VMware guest by taking a snapshot. Save the associated .vmem file for the guest system for analysis in HBGary Responder, or other memory forensic tool of choice.

• To use REcon, simply invoke the program and click the “Start” button, as shown in Figure 6.13. Select “Launch New” and select the target executable specimen for analysis.

Figure 6.13 REcon

• Let the specimen run for a reasonable period of time to ensure full execution trajectory and manifestation of potential digital impression and trace evidence in memory.

• Take a snapshot of the infected virtual guest system; after the snapshot has completed stop REcon.

• Collect the resulting REcon Forensic Binary Journal (.fbj) session file (by default residing in the root of C:) and the .vmem file associated with the infected VMWare guest. These files will be processed concurrently in Responder Pro.

• HBGary Responder 2 also offers a “Live Recon Session” project option, which largely automates this process.

• Attempted Domain Name queries

• Attempted TCP/IP connections

• Attempted UDP packet transmissions

• Unusual traffic (e.g., ICMP for attempted covert communications, command/control, etc.)

• Some examples of free firewall software available for installation on your malware lab system include:

• The real-time network traffic captured in Wireshark can be used to correlate firewall activity (see Figure 6.14). This layering of information collection is also advantageous in instances where a malware specimen has countersurveillance capabilities, such as terminating processes associated with anti-virus, firewall, and other security software.

Figure 6.14 The subject specimen requesting to resolve a domain name

• To enable a suspect program to fully execute and behave as it would “in the wild,” the digital investigator will need to adjust the laboratory environment to accommodate the specimen’s request to resolve a network resource, and in turn, facilitate the natural execution trajectory.

• Environment adjustment in the laboratory is an essential process in behavioral analysis of a suspect program. A common adjustment, particularly for modular malicious code (such as banking Trojans, crimeware kits, and bots), is to emulate DNS to resolve domain names hard-coded into the target specimen.

• The first method would be to set up a DNS server, in which the lookup records would resolve the domain name to an IP address of another system on the laboratory network (typically the suggested Linux server host). A great program to facilitate this method is Simple DNS Plus, a lightweight and intuitive DNS program for Windows systems.⁴⁹

• An alternative to establishing a full-blown DNS server would be to use a utility such as FakeDNS, which comes as a part of the Malcode Analyst Pack tool suite made available from iDefense.⁵⁰ FakeDNS can be configured to redirect all DNS queries to a local host or to an IP address designated by the user (typically the Linux server host). As shown in Figure 6.15, once launched, FakeDNS listens for DNS traffic on UDP port 53 (the default port for DNS), and in this instance, will redirect all DNS queries to the host supplied by the user (in this instance, 192.168.186.139).

Figure 6.15 Resolving DNS queries with FakeDNS

• Another more simplistic solution is to modify the system hosts file—the table on the host system that associates IP addresses with host names as a means for resolving host names. On Windows 2000, the hosts file resides in the C:WINNTsystem32driversetc directory and on XP/Vista/Windows 7 systems, the hosts file resides in the C:WINDOWSsystem32driversetc directory.

• Keep close watch on the network traffic, as adding the new domain entry and resolving the domain name may cause the specimen to exhibit new network behavior. For instance, the suspect program may reveal what it was trying to “call out” or “phone” home to, such as a Web server, FTP server, IRC server, or other remote resource, as depicted in Figure 6.16.

Figure 6.16 A suspect program attempting to retrieve a file from a Web server after a domain name is resolved

• To facilitate trajectory chaining, accommodate the sequential requests made by the suspect program.

• For instance, to chain the request made by the malware depicted in Figure 6.16, the digital investigator should start a Web server on the virtual Linux host where the domain name is pointed; done this way, the requested connections are captured in the Web server log (see Figure 6.17).

Figure 6.17 Capturing the requests of a malware specimen in a Web server

• The data collected through network trajectory reconstruction, such as that shown in Figure 6.17, may not be immediately decipherable and will require investigation of the resulting network impression and trace evidence.

• The purpose of resolving a domain name. For example, in Figure 6.17, the Web server log reveals that the suspect program needed to resolve a domain name in order to phone home to a Web server and download additional files (msn_messenge.jpg and descompact_msn.jpg).

• Identifiers of modular malicious code likely introduced as trace evidence onto the victim system. The nature and purpose of the requested files is unknown, but both have .jpg file extensions, giving the initial impression that they are image files. To emulate how the malware specimen would fully execute as it would have in the wild, if possible, discreetly retrieve and analyze the requested files and host them internally on your malware lab server to perpetuate the execution trajectory of the specimen.

• Functionality interpretation. The functionality displayed by the specimen in the Web server log is commonly referred to as a Trojan downloader, which is a Trojan program that attempts to connect to other online resources, such as Web or File Transfer Protocol (FTP) servers and stealthy download additional files. Typically, the downloaded files are additional malware, such as backdoor or other Trojan programs.⁵¹

• Metadata. Significant network impression evidence embedded in the captured Web traffic is the user-agent string. A user-agent string identifies a client Web browser and provides certain system details to the Web server visited by the browser. In the instance of Figure 6.17, the user-agent string is “(compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14,52 from:http://www.bsalsa.com/Embedded Web Browser from:http://bsalsa.com/).” The digital investigator should research and document findings relating to user-agent strings; this metadata may provide further insight into the attacker or malware functionality and purpose. For instance, the bsalsa embedded Web browser in Figure 6.17 is a freeware package of Borland Delphi components used to create customized Web browsing applications and to add data downloading capabilities to applications, among other things.⁵²

• Recall from Chapter 1 that netcat is a powerful networking utility that reads and writes data across network connections over TCP/IP or User Datagram Protocol (UDP).⁵³

• This is particularly helpful for establishing a network listener on random TCP and UDP ports that a suspect program uses to connect. Netcat is a favorite tool among many digital investigators due to its flexibility and diversity of use, and because it is often natively installed on many Linux distributions. There is also a Windows port available for download.⁵⁴

• Upon learning on which remote port the suspect program is requesting to connect, the digital investigator can utilize netcat by establishing a netcat listener on the target port of the Linux server host in the malware laboratory.

• Using the example in Figure 6.17, the suspect program is requesting to download files from a Web server over port 80. To establish a netcat listener on port 80 of the Linux server, use the nc command with the –v (verbose) –l (listen) –p (port) switches and identify the target port number. (The –v switch is not required and simply provides more verbose output, as shown in Figure 6.18.)

Figure 6.18 Establishing a netcat listener for the purpose of collecting network impression evidence

• Using Process Explorer (or a similar process analysis tool), collect basic process information, such as the process name and PID. With subsequent queries, seek further, particularly for the purpose of obtaining these process details:

• Further, by right-clicking on a suspect process in the Process Explorer main viewing pane, the digital investigator will be presented with a variety of other features that can be used to probe the process further, such as the strings in memory, threads, and associated TCP/IP connections, as shown in Figure 6.19.

Figure 6.19 Analyzing a suspect process with Process Explorer

• In examining the API calls made by a suspect program, be mindful of queries relating to:

• Figure 6.20, which will be used for demonstrative purposes in this section, depicts a sample of API calls made by a Banking Trojan.

Figure 6.20 Analyzing the API calls being made by a Banking Trojan

• The captured API calls reveal that the specimen is monitoring user Internet Explorer browser activity. By correlating the various API calls and gaining an understanding of the relational context between the calls, the digital investigator can better determine the nature and purpose of the specimen.

• Further examining the API calls, it is discernable that the Banking Trojan uses Dynamic Data Exchange (DDE) commands,⁵⁵ which enable Windows applications to share data. Internet Explorer supports DDE commands, and in this instance, the suspect program leverages this by issuing the www_GetWindowInfo command, which returns the Uniform Resource Locator (URL) and Window text currently displayed in an open Internet Explorer browser window.

• Immediately after querying to identify the URL being navigated to in the open browser, the Trojan uses the FindWindowA function⁵⁶ to locate window names that match specified strings.

• In addition to identifying and comparing the names of the open browser windows, the Trojan searches in the WINDOWSHelp directory for specific file names using the FindFirstFileA function.

• A tool that we can use to quickly acquire this information is NirSoft’s WinLister utility.⁵⁷

• With WinLister, the digital investigator can identify numerous hidden windows relating to the malicious code specimen.

• Items of investigative interest that can be uncovered in this process include:

• In the example in Figure 6.21, the nature of the windows associated with a suspect program reveals numerous references to Tforms (“forms”), which are objects used in the creation of Delphi applications. This is a good clue that we are analyzing a malicious code specimen written in Delphi.

Figure 6.21 Displaying hidden program windows with WinLister

• Correlate the information gathered through the interception of API calls with artifacts discovered in file system activity.

• Correlate file system activity with process activity and digital trace evidence such as dropped executables, driver modules, hidden files, and anomalous text or binary files. Monitoring common locations where malware manifests to blend into the system, such as “%systemroot%system32,” may reveal anomalous items. In addition to such traditional malware file artifacts, consider functional context, including processes running from suspicious locations in the file system, such as newly created directories, or anomalous directories such as C:Documents and Settings<user>Local SettingsTemp, among others.

• Correlate file system activity with Registry activity.

• Perform relational analysis, including correlation of network impression and trace evidence with execution trajectory on the file system, such as modification of the hosts or lmhosts file.

• Registry keys created during the execution life cycle of the malware specimen, which may reveal where malware is configured to auto-start

• Registry keys modified during the time period the malware specimen was executed

• Registry keys deleted during the time period that the malware specimen was executed

• Registry artifacts that provide clues about additional components of the malware

• Some examples of this are UnFSG,⁶⁸ UnMew,⁶⁹ AspackDie,⁷⁰ UnPECompact,⁷¹ and DeShrink.⁷²

• These tools work with varying degrees of success, and many are written by hackers referred to by a single name. Unfortunately, as many of these tools are “underground utilities,” there is also a possibility that an unscrupulous coder has built malicious features into the tool that may infect the user system or render it vulnerable.

• Further, as these tools are not typically considered forensic utilities, they may not be the best choice for investigations that have the potential for litigation in court or other proceedings in which findings need to be validated. Use due care in selecting and implementing these utilities.

• AspackDie is very simple to use. After executing the program the user will be prompted to select a target file to unpack.

• After choosing the target file, AspackDie does its “magic” and provides the user with a message box revealing whether the file was successfully unpacked, the version of ASPack identified, and the path of the output file where the new, unpacked version of the target executable was written to disk (this is normally the same directory where the target program resides).

• There are a number of tools that can assist in dumping, all of which are PE editing tools as well. Some of the staple utilities include LordPE,⁷³ ProcDump,⁷⁴ and PE Tools (Xmas Edition).⁷⁵

• Although these tools are used quite often by digital investigators, they are considered by many in the industry to be underground tools (i.e., PE Tools is available from http://www.uinc.ru/—the “Underground Information Center”).

• In addition to these tools, a number of process monitoring utilities have been released that also provide a process dumping feature, including Process Explorer,⁷⁶ CurrProcess,⁷⁷ Task Explorer,⁷⁸ ProcessAnalyzer,⁷⁹ Sysinternals ProcDump,⁸⁰ and Dumper.⁸¹

• Once the program has executed, locate the process in the upper pane of the tool, right-click on the process, and choose “dump full” (see Figure 6.24). The digital investigator will then need to name the newly dumped file and the location to write the file to disk.

Figure 6.24 Using LordPE to dump a process from memory

• Because each packing and cryptor obfuscates the OEP of the protected program in a different way, it requires step-by-step tracing of a suspect program during execution through a debugger. A debugger is a program that enables software developers, and conversely, reverse engineers, to conduct a controlled execution of a program, allowing the user to trace the program as it executes.

• In particular, a debugger allows the user to set breakpoints during the execution of a target program, which pause the execution, allowing for examination of the program at the respective breakpoint.

• OllyDbg has a user-friendly GUI and a variety of configuration options. The main OllyDbg interface or “CPU window” provides the analyst with five re-sizeable viewing panes, including, among other things, a disassembler view, a register window (which displays and interprets the contents of CPU registers), and a dump window (which reveals the contents of memory or file).

• One of the many benefits of OllyDbg is the ability to add functionality to the program through the use of plug-ins and scripting, in which there is a rather sizeable contributing community. A great resource for OllyDbg Plug-ins is the Open Reverse Code Engineering (OpenRCE) Web site founded by Pedram Amini.⁸³

• To use OllyDump, a suspect program must first be loaded into OllyDbg.

• Upon loading the obfuscated target specimen, a message box will advise that the entry point for the program is “outside the code” (see Figure 6.25). This is a common error to receive when attempting to debug a specimen that is obfuscated with a packing or cryptor program.

Figure 6.25 OllyDbg entry point alert

• After clicking through the warning, the digital investigator will be greeted with another helpful message box. This time OllyDbg will advise that based upon entropy analysis, the loaded specimen appears to be compressed or encrypted (see Figure 6.26).

Figure 6.26 OllyDbg Compressed Code Detection Warning

• After clicking through the warning, the suspect program is presented in the OllyDbg environment. To identify the OEP of the specimen, execute the malicious code specimen in OllyDbg (allowing the ASPack decompression routine to occur) and in turn, have the suspect program loaded into memory where it is no longer protected (see Figure 6.27).

Figure 6.27 A suspect program loaded into OllyDbg

• Once the specimen is loaded into OllyDbg, execute it using the F9 key.

• When the execution pauses, identify a PUSH instruction for the suspect program. At this offset use the “follow in dump” feature, which can be invoked by right-clicking within the CPU window (see Figure 6.28). In addition, set a hardware breakpoint so that when the code is stepped over with the F8 key the OEP address of the suspect program will be reached (see Figure 6.29).

Figure 6.28 “Following the dump” in OllyDbg

Figure 6.29 Finding the OEP of a suspect program

• OllyDump has a feature to rebuild the Imports as do PE Tools (Xmas Edition) and LordPE.

• An alternative, discussed in the next section, is to rebuild the Imports while the suspect program is still loaded in OllyDbg and running in memory.

• When a dynamically linked program is executed, the Windows loader reads the Import Table and Import Address Table of the PE structure, identifies and loads the .dlls (and associated functions) required by the program, and maps them into process address space. Thus, if the Imports are corrupted, the program will not be able to successfully execute and load into memory.

• The Imports can be reconstructed using Import Reconstructor (ImpREC).⁸⁶ While the suspect process is still running after having been executed with OllyDbg, attach to the suspect process by selecting it from the ImpREC active process drop-down menu (Figure 6.32).

Figure 6.32 Selecting a dumped process with ImpREC

• After attaching to the process, supply the OEP of the suspect program obtained during the dump program in OllyDbg (DC044) in the ImpRec IAT Autosearch feature window.

• By supplying the OEP and selecting IAT Autosearch, ImpREC attempts to recover the original Import Address Table of the dumped executable. ImpREC provides the user with a message box if the address of the original IAT is discovered, as displayed in Figure 6.33.

Figure 6.33 ImpREC

• By selecting the Get Imports function, ImpREC rebuilds the Imports of the target executable. Each recovered import is demarcated as to whether it is valid or invalid. Further, the user can query ImpREC using the “Show Invalid” or “Show Suspect” functions to identify functions that may not have been properly recovered.

• Once the Imports of the target executable have been recovered and validated, the newly “refurbished” dumped executable can be saved to disk using the “Fix Dump” function (see Figure 6.34).

Figure 6.34 Reconstructing the dumped binary in ImpREC

• Many of the packing detection utilities we discussed in Chapter 5 also detect the signatures of compilers and high-level programming languages.

• The digital investigator can further verify the functionality of the binary by executing it—confirming that the program executes and exhibits the same behavior as the previous obfuscated version.

• Examine the specimen in IDA Pro, a powerful disassembler and debugger offered by Hex-rays.com.⁸⁷ A disassembler allows the digital investigator to explore the assembly language of a target binary file, or the instructions that will be executed by the processor of the host system.

• IDA Pro is feature-rich, multi-processor capable, and programmable, and has long been considered the de facto disassembler for malicious code analysis and research. Although it is beyond the scope of this book to go into great detail about all of the capabilities IDA Pro has to offer, there is a great reference guide called The IDA Pro Book by Chris Eagle.⁸⁸

• A useful tool that can be used to accomplish this task is SpyStudio, which is developed by Nektra.⁹⁸

• Unlike the .dll injection technique discussed earlier, SpyStudio uses a proprietary API framework called the Deviare API to intercept function calls, allowing the digital investigator to monitor and hook applications in real time.

• Recall from previous examples where we examined a suspect Banking Trojan’s dependencies, which revealed that the functions invoked by the specimen were primarily provided by the imports user32.dll and kernel32.dll. Further, from our inspection of the specimen’s assembly instructions and our previous API monitoring sessions, we learned that the program accomplishes its nefarious purpose by using the FindWindowA and SendMessageA functions and DDE commands, among others. With this information SpyStudio can be configured to insert a hook to monitor required functions.

• As shown in Figure 6.44, a hook is inserted into the DDECreateString HandleA command through user32.dll. Immediately after placing the hook, the output interface of SpyStudio scrolled with the WWW_GetWindowInfo request.

Figure 6.44 Intercepting the WWW_GetWindowInfo function with SpyStudio

• The same method can be used to confirm the suspect program’s use of the FindWindowA, SendMessageA, GetWindowTextA.

• For example, in Figure 6.45, the output resulting from the interception of calls for the FindWindowA function identifies numerous financial institution Web sites that are being monitored vigilantly by the specimen.

Figure 6.45 Intercepting the FindWindowA function with SpyStudio

• SpyStudio enables the digital investigator to monitor several hooked functions simultaneously, intercepting and revealing the relational context and interplay between the functions.

• Trigger events may be caused by victim behavior on the infected system (such as typing on the keyboard—invoking a keylogging feature) or through the introduction of digital trace evidence from a remote resource (such as the download of additional malicious files that provide instructions to the specimen).

• Armed with information gathered through dynamic and static analysis, the digital investigator can engineer the laboratory environment in an effort to replicate the particular triggering events used by a target specimen. Although triggering events are specific relative to a target specimen, some examples include:

• To emulate a malware specimen’s interaction with the target URLs, one approach would be to copy the content of the target Web sites using utilities like HTTrack⁹⁹ (Windows and Linux) or wget (Linux) and host the content on a Web server in your malicious code laboratory—in essence, allowing the specimen to interact with the Web site offline and locally.¹⁰⁰

• An alternative approach is to resolve the predefined domains and URLs to a Web server running in the laboratory network. Although the content of the Web sites will not be similar, at a minimum the URLs will resolve, which may be enough to trigger a response from the specimen.

• Unfortunately, as these are typically “underground” applications, they may not be easy to acquire. Furthermore, even when client applications are available for download from underground forums, they are often modified by attackers to have additional backdoors and malicious features in an effort to infect the system of the individual who downloaded the program. Use extreme caution when conducting this kind of research.

• If a “clean” and “reliable” version of client software can be obtained through a malicious code research Web site,¹⁰¹ install it for use on a separate laboratory system in an effort to replicate the remote attacker.

• Once the client application has been configured for adaptation in the laboratory environment, execute the malware specimen in the victim laboratory system in an effort to trigger the specimen to connect to the remote client.

• Explore the nature and capabilities of the program by delving deeper and assuming control over the victim system through the malicious code specimen. Further, in gaining control over the victim system execute available commands and features from the “attacker” system in an effort to evaluate the attack capabilities of the specimen and client (see Figure 6.46).

Figure 6.46 Interacting with a victim laboratory system using the Poison Ivy client application

• Recall that the first step prior to executing a malicious code specimen is to establish a baseline system environment by taking a snapshot of the system state using a host integrity or installation monitoring program.

• Once the dynamic analysis of the malware specimen is completed, examine the post-runtime system state by comparing it against the pre-run snapshot taken with a host integrity or installation monitoring tool.

• For example, after running the Trojan crimeware specimen presented in the example scenario and comparing system snapshots, the installation monitoring utility InstallWatch captured the creation of directories, executable files, and prefetch files on the victim system (Figure 6.47).

Figure 6.47 File system changes captured with InstallSpy

• Correlate host integrity or installation monitoring results with other digital impression and trace evidence collection methods. For instance, referenced earlier in the Execution Artifact Capture: Digital Impression and Trace Evidence section, CaptureBat collects granular details regarding a malware specimen’s behavior and the associated digital impression evidence left on the file system and in the Registry of the affected system.

• A review of the CaptureBat log resulting from the execution of the Trojan crimeware specimen (Figure 6.48) details execution trajectory resulting in a newly created malicious process, qeise.exe, and relational context with explorer.exe, which suggests possible process injection.

Figure 6.48 CaptureBAT log

• Track process creation, file system, and Registry changes.

• Confirm digital impression and trace evidence on the affected system.

• Identify any inconsistencies or anomalies between the data sets.

1. Get an overview of the captured network traffic contents to get a thumbnail sketch of the network activity and where to probe deeper.

2. Replay and trace relevant or unusual traffic events.

3. Gain insight into network trajectory and associated network impression and trace evidence.

4. Conduct a granular inspection of specific packets and traffic sequences if necessary.

5. Search the network traffic for particular trends or entities if needed.

• Wireshark (discussed earlier in the chapter)

• RUMINT (a network forensic visualization tool)¹⁰²

• Network Miner (a network forensic analysis tool)¹⁰³

• To gain an overview of network trajectory in relation to the totality of system events and resulting digital impression evidence, use a network forensic visualization solution such as RUMINT.

• Harvest available metadata including process details, network connections, and other information associated with the malware specimen for analysis and comparison with other digital impression and trace evidence identified on the infected laboratory system.

• Perform keyword searches for any specific, known details relating to the malware specimen that was examined.

• Look for common indicators of malicious code including memory injection and hooking (see Figure 6.52, depicting the detection of process injection into explorer.exe during the runtime of the Trojan crimeware specimen).

Figure 6.52 Process injection detected with the Responder Professional Digital DNA feature

• For each process of interest, recover the executable code from memory for further analysis.

• For each process of interest, extract associated data from memory, including related encryption keys and captured data such as usernames and passwords.

• Extract contextual details such as URLs, MFT entries, and Registry values pertaining to the installation and activities associated with malicious code.

• Perform temporal and relational analysis of information extracted from memory, including a time line of events and a process tree diagram.

• In the context of malware taxonomy and phylogeny, sdeep, a file-hashing tool that utilizes CTPH, can be used to query suspicious file specimens in an effort to identify homologous files.¹¹⁵

• One scanning option, as demonstrated in Figure 6.53, is to use the recursive (-r), bare (-b), and “pretty matching mode” (-p) switches against a directory of malware specimens; the output cleanly displays matches between files.

Figure 6.53 Comparing a directory of files with ssdeep

• YARA can be invoked from the command line as a stand-alone executable or the functionality can be integrated into the digital investigator’s own Python scripts through the yara-python extension.¹¹⁹

• The YARA rule syntax consists of the following components:

• Rules can be written in a text editor of choice and saved as “.yara” files.

• YARA rules can range from simple to very complex; it is highly recommended that the digital investigator familiarize himself with the YARA User’s Manual (currently version 1.6) to gain a full understanding of YARA’s functionality and limitations.¹²²

• In Figure 6.54, a rule was created in an effort to identify and classify Wemon Trojan specimens.¹²³ Recall from the section Advanced PE Analysis Examining PE Resources and Dependencies that the Wemon Trojan contains unique PE resource artifacts. Further, extracted strings reference a PE file (svchost.exe) and various dynamic link libraries, when taken in totality, are unique to the Wemon malware family.

Figure 6.54 A YARA rule to detect the Wemon Trojan

• After creating the rule and saving it as “wemon.yara,” a directory of numerous malware specimens was queried with YARA, applying the rule. The results of the query are shown in Figure 6.55; seven different specimens were identified and classified.

Figure 6.55 Results of scanning a directory with a YARA rule

• Written in C#, FingerPrint is a framework (command-line utility and XML database) for scanning portable executable files and extracting attributive embedded artifacts such as strings and metadata. Figure 6.56 displays the information extracted and cataloged for each target file.

Figure 6.56 Probing a malicious code specimen with FingerPrint

• Results of the each scan are saved in a database named “scan_history.xml,” which can be used to further query and compare new specimens against previous specimens.

• FingerPrint can be used to scan single or multiple files in a variety of ways either against other specimens or the scan history database. A command reference is provided in the following table.

• The FingerPrint comparison scanning options are very valuable toward identifying possible phylogenetic relationships between targeted specimens. Figure 6.57 displays an example comparison of two different Wemon Trojan specimens using the –c option.

Figure 6.57 Comparing malicious code specimens with FingerPrint

• The resulting output provides a detailed report of matched and unmatched variables between the two specimens; the matches and mismatches are calculated and weighted and a final match percentage is rendered.

• In addition to the native scanning capabilities, FingerPrint is extendable through user-generated plug-ins called “FingerPrints.” Details regarding how to create a FingerPrint are included in the “readme” file packaged with FingerPrint.

• One of the most powerful features of BinDiff is the Graph GUI, which displays side-by-side comparative flowgraphs of target code contents.

• BinDiff assigns a signature for each function in a target executable based upon the number of codeblocks, number of edges between codeblocks, and number of calls to subfunctions.¹²⁷

• Once the signatures are generated for the two target executables, matches are created through a myriad of Function Matching and Basicblock Matching algorithms.¹²⁸

• BinDiff renders Similarity and Confidence values for each matched function (shown in Figure 6.58) as well as for the whole executable file.¹²⁹

Figure 6.58 BinDiff plug-in interface in IDA Pro

• A technique that allows the digital investigator to compare the contents and trajectory of deobfuscated malicious code in memory during runtime is process memory trajectory analysis, or the acquisition and comparison of the process memory space associated with target malware specimens while executed and resident in memory. This technique is most effective when the respective specimens manifest as distinct new processes rather than injection into pre-existing processes.

• After executing the target specimen, locate the newly spawned process in a process analysis tool that offers process dumping functionality, and dump the process to disk.

• For example, in Figure 6.62, using LordPE, the target process is identified and selected in the tool’s process viewer. The process dumping menu is invoked by right-clicking on the target process; select “dump full” and save the newly dumped process to disk.

Figure 6.62 Dumping process memory with LordPE

• Conduct the same process memory collection method for each specimen of interest; determine the file size and hash values associated with the process memory dump files. As shown in Figure 6.63, the processes dumped with LordPE have an identical file size but distinct MD5 hash values.

Figure 6.63 MD5 hash values of suspect process memory

• Query the respective process memory files with ssdeep in an effort to determine similarity.¹³⁰

• Target malware executable files can be viewed through a variety of visualization schemas using BinVis.¹³¹

• To select an executable file for analysis, use the BinVis toolbar, and select “File” “Open.”

• Once the executable is loaded into BinVis, choose a data visualization schema in which to view the file using the “View” toolbar option.

• BinVis has seven different data visualization schemas in addition to a hexadecimal viewer and a strings viewer.

• A powerful feature of BinVis is coordinated windows—the interplay between the various data display windows; clicking on a target data region in one viewing pane causes the data in the other open viewing panes to adjust and transition to the same region.

• Another novel aspect of BinVis is the navigator feature. Based upon a “VCR motif,” this interface allows the digital investigator to navigate forward or backward through the visualized data.

• In the example displayed in Figure 6.65, three malicious code specimens were examined—two of which were helpfile.exe and winsrv.exe. Visualizing the executables through the BinVis Byte Presence view, the two similar specimens are quickly discernable from the third, dissimilar specimen.

Figure 6.65 Using BinVis to visually identify similar files

• To process and visualize the Ether trace of a target malicious executable, load the resulting Ether trace file into VERA, and, in turn, provide the original executable file.

• Upon processing the trace file, VERA generates two graph files (.gml) called “All Addresses” (renders all addresses in the executing specimen) and “Basic Block” (renders the beginnings and ends of basic blocks).

• Upon selecting the graph file, VERA visually displays the execution and flow of the target executable in the main viewing pane. VERA provides the digital investigator a series of mouse functions to “zoom in,” “zoom out,” and navigate the results.

• As displayed in Figure 6.66, two similar Trojan horse specimens are compared in distinct VERA sessions, revealing very similar execution and runtime behavior. This is valuable information toward cataloging and qualifying phylogenetic relationships between specimens. Further, a close-up of addresses within the specimen’s runtime flow can be seen in the callout box.

Figure 6.66 Using VERA to visualize execution traces

• Malware behavioral profiles can be classified with Malheur,¹³³ a framework for automatic analysis of malware behavior. Malheur is a command-line tool that can be compiled on Linux, Macintosh OS X, and OpenBSD platforms using the standard compilation procedure for GNU software.¹³⁴

• Malheur processes data sets —reports of malware behavior recorded and compiled from the CWSandbox/GFI SandBox.¹³⁵ malware analysis sandbox and into Malware Instruction Set (MIST) format.¹³⁶ MIST format is not intended for human readability; rather, it is a generalization of observed malware behavior specialized for machine learning and data mining.

• Data sets can be submitted into Malheur as a directory or a compressed archive (tar.gz, .zip, .pax, .cpio) containing the textual reports for analysis.

• Malheur conducts four basic types of analysis:

• A data set can be input into Malheur and processed using the following steps:

Analysis of a post-runtime system state without comparison to a system baseline makes identifying system changes challenging.

Limited or incomplete evidence reconstruction prevents a holistic understanding of the nature, purpose, and capabilities of a malicious code specimen. Further, without fully reconstructing the artifacts and events associated with the dynamic analysis of a malicious code specimen, the digital investigator will have limited insight into the impact the specimen makes on a victim system.

Ineffectively executing a target malware specimen can adversely impact all dynamic analysis investigative findings.

Although automated malware analysis frameworks can provide insight into the nature of identified malicious code, they should not be solely relied upon to reveal the purpose and functionality of a suspect program. Conversely, the fact that automated analysis of a malware specimen does not reveal indicia of infection does not mean that it is innocuous.

Online malware sandbox analysis of a target or “similar” malware specimen can be helpful guidance, but it should not be considered dispositive in all circumstances.

Do not submit a malware specimen that is the crux of a sensitive investigation (i.e., circumstances in which disclosure of an investigation could cause irreparable harm to a case) to online analysis sandboxes in an effort not to alert the attacker.

The behavior and interaction of the malicious code specimen with the victim system and external network resources will likely not be revealed if the digital investigator does not adjust the laboratory environment based upon the specimen’s trajectory requirements.

Do not make investigative conclusions without considering the totality of evidence dynamics.

Critical clues embedded in a target malware specimen can be missed if the specimen is not deeply examined after it is extracted from obfuscation code. Failure to gather this information can adversely affect investigative findings and how to proceed with the larger investigation.