Forensics Investigation
3.1 Analyzing Hard Drive Forensic Images, Analyzing RAM Forensic Image, Investigating Routers
3.2 Malware Analysis - Malware, Viruses, Worms, Essential skills and tools for Malware Analysis, List
of Malware Analysis Tools and Techniques
Analyzing Hard Drive Forensic Images
The hard drive is the premier form of data storage used in a computer system: the majority of
computer users’ and corporations’ data is stored on it. When a hard drive becomes a part of a legal
investigation, it should be legally acquired, as we saw in the previous chapter, and analyzed for
information that can help in solving the subject incident. Hard drives today are large and usually
contain a massive volume of data; it is the role of the forensic examiner to investigate this data and
connect the dots to solve a crime or to understand what happened during an incident.
We will learn how to mount and analyze acquired hard drive forensics images using different tools,
focusing on the open source and free tools.
Arsenal Image Mounter
Arsenal Image Mounter is a free, open source program. It can mount a forensic image as complete
disks in Windows (real SCSI disks), allowing investigators to browse image contents as if they were
browsing any directory of files. While the free version can mount any forensic image, the paid one
offers richer features.
This tool supports forensic images in Raw and EnCase file format, and it also supports all file systems
used by the Windows OS like NTFS and FAT32. Using this tool is very simple: go to
[Link] and download the program to your PC.
Arsenal Image Mounter is a portable program, so just execute the program and then click the
“Mount Image” button in the main program window to select the image file; now, the tool will ask
you for mount options (see Figure 6-1). Check the first option, “Read only,” and then press the “OK”
button.
Now, the forensic image will get mounted (see Figure 6-2) as a virtual drive in Windows (you can
access it from Windows File Explorer) as if it were a local drive.
OSFMount
This is another program for mounting the forensic drive image as local Windows drives; OSFMount
supports mounting images of CDs in .ISO format. It also supports the creation of RAM disks (a disk
mounted into RAM). Supported image file formats include, among others, AFF, Raw, split Raw, and
EnCase.
To use this program, follow these steps:
1. Go to [Link]/tools/[Link] and download the tool that
corresponds to your current Windows version (32 or 64 bits).
2. Install the program as you do with any Windows program.
3. When the program successfully launches, click the “Mount new” button; a new dialog will then
appear where you can select the image file and set other mount options (see Figure 6-3). OSFMount
will mount the image by default as read only and you can access it from Windows File Explorer like
any other local drive.
Autopsy
Autopsy is a graphical user interface (GUI) program that allows easy access to the command-line
tools and the C library included in the Sleuth Kit and other digital forensics tools. The tools included
in the Sleuth Kit—and other digital forensics tools—will allow Autopsy to automate much of the
forensics analysis tasks required in most investigations, such as recovering deleted files, analyzing
Windows registry, investigating e-mail messages, investigating unallocated disk space, and many
more. Autopsy provides additional features that help examiners to be more productive during their
analysis work.
Analyzing RAM Forensic Image
We’ve covered how to acquire RAM using four tools: the captured forensic image can be
analyzed using any of the major computer forensic suites like EnCase, Belkasoft Evidence Center, and
X-Ways Forensics. However, as we already said at the beginning of this chapter, we will focus on
using free and open source tools to do the job.
To analyze RAM forensic images, we have two reputable and popular free tools: Redline from
FireEye and Volatility from the Volatility Foundation. We will begin with Redline.
Redline
FireEye gives the forensics community two popular free forensic tools to conduct digital forensics
investigations:
1. Memoryze: This is a physical memory imaging and analysis command-line tool. In addition to
capturing RAM images, it has the ability to perform advanced analysis of live memory while the
computer is still running. Memoryze can also analyze memory image files, whether they were
acquired using it or any other forensic software (DD-format). However, the analysis will give more
comprehensive results when the forensic image is acquired by the Memoryze tool itself.
2. Redline: This is a Windows program for conducting a memory investigation of malicious artifacts
in Windows physical memory. With Redline, you can:
• Capture memory images, running processes, opened files, and registry data.
• Filter (narrow) results according to many predefined criteria (such as a given timeframe of
compromise events [when it started, which files were touched, and how long the compromise
persisted]) and/or filter known valid data based on precompiled MD5 hash values of well-known
files.
Capturing a RAM Memory Using Redline
Before we can use Redline to capture memory, we need to download it first.
1. Go to [Link]/services/freeware/[Link]; you need to fill in a simple registration
form, and the download link will be sent to the specified e-mail address.
2. Install the program on your Windows machine as you do with any other Windows application.
Redline is supported on almost all versions of Windows: Windows XP, Windows Vista, Windows 7,
Windows 8 (32 and 64 bit), Windows 10.
3. Launch the program, and the main window will appear (see Figure 6-19). From the “Collect Data”
pane, select “Create a Comprehensive Collector.”
Before we move on, let us give a brief description of available options when using Redline to collect
(capture) data from a suspect Windows computer.
Redline has three types of collectors:
• Standard Collector: This type gathers the minimum amount of data (mainly process and loaded
driver information).
• Comprehensive Collector: This type collects most of the data that Redline needs during its analysis
process. This type of collection is highly recommended and is what we are going to use during this
experiment.
• IOC Search Collector: This type collects only the data that matches selected Indicators of
Compromise (IOCs).
4. In our case, we will select “Comprehensive Collector”; click it, and the collector configuration
window appears. From this window, you can configure what you are going to capture by clicking
“Edit your script”; you should also check the option “Acquire Memory Image” to acquire the target
memory image (see Figure 6-20).
5. The Redline Collector script (you can access it from “Edit Your Script”) has memory, disk, system,
network, and other options preselected. You can modify these options within any collector type. For
instance, the comprehensive collector type (which we have chosen to select for this example) has
most options already checked by default, so you can go safely with the default settings (see Figure 6-
21).
6. Now, from the collector configuration window, click “Browse” under “Save Your Collector To” and
select an empty directory where you want to save this collector. For instance, we will store it on a
USB thumb drive, so that we can use it later to acquire a memory image from the suspect machine. Click
“OK” to begin writing to the Redline collector.
7. When Redline finishes creating the collector, a success window will pop up, showing you
important information on how to use this collector to acquire memory data from potentially
compromised systems.
Now that we have created our collector, let us see how we can use it to acquire memory images:
1. Go to the directory where you have saved your newly created collector, and move the entire
collector folder into a USB thumb drive.
2. Attach the USB thumb drive to the target machine.
3. Execute the script named “[Link]” in the collector folder to run the collector.
4. The collector should begin its collection work by showing a CMD window (see Figure 6-25), and it
will store acquired data to a folder named ‘Sessions\AnalysisSession1’ in the same directory. Every
time you run the script, a new AnalysisSession folder (AnalysisSession2, AnalysisSession3, etc.) is
created.
5. After the Collector completes the collection, the CMD window should disappear without showing
any message. Now, go into the AnalysisSession folder, and you will see an Audits folder and an
[Link] file (see Figure 6-26).
Memory Forensics Using Redline
To analyze memory data collected by the Redline collector, follow these steps:
1. Move the Sessions folder from the Collector folder into the forensic machine that you want to
perform the analysis on. Of course, Redline should be installed on this machine first.
2. Open Sessions ➤ AnalysisSession1 (there could be more than one analysis session if you run the
collector more than once) and you will see an Audits folder and an [Link] file.
3. Double-click the ‘[Link]’ file to create your session in Redline. This automatically
imports the data into Redline.
4. Importing data into Redline will take some time (from minutes to hours); the time needed will
depend on the size of the captured memory image and the acquired memory operating system type.
5. Once the data has finished loading into the new analysis session, the Redline analysis session
window will appear. Redline groups data by type; you will see these groups on the left side of the
Analysis Data frame.
6. You have different options to start your investigations; for instance, we will use the option “I am
Investigating a Host Based on an External Investigative Lead.”
7. A new window will appear; click any data type in the “Analysis Data” (corresponds to number 1)
pane to see all related acquired information on the right pane. The middle pane allows you to set
some filters (corresponds to number 2) on the data to limit the number of returning data, while the
third pane displays the sum of filtered information according to what a user has selected in pane 2.
Volatility Framework
Volatility is another famous tool for analyzing RAM forensic images; it is a research project that has
emerged from published academic research papers in the field of advanced memory analysis and
forensics.
It is a free, open source, and cross-platform program written in python; its development is now
supported by a nonprofit organization known as the Volatility Foundation.
Volatility comes already installed with many Linux security distributions like Kali; however, this tool
is also supported on Windows machines (a standalone portable application). The latest version is
2.6, and you can download it from www. [Link]/26.
Investigating Routers
Routers play many different roles during incidents. They can be targets of attack, stepping-stones for
attackers, or tools for use by investigators. They can provide valuable information and evidence that
allow investigators to resolve complex network incidents. Routers lack the data storage and
functionality of many of the other technologies we have examined in previous chapters, and thus
they are less likely to be the ultimate target of attacks. (One notable exception is that routers are
targets during denial-of-service attacks, which we will examine closely.) Routers are more likely to
be springboards for attackers during network penetrations. The information stored on routers—
passwords, routing tables, and network block information—makes routers a valuable first step for
attackers bent on penetrating internal networks.
OBTAINING VOLATILE DATA PRIOR TO POWERING DOWN
The order of volatility states that information in memory is most volatile, while information stored
on the hard drive or in nonvolatile RAM (NVRAM) is relatively stable. Accordingly, if any of the
information in memory may be important to the investigation, it must be saved before powering
down or altering the state of the operational router. With routers, information in memory is almost
always important, because routers have little data-storage capability.
The only real data saved in NVRAM is the configuration of the router itself, and this configuration is
likely not the same configuration the router uses while it is running, especially if the router has been
the subject of hacker attack. The system state information in memory—such as current routing
tables, listening services, and current passwords—will be lost if the router is powered down or
rebooted. The steps discussed in this section are typically important for routers that have been
involved in attacks.
1. Establishing a Router Connection
Before you do anything, you’ll need to establish a connection to the router. The best way to
access the router is from the console port. When establishing a connection to the router,
make sure to log the entire session.
2. Recording System Time
Recording the router’s system time helps in cross-referencing the collected data with other logs.
3. Determining Who Is Logged On
Determine if anyone else is logged on to the router.
4. Determining the Router’s Uptime
The time that the system has been online since the last reboot can also be important.
5. Determining Listening Sockets
One way to discover if there are any access paths into a router that you don’t know about is to
determine which ports (sockets) are listening on the router. To determine which services are
running on the router, use an external port scanner or examine the configuration file. The
configuration file covers all aspects of the router’s configuration.
6. Saving the Router Configuration
Router configuration information is stored in NVRAM. The router uses this stored configuration
when it boots. However, you can change the configuration of the router without modifying the
configuration file stored in NVRAM. Instead, the changes to the configuration are made in RAM,
and they are saved to NVRAM only by an administrative command. Thus, you should save the
configuration that is in RAM as well as the configuration in NVRAM.
7. Reviewing the Routing Table
The routing table contains the blueprint of how the router forwards packets. If an attacker can
manipulate the routing table, the attacker can change where packets are sent. Understandably,
manipulating the routing table is a primary reason for compromising a router. Static routes
within the configuration file are also visible to the attacker, so the attacker can change these
routes.
8. Checking Interface Configurations
Information about the configuration of each of the router’s interfaces is available.
9. Viewing the ARP Cache
Address Resolution Protocol (ARP) maps IP addresses and media access control (MAC)
addresses. Unlike IP addresses (which are Network layer addresses), MAC addresses are physical
addresses (layer 2 of the OSI model) and are not routed outside broadcast domains. Routers
store the MAC addresses of any device on the local broadcast domain, along with its IP address,
in the ARP cache. The ARP cache can be useful when investigating attacks of this kind, and since
it is easy to destroy and easy to save, you might as well save the information.
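As an added example (not part of the original text) of working with the logged session from steps 1 to 9, the following Python script splits a console session log into per-command output, lists logins that did not come from the console (step 3), and reports the lines by which the running configuration differs from the configuration stored in NVRAM (step 6). The session log, hostname, user names, addresses and hashes are constructed, and the prompt format (hostname followed by “#”) is an assumption.

```python
"""Work through a logged router console session offline.

Added example, not from the original text. It assumes a plain-text session
log where every command typed at the router appears on a line of the form
'<hostname>#<command>' and its output follows until the next prompt. The
session below (hostname, users, addresses, hashes) is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample session log; the enable secret hash is a placeholder.
SAMPLE_SESSION = """\
rtr#show clock
*14:02:11.331 UTC Tue Mar 5 2024
rtr#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0     admin      idle                 00:00:00
   2 vty 0     svc        idle                 00:12:41 198.51.100.77
rtr#show startup-config
Using 512 out of 262144 bytes
!
hostname rtr
enable secret 5 $1$abcd$placeholderhash
snmp-server community Ops-RO RO
line vty 0 4
 transport input ssh
end
rtr#show running-config
Building configuration...

Current configuration : 640 bytes
!
hostname rtr
enable secret 5 $1$abcd$placeholderhash
username svc privilege 15 password 7 0822455D0A16
snmp-server community public RW
ip route 10.50.0.0 255.255.0.0 198.51.100.1
line vty 0 4
 transport input telnet ssh
end
rtr#
"""

PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+)#(?P<cmd>.*)$")
# 'show users' rows for virtual terminal (telnet/SSH) sessions: vty N user host idle location
VTY_RE = re.compile(r"\bvty\s+\d+\s+(\S+)\s+\S+\s+\S+\s+(\S+)")
# Header lines printed before a configuration listing; they are not configuration.
NOISE_PREFIXES = ("Building configuration", "Current configuration", "Using ", "!")


def parse_session(log: str) -> Dict[str, List[str]]:
    """Split the session log into {command: output lines}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in log.splitlines():
        match = PROMPT_RE.match(line)
        if match:
            current = match.group("cmd").strip() or None   # bare prompt ends a section
            if current:
                sections[current] = []
            continue
        if current is not None:
            sections[current].append(line.rstrip())
    return sections


def remote_sessions(show_users: List[str]) -> List[Tuple[str, str]]:
    """Return (user, location) for every vty login, i.e. anyone besides the console user."""
    found: List[Tuple[str, str]] = []
    for line in show_users:
        m = VTY_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def normalise(config: List[str]) -> List[str]:
    """Drop blank lines, comments and listing headers; keep indentation."""
    return [l.rstrip() for l in config if l.strip() and not l.startswith(NOISE_PREFIXES)]


def config_diff(startup: List[str], running: List[str]) -> Tuple[List[str], List[str]]:
    """Lines present only in RAM (unsaved changes) and only in NVRAM (removed at runtime)."""
    s, r = normalise(startup), normalise(running)
    s_set, r_set = set(s), set(r)
    return [l for l in r if l not in s_set], [l for l in s if l not in r_set]


if __name__ == "__main__":
    sections = parse_session(SAMPLE_SESSION)
    print("system time:", sections["show clock"][0])
    print("remote logins:", remote_sessions(sections["show users"]))
    added, removed = config_diff(sections["show startup-config"], sections["show running-config"])
    print("only in running-config:", added)
    print("only in startup-config:", removed)
```

In the constructed session the unsaved changes are exactly the kind an intruder leaves behind: a new privileged user, a writable SNMP community, an undocumented static route and telnet re-enabled on the vty lines.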
FINDING THE PROOF
We’ve saved most of the evidence you need. The next step depends on the type of incident
suspected, based on your initial investigation. Here, we will look at responses for several incident
types involving routers, including how to identify corroborating evidence. The types of incidents that
involve routers are as follows:
Direct compromise
Routing table manipulation
Theft of information
Denial of service
Handling Direct-Compromise Incidents
Direct compromise of the router is any incident where an attacker gains interactive or privileged
access to the router. Direct compromise provides the attacker with control of the router and access
to the data stored on the router.
Administrative access to the router is available in a surprisingly large number of ways, including
telnet, console, SSH, web, Simple Network Management Protocol (SNMP), modem, and TFTP access.
Interactive access, even when not privileged, is dangerous because of the functionality of the
router. Anyone with interactive access can use the router to identify and compromise other hosts via
available router clients such as ping and telnet. This is especially dangerous because the router is
often allowed access to internal networks, even though a firewall may block all other access to
internal networks.
Investigating a Direct-Compromise Incident
With the information we’ve already collected, namely the configuration file and the list of listening
ports, the investigation is off to a strong start.
1. Listening Services The listening services on the router provide the potential attack points
from the network. The list of interfaces should tell you if the router has modem access. A
review of the physical security of the router will determine the relative accessibility of the
console port. Most likely, only a couple of avenues of attack are possible, and this simple
exercise has narrowed down the scope.
2. Passwords Most avenues of attack to the router require a password. (There are a few
exceptions, which we will cover in the next section.) Routers can have different passwords
for different services, such as telnet, SNMP, and enable access. Attackers can learn the
passwords to the router through a variety of different means. The most obvious is through
brute force password guessing. This technique, popularized by Matthew Broderick in War
Games (password Joshua), is still very much in use today, though usually in automated
fashion. Most brute force password guessing attacks are picked up by the IDS, which is
helpful during investigations. If the passwords in use are extremely difficult to guess
(alphanumeric, more than eight characters, and so on), then brute force password guessing
probably was not the means of compromise. The passwords are stored in the configuration
file, either as cleartext or encrypted using the Vigenere cipher (XOR) or MD5 algorithm.
Another way for attackers to learn the password is through network sniffing. Any protocol
that passes cleartext data and authentication information—such as SNMP, telnet, HTTP, and
TFTP—is vulnerable to network sniffing.
A quick review of the passwords in use will provide the investigator with some clues about
the compromise.
3. Other Compromise Possibilities If the compromise did not come via a listening service or a
password, there are a few other possibilities. Anyone with console access to the router can
gain administrative access to the box through a reboot and appropriate procedures. The
system uptime information gained during the investigative steps will provide the last time
the router was rebooted. Alternatively, if a modem is connected to the router, it’s possible
that the last legitimate user did not log off properly, allowing an attacker to gain access to
the router without a password. Another method of compromise, TFTP, deserves a bit of
explanation.
Routers use TFTP to store and reload configuration files over a network. TFTP is a UDP-based
protocol and is inherently insecure: it requires no authentication, and all data passes as cleartext.
Router configuration files often use the naming convention of -confg or .cfg. To take
advantage of these factors, an attacker only needs to scan a network for a router and a TFTP
server. The attacker learns the hostname of the router via Domain Name System (DNS)
resolution and requests the configuration file from the TFTP server. At this point, the
attacker can use the password information in the configuration file to access the router or
modify the configuration file, and then upload to the TFTP server and wait for a network
reload.
Recovering from Direct-Compromise Incidents
After a direct-compromise incident, all recovery steps should be taken while the router is offline.
Steps that should be taken include the following:
▼ Remove all unnecessary services.
■ Allow remote access only through encrypted protocols.
■ Allow no SNMP access or read-only access.
■ Do not use the SNMP password as the password for any other access.
■ Change all passwords.
■ Implement ACLs so that only connections from trusted hosts are allowed to the router.
▲ Upgrade the software with the latest updates.
Handling Routing Table Manipulation Incidents
Routers can use a variety of protocols to update their routing tables, including RIP, Open Shortest
Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Interior Gateway Routing
Protocol (IGRP), Border Gateway Protocol (BGP), and so on. These protocols communicate
information about the best path between networks to neighbor routers, and they have varying
degrees of security.
1. Investigating Routing Table Manipulation Incidents
Determining the current routing table is as simple as reviewing the output of the show ip route
command, as described earlier in this chapter. However, knowledge of the network is necessary to
understand if there are any inconsistencies. If any of the routes do not pass the common sense test,
or if packets appear to be routed through distant networks, then careful investigation is required. If
unfamiliar static routes appear in the routing table, then the router may have suffered direct
compromise.
2. Recovering from Routing Table Manipulation Incidents
Temporary recovery from routing table attacks is simple: Remove unwanted static routes and reboot
the router. However, preventing the attacks from occurring in the future is a bit more difficult. ACLs
can be introduced to limit router updates to known-good source addresses. However, because some
routing protocols are UDP, these addresses can be spoofed. Anti-spoofing ACLs can further limit
exposure, but these lists are not foolproof. The routing protocol chosen should allow for
authentication, and the authentication should be enabled.
Handling Theft of Information Incidents
Typical information that attackers glean from routers includes password, routing, and topology
information.
The recovery from this data theft is to change passwords, avoid password reuse, and limit the ability
of attackers to obtain sensitive information. A common problem that we see is the SNMP service
enabled with the default community string (password) of public. With this service enabled, an
attacker can gain a great deal of sensitive network information. Internet attackers can even learn the
hosts and IP ranges on internal networks.
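The recovery checklist for direct compromise, the check for unfamiliar static routes, and the default SNMP community string described above can be turned into a mechanical audit of a saved configuration. The following Python script is an added example, not from the original text: the configuration it audits and the set of known-good static routes are constructed, and the IOS-style keyword syntax it matches is an assumption about the platform.

```python
"""Audit a saved router configuration against the recovery checklist.

Added example, not from the original text. The IOS-style keywords matched
below (snmp-server community, transport input, access-class, ip route,
enable password, ip http server) are an assumption about the platform; the
configuration and the set of known-good static routes are constructed.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults that should never survive recovery

# Constructed configuration; the type 7 string and password are placeholders.
CONSTRUCTED_CONFIG = """\
!
hostname rtr
enable password cisco123
username svc privilege 15 password 7 0822455D0A16
ip http server
snmp-server community public RW
snmp-server community Ops-RO RO
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.50.0.0 255.255.0.0 198.51.100.1
line vty 0 4
 transport input telnet ssh
end
"""
# Static routes the network owner documents as legitimate ("prefix mask next-hop").
KNOWN_STATIC_ROUTES: Set[str] = {"0.0.0.0 0.0.0.0 203.0.113.1"}


@dataclass
class Finding:
    line_no: int
    check: str
    detail: str


def audit_config(config: str, known_static_routes: Set[str]) -> List[Finding]:
    """Return the checklist items the configuration fails, in the order they are found."""
    findings: List[Finding] = []
    vty_block: List[Tuple[int, str]] = []   # lines of the 'line vty' section being read
    vty_start = 0

    def close_vty_block() -> None:
        # Evaluate the management-line section once it is complete.
        nonlocal vty_block
        if not vty_block:
            return
        has_acl = False
        for n, text in vty_block:
            words = text.split()
            if words[:2] == ["transport", "input"] and {"telnet", "all"} & set(words[2:]):
                findings.append(Finding(n, "cleartext-remote-access",
                                        "vty accepts telnet; allow only encrypted (SSH) access"))
            if words[:1] == ["access-class"]:
                has_acl = True
        if not has_acl:
            findings.append(Finding(vty_start, "no-management-acl",
                                    "no access-class limits vty logins to trusted hosts"))
        vty_block = []

    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("line vty"):
            close_vty_block()
            vty_start, vty_block = n, [(n, line)]
            continue
        if vty_block:
            if line.startswith(" "):
                vty_block.append((n, line))
                continue
            close_vty_block()           # first non-indented line ends the section
        words = line.split()
        if words[:2] == ["snmp-server", "community"] and len(words) > 2:
            if words[2].lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(n, "default-snmp-community",
                                        f"community '{words[2]}' is a well-known default"))
            if "RW" in words[3:]:
                findings.append(Finding(n, "snmp-write-access",
                                        "SNMP write access lets a reader reconfigure the router"))
        elif words[:2] == ["enable", "password"]:
            findings.append(Finding(n, "reversible-enable-password",
                                    "enable password is cleartext or type 7; use enable secret"))
        elif words[:1] == ["username"] and "password" in words:
            findings.append(Finding(n, "reversible-user-password",
                                    "user password is cleartext or type 7; use secret"))
        elif words[:3] == ["ip", "http", "server"]:
            findings.append(Finding(n, "unnecessary-service",
                                    "HTTP management is a cleartext listening service"))
        elif words[:2] == ["ip", "route"] and len(words) >= 5:
            route = " ".join(words[2:5])
            if route not in known_static_routes:
                findings.append(Finding(n, "unknown-static-route",
                                        f"static route '{route}' is undocumented; possible manipulation"))
    close_vty_block()
    return findings


if __name__ == "__main__":
    for f in audit_config(CONSTRUCTED_CONFIG, KNOWN_STATIC_ROUTES):
        print(f"line {f.line_no:>3}  {f.check:<28} {f.detail}")
```

Run against the real startup and running configurations saved during the volatile-data steps, the list of findings doubles as the recovery worklist for the router.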
Handling Denial-of-Service (DoS) Attacks
DoS attacks are often directed at routers. If an attacker can force a router to stop forwarding
packets, then all hosts behind the router are effectively disabled. DoS attacks fall into several basic
categories:
Destruction: Attacks that destroy the ability of the router to function, such as deleting the
configuration information or unplugging the power.
Resource consumption: Attacks that degrade the ability of the router to function, such as by
opening many connections to the router simultaneously.
Bandwidth consumption: Attacks that attempt to overwhelm the bandwidth capacity of the
router’s network.
Investigating DoS Attacks
Determining the type of DoS attack should be the easiest part of the investigation.
1. If the router is not working at all, it is probably a destruction attack. Check the obvious
problems first: power, cables, and configuration.
2. If the router is periodically rebooting or its performance is regularly degraded, this is probably
the result of a point-to-point attack—one directed at the router. Uniformly degraded
performance may be either a resource or bandwidth-consumption attack. In either case, a
network sniffer will reveal details. Look for packets destined directly to the router, as well as
an overabundance of packets that are not part of established connections. (Refer to Chapter
8 for details on using sniffers.) Packets directed to the router will usually affect the router
only if a port is listening on the router. A rebooting router is a nonfunctioning router, thus
the denial of service.
3. A flood of packets directed to the router can also cause degradation. If the router has open
ports, then an overabundance of SYN or similar packets may adversely impact the
performance of the router. Alternatively, even if the router has no open ports, a flood of
traffic may impact the router or use the bandwidth such that network performance is
significantly degraded. A DDoS attack is an example of a bandwidth attack. Although this
type of attack is not necessarily directed at a router, the router can be used to mitigate the
effects of the attack.
Recovering from DoS Attacks
Recovery usually consists of a combination of the following measures:
▼ Eliminate listening services.
■ Upgrade software to the latest version.
■ Restrict access to listening services using ACLs.
▲ Implement ACLs to limit malicious traffic.
USING ROUTERS AS RESPONSE TOOLS
Routers have many uses during incident response, especially during recovery. A couple of the more
useful router features are ACLs and logging capabilities. In addition, there are specific actions that
can be taken on routers to mitigate the effects of DoS attacks.
1. Understanding Access Control Lists (ACLs)
ACLs are mechanisms that restrict traffic passing through the router. Packets can be restricted
based on a dazzling array of attributes, including (but not limited to) the following:
▼ Protocol
■ Source or destination IP address
■ TCP or UDP source or destination port
■ TCP flag
■ ICMP message type
▲ Time of day
Normally, ACLs are used to implement security policies. A well-configured router can provide many
of the capabilities of commercial firewalls, and routers are often used to supplement firewalls.
Preventing IP Address Spoofing
IP address spoofing is one of the oldest, yet still most dangerous, techniques used by Internet
attackers. If an attacker can masquerade as a trusted network address, a victim system will allow the
attacker’s packets to reach their goal. Routers play an important role in preventing these attacks.
Every interface on a router should prohibit packets that logically could not be coming from that
network interface.
2. Monitoring with Routers
During incidents, it is often helpful to monitor network traffic. Routers can be used for this task, and
they can prove invaluable in many cases, such as when other monitoring software cannot
keep up with the bandwidth passing through the router. Logging is configured through ACLs, and
logging can be configured for permitted traffic, rejected traffic, or all traffic.
3. Responding to DDoS Attacks
DDoS entered the vocabulary of security professionals in late 1999. These crafty attacks used
systems around the Internet to simultaneously send large amounts of traffic to victim sites.
Subsequent attacks have expanded on the theme, with traffic-amplification techniques that are
capable of degrading service at even the largest of sites. The effects of these attacks can never be
completely avoided. If enough traffic hits a victim site at the same time, the victim site will not be
able to respond to all requests. However, there are some specific actions that can be taken to
mitigate the effects of these attacks and reduce their ability to deny service.
ICMP, UDP, and TCP packets can all be part of the attack. Attacks involving ICMP and UDP packets can be
mitigated quickly by blocking ICMP and UDP packets. Most networks have no need for these
protocols to be allowed in from the Internet (except for UDP 53, DNS), so introduce ACLs that deny
all ICMP traffic and all UDP except for DNS traffic to the specific DNS server(s). To reduce the
likelihood of traffic amplification attacks by unwitting victims, also consider egress filters, which limit
these protocols. TCP attacks are a bit more difficult to mitigate. TCP traffic is necessary, unless you
do not receive email, host a web site, or use Internet connections in any other way. TCP-based DoS
attacks come in two basic flavors: connection-oriented or connectionless.
i) Responding to Connection-Oriented TCP Attacks
Connection-oriented attacks complete the three-way TCP handshake to establish a connection.
Because the three-way handshake is completed, the source address of the attack is virtually certain.
(It is extremely difficult to spoof source IP addresses and still complete the three-way handshake,
due to the TCP sequence number.)
Connection-oriented attacks, sometimes known as process table or resource allocation attacks,
must come from the actual specified source address, so filtering the offending addresses is possible
through an ACL. The unfortunate part is that the filtering is reactive—you can only filter the source
address after identifying the offender via log files or network monitoring.
ii) Responding to Connectionless TCP Attacks
Connectionless TCP attacks initiate TCP connections by sending out only SYN packets, never
completing the handshake. With these attacks, source-address spoofing is trivial, since the sequence
number plays no role.
Connectionless attacks are more difficult for the responder to filter, because each packet may have a
different source address, and those source addresses are not the actual source of the packet. On the
positive side, the attacks themselves are not as damaging as the worst connection-oriented attacks.
To reduce the effects of connectionless attacks, you’ll need to implement TCP rate filtering. The
basic idea of rate filtering is based on the characteristics of normal traffic versus the traffic
experienced during SYN floods. Normal connections require the SYN packet to be sent only when the
connection is first being established. Rate limiting the number of SYN packets into the network will
throttle the amount of new incoming connections during normal operation. The importance of rate
limiting comes during a SYN flood attack, when the router throttles the spurious SYN packets being
thrown at the router. For example, if the router passes SYN packets no more than 40 percent of the
time (rate limited), then at least 60 percent of the traffic will always be established connections (ACK
packets while users are visiting a web server). This solution should not affect overall bandwidth to
the network; it impacts only the number of connections to the network.
3.2 Malware Analysis - Malware, Viruses, Worms
Malware is not only software that is programmed to perform malicious work against a victim’s
system, but also any executable code that performs work without the user’s permission or consent,
either on a local system or over a network. For example, malware can steal sensitive data from
users, organizations or companies. Therefore, malware can be seen as a virus or worm or even a
backdoor.
A virus is malicious code that needs a host file or a running process, usually an executable
piece of code on a single computer for inserting malicious code, propagation, duplication,
concealment and running the virus in the background.
A worm is similar to a virus in terms of the aforementioned features, except that it does not
necessarily need a host file and can run over a network. However, both viruses and worms
might attach themselves to another program directly, or indirectly by exploiting some
vulnerability in a service or application such as a buffer overrun (e.g., the Blaster and Slammer
worms). Therefore, in order to analyse malware, it is important to know the first step that
malware exploits to get on a computer. The following subsection highlights the most
common ways that malware can get on computers.
How Does Malware Get on Computers
Malware gets on your computer using different tricks and approaches. For example, spam
emails can carry a malicious attachment that ends up installing malware on your computer, and
infected media such as CDs or USB flash drives can allow malware to be automatically downloaded
and installed on your system. Additionally, exploiting software vulnerabilities, including those in
operating systems, is a nightmare for many software vendors and is the preferred way for
notorious malware to propagate and spread.
For instance, remote buffer overruns are exploited by attackers to execute malicious
software or to download other applications on compromised systems. Moreover, you might
encounter in security a hybrid of tricks and approaches such as social engineering tactics or
drive-by download pages that allow an attacker eventually to successfully install and run
malware on a victim’s system. All what the need is to present credible reasons to a victim
luring them into visiting a webpage or installing an application that allows them to gain
something they like or enjoy. As a result, malware authors spend time thinking of
incorporating ingenious strategies to infiltrate a victim’s system taking advantage of the
aforementioned tactics.
Importance of Malware Analysis
Recent news headlines show that the rate of malware outbreaks is astonishing, and even suggest that
there will be a bigger surge in the future, as there is too much malware, with too many variants, and
new cyberattack methods keep surfacing.
For example, a massive malware infection hit approximately 300 computers in public classrooms
and labs at the University of Alberta, Canada. The malware was designed to harvest user
credentials. It could have led to the disclosure of sensitive personal and financial information,
putting more than 3000 people (faculty members, students, administrative staff) at risk.
Obviously, it is crucial that we arm ourselves with the necessary skills and tools to fight
malware. Unfortunately, malware is a very complicated issue since it continues to evolve.
While we need to better educate people not to fall into the malware trap, another key is to
understand how malware affects a vulnerable computing system and what exactly malware
does. As a result, better approaches could be developed to build more effective defenses against
malware, especially the new breeds of malware that have been seen growing. It could also
lead to a solution for restoring data and services after a malware infection. This can be achieved
through the analysis of malware.
Malware analysis is the process of determining the purpose and functions of a given malware
sample such as a virus, worm, or backdoor.
Further, malware analysis has become a critical aspect of today’s forensic investigations, as
malware is increasingly found on compromised systems.
Essential Skills and Tools for Malware Analysis
We believe there are links between advanced malware analysis and understanding
modern malware. For example, a security expert/practitioner in malware analysis is a person
who has many skills in programming languages such as C/C++ and other web languages (e.g.,
scripting languages), assembly languages, operating systems, network programming and
settings, web application security, and understanding cyber threats such as the wide variety of
techniques used in exploiting vulnerabilities that threaten users and systems.
What you want to know about malware or analysing malicious software will determine the
level of sophistication required for malware analysis.
However, conducting dynamic malware analysis carelessly is not recommended because the
consequences are unknown, especially if you use your personal computer, which contains
sensitive information, for serious and dangerous malware analysis.
Even though conducting dynamic malware analysis in a virtual machine can mitigate the risks
resulting from a malicious program, you might not get accurate information about the behaviour
of the malware. This is because sophisticated malware can change its behaviour when it detects
a virtual environment, or it might simply behave benignly.
In the worst case, it is quite possible for malware to escape analysis tools or virtual machines
if it exploits a misconfiguration or a zero-day bug.
From a security’s point of view, malware analysis and skills required include:
• Understanding some topics in programming languages (i.e., C/C++) such as functions, pointers,
arrays, the stack, and the heap. In particular, it is very important to understand how a function’s
arguments are passed.
• Wide knowledge about assembly language in terms of aforementioned topics and machine
language.
• Understanding PE and COFF files and their structures.
• What EXE, DLL, OCX, etc. are, how they work and their differences.
• Exported and imported tables and functions in EXE and DLL files.
• Cryptographic techniques.
• What a vulnerability is and how it can be exploited either remotely or locally.
• What shellcode and shellcode analysis are.
• Tools used for static and dynamic analysis, including debuggers, decompilers, disassemblers,
packing and unpacking techniques, and process, file and registry monitors.
List of Malware Analysis Tools and Techniques
This section introduces some key terms used in a wide variety of tools. First, an executable file on
Windows systems comes with an .EXE or .DLL extension. It contains executable code, while an
application or program resides in an EXE file.
Dynamic link libraries come with a .DLL extension and are loaded by the Windows operating
system loader. They can also be loaded by another application. Second, Microsoft uses the term
portable executable (PE) to refer to a file format used by Windows. The PE contains headers and
sections. These sections contain useful information used by an executable, such as the
executable instructions in the .CODE or .TEXT section.
Finally, there are two techniques used in malware analysis, namely static and dynamic. Static
analysis is the process of analysing an executable file or its functionality without running it,
typically starting with a decompiler to decompile the executable file back to its source code.
Dynamic analysis, on the other hand, involves running the executable. The two analyses give
different information about the application being analysed and use different tools.
1. Dependency Walker
The most popular tool used by many malware analysts is Dependency Walker. This tool shows
which functions an executable file imports and exports. Usually, those functions play a vital role
in understanding how and what a malicious program does. It is also important to know that those
functions have legitimate uses in Windows programming, but if you conduct a malware analysis
and see them, then they are probably used for malicious functionality as well.
2. PEview
In static analysis, we need to understand several facts about executables (.EXE, .DLL or others
such as .OBJ). In particular, Microsoft uses the term Portable Executable (PE) file to refer to
executables. The PE file format can be seen as a data structure that contains information about
executables (i.e., images in Microsoft jargon) used by the Windows loader.
Each PE file or image usually contains two headers. The first part of the PE header is related to
MS-DOS applications. There are sections in this part (the IMAGE_DOS_HEADER and the MS-DOS
Stub) that are not interesting to us, except for two fields in the IMAGE_DOS_HEADER (i.e., e_magic
and e_lfanew). The second part of the PE file, following the IMAGE_DOS_HEADER and MS-DOS
Stub, is the IMAGE_NT_HEADER. The IMAGE_NT_HEADER is a structure that contains three
elements, namely Signature, FileHeader and OptionalHeader.
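As an added example (not code from this book or from PEview), the header walk just described, written in Python over a small constructed image: it checks e_magic, follows e_lfanew from the IMAGE_DOS_HEADER to the Signature, FileHeader and OptionalHeader, and rejects an e_lfanew that points outside the file, as a malformed or truncated sample may. The byte values and the helper names are constructed for illustration.

```python
import struct

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}  # IMAGE_FILE_HEADER.Machine
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}                # OptionalHeader.Magic

def build_sample_image() -> bytes:
    """Constructed, hypothetical image: DOS header, empty stub, NT headers."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"                        # e_magic
    struct.pack_into("<I", dos_header, 60, 0x80)   # e_lfanew -> NT headers at 0x80
    dos_stub = b"\x00" * (0x80 - 64)               # padding where the stub would be
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x8664, 3, 0x5F000000, 0, 0, 240, 0x0022)
    return bytes(dos_header) + dos_stub + b"PE\x00\x00" + file_header + struct.pack("<H", 0x20B)

def parse_pe_headers(data: bytes) -> dict:
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS and return the key fields."""
    if len(data) < 64 or data[0:2] != b"MZ":
        raise ValueError("missing MZ signature (e_magic)")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    # e_lfanew must leave room for Signature (4), FileHeader (20) and the
    # OptionalHeader magic (2); malformed samples often point outside the file
    if e_lfanew + 26 > len(data):
        raise ValueError(f"e_lfanew 0x{e_lfanew:x} points outside the image")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature at e_lfanew")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
        "number_of_sections": nsections,
        "timestamp": timestamp,
        "size_of_optional_header": opt_size,
        "is_dll": bool(characteristics & 0x2000),   # IMAGE_FILE_DLL
        "optional_magic": OPTIONAL_MAGIC.get(opt_magic, "unknown"),
    }

def is_well_formed(data: bytes) -> bool:
    # True when both headers parse; False for truncated or non-PE input
    try:
        parse_pe_headers(data)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(parse_pe_headers(build_sample_image()))
```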
3. W32dasm
This software helps in extracting more information about executable files, especially EXEs and
DLLs. We mentioned earlier that you can use a disassembler if you want to better
understand the example application under test. W32Dasm can provide detailed
information regarding the imported and exported functions and modules (DLLs) used by
[Link].
4. OllyDbg
OllyDbg is a debugger used for reverse engineering programs. It is widely used by crackers to
crack software written for Windows. This tool helps us trace registers, the stack and the heap, and
recognize procedures, API calls and loops. In addition, it can directly load and debug DLLs.
5. Wireshark
Wireshark is considered one of the most important network protocol analyzers. It helps you monitor
your network and see what is happening in the packets sent or received by different protocols and
applications in real time. More importantly, it gives you the opportunity to capture network
traffic and save the captured data for later analysis.
6. ConvertShellCode
A forensic investigator armed with assembly language knowledge can understand more about malware
behaviour and analyze code at a low level in order to verify a suspicious piece of code or
identify malicious activities. In this context, we define shellcode as assembly code written in
hex that not only allows a local or remote user to control the compromised system, usually by
spawning a shell or command line, but also performs countless malicious tasks such as sending
sensitive information to a remote attacking computer, or even deleting data and
encrypting a compromised hard disk; the list goes on and on. These security incidents cause
significant damage and, in some cases, financial losses.