Digital Forensics - isacasfl.org/wp-content/uploads/2015/02/Mike_Gotham_RSA-Digital...

1 EMC CONFIDENTIAL—INTERNAL USE ONLY

Digital Forensics

Mike Gotham – ASOC Senior Systems Engineer, RSA, The Security Division of EMC, [email protected]

Slide 2

The Internet is a dark and scary place. Malware can easily infiltrate enterprises and cause billions of dollars in damage. Our security professionals and evangelists must stress the importance of this to those outside the security community.

-Abraham Lincoln

Slide 3

Analysis Basics

Slide 4

What we’ll cover:
• Static Analysis
• Dynamic Analysis
• Network Analysis

Slide 5

Static Analysis

Slide 6

The role of Static Analysis

Slide 7

Static Analysis

Slide 8

Strings

• First look at the obvious
  – Examining a piece of malware for strings (sequences of printable characters) can reveal a few clues about what the malware does, or what it is capable of doing

Source: http://malwaremusings.com/2012/09/07/the-usefulness-of-strings-during-static-malware-analysis/

Slide 9

Strings (Cont’d)

Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf

Slide 10

Strings (Cont’d)

Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf

• Be careful about drawing conclusions
• There is nothing stopping the attacker from planting strings meant to deceive the analyst
• Strings are a good first step and can sometimes even provide attribution
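The following is an added example, not code from the deck or from the sources it cites, showing what such a first look involves: it pulls ASCII and UTF-16LE runs out of a constructed byte blob (Windows binaries carry many wide strings that a plain ASCII pass misses) and sorts them into rough indicator buckets. The sample bytes, the bucket names and the CamelCase-API heuristic are all assumptions made for this example; and, as the slide warns, nothing in the output proves a string is genuine rather than planted.

```python
import re
from collections import defaultdict

# Constructed sample "binary": printable runs with binary noise between them (not a real sample).
SAMPLE = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    + b"kernel32.dll\x00"
    + b"\x00\xff\x12"
    + b"CreateRemoteThread\x00"
    + b"http://update.example.test/gate.php\x00"
    + b"\x01\x02"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x80"
    + b"10.0.0.25\x00"
    + b"ab\x00"                                     # shorter than min_len, so it is skipped
    + b"This program cannot be run in DOS mode\x00"
)

# Heuristic triage buckets (assumed for this example); the first matching pattern wins.
CATEGORIES = [
    ("url", re.compile(r"^(?:https?|ftp)://", re.I)),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("registry", re.compile(r"^(?:HK(?:LM|CU|CR|U)\\|HKEY_|Software\\)", re.I)),
    ("dll", re.compile(r"\.dll$", re.I)),
    ("winapi", re.compile(r"^[A-Z][a-z0-9]+(?:[A-Z][a-z0-9]+)+[AW]?$")),  # CamelCase, e.g. CreateFileW
]


def extract_strings(data, min_len=4):
    """Return (encoding, offset, text) for ASCII and UTF-16LE runs of at least min_len printable
    characters, sorted by offset. UTF-16LE needs its own pass: the interleaved NULs break ASCII runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf16le", m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found, key=lambda t: t[1])


def triage(strings):
    """Group extracted strings into rough indicator buckets for a first look; 'other' catches the rest."""
    buckets = defaultdict(list)
    for _enc, _off, text in strings:
        label = next((name for name, pat in CATEGORIES if pat.search(text)), "other")
        buckets[label].append(text)
    return dict(buckets)


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for enc, off, text in found:
        print(f"{off:#06x} {enc:7} {text}")
    for label, items in triage(found).items():
        print(label, items)
```

Run it against a real file by replacing SAMPLE with the file's bytes; raising min_len cuts the noise from short coincidental runs, at the cost of missing short but meaningful strings such as two-letter country codes or short mutex names.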

Slide 11

Why PE File format analysis?
• How the Windows loader loads the executable into memory.
• How the loader builds the import and export tables for a module in memory.
• Where execution starts (the Address of Entry Point).
• Answers the question “how does a binary compiled on one version of Windows work on another version of Windows?”
• Where an attacker would attack.
• Also, malware today is generally encrypted or packed. In order to rebuild the original binary, we need to know how the binary is structured.

Source: http://www.slideshare.net/securityxploded/reversing-malware-analysis-training-part-3-windows-pe-file-format-basics

Slide 12

Examining the PE Structure

Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf

Slide 13

Static Analysis Involving Memory

• In malware analysis there is no true separation between dynamic and static analysis; they are often performed together.
• Memory is a source of data for static analysis, but it is captured via dynamic analysis.
• An analyst can capture the internal runtime state of an executable by dumping its address space.

Slide 14

Why memory analysis?
• Consider performing memory analysis in these instances:
  – Code injection
  – Hollowed processes
  – Packed code
• The main challenges of memory analysis are:
  – PE header no longer accurate
  – Imports lost
  – Poor function identification
  – Offsets and references wrong
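As an added example (not from the deck or its sources) that covers both the PE-format slide and the memory-analysis slide above: a minimal PE header parser, an RVA-to-file-offset translation, and the first repair step applied to a dumped image. The PE32 skeleton it parses is constructed in code; its section names, RVAs and sizes are made up for the example. It shows concretely why a dumped image's header is "not accurate anymore": the section table still describes the on-disk layout, so translating the entry point through it lands on the wrong bytes until the raw pointers are realigned to the virtual addresses.

```python
import struct

SECTION_HDR = "<8sIIII"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (first 24 of 40 bytes)


def parse_pe(data):
    """Parse e_lfanew, the COFF header, the optional-header fields the loader needs, and the section table."""
    if bytes(data[:2]) != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if bytes(data[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                          # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:                           # PE32: 32-bit ImageBase at +28, data directories at +96
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
        dirs = opt + 96
    elif magic == 0x20B:                         # PE32+: 64-bit ImageBase at +24, data directories at +112
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)
    import_dir = struct.unpack_from("<II", data, dirs + 8) if ndirs > 1 else (0, 0)  # directory 1 = imports
    table, sections = opt + opt_size, []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"machine": machine, "timestamp": tstamp, "characteristics": chars, "entry_point": entry,
            "image_base": image_base, "section_align": sec_align, "file_align": file_align,
            "import_dir": import_dir, "section_table": table, "sections": sections}


def rva_to_offset(pe, rva, mapped=False):
    """Translate an RVA to an offset. In a memory image (mapped=True) offset == RVA; on disk the
    section table says where each section's raw bytes live."""
    if mapped:
        return rva
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    if not pe["sections"] or rva < pe["sections"][0]["va"]:
        return rva                               # headers are mapped 1:1
    raise ValueError("RVA %#x is outside every section" % rva)


def realign_dumped_sections(image):
    """First repair step for a dump: set PointerToRawData/SizeOfRawData to VirtualAddress/VirtualSize so
    the header describes the layout actually present in the dump (imports still need rebuilding)."""
    fixed = bytearray(image)
    pe = parse_pe(fixed)
    for i, s in enumerate(pe["sections"]):
        struct.pack_into("<II", fixed, pe["section_table"] + 40 * i + 16, s["vsize"], s["va"])
    return fixed


def build_sample_pe32():
    """Constructed, non-runnable PE32 skeleton for the demo: two sections and an import directory RVA."""
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0x54E0C0DE, 0, 0, 0xE0, 0x0102)  # i386, 2 sections
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1010)                # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)              # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)        # SectionAlignment, FileAlignment
    struct.pack_into("<I", img, opt + 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, 0x2010, 0x28)     # import directory RVA, size
    for i, hdr in enumerate([(b".text", 0x100, 0x1000, 0x200, 0x400), (b".rdata", 0x80, 0x2000, 0x200, 0x600)]):
        struct.pack_into(SECTION_HDR, img, opt + 0xE0 + 40 * i, *hdr)
    img[0x410:0x413] = b"\x55\x8b\xec"                           # bytes at the entry point (push ebp; mov ebp, esp)
    return bytes(img)


def simulate_memory_dump(file_image):
    """Lay the file out as the loader maps it: headers first, each section at its VirtualAddress."""
    pe = parse_pe(file_image)
    last = pe["sections"][-1]
    img = bytearray(last["va"] + max(last["vsize"], last["rawsize"]))
    hdr = pe["sections"][0]["rawptr"]
    img[:hdr] = file_image[:hdr]
    for s in pe["sections"]:
        img[s["va"]:s["va"] + s["rawsize"]] = file_image[s["rawptr"]:s["rawptr"] + s["rawsize"]]
    return bytes(img)


if __name__ == "__main__":
    on_disk = build_sample_pe32()
    pe = parse_pe(on_disk)
    ep = rva_to_offset(pe, pe["entry_point"])
    print("on disk: entry RVA %#x -> offset %#x, bytes %s" % (pe["entry_point"], ep, on_disk[ep:ep + 3].hex()))
    dump = simulate_memory_dump(on_disk)
    stale = rva_to_offset(parse_pe(dump), pe["entry_point"])     # trusts the stale on-disk section table
    print("dump, stale header: offset %#x -> bytes %s" % (stale, dump[stale:stale + 3].hex()))
    print("dump, realigned:    offset %#x" % rva_to_offset(parse_pe(realign_dumped_sections(dump)), pe["entry_point"]))
```

The same translation logic is what lets an analyst find the import directory in a file versus in a dump: on disk the import RVA goes through the section table, in a dump it is used as-is, and after the realignment step both paths give the same answer.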

Slide 15

Examining memory dump

Slide 16

Static Analysis tools

Slide 17

Dead Box Forensics
• Computer forensics
  – Detecting, analyzing, and reporting on evidentiary artifacts found in computer physical memory
• Forensics investigations
  – Seeks to uncover evidence and then analyze it in order to gain a full understanding of a crime scene, the motives of the perpetrator, or the criminal’s identity.
    ▪ As computers and the Internet have become ubiquitous in our daily lives, the cyber realm increasingly contains potential evidence for all types of criminal investigations.
    ▪ Traditional cyber forensics have focused on “dead-box” analysis, but there is an emerging methodology for “live-box” analysis—a technique that preserves and harvests vital evidence from a computer’s physical memory, also referred to as random-access memory (RAM) or volatile memory.

Source: http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=116&Itemid=49

Slide 18

Seizing evidence

Source: https://star.worldbank.org/star/sites/star/files/english_-_computer_forensics_-_day_2.pdf

Slide 19

Dead box acquisition

Source: https://star.worldbank.org/star/sites/star/files/english_-_computer_forensics_-_day_2.pdf

Slide 20

Forensics tools Example

• Guidance Software
  – EnCase Forensics
• Access Data
  – Forensic Tool Kit (FTK)
• Magnet Forensics
  – Internet Evidence Finder (IEF)

Source: http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=116&Itemid=49

Slide 21

Dynamic Analysis

Slide 22

Role of Dynamic Analysis

Slide 23

Why Dynamic Analysis?
• Static Analysis will reveal some immediate information
• Exhaustive Static Analysis could theoretically answer any question, but it is slow and hard
• Usually you care more about « what » the malware is doing than « how » it is being accomplished
• Dynamic Analysis is conducted by observing and manipulating malware as it runs

Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf

Slide 24

Dynamic Analysis
• Dynamic analysis of malware focuses on observing the malware’s behavior as it executes in a safe environment.
• Tasks include:
  – Monitoring API calls to discover what the malware is doing.
  – Observing changes to the system.
  – Observing network traffic.
  – Revealing unpacked code.
• The key to Dynamic Analysis is to monitor how the malware modifies the analysis system. System changes may come in the form of:
  – Files saved to or deleted from the file system.
  – Registry keys added to the Windows registry.
  – Network activity generated by the malware.

Slide 25

Safe Environment

• Our nice & safe analytical environment wasn’t that important during static analysis.
• As soon as you run an unknown piece of code on your system, nothing that’s writable can be trusted.
• In general we will need to run the program many times. Snapshots make life easier.

Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf

Slide 26

System Monitoring

• What we are after
  – Registry Activity
  – File Activity
  – Process Activity
  – Network Traffic

Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf

Slide 27

The Tools
• Registry
  – Procmon
  – Regshot
• API
  – Capture-Bat
  – API Monitor
• Network Traffic
  – Wireshark
  – Paros
• Process
  – Process Hacker
  – SysInternals Process Monitor
• Debuggers
  – IDA Pro
  – Windbg
  – Ollydbg

Slide 28

The Tools (Cont’d)

Slide 29

Processes

• Processes/threads are separate units of execution that have a number of unique attributes:
  – Open file handles
  – Memory mappings
  – Network connections
  – Privileges

Source: https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf

Slide 30

Non-Tampered with Process list
• ACTIVE PROCESS BLOCK
• EPROCESS BLOCK
• FLINK
• BLINK

[Figure: PsActiveProcessHead (FLINK/BLINK) followed by four EPROCESS blocks, each showing its FLINK, BLINK and Unique Process ID, chained into a doubly linked list]

List Walking

PsActiveProcessHead > _LIST_ENTRY > EPROCESS…

Slide 31

Tampered list
• Hooking
• Direct Kernel Object Manipulation (DKOM)
• Cold Boot Attacks
• Other Methods

[Figure: the same doubly linked list of EPROCESS blocks (FLINK/BLINK), now labelled Explorer.exe, cmd.exe, Calc.exe and EVIL, illustrating how a tampered list hides the EVIL entry from a list walk]
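An added simulation (not part of the deck) of the list walking and the tampering shown on the two diagrams above. The EPROCESS structure, the kernel and the tampering are all toy stand-ins written for this example: a sentinel plays PsActiveProcessHead, each node carries FLINK, BLINK and a Unique Process ID, and a plain list stands in for the allocations a pool scanner would find. Walking the list after one entry has been unlinked misses it; comparing the walk against the pool scan (the cross-view approach memory-forensics tools use) and checking that each node's neighbours point back at it both expose the hidden entry.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Eprocess:
    """Toy stand-in for the kernel's EPROCESS: Unique Process ID, image name and the two
    _LIST_ENTRY pointers (FLINK/BLINK) that chain it into the active-process list."""
    pid: int
    name: str
    flink: Optional["Eprocess"] = None
    blink: Optional["Eprocess"] = None


class KernelSim:
    """Simulated kernel memory: a PsActiveProcessHead sentinel plus a pool of every EPROCESS allocation."""

    def __init__(self):
        self.head = Eprocess(pid=0, name="PsActiveProcessHead")
        self.head.flink = self.head.blink = self.head      # empty circular list
        self.pool: List[Eprocess] = []                     # every allocation, linked or not

    def create_process(self, pid, name):
        proc = Eprocess(pid, name)
        tail = self.head.blink                             # insert at the tail of the list
        proc.flink, proc.blink = self.head, tail
        tail.flink = proc
        self.head.blink = proc
        self.pool.append(proc)
        return proc

    def walk_active_list(self):
        """What a pslist-style tool does: follow FLINK from PsActiveProcessHead until it wraps."""
        out, cur = [], self.head.flink
        while cur is not self.head:
            out.append((cur.pid, cur.name))
            cur = cur.flink
        return out

    def scan_pool(self):
        """What a psscan-style tool does: enumerate the allocations directly, ignoring the links."""
        return sorted((p.pid, p.name) for p in self.pool)

    def unlink(self, proc):
        """DKOM-style tampering, simulated only so the detection below has something to find: the
        neighbours are re-pointed at each other while the object stays allocated and scheduled."""
        proc.blink.flink = proc.flink
        proc.flink.blink = proc.blink


def cross_view_diff(sim):
    """Allocations the pool scan finds that list walking does not: hidden-process candidates."""
    listed = set(sim.walk_active_list())
    return [entry for entry in sim.scan_pool() if entry not in listed]


def link_integrity(sim):
    """Per allocation: reachable from the list head, and do its own FLINK/BLINK point back at it?
    An unlinked object keeps stale pointers to its old neighbours, which no longer point back."""
    listed = set(sim.walk_active_list())
    report = {}
    for p in sim.pool:
        reciprocal = p.flink.blink is p and p.blink.flink is p
        report[p.pid] = {"name": p.name, "in_list": (p.pid, p.name) in listed, "links_ok": reciprocal}
    return report


def demo():
    """Constructed scenario: four processes, the last one hidden from the list walk."""
    sim = KernelSim()
    for pid, name in [(1234, "Explorer.exe"), (2048, "cmd.exe"), (3072, "Calc.exe"), (4096, "EVIL")]:
        sim.create_process(pid, name)
    before = sim.walk_active_list()
    sim.unlink(sim.pool[-1])
    return {"before": before, "after": sim.walk_active_list(), "hidden": cross_view_diff(sim),
            "integrity": link_integrity(sim)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The cross-view comparison is the robust check: the stale-pointer test only works while the hidden object's own links have not also been rewritten, whereas an allocation that exists in memory but is absent from the walk is suspicious no matter how carefully the links were patched.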

Slide 32

Observing System Activity using Process Monitor

Process Monitor displays real-time activity for:
  – Registry
  – File system
  – Processes and threads

Slide 33

Examining Processes using Process Hacker

Process Hacker features include:
  – Overview of running processes and resource usage
  – Detailed system information and graphs
  – Views and edits services
  – Process termination
  – Bypasses security software and rootkits

Slide 34

Detecting Changes to the File System and Registry

Regshot
  – Recursive from a given directory
  – Entire Registry
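An added example, not Regshot itself and not from the deck, of the shot/compare workflow described on this slide and in the "system changes" list under Dynamic Analysis: hash every file under a root, take the same shot after the sample has run, and report added, deleted and modified entries; the same diff is then applied to a flattened registry view. The directory layout, file contents and registry keys are constructed in a temporary directory for the demo, and the "sample run" is simulated by the code itself.

```python
import hashlib
import os
import tempfile


def snapshot_tree(root):
    """Regshot-style 'shot' of a directory: relative path -> (sha256, size) for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = (digest, os.path.getsize(path))
    return snap


def diff_snapshots(before, after):
    """Compare two shots (any mapping key -> value): added, deleted and modified keys."""
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(k for k in set(before) & set(after) if before[k] != after[k]),
    }


def demo():
    """Constructed run: seed a fake system tree and registry, simulate what a sample might change, diff."""
    with tempfile.TemporaryDirectory() as root:
        temp_dir = os.path.join(root, "Users", "analyst", "AppData", "Local", "Temp")
        os.makedirs(os.path.join(root, "Windows", "System32"))
        os.makedirs(temp_dir)
        hosts = os.path.join(root, "Windows", "System32", "hosts")
        with open(hosts, "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        stale = os.path.join(temp_dir, "setup.log")
        with open(stale, "w") as fh:
            fh.write("old log\n")
        # Constructed registry view, flattened to "key\value" -> data.
        reg_before = {
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Users\analyst\OneDrive.exe",
            r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Start": 3,
        }
        fs_before = snapshot_tree(root)

        # The sample runs here (simulated): drops a file, edits hosts, deletes its log, adds a Run value.
        dropped = os.path.join(temp_dir, "dropped.bin")
        with open(dropped, "wb") as fh:
            fh.write(b"\x4d\x5a" + b"\x00" * 62)
        with open(hosts, "a") as fh:
            fh.write("0.0.0.0 update.example.test\n")
        os.remove(stale)
        reg_after = dict(reg_before)
        reg_after[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"] = dropped
        reg_after[r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Start"] = 4

        fs_after = snapshot_tree(root)
    return {"files": diff_snapshots(fs_before, fs_after), "registry": diff_snapshots(reg_before, reg_after)}


if __name__ == "__main__":
    for view, changes in demo().items():
        print(view, changes)
```

Hashing rather than comparing timestamps matters here: a sample that rewrites a file and restores its modification time still shows up as modified, and the "size" half of the tuple is a cheap cross-check when the hash alone looks surprising.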

Slide 35

Examining API Calls and Parameters

API monitors:
  – Capture-Bat
  – API Monitor
  – Pymon
  – oSpy

Slide 36

Network Analysis
• Network analysis is an important part of dynamic analysis.
• These indicators describe network behavior:
  – Hosts
  – Domains
  – IPs accessed
• By monitoring network traffic, an analyst is able to determine:
  – What data is being sent, where is the data sent, and for what reason?
  – How is the network response handled by the malware?
    ▪ Download and execute files, or run commands, DDoS
    ▪ Scanning and spreading
  – Are there backup or alternative domains and IPs for the C2 servers?
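An added example (not from the deck) of turning the indicators listed above into answers. Given constructed DNS answers and connection records (RFC 5737 documentation addresses and invented names), it groups names by the IP they resolved to, which surfaces alternative domains for the same server; summarises what was sent where and on which ports; flags destinations that received far more data than they returned; and measures how regular the connection interval to a destination is. The jitter and upload-ratio thresholds are assumed heuristics for the example, not settings from any tool.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS answers observed during the run: (queried name, answered IP).
DNS = [
    ("update.example.test", "203.0.113.10"),
    ("cdn-backup.example.test", "203.0.113.10"),
    ("ntp.example.org", "198.51.100.5"),
    ("login.example.test", "203.0.113.44"),
]

# Constructed connection records: (seconds since start, dst ip, dst port, bytes out, bytes in).
CONNS = [
    (0, "203.0.113.10", 443, 512, 128),
    (10, "198.51.100.5", 123, 48, 48),
    (60, "203.0.113.10", 443, 520, 130),
    (95, "203.0.113.44", 443, 40960, 300),
    (121, "203.0.113.10", 443, 511, 129),
    (180, "203.0.113.10", 443, 515, 4096),
]


def domains_by_ip(dns):
    """IP -> sorted list of names that resolved to it during the run."""
    out = defaultdict(set)
    for name, ip in dns:
        out[ip].add(name)
    return {ip: sorted(names) for ip, names in out.items()}


def alternate_domains(dns):
    """IPs reached under more than one name: candidates for backup or alternative C2 domains."""
    return {ip: names for ip, names in domains_by_ip(dns).items() if len(names) > 1}


def destination_summary(conns, dns):
    """Per destination: how much was sent and received, on which ports, under which names."""
    names = domains_by_ip(dns)
    summary = {}
    for _ts, ip, port, out_b, in_b in conns:
        d = summary.setdefault(ip, {"domains": names.get(ip, []), "ports": set(), "connections": 0,
                                    "bytes_out": 0, "bytes_in": 0})
        d["ports"].add(port)
        d["connections"] += 1
        d["bytes_out"] += out_b
        d["bytes_in"] += in_b
    return summary


def upload_heavy(summary, ratio=10):
    """Destinations that received far more than they sent back: where is data being sent? (assumed ratio)"""
    return sorted(ip for ip, d in summary.items() if d["bytes_out"] >= ratio * max(d["bytes_in"], 1))


def beacon_regularity(conns, ip, max_jitter=0.1):
    """Mean interval between connections to ip and whether it is regular enough to look like a beacon.
    Needs at least three connections; max_jitter is an assumed heuristic threshold."""
    times = sorted(ts for ts, dst, *_ in conns if dst == ip)
    if len(times) < 3:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    jitter = pstdev(gaps) / avg
    return {"mean_interval": avg, "jitter": jitter, "regular": jitter <= max_jitter}


if __name__ == "__main__":
    print("alternate domains:", alternate_domains(DNS))
    summary = destination_summary(CONNS, DNS)
    for ip, d in summary.items():
        print(ip, d)
    print("upload-heavy:", upload_heavy(summary))
    print("beacon check:", beacon_regularity(CONNS, "203.0.113.10"))
```

With real captures the records would come from the analyst's own resolver and connection logs (Wireshark's conversation statistics export is one source); the point of keeping the DNS view separate is that the same IP under several names is exactly the pattern the last bullet on the slide asks about.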

Slide 37

Capturing Network Traffic using Wireshark
• Wireshark
  – Network protocol analyzer
  – Provides detailed information about network traffic down to the packet level

Slide 38

Capturing Network Traffic - known alternative

• NetWitness Investigator or Security Analytics
  – Network protocol analyzer
  – Provides detailed information about network traffic down to the packet level

Slide 39

What we covered:
• Static Analysis
• Dynamic Analysis
• Network Analysis

Slide 40