Computer Forensics: Overview of Malware Forensics [Updated 2019]

July 6, 2019 by Irfan Shakeel

Introduction

Investigating the capabilities of malicious software enables the IT team to better assess a security incident, and may help prevent further infections. A considerable number of computer intrusions involve some variety of malicious software (malware), which somehow finds its way to the victim’s workstation or server. When performing forensics, the IT responder usually seeks to answer questions such as: What actions can the malware carry out on the system? How does it spread? How does it maintain contact with the attacker? These questions can all be answered by analyzing the malware in a controlled environment.

Malware forensics has become progressively more significant as the cybercrime community causes destruction to retail, technology and financial institutions. Cybercrime endangers governmental and private organizations alike, and malware is a frequently used tool of the cybercriminal, who installs things such as Trojans, worms and botnets on the infected device. The only way for organizations processing sensitive information to defend company and client data is to respond to malware with speed and accuracy.

Cybercriminals use different types of malware to infect users and gain credentials and access to critical and valuable information. The following list focuses on the most common, general categories of infection:

  • Adware: The least dangerous malware and, for attackers, the most beneficial when it comes to redirecting the user to the content they want shown. Adware shows ads on your computer.
  • Spyware: Spyware is software that aims to gather information about a person or organization without their knowledge, or that asserts control over a device without the consumer's knowledge.
  • Virus: A virus is an infectious program or code that appends itself to a different piece of software, and then uses the system’s resources each time the software is executed.
  • Worm: A program that replicates itself to spread to other computers and wipes out data and files on the computer. Worms destroy the operating system’s files and data files until the drive is empty.
  • Trojan: The most hazardous malware. It creates a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised.
  • Rootkit: Rootkits allow viruses and malware to “hide in plain sight” by disguising themselves as necessary files that your antivirus software will overlook. It is the hardest malware to detect and therefore to remove.
  • Backdoors: Backdoors are much the same as Trojans or worms, except that they open a “backdoor” onto a computer, providing a network connection for hackers or other malware to penetrate or send more viruses.
  • Keyloggers: Record everything you type on your PC to glean your log-in names, passwords and other sensitive information, and send it on to the source of the keylogging program.
  • Browser Hijacker: This dangerous malware redirects your regular search activity and gives you the results the developers want you to see. It intends to make money off your web surfing.
  • Ransomware: The most brutal type of malware, and the most effective at harming a victim’s data for financial gain. Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or block access to it unless a ransom is paid. Some of the most critical and famous ransomware families include GoldenEye, CryptoLocker, WannaCry, Locky, Petya, Crysis, HydraCrypt, etc.

Malware Analysis

Malware analysis is the practice of determining the functionality, source and possible impact of a given malware sample such as a virus, worm, Trojan horse, rootkit or backdoor. The rapidly growing significance of malware in digital forensics and the rising sophistication of malicious code have motivated advances in tools and techniques for performing focused analysis of malware. As more investigations rely on understanding and counteracting malware, the demand for formalization and supporting documentation has also grown, and the malware analysis process supplies both.

Malware analysis involves two fundamental techniques: static analysis and dynamic analysis.

1. Static Malware Analysis

Static analysis of malware means examining executable files without running them or stepping through the actual instructions. Static analysis can confirm whether a file is malicious, give information about its functionality, and sometimes provide information that will allow you to create simple network signatures. It is basic and can be quick, but it is mostly useless against sophisticated malware, and it can miss significant behaviors.
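A basic static triage pass of the kind described above, as an added example that is not part of the original article: it hashes a file's bytes, extracts ASCII and UTF-16LE strings, pulls out indicators, and measures entropy, which is where packed samples defeat this approach. The sample bytes, domain, IP address and pattern names are constructed for the example.

```python
import hashlib, math, re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample standing in for a suspicious file's bytes. The domain,
# IP address and command string are invented for this example.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"http://update.example.test/gate.php\x00"
    + b"192.0.2.45\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00cmd.exe /c del %s\x00"
)

PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),  # loose: also hits version numbers
    "registry": re.compile(r"Software\\[\w\\ ]+", re.I),
}

def extract_strings(data, min_len=5):
    """Printable ASCII and UTF-16LE runs, as the `strings` utility reports."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in narrow] + [s.decode("utf-16-le") for s in wide]

def shannon_entropy(data):
    """Bits per byte; values near 8 suggest packed or encrypted content."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def find_indicators(strings):
    """Group the substrings that match each indicator pattern."""
    found = {name: set() for name in PATTERNS}
    for s in strings:
        for name, pattern in PATTERNS.items():
            found[name].update(pattern.findall(s))
    return {name: sorted(hits) for name, hits in found.items()}

def triage(data):
    """Hash, entropy, indicators and host/path pairs usable as network signatures."""
    indicators = find_indicators(extract_strings(data))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(shannon_entropy(data), 2),
        "indicators": indicators,
        "signatures": [(urlsplit(u).hostname, urlsplit(u).path) for u in indicators["url"]],
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A sample whose strings are encrypted or packed returns almost no indicators and an entropy close to 8, which is the signal to move on to dynamic analysis.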

2. Dynamic Malware Analysis

Unlike static analysis, dynamic analysis executes the malware to observe its activities, understand its functionality and identify technical indicators that can be used in detection signatures. Dynamic analysis can reveal domain names, IP addresses, file path locations, registry keys and additional file locations, and can also identify communication with an attacker-controlled external server for command and control purposes or to download other malware files.
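How the indicators from a dynamic run can be turned into findings, as an added example that is not part of the original article: it groups observed events, flags registry writes to autorun locations, and marks destinations contacted at near-constant intervals as possible command and control check-ins. The event tuple layout, hosts, paths and thresholds are assumptions constructed for the example and do not follow any particular sandbox's log format.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sandbox trace: (seconds since start, event type, detail).
# Hosts, paths and keys are invented; this is not a real sandbox's format.
EVENTS = [
    (2, "file_write", r"C:\Users\lab\AppData\Roaming\svch0st.exe"),
    (3, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    (5, "dns_query", "cdn.example.test"),
]
EVENTS += [(t, "connect", "198.51.100.7:443") for t in (10, 70, 131, 190, 250)]
EVENTS += [(t, "connect", "203.0.113.9:80") for t in (40, 44, 200, 205)]

AUTORUN_MARKER = r"\currentversion\run"  # substring also covers RunOnce

def collect_indicators(events):
    """Group observed details by event type."""
    out = defaultdict(set)
    for _, kind, detail in events:
        out[kind].add(detail)
    return {kind: sorted(details) for kind, details in out.items()}

def persistence_keys(events):
    """Registry writes under autorun locations."""
    return [detail for _, kind, detail in events
            if kind == "reg_set" and AUTORUN_MARKER in detail.lower()]

def beacon_candidates(events, min_conns=4, max_jitter=0.1):
    """Destinations contacted at near-constant intervals (possible C2 check-ins)."""
    times = defaultdict(list)
    for t, kind, detail in events:
        if kind == "connect":
            times[detail].append(t)
    hits = {}
    for dest, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < max(min_conns - 1, 1):
            continue  # too few connections to judge regularity
        avg = mean(gaps)
        # Coefficient of variation: low values mean a steady timer.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[dest] = avg
    return hits

if __name__ == "__main__":
    print(collect_indicators(EVENTS))
    print(persistence_keys(EVENTS), beacon_candidates(EVENTS))
```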

Memory Forensics

Memory forensics is the analysis of volatile data in a computer’s memory dump. It is conducted by many information security professionals to examine and identify attacks or malicious behaviors that do not leave readily detectable tracks on hard drive data. Moreover, it includes investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer's hard drive.

Here are some popular memory forensics tools and frameworks that can help you conduct effective memory analysis and forensics:

Volatility

Volatility is a memory forensics framework. It is used for incident response and malware analysis. With this tool, you can extract information from running processes, network sockets, network connections, DLLs and registry hives. It also has support for extracting information from Windows crash dump files and hibernation files.

WindowsSCOPE

WindowsSCOPE is another memory forensics and reverse engineering tool used for analyzing volatile memory. It is primarily used for reverse engineering of malware. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory.

Mandiant RedLine

Mandiant RedLine is a favorite tool for memory and file analysis. It collects information about running processes on a host, drivers from memory and gathers other data like metadata, registry data, tasks, services, network information and Internet history to build a proper report.

HELIX3

HELIX3 is a live CD-based digital forensic suite created to be used in incident response. This tool can collect data from physical memory, network connections, user accounts, executing processes and services, scheduled jobs, Windows Registry, chat logs, screen captures, SAM files, applications, drivers, environment variables and Internet history. Then it analyzes and reviews the data to generate the compiled results based on reports.

Real Life Forensics

There are many reported cases of computer hacking that are prevented by applying computer forensics techniques and analyzing the victim’s machine. On one occasion Marquis-Boire and University of Toronto colleague Bill Marczak analyzed e-mails received by Bahraini activists and found a piece of spyware designed to steal information from their computers. Further studies on the spyware showed similarities with the FinFisher surveillance software that Gamma International sells to law enforcement agencies.

This shows how significantly computer forensics is being used to prevent major incidents and to analyze incidents to reveal their origin. It helps security teams block the traffic and contacts that are sending malicious and infected files.

Be aware that malware developers continue to find new ways to identify forensic techniques in order to bypass them. However, a variety of tools and techniques are available to the digital world to overcome anti-forensics measures taken by cybercriminals. Moreover, bypassing forensic techniques requires knowledge and programming skills that are beyond expectations. So, forensics has proved itself in collecting evidence by using its refined processes and techniques.

Irfan Shakeel

Irfan Shakeel is the founder & CEO of ehacking.net, and an engineer, penetration tester and security researcher. He specializes in network and VoIP penetration testing and digital forensics. He is the author of the book titled “Hacking from Scratch”. He loves to provide training and consultancy services, and works as an independent security researcher.