DF Module 3
Uploaded by Jayesh Patil
Tech-Neo Publications LLP, Sr. No. 38/1, Behind Pari Company, Khedekar Industrial Estate, Narhe, Pune-411041, Maharashtra. Website: www.techneobooks.in

Module 3: Introduction to Forensic Investigation

3.1 Analyzing Hard Drive Forensic Images, Analyzing RAM Forensic Image, Investigating Routers.
3.2 Malware Analysis - Malware, Viruses, Worms, Essential Skills and Tools for Malware Analysis, List of Malware Analysis Tools and Techniques.

Contents
3.1.1 Analyzing Hard Drive Forensic Images
      GQ. What are the various hard drive analysis techniques?
3.1.2 Analyzing RAM Forensic Image
      3.1.2(A) RAM Memory Image Creation
      3.1.2(B) Volatility Framework
3.1.3 Investigating Routers
      GQ. What are the various router investigation steps?
3.1.4 Steps Involved in the Router Investigation Process
3.2   Malware Analysis Techniques
3.2.1 Malware Analysis - Malware, Viruses, Worms
      GQ. What are the various malware analysis techniques?
3.2.2 Essential Skills and Tools for Malware Analysis
      3.2.2(A) Malware Analysis Types
      3.2.2(B) List of Malware Analysis Tools and Techniques
Chapter ends

Digital Forensics (MU-Sem.8-Comp) (Forensic Investigation) Page No. (3-2)

INTRODUCTION TO FORENSIC INVESTIGATION

This chapter introduces you to the world of Digital Forensics and highlights the response of the emergency team formed to handle any such incident.

3.1.1 Analyzing Hard Drive Forensic Images

In this section, we will study the various concepts and techniques which are used to carve out important information from a file system. This crucial information could be very helpful in finding out useful intel about the suspect.

(A) Data Carving

* Data carving is a process in which a chunk of data is searched for signatures that match the start and end of known file types. The output of this analysis process is a collection of files that contain one of the signatures.
* This technique is commonly performed on the unallocated space of a file system and allows the investigator to recover files that have no metadata structures pointing to them.

(B) Recovering Deleted Files from a Windows System using EnCase

* Both EnCase and FTK have this built-in capability, and they automatically recover any files they can. Usually you can find the deleted files that EnCase recognizes by clicking the green home plate at the top of the evidence item, then clicking the Filters option in the lower right window, and applying the "Deleted Files" filter.
  This limits the display to the deleted files.
* The other common way to find files that don't show up that way is to click on the EnScript tab in the lower right window, select the "Case Processor" and, under Information Finders, select File Finder. Then select the types of files you want to find or add your own signatures, select whatever other options you want, click OK, select the checkbox for File Finder, click OK, and you are done.

(C) Recovering Deleted Files from a Windows System using FTK

Here, the various steps for recovering a deleted file from a Windows file system are highlighted.

* Download FTK Imager Lite
* Run FTK Imager as Administrator
* Click the 'Add Evidence Item' button
* Verify Physical Drive is selected
* Select your device with the deleted file from the drop-down menu
* Navigate using the Evidence Tree pane to the location of your deleted file
* Right-click on your deleted file
* Click Export Files...
* Select a destination for your recovered file and save it
* Your file is recovered!

(New Syllabus w.e.f academic year 22-23) (M8-81) Tech-Neo Publications

(D) Recovering Deleted Files from a Linux System using "Fatback"

* Fatback works on image files as well as devices, which makes it flexible. The following command undeletes all recoverable files from an image of an evidence floppy.

    [root@localhost]# fatback -a -o undeleted -s evidencefloppy.bin
    No audit log specified, using ./fatback.log
    [root@localhost]# cd undeleted
    [root@localhost undeleted]# ls -al
    total 28
    drwxr-xr-x 2 root root  4096 Apr  9 16:37 .
    drwxr-xr-x 5 root root  4096 Apr  9 16:36 ..
    -rw-r--r-- 1 root root 20480 Apr  9       DOCUMENT.DOC

* The -a option runs Fatback in automatic undelete mode. In other words, Fatback will attempt to recover all deleted files in a given partition.
* The -o option places recovered files into the specified directory (in this case, a directory named "undeleted").
  Fatback creates subdirectories underneath the output directory that correspond to directories in the partition on which Fatback is performing a recovery.
* The -s option tells Fatback to treat the input file 'evidencefloppy.bin' as a partition, since all floppy drives have only one partition.

(E) Recovering Deleted Files from a Linux System using "Foremost"

* Foremost is a tool used to recover files based on file headers and footers. Foremost is a portable tool for data recovery. It can work on forensic image files generated by dd, SafeBack and EnCase. Foremost consults a configuration file at runtime.
* This configuration file specifies the headers and footers that Foremost is looking for, so you can choose which ones you want to look for simply by editing the foremost.conf file. The following excerpts from the "foremost.conf" file demonstrate what types of files Foremost is preconfigured to find.

(F) Recovering Unallocated Space, Free Space and Slack Space

* Operating systems arrange all the data stored on a hard drive into segments called allocation units (also called clusters). For example, an operating system that uses 32K clusters reads and writes data from a hard drive 32K at a time.
* It cannot read less than 32K of data from a hard drive, and it cannot write less than 32K at a time to the hard drive. However, very few files have the exact amount of data to occupy an entire cluster or set of clusters.
* Therefore, when an operating system that writes 32K clusters to a hard drive is asked to save a 20K Microsoft Word document, there is 12K of unused space called file slack. In our example, there may be remnants of previous files in this 12K of file slack.
* Unallocated space is the area of the hard drive not currently allocated to a file.
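The header/footer carving of sections (A) and (E) and the cluster/slack arithmetic of section (F) can be seen working together in the following added example. It is not code from the textbook or from Foremost/EnCase: the `carve`, `file_slack` and `extract_slack` functions, the signature table and the tiny disk image are all constructed here, with a 32-byte cluster standing in for the 32K cluster of the text so that a 20-byte "document" leaves exactly 12 bytes of slack.

```python
# Added example (not from the textbook): a minimal header/footer carver in the style of
# Foremost / EnCase "File Finder", plus the file-slack calculation for the cluster model
# described in section (F). The disk image below is constructed for the demonstration.

# Signatures: extension -> (header magic, footer magic). JPEG and PDF use their real magic bytes.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, signatures=SIGNATURES, max_size=1 << 20):
    """Scan raw bytes (e.g. unallocated space) for header/footer pairs.

    Returns a list of (extension, start_offset, carved_bytes) sorted by offset. A file whose
    footer is missing or too far away is cut at max_size, as Foremost does with its size limit.
    """
    found = []
    for ext, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end == -1 or end - pos > max_size:
                stop = min(pos + max_size, len(image))
            else:
                stop = end + len(footer)
            found.append((ext, pos, image[pos:stop]))
            pos = image.find(header, stop)
    return sorted(found, key=lambda f: f[1])


def file_slack(file_size: int, cluster_size: int) -> int:
    """Bytes between the end of the file and the end of its last cluster (0 if it fits exactly)."""
    remainder = file_size % cluster_size
    return 0 if remainder == 0 else cluster_size - remainder


def extract_slack(image: bytes, file_offset: int, file_size: int, cluster_size: int) -> bytes:
    """Return the slack bytes that follow a file; remnants of older data may survive there."""
    start = file_offset + file_size
    return image[start:start + file_slack(file_size, cluster_size)]


# Constructed image: one 32-byte cluster holding a 20-byte file plus 12 bytes of old data,
# then some zeroed unallocated space containing a JPEG fragment and a PDF fragment.
CLUSTER = 32
DOC = b"Quarterly report body..."[:20]          # exactly 20 bytes of live file data
OLD_REMNANT = b"OLD SECRET!!"                    # 12 bytes left behind by an earlier file
IMAGE = (
    DOC + OLD_REMNANT                            # cluster 0: file + file slack
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe0JFIF-data\xff\xd9"       # carvable JPEG (offset 40, 15 bytes)
    + b"\x00" * 5
    + b"%PDF-1.4 obj %%EOF"                      # carvable PDF (offset 60, 18 bytes)
)

if __name__ == "__main__":
    for ext, off, data in carve(IMAGE):
        print(f"{ext} at offset {off}: {len(data)} bytes")
    print("slack bytes after the 20-byte file:", file_slack(20, CLUSTER))
    print("slack content:", extract_slack(IMAGE, 0, 20, CLUSTER))
```

Running the block lists the two carved fragments and prints the 12 slack bytes; the missing-footer branch in `carve` is what keeps a single damaged header from swallowing the rest of the image.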
* Fragments of deleted files are often strewn across unallocated space on a hard drive.
* Free space is the portion of the hard drive media that is not within any currently active partitions.

3.1.2 Analyzing RAM Forensic Image

* Random Access Memory (often abbreviated as RAM) is a form of memory used in digital electronics that supports reading and writing. A program is read into a storage device before execution. For instance, a CD is copied to the RAM and then run by the processor. Because RAM has far faster transfer rates than the hard disk, accessing it is useful.
* The loss of the stored data when a computer is shut off is a drawback. When the computer is turned on, the boot process is restarted and the RAM is once again populated with libraries, drivers, and preference settings.
* Executable applications, network communication port information, operating system log files, web browsing logs, photographs, text files, and more can all be found in RAM.
* The aforementioned Volatility Order must be strictly observed in a computer forensic examination to prevent evidence loss because, as was already established, this content may be lost when the machine shuts down.

3.1.2(A) RAM Memory Image Creation

The free "DumpIt" software (http://www.downloadcrew.com/article/23854-dumpit) may be utilised for this.

Recommendation
* The image should not be written directly to the machine whose RAM will be analyzed. The software "DumpIt" must be copied and run from an external storage device (for example a flash drive, external HD or even a secure network share).

Execution
* Run the "DumpIt" software with administrator privileges.
* The software "DumpIt" will display, as below, the memory size ("Address space size"), which in the example shows 16GB of RAM; the image file generated will have approximately the same size.
* The path where the file is saved is shown in "Destination" and is the path where the program "DumpIt" is running.
* By default the file name is the hostname followed by the date of execution of the imaging process. The file is saved by default in "raw" format.
* To start the process, simply press the "Y" key. The "Processing" message indicates that the forensic memory image is being processed. The "Success" message indicates that the process was successfully completed.

Fig. 3.1.1: DumpIt Command (screenshot of the DumpIt console showing the address space size, the destination path and the prompt "Are you sure you want to continue? [y/n]")

3.1.2(B) Volatility Framework

* To show some basic examples of evidence that can be found in RAM, we will need to analyze the generated files. For this purpose we will use the Volatility Framework software. The Volatility Framework is a collection of free and open source tools for RAM analysis. It is usually used in Linux environments, and is already present in some distributions, such as Kali Linux. We will use Volatility in a Windows environment, which has no impact on the result or the commands used.

Download: http://www.volatilityfoundation.org/25

Plug-ins
* Plug-ins are modules that perform a specific function on the generated image files. As the focus is only to demonstrate some plug-ins, I suggest you read about the others (and there are many others!) at the link mentioned above.

Extracting Information

Imageinfo - displays operating system information
* This plug-in will bring the essential information for the analysis, as it identifies the profile that will be used by all other plug-ins.
Command used:

    volatility -f 20160915-125011.raw imageinfo

Fig. 3.1.2: Imageinfo Command (screenshot of the imageinfo output, including the suggested profiles and "Image local date and time : 2016-09-15 18:23:21")

* In the "Suggested Profile" line, always use the first suggestion. Here we can see that the operating system is Win7SP0x86 (Windows 7, with no service pack installed, the 32-bit version). With the profile known, we can now use the other plug-ins.

Pslist - List Processes Running

Command:

    volatility -f 20160915-125011.raw --profile=Win7SP0x86 pslist > pslist.txt

-f "filename" - The memory image to analyze.
--profile=Win7SP0x86 - Directs Volatility to use the operating system profile previously detected.
pslist - Plug-in to run.
> pslist.txt - Instruction to create a text file with the same name as the plug-in, which allows a better view and records the output for later analysis.

Fig. 3.1.3: pslist (screenshot of the process listing)

* We can see all the processes that were running at the moment of the forensic image, including the software used to take it.

Dlllist - Displays list of loaded DLLs for each process

Command:

    volatility -f 20160915-125011.raw --profile=Win7SP0x86 dlllist > dlllist.txt

-f "file name" - The memory image to analyze.
--profile=Win7SP0x86 - Directs Volatility to use the operating system profile previously detected.
dlllist - Plug-in to run.
> dlllist.txt - Instruction to create a text file with the same name as the plug-in.
* This command generates a large file, listing the executables and their DLLs in a very detailed manner, including the path of each of these DLLs. It would be useful, for example, to identify malicious files being loaded along with programs already known to the operating system.

Netscan - Displays network connections

Command:

    volatility -f 20160915-125011.raw --profile=Win7SP0x86 netscan > netscan.txt

-f "file name" - The memory image to analyze.
--profile=Win7SP0x86 - Directs Volatility to use the operating system profile previously detected.
netscan - Plug-in to run.
> netscan.txt - Instruction to create a text file with the same name as the plug-in.
* This is perhaps one of the most useful plug-ins in Volatility. It brings very important information such as the protocols, ports, IPs, and executables involved in the network communication of the machine in question. With this information we could identify possible connections to suspicious IP addresses, for example.

Dumpregistry - Extracts registry files

Command:

    volatility -f 20160915-125011.raw --profile=Win7SP0x86 dumpregistry --dump-dir c:\registry-dump

-f "file name" - The memory image to analyze.
--profile=Win7SP0x86 - Directs Volatility to use the operating system profile previously detected.
dumpregistry --dump-dir - Plug-in to run, followed by the path of the directory where the registry files will be extracted.
* Several Windows registry files will be extracted from the image, but we will work with the four main ones, described below. The SYSTEM, SOFTWARE, SAM and NTUSER registry files contain a lot of information regarding the operating system installation, installed software, credentials, user-level information such as the latest opened files, network information, etc.
Change the names of the files to the defaults below:
(1) SYSTEM.REG
(2) SOFTWARE.REG
(3) SAM.REG
(4) NTUSER.DAT

Analyzing Registry Files
* We can use the software Registry Report to create a general report with all the information found in the registry files.

Download: http://www.gaijin.at/dlregreport.php

* Click on "File", "Open registry files" and select "Import from folder", locate the previously extracted files and click "OK".

Fig. 3.1.4: Analysing registry files (screenshot of the Registry Report import dialog)

* Then again in "File" select "Create Report".

Fig. 3.1.5: Create report (screenshot of the Create Report menu entry)

* Save the report. The generated report will already bring information from those registry files.

Fig. 3.1.6: Save report (screenshot of the finished report generation)

3.1.3 Investigating Routers

* Routers are the main entry points to any network. They provide access to the internet from the intranet and vice versa, and thus they become easy targets for any attacker wanting to gain access to the internal network.
* Nowadays routers are provided with enough security, ranging from simple authentication to complex demilitarized isolation; still, attackers always win the race and stay one step ahead of the security mechanisms employed.
* As an investigator, analyzing the router is the major source of gathering enough intel on the attacker's attack signatures and modes of operation. A detailed router investigation could yield enough information about the attack to help the organization be well equipped and ready to face and block any such attack in the future.
3.1.4 Steps Involved in the Router Investigation Process

(1) Establishing a Router Connection
* Before you do anything, you'll need to establish a direct connection to the router to obtain the volatile information during the attack; otherwise, if the router is powered off, all the crucial data could simply vanish.
* The best way to access the router is from the console port. By connecting directly to the router, you are less likely to make any attacker who still has access to the network aware of your presence.
* If you use telnet to connect to the router, you would be using the same network the attacker is currently using. Doing so will alert an attacker who is already using a network sniffer to sniff the traffic, signalling that an investigation is probably underway.

(2) Recording System Time
* After establishing a connection with the router, the initial step should be to record the system time. The time will be critical when we need to cross-check other data later, and individual systems often have different time settings. Use the show clock command to get the system time.

    cisco_router>show clock
    *03:13:21.511 UTC Tue Mar 2 2003

(3) Determining Who Is Logged On
* The next step is to check the currently logged-on users.

    cisco_router>show users
        Line     User    Host(s)    Idle      Location
    *   0 con 0          idle       00:29:46
        1 vty 0          idle       00:00:00  10.0.2.71
        2 vty 1          10.0.2.18  00:00:36  172.16.1.1

* Here we can see three lines in the output. The first line indicates our own connection, con0, marked with the asterisk (*). The second line indicates a virtual terminal line, vty0, which is idle and has a source IP address of 10.0.2.71. Similarly, the last line indicates another virtual terminal line, vty1, which has a source IP address of 172.16.1.1 and is trying to make a connection with the host at 10.0.2.18. This sort of information comes in really handy, as we can see that an external IP address is trying to establish a direct connection with the internal IP. This could be an attempt to bypass the firewall.

(4) Determining the Router's Uptime
* The time that the system has been online since the last reboot can also be important. Use the show version command to capture this information.

    cisco_router>show version
    Cisco Internetwork Operating System Software
    IOS (tm) 1600 Software (C1600-Y-M), Version 11.9(6), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-1998 by cisco Systems, Inc.
    Compiled Wed 12-Aug-98 04:57 by ccai
    Image text-base: 0x02005000, data-base: 0x025C5A58

    ROM: System Bootstrap, Version 11.1(12)XA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    ROM: 1600 Software (C1600-RBOOT-R), Version 11.1(12)XA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

    cisco_router uptime is 1 day, 4 hours, 20 minutes
    System restarted by power-on
    System image file is "flash:c1600-y-mz_118-5_T.bin", booted via flash

    cisco 1605 (68360) processor (revision C) with 7680K/512K bytes of memory.
    Processor board ID 10642891, with hardware revision 00000000
    Bridging software.
    X.25 software, Version 9.0.0.
    2 Ethernet/IEEE 802.3 interface(s)
    System/IO memory with parity disabled
    8192K bytes of DRAM onboard
    System running from RAM
    ... bytes of non-volatile configuration memory.
    ...048K bytes of processor board PCMCIA flash (Read/Write)
    Configuration register is 0x2102

* A significant amount of information is available from this command. The software and hardware information will provide you with a clear picture of the capabilities of the router in question.
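The checks in step (3) above (who is logged on, and from where) and in the routing-table review of step (6) below are easy to script once the router output has been saved. The following added example is not from the textbook or from Cisco: the two parsers, the `INTERNAL_NETS` definition (the text treats 10.0.2.0/24 as the inside network and 172.16.1.1 as external), the `BASELINE_STATIC` set of approved static routes and the sample outputs are all constructed here to match the transcripts in the text.

```python
# Added example (not from the textbook): parsers for the 'show users' and 'show ip route'
# output reviewed in steps (3) and (6), with the two checks an investigator makes first:
# which vty sessions come from outside, and which static routes are not in the known-good
# configuration. Sample outputs and the baseline are constructed to match the text.
import ipaddress
import re

# The text treats 10.0.2.0/24 (Ethernet0) as the inside network and 172.16.1.1 as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Known-good static routes (prefix, next hop) recorded from the router's approved config.
BASELINE_STATIC = {("192.168.1.0/24", "172.16.1.254")}

SHOW_USERS = """\
    Line     User    Host(s)    Idle      Location
*   0 con 0          idle       00:29:46
    1 vty 0          idle       00:00:00  10.0.2.71
    2 vty 1          10.0.2.18  00:00:36  172.16.1.1
"""

SHOW_IP_ROUTE = """\
Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Ethernet1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.2.0 is directly connected, Ethernet0
S    192.168.1.0/24 [1/0] via 172.16.1.254
                    [1/0] via 172.16.1.10
"""

IDLE_RE = re.compile(r"^\d{1,2}:\d{2}:\d{2}$")   # hh:mm:ss, the idle format in the sample


def parse_show_users(text):
    """One dict per session line; the Idle column anchors the variable-width fields."""
    sessions = []
    for line in text.splitlines()[1:]:           # skip the column header
        tokens = line.split()
        if not tokens:
            continue
        current = tokens[0] == "*"               # asterisk marks the investigator's own session
        if current:
            tokens = tokens[1:]
        line_type, sub = tokens[1], tokens[2]
        rest = tokens[3:]
        idle_idx = next(i for i, t in enumerate(rest) if IDLE_RE.match(t))
        before, after = rest[:idle_idx], rest[idle_idx + 1:]
        sessions.append({
            "current": current,
            "line": f"{line_type}{sub}",
            "user": before[0] if len(before) == 2 else "",
            "host": before[-1],                  # Host(s) column, 'idle' if none
            "idle": rest[idle_idx],
            "location": after[0] if after else None,   # source address of the session
        })
    return sessions


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def review_users(sessions):
    """Flag vty sessions from outside, and note when they connect on to an inside host."""
    findings = []
    for s in sessions:
        if not s["line"].startswith("vty") or s["location"] is None:
            continue
        if not is_internal(s["location"]):
            reason = f"remote login from outside address {s['location']}"
            if s["host"] != "idle" and is_internal(s["host"]):
                reason += f", connecting on to internal host {s['host']} (possible firewall bypass)"
            findings.append((s["line"], reason))
    return findings


ROUTE_RE = re.compile(r"^([A-Z]{1,2}\*?)\s+(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+(.*)$")
NEXT_HOP_RE = re.compile(r"via\s+(\d+\.\d+\.\d+\.\d+)")


def parse_show_ip_route(text):
    """[{code, prefix, via: [next hops]}]; indented '[metric] via' lines continue a route."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            code, prefix, rest = m.groups()
            routes.append({"code": code, "prefix": prefix, "via": NEXT_HOP_RE.findall(rest)})
        elif routes and line.lstrip().startswith("["):
            routes[-1]["via"].extend(NEXT_HOP_RE.findall(line))
    return routes


def unexpected_static_routes(routes, baseline):
    """Static routes (code S) whose (prefix, next hop) pair is not in the approved baseline."""
    return [(r["prefix"], hop) for r in routes if r["code"].startswith("S")
            for hop in r["via"] if (r["prefix"], hop) not in baseline]


if __name__ == "__main__":
    for line, reason in review_users(parse_show_users(SHOW_USERS)):
        print(f"{line}: {reason}")
    for prefix, hop in unexpected_static_routes(parse_show_ip_route(SHOW_IP_ROUTE), BASELINE_STATIC):
        print(f"static route {prefix} via {hop} is not in the baseline")
```

On the sample output the script reports vty1 (172.16.1.1 reaching 10.0.2.18, the case the text calls out) and the second next hop 172.16.1.10 of the 192.168.1.0/24 static route, which is absent from the baseline. The baseline comparison is what turns "a static route appears" into an actionable finding: keep the approved static routes from the last known-good configuration and diff against them.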
(5) Determining Listening Sockets
* Routers have very little functionality and hence it is really difficult to target a router with Trojans or other similar malicious code, but routers do have some vulnerabilities, such as allowing remote login through telnet or other similar utilities. Attackers can exploit such a vulnerability and log into the router using any unattended open port. As an investigator, it is really crucial to keep checking the idle or unattended router ports periodically over time so as to make sure that no unwanted connection is established. This could be done with the use of external port scanners to determine if any remote connection is listening on any router port.

(6) Reviewing the Routing Table
* The routing table contains the blueprint of how the router forwards packets. If an attacker can manipulate the routing table, the attacker can also change where packets are sent.
* Understandably, manipulating the routing table is a primary reason for compromising a router. The routing table can be manipulated through command-line access, as well as through malicious router update packets. In either case, the routing table will reflect the changes.
* To view the routing table, use the show ip route command.

    cisco_router#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
           U - per-user static route, o - ODR

    Gateway of last resort is not set

         172.16.0.0/24 is subnetted, 1 subnets
    C       172.16.1.0 is directly connected, Ethernet1
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.0.2.0 is directly connected, Ethernet0
    S    192.168.1.0/24 [1/0] via 172.16.1.254
                        [1/0] via 172.16.1.10

* Static routes, such as the last route in the example above, are also visible within the router configuration file. If a malicious static route appears, then an attacker has manipulated the router configuration.

(7) Checking Interface Configurations
* We can always check the current interface configuration with the show ip interface command. This is really useful as it provides a lot of information about the interfaces in an easy to understand format.

(8) Viewing the ARP Cache
* Address Resolution Protocol (ARP) maps IP addresses to media access control (MAC) addresses. Unlike IP addresses (which are Network layer addresses), MAC addresses are physical addresses (layer 2 of the OSI model) and are not routed outside broadcast domains. Routers store the MAC address of any device on the local broadcast domain, along with its IP address, in the ARP cache. Packets originating on remote networks display the MAC address of the last router traversed.
* Attackers occasionally spoof IP or MAC addresses to circumvent security controls, such as access control lists (ACLs), firewall rules, or switch port assignments. Accordingly, the ARP cache can be useful when investigating attacks of these types. And since it is easy to destroy and easy to save, you might as well save the information. Use the show ip arp command to view the ARP cache.

3.2 Malware Analysis Techniques

3.2.1 Malware Analysis - Malware, Viruses, Worms

* Malicious software can be described as unwanted software that is installed on your system without your consent.
  It can attach itself to legitimate code and propagate; it can lurk in useful applications or replicate itself across the Internet. Here are some of the most common types of malware:

(1) Computer Virus
* A computer virus is a piece of code embedded in a legitimate program and is created with the ability to self-replicate, infecting other programs on a computer. Just like how humans catch a cold or flu, it can remain dormant inside the system and get activated when you least expect it.
* A computer virus is developed to spread from one host to another, and there are numerous ways your computer can catch it: through email attachments, file downloads, software installations, or unsecured links.
* These viruses can steal your data such as passwords, hack into your social media accounts or online banking accounts, and even wipe out all your data.

Types of viruses are as follows:
(a) File infectors: File infector viruses usually attach themselves to executable code, such as .exe files. The virus is installed when the code is loaded. Another version of a file infector associates itself with a file by creating a virus file with the same name, but an .exe extension. Therefore, when the file is opened, the virus code will execute.
(b) Macro viruses: These viruses infect applications such as Microsoft Word or Excel. Macro viruses attach to an application's initialization sequence. When the application is opened, the virus executes instructions before transferring control to the application. The virus replicates itself and attaches to other code in the computer system.
(c) Web scripting virus: A very sneaky virus that targets popular websites. What this virus does is overwrite code on a website and insert links that can install malware on your device.
    Web scripting viruses can steal your cookie information to post on your behalf on the infected website.
(d) System or boot-record infectors: A boot-record virus attaches to the master boot record on hard disks. When the system is started, it will look at the boot sector and load the virus into memory, where it can propagate to other disks and computers.
(e) Polymorphic viruses: These viruses conceal themselves through varying cycles of encryption and decryption. The encrypted virus and an associated mutation engine are initially decrypted by a decryption program. The virus proceeds to infect an area of code. The mutation engine then develops a new decryption routine, and the virus encrypts the mutation engine and a copy of the virus with an algorithm corresponding to the new decryption routine. The encrypted package of mutation engine and virus is attached to new code, and the process repeats. Such viruses are difficult to detect but have a high level of entropy because of the many modifications of their source code. Anti-virus software or free tools like Process Hacker can use this feature to detect them.
(f) Stealth viruses: Stealth viruses take over system functions to conceal themselves. They do this by compromising malware detection software so that the software will report an infected area as being uninfected. These viruses conceal any increase in the size of an infected file or changes to the file's date and time of last modification.
(g) Resident virus: A resident virus stores itself in your computer's memory, which allows it to infect files on your computer. This virus can interfere with your operating system, leading to file and program corruption.
(h) Multipartite virus: A type of virus that is very infectious and can easily spread on your computer system. It can infect multiple parts of a system, including memory, files, and the boot sector, which makes it difficult to contain.
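The "high level of entropy" that item (e) says tools like Process Hacker use to spot polymorphic (encrypted) code is Shannon entropy measured in bits per byte. The following added example (not from the textbook or from Process Hacker) computes it and slides a window over a buffer to locate the encrypted region; the `shannon_entropy` and `high_entropy_regions` functions, the window size, the 7.0 threshold and the sample buffers are all constructed here.

```python
# Added example (not from the textbook): Shannon entropy as the "high entropy" feature the
# text says detection tools use to spot polymorphic / encrypted code. The buffers are
# constructed; a real analysis would read the sections of a suspect executable.
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 when every byte is identical, 8.0 when all 256 values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 256, threshold: float = 7.0):
    """Return (offset, entropy) for each fixed-size window scoring at or above threshold.

    Plain code and text usually score roughly 4-6 bits/byte; packed, encrypted or compressed
    payloads approach 8. Compressed media (zip, jpeg) also scores high, so a hit is a lead
    for the analyst to examine, not proof of malware on its own.
    """
    hits = []
    for off in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


# Constructed sample "binary": readable text, then a stand-in for an encrypted blob that uses
# every byte value exactly once (a permutation of 0..255, so its entropy is exactly 8.0),
# then readable text again.
TEXT_BLOCK = (b"This program cannot be run in DOS mode. " * 7)[:256]
CIPHER_BLOCK = bytes((i * 7 + 3) % 256 for i in range(256))
SAMPLE = TEXT_BLOCK + CIPHER_BLOCK + TEXT_BLOCK

if __name__ == "__main__":
    print("text block entropy  :", round(shannon_entropy(TEXT_BLOCK), 2))
    print("cipher block entropy:", round(shannon_entropy(CIPHER_BLOCK), 2))
    print("suspect regions     :", high_entropy_regions(SAMPLE))
```

Only the middle window of `SAMPLE` is reported. In practice the window is run per section of the executable, and a high-entropy `.text` section (code should not look random) is the signal that a packer or a polymorphic decryptor is present.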
(2) Trojans
* A Trojan or Trojan horse is a program that hides in a useful program and usually has a malicious function. A major difference between viruses and Trojans is that Trojans do not self-replicate.
* In addition to launching attacks on a system, a Trojan can establish a back door that can be exploited by attackers. For example, a Trojan can be programmed to open a high-numbered port so the hacker can use it to listen and then perform an attack.
* Once installed, Trojans may perform a range of malicious actions. Many tend to contact one or more Command and Control (C2) servers across the Internet and await instructions. Since individual Trojans typically use a specific set of ports for this communication, it can be relatively simple to detect them. Moreover, other malware could potentially "take over" the Trojan, using it as a proxy for malicious action.
* In German-speaking countries, spyware used or made by the government is sometimes called govware. Govware is typically Trojan software used to intercept communications from the target computer. Some countries like Switzerland and Germany have a legal framework governing the use of such software. Examples of govware Trojans include the Swiss MiniPanzer and MegaPanzer and the German "state Trojan" nicknamed R2D2. German govware works by exploiting security gaps unknown to the general public and accessing smartphone data before it becomes encrypted via other applications.
* Due to the popularity of botnets among hackers and the availability of advertising services that permit authors to violate their users' privacy, Trojans are becoming more common. According to a survey conducted by BitDefender from January to June 2009, "Trojan-type malware is on the rise, accounting for 83% of the global malware detected in the world."
* Trojans have a relationship with worms, as they spread with the help given by worms and travel across the internet with them.

(3) Worms
* Worms differ from viruses in that they do not attach to a host file but are self-contained programs that propagate across networks and computers. Worms commonly spread through email attachments; opening the attachment activates the worm program. A typical worm exploit involves the worm sending a copy of itself to every contact in an infected computer's email address book. In addition to conducting malicious activities, a worm spreading across the internet and overloading email servers can result in denial-of-service attacks against nodes on the network.
* Example: Stuxnet was probably developed by US and Israeli intelligence forces with the intent of setting back Iran's nuclear program. It was introduced into Iran's environment through a flash drive. Because the environment was air-gapped, its creators never thought Stuxnet would escape its target's network, but it did. Once in the wild, Stuxnet spread aggressively but did little damage, since its only function was to interfere with the industrial controllers that managed the uranium enrichment process.

(4) Trapdoors
* A trap door is a kind of secret entry point into a program that allows anyone to gain access to a system without going through the usual security access procedures. Another definition of a trap door is that it is a method of bypassing normal authentication methods. Therefore it is also known as a back door.
* Trap doors are quite difficult to detect, and in order to find them the programmers or developers have to go through the components of the system. Programmers use trap doors legally to debug and test programs. Trap doors turn into threats when any dishonest programmer gains illegal access.
• Program development and software update activities should be the first focus of security measures. Operating-system controls that would govern trap doors are difficult to implement.

3.2.2 Essential Skills and Tools for Malware Analysis

• Understanding a suspicious file's or URL's behaviour and intent is the process of malware analysis. The analysis's output assists in identifying and reducing the potential hazard.

• Malware analysis primarily benefits incident responders and security analysts by:
  o Triaging occurrences pragmatically according to severity
  o Identifying and blocking occult indicators of compromise (IOCs)
  o Boosting the effectiveness of IOC notifications and warnings
  o Adding context when looking for threats

3.2.2(A) Malware Analysis Types

The analysis can be carried out in a static, dynamic, or mixed fashion.

Static Analysis

• Running the code is not necessary for simple static analysis. Instead, static analysis looks for indications of harmful intent in the file. Identifying malicious infrastructure, libraries, or packaged files may be valuable.

• To detect whether a file is malicious, technical indicators such as file names, hashes, strings containing IP addresses and domain names, and file header data can be used. In order to learn more about how the malware functions, it is also possible to monitor it without executing it using tools like network analyzers and disassemblers.

• Static analysis does not execute the code, though; therefore sophisticated malware may have hazardous runtime behaviour that can go unnoticed. A simple static analysis might not catch a file that generates a dynamic string that subsequently downloads a malicious file, for instance. Dynamic analysis has been used by businesses to gain a deeper knowledge of file behaviour.
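The static indicators listed above (hashes, strings containing IP addresses and domain names, and file header data) can be pulled from a file without running it. The Python script below is an added example, not from the book or from any of the tools it lists, that performs this first-pass triage on a constructed stand-in for a Windows executable: it computes the file hashes, checks the DOS/PE header layout, extracts printable strings and the IP addresses and domain names inside them, and measures Shannon entropy on the 0-8 scale, the packing indicator that the PeStudio discussion in 3.2.2(B) relies on. The sample bytes, the hostnames and the 7.0 packing threshold are constructed for the example.

```python
import hashlib
import math
import re
import struct


def build_sample():
    """Constructed stand-in for a suspicious executable (not a real sample):
    an 'MZ' DOS header whose e_lfanew field (offset 0x3C) points at a 'PE\\0\\0'
    signature, a few embedded strings, and a flat-distribution blob standing in
    for a packed section."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> PE header at 0x80
    body = bytearray(dos) + b"\x00" * (0x80 - len(dos))
    body += b"PE\x00\x00"
    body += b"\x00This program cannot be run in DOS mode.\x00"
    body += b"http://c2.example.invalid/gate\x00"      # constructed IOC
    body += b"198.51.100.23\x00update.example.invalid\x00"
    body += bytes(range(256)) * 4                     # every byte value equally often
    return bytes(body)


SAMPLE = build_sample()


def hashes(data):
    """The same digests PeStudio shows on load, usable for VirusTotal lookups."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def is_pe(data):
    """Header check: 'MZ' magic, and e_lfanew must point at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (off,) = struct.unpack_from("<I", data, 0x3C)
    return data[off:off + 4] == b"PE\x00\x00"


def strings(data, min_len=6):
    """Printable ASCII runs, like the strings view in PeStudio."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, data)]


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_iocs(data):
    """Network indicators found in the strings; dotted IPs are kept out of the domain list."""
    found = strings(data)
    ips = sorted({ip for s in found for ip in IPV4.findall(s)})
    domains = sorted({d for s in found for d in DOMAIN.findall(s) if not IPV4.fullmatch(d)})
    return {"ips": ips, "domains": domains}


def shannon_entropy(data):
    """Bits per byte on the 0-8 scale; values near 8 suggest packed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data, packed_threshold=7.0):
    """Combine the static checks into one report (threshold is a constructed choice)."""
    entropy = shannon_entropy(data)
    return {
        "pe": is_pe(data),
        "hashes": hashes(data),
        "iocs": extract_iocs(data),
        "entropy": round(entropy, 2),
        "likely_packed": entropy >= packed_threshold,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Whole-file entropy is a coarse signal: a packer usually leaves a small low-entropy stub around a high-entropy body, so production tools such as PeStudio report entropy per section as well as for the file. The same functions can be run over each section's bytes once the section table has been parsed.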
Dynamic Analysis

• In a sandbox, a secure environment, suspected dangerous code is executed during dynamic malware analysis. Security experts may observe the virus in operation thanks to this closed system without having to worry about it getting on their computers or leaking into the company network.

• Deeper visibility made possible by dynamic analysis gives threat researchers and incident responders the ability to identify a threat's genuine nature. Automated sandboxing also saves time by avoiding the need to reverse engineer a file in order to find dangerous code.

• The problem with dynamic analysis is that since adversaries are knowledgeable and aware that sandboxes exist, they have gotten quite effective at spotting them.

Hybrid Analysis

• Complex malicious code can occasionally evade detection by sandbox technology, and simple static analysis is not a reliable method of detecting it either. Hybrid analysis, which combines static and dynamic analysis techniques, gives security teams the best of both worlds.

• This is mainly due to the fact that it can find malicious code that is trying to hide and then extract a large number of indicators of compromise (IOCs) by statically analysing previously unknown code. Even the most sophisticated malware threats can be found through hybrid analysis.

• For instance, hybrid analysis applies static analysis to data produced by behavioural analysis, such as when malicious code executes and causes changes in memory.

3.2.2(B) List of Malware Analysis Tools and Techniques

There are a number of tools that can help security analysts reverse engineer malware samples. The good news is that all the malware analysis tools I use are completely free and open source. We will look into a few of the most popular malware analysis tools (in no particular order).
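Dynamic analysis yields event data (processes started, files written, registry keys set, connections opened) rather than file data, and the tools listed in this section present that data in different ways. The Python script below is an added example, not from the book or from any of those tools, showing the kind of processing an analyst does on such a capture: it parses a constructed ProcMon-style CSV export (ProcMon records process creation and registry changes, and ProcDot ingests this format), rebuilds each process's parent/child lineage, flags a system-binary name running from a user-writable folder (the copy-and-rename hiding behaviour described under Process Hacker), and lists registry writes to Run keys (the persistence that Autoruns surfaces). Column names, PIDs, paths and addresses are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed ProcMon-style export (not from a real capture).  Real exports carry
# more columns; only the ones used here are kept.
SAMPLE_CSV = """\
Time,PID,PPID,Process Name,Operation,Path
09:00:01,4120,980,WINWORD.EXE,Process Create,C:\\Program Files\\Microsoft Office\\WINWORD.EXE
09:00:05,5208,4120,powershell.exe,Process Create,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
09:00:09,5208,4120,powershell.exe,WriteFile,C:\\Users\\analyst\\AppData\\Local\\Temp\\svchost.exe
09:00:10,6012,5208,svchost.exe,Process Create,C:\\Users\\analyst\\AppData\\Local\\Temp\\svchost.exe
09:00:11,6012,5208,svchost.exe,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
09:00:12,6012,5208,svchost.exe,TCP Connect,198.51.100.7:4444
"""

# Folders an unprivileged user can write to; a system binary has no business there.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
# Names malware borrows so that it blends into the process list.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
# Registry locations that make a program start with the user's session.
PERSISTENCE_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def parse_events(text):
    """Rows as dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def process_tree(events):
    """Map each created PID to (name, path, ppid) and build parent -> children."""
    procs, children = {}, defaultdict(list)
    for e in events:
        if e["Operation"] == "Process Create":
            procs[e["PID"]] = (e["Process Name"], e["Path"], e["PPID"])
            children[e["PPID"]].append(e["PID"])
    return procs, children


def lineage(procs, pid):
    """Follow parent links up to the first PID not seen in the capture."""
    chain = []
    while pid in procs:
        name, _, ppid = procs[pid]
        chain.append(name)
        pid = ppid
    return list(reversed(chain))


def suspicious_processes(procs):
    """A well-known system name executing from a user-writable folder."""
    hits = []
    for pid, (name, path, _) in procs.items():
        low = path.lower()
        if name.lower() in SYSTEM_NAMES and any(d in low for d in USER_WRITABLE):
            hits.append((pid, name, path))
    return hits


def persistence_writes(events):
    """Registry writes to Run / RunOnce keys, i.e. new autostart entries."""
    return [(e["PID"], e["Path"]) for e in events
            if e["Operation"] == "RegSetValue"
            and any(k in e["Path"].lower() for k in PERSISTENCE_KEYS)]


if __name__ == "__main__":
    events = parse_events(SAMPLE_CSV)
    procs, children = process_tree(events)
    for pid, name, path in suspicious_processes(procs):
        print("suspicious:", " -> ".join(lineage(procs, pid)), "from", path)
    for pid, key in persistence_writes(events):
        print("persistence:", pid, key)
```

Reading the lineage back (a Word document spawning PowerShell, which drops and runs a binary) is exactly what the parent/child view in Process Hacker or the process tree in ProcMon gives an analyst at a glance; the script just makes the three questions (who started it, where from, what did it persist) answerable over a large capture without manual filtering.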
(1) PeStudio

• This is an excellent tool for conducting an initial triage of a malware sample and allows me to quickly pull out any suspicious artifacts. Once a binary has been loaded it will quickly provide the user with hashes of the malware and any detections found in VirusTotal.

• A list of strings is also pulled; however, if the sample is packed this may not return any strong IOCs. Unpacking the sample and then reviewing the strings will often provide useful information such as malicious domains and IP addresses.

• The PeStudio screenshot (Fig. 3.2.1) also shows the 'entropy' of the malware. This helps identify whether the malware is packed or not. When a sample is packed this means the malware author has effectively put a layer of code around the malware in order to obfuscate its true functionality and prevent analysis of the malware.

• To assist with identifying packed malware PeStudio displays the level of entropy of the file. Entropy is measured on a scale of 0-8, with 8 being the highest level of entropy. The higher the entropy the more likely that a piece of malware is packed.

Fig. 3.2.1 : Malware Tool PeStudio

(2) Process Hacker

• Process Hacker allows a malware analyst to see what processes are running on a device. This can be useful when detonating a piece of malware to see what new processes are created by the malware and where these are being run from on disk.

• Malware will often try to hide by copying itself to a new location and then renaming itself. Process Hacker will display this activity occurring, making it easy to identify how the malware is attempting to hide. This tool is also useful for pulling information from the memory of a process.
• This means that if a piece of malware is detonated then Process Hacker can be used to inspect the memory for strings; the strings found in memory will often return useful information such as IP addresses, domains, and user agents that are being used by the malware.

Fig. 3.2.2 : Malware Tool Process Hacker

(3) Process Monitor (ProcMon)

• Microsoft's ProcMon is a potent tool that records real-time filesystem activity, including the creation of processes and registry changes. When combined with Process Hacker, this is really useful because a new process can be started, immediately killed, and then examined in the ProcMon capture.

• An analyst can rapidly determine what processes were started, where the executable was executed from, and the parent/child dependencies by using the prebuilt filters or process tree.

• When examining malicious documents, ProcMon can be especially helpful. Malicious Word documents are frequently used as attack vectors by the threat actors behind Emotet. When activated, the Word document's macros will connect to the attacker's C2 infrastructure and download the Emotet payload.

Fig. 3.2.3 : Process Monitor ProcMon Tool

(4) ProcDot

• A malware analyst can use ProcDot to automatically create a graphical representation of the data they have collected by ingesting the output from ProcMon.

Fig. 3.2.4 : Malware Analysis ProcDot

• Simply import the CSV into ProcDot and choose the malware's process name. You may now traverse a visual diagram of the recorded virus activity rather than defining filters and sorting through millions of occurrences.
• Additionally, ProcMon data can be improved by feeding a pcap into ProcDot from a programme like Wireshark.

(5) Autoruns

• Another Microsoft tool called Autoruns will show you any installed applications that are set to execute as soon as a computer is turned on. Malware can conceal itself, but in the end it must operate, and in order to survive a reboot, it needs to develop a persistence mechanism. There are a number of methods that can be used to accomplish this goal, including scheduling a job or adding specific run keys to the registry.

• Running Autoruns after a piece of malware has been executed in a virtual machine will find and highlight any new persistent software and the technique it has used, making it the perfect tool for malware analysis.

(6) Fiddler

• When communicating with its C2 servers to download further malware or exfiltrate data, malware frequently uses HTTP/HTTPS. This traffic can be observed and studied using a tool that serves as a web proxy, like Fiddler. Running Fiddler enables a malware analyst to locate the sites that are hardcoded into the document and will be used to download the hosted malware. This can be useful when analysing a malicious document that uses macros to download a dangerous payload.

• You can see how Fiddler was able to capture a malicious Word document trying to download Emotet from a number of domains hosting the malware in the sample above. If the first attempt is unsuccessful, it then moves on to the next hardcoded domain.

Fig. 3.2.6 : Fiddler Tool

(7) x64dbg

• All of the tools we've covered so far can be utilised by newcomers exploring malware analysis for the first time. The steep learning curve for malware analysis begins with x64dbg.
• This tool is used for manually debugging and reverse engineering malware samples; to use it, you must have a working knowledge of assembly code, but once you have it, it enables a malware analyst to manually unpack and dissect malware samples like a surgeon using a scalpel.

• When you know how to use x64dbg, you may concentrate on particular functions and imported API calls of a sample and start to analyse how the virus actually acts.

Fig. 3.2.7 : x64dbg Tool

(8) Ghidra

• Ghidra, which is more of a disassembler than a debugger, was created by the National Security Agency (NSA). Ghidra allows you to browse assembly code functions similarly to x64dbg, but the main distinction is that the code is disassembled rather than executed so that it can be statically studied.

• Ghidra will attempt to decompile the code into a human-readable output that is similar to what the malware creator will have written while generating the malware, which is another important distinction from x64dbg. Given the variables and instructions that go into each function, this can frequently make it simpler for a malware researcher to reverse engineer the infection.

Fig. 3.2.8 : Ghidra Tool

1. What are the various hard drive analysis techniques?
2. What are the various router investigation steps?
3. What are the various malware analysis techniques?

Chapter Ends...
