CBS223 - Digital Forensics and Analysis

WEEK 4 - MALWARE FORENSICS

1.1. Malware Forensics and Analysis

Malware forensics and analysis is a critical discipline within digital forensics that
focuses on detecting, identifying, and analyzing malicious software (malware) to
understand its behavior, purpose, and impact on compromised systems. As cyber
threats evolve, the need for sophisticated techniques to investigate and mitigate
malware attacks becomes increasingly important. This discussion covers key
aspects of malware forensics, including the different types of malware,
techniques for identification and analysis, behavioral analysis in sandbox
environments, reverse engineering, and case studies of major malware incidents.

1.2. Understanding Different Types of Malware

Malware, short for malicious software, refers to any software designed to
disrupt, damage, or gain unauthorized access to computer systems.
Understanding the various types of malware is foundational to malware
forensics.

1. Viruses:

A virus is a type of malware that attaches itself to a legitimate program or file
and spreads when the infected program is executed. Viruses can corrupt data,
steal information, or create backdoors for further attacks. Unlike worms, viruses
require user action to propagate.

2. Worms:

Worms are self-replicating malware that spread independently across networks,
exploiting vulnerabilities in operating systems or applications. They can cause
extensive damage by consuming bandwidth, overloading servers, or dropping
other malicious payloads.

3. Trojans:

Trojans are malware disguised as legitimate software. Once executed, they can
create backdoors, steal data, or install additional malware. Unlike viruses and
worms, Trojans do not replicate themselves.

Prepared By Muhammad Ubale Kiru 1

4. Ransomware:

Ransomware encrypts a victim’s files or locks their system, demanding payment
(usually in cryptocurrency) for the decryption key. Ransomware attacks can
paralyze businesses, leading to significant financial losses.

1.3. Techniques for Malware Identification and Analysis

Malware identification and analysis are foundational to understanding the intent,
functionality, and potential impact of malicious software. These techniques can
be broadly categorized into two main approaches: static analysis and dynamic
analysis. Both methods are crucial in dissecting malware to reveal its inner
workings, though they differ significantly in how they operate and the insights
they provide.

1. Static Analysis

Static analysis involves examining the malware’s code without executing it. This
approach is often the first step in malware analysis, as it allows analysts to
gather information about the malware's structure and intent without the risk of
running potentially harmful code. Static analysis is essential for understanding
how the malware is constructed, what it aims to do, and how it might behave
once executed.

a. Binary and Executable Inspection:

The first step in static analysis is to inspect the malware’s binary file. Tools like
PEiD, Exeinfo PE, or Detect It Easy (DIE) are used to determine the file type,
compiler used, and whether the file is packed or obfuscated. This information
helps analysts understand the nature of the malware and its complexity.

b. String Analysis:

By extracting and analyzing strings (sequences of readable text) from the binary,
analysts can gain insights into the malware’s functionality. Strings can reveal
filenames, URLs, IP addresses, commands, error messages, and other potentially
revealing information embedded in the code. Tools like `strings` (a command-line
utility) or BinText are commonly used for this purpose.
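The string extraction described above, as an added example that is not part of these lecture notes: a small Python extractor that pulls printable runs out of a binary in both ASCII and UTF-16LE (the encoding Windows binaries commonly use, which the plain `strings` utility misses unless told to look for wide strings) and sorts them into the indicator classes an analyst checks first. The `SAMPLE_BINARY` blob, its `.example` hostname, path, registry key and 192.168.56.101 address are all constructed for the example; the category patterns are a rough first pass, not a complete classifier.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "binary": printable strings in ASCII and UTF-16LE scattered
# among non-printable bytes. This is not a real malware sample; every value
# (hostname, path, registry key, address) is made up for the example.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"http://update-check.example/cfg.bin\x00"
    + b"\x01\x02\x03"
    + b"C:\\Users\\Public\\svchost32.exe\x00"
    + b"Mozilla/5.0 (Windows NT 10.0)\x00"
    + b"\x00\xff\xfe"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00\x7f\x10"
    + b"192.168.56.101\x00"
    + b"ab\x00"  # shorter than the minimum length, so it is dropped
)

# Rough indicator classes an analyst looks for first in a strings dump.
CATEGORY_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("url", re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("path", re.compile(r"^[A-Za-z]:\\")),
    ("registry", re.compile(r"^(?:HK(?:LM|CU|CR|U)|HKEY_[A-Z_]+|Software\\)", re.I)),
]


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[str, str]]:
    """Return (encoding, text) pairs for every printable run of at least
    min_len characters: ASCII runs first, then UTF-16LE runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf-16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return found


def classify_string(text: str) -> str:
    """First matching indicator class, or 'other' for everything else."""
    for name, pattern in CATEGORY_PATTERNS:
        if pattern.search(text):
            return name
    return "other"


def triage(data: bytes, min_len: int = 4) -> Dict[str, List[str]]:
    """Group the extracted strings by indicator class for quick review."""
    groups: Dict[str, List[str]] = {name: [] for name, _ in CATEGORY_PATTERNS}
    groups["other"] = []
    for _, text in extract_strings(data, min_len):
        groups[classify_string(text)].append(text)
    return groups


if __name__ == "__main__":
    for category, items in triage(SAMPLE_BINARY).items():
        for item in items:
            print(f"{category:9} {item}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; raising `min_len` cuts down the noise from short accidental runs in code and data sections.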

c. Disassembly:

Disassembly converts the malware’s binary code into assembly language, which
is a human-readable format that represents the low-level instructions the
malware will execute. Tools like IDA Pro and Ghidra are used to disassemble the
malware. This step allows analysts to trace the execution flow, understand the
malware's logic, and identify key functions and system calls.

d. Analyzing File Headers and Metadata:

Malware executables often contain headers and metadata that provide additional
information about the file. This includes details about the file’s origin, the
compilation date, and embedded resources. Analyzing this metadata can help
determine if the malware is part of a known family or if it contains signatures
that match previously identified threats.

e. Identifying Embedded Resources:

Malware may contain embedded resources such as images, other executables, or
configuration files. Extracting and analyzing these resources can provide clues
about the malware’s purpose or additional payloads it may deliver.

f. Obfuscation Detection and Unpacking:

Malware authors often use obfuscation techniques to hide the true intent of their
code. This can include packing the malware (compressing and encrypting the
code) to make static analysis more difficult. Analysts may use tools like UPX,
OllyDbg, or x64dbg to unpack and deobfuscate the malware, revealing its original
code for further analysis.
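Header inspection (step d) and packing detection (step f) can be demonstrated together. The Python below is an added example, not code from the lecture notes or from any of the tools named above: it reads the PE header fields that static tools report (machine type, compile timestamp, characteristics flags, section table) and then applies the usual packing heuristics to each section, namely a known packer section name, a Shannon entropy near 8 bits per byte (compressed or encrypted content), or a section that reserves memory but carries no raw data. `build_sample_pe` constructs a minimal, non-functional PE image with a fixed timestamp and a random-filled section named `UPX1` purely so the example can run offline; the optional header is left out (size 0), which a real file would never do.

```python
import math
import random
import struct
from datetime import datetime, timezone
from typing import Dict, List

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x86-64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}
CHARACTERISTIC_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
# Section names commonly left behind by packers (UPX is the textbook case).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".vmp0", ".vmp1"}
COFF_HEADER = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, SymTab ptr, NumSymbols, OptHdrSize, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> Dict:
    """Read the DOS header pointer, PE signature, COFF header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff_off = e_lfanew + 4
    machine, n_sections, timestamp, _, _, opt_size, flags = struct.unpack_from(COFF_HEADER, data, coff_off)
    sec_off = coff_off + struct.calcsize(COFF_HEADER) + opt_size  # skip the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, _, rsize, rptr, _, _, _, _, _ = struct.unpack_from(SECTION_HEADER, data, sec_off + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "characteristics": [n for bit, n in CHARACTERISTIC_FLAGS.items() if flags & bit],
        "sections": sections,
    }


def packing_indicators(info: Dict) -> List[str]:
    """Heuristic reasons to suspect the file is packed, one string per hit."""
    reasons = []
    for s in info["sections"]:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            reasons.append(f"{s['name']}: known packer section name")
        if s["entropy"] > 7.0:
            reasons.append(f"{s['name']}: high entropy ({s['entropy']})")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"{s['name']}: no raw data but {s['virtual_size']} bytes reserved (unpack target)")
    return reasons


def build_sample_pe() -> bytes:
    """Constructed minimal PE for the example: a low-entropy .text section and a
    random-filled UPX1 section. Not a real or runnable binary."""
    rng = random.Random(20240101)
    text_data = b"\x90" * 1024 + bytes(range(16)) * 8
    packed_data = bytes(rng.getrandbits(8) for _ in range(2048))
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack(COFF_HEADER, 0x014C, 2, 1700000000, 0, 0, 0, 0x0102)
    data_start = 0x40 + 4 + struct.calcsize(COFF_HEADER) + 2 * 40
    text_hdr = struct.pack(SECTION_HEADER, b".text", len(text_data), 0x1000, len(text_data), data_start, 0, 0, 0, 0, 0x60000020)
    upx_hdr = struct.pack(SECTION_HEADER, b"UPX1", len(packed_data), 0x2000, len(packed_data), data_start + len(text_data), 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + text_hdr + upx_hdr + text_data + packed_data


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine"], info["compiled"].isoformat(), info["characteristics"])
    for s in info["sections"]:
        print(f"  {s['name']:8} raw={s['raw_size']:6} virt={s['virtual_size']:6} entropy={s['entropy']}")
    print("packing indicators:", packing_indicators(info))
```

The compile timestamp is worth reading with some scepticism: it is a plain field in the header and is trivially edited, so it is corroborating evidence, not proof of when a sample was built.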

2. Dynamic Analysis

Dynamic analysis, also known as behavioral analysis, involves executing the
malware in a controlled environment to observe its behavior in real-time. This
approach provides direct insights into what the malware does when it runs,
including its interactions with the file system, network, registry, and operating
system processes. Dynamic analysis is particularly useful for understanding
complex or obfuscated malware that may not reveal much through static analysis
alone.

a. Sandboxing:

A sandbox is a virtual environment designed to safely execute and observe
malware. The sandbox mimics a real system but is isolated to prevent the
malware from causing harm. Analysts can observe how the malware behaves,
including the processes it spawns, files it creates or modifies, registry changes,
and network communications.

- Tools: Cuckoo Sandbox, Any.Run, VMRay.

b. Monitoring Network Activity:

During dynamic analysis, the malware’s network activity is closely monitored.
This includes tracking connections to external servers, data exfiltration attempts,
and communications with command-and-control (C2) servers. Tools like
Wireshark or Fiddler can capture and analyze network traffic, revealing the
malware's external communication patterns and possibly the location of the
attackers’ infrastructure.

c. File System and Registry Monitoring:

Malware often interacts with the file system and registry to achieve persistence,
spread, or carry out its payload. Dynamic analysis tools monitor these
interactions, recording any new files created, modifications to existing files, or
changes to the Windows Registry (for Windows-based malware). This helps in
understanding the malware’s impact on the infected system.

- Tools: Process Monitor (ProcMon), Regshot.

d. Process Monitoring:

Analyzing the processes that the malware creates, terminates, or injects code
into provides insights into its execution flow. By monitoring processes, analysts
can determine how the malware loads into memory, what dependencies it
requires, and how it interacts with other system processes. Tools like Process
Explorer or Process Monitor are useful for this purpose.

e. API Call Tracing:

API calls made by the malware are recorded and analyzed to understand how it
interacts with the operating system. This can reveal the malware’s attempts to
manipulate files, initiate network connections, or modify system settings. Tools
like API Monitor or Sysinternals Suite are used to trace and analyze these calls.

- Key Insights: Identifying specific API calls can reveal the malware's intentions,
such as attempts to access sensitive data, bypass security mechanisms, or
perform privilege escalation.
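Sandboxes and the monitoring steps above (network, file system and registry, process creation, API-level tracing) all come down to event logs that an analyst has to reduce to findings. The Python below is an added example, not material from the lecture notes or from ProcMon itself: it reads a constructed ProcMon-style CSV export (the column names are ProcMon's; every row, process name, PID, path and the 203.0.113.25 address are made up), follows the sample process and any child it spawns, and reports Run-key persistence, executables dropped into user-writable locations, outbound connections and child processes. Treating `sample.exe` as the root process and the specific registry and path patterns as "interesting" are assumptions of the example.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed ProcMon-style CSV export (ProcMon's own column names; every row,
# process name, PID, path and address below is made up for the example).
PROCMON_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","CreateFile","C:\Users\Public\svchost32.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.3","sample.exe","4120","WriteFile","C:\Users\Public\svchost32.exe","SUCCESS","Offset: 0, Length: 204800"
"10:01:02.9","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\Public\svchost32.exe"
"10:01:03.2","sample.exe","4120","TCP Connect","host-a:49712 -> 203.0.113.25:443","SUCCESS","Length: 0"
"10:01:03.5","sample.exe","4120","Process Create","C:\Users\Public\svchost32.exe","SUCCESS","PID: 5220, Command line: C:\Users\Public\svchost32.exe"
"10:01:04.0","explorer.exe","1644","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:01:04.4","svchost32.exe","5220","CreateFile","C:\Users\Public\Documents\report.docx","SUCCESS","Desired Access: Generic Read"
""".lstrip()

# Patterns for the events worth reporting (assumptions of this example).
PERSISTENCE_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.I)
USER_WRITABLE = re.compile(r"^C:\\Users\\(?:Public|[^\\]+\\AppData)\\|\\Temp\\", re.I)
EXECUTABLE_EXT = re.compile(r"\.(?:exe|dll|scr|ps1|vbs|bat)$", re.I)
CHILD_PID = re.compile(r"PID:\s*(\d+)")


def parse_procmon_csv(text: str) -> List[Dict[str, str]]:
    """One dict per event row, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows: List[Dict[str, str]], root_process: str = "sample.exe") -> Dict[str, List[str]]:
    """Follow the sample and every process it spawns; collect the events that
    belong in the report (persistence, dropped executables, network, children)."""
    tracked = {r["PID"] for r in rows if r["Process Name"].lower() == root_process.lower()}
    findings: Dict[str, List[str]] = {"persistence": [], "dropped_files": [], "network": [], "child_processes": []}
    for r in rows:
        if r["PID"] not in tracked:
            continue  # unrelated system noise (explorer.exe etc.)
        op, path, detail = r["Operation"], r["Path"], r["Detail"]
        if op == "RegSetValue" and PERSISTENCE_KEY.search(path):
            findings["persistence"].append(f"{path} <- {detail}")
        elif op == "WriteFile" and EXECUTABLE_EXT.search(path) and USER_WRITABLE.search(path):
            findings["dropped_files"].append(path)
        elif op in ("TCP Connect", "UDP Send"):
            findings["network"].append(path.split("->")[-1].strip())  # remote endpoint
        elif op == "Process Create":
            findings["child_processes"].append(path)
            m = CHILD_PID.search(detail)
            if m:
                tracked.add(m.group(1))  # follow the child from here on
    return findings


if __name__ == "__main__":
    for kind, items in triage(parse_procmon_csv(PROCMON_CSV)).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The PID-following step is what separates a useful report from a noisy one: persistence written by the dropped child rather than by the original sample would otherwise be filtered out along with the genuine background activity.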

1.4. Analysis Tools for Static and Dynamic Malware Analysis

Malware analysis involves a range of tools designed to extract, interpret, and
understand the behavior of malicious software. These tools are broadly
categorized into static and dynamic analysis tools, each serving distinct roles in
the investigative process. Below is an in-depth discussion of key tools used in
both static and dynamic malware analysis.

1. Static Analysis Tools

Static analysis tools focus on examining the code and structure of the malware
without executing it. These tools are essential for understanding the malware’s
design, identifying embedded threats, and predicting potential behavior.

a. IDA Pro (Interactive Disassembler)

- Purpose: Disassembly and decompilation of binary files into assembly
language, making it easier to analyze the malware’s code.

- Features: IDA Pro provides an interactive disassembler and debugger that
supports various architectures. It offers a detailed control flow graph, allowing
analysts to trace execution paths and understand how the malware is
structured.

- Usage: IDA Pro is widely used for reverse engineering malware, particularly
for unpacking and deobfuscating complex samples.

2. Dynamic Analysis Tools

Dynamic analysis tools are designed to observe and analyze the behavior of
malware while it is executed in a controlled environment. These tools provide
real-time insights into how malware interacts with the system, the network, and
other components.

a. Cuckoo Sandbox

- Purpose: Automated malware analysis in an isolated environment.

- Features: Cuckoo Sandbox is an open-source tool that allows malware to be
executed in a virtualized environment while monitoring its behavior. It captures
system calls, file operations, network traffic, memory dumps, and screenshots of
the malware’s activity.

- Usage: Cuckoo Sandbox is used for analyzing unknown samples to understand
their behavior, including network interactions and system modifications.

b. Process Monitor (ProcMon)

- Purpose: Monitoring real-time file system, registry, and process/thread
activity.

- Features: ProcMon is a Windows tool that logs all file and registry activity as
well as process and thread creation or termination. It provides a detailed view of
what the malware is doing on the system during execution.
- Usage: ProcMon is used to trace how malware interacts with the file system
and registry, helping analysts understand how it achieves persistence,
manipulates files, or alters system configurations.
