Malware Forensics
Begin Project 2
In the prior project, you used network forensics to write an incident report detailing how you captured, recorded, and analyzed events that occurred on a network. Based on this analysis, you determined that there has been a breach of the network.
Gathering this information is only the first step. Next, you must use the network forensic evidence you gathered to understand how the attack was conducted to better understand exactly what took place during the attack. There are several ways to identify the source of attacks. One of the challenges with network forensics is making sense of the data, which often comes from multiple sources, not to mention the fact that incidents of interest may occur at different times.
In this project, you will analyze suspicious software in a virtualized environment to determine whether the code is in fact malware.
The final report will summarize how you used your knowledge and skills in malware forensics to analyze the attack and determine what occurred and when. It will also offer recommendations on ways to improve the organization’s defense posture and response.
Step 1: Collect Evidence From the Forensic Image
As you learned in your exploration of digital forensic response and analysis, one way to analyze the data is by visual analysis, which allows information from a variety of sources to be assimilated and inspected in ways that are possible only with this integration.
Often in visual analysis, computing power is used to process raw data into graphics, which are meant to reveal patterns or relationships in the data when viewed by a human. This raw data can include logs and records that have different formats, as well as media files.
Filtering and linkage techniques, as well as the use of a timeline, can provide a more complete picture of a situation that may be difficult or impossible to conceptualize without visual analysis techniques. In determining next steps, you recall that effective analysis of data includes metrics based on pattern-matching algorithms. By comparison, other techniques like statistical analysis rely primarily on numerical measures derived from the data and incorporated into tree maps.
Graphics produced for visual analysis may rely on color, shape, size, location, and relationships to represent aspects of the underlying data. Visual analysis for data analytics should not be confused with visual analysis for artwork, which is the study of the formal elements and other aspects of a work of art.
Visual analysis is one technique used in digital forensics for analysis. For the current investigation, though, you first need to determine what you are dealing with. Is it malware?
After reviewing the network attack and the possible approach taken by the attacker, you suspect malware was used. Integrating reverse engineering techniques with malware analysis techniques can shed light on network vulnerabilities and how the malware code executed. These malware analysis tools and environments are run against a live network or, preferably, against captured network traffic, as in this particular incident.
You know from the recent meeting with your boss that Special Agent Michael Jones of the UMGC Investigation Bureau imaged the compromised host disk and made a working copy of the image files. The evidence was checked into the evidence room and all examinations were conducted on the working copy.
You will use your VM lab tools to analyze the suspect image for malware. In the VM lab, you will investigate the back door, indicators, hidden rootkit, and file systems. As you work through this analysis, keep in mind malware trends, including malware obfuscation and other techniques used to protect malware.
Step 2: Analyze Evidence Collected from Image and Write Lab Report
In the previous step, you conducted an analysis of a network attack using EnCase with the compromised host disk image. Now, you will report on the results of the lab exercise and document them following the Guidelines for Digital Forensics Examiner Reports, but this time, you will apply these guidelines using the UMGC Digital Evidence Forensic Report Template. See an example of this template in use. As you progress in your career, you will probably use many different templates; this is a chance to build that skill.
Keep in mind that you will incorporate this lab report into the Final Incident Response Report for the last step.
This comprehensive report will provide Yvonne and other leaders in the organization with an understanding of how this particular attack happened and what exposures were compromised. They will need an overview of how the organization’s security team responds to security incidents. Use screenshots and other communication techniques to convey technical concepts to a less tech-oriented audience.
Step 3: Analyze Malware
Your analysis in EnCase indicates that malware was indeed used in the attack. With this in mind, the next step is to determine the source of the malware. As a digital forensics investigator, you know that email is one of the most prevalent methods for transporting malware into and throughout a network infrastructure.
Special Agent Jones thinks he has tracked the malware down to a foreign national graduate student from Florida East-Central University. SA Jones indicated that he has probable cause to believe the software was being used for illegal purposes. He provided Yvonne with two files recovered from the student’s computer for analysis, and they are relying upon our knowledge and skills to identify specifically what the software does and how it works.
Analyze the malware file(s) in accordance with the instructions in the box below. Conduct a static analysis of the files. Report the procedures you used and the results. Identify potential civil or criminal problems created by the use of malware.
You are to conduct your analysis using a virtual machine (VM) only. Do not download the file to any other computer, as it may contain malware. Whenever you analyze malware, make sure the computer or VM you use is configured for a host-only network after you download the file to your VM. This is good incident response and forensic practice, as you do not know what the software will do once executed.
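The static analysis called for above never runs the sample; it inspects the bytes on disk. The following script is an added example written for this project description, not part of the course materials or of any named tool. It works on a constructed byte string (labelled as such in the code, not real malware) and assumes a hypothetical analysis VM with a stock Python 3 interpreter. It records the evidence you would put in the lab report: file size, hashes (to prove the working copy is unchanged), the container type from magic bytes, byte entropy as a hint of packing or obfuscation, printable strings, and any URLs, IPv4 addresses, or well-known Windows API names found in those strings that the report should explain.

```python
"""Offline static triage of a suspicious file inside an analysis VM.

Hypothetical helper for this project; it is not course material. It never
executes the sample. It hashes the bytes, identifies the container type from
magic bytes, measures byte entropy (values near 8 suggest packing or
encryption), pulls printable strings, and pattern-matches those strings for
network indicators and API names worth discussing in the report.
"""
import hashlib
import math
import re
from collections import Counter

# Constructed sample bytes for demonstration only (NOT real malware): a
# DOS/PE-style "MZ" header, some filler, and a handful of embedded strings.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x01\x02\x03"
    + b"http://example.invalid/update.bin\x00"
    + b"\xff\xfe"
    + b"192.0.2.10\x00"
    + b"CreateRemoteThread\x00"
    + b"short\x00"  # too short to survive the string filter below
)

# Magic-byte signatures for common containers (illustrative, not exhaustive).
MAGIC = {
    b"MZ": "DOS/PE executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container (also DOCX/XLSX/JAR/APK)",
}

# Imported API names whose presence the report should explain (process
# injection, downloading, shell execution). Illustrative watchlist only.
API_WATCHLIST = {
    "CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory",
    "WinExec", "ShellExecuteA", "URLDownloadToFileA", "InternetOpenUrlA",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def identify_type(data: bytes) -> str:
    """Return a container name based on leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def compute_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the bytes, for chain-of-custody notes."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 means near-random (packed or encrypted) content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len characters."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def find_indicators(strings) -> dict:
    """Pull URLs, valid IPv4 addresses, and watchlisted API names."""
    urls, ips, apis = [], [], []
    for s in strings:
        urls.extend(URL_RE.findall(s))
        for ip in IPV4_RE.findall(s):
            if all(int(octet) <= 255 for octet in ip.split(".")):
                ips.append(ip)
        apis.extend(name for name in API_WATCHLIST if name in s)
    return {"urls": urls, "ipv4": ips, "suspicious_apis": sorted(set(apis))}


def analyze_bytes(data: bytes) -> dict:
    """Build the static-triage record for one file's bytes."""
    strings = extract_strings(data)
    entropy = shannon_entropy(data)
    report = {
        "size": len(data),
        "type": identify_type(data),
        "hashes": compute_hashes(data),
        "entropy": round(entropy, 3),
        "possibly_packed": entropy > 7.0,
        "string_count": len(strings),
    }
    report.update(find_indicators(strings))
    return report


def analyze_file(path: str) -> dict:
    """Read a file from the VM's evidence folder and triage it."""
    with open(path, "rb") as fh:
        return analyze_bytes(fh.read())


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_bytes(SAMPLE), indent=2))
```

Run it as `python3 triage.py` to see the record for the constructed sample, or call `analyze_file("/path/in/vm/suspect.bin")` against the working copy; the hash values are what you quote in the report so a reader can confirm the same file was examined. Paste the `urls`, `ipv4`, and `suspicious_apis` lists into the findings section together with screenshots, and explain what each indicator would let the program do if it were run.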
Step 4: Evaluate Malware Analysis Results and Write Lab Report
As you did with the first lab, after you’ve conducted your analysis, write up your findings by applying Guidelines for Digital Forensics Examiner Reports to the UMGC Digital Evidence Forensic Report Template. Keep in mind that your report should include screenshots and analysis of the malware file.
Once you have completed this write-up, submit it to get feedback after reading the instructions below.
You have completed your lab investigations and collected the information you need. It is time to write the Final Incident Response Report for your organization’s leaders, network administrators, and security operations team.