Digital Forensics And Malware Analysis

Hello everyone. My name is Ahmet Payaslıoğlu. I wrote a document on Digital Forensics to pass my Master’s course at the University of Maribor. You can find malware investigation and forensic examinations in it. I hope that will be useful.

Abstract

We will examine how to analyze a hacked windows operating system, with which clues we can catch malicious software that has infected the windows machine, and what systemic changes the malware has made inside the windows machine. We will analyze the background running processes of the malicious software by making the Ram analysis of the hacked windows machine and the necessary forensic examinations. Then we will do static and dynamic analysis to examine the malware. After analyzing, we will obtain a lot of evidence in terms of Digital Forensics.

Contents

Chapter 1 Introduction

Chapter 2 Related Work

Chapter 3 Trojan

3.1 What is Trojan?

3.2 Simple Creation of Dangerous Trogens for Windows System

3.3 Getting Reverse Shell on Victim Machine

Chapter 4 Windows Forensics

4.1 Importance of Digital Forensics

4.2 Objectives of Computer Forensics

4.3 Create a Forensic Image

4.4 Windows Ram Forensics

4.5 Windows Network Forensics

Chapter 5 Malware Forensics

5.1 Static Malware Analysis

5.1.1 String Analysis

5.1.2 Inspecting the PE File Format

5.1.3 Meta-Data and Hash Information

5.2 Dynamic Malware Analysis

Chapter 6 Analysis

Chapter 7 Conclusion

Chapter 8 References

Chapter 1

Introduction

Microsoft Windows still remains the most popular operating system for most devices all over the world. Most of the cyber forensic software is developed for Windows systems and its compatible hardware. There are numerous books, guides, and articles on Windows forensics that publish information about tools and techniques used in the industry. Windows Forensics as a field of research has tremendous potential, as we witness the development of new methods and tools for investigations. The fact that Windows is so popular attracts the attention of hackers. Attacks on Windows systems are increasing day by day. Therefore, forensic examination of windows operating systems has become more important.

Chapter 2

Related Work

Due to the growing number of disputes over IT-related issues such as mass marketing frauds, identity thefts, and even national security threats, forensic investigation of cybercrimes as well as solving the problem of IT disputes is vital. In addition to engineering secure software and systems, hardening networks, and security monitoring, investigating cyber incidents is necessary. Therefore, forensic investigations have a very important place. I was inspired by this thesis before starting my own thesis. Hejazi, Seyed Mahmood. Analysis of Windows memory for forensic investigations. Document authored from the Concordia University.[1]

Chapter 3

Trojan

3.1 What is Trojan?

A Trojan horse, or Trojan, is a type of malicious code or software that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. A Trojan acts as a bona fide application or file to trick you. It seeks to deceive you into loading and executing the malware on your device. Once installed, a Trojan can perform the action it was designed for. A Trojan is sometimes called a Trojan virus or a Trojan horse virus, but that’s a misnomer. Viruses can execute and replicate themselves. A Trojan cannot. A user has to execute Trojans. Even so, Trojan malware and Trojan virus are often used interchangeably. Whether you prefer calling it Trojan malware or a Trojan virus, it’s smart to know how this infiltrator works and what you can do to keep your devices safe. (Ghossoon M.Waleed 2011)

How do Trojans work?

You might think you’ve received an email from someone you know and click on what looks like a legitimate attachment. But you’ve been fooled. The email is from a cybercriminal, and the file you clicked on — and downloaded and opened — has gone on to install malware on your device. When you execute the program, the malware can spread to other files and damage your computer. How? It varies. Trojans are designed to do different things. But you’ll probably wish they weren’t doing any of them on your device. These programs purposely damage a user’s system.( Gordon and David Chess 1999) [2]

Common types of Trojan malware

Backdoor Trojan

This Trojan can create a “backdoor” on your computer. It lets an attacker access your computer and control it. Your data can be downloaded by a third party and stolen. Or more malware can be uploaded to your device.

Distributed Denial of Service (DDoS) attack Trojan

This Trojan performs DDoS attacks. The idea is to take down a network by flooding it with traffic. That traffic comes from your infected computer and others.

Downloader Trojan

This Trojan targets your already-infected computer. It downloads and installs new versions of malicious programs. These can include Trojans and adware.

Fake AV Trojan

This Trojan behaves like antivirus software but demands money from you to detect and remove threats, whether they’re real or fake.

Game-thief Trojan

The losers here may be online gamers. This Trojan seeks to steal their account information.

Infostealer Trojan

As it sounds, this Trojan is after data on your infected computer.

Mailfinder Trojan

This Trojan seeks to steal the email addresses you’ve accumulated on your device.

Ransom Trojan

This Trojan seeks a ransom to undo damage it has done to your computer. This can include blocking your data or impairing your computer’s performance.

Remote Access Trojan

This Trojan can give an attacker full control over your computer via a remote network connection. Its uses include stealing your information or spying on you.

Rootkit Trojan

A rootkit aims to hide or obscure an object on your infected computer. The idea? To extend the time a malicious program runs on your device.

SMS Trojan

This type of Trojan infects your mobile device and can send and intercept text messages. Texts to premium-rate numbers can drive up your phone costs.

Trojan banker

This Trojan takes aim at your financial accounts. It’s designed to steal your account information for all the things you do online. That includes banking, credit card, and bill pay data.

Trojan IM

This Trojan targets instant messaging. It steals your logins and passwords on IM platforms.

3.2 Simple Creation of Dangerous Trogens for Windows System

1-As a first step I created such a windows trojan to get a reverse TCP connection through Msfvenom Tool. Msfvenom is a command-line instance of Metasploit that is used to generate and output all of the various types of shellcode that are available in Metasploit. Requirements: Kali Linux. Windows Machine.

2- I wrote my own IP address and port for the target machine to connect to me. After I created the malware, I sent it to the windows machine with the phishing method. When the victim clicked my trojan, I got obtain a reverse shell.

Later, I wrote meterpreter codes for the target machine and stole information from the victim.

-The screenshot command takes a screenshot from a remote machine.

-The download command downloads a file from the remote machine.

I stole this file from the victim’s computer. (password file)

-Password File From Victim’s computer:

- The ps command displays a list of running processes on the target

-The record_mic command take a recorded audio from a remote machine

-The shell command will present you with a standard shell on the target system

Also, You can find in link all the commands to steal different data from a remote machine(https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/)

Chapter 4

Windows Forensics

4.1 Importance of Digital Forensics

Digital forensics is usually associated with the detection and prevention of cybercrime. It is related to digital security in that both are focused on digital incidents. While digital security focuses on preventative measures, digital forensics focuses on reactive measures. (Matthew N. O. Sadiku, 2017) [5]

Digital Forensics is defined as the process of preservation, identification, extraction, and documentation of computer evidence that can be used by the court of law. It is a science of finding evidence from digital media like a computer, mobile phone, server, or network. It provides the forensic team with the best techniques and tools to solve complicated digital-related cases.Digital Forensics helps the forensic team to analyzes, inspect, identifies, and preserve the digital evidence residing on various types of electronic devices. In this way, it causes the criminals to be caught and brought to court.

4.2 Objectives of computer forensics

  • It helps to recover, analyze, and preserve computer and related materials in such a manner that it helps the investigation agency to present them as evidence in a court of law.
  • It helps to postulate the motive behind the crime and the identity of the main culprit.
  • Designing procedures at a suspected crime scene which helps you to ensure that the digital evidence obtained is not corrupted.
  • Data acquisition and duplication: Recovering deleted files and deleted partitions from digital media to extract the evidence and validate them.
  • Helps you to identify the evidence quickly, and also allows you to estimate the potential impact of the malicious activity on the victim
  • Producing a computer forensic report which offers a complete report on the investigation process.
  • Preserving the evidence by following the chain of custody.

4.3 Create a Forensic Image

-I first take an image to examine the hacked machine.I will use FTK for this.FTK Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as AccessData® Forensic Toolkit® (FTK) is warranted.

-Then I choose the disk I want to image.

-Next, select the image type. The type you choose will usually depend on what tools you plan to use on the image. The dd format will work with more open-source tools, but you might want SMART or E01 if you will primarily be working with ASR Expert Witness or EnCase, respectively.

-Then I create a name for the image. Then I choose the path where I want to save the image.

-And the image started to be created.

4.4 Windows Ram Forensics

Memory forensics involves analyzing a static memory image in order to determine the current state of the target system. This can be compared to taking a snapshot of the system memory for a particular instant in time. Live computer systems contain volatile data stored in Random-Access Memory (RAM). If power is no longer supplied to the system, the data stored in RAM is lost. (J. Brendan Baum, Civilian, USAF 2014) [3] Therefore, it is very important to make an urgent Ram analysis in forensic cases.

Since the RAM image has an important position in terms of Digital forensics, the data to be obtained through examination can turn into a very useful resource in illuminating events. After taking images with FTK, I do ram analysis with the Volatility tool.

-I write the image info command to find out which operating system architecture the image has.

- I typed the pslist command to see all the processes running in the background. Later, notepad.exe catches my attention and I start to examine it.

-As a result of my analysis, I see that the virus injects itself into notepad.exe. After injecting I notice it runs a lot of DLLs in the background.

1- It was using WS2_32.DLL to the network connection.

2- It was using CRYPT32.DL to an encrypted connection.

3- It was using SHELL32.DLL to run commands.

- Then I see the trojan establishes a connection to a remote server via TCP connection.

4.5 Windows Network Forensics

Network forensics deals with the capture,recording and analysis of network events in order to discover evidential information about the source of security attacks in a court of law.( Natarajan Meghanathan 2009) [4]

-I used the TCPView tool to view network connections. As you can see in the image below, notepad.exe is sending a TCP request to a remote server. It also transfers packages.

-I can see that there is a TCP connection between the target server and the victim machine.

Chapter 5

Malware Forensics

5.1 Static Malware Analysis

Analyzing software without executing it is called static analysis. (Nirav Bhojani 2014)[6] This is the safest way to analyze malware, as executing the code could infect your system. In its most basic form, static analysis gleans information from malware without even viewing the code. Metadata such as file name, type, and size can yield clues about the nature of the malware. MD5 checksums or hashes can be compared with a database to determine if the malware has been previously recognized. And scanning with antivirus software can reveal what malware you’re dealing with. Any file that uses hard-coded data such as URL’s, file paths, and messages…etc. Contain strings inside of it. Those strings can provide very useful information about what malware can do.

For example, if we look through the strings of a file and find some kind of URL’s or IP’s. This could be a strong indicator that our malware is going to use some kind of network functionality that will make use of those URL’s or IP’s.

5.1.1 Searching for Interesting Strings

-I do string analysis without running malware. I used the BinText tool for this process.

I have seen many malicious functions in the malware program.

(CreateFileA , CreateFileW, GetProcAdress,WriteFile, Read File,KERNEL32.dll etc …)

5.1.2 Inspecting the PE File Format

PE is a file format that is standardized by the Microsoft Windows operating systems for executables, dynamically linked libraries (DLL), and object files. (Yibin Liao )[8]

I did Portable Executable analysis via the Dependency Walker program.

I caught these malicious DLLs.

1-I saw that it was using WS2_32.DLL to network connection

2-I saw that it was using CRYPT32.DL to encrypted connection

3-I saw that it was using SHELL32.DLL to run commands

5.1.3 Meta-Data and Hash Information

Metadata Analysis. Metadata often described as data about data, allows digital or computer forensic investigators to understand the history of a particular electronic file, including when the file was created, modified, and accessed, among other information that can be used to describe the file. I used the pescanner tool included in the Remnux Distribution To access Meta-Data and Hash information.

-I caught malicious functions through this tool.(CreateFileA, CreateFileW, GetVersionExA, GetCommandLineW, LoadLibraryA, TerminateProcess)

1-CreateFileA, CreateFileW functions are used for reading and writing files.

2-Connect, Closesocket functions to open and close the network connection

3-GetVersionExA function to learn the operating system version

4-GetCommandLineW function to run commands from the command line

5-LoadLibraryA function for library loading

6-TerminateProcess function is used to terminate a process.

Online scan engines, designed to scan malware files and malicious websites, are critical tools for detecting new threats VirusTotal is one of the most popular scanning services that are widely used by researchers and industry practitioners. ( Peng Peng , Limin Yang) [10]

-After I know the hash value of its file, After uploading it to the Virustotal website, many antiviruses found that this application was a trojan, as a result of comparing the hash values.

5.2 Dynamic Malware Analysis

A given malware sample can be executed within a controlled environment and monitoring its actions in order to analyze the malicious behavior which is called dynamic malware analysis. (Nirav Bhojani 2014) [7] Dynamic analysis — also called malware behavior analysis — runs the malware program to examine its behavior. Of course, running a piece of malware always carries some risk, so dynamic analysis must be performed in a safe environment. A “sandbox” environment is a virtual system that is isolated from the rest of the network and can run malware without risk to production systems. After the analysis is done, the sandbox can be rolled back to its original state without permanent damage.

When a piece of malware is run, technical indicators appear and provide a detection signature that dynamic analysis can identify. Dynamic analysis software monitors the sandbox system to see how the malware modifies it. Modifications may include new registry keys, IP addresses, domain names, and file path locations. Dynamic analysis will also reveal whether the malware is communicating with a hacker’s external server. Debugging is another useful dynamic analysis technique. As the malware is running, a debugger can zero in on each step of the program’s behavior while the instructions are being processed.

I used the process monitor tool to dynamically monitor the malware. After running the process monitor tool, we can follow all the operations performed on the system. There are too many processes, we can perform filtering.

-When I looked at the process name of the malware I created, it appeared as Explorer.EXE. When I looked under the Explorer.Exe path , I saw that the Virus.Exe malware was running and was using cmd.

-When I examine the file movements of the malware after filtering, it performs some operations. Like “Create File”, “CloseFile”, “Read File” …

-When I right click on any process and move to the “Stack” area, we can observe in detail which processes it uses, which files it creates and where it creates it. Stack are temporary variables, function parameters, return values ​​are the fields that are kept in RAM while the program is running.

-When we examine the stack part of the “QueryBasicInformation” process, we can observe that the malware uses and runs the files in “system32”.

-When we look at the network activities of the malware on the process monitor, we observe that it is constantly looking for a TCP socket connection.

-Also, malware makes changes to registry files.

Chapter 6

Analysis

-As a result of my studies, I have determined that a harmful application can steal too much information from us. In my work, I got the authority when the victim opened a file that I sent via the phishing method. Recently, one form of identity theft crime that has become a lethal security threat is phishing, targeted primarily at casual email users. (Bıju Issac 2006) [9]

-The majority of cyberattacks begin with a user clicking on a phishing email. According to a new report from PhishMe that found that 91% of cyberattacks start with a phish, the top reasons people are duped by phishing emails are curiosity (13.7%), fear (13.4%), and urgency (13.2%), followed by reward/recognition, social, entertainment, and opportunity.

Chapter 7

Conclusion

My purpose in this study was to analyze malware downloaded with the phishing method. As I said in the analysis section, approximately 91% of today’s attacks occur through phishing. Therefore, basic cybersecurity training should be given to all employees first. Emails from unknown sources should not be opened. In addition, cracked applications should not be used. Because hackers can insert bad code snippets into the software to get you into your botnet network. Especially, we should question the reliability of applications downloaded from unknown sources.

Chapter 8

References

Researches

[1] Hejazi, Seyed Mahmood. Concordia University (Canada), ProQuest Dissertations Publishing, 2009. MR63196

[2] Attitude Adjustment: Trojans and Malware on the Internet An Update Sarah Gordon and David Chess IBM Thomas J. Watson Research Center Yorktown Heights, NY

[3] WINDOWS MEMORY FORENSIC DATA VISUALIZATION J. Brendan Baum, Civilian, USAF

[4] TOOLS AND TECHNIQUES FOR NETWORK FORENSICS Natarajan Meghanathan, Sumanth Reddy Allam and Loretta A. Moore 2009

[5] Digital Forensics Matthew N. O. Sadiku, Mahamadou Tembely, and Sarhan M. Musa 2017

[6] Malware Analysis Conference:Ethical Hacking At: Nirma University,Nirav Bhojani 2014

[7] Malware Analysis Conference:Ethical Hacking At: Nirma University,Nirav Bhojani 2014

[8] Microsoft Portable Executable and Common Object File Format Specification. http://msdn.microsoft.com/library/windows/hardware/gg463125/.

[9] Analysis of Phishing Attacks and Countermeasures , Biju Issac , Raymond Chiong 2006

[10] Opening the Blackbox of VirusTotal: Analyzing Online Phishing Scan Engines Peng Peng , Limin Yang , Linhai Song , Gang Wang

Books

- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software Michael Sikorski, Andrew Honig

- Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware Monnappa K A

- Windows Forensics Cookbook Oleg Skulkin, Scar de Courcier

- Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry Harlan Carvey

- Practical Windows Forensics Ayman Shaaban, Konstantin Sapronov

WebSites

- https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/)

- https://us-cert.cisa.gov/sites/default/files/publications/forensics.pdf

- https://us.norton.com/internetsecurity-malware-what-is-a-trojan.html

- https://www.hindawi.com/journals/scn/2018/5749481/

- https://www.virustotal.com/gui/

I am a 3rd grade Digital Forensics Engineering Student. This year I am studying Computer Science through Erasmus+ in order to complete my 3rd grade.