Malware analysis and forensic analysis of images
- 1. Forensic Analysis and Malware Analysis Workstaiton For analyzing malicious URLs. suspect Office documents or PDFs, executable, or analyzing disk images , the SANS SIFT Workstaion with Remnux tools will be used. This is a virtual machine installed with a suite of tools needed to analyze these items. Although there are hundreds of too ls, not all of them are necessary for high-level malware or forensic analysis. Below are the groupings of the tools for their specific purpose, as well as 2 flow charts indicating in what order and what output is to be expected from each tool. Also, there are 3 .dd images , a suspicious Office document, a malicious PDF, and an Trojan executable installed on the SAN SIFT workstation in order to practice the skills and utilization of the tools. Malware Analysis and Forensic Analysis of Images Tool List Manta Ray – Image Analysis and Deleted File Recovery Autopsy – Forensic Image Analysis and Filre recovery Kibana – Log Timeline Analysis Bokken –URL and File TEsting UPX – For unpacking malware Pyew – File and PDF Analysis for Malware PEScan – Windows Executable Analysis Procdot – dynamic malware Analysis Thug – URL collection and analysis Burp Suite – URL Analysis and Collection Olevba.py – embedded macros in Office documents BE Viewer – gathers information off of forensic images Strings – pulls cleartext from files GHEX – For viewing raw hexadecimal view of files and images Scalpel – For pulling data off of images via command line or parsing damaged images - Forensics o Mantaray – recovers deleted files, creates timelines o Autopsy – Analysis of Forensic Images o BEViewer– Bulk_extractor – pulls email addresses, phone numbers, URLs o Scalpel – For analyzing images or damaged files not viewable in Autopsy or Mantaray o Log2Timeline/Plaso – part of Mantaray
- 2. o GHEX - Malware analysis o Suspicious URL Thug.py www.yahoo.com - FZM ……output to var/log/thug Burpsuite JSDetox o Static Bokken - GUI Interface that can analyze the following: Websites Executables PDF Files PEScan – Scans executables and provides information PEFrame Pyew Commands o Pyew.imports – more details on malware o Urls – will show URLs inside a piece of malware o Packer – will show if the malware is “packed” o Threat – sends the MD5 has to Virustotal o Pdfview – only for using pyew to analyze PDF Files UPX Ghex o Document Analysis Olevba.py – for Office Document Macros JSDetox – For Obfuscated Java Script PDFxtract – For PDF Peepdf –I – PDF Document Analysis Pyew – PDF and Windows Executable Analysis Swfdump – to pull .swf files out of PDF files o Dynamic - Need a VM to infect - Need to tailor VM so that the malware does not detect this as a VM for analysis
- 3. Static Analysis of Suspicious URLs and Malware Flowchart Is this an executable, URL, Offfice Doc, or PDF? URL Use thug.py -FZM www.xxxxxx.com to pull the website and analyze Executable Use PEFrame and Pyew to Analyze Is it packed? Unpack using UPX or another tool Use" strings" to find Cleartext Use XORSearch or No MoreXOR to find hidden strings Office Document Use olevba.py to find suspicious macros PDF Use"pyew" to analyze Use "pdfview" option to view any suspicious Javascript May need to use JS-Detox to de-obfuscate Javascript
- 4. Forensic Analysis of Workstation Image Obtain Disk Image via ExternalMedia DVD or External USB Determine Format Determine Partion for Analysis mmls command FTK Image type from Forensic Toolkit Imager DD Autopsy GUI Interface, retrieves deleted files GHEX Raw Look at Files and Disk Images Scalpel Command-Line..for damaged or unmountable images Mantaray GUI Interface Supertimeline Pulls all logs and creates a timeline of activity Forefront Recovers deleted files and separates tehm into folders Bulk_Extractor BEViewer - extracts emails, URLs, telephone numberes...etc from images For mounting a .dd image, right-click and chooseDrive Mounter VMDK Virtual Machine Image