Publication
Featured research published by Eoghan Casey.
Malware Forensics Field Guide for Windows Systems | 2012
Cameron H. Malin; Eoghan Casey; James M. Aquilina
Through the file profiling method, tools, and techniques discussed in Chapter 5, forensic investigators can gain important insight into the dependencies, strings, antivirus signatures, and metadata associated with a suspect file and use this knowledge to learn more about it. Building on that information, this chapter further explores the nature, purpose, and functionality of a suspect program by conducting dynamic and static analysis of the binary. The chapter demonstrates the importance of combining dynamic and static analysis to gain a better understanding of a malicious code specimen. It explains what an investigator should consider while analyzing a suspect program, including the nature and purpose of the program, how it accomplishes its purpose, how it interacts with the host system and network, how the attacker interacts with the program, and more. The chapter also covers how phylogenetic relationships between specimens can provide insight into their origin, composition, and development.
Archive | 2008
Cameron H. Malin; Eoghan Casey; James M. Aquilina
This chapter introduces Windows-based file profiling analysis through an incident response scenario. In the course of responding to or investigating an incident encountered on a system within a targeted network, or one clearly linked to a file received by a network user via email, instant messaging, or another means of online communication or file transfer, a suspicious file can be fairly characterized as one that is of unknown origin, unfamiliar, or seemingly familiar but located in an unusual place on the system. After extracting the suspicious file from the system, determining its purpose and functionality is often a good starting place. This process is called file profiling. The file profiling process entails an initial or cursory static analysis of the suspect code. Static analysis is the process of analyzing executable binary code without actually executing the file. Dynamic or behavioral analysis involves executing the code and monitoring its behavior, including its interaction with and effect on the host system. Static and dynamic analysis are the two approaches to code analysis that most digital investigators use.
Archive | 2012
Cameron H. Malin; Eoghan Casey; James M. Aquilina
Archive | 2014
Cameron H. Malin; Eoghan Casey; James M. Aquilina
Malware Forensics Field Guide for Linux Systems | 2014
Cameron H. Malin; Eoghan Casey