Course Review SANS FOR526 Memory Forensics In-Depth

I have been delinquent in posting here, mostly because my duties have taken me more into the cyber hunting realm than malware analysis.  One of the skills I realized was invaluable to the hunter was memory analysis.

I attended the DFIR Summit in Austin Texas back in July of 2013.  I had an excellent time, learned a lot, laughed a lot, and could not recommend the event more highly.  After the summit, I took the new SANS FOR526 class devoted to Memory Forensics.

Continue reading

Taking the Plunge, learning open source projects

I have started a new open source Java project called ArtifactIR.  Many times while conducting incident response, I found myself using a combination of paper notes, notepad++, Forensic Casenotes, MS Word, and others to record my observations.  I would then spend time collecting them all into my report.  Typically, I would want these observations to be sorted by the time that they applied, but for after action review, I would also like to be able to display them in the order the observations were made.  This includes aggregating across team members so we can see the flow of the investigation when we are reviewing our performance. Continue reading

Don’t Cross the Streams

I had an experience a couple of weeks ago where I was reminded about the difference between speed and efficiency. This post will serve as my mea culpa.

I was in the middle of an intense analysis session of some complex malware when I was notified of a brand new piece of malware that needed to be analyzed immediately.  As I went through the process of acquiring it, my boss approached, pulled up a chair, and asked how long before we knew anything.  On the earlier case, I had just reverted my lab VM to a validated base to some kernel level debugging of the samples.  I had only moved in the samples that I needed, but had not begun the analysis. No other activity had taken place in this lab VM.  Instead of taking the time to snapshot the lab’s current state, revert to my base, and analyze the new sample in a clean and validated environment, I just moved the new sample in.  I intended to get some quick static analysis done to decide how much time and what priority this new sample would need.  Then but for one click I could have been a hero. :) Continue reading

Malware Analysis as a function of intelligence and counterintelligence operations.

Simply stated, intelligence operations are focused on gathering information about an organization’s adversaries.  Counterintelligence operations are focused on limiting, controlling, or identifying the information that an organization’s adversaries gather about the organization.

Often when discussing malware, analysts will speak mechanically about the observations and capabilities of a sample.  (How is it packed?  How does it maintain persistence? What are the artifacts that let me find it on other machines or detect it on the network?…)  But a lot of what we need to do involves gathering and controlling information.  That is more like intelligence and counterintelligence operations and can be as hard as reverse engineering the sample itself.

Continue reading

PXE Boot Server in a Malware Lab

Sometimes when analyzing malware, we discover that it behaves differently when run in a virtual machine (VM). It may exhibit different behaviors or it may just not run at all. Being able to quickly test these samples on real hardware in an efficient manner is a vital function to have available in a Malware Lab.  This can be accomplished by building up a Preboot Execution Environment (PXE) Boot Server and creating various pre-configured machines state images to deploy as needed. Continue reading

Tool Talk #1

To start contributing I thought I would cover some of the tools that I use, and how I use them.

The most valuable tool for any malware analyst is the software that hosts their virtual machines in both their test and analysis environments.  While windows licenses cost money, the virtual machine software can be free.  Oracle’s VirtualBox, the QEMU Project, and VMware’s Player are free applications that can host virtual machines.  While I prefer VirtualBox due to the GUI combined with snapshot capabilities, the others provide some additional benefits.  Most of the malware that I have analyzed that was VM aware looked for VMware signatures.  A couple of the samples did things with the floating point processor to detect abnormal results and detected VirtualBox, but I have not observed any that directly look for QEMU signatures.   Additionally, if you have a server in your arsenal, you can install the free VMware ESXi hypervisor to build intricate networks and manage the multiple virtual machines through one interface.  One of the negatives of the ESXi application is getting memory snapshots from the hypervisor to the machine you use to do memory analysis. Continue reading