Malware Forensics

Malware Forensics

Step 1: Collect Evidence from the Forensic Image As you learned in your exploration of digital forensic response and analysis, one way to analyze the data is by visual analysis, which allows assimilation of information from a variety of sources for inspection in ways that is possible only with this integration. In visual analysis reporting, computing power is used to to process raw data into graphics, which are meant to reveal patterns or relationships in the data when viewed by a human. This raw data can include logs and records that have different formats, as well as media files. Filtering and linkage techniques, as well as the use of a timeline, can provide a more complete picture of a situation that may be difficult or impossible to conceptualize without visual analysis techniques. In determining next steps, you recall that the effectiveness of visual analysis include visual resolution and metrics based on pattern-matching algorithms. By comparison, other techniques like statistical analysis rely primarily on numerical measures derived from the data and incorporated into tree maps. Graphics produced for visual analysis may rely on color, shape, size, location, and relationships to represent aspects of the underlying data. Visual analysis for data analytics should not be confused with visual analysis for artwork, which is the study of the formal elements and other aspects of a work of art. Visual analysis is one technique used in digital forensics for analysis. For the current investigation, though, you first need to determine what you are dealing with. Is it malware? After reviewing the network attack and the possible approach taken by the attacker, you suspect malware was used. Integrating reverse engineering techniques with malware analysis techniques can shed light on network vulnerabilities and how malware code executed. These malware analysis tools and environment are run on a live network, or, preferably, on captured network traffic, as in this particular incident. Special Agent Michael Jones of the US Secret Service imaged the compromised host disk and made a working copy of the image files. The evidence was checked into the evidence room and all examinations were conducted on the working copy. You will use your eLab tools to analyze the suspect image for malware. In the eLab, you will investigate the back door, indicators, hidden rootkit, and file systems. As you work through this analysis, keep in mind malware trends, including malware obfuscationand other techniques used to protect malware.