Malware Forensics Field Guide for Windows Systems
Digital Forensics Field Guides
Cameron H. Malin Eoghan Casey
James M. Aquilina Curtis W. Rose Technical Editor
Acquiring Editor: Cris Katsaropoulos Project Manager: Paul Gottehrer Designer: Alisa Andreola
Syngress is an imprint of Elsevier 225 Wyman Street, Waltham, MA 02451, USA
© 2012 Elsevier, Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Application submitted
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-1-59749-472-4
For information on all Syngress publications visit our website at http://store.elsevier.com
Printed in the United States of America 12 13 14 15 16 10 9 8 7 6 5 4 3 2 1
Typeset by: diacriTech, Chennai, India
For our moms, who taught us determination, patience, creativity, and to live passionately.
Acknowledgments
Cameron would like to thank a number of people for their guidance, support, and ideas on this book—without them it would not have happened. James and Eoghan I appreciate your willingness to keep an open mind and embrace the format and structure of this book; it was a rewarding challenge. I’m proud to work with you both.
Thanks to the Syngress crew for your patience and understanding of our vision: Steve Elliot, Angelina Ward, Laura Colantoni, Matthew Cater, Paul Gottehrer, Chris Katsaropoulos, and David Bevans.
Not to be forgotten are some terrific researchers, developers, and forensic practitioners who assisted and supported this book: Mila Parkour (contagiodump.blogspot.com), Ero Carera and Christian Blichmann (Zynamics), Matthew Shannon (F-Response), Maria Lucas (HBGary), Thorsten Holz (Assistant Professor at Ruhr-University Bochum; http://honeyblog.org/), Tark (ccso.com), and Danny Quist (offensivecomputing.net).
For your friendship, camaraderie, and day-to-day hi-jinks, “Team Cyber” of the Los Angeles Cyber Division—you are a fantastic crew and I miss you. Jason, Ramyar, and Bryan—my friends and confidants—thank you for everything, we had a good run.
My sister Alecia—your determination and focus are an inspiration to me. “No lying on the couch!”
Finally, to my lovely wife Adrienne, I am so lucky to have you in my life—thanks for being a “team” with me—I love you. Bentley and Barkley—thanks for being Daddy’s little “writing buddies.”
Special Thanks to the Technical Editor
Malware Forensics Field Guide for Windows Systems was reviewed by a digital forensic expert who is a fantastic author in his own right. My sincerest thanks to Curtis W. Rose for your tenacity and attention to detail—we’re lucky to work with you.
About the Authors
Cameron H. Malin is a Supervisory Special Agent with the Federal Bureau of Investigation assigned to a Cyber Crime squad in Los Angeles, California, where he is responsible for the investigation of computer intrusion and malicious code matters. In 2010, Mr. Malin was a recipient of the Attorney General’s Award for Distinguished Service for his role as a Case Agent in Operation Phish Phry.
Mr. Malin is the Chapter Lead for the Southern California Chapter of the Honeynet Project, an international non-profit organization dedicated to improving the security of the Internet through research, analysis, and information regarding computer and network security threats. Mr. Malin currently sits on the Editorial Board of the International Journal of Digital Evidence (IJDE) and is a Subject Matter Expert for the Information Assurance Technology Analysis Center (IATAC) and Weapon Systems Technology and Information Analysis Center (WSTIAC).
Mr. Malin is a Certified Ethical Hacker (C|EH) and Certified Network Defense Architect (C|NDA) as designated by the International Council of Electronic Commerce Consultants (EC-Council) and a Certified Information Systems Security Professional (CISSP), as designated by the International Information Systems Security Certification Consortium ((ISC)2®).
Prior to working for the FBI, Mr. Malin was an Assistant State Attorney (ASA) and Special Assistant United States Attorney (SAUSA) in Miami, Florida, where he specialized in computer crime prosecutions. During his tenure as an ASA, Mr. Malin was also an Assistant Professorial Lecturer in the Computer Fraud Investigations Masters Program at George Washington University.
The techniques, tools, methods, views, and opinions explained by Cameron Malin are personal to him, and do not represent those of the United States Department of Justice, the Federal Bureau of Investigation, or the government of the United States of America. Neither the Federal government nor any Federal agency endorses this book or its contents in any way.
Eoghan Casey is founding partner of cmdLabs, author of the foundational book Digital Evidence and Computer Crime, and coauthor of Malware Forensics: Investigating and Analyzing Malicious Code. For over a decade he has dedicated himself to advancing the practice of incident handling and digital forensics. He helps client organizations handle security breaches and analyzes digital evidence in a wide range of investigations, including network intrusions with international scope. He works at the Department of Defense Cyber Crime Center (DC3) on research and tool development. He has testified in civil and criminal cases, and has submitted expert reports and prepared trial exhibits for computer forensic and cyber-crime cases.
As a Director of Digital Forensics and Investigations at Stroz Friedberg, he maintained an active docket of cases and co-managed the firm’s technical operations in the areas of computer forensics, cyber-crime response, incident handling, and electronic discovery. He also spearheaded Stroz Friedberg’s external and in-house forensic training programs as Director of Training. Mr. Casey has performed thousands of forensic acquisitions and examinations, including Windows and UNIX systems, Enterprise servers, smart phones, cell phones, network logs, backup tapes, and database systems. He also has extensive information security experience, as an Information Security Officer at Yale University and in subsequent consulting work. He has performed vulnerability assessments; deployed and maintained intrusion detection systems, firewalls, and public key infrastructures; and developed policies, procedures, and educational programs for a variety of organizations.
Mr. Casey holds a B.S. in Mechanical Engineering from the University of California at Berkeley, and an M.A. in Educational Communication and Technology from New York University. He conducts research and teaches graduate students at Johns Hopkins University Information Security Institute, and is Editor-in-Chief of Digital Investigation: The International Journal of Digital Forensics and Incident Response.
James M. Aquilina, Executive Managing Director and Deputy General Counsel, contributes to the management of Stroz Friedberg and the handling of its legal affairs, in addition to having overall responsibility for the Los Angeles, San Francisco, and Seattle offices. He supervises numerous digital forensic, Internet investigative, and electronic discovery assignments for government agencies, major law firms, and corporate management and information systems departments in criminal, civil, regulatory, and internal corporate matters, including matters involving data breach, e-forgery, wiping, mass deletion and other forms of spoliation, leaks of confidential information, computer-enabled theft of trade secrets, and illegal electronic surveillance. He has served as a neutral expert and has supervised the court-appointed forensic examination of digital evidence. Mr. Aquilina also has led the development of the firm’s online fraud and abuse practice, regularly consulting on the technical and strategic aspects of initiatives to protect computer networks from spyware and other invasive software, malware and malicious code, online fraud, and other forms of illicit Internet activity. His deep knowledge of botnets, distributed denial of service attacks, and other automated cyber-intrusions enables him to provide companies with advice and solutions to tackle incidents of computer fraud and abuse and bolster their infrastructure protection.
Prior to joining Stroz Friedberg, Mr. Aquilina was an Assistant U.S. Attorney (AUSA) in the Criminal Division of the U.S. Attorney’s Office for the Central District of California, where he most recently served in the Cyber and Intellectual Property Crimes Section. He also served as a member of the Los Angeles Electronic Crimes Task Force, and as chair of the Computer Intrusion Working Group, an inter-agency cyber-crime response organization. As an AUSA, Mr. Aquilina conducted and supervised investigations and prosecutions of computer intrusions, extortionate denial of service attacks, computer and Internet fraud, criminal copyright infringement, theft of trade secrets, and other abuses involving the theft and use of personal identity. Among his notable cyber cases, Mr. Aquilina brought the first U.S. prosecution of malicious botnet activity against a prolific member of the “botmaster underground” who sold his armies of infected computers for the purpose of launching attacks and spamming and used his botnets to generate income from the surreptitious installation of adware; tried to a jury conviction the first criminal copyright infringement case involving the use of digital camcording equipment; supervised the government’s continuing prosecution of Operation Cyberslam, an international intrusion investigation involving the use of hired hackers to launch computer attacks against online business competitors; and oversaw the collection and analysis of electronic evidence relating to the prosecution of a local terrorist cell operating in Los Angeles.
During his tenure at the U.S. Attorney’s Office, Mr. Aquilina also served in the Major Frauds and Terrorism/Organized Crime Sections, where he investigated and tried numerous complex cases, including a major corruption trial against an IRS Revenue Officer and public accountants, a fraud prosecution against the French bank Credit Lyonnais in connection with the rehabilitation and liquidation of the now defunct insurer Executive Life, and an extortion and kidnapping trial against an Armenian organized crime ring. In the wake of the September 11, 2001, attacks Mr. Aquilina helped establish and run the Legal Section of the FBI’s Emergency Operations Center.
Before public service, Mr. Aquilina was an associate at the law firm Richards, Spears, Kibbe & Orbe in New York, where he focused on white collar defense work in federal and state criminal and regulatory matters.
He served as a law clerk to the Honorable Irma E. Gonzalez, U.S. District Judge, Southern District of California. He received his B.A. magna cum laude from Georgetown University, and his J.D. from the University of California, Berkeley School of Law, where he was a Richard Erskine Academic Fellow and served as an Articles Editor and Executive Committee Member of the California Law Review.
He currently serves as an Honorary Council Member on cyber-law issues for the EC-Council, the organization that provides the C|EH and CHFI (Certified Hacking Forensic Investigator) certifications to leading security industry professionals worldwide. Mr. Aquilina is a member of Working Group 1 of the Sedona Conference, the International Association of Privacy Professionals, the Southern California Honeynet Project, the Los Angeles Criminal Justice Inn of Court, and the Los Angeles County Bar Association. He also serves on the Board of Directors of the Constitutional Rights Foundation, a non-profit educational organization dedicated to providing young people with access to and understanding of law and the legal process.
Mr. Aquilina is co-author of Malware Forensics: Investigating and Analyzing Malicious Code.
About the Technical Editor
Curtis W. Rose is the President and founder of Curtis W. Rose & Associates LLC, a specialized services company in Columbia, Maryland, which provides computer forensics, expert testimony, litigation support, and computer intrusion response and training to commercial and government clients. Mr. Rose is an industry-recognized expert with over 20 years of experience in investigations, computer forensics, and technical and information security.
Mr. Rose was a co-author of Real Digital Forensics: Computer Security and Incident Response, and was a contributing author or technical editor for many popular information security books including Handbook of Digital Forensics and Investigation; Malware Forensics: Investigating and Analyzing Malicious Code; SQL Server Forensic Analysis; Anti-Hacker Toolkit, 1st Edition; Network Security: The Complete Reference; and Incident Response and Computer Forensics, 2nd Edition. He has also published whitepapers on advanced forensic methods and techniques including “Windows Live Response Volatile Data Collection: Non-Disruptive User and System Memory Forensic Acquisition” and “Forensic Data Acquisition and Processing Utilizing the Linux Operating System.”
Introduction to Malware Forensics
Since the publication of Malware Forensics: Investigating and Analyzing Malicious Code in 2008,1 the number and complexity of programs developed for malicious and illegal purposes has grown substantially. The 2011 Symantec Internet Security Threat Report announced that over 286 million new threats emerged in the past year.2 Other anti-virus vendors, including F-Secure, forecast an increase in attacks against mobile devices and SCADA systems in 2011.3
In the past, malicious code has been categorized neatly (e.g., viruses, worms, or Trojan horses) based upon functionality and attack vector. Today, malware is often modular and multifaceted, more of a “blended threat,” with diverse functionality and means of propagation. Much of this malware has been developed to support increasingly organized, professional computer criminals. Indeed, criminals are making extensive use of malware to control computers and steal personal, confidential, or otherwise proprietary information for profit. In Operation Trident Breach,4 hundreds of individuals were arrested for their involvement in digital theft using malware such as ZeuS. A thriving gray market ensures that today’s malware is professionally developed to avoid detection by current anti-virus programs, thereby remaining valuable and available to any cyber-savvy criminal group.
Of growing concern is the development of malware to disrupt power plants and other critical infrastructure through computers, referred to by some as cyber warfare. The Stuxnet malware that emerged in 2010 is a powerful demonstration of the potential for such attacks.5 Stuxnet was a sophisticated program that enabled the attackers to alter the operation of industrial systems, like those in a nuclear reactor, by accessing programmable logic controllers connected to the target computers. This type of attack could shut down a power plant or other components of a society’s critical infrastructure, potentially causing significant harm to people in a targeted region.
Foreign governments are funding teams of highly skilled hackers to develop customized malware to support industrial and military espionage.6 The intrusion into Google’s systems demonstrates the advanced and persistent capabilities of such attackers.7 These types of well-organized attacks, known as the “Advanced Persistent Threat (APT),” are designed to maintain long-term access to an organization’s network in order to steal information and gather intelligence, and are most commonly associated with espionage. The increasing use of malware to commit espionage and crimes and launch cyber attacks is compelling more digital investigators to make use of malware analysis techniques and tools that were previously the domain of anti-virus vendors and security researchers.
This Field Guide was developed to provide practitioners with the core knowledge, skills, and tools needed to combat this growing onslaught against computer systems.
How to Use this Book
This book is intended to be used as a tactical reference while in the field. This Field Guide is designed to help digital investigators identify malware on a computer system, examine malware to uncover its functionality and purpose, and determine malware’s impact on a subject system. To further advance malware analysis as a forensic discipline, specific methodologies are provided and legal considerations are discussed so that digital investigators can perform this work in a reliable, repeatable, defensible, and thoroughly documented manner.
Unlike Malware Forensics: Investigating and Analyzing Malicious Code, which uses practical case scenarios throughout the text to demonstrate techniques and associated tools, this Field Guide strives to be both tactical and practical, structured in a succinct outline format for use in the field, but with cross-references signaled by distinct graphical icons to supplemental components and online resources for the field and lab alike.
Supplemental Components
The supplementary components used in this Field Guide include:
• Field Interview Questions: An organized and detailed interview question and answer form that can be used while responding to a malicious code incident.
• Field Notes: A structured and detailed note-taking solution, serving as both guidance and a reminder checklist while responding in the field or in the lab.
• Pitfalls to Avoid: A succinct list of commonly encountered mistakes and discussion of how to avoid these mistakes.
• Tool Box: A resource for the digital investigator to learn about additional tools that are relevant to the subject matter discussed in the corresponding substantive chapter section. The Tool Box icon (a wrench and hammer) is used to notify the reader that additional tool information is available in the Tool Box appendix at the end of each chapter, and on the book’s companion Web site, www.malwarefieldguide.com.
• Selected Readings: A list of relevant supplemental reading materials relating to topics covered in the chapter.
Investigative Approach
When malware is discovered on a system, the importance of organized methodology, sound analysis, steady documentation, and attention to evidence dynamics all outweigh the severity of any time pressure to investigate.
Organized Methodology
The Field Guide’s overall methodology for dealing with malware incidents breaks the investigation into five phases:
Phase 1: Forensic preservation and examination of volatile data (Chapter 1)
Phase 2: Examination of memory (Chapter 2)
Phase 3: Forensic analysis: examination of hard drives (Chapter 3)
Phase 4: File profiling of an unknown file (Chapter 5)
Phase 5: Dynamic and static analysis of a malware specimen (Chapter 6)
Within each of these phases, formalized methodologies and goals are emphasized to help digital investigators reconstruct a vivid picture of events surrounding a malware infection and gain a detailed understanding of the malware itself. The methodologies outlined in this book are not intended as a checklist to be followed blindly; digital investigators always must apply critical thinking to what they are observing and adjust accordingly.
Whenever feasible, investigations involving malware should extend beyond a single compromised computer, as malicious code is often placed on the computer via the network, and most modern malware has network-related functionality. Discovering other sources of evidence, such as servers the malware contacts to download components or instructions, can provide useful information about how malware got on the computer and what it did once installed.
In addition to systems containing artifacts of compromise, other network and data sources may prove valuable to your investigation. Comparing available backup tapes of the compromised system to the current state of the system, for example, may uncover additional behavioral attributes of the malware, tools the attacker left behind, or recoverable files containing exfiltrated data. Also consider checking centralized logs from anti-virus agents, reports from system integrity checking tools like Tripwire, and network level logs.
Network forensics can play a key role in malware incidents, but this extensive topic is beyond the scope of our Field Guide. One of the authors’ earlier works8 covers tools and techniques for collecting and utilizing various sources of evidence on a network that can be useful when investigating a malware incident, including Intrusion Detection Systems, NetFlow logs, and network traffic. These logs can show use of specific exploits, malware connecting to external IP addresses, and the names of files being stolen. Although potentially not available prior to discovery of a problem, logs from network resources implemented during the investigation may capture meaningful evidence of ongoing activities.
Remember that well-interviewed network administrators, system owners, and computer users often help develop the best picture of what actually occurred.
Finally, as digital investigators are more frequently asked to conduct malware analysis for investigative purposes that may lead to the victim’s pursuit of a civil or criminal remedy, ensuring the reliability and validity of findings means compliance with an often complicated legal and regulatory landscape. Chapter 4, although no substitute for obtaining counsel and sound legal advice, explores some of these concerns and discusses certain legal requirements or limitations that may govern the preservation, collection, movement, and analysis of data and digital artifacts uncovered during malware forensic investigations.
Forensic Soundness
The act of collecting data from a live system may cause changes that a digital investigator will need to justify, given its impact on other digital evidence.
• For instance, running tools like Helix3 Pro9 from a removable media device will alter volatile data when loaded into main memory and create or modify files and Registry entries on the evidentiary system.
• Similarly, using remote forensic tools necessarily establishes a network connection, executes instructions in memory, and makes other alterations on the evidentiary system.
Purists argue that forensic acquisitions should not alter the original evidence source in any way. However, traditional forensic disciplines like DNA analysis suggest that the measure of forensic soundness does not require that an original be left unaltered. When samples of biological material are collected, the process generally scrapes or smears the original evidence. Forensic analysis of the evidentiary sample further alters the original evidence, as DNA tests are destructive. Despite changes that occur during both preservation and processing, these methods are nonetheless considered forensically sound and the evidence is regularly admitted in legal proceedings.
Some courts consider volatile computer data discoverable, thereby requiring digital investigators to preserve data on live systems. For example, in Columbia Pictures Industries v. Bunnell,10 the court held that RAM on a Web server could contain relevant log data and was therefore within the scope of discoverable information in the case.
Documentation
One of the keys to forensic soundness is documentation.
• A solid case is built on supporting documentation that reports on where the evidence originated and how it was handled.
• From a forensic standpoint, the acquisition process should change the original evidence as little as possible, and any changes should be documented and assessed in the context of the final analytical results.
• Provided that both the acquisition process preserves a complete and accurate representation of the original data, and the authenticity and integrity of that representation can be validated, the acquisition is generally considered forensically sound.
Documenting the steps taken during an investigation, as well as the results, will enable others to evaluate or repeat the analysis.
• Keep in mind that contemporaneous notes are often referred to years later to help digital investigators recall what occurred, what work was conducted, and who was interviewed, among other things.
• Common forms of documentation include screenshots, captured network traffic, output from analysis tools, and notes.
• When preserving volatile data, document the date and time that data was preserved and which tools were used, and calculate the MD5 of all output.
• Whenever dealing with computers, it is critical to note the date and time of the computer, and compare it with a reliable time source to assess the accuracy of date-time stamp information associated with the acquired data.
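The documentation bullets above amount to a small procedure: record when and with which tool volatile data was preserved, hash every output file, and compare the subject computer's clock with a reliable time source. The following script is an added example (not code from the book or its authors) that builds such a preservation record and later re-verifies it; the tool names, examiner label, sample output lines, and clock values are all constructed for the demonstration.

```python
"""Preservation record for a volatile-data collection (added example, not from
the book): hash every output file, record when and with which tool it was
captured, and assess the subject computer's clock against a reliable reference
so that date-time stamps in the acquired data can be interpreted correctly."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

CHUNK = 1 << 20  # hash in 1 MiB blocks so a large memory dump need not fit in RAM


def file_digests(path):
    """MD5 and SHA-256 of one output file, plus its size in bytes."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"file": os.path.basename(path), "size": os.path.getsize(path),
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def clock_skew_seconds(subject_clock, reference_clock):
    """Offset of the subject computer's clock from a reliable time source.
    Positive means the subject clock runs fast; both values must be tz-aware."""
    return (subject_clock - reference_clock).total_seconds()


def to_reference_time(subject_timestamp, skew_seconds):
    """Convert a timestamp read from the subject system into reference time."""
    return subject_timestamp - timedelta(seconds=skew_seconds)


def preservation_record(tool, tool_version, examiner, output_paths,
                        subject_clock, reference_clock):
    """Contemporaneous record for one collection: who, when, which tool, hashes."""
    skew = clock_skew_seconds(subject_clock, reference_clock)
    return {
        "preserved_at_utc": reference_clock.astimezone(timezone.utc).isoformat(),
        "tool": tool, "tool_version": tool_version, "examiner": examiner,
        "subject_clock": subject_clock.isoformat(),
        "reference_clock": reference_clock.isoformat(),
        "clock_skew_seconds": skew,
        # Sanity check: the subject clock corrected by the skew is reference time.
        "subject_clock_corrected": to_reference_time(subject_clock, skew).isoformat(),
        "outputs": [file_digests(p) for p in output_paths],
    }


def verify_record(record, base_dir):
    """Re-hash the outputs later and report whether every MD5 still matches."""
    for entry in record["outputs"]:
        current = file_digests(os.path.join(base_dir, entry["file"]))
        if current["md5"] != entry["md5"]:
            return False
    return True


# Constructed sample tool output (not real evidence) so the example runs offline.
SAMPLE_OUTPUTS = {
    "netstat-an.txt": b"  TCP    192.0.2.10:49152   198.51.100.7:443   ESTABLISHED\r\n",
    "tasklist.txt": b"svchost.exe   1234 Services   0   5,120 K\r\n",
}


def demo(base_dir=None):
    """Write the constructed outputs, build the record, return (record, dir)."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="preserve-")
    paths = []
    for name, data in SAMPLE_OUTPUTS.items():
        path = os.path.join(base_dir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    # Constructed clocks: the subject machine reads 14:02:30 while an NTP-synced
    # reference reads 14:00:00, so the subject clock is 150 seconds fast.
    subject = datetime(2012, 3, 1, 14, 2, 30, tzinfo=timezone.utc)
    reference = datetime(2012, 3, 1, 14, 0, 0, tzinfo=timezone.utc)
    record = preservation_record("netstat/tasklist (built-in)", "n/a",
                                 "examiner-1", paths, subject, reference)
    return record, base_dir


if __name__ == "__main__":
    rec, out_dir = demo()
    print(json.dumps(rec, indent=2))
    print("integrity verified:", verify_record(rec, out_dir))
```

The record's clock_skew_seconds is what you apply to every date-time stamp taken from the subject system before correlating it with logs from other sources.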
Evidence Dynamics
Unfortunately, digital investigators rarely are presented with the perfect digital crime scene. Many times the malware or attacker purposefully has destroyed evidence by deleting logs, overwriting files, or encrypting incriminating data. Often the digital investigator is called to an incident only after the victim has taken initial steps to remediate—and in the process, has either destroyed critical evidence, or worse, compounded the damage to the system by invoking additional hostile programs. This phenomenon is not unique to digital forensics. Violent crime investigators regularly find that offenders attempted to destroy evidence or EMT first responders disturbed the crime scene while attempting to resuscitate the victim. These types of situations are sufficiently common to have earned a name—evidence dynamics.
Evidence dynamics is any influence that changes, relocates, obscures, or obliterates evidence—regardless of intent—between the time evidence is transferred and the time the case is adjudicated.11
• Evidence dynamics is a particular concern in malware incidents because there is often critical evidence in memory that will be lost if not preserved quickly and properly.
• Digital investigators must live with the reality that they will rarely have an opportunity to examine a digital crime scene in its original state and should therefore expect some anomalies.
• Evidence dynamics creates investigative and legal challenges, making it more difficult to determine what occurred, and making it more difficult to prove that the evidence is authentic and reliable.
• Any conclusions the digital investigator reaches without knowledge of how evidence was changed may be incorrect, open to criticism in court, or misdirect the investigation.