Malware forensic: An overview

If a simple action such as clicking a link or opening an email can have disastrous consequences, then malware and malware forensics cannot be overlooked.

In my last post, I explained malware, how it works, antimalware and antimalware tools. Check it out here for more understanding.

What is Malware Forensics?

Malware is the collective name for malicious software intended to cause harm to computers, networks, servers, devices and possibly their end users. Forensics refers to the scientific techniques used to investigate a crime. With these as background, we can say that malware forensics is the use of scientific techniques to investigate and analyse an attack and, where possible, to determine who carried it out, why, and how.

Malware has become a major threat to businesses and individuals alike. Everyone is at risk of having their devices compromised and their data exposed, corrupted or, worse still, deleted. This reinforces the need for malware forensics, so that what is learned from one attack helps ensure it does not happen again.

When investigating a malware-related incident, forensic analysts usually take a sample of the malware and examine it to better understand the intent and purpose of the attack.

While carrying out such an investigation, the forensic analysts usually seek to answer questions such as:

1) What activities can the malware carry out on the system?

2) How does it spread?

3) How does it communicate with the attacker?

Most of these questions are answered by examining the malware while it is contained in a safe, isolated environment that cannot reach production systems.

History of Malware Forensics

Malware forensics grew in popularity as the rate of cybercrime rose. The cybercrime community had a long record of data destruction to its name, much of it never officially recorded. Since most of these cybercrime activities are carried out with malware, be it a trojan horse, ransomware, a worm, a keylogger, etc., the only way forward for companies and individuals is to deal with such incidents quickly and prevent further attacks from occurring.

How does Malware Forensics work?

Malware forensics, also known as malware analysis, is the practice of determining the function, the source and the likely impact of a piece of malware such as a virus, worm, Trojan horse, rootkit or backdoor. As cybercrime perpetrators increase the complexity of their malicious code, malware analysis becomes a necessity in digital forensics, and so does the continued development of malware analysis tools and techniques.

Malware analysis involves two fundamental techniques: 

1) Static Analysis: Static analysis investigates an executable file without executing its instructions. It can confirm whether a file is malicious, provide information about its function and sometimes yield enough clues for a rough guess about its origin. It is basic and quick, but it is largely ineffective against sophisticated malware, because it can miss significant behaviours that only show up when the code actually runs.

2) Dynamic Analysis: Unlike static analysis, dynamic analysis executes the malware in order to observe its activity, understand its function and identify technical behaviours that can help reveal its origin. Dynamic analysis can reveal domain names, IP addresses, file paths, registry keys and the locations of additional dropped files, and it can identify and classify how the malware communicates with the attacker's external servers.
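As an added illustration of the static side (not code from the original post), the following Python routine parses a PE file's COFF header and section table and extracts printable strings without executing anything. It runs against a minimal PE image constructed in memory; the URL and file name inside it are hypothetical placeholders so the string extractor has something to find.

```python
import hashlib
import re
import struct

# Constructed sample: a minimal PE image assembled in memory so the triage code
# can run offline. It is not real malware and is not runnable as a program.
C2_URL = b"http://c2.example.invalid/beacon"   # hypothetical; .invalid is a reserved TLD

def build_sample_pe() -> bytes:
    dos = bytearray(64)                          # IMAGE_DOS_HEADER
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: NT headers follow the DOS header
    opt_size = 0xE0                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x5F000000, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)   # PE32 magic, rest zeroed
    body = bytes(16) + C2_URL + b"\0" + b"cmd.exe\0" + b"\x90" * 16
    raw_ptr = 64 + 4 + 20 + opt_size + 40        # first byte after the one-entry section table
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(body), 0x1000, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + opt + sect + body

def static_triage(data: bytes, min_len: int = 6) -> dict:
    """Static triage: hash, COFF header, section table and printable strings, with no execution."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sec_off = pe_off + 24 + opt_size             # signature (4) + COFF header (20) + optional header
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "raw_size": raw_size, "raw_ptr": raw_ptr,
            # raw data running past end of file: a damaged, truncated or deliberately odd header
            "truncated": raw_ptr + raw_size > len(data),
        })
    # printable ASCII runs: a classic static indicator source (URLs, paths, command names)
    strings = [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": hex(machine), "timestamp": stamp, "characteristics": hex(chars),
        "sections": sections, "strings": strings,
        "urls": [s for s in strings if re.match(r"https?://", s)],
    }

if __name__ == "__main__":
    for key, value in static_triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

The output is a list of indicators to follow up on (hash for lookup, section anomalies, embedded URLs and names), not a verdict; a packed or obfuscated sample will hide most of its strings, which is exactly the gap dynamic analysis fills.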

Malware Forensics Tools:

There are a number of tools that help security analysts reverse engineer malware samples, and many of them are free and open source.

  1. PeStudio
  2. Process Hacker
  3. Process Monitor (ProcMon)
  4. ProcDot
  5. FTKImager
  6. Autopsy
  7. Autoruns
  8. Fiddler
  9. Wireshark
  10. x64dbg
  11. Ghidra
  12. Radare2/Cutter
  13. Cuckoo Sandbox
