« Previous 1 2

Malware Analysis

Forensic Analysis with Redline and Volatility

Conclusion

After taking a class for GCFA certification [9] and learning how to use the tools described in this article, I started analyzing the malware found by the firewall on our network, along with a known malware variant from Palo Alto Networks. This example was a challenge to analyze because the investigation threw no obvious red flags, demonstrating how you need to dig deep to find threats to your systems. What I learned:

1. The memory image taken before infection showed communication with the Windows box and the forensic workstation, but no other connections.

2. The memory image taken after the infection showed communication with 10.10.3.180 (two instances), which is an internal IP address that does not exist on my test network.

3. The PIDs related to IP address 10.10.3.180 were 1792, a dead process, and 132, svchost.exe, which was a child of wscript.exe and had a parent process of PID 1648 (explorer.exe).

4. svchost.exe (PID 132) is a generic host process for Windows services and is used to run service DLLs; it should always be a child of services.exe. Because it showed up as a child process of wscript.exe, it was a clear indication of wrongdoing (Figure 12).

Infos

  1. "Acquiring a Memory Image" by David J. Dodd, ADMIN , Issue 20, pg. 8, http://www.admin-magazine.com/Archive/2014/20/Acquiring-a-Memory-Image/(language)/eng-US
  2. F-Response: https://www.f-response.com/software/tac
  3. Volatility: http://code.google.com/p/volatility/wiki/VolatilityIntroduction?tm=6
  4. Redline: https://www.mandiant.com/resources/download/redline
  5. PA-5000 series: https://www.paloaltonetworks.com/products/platforms/firewalls/pa-5000/features.html
  6. WildFire: https://www.paloaltonetworks.com/products/technologies/wildfire.html
  7. VirusTotal: https://www.virustotal.com/
  8. SANS DFIR: https://digital-forensics3.sans.org/media/dfir_poster_2014.pdf
  9. GCFA certification: http://www.giac.org/certification/certified-forensic-analyst-gcfa

« Previous 1 2

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Lead Image © lightwise, 123RF.com
    Acquiring a Memory Image
    Be ready before disaster strikes. In this article we describe some tools you should have on hand to obtain a memory image of an infected system.
    more »
  • Forensic Analysis on Linux

    In computer forensics, memory analysis is becoming increasingly important as a means for investigating security incidents. In this article, we provide an overview of the various memory dumping options on Linux and introduce the support in Linux for the Volatility Analysis Framework.

    more »
  • Lead Image © Bruce Rolff, 123RF.com
    Forensic main memory analysis with Volatility
    When you examine the memory of a computer after a break-in, take advantage of active support from the Volatility framework to analyze important memory structures and read the volatile traces of an attack.
    more »
  • PowerShell add-on security modules
    Numerous PowerShell add-on modules provide security and attack functions for penetration tests and forensic analyses, to help admins search for vulnerabilities in their networks.
    more »
  • Lead Image © Tom Baker, 123RF.com
    The Cuckoo sandboxing malware analysis tool
    The open source Cuckoo Sandbox malware analysis system investigates malicious software.
    more »
comments powered by Disqus