Malware analysis and forensic analysis of images flowchart and tools

Page 1: Malware analysis and forensic analysis of images flowchart and tools

Forensic Analysis and Malware Analysis Workstation Tool Breakdown

NEEDED: VM Machine with SANS SIFT and Remnux Tool Set installed.

For analyzing malicious URLs, suspect Office documents or PDFs, executables, or disk images, the SANS SIFT Workstation with REMnux tools will be used.

This is a virtual machine installed with a suite of tools needed to analyze these items. Although there are hundreds of tools, not all of them are necessary for high-level malware or forensic analysis.

Below are the groupings of the tools for their specific purpose, as well as 2 flow charts indicating in what order and what output is to be expected from each tool.

Also, there are 3 .dd images, a suspicious Office document, a malicious PDF, and a Trojan executable installed on the SANS SIFT workstation in order to practice the skills and utilization of the tools.

Malware Analysis and Forensic Analysis of Images Tool List

Manta Ray – Image Analysis and Deleted File Recovery
Autopsy – Forensic Image Analysis and File Recovery
Kibana – Log Timeline Analysis
Bokken – URL and File Testing
UPX – For unpacking malware
Pyew – File and PDF Analysis for Malware
PEScan – Windows Executable Analysis
Procdot – Dynamic malware analysis; requires Sysinternals procmon, Wireshark is optional
Thug – URL collection and analysis
Burp Suite – URL Analysis and Collection
Olevba.py – Embedded macros in Office documents
BE Viewer – Gathers information off of forensic images
Strings – Pulls cleartext from files
GHEX – For viewing the raw hexadecimal view of files and images
Scalpel – For pulling data off of images via the command line or parsing damaged images

- Forensics
  o Mantaray – recovers deleted files, creates timelines
  o Autopsy – analysis of forensic images
  o BEViewer / Bulk_extractor – pulls email addresses, phone numbers, URLs
  o Scalpel – for analyzing images or damaged files not viewable in Autopsy or Mantaray
  o Log2Timeline/Plaso – part of Mantaray
  o GHEX

- Malware analysis
  o Suspicious URL
    - Thug – usage: thug.py www.yahoo.com -FZM … output to var/log/thug
    - Burp Suite
    - JSDetox
  o Static
    - Bokken – GUI interface that can analyze the following: websites, executables, PDF files
    - PEScan – scans executables and provides information
    - PEFrame
    - Pyew – commands:
      o pyew.imports – more details on malware
      o urls – will show URLs inside a piece of malware
      o packer – will show if the malware is "packed"
      o threat – sends the MD5 hash to VirusTotal
      o pdfview – only for using pyew to analyze PDF files
    - UPX
    - Ghex
  o Document Analysis
    - Olevba.py – for Office document macros
    - JSDetox – for obfuscated JavaScript
    - PDFxtract – for PDF
    - Peepdf -i – PDF document analysis
    - Pyew – PDF and Windows executable analysis
    - Swfdump – to pull .swf files out of PDF files
  o Dynamic – need a VM to infect
    - Need to tailor the VM so that the malware does not detect it as an analysis VM

Static Analysis of Suspicious URLs and Malware Flowchart

Is this an executable, URL, Office doc, or PDF?

- URL
  o Use thug.py -FZM www.xxxxxx.com to pull the website and analyze
- Executable
  o Use PEFrame and Pyew to analyze. Is it packed?
  o If packed, unpack using UPX or another tool
  o Use "strings" to find cleartext
  o Use XORSearch or NoMoreXOR to find hidden strings
- Office Document
  o Use olevba.py to find suspicious macros
- PDF
  o Use "pyew" to analyze
  o Use the "pdfview" option to view any suspicious JavaScript
  o May need to use JS-Detox to de-obfuscate the JavaScript
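The executable branch of this flowchart, as an added Python example that is not part of the original document: it routes a file by its magic bytes, applies a UPX-marker and entropy heuristic to the "Is it packed?" decision, pulls cleartext the way strings does, and brute-forces single-byte XOR keys the way XORSearch does. The sample buffer is constructed inline and is not a real executable.

```python
import re
from collections import Counter
from math import log2

# Constructed sample "file" (not a real executable): an MZ header, a cleartext URL,
# then the DOS-stub sentence hidden under single-byte XOR with key 0x5A.
KEY = 0x5A
HIDDEN = b"This program cannot be run in DOS mode"
SAMPLE = (b"MZ" + b"\x00" * 30 + b"http://example.invalid/payload" + b"\x00" * 8
          + bytes(c ^ KEY for c in HIDDEN) + b"\x00" * 16)

def classify(data: bytes) -> str:
    """First decision of the flowchart: which branch does the file belong to?"""
    if data.startswith(b"MZ"):
        return "executable"
    if data.startswith(b"%PDF"):
        return "pdf"
    # Legacy OLE2 container or OOXML zip; a zip could also be another format.
    if data.startswith(b"\xd0\xcf\x11\xe0") or data.startswith(b"PK\x03\x04"):
        return "office"
    return "unknown"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values()) if n else 0.0

def packed_indicators(data: bytes) -> dict:
    """The 'Is it packed?' decision: UPX leaves UPX0/UPX1 section names and a UPX!
    tag; anything else is judged by overall entropy (7.0 is a rule-of-thumb threshold)."""
    return {"upx_markers": b"UPX0" in data or b"UPX!" in data,
            "high_entropy": entropy(data) > 7.0}

def strings(data: bytes, min_len: int = 6) -> list:
    """Same idea as the strings tool: runs of printable ASCII of min_len or more."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def xor_search(data: bytes, needle: bytes) -> list:
    """Try every single-byte XOR key, as XORSearch does, and report (key, offset)
    for each key under which the needle appears in the data."""
    hits = []
    for key in range(256):
        pos = data.find(bytes(c ^ key for c in needle))
        if pos != -1:
            hits.append((key, pos))
    return hits

if __name__ == "__main__":
    print(classify(SAMPLE), packed_indicators(SAMPLE))
    print(strings(SAMPLE))
    print(xor_search(SAMPLE, b"DOS mode"))
```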


Forensic Analysis of Workstation Image

- Obtain disk image via external media (DVD or external USB)
- Determine format
- Determine partition for analysis (mmls command)
  o FTK – image type from Forensic Toolkit Imager
  o DD
    - Autopsy – GUI interface, retrieves deleted files
    - GHEX – raw look at files and disk images
    - Scalpel – command line, for damaged or unmountable images
    - Mantaray – GUI interface
      o Supertimeline – pulls all logs and creates a timeline of activity
      o Foremost – recovers deleted files and separates them into folders
      o Bulk_Extractor – BEViewer extracts emails, URLs, telephone numbers, etc. from images
    - For mounting a .dd image, right-click and choose Drive Mounter
  o VMDK – virtual machine image
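The "determine partition for analysis" step of this flowchart, as an added Python example that is not part of the original document: it parses mmls output to compute each allocated partition's byte offset, then builds the read-only loop-mount command and the Sleuth Kit fls command for that partition. The mmls output is a constructed sample, and the image and mount-point names are placeholders.

```python
import re

# Constructed mmls output for a small two-partition disk image (sample data,
# not taken from the practice images on the SIFT workstation).
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0000409599   0000202752   Linux (0x83)
"""

# One table row: index, slot, start sector, end sector, length, description.
ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

def parse_mmls(text: str) -> list:
    """Return the mountable partitions with start/end sectors and byte offsets.
    Meta entries (the partition table itself) and unallocated gaps are dropped."""
    m = re.search(r"Units are in (\d+)-byte sectors", text)
    sector = int(m.group(1)) if m else 512
    parts = []
    for line in text.splitlines():
        r = ROW.match(line)
        if not r:
            continue
        idx, slot, start, end, length, desc = r.groups()
        if slot == "Meta" or desc == "Unallocated":
            continue
        parts.append({"index": int(idx), "slot": slot, "start": int(start),
                      "end": int(end), "length": int(length), "desc": desc,
                      "sector_size": sector, "offset": int(start) * sector})
    return parts

def mount_command(part: dict, image: str, mountpoint: str) -> str:
    """Read-only loop mount at the partition's byte offset, so the evidence is not altered."""
    return f"mount -o ro,loop,noexec,offset={part['offset']} {image} {mountpoint}"

def fls_command(part: dict, image: str) -> str:
    """Sleuth Kit tools take the offset in sectors via -o; -r -d lists deleted entries recursively."""
    return f"fls -o {part['start']} -r -d {image}"

if __name__ == "__main__":
    for p in parse_mmls(MMLS_OUTPUT):
        print(p["desc"], "->", mount_command(p, "disk.dd", f"/mnt/p{p['index']}"))
        print(fls_command(p, "disk.dd"))
```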