SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

3 Phases of Malware Analysis: Behavioral, Code, and Memory Forensics

When discussing malware analysis, I've always referred to 2 main phases of the process: behavioral analysis and code analysis. It's time to add a third major component: memory analysis.

Here's a brief outline of each phase:

  • Behavioral analysis examines the malware specimen's interactions with its environment: the file system, the registry (if on Windows), the network, as well as other processes and OS components. As the malware investigator notices interesting behavioral characteristics, he modifies the laboratory environment to evoke newcharacteristics. To perform this work, theinvestigatortypically infects the isolated system while having the necessary monitoring tools observe the specimen's execution. Some of the free tools that can help in this analysis phase are Process Monitor,

Affidavit as Support for an Investigation

An affidavit can be a vital tool in any type of investigation, whether the investigation be forensic, internal, criminal, regulatory, incident response or otherwise. As an investigator gathers facts, he will often interview witnesses, and obviously the investigator is wise to make records of the interviews (written notes or even audio/video records). But sometimes it is prudent to take an additional step in securing what a witness has to say.

I recently advised an investigation where numerous witnesses had much to say. But as I assessed all that was being said, a particular statement of one certain witness stood out as crucial to the outcome of the case. I recommended that witness record her statement in an affidavit.

An affidavit is a formal, written document that memorializes a declaration of facts by a witness. The preparation and execution of an affidavit can help to lock down a complete and careful statement of what the witness has to say. An affidavit

... Continue reading Affidavit as Support for an Investigation


Digital Forensics Case Leads: Passwords and Voting lead the news

This week we have a man getting jailed for refusing to give up his password. Internet voting in Washington D.C. was hijacked 36 hours into testing. The new Android phone reverts back to factory settings to thwart being jailbroken. Jesse Kornblum and woanware have released updated software and quite a few good blog reads. Check out the upcoming events and if you know of anything interesting happening send us an email at caseleads@sans.org. We are always looking for new things to post.

Tools:

  • Jesse Kornblum has released a new version of ssdeep, which does fuzzy hashing. Jesse has changed the output format of the tool to better handle creating CSV files and file names with quotation marks in the name. You can find out more here.
  • Woanware has release an update to his EseDbViewer. You can see the changes

Images and dm-crypt and LVM2... Oh my!

Hal Pomeranz, Deer Run Associates

Disk layouts using the Linux Logical Volume Manager (LVM2) are increasingly becoming the norm for new Linux installs. And very often the physical volume used by LVM2 has been encrypted via dm-crypt. A recent email from a Sec508 student asking for a procedure for mounting these images prompted me to codify this information into a blog posting.

Investigating the Image

When initially presented with the image, you may not know whether LVM2 or dm-crypt has been employed. So let's start from scratch:

# md5sum sda.dd
f4c7a8d54b9b0b0b73ec03ef4cf52f42 sda.dd
# mmls -t dos sda.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description
00: Meta

...


How To - Digital Forensic Imaging In VMware ESXi

Paul A. Henry Forensics and Recovery.com Follow me on Twitter

As a follow up to my recent SANS Forensic Blog post "How To - Digital Forensics Copying A VMware VMDK" that provided insight in to making a "GUI tool" based copy of a VMware VMDK, I have put together a How To that addresses creating a forensically sound image of a VMware VMDK on the ESXi console, that is able to provide the "chain of custody" needed in a digital forensics investigation.

Important note: In the simplest of terms a VMDK is an abstraction of a physical disk for a VM contained within a file (VMDK-flat). We are making a bit by bit

...