By Nick Harbour
The practice of Reverse Engineering of computer programs has grown out of its obscure and nefarious origins and entered the realm of Computer Forensics.
On an increasing basis Computer Forensic Examiners are encountering critical evidence of sophisticated cyber crimes contained within the executable program files used to commit the crimes. Evidence contained within the program files may help reveal the identity of the perpetrator, their level of sophistication, the usage and behavior of the program as well as when it may have been created or used. Forensic Analysis of a program file may be achieved using the techniques of a discipline of Reverse Engineering known as Malware Analysis.
The techniques of Malware Analysis focus on discovering the functionality of unknown malicious programs. In an increasing number of computer crimes, custom-written malicious programs (called Malware) are used by the perpetrators to carry out or conceal their treacherous schemes. In these cases, Malware Analysis is likely to be the only method available to discover the precise methods used in the crime. Malware Analysis is divided into two categories: static and dynamic analysis.
Dynamic Analysis
Dynamic Malware Analysis involves running the malicious program in a controlled environment. By using a variety of computer system monitoring tools, an analyst is able to observe the program's behavior at every layer of abstraction. The layers of abstraction range from the high level, which includes the information that may be presented to the user on the screen, to the low level, which deals with how data is processed and stored by the computer hardware.
Prior to performing Dynamic Malware Analysis it is important to create a controlled virtual lab environment for your malware. Virtualization software allows an analyst to run and interact with the malware in a virtual computer and virtual network which does not affect their underlying host computer. The virtual computer network can be loaded with software to observe file activity and internal operating system activity, as well as to capture and decode network traffic.
Once a proper environment is established to run malware, Dynamic Analysis can be a very time efficient approach to discovering evidence about a malicious program. For example, if a perpetrator had installed a program to capture keyboard input to file and upload it to a specific server, both the creation and writing of the capture file as well as the attempted network transfer could be instantly observed through Dynamic Malware Analysis. The information about the specific server it was configured to upload to would be both an evidentiary item as well as an investigative lead.
In this example, the malicious program automatically connected to a specific server without the user needing to specify a location. This is called “Hard Coding” the configuration and is very common among malicious software. These Hard Coded configuration items and behaviors are the primary source of evidence we attempt to collect from malicious programs.
Information collected during the Dynamic Malware Analysis process can also be critical to individuals and organizations interested in the mitigation and remediation of the crime being committed. For instance, if our previously mentioned keyboard capturing program happened to create a unique pattern of data on the network then its usage can be effectively detected and eliminated based on searching for that unique pattern of data.
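To make the observation and detection steps described above concrete, the following added example (not from the article) turns a constructed set of sandbox monitor events from the keylogger scenario into the evidentiary items (capture file, hard-coded server) and the constant upload pattern a network sensor could match. The event format, process ids, paths, addresses and payload bytes are all assumed.

```python
from collections import defaultdict

# Constructed sandbox monitor output (assumed format, not a real tool's): TYPE key=value ...
# pid 1204 is the keylogger from the text; pid 880 is unrelated background activity.
SANDBOX_LOG = r"""
FILE_CREATE pid=1204 path=C:\Users\victim\AppData\Local\Temp\kb.dat
FILE_WRITE  pid=1204 path=C:\Users\victim\AppData\Local\Temp\kb.dat bytes=112
NET_CONNECT pid=1204 dst=203.0.113.7:8080
NET_SEND    pid=1204 dst=203.0.113.7:8080 payload=4b424c4f4701000070617373
FILE_WRITE  pid=1204 path=C:\Users\victim\AppData\Local\Temp\kb.dat bytes=57
NET_SEND    pid=1204 dst=203.0.113.7:8080 payload=4b424c4f4702000061646d69
NET_CONNECT pid=880  dst=198.51.100.20:443
"""

def parse_events(log):
    """Parse each line into a dict such as {'type': 'NET_SEND', 'pid': '1204', 'dst': ...}."""
    events = []
    for line in log.strip().splitlines():
        kind, *fields = line.split()
        events.append({"type": kind, **dict(f.partition("=")[::2] for f in fields)})
    return events

def evidence_for(events, pid):
    """Evidentiary items for one process: files it wrote and servers it contacted
    with no operator input during the run (candidate hard-coded configuration)."""
    mine = [e for e in events if e["pid"] == str(pid)]
    return {"capture_files": sorted({e["path"] for e in mine if e["type"].startswith("FILE_")}),
            "hard_coded_servers": sorted({e["dst"] for e in mine if e["type"] == "NET_CONNECT"})}

def _common_prefix(blobs):
    n = 0
    for column in zip(*blobs):        # compare the n-th byte of every payload
        if len(set(column)) != 1:
            break
        n += 1
    return blobs[0][:n]

def detection_pattern(events, pid, min_len=4):
    """Per server, the byte prefix every upload from the process shared: the 'unique
    pattern of data' a sensor can match. Needs two or more uploads and min_len bytes."""
    uploads = defaultdict(list)
    for e in events:
        if e["pid"] == str(pid) and e["type"] == "NET_SEND":
            uploads[e["dst"]].append(bytes.fromhex(e["payload"]))
    patterns = {}
    for dst, payloads in uploads.items():
        prefix = _common_prefix(payloads) if len(payloads) >= 2 else b""
        if len(prefix) >= min_len:      # never build a signature on one observation
            patterns[dst] = prefix.hex()
    return patterns
```

The shared prefix here is the bytes "KBLOG" followed by a sequence number, so the signature stops before the byte that varies between uploads.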
In this article we have introduced you to Forensic Analysis of Computer Programs through Reverse Engineering. We have specifically focused on the techniques of Dynamic Malware Analysis. In the next article we will discuss Static Malware Analysis, which encompasses every analysis technique which does not involve running the malicious program.
About the author: Nick Harbour is a Senior Engineer with MANDIANT and is a well-known innovator in the field of computer security with over seven years' experience in computer forensics, network monitoring and software development. Prior to joining Mandiant, Nick spent two years as a government contractor. He has worked in the intelligence, counterintelligence, military and law enforcement communities.