Digital forensics and malware
Digital forensics
● According to Wikipedia, you could be looking for: attribution, alibis and
statements, intent, evaluation of source, document authentication
● File carving (e.g., bifragment gap carving)
– Electron microscopes
● Memory forensics (Volatility)
● Network forensics (PCAPs, NetFlow records, NIDS logs)
● Database forensics
● Timestamps in document or log file analysis
● Steganography
● Digital forensic processes
● Benford’s law
File carving
Alessio Sbarbaro User_talk:Yoggysot – Own work
Memory forensics
Steganography
From https://www.tech2hack.com/steganography-hide-data-in-audio-video-image-files/
Forensics tools
● File carvers
– E.g., Scalpel and foremost
● Log parsers
● Parsers/viewers for different kinds of files
– SQLite, EXIF, etc.
● Linux commands that might be useful:
– file, exif, sqlite3, losetup, mount, dd, ssdeep, grep,
strings
Malware
● Cryptovirology by Young and Yung
● The Art of Computer Virus Research and Defense by Szor
– Common theme since the turn of the millennium: stay in memory and don’t go out to disk
● Elk Cloner in 1981 (Skrenta)
● “Virus” coined by Cohen in 1983 (“Information only has meaning in that it is
subject to interpretation”)
– https://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html
● “Worm” came from John Brunner’s The Shockwave Rider in 1975
– Creeper in 1971 for TENEX systems
– ANIMAL in 1975
– Morris Worm in 1988
– Code Red in 2001
https://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html
Interesting types of malware
● Macroviruses
– “On error resume next”
● Botnets
– Command and Control (C&C), from IRC and
hierarchical to fastflux and beyond
● Targeted threats
– E.g., Tibetan exile community, Syria/Egypt, Mexico
– Google “Citizen Lab” or watch “Black Code”
Malware analysis
● Static vs. dynamic
● IDA Pro, Ollydbg, etc.
● Cuckoo Sandbox
● Decompilation
● Armoring, packing, etc.
Anomaly detection
● A Sense of Self for Unix Processes (Forrest et
al. in 1996)
Resources
● Practical Malware Analysis by Honig and
Sikorski
● http://www.forensicswiki.org/wiki/Tools
Conferences you should check out
● IEEE Symposium on Security and Privacy (Oakland)
● USENIX Security Symposium
– Also check out the workshops like FOCI and WOOT
● ACM Conference on Computer and Communications Security
(CCS)
● Network and Distributed System Security Symposium (NDSS)
● Privacy-Enhancing Technologies Symposium (PETS)
– Also PoPETS
● Also RAID for intrusion detection, DFRWS for forensics, CSF for
policy and theory, Eurocrypt and Crypto, Blackhat, DEFCON,
phrack, 2600 magazine, WPES and WEIS
Slide 1
Slide 2
Slide 3
Slide 4
Slide 5
Slide 6
Slide 7
Slide 8
Slide 9
Slide 10
Slide 11
Slide 12