
[IEEE 2013 IEEE International Conference on System Science and Engineering (ICSSE) - Budapest, Hungary (2013.07.4-2013.07.6)] 2013 International Conference on System Science and Engineering

Study on Constructing Malware Attack Forensic Procedure of Digital Evidence

Chih-Pai Chang*, Chun-Te Chen**, Tsung-Hui Lu*, I-Long Lin***, Jesse Chang****, Chen-Cheng Lin**

* Department of Mechatronic Engineering, Huafan University, Taipei, R.O.C.
** Department of Information Management, Huafan University, Taipei, R.O.C.
*** Department of Information Management, Yuanpei University, HsinChu, R.O.C.
**** Acro Technology Company, Taipei, R.O.C.

[email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

Abstract—This study addresses two common problems with digital evidence, its preservation and the ease with which it is modified, across the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation processes. We used the I-Forensics (LiveDetector & LiveSearch) toolkit to examine the digital evidence of a malware attack on a Windows system and to produce a standard operating procedure. The main purpose is to give forensic operators a reliable and accountable standard and guideline mechanism.

Keywords: Digital Evidence, Digital Forensics, Standard Operating Procedures

I. INTRODUCTION

According to Symantec's Internet Security Threat Report, Volume 17, covering 2011 [1], cyber criminals have become hybrid, stealthy, tricky and versatile, and their attacks are cold and brutal. In 2011 Symantec detected and blocked 5.5 billion malicious attacks, an increase of 81% over 2010. Summarizing those attacks, Symantec drew two specific conclusions:

A. Threats to specific targets: Targeted attacks caused many organizations to lose financial assets and intellectual property. Attackers went after every kind of target, from small businesses to Fortune 500 enterprises. What the victims had in common is that they were chosen specifically; in 2011, 50% of them were small and medium businesses.

B. Threats through social networks: As social networks become part of daily life, enterprises try to use them to reach clients and employees, and so risk exposing sensitive information and being attacked from anywhere on the Internet. Attackers footprint a target from the information on its corporate web site, for example gathering e-mail addresses and other personal information to plan a specific attack, or using social engineering to trick employees into leaking internal corporate information unintentionally. Meanwhile, unpatched systems let attackers plant malicious software on public web sites.

Malicious software is routinely used to carry out and hide criminal activity. Such programs protect themselves with techniques whose purpose is to make it difficult for a forensic investigator to find the patterns and evidence of how the attacker broke into the computer system and network. Malware analysis is therefore becoming a common part of the forensic process, and the evolution of malicious software drives the need for more advanced forensic tools and qualified investigators.

II. DIGITAL EVIDENCE FORENSICS AND PROCEDURES

A. Digital Evidence: Casey defines digital evidence as data in electronic form, such as audio, text, pictures and video, held in digital storage, that can prove criminal activity [2]. Digital evidence is recorded as magnetic or electrical signals on electronic media and cannot be seen or touched as a physical object; it must be examined with electronic equipment to be analyzed further or displayed in a visual form [3].

Compared with traditional evidence, which can be touched and seen, digital evidence is quite different in nature. It is recorded as electrical signals on media and cannot be perceived until an electronic device transforms it into text, sound or video that human senses can understand. Data held in an electronic device can also be changed easily. The first step of a reliable forensic process on a computer suspected of a malware attack is therefore to preserve an original copy of the volatile data, and to create a log automatically while the forensic process runs. Four types of evidence can be collected from a live system [4] (TABLE I):

Tier 1 Volatile Evidence: detailed information about the key state of the system, such as registered users, network shares and running processes, which lets the forensic investigator learn how the system was infected and the nature of the infection.

Tier 2 Volatile Evidence: temporary information that gives the investigator more detail on how the system was infected but cannot by itself establish the state of the system or its key information. This tier includes scheduled tasks and the clipboard.

Tier 1 Non-Volatile Evidence: evidence that shows the status, configuration and deployment of the target system and gives clues to how the system was infected and which parts were damaged. This tier includes the registry configuration and the auditing policy.

– 401 –

ICSSE 2013 • IEEE International Conference on System Science and Engineering • July 4-6, 2013 • Budapest, Hungary

978-1-4799-0009-1/13/$31.00 ©2013 IEEE


Tier 2 Non-Volatile Evidence: history and document information that helps the investigator understand the nature and purpose of the infection. This tier includes system logs and Internet browsing history, rather than system status, configuration or deployment.

TABLE I. Types of evidence collected on a live system

Type                          Evidence collected
Tier 1 Volatile Evidence      1. Registered user information  2. Network shares  3. Scheduling on the system
Tier 2 Volatile Evidence      1. Scheduled processes  2. Clipboard
Tier 1 Non-Volatile Evidence  1. Registry configuration  2. Auditing policy
Tier 2 Non-Volatile Evidence  1. System logs  2. Internet browsing history
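The two requirements stated above, an untouched original copy of every collected artifact and an automatically written log, can be met with a small chain-of-custody record that also fixes the collection order (most volatile tier first). The following Python is an added example and is not part of the paper or of the I-Forensics toolkit; the tier names come from TABLE I, while the artifact names, their contents, the operator and case identifiers and the fixed timestamp are constructed sample data.

```python
"""Chain-of-custody log for live-system evidence, ordered by volatility.

Added example; not the paper's code nor part of the I-Forensics toolkit.
Artifact names and contents are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone

# Collection order follows TABLE I: the most volatile tier first.
TIER_ORDER = ("tier1_volatile", "tier2_volatile", "tier1_nonvolatile", "tier2_nonvolatile")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


def acquire(artifacts: dict, operator: str, case_id: str, clock=utc_now):
    """Collect artifacts tier by tier.

    Returns (log, store): `store` keeps an untouched copy of every artifact
    under "<tier>/<name>", and `log` holds one record per artifact with its
    SHA-256, size, tier, operator and UTC timestamp, numbered in the order
    collected. `clock` is injectable so that a run is reproducible."""
    log, store = [], {}
    for tier in TIER_ORDER:
        for name, data in artifacts.get(tier, []):
            key = f"{tier}/{name}"
            store[key] = bytes(data)  # preserved original copy
            log.append({"seq": len(log) + 1, "case": case_id, "operator": operator,
                        "tier": tier, "artifact": name, "size": len(data),
                        "sha256": sha256_hex(data), "collected_at": clock()})
    return log, store


def verify(log: list, store: dict) -> list:
    """Re-hash every preserved copy; return the keys whose digest no longer
    matches the log (a missing copy counts as a mismatch)."""
    bad = []
    for rec in log:
        key = f"{rec['tier']}/{rec['artifact']}"
        if key not in store or sha256_hex(store[key]) != rec["sha256"]:
            bad.append(key)
    return bad


# Constructed sample artifacts, deliberately listed out of tier order.
SAMPLE = {
    "tier2_nonvolatile": [("browser_history.txt",
                           b"2013-05-02 10:11 http://intranet.example/\n")],
    "tier1_volatile": [("running_processes.txt",
                        b"1980 svchost.exe C:\\Program Files\\System32\\svchost.exe Home\n")],
    "tier1_nonvolatile": [("autorun_registry.txt",
                           b"WinService32 = C:\\Program Files\\System32\\svchost.exe\n")],
}


def demo():
    """Acquire the sample, then show that a one-byte change to a preserved
    copy (the 'easily modified' problem) is caught by verify()."""
    log, store = acquire(SAMPLE, operator="investigator-1", case_id="CASE-0001",
                         clock=lambda: "2013-05-02T10:15:00+00:00")
    tampered = dict(store)
    key = "tier1_volatile/running_processes.txt"
    tampered[key] = b"2" + store[key][1:]
    return log, verify(log, store), verify(log, tampered)


if __name__ == "__main__":
    log, clean, tampered = demo()
    print(json.dumps(log, indent=1))
    print("mismatches, intact copies:", clean, "after tampering:", tampered)
```

On a real case the bytes would be the output files written by the collection tool to the second storage device; the log is what an examiner later re-runs verify() against before analysis.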

B. Digital Evidence Forensics: Digital forensics must preserve, identify, extract, record, interpret and analyze evidence in a precise way. The evidence is carried on digital media: computers, network devices, personal digital assistants, mobile phones, digital cameras, memory cards and any other device that can store information in digital form. By the nature of the target, forensics can be divided into Computer Forensics, Hardware Forensics, Software Forensics, Network Forensics, Mobile Forensics and so on (Figure 1); every kind of forensics that deals with digital data is included. The basic principles are: collect the original evidence without changing or altering it (integrity); prove that the extracted evidence came directly from the evidence in custody (authenticity); and analyze without changing the evidence (consistency). With integrity and authenticity preserved, and the course of the information security event reconstructed, the evidence can be presented in court to try a criminal violation [5].

Figure 1. Digital Forensics (tree diagram; rendered here as an outline because the drawing did not survive extraction. The branch names and item lists are the figure's own; the assignment of each item list to its branch is inferred from the items.)

Digital Forensics or Cyber Forensics
  Computer Forensics: PC, NB, electronic dictionary, RAM, HD, disk (USB, FL, DVD, CD, digital camera, printer), virtual machine
  Network Forensics: firewall, wireless, mobile 3.5G, router, shared AP, Bluetooth, net camera
  Software Forensics: OS, compression, image, virus, SWAP, encryption
  Data Forensics: database, file, slack file, log file
  Mobile Forensics: PDA, mobile phone, USB devices, tablet PC

C. Digital Evidence Forensic Procedures: Digital evidence forensic procedures are an increasingly popular topic among governments, academia and the information technology industry, and countries with advanced information security take standard operating procedures seriously. Many academics have published views and methods on digital forensics, but the legal aspect of the process should be the most important guideline for an investigator working a real case. Table II lists the procedures proposed by academics [6].

TABLE II. Comparison of digital evidence processes

Author                   Process
Kuchta (U.S.A.)          1. Preparation  2. Documentation  3. Collection  4. Authentication  5. Analysis  6. Preservation  7. Production  8. Reporting
Kruse & Heiser (U.S.A.)  1. Preserve evidence  2. Examine evidence  3. Case analysis and description  4. Presentation
I-Long Lin (Taiwan)      1. Law and regulation  2. Principle  3. Preparation  4. Collection  5. Analysis  6. Forensics  7. Reports

Table II summarizes the academic views, from which the following elements of a digital forensic procedure are drawn: preparation, seizure, preservation, recovery, analysis, checking, authentication and presentation. Combining them gives the digital forensic procedure of Table III.

TABLE III. Digital forensic procedure

Malware forensic procedure  View from academics
Preparation                 Law and regulation, principle, preparation
Seizure                     Seizure, preserve, recover
Analyze                     Analyze, check
Forensic report             Authenticate and present findings

III. RESEARCH

A. Constructing the digital evidence forensics standard operating procedure for malware:

This research draws on the views of experts in the digital forensics field to construct a procedure for digital evidence forensics. The result can be used by investigators from law enforcement or legal departments. The standard operating procedure for the malware forensic process is shown in Figure 2.

B. Implementing the digital evidence forensics standard operating procedure for malware:

This study takes the SOP from step A as its methodology, the I-Forensics (LiveDetector & LiveSearch) toolkit as its tool for malware forensics, and Windows XP as the operating system. The flow of digital evidence in malware forensics is as follows:

Figure 2. Digital forensic procedure for malware attacks (flowchart). The drawing did not survive extraction; the outline below keeps the figure's own box labels, grouped under the four phase labels it carries (Preparation, Collect the Data, Analysis the Data, Appraise and Report). The figure's "eigenvalue" lists are its known-good (positive) and known-bad (negative) file signature lists. Where the labels alone do not fix an arrow, the connection is inferred and marked as such.

Preparation
  Start malware detection. Decision: is the computer booted (running)?
  YES: Procedure 2, the machine is running (search warrant obtained):
    - Memory dump (LiveDetector).
    - Volatile data and system snapshot (LiveDetector).
    - Decision: can network forensic devices be used? YES: at the network exit, capture packets and analyze the network behaviour (NetWitness).
    - Decision: save the complete state of the system? YES: make an image of the production system (bit-stream copy).
    - Decision: can the system be shut down? YES: shut down and continue with Procedure 1. NO: make live DD image files.
  NO: Procedure 1, the machine is off:
    - Image files or a copy of the hard drive, mounted as a read-only file system (EnCase Physical Pro / EnCase Mount Pro + Tableau write blocker), for static analysis.
    - Image files or a copy of the hard drive brought back up ("re-live it up", LiveView) for dynamic analysis, which returns to the boot-state detection process of Procedure 2.

Collect the Data / Analysis the Data (dynamic analysis and static analysis)
  - Positive-list (known-good) signature scan (LiveHash + Sigverify). Decision: found on the positive list? NO: continue.
  - Negative-list (known-bad) signature scan. Decision: found? NO: submit the suspicious program to the VirusTotal site for scanning. Decision: malware?
  - YES (reached from the negative list or from VirusTotal; inferred): submit to CWSandbox for dynamic analysis and generate reports, then perform network forensic analysis and memory dump image analysis (EnCase 6.16 + HBGary). Decision: malware?

Appraise and Report
  - Malware: update the negative-list signature database. Not malware: update the positive-list signature database.
  - End.

a. Preparation: Plug the LiveDetector & LiveSearch USB dongle into the target computer, so that the digital evidence is preserved and the software executed at the same time. To contain contamination, use a second storage device to hold the collected data, as shown in Figures 3 and 4.

Figure 3. Live demo using LiveDetector (labelled items: software USB dongle; storage devices)

Fill out the case information and select an appropriate storage location:

Figure 4. Select an appropriate storage location

b. Collect the Data:

For a malware forensic investigation we need to collect both volatile and non-volatile data from the suspect computer. Clicking "memory dump" at this point is important, because some malware hides its own process and network activity from the running system, and these show up in the memory image. Start by collecting the volatile data (Figures 5, 6, 7).

Figure 5. Execute memory dump

Figure 6. Volatile data collection in progress

Figure 7. Non-volatile data collection in progress

c. Analysis the Data: Open the LiveDetector report located in the "Report" subdirectory of the storage path; it contains two categories of report, System Volatile Data Analysis and Windows Non-Volatile Data Analysis (Figure 8).

Figure 8. Report located in the "Report" subdirectory of the storage path

(a). Analyze volatile data
First analyze the volatile data to find suspicious processes: locate the "Running Process" report under the "System Volatile Data Analysis" category (Figure 9).

Figure 9. Analyze volatile data

(b). Running Process
After opening the "Running Process" report, look at the "Process Name", "Product Name", "Description" and "Company" fields, because malware either provides no correct information or provides fake information to confuse the user (Figure 9).

Figure 9. Running Process

(c). Process Name is "svchost.exe"
We find one process whose "Process Name" is "svchost.exe" but whose "Company Name" is "Home" and whose "Product Name" is "svchost"; that is a suspicious sign (Figure 10).

Figure 10. Process Name is "svchost.exe"

(d). Suspicious program
This program's path is "C:\Program Files\System32", but we know that the genuine svchost.exe is a system program whose correct path is "C:\Windows\System32", so this program is probably suspicious (Figure 11).

Figure 11. Suspicious program

(e). Analyze the Windows non-volatile data "Autorun Registry" report
Knowing that some malware modifies the autorun registry entries so that it is executed automatically at system startup, the second step is to analyze the "Autorun Registry" report among the Windows non-volatile data (Figure 12).

Figure 12. Analyze the Windows non-volatile data "Autorun Registry" report

(f). Autorun Registry report
Locate the "Autorun Registry" report and open it (Figure 13).

Figure 13. Autorun Registry report

(g). Suspicious "Product Name", registry name "WinService32"
We find a registry entry named "WinService32" whose "Product Name" is "svchost" and whose program path is "C:\Program Files\System32\svchost.exe", matching the running process found earlier (Figure 14).

Figure 14. Suspicious Product Name
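Steps (b) to (g) above are a manual comparison of report fields. The following Python is an added example, not code from the paper or from the I-Forensics toolkit, that applies the same checks to rows exported from the "Running Process" and "Autorun Registry" reports: a process carrying a well-known Windows system binary name is flagged when its directory is not the genuine one, its company field is not Microsoft, or its description is empty, and any autorun entry that launches the same path is attached to the finding as corroboration of persistence. The rows, the field names and the registry key of the WinService32 entry are constructed to mirror the case above (the real report format is not known here). It goes beyond the paper's single svchost.exe case by checking several commonly impersonated names and by accepting SysWOW64 on 64-bit editions.

```python
"""Triage of "Running Process" and "Autorun Registry" report rows.

Added example; not the paper's code nor part of the I-Forensics toolkit.
Report rows are constructed dicts mirroring the paper's case (the real
report format is not known here).
"""
import ntpath

# Commonly impersonated Windows binaries and the directory, relative to
# %SystemRoot%, where the genuine copy lives ("" = %SystemRoot% itself).
SYSTEM_BINARIES = {
    "svchost.exe": "System32",
    "lsass.exe": "System32",
    "csrss.exe": "System32",
    "winlogon.exe": "System32",
    "services.exe": "System32",
    "explorer.exe": "",
}


def _norm(path: str) -> str:
    """Case-insensitive, normalized Windows path for comparison."""
    return ntpath.normpath(path).lower()


def expected_dirs(name: str, system_root: str = r"C:\Windows") -> set:
    """Directories from which the genuine binary of this name may run."""
    rel = SYSTEM_BINARIES[name]
    if rel == "":
        return {_norm(system_root)}
    # 32-bit system binaries also run from SysWOW64 on 64-bit editions.
    return {_norm(ntpath.join(system_root, rel)),
            _norm(ntpath.join(system_root, "SysWOW64"))}


def check_process(proc: dict, system_root: str = r"C:\Windows") -> list:
    """Reasons a process row is suspicious; empty list when nothing stands out."""
    name = proc["name"].lower()
    if name not in SYSTEM_BINARIES:
        return []
    reasons = []
    actual_dir = _norm(ntpath.dirname(proc["path"]))
    if actual_dir not in expected_dirs(name, system_root):
        reasons.append(f"runs from {proc['path']!r} instead of a system directory")
    if "microsoft" not in proc.get("company", "").lower():
        reasons.append(f"company field is {proc.get('company', '')!r}, not Microsoft")
    if not proc.get("description"):
        reasons.append("description field is empty")
    return reasons


def triage(processes: list, autoruns: list) -> dict:
    """Map normalized path -> finding for each suspicious process, together
    with the autorun entries that launch that path."""
    findings = {}
    for proc in processes:
        reasons = check_process(proc)
        if reasons:
            findings[_norm(proc["path"])] = {"process": proc, "reasons": reasons,
                                             "autorun": []}
    for entry in autoruns:
        key = _norm(entry["path"])
        if key in findings:
            findings[key]["autorun"].append(entry)
    return findings


# Constructed rows mirroring the paper's case; not real tool output.
PROCESSES = [
    {"pid": 1032, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "company": "Microsoft Corporation", "product": "Microsoft Windows Operating System",
     "description": "Generic Host Process for Win32 Services"},
    {"pid": 1980, "name": "svchost.exe", "path": r"C:\Program Files\System32\svchost.exe",
     "company": "Home", "product": "svchost", "description": ""},
    {"pid": 2244, "name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe",
     "company": "Microsoft Corporation", "product": "Microsoft Windows Operating System",
     "description": "Notepad"},
]
AUTORUNS = [  # the registry key is an assumption; the paper gives only the value name
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "WinService32",
     "path": r"C:\Program Files\System32\svchost.exe"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "ctfmon",
     "path": r"C:\Windows\System32\ctfmon.exe"},
]

if __name__ == "__main__":
    for path, finding in triage(PROCESSES, AUTORUNS).items():
        print(path)
        for reason in finding["reasons"]:
            print("  -", reason)
        for entry in finding["autorun"]:
            print("  autorun:", entry["key"], entry["value"])
```

The path check is the strongest of the three signals: version-resource fields such as company and description are free text that malware can copy from the genuine binary, whereas the Windows service host only runs from the system directories.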

d. Appraise and Report: Having found a suspicious program, we need to extract it; but because it is running, it cannot be copied by the normal method. Locate the "LiveSearch.exe" tool on the iForensic InfoDetect USB dongle and launch it (Figures 15, 16).

Figure 15. Launch from the iForensic InfoDetect USB dongle

Figure 16. Select an appropriate storage location

(a). Search for the keyword "svchost"
Select drive C, enter the keyword "svchost", then click the "search" button to start the search (Figure 17).

Figure 17. Search for the keyword "svchost"

(b). LiveSearch finds names matching "svchost"
When the search finishes, LiveSearch lists the names that match "svchost". Locate the svchost.exe whose file path is "C:\Program Files\System32", tick its check box, then click the copy button (Figure 18).

Figure 18. LiveSearch finds names matching "svchost"

(c). Confirm the destination path
Make sure the destination path is correct, then click the OK button to copy the file (Figure 19).

Figure 19. Confirm the destination path

(d). Analysis and interpretation at www.virustotal.com
After extracting the file, send it to www.virustotal.com for analysis (Figure 20). Note that a file submitted to VirusTotal is shared with its antivirus partners, so record the file's hash values first and, where the sample may be sensitive, search VirusTotal by hash before uploading it.

Figure 20. Analysis and interpretation at www.virustotal.com

(e). VirusTotal analysis feedback
Finally, we confirm from the VirusTotal analysis feedback that this file is malware (Figures 21, 22).

Figure 21. VirusTotal web page analysis feedback

Figure 22. VirusTotal web page interpretation
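Step (d) sends the extracted file straight to VirusTotal, while the flowchart of Figure 2 first checks it against the positive (known-good) and negative (known-bad) signature lists. The following Python is an added example, not from the paper or the I-Forensics toolkit, that follows the flowchart's order for steps (d) and (e): it hashes the extracted file, classifies it against the two lists, and only for an unknown file queries VirusTotal by hash through the v3 API (GET https://www.virustotal.com/api/v3/files/<sha256> with the key in the x-apikey header), which returns the existing verdict without uploading the sample. The file bytes, the hash lists, the canned VirusTotal reply used when running offline, and the VT_API_KEY environment variable that supplies a real key are all constructed or assumed by this example.

```python
"""Hash-first classification of an extracted file, then VirusTotal by hash.

Added example; not the paper's code nor part of the I-Forensics toolkit.
Sample bytes, hash lists and the canned offline reply are constructed.
"""
import hashlib
import json
import os
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/{}"


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256, so the file can be matched against any list."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def classify(hashes: dict, positive: set, negative: set) -> str:
    """Known-bad wins over known-good; a file matching neither is 'unknown'."""
    values = {hashes["md5"], hashes["sha1"], hashes["sha256"]}
    if values & {h.lower() for h in negative}:
        return "known_bad"
    if values & {h.lower() for h in positive}:
        return "known_good"
    return "unknown"


def vt_lookup(sha256: str, api_key: str, opener=urllib.request.urlopen) -> dict:
    """GET /files/<hash>; the sample itself is never uploaded.
    A 404 means VirusTotal has not seen this hash."""
    req = urllib.request.Request(VT_FILES_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with opener(req) as resp:
            body = json.loads(resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {"found": False}
        raise
    stats = body["data"]["attributes"]["last_analysis_stats"]
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    return {"found": True, "malicious": stats.get("malicious", 0), "engines": engines}


def decide(data: bytes, positive: set, negative: set, api_key=None,
           opener=urllib.request.urlopen) -> dict:
    """The Figure 2 order: signature lists first, VirusTotal only for an unknown file."""
    hashes = file_hashes(data)
    result = {"hashes": hashes, "classification": classify(hashes, positive, negative)}
    if result["classification"] == "unknown" and api_key:
        result["virustotal"] = vt_lookup(hashes["sha256"], api_key, opener)
    return result


# Constructed stand-in for the extracted svchost.exe copy; not a real binary.
SAMPLE_FILE = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary"


class _CannedResponse:
    """Minimal stand-in for an HTTP response when running offline."""

    def __init__(self, body: dict):
        self._body = json.dumps(body).encode()

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(req):
    """Constructed VirusTotal v3 reply: 40 engines flag the hash, 5 do not."""
    return _CannedResponse({"data": {"attributes": {"last_analysis_stats": {
        "malicious": 40, "suspicious": 0, "undetected": 5, "harmless": 0}}}})


if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")  # assumption: a real key is supplied this way
    opener = urllib.request.urlopen if key else fake_opener
    print(json.dumps(decide(SAMPLE_FILE, set(), set(), key or "offline", opener), indent=1))
```

Run without VT_API_KEY it uses the canned reply and never touches the network; with a key it performs the real hash lookup. The hash lists are the positive and negative signature databases that the flowchart's last step updates after each case.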

IV. CONCLUSIONS AND RECOMMENDATIONS

A. Conclusions

In the early days, most malicious software could be found and analyzed on the computer itself and was easily observed, so few professional digital forensic operators or special tools for analyzing code were required. This research clarifies the definition of digital forensics given by experts in the field and identifies the concept of malware forensics. During the collection, analysis and forensic stages of malware detection and digital evidence collection, we found that more and more malicious software is designed to be anti-forensic. Through anti-forensic techniques, the hiding of network traffic and the covering of footprints left in system files, detection and forensic processes are becoming more difficult, and the abilities and responsibilities of the digital forensic operator will be tested harder than before.

This research used I-Forensics (LiveDetector & LiveSearch) to simulate the digital forensics of a malware attack on a Windows system, constructed the standard operating procedure for malware digital forensics, and described the purpose of each step: which procedure to follow, and how to preserve, analyze and authenticate the digital evidence. It provides a standard for detectives and for digital and criminal forensic officers to seize, preserve and analyze evidence, and so strengthens the credibility and authenticity of the evidence when it is presented in court.

B. Recommendations

(a). Professional tools, laboratories and standards for digital forensics should be established to protect the forensic process and the preservation of evidence, and to secure digital evidence.

(b). The training of digital forensics and information security candidates should be put into action.

(c). To improve the quality and effectiveness of evidence presented in court, a standard investigation guide is needed so that the evidence, its credibility and its authenticity can speak for themselves.

REFERENCES

[1] Symantec, Internet Security Threat Report (ISTR), Volume 17, http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=threat_report_17

[2] Eoghan Casey, Handbook of Computer Crime Investigation: Forensic Tools and Technology, Academic Press, 2001.

[3] R. Ahmed and R. V. Dharaskar, "Mobile Forensics: an Overview, Tools, Future Trends and Challenges from Law Enforcement Perspective", 2008.

[4] James M. Aquilina, Eoghan Casey, Cameron H. Malin and Curtis W. Rose, Malware Forensics: Investigating and Analyzing Malicious Code, Syngress, 2008.

[5] Chih-Pai Chang and I-Long Lin, "Research of Digital Evidence Operating Procedures of Malware Attacks Forensic", The 18th Cross Strait Conference on Information Management Development and Strategy, Taipei.

[6] I-Long Lin, Huei-Chung Chu and Chih-Pai Chang, "To Construct the Digital Evidence Forensics Standard Operation Procedure and Verification on Real Criminal Cases: Take Windows XP System as an Example", 2008 Conference of Digital Technology and Innovation Management, Taipei.
