[IEEE 2013 IEEE International Conference on System Science and Engineering (ICSSE) - Budapest, Hungary (2013.07.4-2013.07.6)] 2013 International Conference on System Science and Engineering
Study on Constructing Malware Attack Forensic Procedure of Digital Evidence
Chih-Pai Chang*, Chun-Te Chen**, Tsung-Hui Lu*, I-Long Lin***, Jesse Chang****, Chen-Cheng Lin**
* Department of Mechatronic Engineering, Huafan University, Taipei, R.O.C.
** Department of Information Management, Huafan University, Taipei, R.O.C.
*** Department of Information Management, Yuanpei University, HsinChu, R.O.C.
**** Acro Technology Company, Taipei, R.O.C.
[email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Abstract—This study addresses two common problems with digital evidence, its preservation and the ease with which it can be modified, across the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation processes. We used the I-Forensics (LiveDetector & LiveSearch) toolkit to explore the digital evidence of a malware attack on a Windows system and to produce a standard operating procedure. The main purpose is to provide forensic operators with a reliable and accountable standard and guideline.
Keywords: Digital Evidence, Digital Forensic, Standard Operating Procedures
I. INTRODUCTION
According to the report of information solution provider Symantec on global network information security threats, volume 17 (2011), cyber criminals have evolved to become hybrid, stealthy, tricky and versatile, and their attacks are cold and brutal. In 2011, Symantec detected and blocked 5.5 billion malicious attacks, an increase of 81% compared to 2010. Summarizing those types of attack, Symantec pointed out two specific conclusions:
A. Threat to specific targets: Targeted attacks have caused many organizations to lose financial assets and intellectual property. Attackers focus on different types of target, from small businesses to Fortune 500 enterprises. What the victims have in common is that they were specifically chosen; in 2011, 50% of them were small and medium businesses.
B. Threat from social networks: As social networks become part of our daily activities, enterprises try to leverage them with clients and employees, and thereby risk exposing sensitive information and being attacked from anywhere on the Internet. Attackers do footprinting research based on the information on a corporate web site, for example gathering e-mail addresses and other personal information to plan a specific attack, or using social engineering to trick employees into leaking corporate internal information unintentionally. Meanwhile, unpatched systems can let public web sites be seeded with malicious software.
It has become usual to use malicious software to carry out and hide criminal activities. These programs protect themselves with techniques designed to make it difficult for the forensic investigator to find patterns and evidence of how the attacker broke into the computer system and network. Malicious software analysis is increasingly taken up during forensic processes, and the evolution of malicious software drives the need for more advanced forensic tools and qualified investigators.
II. Digital Evidence Forensics and Procedures
A. Digital Evidence: Casey defined digital evidence as data in electronic form, such as voice, text, pictures and video, that is held in digital storage and can prove criminal activity [2]. Digital evidence is recorded as magnetic or electrical signals on electronic media and cannot be seen or touched like a physical object; it must be examined with electronic equipment to be analysed further or displayed in a visual form [3].
Compared with traditional evidence, which can be touched and seen, digital evidence is quite different in nature. It is recorded as electrical signals on media and cannot be perceived until an electronic device transforms it into text, sound or video that human senses can understand. Data held in an electronic device can be changed easily. The first step is therefore to preserve an original copy of the volatile data, so that a reliable forensic process can be carried out on a computer suspected of having been attacked by malicious software, and to create logs automatically during the forensic process. Four types of evidence from a live system are listed below [4] (Table I).
Tier 1 Volatile Evidence: detailed information about key system state, such as registered users, network shares and running processes, which tells the forensic investigator how the system was infected and the nature of the infection.
Tier 2 Volatile Evidence: temporary data that gives the investigator more detail of how the system was infected but cannot be used to establish the system's status or key information. This includes scheduled tasks and the clipboard.
Tier 1 Non-Volatile Evidence: evidence that shows the status, configuration and deployment of the target system and gives clues about how the system was infected and which parts were damaged. This includes registry configuration and audit policy.
ICSSE 2013 • IEEE International Conference on System Science and Engineering • July 4-6, 2013 • Budapest, Hungary
978-1-4799-0009-1/13/$31.00 ©2013 IEEE
Tier 2 Non-Volatile Evidence: historical and documentary information that helps the forensic investigator understand the nature and purpose of the infection. This includes system logs and Internet browsing history, as opposed to system status, configuration or deployment.
TABLE I. Types of evidence collected on a live system

| Type | Evidence collected |
|---|---|
| Tier 1 Volatile Evidence | 1. Registered user information 2. Network shares 3. Scheduling on system |
| Tier 2 Volatile Evidence | 1. Scheduled processes 2. Clipboard |
| Tier 1 Non-Volatile Evidence | 1. Registry configuration 2. Audit policy |
| Tier 2 Non-Volatile Evidence | 1. System log 2. Internet browsing history |
B. Digital Evidence Forensics: Digital forensics has to preserve, identify, extract, record, interpret and analyse evidence in a precise way. This evidence is carried on digital media such as computers, network devices, personal digital assistants, mobile phones, digital cameras and memory cards; any device that can store information in digital format is included. By its nature, forensics can be separated into Computer Forensics, Hardware Forensics, Software Forensics, Network Forensics, Mobile Forensics and so on (Figure 1); every kind of forensics that relates to digital data is included. The basic principles are to collect the primary evidence without change or alteration (integrity); to prove that the extracted evidence came directly from the evidence in custody (authenticity); and to analyse it without changing the evidence (consistency). With integrity and authenticity preserved, and the processes of the information security event reconstructed, the evidence can be presented in court in the trial of a criminal violation [5].
[Figure 1: tree of Digital Forensics (or Cyber Forensics) with five branches; labels recovered from the figure:]
Computer Forensics: PC, NB, electronic dictionary, RAM, HD, disk (USB, FL, DVD, CD, digital camera, printer), virtual machine
Mobile Forensics: PDA, mobile phone, USB devices, tablet PC
Network Forensics: firewall, wireless, mobile 3.5G, router, shared AP, Bluetooth, net camera
Software Forensics: OS, compression, image, virus, SWAP, encryption
Data Forensics: database, file, slack file, log file
Figure 1. Digital Forensics
C. Digital Evidence Forensic Procedures: Discussion of digital evidence forensic procedures is becoming popular among governments, academia and the information technology industry. In countries advanced in information security, standard operating procedures are taken more seriously. Many academics put forward views and methods on digital forensics, but the legal aspect of the digital forensic process should be the most important part for the digital forensic investigator, as a guideline when practising on real cases. Table II lists procedures proposed by academics [6].
TABLE II. Comparison of digital evidence processes

| Author | Process |
|---|---|
| Kuchta (U.S.A.) | 1. Preparation 2. Documentation 3. Collection 4. Authentication 5. Analysis 6. Preservation 7. Production 8. Reporting |
| Kruse & Heiser (U.S.A.) | 1. Preserve evidence 2. Examine evidence 3. Case analysis and description 4. Presentation |
| I-Long Lin (Taiwan) | 1. Law and regulation 2. Principle 3. Preparation 4. Collection 5. Analysis 6. Forensic 7. Reports |
Table II summarizes the views of academics and concludes with the following components of a digital forensic procedure: preparation, seize, preserve, recover, analyse, check, authenticate and present, and combines them into a digital forensic procedure (Table III).
TABLE III. Digital forensic procedure

| Malicious software forensic procedure | View from academics |
|---|---|
| Preparation | Law and regulation, principle, preparation |
| Seize | Seize, preserve, recover |
| Analyze | Analyze, check |
| Forensic Report | Authenticate and present findings |
III. RESEARCH
A. Construct digital evidence forensics malware standard operating procedures:
This research draws together the views of experts in the digital forensic field and constructs a procedure for the forensic handling of digital evidence. The result can be used by investigators from law enforcement or legal departments. The standard operating procedure for constructing the malicious software forensic process is shown in Figure 2:
B. Implement the constructed digital evidence forensics malware standard operating procedures:
This study took the SOP from step A as its methodology, used the I-Forensics (LiveDetector & LiveSearch) toolkit as the tool for malicious software forensics, and Windows XP as the operating system. The flow of digital evidence in malicious software forensics is as follows:
[Figure 2: flowchart of the digital forensic SOP; labels recovered from the figure, grouped by its four stages:]
Preparation: Start malware detection. Is the computer booted? If NO, Procedure 1 (machine off): produce a system image and bit-stream copy; either mount the image or copied hard drive as a read-only file system for static analysis, or re-live the image or copied hard drive for dynamic analysis; then return to Procedure 2 (the boot-state detection process). If YES, Procedure 2 (machine running): can the network forensic devices be used? If YES, record packets at the network egress and analyse network behaviour with NetWitness. Can the system be shut down? If YES, shut down; if NO, make live DD image files.
Collect the Data: memory dump; volatile data and system snapshot with LiveDetector (search warrant); save the complete state of the system.
Analysis the Data: positive list eigenvalue scan (LiveHash + Sigverify; LiveView, or EnCase Physical Pro / EnCase Mount Pro + Tableau write blocker); if not found on the positive list, negative list eigenvalue scan; if not found there, submit the suspicious program to the VirusTotal site for scanning; if malware, send it to CWSandbox for dynamic analysis and report generation; then network forensics analysis and memory dump image analysis (EnCase 6.16 + HBGary).
Appraise and Report: malware? update the positive list characteristics database or the negative list characteristics database accordingly; End.
Figure 2. Digital Forensic SOP
a. Preparation: Plug the LiveDetector & LiveSearch USB dongle into the target computer to preserve the digital evidence and execute the software at the same time. To contain contamination, use a second storage device to store the collected data, as shown in Figures 3 and 4.
Figure 3. Live demo using LiveDetector
Fill out the case information and select an appropriate storage location:
Figure 4. Select appropriate storage location
b. Collect the Data:
For malware forensic investigation, we need to collect volatile and non-volatile data from the suspicious computer. Clicking memory dump is important at this point because some malware hides its own process and network activity; let us start by collecting the volatile data first (Figures 5, 6, 7).
Figure 5. Execute memory dump
Figure 6. Volatile data collect in progress
Figure 7. Nonvolatile data collect in progress
c. Analysis the Data: Open the LiveDetector report located in the “Report” sub-directory of the storage path; we will see two categories of report: System Volatile Data Analysis and Windows non-volatile data analysis. (Figure 8)
Figure 8. Report located in the “Report” sub-directory of the storage path
(a). Analysis of volatile data: First, analyse the volatile data to find the suspicious process. Under the “System Volatile Data Analysis” category, locate the “Running Process” report. (Figure 9)
Figure 9. Analysis of volatile data
(b). Running Process: After opening the “Running Process” report, examine the “Process Name”, “Product Name”, “Descriptions” and “Company” fields, because malware will not provide correct information, or will provide fake information to confuse the user. (Figure 9)
Figure 9. Running Process
(c). “Process Name” is “svchost.exe”: We find one entry whose “Process Name” is “svchost.exe” but whose “Company Name” is “Home” and whose “Product Name” is “svchost”; that is a suspicious point. (Figure 10)
Figure 10. “Process Name” is “svchost.exe”
(d). Suspicious program: This program's path is “C:\Program Files\System32”, but we know that the genuine svchost.exe system program is located in “C:\Windows\System32”, so we now know this program may be a suspicious program. (Figure 11)
Figure 11. Suspicious program
(e). Analysis of Windows non-volatile data, “Autorun Registry” report: Knowing that some malware modifies the autorun registry so that it executes automatically at system startup, the second step is to analyse the Windows non-volatile data “Autorun Registry” report. (Figure 12)
Figure 12. Analysis of Windows non-volatile data, “Autorun Registry” report
(f). Autorun Registry report
Locate the “Autorun Registry” report and open it. (Figure 13)
Figure 13. Autorun Registry report
(g). Suspicious “Product Name”, registry name “WinService32”: We find that the registry name is “WinService32”, the “Product Name” is “svchost” and the program path is “C:\Program Files\System32\svchost.exe”, matching the running process found earlier. (Figure 14)
Figure 14. Suspicious Product Name
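To show how the checks in steps (b) to (g) can be applied systematically rather than by eye, here is an added example in Python that is not part of the paper or the I-Forensics toolkit. It parses a constructed running-process report and a constructed autorun-registry report (the tab-separated layout, the column names and the sample rows are assumptions; the paper does not describe LiveDetector's report format), flags processes whose name matches a well-known Windows system binary but whose path or publisher does not match the expected one, and then cross-references the flagged paths with the autorun entries, which is what the paper does manually for the “WinService32” entry:

```python
"""
Added example (not from the paper or the I-Forensics toolkit): triage of a
running-process report and an autorun-registry report of the kind LiveDetector
produces, reproducing the checks the paper performs by hand in steps (b)-(g).

The report layout (tab-separated text with a header row) and the sample rows
are constructed for this example; the real LiveDetector format is not described.
"""
import csv
import io
import ntpath

# Constructed sample of a "Running Process" report (assumed layout).
RUNNING_PROCESS_REPORT = """\
PID\tProcess Name\tProduct Name\tCompany\tDescription\tPath
4\tSystem\t\t\t\t
612\tsvchost.exe\tMicrosoft Windows Operating System\tMicrosoft Corporation\tGeneric Host Process\tC:\\Windows\\System32\\svchost.exe
1520\tsvchost.exe\tsvchost\tHome\t\tC:\\Program Files\\System32\\svchost.exe
1888\texplorer.exe\tMicrosoft Windows Operating System\tMicrosoft Corporation\tWindows Explorer\tC:\\Windows\\explorer.exe
"""

# Constructed sample of an "Autorun Registry" report (assumed layout).
AUTORUN_REPORT = """\
Registry Key\tName\tProduct Name\tPath
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tWinService32\tsvchost\tC:\\Program Files\\System32\\svchost.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tSecurityHealth\tWindows Security Health\tC:\\Windows\\System32\\SecurityHealthSystray.exe
"""

# Well-known Windows system binaries and the directory each is expected to live in.
# Short table for the example; a real deployment would use a vetted list.
EXPECTED_SYSTEM_BINARIES = {
    "svchost.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "csrss.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}
TRUSTED_COMPANIES = {"Microsoft Corporation"}


def parse_report(text):
    """Parse a tab-separated report with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def triage_processes(rows):
    """Return (row, reasons) pairs for processes that look out of place."""
    findings = []
    for row in rows:
        expected_dir = EXPECTED_SYSTEM_BINARIES.get(row["Process Name"].lower())
        if expected_dir is None:
            continue  # not a system binary name we track
        reasons = []
        path = row["Path"]
        if ntpath.dirname(path).lower() != expected_dir.lower():
            reasons.append(f"path {path!r} is not the expected {expected_dir!r}")
        if row["Company"] not in TRUSTED_COMPANIES:
            reasons.append(f"company {row['Company']!r} is not a trusted publisher")
        if reasons:
            findings.append((row, reasons))
    return findings


def correlate_autoruns(findings, autorun_rows):
    """Return the autorun entries whose path matches a flagged process path."""
    suspicious_paths = {row["Path"].lower() for row, _ in findings}
    return [a for a in autorun_rows if a["Path"].lower() in suspicious_paths]


def run_triage(process_report=RUNNING_PROCESS_REPORT, autorun_report=AUTORUN_REPORT):
    """Run both checks and return (flagged processes, matching autorun entries)."""
    findings = triage_processes(parse_report(process_report))
    autoruns = correlate_autoruns(findings, parse_report(autorun_report))
    return findings, autoruns


if __name__ == "__main__":
    found, persistence = run_triage()
    for row, reasons in found:
        print(f"PID {row['PID']} {row['Process Name']}: " + "; ".join(reasons))
    for entry in persistence:
        print(f"persistence: {entry['Registry Key']}\\{entry['Name']} -> {entry['Path']}")
```

On the constructed reports the script flags only PID 1520 (wrong directory and untrusted publisher) and links it to the “WinService32” Run key; the genuine svchost.exe under C:\Windows\System32 passes both checks. Comparing the directory rather than the file name is the point: the malicious copy keeps the real name and relies on the examiner not reading the path.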
d. Appraise and Report: Now that we have found a suspicious program, we need to extract it. Because the program is running, it cannot be copied by normal methods; locate the “LiveSearch.exe” tool on the iForensic InfoDetect USB dongle and launch it. (Figures 15, 16)
Figure 15. Launch from the iForensic InfoDetect USB dongle
Figure 16. Select appropriate storage location
(a). Search keyword “svchost”: Select the C drive, enter the keyword “svchost”, then click the “search” button to start the search. (Figure 17)
Figure 17. Search keyword “svchost”
(b). LiveSearch finds names matching “svchost”: When the search finishes, we see that LiveSearch has found names matching “svchost”; locate the svchost.exe program whose file path is “C:\Program Files\System32”, tick its checkbox, then click the copy button. (Figure 18)
Figure 18. LiveSearch found names matching “svchost”
(c). Ensure the collection path is correct: Make sure the destination path is correct, then click the OK button to copy the file. (Figure 19)
Figure 19. Ensure the collection path is correct
(d). www.virustotal.com for analysis and interpretation: After extracting the file, send it to www.virustotal.com for analysis. (Figure 20)
Figure 20. www.virustotal.com for analysis and interpretation
(e). VirusTotal web page analysis feedback: Finally, we confirm from the VirusTotal web page's analysis feedback that this file is malware. (Figures 21, 22)
Figure 21. VirusTotal web page analysis feedback
Figure 22. VirusTotal web page interpretation
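The extracted copy of the file is what the investigator sends to www.virustotal.com and what will later be presented as evidence, so its integrity (the principle stated in Section II.B) has to be demonstrable. The following is an added Python example, not part of the paper or of the LiveSearch tool, that hashes the original and the copy, refuses to proceed if they differ, appends a custody record to a JSON-lines manifest, and re-verifies the manifest so that a later modification of the copy is detected. The file contents, the manifest layout, the case identifier and the operator name are constructed for the example.

```python
"""
Added example (not from the paper or the I-Forensics toolkit): record and verify
the integrity of a file extracted from the target so that the copy sent for
analysis and the copy kept as evidence can be shown to match the original.
File contents, manifest layout and identifiers below are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(source_path, dest_path, manifest_path, case_id, operator):
    """Copy source to dest, hash both, and append a custody record to the manifest.

    Returns the record written. Raises if the copy does not match the source,
    so a failed or interrupted copy is never recorded as evidence."""
    with open(source_path, "rb") as src, open(dest_path, "wb") as dst:
        dst.write(src.read())
    source_hash = sha256_of_file(source_path)
    copy_hash = sha256_of_file(dest_path)
    if source_hash != copy_hash:
        raise RuntimeError("copy does not match source; do not proceed")
    record = {
        "case_id": case_id,
        "operator": operator,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source_path,
        "copy": dest_path,
        "sha256": copy_hash,
    }
    with open(manifest_path, "a", encoding="utf-8") as m:
        m.write(json.dumps(record) + "\n")
    return record


def verify_manifest(manifest_path):
    """Re-hash every copy listed in the manifest; return {copy_path: still_intact}."""
    results = {}
    with open(manifest_path, encoding="utf-8") as m:
        for line in m:
            rec = json.loads(line)
            results[rec["copy"]] = (
                os.path.exists(rec["copy"]) and sha256_of_file(rec["copy"]) == rec["sha256"]
            )
    return results


def demo():
    """Acquire a constructed sample file, verify it, then show that tampering is detected."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "svchost.exe")  # stands in for the extracted file
    copy = os.path.join(work, "svchost.exe.copy")
    manifest = os.path.join(work, "custody.jsonl")
    with open(original, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary")
    record = record_acquisition(original, copy, manifest, "CASE-EXAMPLE-001", "examiner")
    before = verify_manifest(manifest)
    with open(copy, "ab") as f:  # simulate a modification of the preserved copy
        f.write(b"\x00")
    after = verify_manifest(manifest)
    return record["sha256"] == sha256_of_file(original), before[copy], after[copy]


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False)
```

The manifest hash is also what a reviewer can compare against the hash VirusTotal reports for the submitted sample, which ties the web page result in Figures 21 and 22 back to the specific file that was copied from the target.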
IV. CONCLUSIONS AND RECOMMENDATIONS
A. Conclusions: In the early days, most malicious software could be disclosed and analysed on the computer and was easily observed, so the need for professional digital forensic operators and special software to analyse source code was small. This research clarifies the definition of digital forensics given by experts in the field and identifies the concept of malicious software forensics. During the processes of collection, analysis and forensics for malicious software detection and digital evidence collection, we found that more and more malicious software is designed to be anti-forensic. Through anti-forensic techniques, hiding network traffic and covering the footprints left in system files, detection and forensic processes are becoming more difficult, and the demands on the abilities and responsibilities of digital forensic operators will be harder than before.
This research used I-Forensics (LiveDetector & LiveSearch) to simulate a digital forensic investigation of a malware attack on a Windows system, constructs a standard operating procedure for malicious software digital forensics, and describes the purpose of each step: which procedure should be taken, and how digital evidence should be preserved, analysed and authenticated. It provides a standard for detectives and digital and criminal forensic officers to seize, preserve and analyse evidence, and as a result strengthens the credibility and authenticity of the evidence when it is presented in court.
B. Recommendations:
(a). Professional tools, a laboratory and a standard for digital forensics should be established to protect the processes and preservation of digital forensics and to secure digital evidence.
(b). The training of digital forensic and information security candidates should be put into action.
(c). In order to improve the quality and effectiveness of evidence presented in court, a standard investigation guide needs to be built to improve the credibility and authenticity of digital evidence so that it speaks for itself.
REFERENCES
[1] Symantec, Internet Security Threat Report (ISTR), Volume 17, http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=threat_report_17.
[2] Eoghan Casey, Handbook of Computer Crime Investigation: Forensic Tools and Technology, Academic Press, 2001.
[3] R. Ahmed and R. V. Dharaskar, “Mobile Forensics: an Overview, Tools, Future Trends and Challenges from Law Enforcement Perspective”, 2008.
[4] James M. Aquilina, Eoghan Casey, Cameron H. Malin, Curtis W. Rose, Malware Forensics: Investigating and Analyzing Malicious Code, Syngress Press, 2008.
[5] Chih-Pai Chang, I-Long, “Research of Digital Evidence Operating Procedures of Malware Attacks Forensic”, The 18th Cross Strait Conference on Information Management Development and Strategy, Taipei.
[6] I-Long, Huei-Chung Chu, Chih-Pai Chang, “To Construct the Digital Evidence Forensics Standard Operation Procedure and Verification on Real Criminal Cases: Take Windows XP System as an Example”, 2008 Conference of Digital Technology and Innovation Management, Taipei.