Skip to main content

Part2 :Malware Analysis

      1. What are some essential skills for a malware analyst?


2. How can I practice analyzing malware safely?

3. What are some common types of malware and how do they work

4. What tools and techniques are used in malware analysis?



1. What Is Malware?

Malware is a code that performs malicious actions; it can take the form of an executable,

script, code, or any other software. Attackers use malware to steal sensitive information,

spy on the infected system, or take control of the system. It typically gets into your system

without your consent and can be delivered via various communication channels such as

email, web, or USB drives.


The following are some of the malicious actions performed by malware:

Disrupting computer operations

Stealing sensitive information, including personal, business, and financial data

Unauthorized access to the victim's system

Spying on the victims

Sending spam emails

Engaging in distributed-denial-of-service attacks (DDOS)

Locking up the files on the computer and holding them for ransom


2. What Is Malware Analysis?

Malware analysis is the study of malware's behavior. The objective of malware analysis is

to understand the working of malware and how to detect and eliminate it. It involves

analyzing the suspect binary in a safe environment to identify its characteristics and

functionalities so that better defenses can be built to protect an organization's network.



3. Why Malware Analysis?

The primary motive behind performing malware analysis is to extract information from the

malware sample, which can help in responding to a malware incident. The goal of malware

analysis is to determine the capability of malware, detect it, and contain it. It also helps in

determining identifiable patterns that can be used to cure and prevent future infections



4. Types Of Malware Analysis

To understand the working and the characteristics of malware and to assess its impact on

the system, you will often use different analysis techniques. The following is the

classification of these analysis techniques:



Static analysis: This is the process of analyzing a binary without executing it. It is

easiest to perform and allows you to extract the metadata associated with the

suspect binary. Static analysis might not reveal all the required information, but

it can sometimes provide interesting information that helps in determining

where to focus your subsequent analysis efforts



Dynamic analysis (Behavioral Analysis): This is the process of executing the

suspect binary in an isolated environment and monitoring its behavior. This

analysis technique is easy to perform and gives valuable insights into the activity

of the binary during its execution. This analysis technique is useful but does not

reveal all the functionalities of the hostile program


Code analysis: It is an advanced technique that focuses on analyzing the code to

understand the inner workings of the binary. This technique reveals information

that is not possible to determine just from static and dynamic analysis. Code

analysis is further divided into Static code analysis and Dynamic code analysis. Static

code analysis involves disassembling the suspect binary and looking at the code to

understand the program's behavior, whereas Dynamic code analysis involves

debugging the suspect binary in a controlled manner to understand its

functionality. Code analysis requires an understanding of the programming

language and operating system concepts



Memory analysis (Memory forensics): This is the technique of analyzing the

computer's RAM for forensic artifacts. It is typically a forensic technique, but

integrating it into your malware analysis will assist in gaining an understanding

of the malware's behavior after infection. Memory analysis is especially useful to

determine the stealth and evasive capabilities of the malware




Integrating different analysis techniques while performing malware

analysis can reveal a wealth of contextual information, which will prove

to be valuable in your malware investigation

Labels:

Comments

Post a Comment

Popular posts from this blog

Part 1.3 :Disk Analysis, Autopsy & Redline

  Disk Analysis, Autopsy & Redline Autopsy: Autopsy  gives you the option to acquire data from both live systems or from a disk image. After adding your data source, navigate to the location of the files you want to extract, then right-click and select the Extract File(s) option. It will look similar to what you see in the screenshot below How to start Digital forensics Investigations with Autopsy 1.       Download Autopsy 2.       Download Hxd 3.       Download md5sum 4.       Download dd.exe 5.       Create disk image using dd.exe PS C:\Users\ME\Desktop\Tool\tools source> .\dd.exe if=\\.\e: of=c:\users\me\desktop\cases\image.dd bs=1M –-progress 6.       Create hash for image using md5sum or hasher PS C:\Users\ME\Desktop\Tool\tools source> .\md5sums.exe c:\users\me\desktop\cases\image2.dd  ...
Post a Comment
Read more

Part 1.2: Memory Analysis

  Part 1.2: Memory Analysis  Investigating Malware Using Memory Forensics   Memory forensics is a technique used in digital forensics that involves the analysis of a computer's volatile memory (RAM) to obtain information about running processes, open network connections, system configurations, and other valuable data. This technique is particularly useful in investigating malware, as malware often tries to hide its presence on a system, making it difficult to detect using traditional methods. When investigating malware using memory forensics, there are several steps to follow: 1.       Acquisition: The first step is to acquire the volatile memory from the infected system. This can be done using tools such as FTK Imager or Volatility. 2.       Analysis: Once the memory has been acquired, it is time to analyze it. This involves examining the memory for suspicious processes, network connections, and other indicato...
Post a Comment
Read more

Step1: Identification & Preparation

Step 1:Identification and preparation Identification involves recognizing and documenting potential digital evidence, which includes identifying devices, storage media, and files that may contain relevant information. This step often involves creating a forensic image of the storage media to preserve the data for analysis. Preparation involves ensuring that the digital evidence is collected and handled properly to maintain its integrity and admissibility in court. This includes using proper tools and techniques to collect and preserve the data, documenting the chain of custody, and ensuring that the evidence is not altered or destroyed during the collection process . Both identification and preparation are critical to the success of a digital forensic investigation, as they lay the foundation for the analysis and interpretation of the data. 1.  Identification &   Preparation : The first step is to identify the scope of the investigation and create a plan for the investi...
Post a Comment
Read more