Part 2.3: Malware Analysis: Static Analysis

Static analysis is the technique of analyzing the suspect file without executing it. It is an initial analysis method that involves extracting useful information from the suspect binary to make an informed decision on how to classify or analyze it and where to focus your subsequent analysis efforts.


In this part you will learn the following:

Identifying the malware's target architecture

Fingerprinting the malware

Scanning the suspect binary with anti-virus engines

Extracting strings, functions, and metadata associated with the file

Identifying the obfuscation techniques used to thwart analysis

Classifying and comparing the malware samples


Identifying File Type Using Manual Method

The manual method of determining the file type is to look for the file signature by opening it in a hex editor. A Windows executable (PE file) begins with the two bytes 4D 5A, which are the ASCII characters MZ, as the first line of the hex dump shows:

$ xxd -g 1 log.exe | more

0000000: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............

Identifying File Type Using Tools

$ file mini

mini: PE32 executable (GUI) Intel 80386, for MS Windows

$ file notepad.exe

notepad.exe: PE32+ executable (GUI) x86-64, for MS Windows


CFF Explorer reveals the file type as well; the screenshot that followed is not reproduced on this page.
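The checks behind the xxd and file output above, written out as an added Python example (not code from the original post): it looks for the MZ signature, follows the e_lfanew field at offset 0x3C to the PE signature, reads the Machine field of the COFF header to identify the target architecture, and reads the optional header Magic to tell PE32 from PE32+, then prints a line in the same style as the file command. It also computes the hashes used for fingerprinting the sample. The build_sample() helper, the function names and the constructed header bytes are my own for offline testing; they are not from the post, and the samples are not real programs.

```python
import hashlib
import struct

# COFF header Machine values (IMAGE_FILE_HEADER.Machine) for the common targets.
MACHINE_NAMES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
# Optional header Magic values that distinguish PE32 from PE32+.
PE_FORMATS = {0x10B: "PE32", 0x20B: "PE32+"}
# Subsystem field (optional header offset 68 in both PE32 and PE32+).
SUBSYSTEMS = {2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000


def identify_pe(data: bytes) -> dict:
    """Classify a file from its header bytes: MZ -> e_lfanew -> PE\\0\\0 -> COFF -> optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ present but no PE signature (plain DOS program or truncated file)")
    # The 20-byte COFF file header follows the 4-byte PE signature.
    machine, nsections, _ts, _sym, _nsym, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 70 or opt_off + 70 > len(data):
        raise ValueError("optional header missing or truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in PE_FORMATS:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]
    return {
        "format": PE_FORMATS[magic],
        "machine": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})"),
        "subsystem": SUBSYSTEMS.get(subsystem, f"other ({subsystem})"),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "sections": nsections,
    }


def describe(data: bytes) -> str:
    """Render identify_pe() output in the style of the `file` command."""
    info = identify_pe(data)
    kind = "DLL" if info["is_dll"] else "executable"
    return f"{info['format']} {kind} ({info['subsystem']}) {info['machine']}, for MS Windows"


def fingerprint(data: bytes) -> dict:
    """Hashes used to look a sample up in anti-virus and threat-intel databases."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def build_sample(machine: int, magic: int, subsystem: int = 2, dll: bool = False) -> bytes:
    """Constructed minimal PE header (hypothetical, not a real program) for exercising identify_pe()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after the DOS header
    opt_size = 96 if magic == 0x10B else 112             # standard optional header sizes without data directories
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)  # IMAGE_FILE_EXECUTABLE_IMAGE, plus DLL flag
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read(4096)  # the headers sit in the first few KB of the file
        print(describe(blob))
        print(fingerprint(blob))
    else:
        for sample in (build_sample(0x014C, 0x10B), build_sample(0x8664, 0x20B, 3)):
            print(describe(sample), fingerprint(sample)["sha256"][:16])
```

Run it with a path to a binary to get a file-style description and the hashes, or with no arguments to see the two constructed samples classified as a 32-bit GUI executable and a 64-bit console executable. Only the first 4 KB are read, because everything the classification needs lives in the headers.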




