Wednesday, January 18, 2012

DFIROnline: Detecting Malware in an Acquired Image

The next DFIROnline meetup is on Thu, 19 Jan 2012, at 8pm EST.  Eric Huber and I will each be presenting, with my presentation being Malware Detection within an Acquired Image (the PDF for the presentation is linked below).  I thought that this would be a good presentation to give, as it seems to be fairly topical.  We'll be focusing on understanding malware and addressing malware detection within an image acquired from a Windows system.

For those attending the presentation tonight, I'm sure that Eric and Mike would appreciate questions, feedback, thoughts and comments.  During the presentation, please feel free to use the available chat windows for any interaction, and also feel free to contact folks via email during or after the presentations.

In particular, please feel free to either volunteer to give presentations, or to offer up ideas and/or requests for material to be covered in these presentations.  Who knows...there might be someone out there with some great material who simply doesn't think that anyone could possibly be interested in what they have to say...and all it takes is one or two people to send in, "...I'd really appreciate hearing more about this topic...".

Finally, a HUGE thanks to Mike for setting this up and providing the resources to make this event possible on a regular basis.

Resources
Presentation PDF for 19 Jan DFIROnline Meetup

Malware page to this blog
Malware Detection Checklist

2 comments:

Ran2(然而) said...

Harlan,

Thanks for the information. In the past, I just mount the image and use AV to scan it and check the AV or Windows event logs/history.

After the autoruns provides the Analyze Offline System option, I use it to locate the malicious binaries from its ASEP. Once suspicious file is located (but a little draw back because it requires write permission, but it helps us to identify quickly), I also export the registry as text to check its creation timestamp.

If malicious binary was found, I upload it to virus total and perform code analysis. If it is a PE file, I also extract its timestamp to help my investigation.

If memory dump is available, I parse the dump using Volatility with mal2find plugin.

As a final note, one case I encountered, the malware started up by a Windows Shortcut file which contains more timestamps of the target, the hard disk volume label and netbios name, but it is not really useful because the link file was created inside a VMware machine. I'll also compare the timeline between all of these time stamps including the timestamps of the spam emails.


Frankie

Don Clifton said...

Harlan,

Thanks for the brief tonight, been doing pentesting and some forensics, but I am moving more to this field and look forward reading your blog and books!