
Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic Investigation Purposes

Conference paper, Digital Forensics and Cyber Crime (ICDF2C 2012)

Abstract

Digital forensic investigators commonly use dynamic malware analysis methods to analyze a suspect executable found during a post-mortem analysis of the victim's computer. Unfortunately, currently proposed dynamic malware analysis methods and sandbox solutions have a number of limitations that may lead investigators to ambiguous conclusions. This research highlights the limitations of current dynamic malware analysis methods when they are used in digital forensic investigations. It then proposes a method for profiling dynamic kernel memory that complements currently proposed dynamic profiling techniques. The proposed method allows investigators to automate the identification of malicious kernel objects during a post-mortem analysis of the victim's acquired memory. The method is implemented in a prototype malware analysis environment that automates the profiling of malicious kernel objects and assists malware forensic investigation. Finally, a case study demonstrates the efficacy of the proposed approach.



Copyright information

© 2013 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

Cite this paper

Shosha, A.F., James, J.I., Hannaway, A., Liu, CC., Gladyshev, P. (2013). Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic Investigation Purposes. In: Rogers, M., Seigfried-Spellar, K.C. (eds) Digital Forensics and Cyber Crime. ICDF2C 2012. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 114. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39891-9_5


  • DOI: https://doi.org/10.1007/978-3-642-39891-9_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39890-2

  • Online ISBN: 978-3-642-39891-9
