1. Forensic Analysis and Malware Analysis Workstation
For analyzing malicious URLs, suspect Office documents or PDFs, executables, or disk images, the SANS SIFT Workstation with
REMnux tools will be used.
This is a virtual machine installed with a suite of tools needed to analyze these items. Although there are hundreds of tools, not all of
them are necessary for high-level malware or forensic analysis.
Below are the groupings of the tools by purpose, as well as two flowcharts indicating in what order the tools are used and what output is to be
expected from each tool.
Also, three .dd images, a suspicious Office document, a malicious PDF, and a Trojan executable are installed on the SANS SIFT
workstation in order to practice the skills and the use of the tools.
Malware Analysis and Forensic Analysis of Images Tool List
MantaRay – Image Analysis and Deleted File Recovery
Autopsy – Forensic Image Analysis and File Recovery
Kibana – Log Timeline Analysis
Bokken – URL and File Testing
UPX – For unpacking malware
Pyew – File and PDF Analysis for Malware
PEScan – Windows Executable Analysis
ProcDOT – Dynamic Malware Analysis
Thug – URL Collection and Analysis
Burp Suite – URL Analysis and Collection
olevba.py – Embedded Macros in Office Documents
BEViewer – Gathers information off of forensic images (viewer for bulk_extractor output)
Strings – Pulls cleartext from files
GHex – Raw hexadecimal view of files and images
Scalpel – Pulls data off of images via the command line, or parses damaged images
- Forensics
   o MantaRay – recovers deleted files, creates timelines
   o Autopsy – analysis of forensic images
   o BEViewer / bulk_extractor – pulls email addresses, phone numbers, URLs
   o Scalpel – for analyzing images or damaged files not viewable in Autopsy or MantaRay
   o Log2Timeline/Plaso – part of MantaRay
   o GHex
- Malware analysis
   o Suspicious URL
      thug.py -FZM www.yahoo.com ... output is written to /var/log/thug
      Burp Suite
      JSDetox
   o Static
      Bokken – GUI interface that can analyze the following:
         Websites
         Executables
         PDF files
      PEScan – scans executables and provides information
      PEFrame
      Pyew
         Commands
         o imports – more details on the malware's imported functions
         o urls – shows URLs inside a piece of malware
         o packer – shows whether the malware is "packed"
         o threat – sends the MD5 hash to VirusTotal
         o pdfview – only for using pyew to analyze PDF files
      UPX
      GHex
   o Document Analysis
      olevba.py – for Office document macros
      JSDetox – for obfuscated JavaScript
      PDFxtract – for PDF files
      peepdf -i – PDF document analysis (interactive console)
      Pyew – PDF and Windows executable analysis
      swfdump – to pull .swf files out of PDF files
   o Dynamic
      - Need a VM to infect
      - Need to tailor the VM so that the malware does not detect that it is running in a VM for analysis
3. Static Analysis of Suspicious URLs and Malware Flowchart
Is this an executable, URL, Office document, or PDF?
- URL
   o Use thug.py -FZM www.xxxxxx.com to pull the website and analyze it
- Executable
   o Use PEFrame and Pyew to analyze
   o Is it packed? If yes, unpack using UPX or another tool; if no, continue
   o Use "strings" to find cleartext
   o Use XORSearch or NoMoreXOR to find hidden strings
- Office Document
   o Use olevba.py to find suspicious macros
- PDF
   o Use "pyew" to analyze; use the "pdfview" option to view any suspicious JavaScript
   o May need to use JSDetox to de-obfuscate the JavaScript
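The executable branch of the flowchart above, and the pyew "packer" / "strings" / XORSearch steps in the tool list, carried out by hand so the checks behind those tools are visible. This is an added example, not part of the original course material and not code from any of the listed tools. It runs against a constructed PE-shaped blob (minimal headers, not a runnable binary); the cleartext URL, the hidden path and the XOR key 0x5A are all constructed for the demo.

```python
from __future__ import annotations
import re
import struct

E_LFANEW_OFFSET = 0x3C  # offset of the e_lfanew field in the DOS header


def classify(data: bytes) -> str:
    """First decision of the flowchart: which branch does this artifact belong to?"""
    if data.startswith(b"MZ"):
        return "executable"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):  # OLE2 container (.doc/.xls)
        return "office"
    if data.startswith(b"PK\x03\x04"):  # OOXML (.docm/.xlsm) is a ZIP container
        return "office"
    if re.match(rb"https?://", data):
        return "url"
    return "unknown"


def pe_section_names(data: bytes) -> list[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("MZ file without a PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    opt_header_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_header_size
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]  # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """UPX renames sections to UPX0/UPX1 and leaves a 'UPX!' marker; either is a strong hint."""
    return any(n.startswith("UPX") for n in pe_section_names(data)) or b"UPX!" in data


def strings(data: bytes, min_len: int = 4) -> list[str]:
    """What the `strings` tool does: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def xor_search(data: bytes, needle: bytes) -> list[tuple[int, int]]:
    """XORSearch-style brute force: try all 256 single-byte keys and report (key, offset)
    for every key under which the needle appears. Key 0 means it was cleartext."""
    hits = []
    for key in range(256):
        off = xor_decode(data, key).find(needle)
        if off != -1:
            hits.append((key, off))
    return hits


def triage(data: bytes) -> dict:
    """Run the executable branch of the flowchart and collect what each step yields."""
    kind = classify(data)
    report = {"type": kind}
    if kind == "executable":
        report["sections"] = pe_section_names(data)
        report["packed"] = is_upx_packed(data)
        report["cleartext_urls"] = [s for s in strings(data) if s.startswith("http")]
    return report


def build_sample_pe(section_names: list[bytes], body: bytes) -> bytes:
    """Constructed PE-shaped sample for the demo; headers are minimal, not a runnable binary."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)  # PE header right after the 64-byte DOS header
    optional = b"\x00" * 224                             # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(optional), 0x102)
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return bytes(dos) + b"PE\x00\x00" + coff + optional + sections + body


XOR_KEY = 0x5A                                   # assumed key used by the constructed sample
CLEAR_URL = b"http://example.invalid/gate.php"   # constructed URL left in cleartext
HIDDEN = b"C:\\Windows\\Temp\\dropper.exe"        # constructed path the sample hides with XOR
PACKED_SAMPLE = build_sample_pe(
    [b"UPX0", b"UPX1", b".rsrc"],
    CLEAR_URL + b"\x00" + xor_decode(HIDDEN, XOR_KEY) + b"\x00UPX!")
PLAIN_SAMPLE = build_sample_pe([b".text", b".rdata", b".data"], CLEAR_URL)

if __name__ == "__main__":
    print(triage(PACKED_SAMPLE))
    print("strings:", strings(PACKED_SAMPLE))
    for key, off in xor_search(PACKED_SAMPLE, b"dropper.exe"):
        print(f"XOR key 0x{key:02x} at offset {off}:", strings(xor_decode(PACKED_SAMPLE, key)))
```

Note the order: the cleartext `strings` pass finds the URL but only junk fragments of the XOR-encoded path, which is exactly why the flowchart follows `strings` with XORSearch or NoMoreXOR. A hit at key 0 from `xor_search` is the plaintext case; anything else is a candidate key to decode the whole sample with and run `strings` again.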
4. Forensic Analysis of Workstation Image
Obtain the disk image via external media (DVD or external USB)
Determine the format:
- FTK – image type from Forensic Toolkit (FTK) Imager
- DD – raw image. For mounting a .dd image, right-click it and choose Drive Mounter
- VMDK – virtual machine image
Determine the partition for analysis: mmls command
Tools:
- Autopsy – GUI interface, retrieves deleted files
- GHex – raw look at files and disk images
- Scalpel – command line, for damaged or unmountable images
- MantaRay – GUI interface
   o Supertimeline – pulls all logs and creates a timeline of activity
   o Foremost – recovers deleted files and separates them into folders
   o bulk_extractor / BEViewer – extracts emails, URLs, telephone numbers, etc. from images
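The "Determine Format" and "Determine Partition" steps of the flowchart above, done by hand so the logic behind the `mmls` output and the byte offset Drive Mounter needs is visible. This is an added example, not part of the original course material and not the SIFT or Sleuth Kit code. The MBR-only image is constructed inline and is not real evidence; the mount line assumes a Linux read-only loop mount of a raw .dd image, and the image path and mount point are placeholders.

```python
from __future__ import annotations
import struct

SECTOR = 512
EWF_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"     # .E01 (Expert Witness Format) segment file signature
VMDK_SPARSE_MAGIC = b"KDMV"                # VMDK sparse extent header
VMDK_DESCRIPTOR = b"# Disk DescriptorFile"  # text VMDK descriptor file
MBR_SIGNATURE = b"\x55\xaa"                # boot signature at offset 510 of a raw image

PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS / exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def image_format(header: bytes) -> str:
    """Determine Format step: E01 (FTK Imager), VMDK, or a raw DD image carrying an MBR."""
    if header.startswith(EWF_MAGIC):
        return "E01"
    if header.startswith(VMDK_SPARSE_MAGIC) or header.startswith(VMDK_DESCRIPTOR):
        return "VMDK"
    if header[510:512] == MBR_SIGNATURE:
        return "DD"
    return "unknown"


def mmls(image: bytes) -> list[dict]:
    """Determine Partition step: parse the four primary MBR entries the way `mmls` reports them."""
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR boot signature; not a raw DOS-partitioned image")
    layout = []
    for slot in range(4):
        entry = image[446 + 16 * slot: 446 + 16 * (slot + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, start, length = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        layout.append({
            "slot": slot,
            "type_id": ptype,
            "description": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "bootable": bool(status & 0x80),
            "start": start,
            "end": start + length - 1,
            "length": length,
            "byte_offset": start * SECTOR,  # what a loop mount (or Drive Mounter) needs
        })
    return layout


def mount_command(image: bytes, slot: int, image_path: str, mount_point: str) -> str:
    """Read-only loop mount of one partition (assumed Linux mount syntax)."""
    part = next(p for p in mmls(image) if p["slot"] == slot)
    return f"mount -o ro,loop,offset={part['byte_offset']} {image_path} {mount_point}"


def build_sample_image() -> bytes:
    """Constructed MBR-only image: slot 0 bootable NTFS, slot 1 Linux. Not real evidence."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 2048, 204800)   # NTFS, 100 MiB
    struct.pack_into("<B3xB3xII", mbr, 462, 0x00, 0x83, 206848, 40960)  # Linux, 20 MiB
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


SAMPLE_DD = build_sample_image()

if __name__ == "__main__":
    print("format:", image_format(SAMPLE_DD))
    print(f"{'Slot':>4} {'Start':>10} {'End':>10} {'Length':>10}  Description")
    for p in mmls(SAMPLE_DD):
        print(f"{p['slot']:>4} {p['start']:>10} {p['end']:>10} {p['length']:>10}  {p['description']}")
    print(mount_command(SAMPLE_DD, 0, "workstation.dd", "/mnt/windows_mount"))
```

The byte offset is the start sector times 512, which is why `mmls` is run before mounting: a raw image cannot be mounted whole, only a partition at its offset. An E01 or VMDK must be converted or exposed as a raw device first, since the signatures show there is no MBR at byte 446 of those containers.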