
Module 3

3 Forensics Investigation
3.1 Analyzing Hard Drive Forensic Images, Analyzing RAM Forensic Image, Investigating Routers
3.2 Malware Analysis - Malware, Viruses, Worms, Essential skills and tools for Malware Analysis, List of Malware Analysis Tools and Techniques

Hard Drive Analysis

RAM Analysis

RAM capture is the process of capturing live memory from a running computer system. RAM analysis consists of performing forensic analysis on the data gathered from the live computer.

After conducting a memory dump on a live machine to capture RAM, the memory image can be used to determine information about running programs, the operating system, and the overall state of the computer, as well as to locate deleted or temporary information that might otherwise not be found on a normal disk image.

Until recently, RAM capture and analysis were not a mandatory step in investigations, or even in triage situations where analysts were attempting to gather forensic data on site. However, with new tools that allow entry into locked systems and with the growing importance of temporary files, RAM analysis is quickly becoming a pivotal and mandatory part of the digital forensics process.

Volatile memory access is useful in law enforcement situations where data would be lost by powering off a suspect machine. The longer a machine is off, the more data is lost.

The following can be found using RAM capture: processes, network connections, open files, configurations, encryption keys, open/active registry keys, exploit-related information, zero-day attacks and rootkits, and kernel-level structures.
RAM Analysis Tools:
Volatility: A tool capable of analyzing RAM from a memory dump image file.

Volix: A tool that provides a GUI for Volatility.

RAM Capture Tools:

DumpIt:

DumpIt is a fusion of two trusted tools, win32dd and win64dd, combined into one executable. DumpIt is designed to be provided to a non-technical user on a removable USB drive. The person simply needs to double-click the DumpIt executable and allow the tool to run. DumpIt will then take a snapshot of the host's physical memory and save it to the folder where the DumpIt executable is located.

DumpIt provides a convenient way of obtaining a memory image of a Windows system even if the investigator is not physically sitting in front of the target computer. It is so easy to use that even a naïve user can do it. It is not appropriate for all scenarios, but it will definitely make memory acquisition easier in many situations.
Investigating Routers
● Routers play many different roles during incidents. They can be targets of attack, stepping-stones for attackers, or tools for use by investigators. They can provide valuable information and evidence that allow investigators to resolve complex network incidents.
● Routers are more likely to be springboards for attackers during network penetrations. The information stored on routers, e.g. passwords, routing tables, and network block information, makes routers a valuable first step for attackers bent on penetrating internal networks.
OBTAINING VOLATILE DATA PRIOR TO POWERING DOWN
● Routers have little data-storage capability. The only real data saved in NVRAM is the configuration of the router itself, and this configuration is likely not the same configuration the router uses while it is running.
● The system state information in memory—such as current routing tables, listening services, and current passwords—will be lost if the router is powered down or rebooted.
● Investigative steps will allow you to determine if the router configuration is not as expected, indicating a compromise of the router.
● Establishing a Router Connection: The best way to access the router is from the console port.
● If console access is unavailable, a dialup connection or an encrypted protocol such as Secure Shell (SSH) is a better choice than telnet.
● When establishing a connection to the router, make sure to log the entire session.
● Recording System Time: One of your first steps should be to record the system time. Use the show clock command to get the system time.
● Determining Who Is Logged On: Use either the show users or the systat command to produce results such as these:
  ○ cisco_router>show users
  ○ Line User Host(s) Idle Location
● Determining the Router's Uptime: The time that the system has been online since the last reboot can also be important. Use the show version command to capture this information.
● Determining Listening Sockets: Routers have limited functionality compared to many other technologies, which makes them considerably harder for attackers to exploit.
● Nevertheless, routers do provide a number of services that allow remote connections; telnet is the best known.
● One way to discover whether there are any access paths into a router that you don't know about is to determine which ports (sockets) are listening on the router.
● To determine which services are running on the router, use an external port scanner or examine the configuration file.
  ○ C:\ScanLine>sl -p -t 1-65535 -u 1-65535 10.0.2.244
    ■ Scan of 1 IP started at Sat May 17 14:21:04 2003
    ■ ----------------------------------------------------------------------
    ■ 10.0.2.244
    ■ Responds with ICMP unreachable: Yes
    ■ TCP ports: 23 79 80
    ■ UDP ports: 161
● Saving the Router Configuration: Router configurations are generally straightforward. All configuration information for Cisco routers is stored in a single configuration file. This configuration rules all aspects of the router's behavior, and it is stored in NVRAM. The router uses this stored configuration when it boots.
● To save the configuration files, you must have enable (privileged) level access to the router. Use the show running-config command or the equivalent (but older) write terminal command to view the configuration currently loaded on the router.
  ○ cisco_router#show running-config
● Reviewing the Routing Table: The routing table contains the blueprint of how the router forwards packets. If an attacker can manipulate the routing table, the attacker can change where packets are sent.
● To view the routing table:
  ■ cisco_router#show ip route
● Checking Interface Configurations: Information about the configuration of each of the router's interfaces is available via the show ip interface command.
● Viewing the ARP Cache: cisco_router#show ip arp


FINDING THE PROOF:
● Incidents that involve routers can be categorized as follows:
  ○ Direct compromise
  ○ Routing table manipulation
  ○ Theft of information
  ○ Denial of service
Handling Direct-Compromise Incidents
● Direct compromise of the router is any incident where an attacker gains interactive or privileged access to the router.
● Direct compromise provides the attacker with control of the router and access to the data stored on the router.
● Administrative access to the router is available in a surprisingly large number of ways, including telnet, console, SSH, web, Simple Network Management Protocol (SNMP), modem, and TFTP access.
● This is especially dangerous because the router is often allowed access to internal networks, even though a firewall may block all other access to internal networks.
Investigating a Direct-Compromise Incident
● Listening Services: The list of interfaces should tell you if the router has modem access.
● Passwords: Routers can have different passwords for different services, such as telnet, SNMP, and enable access.
● Other Compromise Possibilities: Anyone with console access to the router can gain administrative access to the box through a reboot and the appropriate procedures.
Handling Routing Table Manipulation Incidents
● Routers can use a variety of protocols to update their routing tables, including RIP, Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Interior Gateway Routing Protocol (IGRP), Border Gateway Protocol (BGP), and so on.
● These protocols communicate information about the best path between networks to neighbour routers, and they have varying degrees of security.

Investigating Routing Table Manipulation Incidents
● Determining the current routing table is as simple as reviewing the output of the show ip route command.
● If any of the routes do not pass the common sense test, or if packets appear to be routed through distant networks, then careful investigation is required.
● If unfamiliar static routes appear in the routing table, then the router may have suffered direct compromise.
● Recovering from Routing Table Manipulation Incidents: Temporary recovery from routing table attacks is simple: remove unwanted static routes and reboot the router.
● Authentication of routing protocol updates should be enabled.

Handling Theft of Information Incidents
● Stealing data from routers is difficult, since little data exists on the router.
● The information that is on the router is related to network topology and access control.
● Typical information that attackers gain from routers includes password, routing, and topology information.
● The recovery from this data theft is to change passwords, avoid password reuse, and limit the ability of attackers to obtain sensitive information.
● A common problem that we see is the SNMP service enabled with the default community string (password) of public. With this service enabled, an attacker can gain a great deal of sensitive network information.
● Internet attackers can even learn the hosts and IP ranges on internal networks.
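The review steps above (unfamiliar static routes, default SNMP community strings, clear-text management services) can be applied to a logged show running-config session. This is an added example, not code from the slides; the configuration text and the list of known routes are constructed for illustration.

```python
import re

# Constructed sample of a captured "show running-config" session; not from a real router.
SAMPLE_CONFIG = """\
hostname cisco_router
!
ip route 10.20.0.0 255.255.0.0 10.0.2.1
ip route 192.168.50.0 255.255.255.0 203.0.113.9
!
snmp-server community public RO
ip http server
!
line vty 0 4
 transport input telnet ssh
"""

# Static routes the network team documents as legitimate (assumed for this example).
KNOWN_STATIC_ROUTES = {("10.20.0.0", "255.255.0.0", "10.0.2.1")}

def audit_config(config, known_routes=KNOWN_STATIC_ROUTES):
    """Return findings from running-config text, mirroring the slide's checks:
    unfamiliar static routes (routing table manipulation), default SNMP
    community (theft of information) and clear-text management services
    (direct compromise)."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip route (\S+) (\S+) (\S+)", line)
        if m and m.groups() not in known_routes:
            findings.append("unfamiliar static route: " + line)
            continue
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append("default SNMP community string: " + line)
        elif line.startswith("transport input") and "telnet" in line.split():
            findings.append("clear-text telnet management enabled: " + line)
        elif line == "ip http server":
            findings.append("clear-text HTTP management enabled: " + line)
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```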
Handling Denial-of-Service (DoS) Attacks
DoS attacks are often directed at routers. If an attacker can force a router to stop forwarding packets, then all hosts behind the router are effectively disabled.

DoS attacks fall into several basic categories:
● Destruction: Attacks that destroy the ability of the router to function, such as deleting the configuration information or unplugging the power.
● Resource consumption: Attacks that degrade the ability of the router to function, such as by opening many connections to the router simultaneously.
● Bandwidth consumption: Attacks that attempt to overwhelm the bandwidth capacity of the router's network.
Investigating DoS Attacks
● If the router is not working at all, it is probably a destruction attack. Check the obvious problems first: power, cables, and configuration.
● Is the router sporadically rebooting, or is performance uniformly degraded?
  ○ A sporadically rebooting router is probably the result of a point-to-point attack—one directed at the router.
● Uniformly degraded performance may be either a resource- or bandwidth-consumption attack. In either case, a network sniffer will reveal details.
● A flood of packets directed to the router can also cause degradation. If the router has open ports, then an overabundance of SYN or similar packets may adversely impact the performance of the router.
● Alternatively, even if the router has no open ports, a flood of traffic may impact the router or use the bandwidth such that network performance is significantly degraded.
Recovering from DoS Attacks
● Usually, DoS attacks do not involve compromise of the router; rather, they are
composed of unwanted packets sent to or through the router. Recovery usually
consists of a combination of the following measures:

○ Eliminate listening services.

○ Upgrade software to the latest version.

○ Restrict access to listening services using ACLs.

○ Implement ACLs to limit malicious traffic.


USING ROUTERS AS RESPONSE TOOLS: ACLs
● Understanding Access Control Lists (ACLs)
  ○ ACLs are mechanisms that restrict traffic passing through the router. Packets can be restricted based on a dazzling array of attributes, including (but not limited to) the following:
    ■ Protocol
    ■ Source or destination IP address
    ■ TCP or UDP source or destination port
    ■ TCP flag
    ■ ICMP message type
    ■ Time of day

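To show how first-match ACL evaluation over the attributes listed above works, here is an added example (not code from the slides or from any router vendor): a small evaluator with a constructed ACL that blocks telnet to the router, admits only established TCP into the internal network, drops inbound ICMP echo requests, and permits SNMP only from an assumed management station. Time-of-day matching is left out.

```python
from ipaddress import ip_address, ip_network

# Constructed ACL in first-match order. Each entry lists the fields it matches;
# a missing field means "any". Addresses and ports are illustrative only.
ACL = [
    # Deny telnet (TCP/23) to the router's management address.
    {"action": "deny", "proto": "tcp", "dst": "10.0.2.244/32", "dport": 23},
    # Permit TCP into the internal network only when ACK is set (established traffic).
    {"action": "permit", "proto": "tcp", "dst": "10.0.0.0/8", "flags": {"ACK"}},
    # Deny ICMP echo requests (type 8) to internal hosts.
    {"action": "deny", "proto": "icmp", "dst": "10.0.0.0/8", "icmp_type": 8},
    # Permit SNMP (UDP/161) to the router only from the assumed management station.
    {"action": "permit", "proto": "udp", "src": "10.0.2.10/32",
     "dst": "10.0.2.244/32", "dport": 161},
]

def _match(entry, pkt):
    """True if every field present in the ACL entry matches the packet."""
    if entry.get("proto") and entry["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        if entry.get(key) and ip_address(pkt[key]) not in ip_network(entry[key]):
            return False
    for key in ("sport", "dport", "icmp_type"):
        if entry.get(key) is not None and entry[key] != pkt.get(key):
            return False
    if entry.get("flags") and not entry["flags"] <= pkt.get("flags", set()):
        return False
    return True

def evaluate(acl, pkt):
    """Walk the ACL in order; the first matching entry wins, with an implicit
    deny at the end, as on Cisco routers."""
    for entry in acl:
        if _match(entry, pkt):
            return entry["action"]
    return "deny"

if __name__ == "__main__":
    syn = {"proto": "tcp", "src": "198.51.100.7", "dst": "10.1.1.5", "dport": 443, "flags": {"SYN"}}
    print(evaluate(ACL, syn))  # new inbound connection attempt: denied
```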
In the bustling city of Cyberhaven, a leading technology company, Quantum
Innovations, has been at the forefront of groundbreaking research and development in
the field of artificial intelligence. Recently, the company discovered that sensitive
intellectual property related to their upcoming flagship project has been leaked to a rival
company, Cybertech Solutions. Quantum Innovations suspects an inside job and
contacts law enforcement to investigate the case.

Details of the Crime:

Quantum Innovations' suspicions are confirmed when they find evidence of unauthorized access to their secure servers and a covert transfer of critical project files. The leaked information includes proprietary algorithms, source code, and confidential research findings. The company believes this theft is part of a corporate espionage scheme aimed at undermining their competitive advantage.

Malware
Malware is a catch-all term for any type of malicious software designed to harm or exploit any programmable device, service or network.
• Adware: Software that bombards the victim with advertisements.
• Spyware: Software that obtains sensitive information about a victim or exerts control over a device without their knowledge.
• Virus: Malicious software that inserts itself into other programs.
• Worm: Software that spreads by itself through network connections.
• Trojan: Malicious software that presents itself as another legitimate program.
• Backdoors: Software that opens a network connection on the victim's device so the attacker can gain access later.
• Keyloggers: Software that records all the keystrokes an individual inputs into their device's keyboard.
• Ransomware: Software that encrypts the user's files on a system so the attacker can demand a ransom to unlock the user's files.
Virus
A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user.

“A program that replicates by ‘infecting’ other programs, so that they contain a copy of the virus.”

Viral code is attached or “inserted” into the order of execution so that when the legitimate code is run, the viral code is also run, or is run instead of the legitimate code.

It may be “appended” to the end of an executable file or inserted into unused program space.

The legitimate code must be modified so that execution branches (is vectored) to the viral code.

Viruses generally do not damage the original program or the hardware, although they:
– may damage data files
– “trash” firmware
– mess up boot records

For this reason most can be cleaned up with anti-virus software.


Worms
Worms are a subset of viruses: rather than attaching to a file like a virus, a worm copies itself across the network without attachment.
A worm infects the environment rather than specific objects.
Examples: Morris Worm, WANK, CHRISTMA EXEC
Malware Analysis Types
1. Basic Static Analysis: The basic method of static analysis examines the suspected malware program without running it, by scanning it with antivirus, hashing it, and detecting whether the program is packed or obfuscated.
2. Advanced Static Analysis: Advanced static analysis goes further, analyzing the program's strings, linked libraries and functions, and disassembling it with the IDA (Interactive Disassembler).
3. Basic Dynamic Analysis: Basic dynamic analysis builds a virtual machine to be used as the place in which the malware is run and analyzed. In addition, the malware is run in a malware sandbox, its processes are monitored, and the network packets it generates are analyzed.
4. Advanced Dynamic Analysis: Advanced dynamic analysis goes further, debugging the malware, analyzing the registry, and analyzing the malware's effects on a Windows system.
5. Malware Analysis Report: From the results of the static and dynamic analysis methods, a report on the characteristics of the malware is produced.
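The basic static analysis step above (hashing, packing detection, strings) can be done with the Python standard library alone; this is an added example, not code from the slides. The two sample byte strings are constructed stand-ins for a binary, not real malware, and the entropy threshold is an assumed heuristic value.

```python
import hashlib
import math
import re

def file_hashes(data):
    """MD5/SHA-1/SHA-256 of the sample: the identifiers used to look it up elsewhere."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; packed or encrypted content sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_packed(data, threshold=7.0):
    """Packing/obfuscation heuristic: very high entropy over the whole sample.
    The threshold is an assumed value; real tools measure per section."""
    return shannon_entropy(data) >= threshold

def extract_strings(data, min_len=5):
    """Printable ASCII runs, the same idea as the 'strings' step of static analysis."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def basic_static_report(data):
    """Combine the three checks into the fields a basic static report would carry."""
    return {"hashes": file_hashes(data), "entropy": round(shannon_entropy(data), 3),
            "packed": looks_packed(data), "strings": extract_strings(data)}

# Constructed samples (not real binaries): one with readable imports and a URL,
# one whose byte distribution is perfectly uniform, as packed data tends to be.
PLAIN_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 40 + b"kernel32.dll\x00"
                b"CreateRemoteThread\x00http://example.invalid/upd\x00")
PACKED_SAMPLE = bytes(range(256)) * 16

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, basic_static_report(sample))
```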
Malware Analysis tools
PeStudio

Process Hacker

Process Monitor (ProcMon)

ProcDot

Autoruns

Fiddler

Wireshark

x64dbg

Ghidra

Radare2/Cutter

Cuckoo Sandbox
