A proactive malicious software identification approach for digital forensic examiners

Abstract

Digital investigators are often assigned cases that seemingly place responsibility on the person to whom the computer belongs, but a thorough examination then proves malware to be the cause, costing precious time. Whilst Anti-Virus (AV) software can assist the investigator in identifying the presence of malware, the increase in zero-day attacks and the errors that exist in AV tools mean that it cannot be relied upon. The aim of this paper is to investigate the behaviour of malware on various Windows operating system versions in order to determine and correlate the relationship between malicious software and OS artefacts. This enables an investigator to identify the presence of new malware more efficiently and provides a starting point for further investigation. The study analysed several versions of the Windows operating system (Windows 7, 8.1 and 10) and monitored, through the Windows Registry, the interaction of 90 malware samples (drawn from the three most prevalent categories: Trojan, Worm and Bot) and 90 benign samples. Analysis of the interactions provided a rich source of knowledge about how various forms of malware interact with key areas of the Registry. Using this knowledge, the study sought to develop an approach that predicts the presence and type of malware through an analysis of the Registry. To this end, different classifiers, namely Neural Network, Random Forest, Decision Tree, Boosted Tree and Logistic Regression, were tested. The Boosted Tree classifier achieved a correct classification rate of over 72%, giving the investigator a simple approach to determining which type of malware might be present, independently of and faster than an antivirus. Modelling these findings and integrating them into an application, or into the forensic analysis of an existing tool, would be useful for digital forensic investigators.
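The pipeline the abstract describes (record a sample's Registry interactions, turn them into features over key Registry areas, train a boosted classifier on malicious versus benign samples) can be illustrated end to end with a small stand-alone script. The following is an added example and is not code from the paper: the watched key areas (Run, Services, Policies, Winlogon), the write-count features, the Process-Monitor-style `op,path` log lines and the labelled samples are all constructed assumptions, and a pure-Python AdaBoost over decision stumps stands in for the paper's Boosted Tree model, whose actual feature set the abstract does not give.

```python
"""Registry-interaction features + boosted-stump classifier (illustrative, not the paper's model)."""
import math
import re
from collections import Counter

# Registry areas whose *writes* become features. Assumption: chosen for illustration only.
KEY_AREAS = {
    "run": re.compile(r"\\CurrentVersion\\Run", re.IGNORECASE),          # Run / RunOnce keys
    "services": re.compile(r"\\CurrentControlSet\\Services\\", re.IGNORECASE),
    "policies": re.compile(r"\\Policies\\", re.IGNORECASE),
    "winlogon": re.compile(r"\\Winlogon", re.IGNORECASE),
}
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
FEATURE_NAMES = [f"writes_{a}" for a in KEY_AREAS] + ["writes_total"]


def parse_events(log_text):
    """Parse constructed 'op,path' lines (one Registry operation per line) into (op, path)."""
    events = []
    for line in log_text.strip().splitlines():
        op, _, path = line.partition(",")
        events.append((op.strip(), path.strip()))
    return events


def features(events):
    """Count writes per watched area plus total writes; reads never count."""
    writes, writes_total = Counter(), 0
    for op, path in events:
        if op in WRITE_OPS:
            writes_total += 1
            for area, pattern in KEY_AREAS.items():
                if pattern.search(path):
                    writes[area] += 1
    return [writes[a] for a in KEY_AREAS] + [writes_total]


def train_boosted_stumps(X, y, rounds=3):
    """AdaBoost over one-feature threshold stumps; labels are +1 (malicious) / -1 (benign)."""
    n, w = len(X), [1.0 / len(X)] * len(X)
    model = []
    for _ in range(rounds):
        best = None  # (weighted error, feature, threshold, polarity, predictions)
        for f in range(len(X[0])):
            for t in sorted({x[f] for x in X}):
                for pol in (1, -1):
                    preds = [pol if x[f] >= t else -pol for x in X]
                    err = sum(w[i] for i in range(n) if preds[i] != y[i])
                    if best is None or err < best[0]:
                        best = (err, f, t, pol, preds)
        err, f, t, pol, preds = best
        alpha = 0.5 * math.log((1 - err) / max(err, 1e-10))  # stump weight
        model.append((f, t, pol, alpha))
        w = [w[i] * math.exp(-alpha * y[i] * preds[i]) for i in range(n)]  # up-weight mistakes
        total = sum(w)
        w = [wi / total for wi in w]
    return model


def predict(model, x):
    score = sum(alpha * (pol if x[f] >= t else -pol) for f, t, pol, alpha in model)
    return 1 if score > 0 else -1


# Constructed training logs (label, events). Paths and process behaviour are made up.
LABELED_LOGS = [
    (+1, r"""RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate
RegCreateKey,HKLM\SYSTEM\CurrentControlSet\Services\wupdsvc
RegSetValue,HKLM\SYSTEM\CurrentControlSet\Services\wupdsvc\ImagePath
RegQueryValue,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"""),
    (+1, r"""RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
RegSetValue,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
RegQueryValue,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
RegOpenKey,HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"""),
    (+1, r"""RegSetValue,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
RegSetValue,HKCU\Software\Classes\Local Settings\MuiCache\helper.exe
RegQueryValue,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion"""),
    (-1, r"""RegOpenKey,HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RegQueryValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive
RegSetValue,HKCU\Software\ExampleVendor\Notes\LastOpened
RegCloseKey,HKCU\Software\ExampleVendor\Notes"""),
    (-1, r"""RegCreateKey,HKCU\Software\ExampleVendor\Editor
RegSetValue,HKCU\Software\ExampleVendor\Editor\WindowPlacement
RegQueryValue,HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname
RegQueryValue,HKCU\Control Panel\Desktop\WindowMetrics
RegOpenKey,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"""),
    (-1, r"""RegQueryValue,HKCU\Control Panel\International\sShortDate
RegSetValue,HKCU\Software\ExampleVendor\Viewer\RecentFiles
RegCloseKey,HKCU\Software\ExampleVendor\Viewer"""),
]

# Constructed held-out logs for checking the trained model.
HELDOUT_MALICIOUS = r"""RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Loader
RegCreateKey,HKLM\SYSTEM\CurrentControlSet\Services\ldrsvc
RegSetValue,HKLM\SYSTEM\CurrentControlSet\Services\ldrsvc\ImagePath
RegQueryValue,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"""
HELDOUT_BENIGN = r"""RegQueryValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive
RegSetValue,HKCU\Software\ExampleVendor\Player\Volume
RegSetValue,HKCU\Software\ExampleVendor\Player\LastFile
RegCloseKey,HKCU\Software\ExampleVendor\Player"""


def train_from_logs(labeled_logs=LABELED_LOGS, rounds=3):
    X = [features(parse_events(log)) for _, log in labeled_logs]
    y = [label for label, _ in labeled_logs]
    return train_boosted_stumps(X, y, rounds)


def classify_log(model, log_text):
    return predict(model, features(parse_events(log_text)))


def describe(model):
    """Human-readable stumps, so an examiner can see which Registry areas drive the verdict."""
    return [f"{FEATURE_NAMES[f]} {'>=' if pol == 1 else '<'} {t} (weight {alpha:.2f})"
            for f, t, pol, alpha in model]


if __name__ == "__main__":
    model = train_from_logs()
    print("\n".join(describe(model)))
    print("held-out malicious ->", classify_log(model, HELDOUT_MALICIOUS))
    print("held-out benign    ->", classify_log(model, HELDOUT_BENIGN))
```

Two points the code makes that the abstract only states: reads of sensitive keys are not evidence (benign software queries Run and Services constantly), so only writes are counted; and the boosted model combines weak rules (a write under Run, a write under Policies, more than one write in total) rather than relying on any single key, which is what lets it flag a sample that persists via a service or policy change without touching Run.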
