July 31, 2012

Sharing of Forensically Interesting Objects

As I go through various forensic cases and malware studies, I often find myself producing memory dumps of the host systems under examination.  I also dump registry hives and other objects related to my analysis.  I gave some thought as to whether there would be a benefit to the community in my sharing of these objects.  A few months back, I had a nice email exchange with Harlan Carvey of the Windows Incident Response blog.  We discussed various ways in which the malware analysis community could better collaborate with the forensics community, particularly in the area of sharing objects for analysis.  I had mentioned my thoughts as far as sharing memory dumps and other objects from various malware cases that I was working on.  Harlan encouraged me to move forward on this, and provide forensically "interesting" objects, just short of a disk image that would require Microsoft licensing.

So going forward, I will be posting analysis of various malware, along with objects consisting of memory dumps, registry hives, pcaps, and anything else that might be interesting.  You can use analysis tools such as Volatility or Mandiant's Redline with the memory dumps, while RegRipper is a very cool tool to use on registry hives.  It would be great to hear feedback on how you'll be using these objects, and the tools used in your analysis.
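When memory dumps, hives and pcaps are handed to other analysts, the one thing every recipient wants is a way to confirm the objects arrived unchanged before loading them into Volatility or RegRipper. The following script is an added example, not code from this blog or from any of the tools it mentions: it writes a `MANIFEST.json` of sizes and SHA-256 digests for a bundle of shared objects and re-verifies it, using small constructed stand-in files (the names and contents are hypothetical) so it runs offline.

```python
import hashlib
import json
import os
import tempfile

# Constructed stand-ins for a memory dump, a registry hive and a pcap.
# Names and contents are hypothetical, not objects from the blog.
SAMPLE_OBJECTS = {
    "memory.dmp": b"\x00" * 4096 + b"MDMP-placeholder",
    "SYSTEM.hive": b"regf" + b"\x01" * 512,
    "capture.pcap": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20,
}

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte memory dumps do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory):
    """Return {name: {"size": ..., "sha256": ...}} for every regular file in directory."""
    manifest = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and name != MANIFEST_NAME:
            manifest[name] = {
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            }
    return manifest


def write_manifest(directory):
    """Hash the bundle and store the result beside the objects."""
    manifest = build_manifest(directory)
    with open(os.path.join(directory, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_manifest(directory):
    """Return the sorted names of objects that are missing, modified, or not listed."""
    with open(os.path.join(directory, MANIFEST_NAME)) as f:
        expected = json.load(f)
    actual = build_manifest(directory)
    mismatches = [name for name, entry in expected.items() if actual.get(name) != entry]
    mismatches += [name for name in actual if name not in expected]
    return sorted(mismatches)


def demo():
    """Build a bundle, write its manifest, tamper with one object, and re-verify.

    Returns (mismatches_before_tampering, mismatches_after_tampering).
    """
    bundle = tempfile.mkdtemp()
    for name, data in SAMPLE_OBJECTS.items():
        with open(os.path.join(bundle, name), "wb") as f:
            f.write(data)
    write_manifest(bundle)
    clean = verify_manifest(bundle)
    # Simulate a corrupted or altered hive in transit.
    with open(os.path.join(bundle, "SYSTEM.hive"), "ab") as f:
        f.write(b"tampered")
    tampered = verify_manifest(bundle)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Publish the manifest alongside the objects (or in the post itself) so a reader can run `verify_manifest` on the downloaded directory; the chunked hashing keeps memory use flat even for full physical-memory dumps.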

I'll rely on the community to let me know what is useful, and what else they might like to see.  I'd also be happy to take in any samples or items for analysis, which I'll post, as well as the objects.  None of what I post here will be related to my day job. It will be only what I research for myself, my other efforts, or as part of DeepEnd Research.

Please feel free to contact me with any ideas or suggestions. I'm looking forward to making this a useful resource for all who are interested!  Many thanks to Harlan for the encouragement!


4 comments:

H. Carvey said...

Andre,

I look forward to seeing what it is you have to offer.

H. Carvey said...

Andre,

I think that this goes back to what we discussed previously.

When conducting malware analysis, it might be useful to have the output of fls for the volume in which the volume was executed, the Registry hives, (Windows) Event Log data (depends on version), Prefetch folders, etc.

Andre M. DiMino said...

Thanks Harlan,
I'll look to provide as much of that as I can. I also want to have the analysis machine represent a typical user environment and infection vector.

I'll have a post up very soon on the analysis of Cridex using Volatility. However, for this post I'll only be posting the memory dump, as this time I didn't extract the other artifacts to match the running system.

In future posts I'll be taking on your suggestions, as well as those of others.

Anonymous said...

This is a great idea! I just started a personal project where I am collecting known FS artifacts of various types of malware so I can learn more about how different malware infects systems.

I am hoping to use some type of ML classifier to help me with this, but I'm still in the planning stages. If this sounds of any interest, I would be happy to contribute.

Thanks,
Omar