Malware Analysis Scenario Case Study
Every module has a Module Definition Form (MDF) which is the officially validated record of the module. You can access the MDF for this module in three ways via:
• the Virtual Learning Environment (VLE)
• the My.Anglia Module Catalogue at www.anglia.ac.uk/modulecatalogue
• Anglia Ruskin's module search engine facility at www.anglia.ac.uk/modules
All modules delivered by Anglia Ruskin University at its main campuses in the UK and at Associate Colleges throughout the UK and overseas are governed by the Academic Regulations. You can view these at www.anglia.ac.uk/academicregs. A printed extract of the Academic Regulations, known as the Assessment Regulations, is available for every student from your Faculty Office (all new students will have received a copy as part of their welcome pack).
In the unlikely event of any discrepancy between the Academic Regulations and any other publication, including this module guide, the Academic Regulations, as the definitive document, take precedence over all other publications and will be applied in all cases.
2 Introduction to the Module
The exponential growth of mobile computing, from the adoption of smartphone and tablet platforms through to the rise of the mobile app and the app store, is challenging the established IT sector in ways that few could have predicted. This shift has major implications for how the information security professional and the forensic examiner approach the forensic analysis of data on mobile devices and the next generation of malware threats.
The module aims to provide students with fundamental knowledge of mobile computing, communications technologies and the security features of mobile devices. It will furnish an understanding, in both hardware and software, of the platforms that support personal and business activities. The module provides knowledge of security and data recovery on mobile devices and introduces fundamental app development and the tools that enhance students' practical skills in mobile forensics.
Students will investigate modern malware types and techniques on both conventional computing systems and on some of the more recent mobile platforms, as well as the tools used to analyse, defend against and recover from modern cybercrime attacks. As well as investigating the key issue of the unknown executable, students will also examine the business models of malware.
Assessment will be undertaken as regular practical lab-based activities contributing to a portfolio, and a forensic case study concentrating on the analysis of a mobile and malware investigative scenario.
3 Intended Learning Outcomes
On successful completion of this module the student will be expected to be able to:
1. (Knowledge and understanding) Critically analyse and interpret malicious software and associated forensic artefacts, including Trojan horses, viruses and worms.
2. (Knowledge and understanding) Understand malware and mobile fundamentals in contrast to traditional definitions of malicious software and mobile operations.
3. (Intellectual, practical, affective and transferable skills) Practically approach malware investigation from mounted, booted and network perspectives, contrasting malware scans in Linux- and Windows-based analysis, and observe malware behaviour in lab environments.
4. (Intellectual, practical, affective and transferable skills) Critically evaluate how cellular devices store data, and how collecting and preserving mobile device evidence relates to the forensic process.
4 Outline Delivery
Week | Lecture | Seminar/Workshop | Student-managed learning
1 | Module Intro & Malicious Software | Lab Environment, Variables & ADS | Malware Definitions
2 | Malicious Investigation | Malware Methodology, Internal & External Scanning | Analysis Environments and Malware Reporting Forms
3 | Methods of Deception | Poison Ivy, Process & Registry Investigation | Tell-Tale Signs of Infection
4 | Practical Malware Investigation | Start-Up & Memory Analysis, Fake GINA | Windows Registry Functions
5 | Mounted, Booted & Network Analysis | Mounted, Booted and Network Analysis, Use of Static Tools | Virtualisation and Memory Capture Tools
6 | Mobile Basics | MPE+ Intro | Mobile Communication Technologies
7 | Telephony and SIM Forensics | SIM Analysis | Telephony Features (what can realistically be recovered)
8 | iOS Forensics | iOS Device Analysis | iOS Devices
9 | Android Forensics | Android Device Analysis | Android Devices
10 | Mobile Log Analysis, Positioning and Statistics | Photo and Geo Tag Exercise | Database Manipulation and Logfile Analysis
11 | External Speaker and/or Specialist Subject | Assignment Workshop | Assignment
12 | External Speaker and/or Specialist Subject | Assignment Workshop | Assignment
Both the formal logbook approach, with its lab exercises, and the formal assessment give the student the opportunity to meet all the formal outcomes. Additional learning material is provided to help students meet the 150 guided learning hours for the module through their own study time.
5 Attendance Requirements
Attending all your classes is very important and one of the best ways to help you succeed in this module. In accordance with the Student Charter, you are expected to arrive on time and take an active part in all your timetabled classes. If you are unable to attend a class for a valid reason (eg: illness), please contact your Faculty Office ([email protected])
Anglia Ruskin will closely monitor the attendance of all students and will contact you by e-mail if you have been absent without notice for two weeks. Continued absence can result in various consequences including the termination of your registration as you will be considered to have withdrawn from your studies.
International students who are non-EEA nationals and in possession of entry clearance/leave to remain as a student (student visa) are required to be in regular attendance at Anglia Ruskin. Failure to do so is considered to be a breach of national immigration regulations. Anglia Ruskin, like all British Universities, is statutorily obliged to inform the UK Border Agency of the Home Office of significant unauthorised absences by any student visa holders.
6 Assessment
All coursework assignments and other forms of assessment must be submitted by the published deadline, which is detailed above. It is your responsibility to know when work is due to be submitted; ignorance of the deadline date will not be accepted as a reason for late or non-submission.
All student work which contributes to the eventual outcome of the module (ie: if it determines whether you will pass or fail the module and counts towards the mark you achieve for the module) is submitted via the iCentre using the formal submission. Academic staff CANNOT accept work directly from you.
If you decide to submit your work to the iCentre by post, it must arrive by midday on the due date. If you elect to post your work, you do so at your own risk and you must ensure that sufficient time is provided for your work to arrive at the iCentre. Posting your work the day before a deadline, albeit by first class post, is extremely risky and not advised.
Any late work (submitted in person or by post) will NOT be accepted and a mark of zero will be awarded for the assessment task in question.
You are requested to keep a copy of your work.
6.1 Assessment Components
Assessment will be in multiple parts:
• Two mini case study based assignments (maximum of 1000 words each) based on the forensic reports of the malware and mobile scenarios (worth 100% of the marks).
(Learning Outcomes 1- 4)
Hand In for Assignment Part 1 Malware Analysis: Friday 20th December 2013 (Tutor Hand In)
Hand in for Assignment Part 2 Mobile Analysis: Monday 6th January 2014 (final Deadline)
• Engineering Logbook containing evidence of completion of week-by-week research and practical exercises (Pass/Fail component).
It will also be required, as part of the assessment, to hand in formal proof that you have completed the specified laboratory exercises. This will usually be in the form of the logbook exercise sign-off sheet provided by your tutor; your tutor will inspect your logbook each week to sign off these exercises. Do not lose this sheet, as you must provide evidence that you have completed the exercises or be able to hand in a completed logbook.
(Learning Outcomes 1- 4)
Hand In Date: Friday 20th December 2013
Further full details on the assessment will be provided on the VLE once approved.
6.2 Investigation Scenario
You are a well respected and competent computer forensic examiner working for Wensleydale Constabulary. As the lead investigator, you have been tasked with leading a new investigation, analysing the results and presenting what could amount to quite complex evidence in a simplified formal evidence report which should concentrate on
• Clarity
• Simplicity
• Brevity
The target audience for your reports will be
• Lawyers and their clients (the accused and potential witnesses)
• Judges and jury members
You should remember that the recipients of your reports will rarely possess subject knowledge to match your own.
A picture paints a thousand words, so think about using visualisation techniques such as screenshots, graphics, charts and drawings. You will need to reach out to help the target audience by relating to known concepts; try to use analogies to get concepts across, but do not over-stretch them.
You need to maintain credibility with your reports. Each report should be structured as follows:
• Executive Summary
• Objectives
• Computer Evidence Analysed
• Relevant Findings
• Supporting Information
• Investigative Leads
• Concluding Statement
• References
• Appendices (if appropriate)
Each report needs to be concise, not exceeding 1000 words (excluding Executive Summary, tables, quotes, screenshots, references and appendices).
6.3 Malware Analysis Scenario Case Study Part 1
A notorious criminal, Donald Dodger, has been suspected of involvement in unsavoury pornography-related activities and has been arrested in a recent raid by Wensleydale CID. During the raid, scenes of crime officers recovered his local desktop PC.
The PC has been forensically imaged by another investigator and an unusually high number of illegal images have been found on the hard drive. Donald has been arrested and charged with bestiality on the strength of the evidence found in the forensic hard drive image.
Donald's defence team have suggested that Donald is not at all computer literate and that he believes his computer was deliberately infected with malware that downloaded this incriminating material from the Internet without his knowledge.
Your task is to take the forensic image of the suspect's PC, investigate what malware is present, and establish whether there is any evidence that any of the malware found could account for the defence's suggestion.
Remember that you are reporting what you have found within the remit given, and any conclusions must be based on fact. Concise details are required because there is a maximum of 1000 words available.
JUST INSTALLING AN ANTI-VIRUS SCANNER AND SUBMITTING THE RESULTS WILL AUTOMATICALLY FAIL!!
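One concrete place to start on the question of what could have downloaded the images is the machine's autostart entries, because anything that fetched files without the user's involvement had to survive a reboot somehow. The script below is an added example written for this guide; it is not code from the module or from any tool listed in it. It assumes the examiner has already exported the Run and RunOnce keys from the image's SOFTWARE and NTUSER.DAT hives to .reg text (regedit's export format); the export embedded in the script is constructed for the example, and every value name and path in it is hypothetical. It parses the export, pulls the executable path out of each value, and flags the tell-tale signs covered in weeks 3 and 4: a core Windows binary name running from outside the Windows directory, a launch from a user-writable folder such as Temp or Application Data, and a double extension such as .jpg.exe.

```python
"""Triage autostart (Run/RunOnce) entries exported from a suspect's registry hives.

Added example, not code from the module guide. The .reg text below is constructed
for the example; its value names and paths are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import List

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"svchost"="C:\\Documents and Settings\\Donald\\Local Settings\\Temp\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"holiday.jpg"="\"C:\\Documents and Settings\\Donald\\Application Data\\holiday.jpg.exe\" /silent"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

AUTOSTART_SUFFIXES = ('\\currentversion\\run', '\\currentversion\\runonce')
# Folders a normal user can write to; legitimate autostart binaries rarely live there.
USER_WRITABLE = ('\\temp\\', '\\local settings\\', '\\application data\\',
                 '\\appdata\\', '\\downloads\\', '\\recycler\\')
# Core Windows binary names that are only legitimate under the Windows directory.
SYSTEM_BINARIES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe',
                   'services.exe', 'explorer.exe', 'ctfmon.exe'}
# Extensions a dropper hides behind in names such as holiday.jpg.exe.
DISGUISE_EXTS = {'jpg', 'jpeg', 'gif', 'png', 'pdf', 'doc', 'txt', 'mp3', 'avi'}
# "name"="data" with .reg escaping (\\ and \") allowed inside either string.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=\s*"((?:[^"\\]|\\.)*)"$')


@dataclass
class AutostartEntry:
    key: str
    name: str
    command: str
    exe_path: str
    reasons: List[str] = field(default_factory=list)


def _unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)


def _exe_from_command(command: str) -> str:
    """Executable path from a Run value that may be quoted and carry arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find('.exe')
    return cmd[:idx + 4] if idx >= 0 else cmd.split(' ')[0]


def parse_reg_export(text: str) -> List[AutostartEntry]:
    """Collect every value under a Run or RunOnce key in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        if key is None or not key.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        m = VALUE_RE.match(line)
        if m:
            name, cmd = _unescape(m.group(1)), _unescape(m.group(2))
            entries.append(AutostartEntry(key, name, cmd, _exe_from_command(cmd)))
    return entries


def flag_reasons(entry: AutostartEntry) -> List[str]:
    """Tell-tale signs worth a closer look; none is proof of malware on its own."""
    reasons = []
    path = entry.exe_path.lower()
    directory, _, base = path.rpartition('\\')
    if base in SYSTEM_BINARIES and not directory.endswith(('\\windows', '\\windows\\system32')):
        reasons.append(base + ' running from outside the Windows directory')
    for marker in USER_WRITABLE:
        if marker in path:
            reasons.append('launched from user-writable folder ' + marker.strip('\\'))
            break
    parts = base.split('.')
    if len(parts) >= 3 and parts[-2] in DISGUISE_EXTS:
        reasons.append('double extension disguises an executable as .' + parts[-2])
    return reasons


def triage(text: str) -> List[AutostartEntry]:
    """Flagged entries in hive order, ready for hashing and timelining."""
    flagged = []
    for entry in parse_reg_export(text):
        entry.reasons = flag_reasons(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == '__main__':
    for e in triage(SAMPLE_REG):
        print(f'{e.name:<14} {e.exe_path}\n    ' + '; '.join(e.reasons))
```

A flag is a lead, not a finding. To address the defence's suggestion the flagged file still has to be hashed and identified, its creation and last-run times recovered (MFT record, prefetch, the Run key's last-write time), and those times compared with the download times of the images: an entry that first appeared after the images arrived cannot have fetched them, and one that predates them only becomes relevant once its behaviour has been observed in the lab.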
6.4 Mobile Forensics Scenario Case Study Part 2
One of the reasons that Donald Dodger was being investigated was his alleged involvement in the stalking of a student from Granglian Busking University. As well as his desktop PC being seized, officers took the opportunity to seize his mobile phone as well.
The mobile phone has already been forensically imaged and you are required to write a report reviewing what evidence is available on the phone to support the following queries:
1. Who is stored on the SIM card or in phone memory as mobile contacts?
2. Who has been called from this phone multiple times in the past three months?
3. Can social media applications be accessed and, if so, by whom, and who has been posted to?
4. Can the phone give any indication of where the user might have physically been?
5. Have any photos of interest been taken (not animal based)?
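Queries 4 and 5 usually go together: a photograph's Exif block records when it was taken and, if location services were on, where. The following is an added example, not code from the module guide or from MPE+ or Santoku. It walks a JPEG's segment headers to the APP1 Exif segment, reads IFD0 for the DateTime tag and the pointer to the GPS IFD, and converts the degree, minute and second RATIONALs into signed decimal degrees. The JPEG it parses is constructed inside the script (build_sample_jpeg) with sample coordinates and a sample timestamp, so it runs without a real photo; with a real file, pass its bytes to exif_from_jpeg instead.

```python
"""Recover capture time and GPS position from a photo's Exif block.

Added example, not code from the module guide or from any tool it lists. The JPEG is
constructed in build_sample_jpeg() with sample coordinates and a sample timestamp.
"""
import struct
from typing import Dict, Optional, Tuple

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field type -> bytes
TAG_DATETIME, TAG_GPS_IFD = 0x0132, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
IfdEntry = Tuple[int, int, bytes]          # (field type, count, raw value bytes)


def exif_from_jpeg(jpeg: bytes) -> Optional[bytes]:
    """Walk the JPEG segment headers and return the TIFF block of the APP1 Exif segment."""
    if jpeg[:2] != b'\xff\xd8':
        raise ValueError('not a JPEG (missing SOI marker)')
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                 # EOI or start of scan: no more headers
            break
        length = struct.unpack_from('>H', jpeg, pos + 2)[0]
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b'Exif\x00\x00'):
            return payload[6:]
        pos += 2 + length
    return None


def _read_ifd(data: bytes, endian: str, offset: int) -> Dict[int, IfdEntry]:
    """Read one IFD; values longer than four bytes are fetched from their offset."""
    if offset + 2 > len(data):
        raise ValueError('IFD offset outside the Exif block')
    count = struct.unpack_from(endian + 'H', data, offset)[0]
    entries: Dict[int, IfdEntry] = {}
    for i in range(count):
        pos = offset + 2 + i * 12
        tag, typ, n = struct.unpack_from(endian + 'HHI', data, pos)
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:
            raw = data[pos + 8:pos + 8 + size]
        else:
            off = struct.unpack_from(endian + 'I', data, pos + 8)[0]
            if off + size > len(data):
                raise ValueError(f'tag 0x{tag:04x} points outside the Exif block')
            raw = data[off:off + size]
        entries[tag] = (typ, n, raw)
    return entries


def _ascii(entry: Optional[IfdEntry]) -> Optional[str]:
    return None if entry is None else entry[2].rstrip(b'\x00').decode('ascii', 'replace')


def _dms(entry: IfdEntry, endian: str) -> float:
    """Three RATIONALs (degrees, minutes, seconds) to decimal degrees."""
    if entry[0] != 5 or entry[1] != 3:
        raise ValueError('GPS coordinate is not three RATIONALs')
    v = struct.unpack(endian + 'IIIIII', entry[2])
    deg, mins, secs = (v[i] / (v[i + 1] or 1) for i in range(0, 6, 2))
    return deg + mins / 60 + secs / 3600


def parse_exif_location(tiff: bytes) -> Dict[str, Optional[object]]:
    """Capture time and signed decimal latitude/longitude; None where a tag is absent."""
    endian = {b'II': '<', b'MM': '>'}.get(tiff[:2])
    if endian is None or struct.unpack_from(endian + 'H', tiff, 2)[0] != 42:
        raise ValueError('bad TIFF header')
    ifd0 = _read_ifd(tiff, endian, struct.unpack_from(endian + 'I', tiff, 4)[0])
    result: Dict[str, Optional[object]] = {'datetime': _ascii(ifd0.get(TAG_DATETIME)),
                                           'lat': None, 'lon': None}
    if TAG_GPS_IFD in ifd0:
        gps = _read_ifd(tiff, endian, struct.unpack(endian + 'I', ifd0[TAG_GPS_IFD][2])[0])
        if GPS_LAT in gps and GPS_LON in gps:
            lat, lon = _dms(gps[GPS_LAT], endian), _dms(gps[GPS_LON], endian)
            if (_ascii(gps.get(GPS_LAT_REF)) or 'N').upper().startswith('S'):
                lat = -lat
            if (_ascii(gps.get(GPS_LON_REF)) or 'E').upper().startswith('W'):
                lon = -lon
            result['lat'], result['lon'] = round(lat, 6), round(lon, 6)
    return result


def build_sample_jpeg() -> bytes:
    """Constructed JPEG: big-endian Exif with DateTime and a GPS IFD at 52.205 N, 0.125 E."""
    dt = b'2013:11:02 14:31:07\x00'                            # sample timestamp, 20 bytes
    lat, lon = [(52, 1), (12, 1), (1800, 100)], [(0, 1), (7, 1), (30, 1)]
    dt_off = 8 + 2 + 2 * 12 + 4                                # header + IFD0 (two entries)
    gps_off = dt_off + len(dt)
    lat_off = gps_off + 2 + 4 * 12 + 4                         # GPS IFD has four entries
    ifd0 = (struct.pack('>H', 2) + struct.pack('>HHII', TAG_DATETIME, 2, len(dt), dt_off)
            + struct.pack('>HHII', TAG_GPS_IFD, 4, 1, gps_off) + struct.pack('>I', 0))
    gps = (struct.pack('>H', 4)
           + struct.pack('>HHI', GPS_LAT_REF, 2, 2) + b'N\x00\x00\x00'
           + struct.pack('>HHII', GPS_LAT, 5, 3, lat_off)
           + struct.pack('>HHI', GPS_LON_REF, 2, 2) + b'E\x00\x00\x00'
           + struct.pack('>HHII', GPS_LON, 5, 3, lat_off + 24) + struct.pack('>I', 0))
    tiff = (b'MM' + struct.pack('>HI', 42, 8) + ifd0 + dt + gps
            + b''.join(struct.pack('>II', n, d) for n, d in lat + lon))
    app1 = b'Exif\x00\x00' + tiff
    return b'\xff\xd8\xff\xe1' + struct.pack('>H', len(app1) + 2) + app1 + b'\xff\xd9'


if __name__ == '__main__':
    print(parse_exif_location(exif_from_jpeg(build_sample_jpeg())))
```

Two caveats before a position goes into a report: the timestamp comes from the phone's own clock and the coordinates from whatever fix the phone had at the time, so both should be corroborated (cell or Wi-Fi logs, the file-system times of the photo), and a photo that has passed through a messaging app or a social network will often have had its Exif data stripped altogether, which is not evidence that none ever existed.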
6.5 Case Study Generic Marking Scheme
Criterion | Marks
Technical Evidence Gathering Methodology | 10
Actual Evidence Found and Quality (including screenshots) | 20
Analysis of Evidence Presented | 10
Research Material Underpinning Evidence Presented | 15
Simplicity and Clarity of Technical Argument (Analogies Used) | 15
Report Presentation/Quality (3rd Person) | 20
Additional marks of 10% are awarded for additional value which could include
6.6 Feedback
You are entitled to feedback on your performance for all your assessed work. For all assessment tasks which are not examinations, this is provided by a member of academic staff completing the assignment coversheet on which your mark and feedback will relate to the achievement of the module’s intended learning outcomes and the assessment criteria you were given for the task when it was first issued. This feedback may be completed electronically and sent directly to your Anglia Ruskin e-mail account.
Examination scripts are retained by Anglia Ruskin and are not returned to students. However, you are entitled to feedback on your performance in an examination and may request a meeting with the Module Leader or Tutor to see your examination script and to discuss your performance.
Anglia Ruskin is committed to providing you with feedback on all assessed work within 20 working days of the submission deadline or the date of an examination. This is extended to 30 days for feedback for a Major Project module (please note that working days excludes those days when Anglia Ruskin University is officially closed; eg: between Christmas and New Year). Personal tutors will offer to read feedback from several modules and help you to address any common themes that may be emerging.
At the main Anglia Ruskin University campuses, each Faculty will publish details of the arrangement for the return of your assessed work (eg: a marked essay or case study etc.). Any work which is not collected by you from the Faculty within this timeframe is returned to the iCentres from where you can subsequently collect it. The iCentres retain student work for a specified period prior to its disposal.
On occasion, you will receive feedback and marks for pieces of work that you completed in the earlier stages of the module. We provide you with this feedback as part of the learning experience and to help you prepare for other assessment tasks that you have still to complete. It is important to note that, in these cases, the marks for these pieces of work are unconfirmed. This means that, potentially, marks can change, in either direction!
Marks for modules and individual pieces of work become confirmed on the Dates for the Official Publication of Results which can be checked at www.anglia.ac.uk/results.
6.7 How is My Work Marked?
After you have handed your work in or you have completed an examination, Anglia Ruskin undertakes a series of activities to assure that our marking processes are comparable with those employed at other universities in the UK and that your work has been marked fairly, honestly and consistently. These include:
• Anonymous marking: your name is not attached to your work so, at the point of marking, the lecturer does not know whose work he/she is considering. When you undertake an assessment task where your identity is known (eg: a presentation or Major Project), it is marked by more than one lecturer (known as double marking).
• Internal moderation: a sample of all work for each assessment task in each module is moderated by other Anglia Ruskin staff to check the standards and consistency of the marking.
• External moderation: a sample of student work for all modules is moderated by external examiners, experienced academic staff from other universities (and sometimes practitioners who represent relevant professions), who scrutinise your work and provide Anglia Ruskin academic staff with feedback, advice and assurance that the marking of your work is comparable to that in other UK universities. Many of Anglia Ruskin's staff act as external examiners at other universities.
• Departmental Assessment Panel (DAP): performance by all students on all modules is discussed and approved at the appropriate DAPs, which are attended by all relevant Module Leaders and external examiners. Anglia Ruskin has over 25 DAPs to cover all the different subjects we teach.
This module falls within the remit of the Computing and Technology (Cambridge) DAP.
The following external examiners are appointed to this DAP and will oversee the assessment of this and other modules within the DAP’s remit:
External Examiner’s Name Academic Institution Position or Employer
Mr Edwin Gray Glasgow Caledonian University Senior Lecturer
The above list is correct at the time of publication. However, external examiners are appointed at various points throughout the year. An up-to-date list of external examiners is available to students and staff at www.anglia.ac.uk/eeinfo.
Anglia Ruskin’s marking process is represented in the flowchart below:
Dedicated virtual machine (VM) appliances are provided which can be run with applications such as VMware Player, so that an application or process can be demonstrated to students without students necessarily having to build the OS environment first.
For some lab exercises, and especially the case study part of the assignment, students will have to build applications from a base image to solve a particular problem. Students are expected to use a virtualisation application such as VMware Workstation (recommended), Virtual PC (2007) or VirtualBox.
As the department is part of the VMware E-Academy, students can be enrolled on the program if they contact their tutor.
The web address is
http://e5.onthehub.com/d.ashx?s=qn7tzqlvje
9.3.4.1 Windows XP Mode
Windows XP Mode works in two ways: both as a virtual operating system and as a way to open programs within Windows 7. It runs in a separate window on the Windows 7 desktop, much like a program, except that it is a fully functional, fully licensed version of Windows XP. In Windows XP Mode, you can access your physical computer's CD/DVD drive, install programs, save files, and perform other tasks as if you were using a computer running Windows XP.
When you install a program in Windows XP Mode, the program appears in both the Windows XP Mode list of programs and in the Windows 7 list of programs, so you can open the program directly from Windows 7.
Download and further details from
http://windows.microsoft.com/en-GB/windows7/products/features/windows-xp-mode
9.3.5 Microsoft Academy Resources
Some of the logbook exercises in this module require you to have access to Windows XP (or higher) ISO images and to additional documentation tools such as Visio.
As a Computer Science student at Anglia Ruskin University, you can have access to the Microsoft Academy website, which provides students with their own personal copies of such software free of charge.
To apply for access, please contact Ian Oxford ([email protected]) and when you have a valid login please access
9.3.6 Virtual Machine Images
Additional virtual images are hosted externally to the VLE (due to storage limitations) and can be accessed on the O Drive.
9.4 Malware Resources
9.4.1 REMnux: A Linux Distribution for Reverse-Engineering Malware
REMnux is a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.
http://zeltser.com/remnux/
9.4.2 Sample List of Malware Analysis Tools:
• System Monitor, Process Explorer, CaptureBAT, Regshot, VMware
• BinText, LordPE, QuickUnpack, Firebug, PELister, PEiD
• IDA Pro, OllyDbg and plug-ins such as OllyDump, HideOD
• Rhino, Malzilla, SpiderMonkey, Jsunpack-n
• Internet Explorer Developer Toolbar, cscript
• Honeyd, NetCat, Wireshark, curl, wget, xorsearch
• OfficeMalScanner, OffVis, Radare, FileInsight
• Volatility Framework and plug-ins such as malfind2 and apihooks
• SWFTools, Flare, shellcode2exe, fake DNS server, and others
9.4.3 Supplemental Reading Material
9.4.3.1 Malware Forensics
SANS/Lenny Zeltser:
Reverse-Engineering: Malware Analysis Tools and Techniques Training
http://zeltser.com/reverse-malware/
Combating Malware in the Enterprise
Related SANS Course:
SANS Forensics610 Reverse Engineering Malware:
http://www.sans.org/security-training/reverseengineering-malware-malware-analysis-tools-techniques-54-mid
9.4.3.2 Malware References:
Malware Analysis: An Introduction [whitepaper]
http://www.sans.org/reading_room/whitepapers/malicious/malware-analysisintroduction_2103
GIAC Reverse Engineering Malware (GREM) [Certification]
http://www.giac.org/certification/reverse-engineering-malware-grem
Forensic Discovery [book]
http://www.porcupine.org/forensics/forensic-discovery/
Practical Malware Analysis [presentation]
Malware Analysis for Administrators [article]
http://www.symantec.com/connect/articles/malware-analysis-administrators
Stuxnet Malware Analysis [paper]
http://www.codeproject.com/KB/web-security/StuxnetMalware.aspx
9.4.4 Mobile Forensics Resources
9.4.4.1 AccessData Mobile Phone Examiner Plus (MPE+)
The Department has a 30-user concurrent licence for AccessData's Mobile Phone Examiner Plus for forensic analysis of mobile phones, tablets and other mobile devices, which can be used within the Cisco Networking and Forensic Lab (MEL205).
Forensic images can be saved for uploading into FTK for further analysis.
9.4.4.2 Santoku Open Source Mobile Forensics Framework
Santoku is an open source bootable Linux-based distribution with pre-installed platform SDKs, drivers and utilities, as well as a range of GUI tools for easy deployment and control of mobile apps.
Prime features are:
Mobile Forensics
• Tools to forensically acquire and analyze data
• Firmware flashing tools for multiple manufacturers
• Imaging tools for NAND, media cards, and RAM
• Free versions of some commercial forensics tools
• Useful scripts and utilities specifically designed for mobile forensics
Mobile Malware Analysis
• Tools useful when examining mobile malware
• Mobile device emulators
• Utilities to simulate network services for dynamic analysis
• Decompilation and disassembly tools
• Access to malware databases
Mobile Security Testing
• Support for security assessment of mobile apps
• Decompilation and disassembly tools
• Scripts to detect common issues in mobile applications
• Scripts to automate decrypting binaries, deploying apps, enumerating app details, and more
Can be downloaded from https://santoku-linux.com/
9.4.4.3 OWASP Project Resources
OWASP (Open Web Application Security Project) is a worldwide not-for-profit charitable organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
9.4.4.3.1 OWASP Mobile Security Project
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. The project focus is at the application layer. While consideration is given to the underlying mobile platform and carrier-inherent risks when threat modeling and building controls, the main areas of focus are those where the average developer can make a difference. Additionally, it is not just about the mobile applications deployed to end-user devices, but also about the broader server-side infrastructure with which the mobile apps communicate. The project also focuses heavily on the integration between the mobile application, remote authentication services, and cloud platform-specific features.
9.4.4.3.2 OWASP GoatDroid Project
https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
The OWASP GoatDroid Project is a fully functional and self-contained environment for learning about Android security. GoatDroid requires minimal dependencies, and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location based social network, and Herd Financial, a mobile banking application.
9.4.4.3.3 OWASP iGoat Project
https://www.owasp.org/index.php/OWASP_iGoat_Project
iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.
10 Module Evaluation
During the second half of the delivery of this module, you will be asked to complete a module evaluation questionnaire to help us obtain your views on all aspects of the module.
This is an extremely important process which helps us to continue to improve the delivery of the module in the future and to respond to issues that you bring to our attention. The module report in section 11 of this module guide includes a section which comments on the feedback we received from other students who have studied this module previously.
Your questionnaire response is anonymous.
Please help us to help you and other students at Anglia Ruskin by completing the Module Evaluation survey. We very much value our students’ views and it is very important to us that you provide feedback to help us make improvements.
In addition to the Module Evaluation process, you can send any comment on anything related to your experience at Anglia Ruskin to [email protected] at any time.
11 Report on Last Delivery of Module
This is the first delivery of this module.