Analysis Question


keydet89
Senior Member
 

Analysis Question

Post Posted: May 04, 13 16:47

When we sit down and think about our analysis workflow, one of the things we may
often come across is, "..look at data X for suspicious entries...", and then the
question becomes, "what is 'suspicious'?"

Doing some reading this morning, I ran across the MS malware encyclopedia
description for a variant of Dorkbot, and I saw that the description stated that
the malware uses the user's Run key for persistence, using a random .exe name.
The path that it uses within the file system is apparently "%AppData%", and MS
gave a full description of the path on WinXP and Windows 7.

With all of the data we have to look at, does it make sense to add grep()
statements to our parsers to extract the "low-hanging fruit" for us? If we
know, for example, that we would want to take a closer look at any value beneath
the Run (regardless of hive) that includes 'temp' or 'AppData' or 'Application
Data' in the path, does it make sense to include code to look for those things
and highlight them for us?

Would this be useful to anyone?  
 
  

Patrick4n6
Senior Member
 

Re: Analysis Question

Post Posted: May 04, 13 21:41

For anything with malware or a "virus did it" defence I'm going to run my standard registry reports which inter alia list all the run keys. Anything with AppData in the path would instantly stand out for me.

So in my case, it's not a value add. It may be for others.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 
 
  

hydrocloricacid
Member
 

Re: Analysis Question

Post Posted: May 06, 13 09:25

- keydet89

Would this be useful to anyone?

Yes.
Will help highlight data of interest.

e.g. When using msconfig I like how I can hide all the MS services; it makes it easier to see potentially interesting services.

It's quite helpful to bring to the front the items which are more likely to be of interest.
I think it's a good idea and it kinda fits with your forensic scanner concept in a way.
Intelligent processing which highlights and brings to the forefront information of interest.

- keydet89

When we sit down and think about our analysis workflow, one of the things we may
often come across is, "..look at data X for suspicious entries...", and then the
question becomes, "what is 'suspicious'?"

I guess there are different ways of finding what is suspicious. There are blacklists, where we know what is suspicious, and there are whitelists to remove what we know isn't.

Maybe a project for someone for Registry Ripper, log2timeline, etc., which highlights items of interest, and possibly removes known good items.
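As an added illustration of both points in this thread (keydet89's "grep for temp/AppData/Application Data under the Run key" and the blacklist-plus-whitelist triage described above), here is a small Python triage pass over Run-key values. It is example code written for this page, not a RegRipper plugin and not anything posted by the participants; the sample values, the pattern list and the "known good" whitelist entry are all constructed here and would be replaced with the examiner's own data.

```python
import re

# Constructed sample Run-key values in (value name, value data) form, the shape a
# registry parser would typically hand back. None of these come from a real system.
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("xkqwpz", r"C:\Users\alice\AppData\Roaming\xkqwpz.exe"),
    ("updater", r"C:\Documents and Settings\alice\Application Data\updater.exe"),
    ("svc", r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    ("ctfmon2", r"%AppData%\ctfmon2.exe"),
    ("Adobe", r"C:\Program Files\Adobe\reader.exe"),
]

# The "blacklist" side: path fragments that merit a closer look when they appear in
# an autostart value. Covers the Windows 7 (AppData), Windows XP (Application Data)
# and temp-directory forms, plus the unexpanded %AppData%/%Temp% variable form.
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(r"\\temp\\", re.IGNORECASE),
    re.compile(r"\\AppData\\", re.IGNORECASE),
    re.compile(r"\\Application Data\\", re.IGNORECASE),
    re.compile(r"%(AppData|LocalAppData|Temp|Tmp)%", re.IGNORECASE),
]

# The "whitelist" side: full-path patterns for entries the examiner has already vetted.
# Anchoring on the whole path (not just the executable name) keeps a lookalike dropped
# into a different directory from being hidden by the whitelist. Constructed entry.
KNOWN_GOOD_PATTERNS = [
    re.compile(r'^"?C:\\Users\\[^\\]+\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive\.exe', re.IGNORECASE),
]


def is_known_good(data):
    """True if the value data matches a vetted full-path whitelist entry."""
    return any(p.search(data) for p in KNOWN_GOOD_PATTERNS)


def suspicious_reasons(data):
    """Return the list of pattern strings that fired against this value data."""
    return [p.pattern for p in SUSPICIOUS_PATH_PATTERNS if p.search(data)]


def triage_run_values(values):
    """Apply the whitelist first, then the blacklist, and return the hits.

    Each hit is (value name, value data, [reasons]); values that match no
    pattern, or that are whitelisted, are simply not returned.
    """
    hits = []
    for name, data in values:
        if is_known_good(data):
            continue
        reasons = suspicious_reasons(data)
        if reasons:
            hits.append((name, data, reasons))
    return hits


def format_report(hits):
    """Render hits as one line each, in the style of a parser's highlighted output."""
    return "\n".join(
        f"[SUSPICIOUS] {name} -> {data}  (matched: {', '.join(reasons)})"
        for name, data, reasons in hits
    )


if __name__ == "__main__":
    print(format_report(triage_run_values(SAMPLE_RUN_VALUES)))
```

Running it against the constructed sample flags the Roaming, Application Data, Temp and %AppData% entries and leaves the whitelisted OneDrive value and the Program Files/System32 entries alone. The order of the two passes is the point: whitelist first so vetted noise disappears, then highlight what is left, which is exactly the msconfig "hide Microsoft services" effect described above.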
 
  

Belkasoft
Senior Member
 

Re: Analysis Question

Post Posted: May 06, 13 14:34

Please PM me if you'd like to receive a copy of our (unfinished) whitepaper on detecting malware with Windows Debugger scripts. Specifically, we're describing various things that are "suspicious" in terms of malware.
_________________
Computer, Mobile, RAM and Cloud Forensics In a Single Tool
belkasoft.com 
 
  

keydet89
Senior Member
 

Re: Analysis Question

Post Posted: May 06, 13 16:27

- hydrocloricacid

Maybe a project for someone for Registry Ripper ...


Already being done...take a look at version 2.8.  