Differential malware forensics

Authors: Provataki, A. and Katos, V.

Journal: Digital Investigation

Volume: 10

Issue: 4

Pages: 311-322

ISSN: 1742-2876

eISSN: 1873-202X

DOI: 10.1016/j.diin.2013.08.006

Abstract:

In this paper we present a malware forensics framework for assessing and reporting on the modus operandi of a malware sample within a specific organizational context. The proposed framework addresses the limitations that existing dynamic malware analysis approaches exhibit. More specifically, we extended the functionality of the Cuckoo Sandbox malware analysis tool in order to automate the process of correlating and investigating the analysis results that multiple executions of a suspect binary on distinct and specific system configurations can produce. In contrast to standard malware analysis methods that assess the potential damage a malware sample may cause in general, this approach enables the analyst to identify contingent behavioral changes when the malware is executed and to answer questions relating to the malware's activities within a specific environment. By doing this, the analyst is in a position to report on the actual rather than theoretical actions a malware sample has performed, allowing the stakeholders to make informed recovery decisions. In this context, we identify the necessary forensic readiness prerequisites which are critical for the successful application and adoption of the proposed framework. © 2013 Elsevier Ltd. All rights reserved.

Source: Scopus; Web of Science (Lite)

Preferred by: Vasilis Katos