Digital Forensics and Cyber Crime. 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25-26, 2012, Revised Selected Papers

Research Article

Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic Investigation Purposes

  • @INPROCEEDINGS{10.1007/978-3-642-39891-9_5,
        author={Ahmed Shosha and Joshua James and Alan Hannaway and Chen-Ching Liu and Pavel Gladyshev},
        title={Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic Investigation Purposes},
        proceedings={Digital Forensics and Cyber Crime. 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25-26, 2012, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2013},
        month={10},
        keywords={Dynamic Malware Analysis, Kernel Object Profiling, Malware Investigation, Memory Forensics, Post-Mortem Analysis},
        doi={10.1007/978-3-642-39891-9_5}
    }
    
  • Ahmed Shosha
    Joshua James
    Alan Hannaway
    Chen-Ching Liu
    Pavel Gladyshev
    Year: 2013
    Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic Investigation Purposes
    ICDF2C
    Springer
    DOI: 10.1007/978-3-642-39891-9_5
Ahmed Shosha (1, *), Joshua James (1, *), Alan Hannaway (1, *), Chen-Ching Liu (1, *), Pavel Gladyshev (1, *)
  • 1: University College Dublin
*Contact email: Ahmed.Shosha@ucdconnect.ie, Joshua.James@ucd.ie, Alan.Hannaway@ucdconnect.ie, Liu@ucd.ie, Pavel.Gladyshev@ucd.ie

Abstract

Digital forensic investigators commonly use dynamic malware analysis methods to analyze a suspect executable found during a post-mortem analysis of the victim's computer. Unfortunately, currently proposed dynamic malware analysis methods and sandbox solutions have a number of limitations that may lead investigators to ambiguous conclusions. This research highlights the limitations of using current dynamic malware analysis methods in digital forensic investigations. It then proposes a method for profiling dynamic kernel memory that complements currently proposed dynamic profiling techniques. The proposed method allows investigators to automate the identification of malicious kernel objects during a post-mortem analysis of the victim's acquired memory. The method is implemented in a prototype malware analysis environment that automates the profiling of malicious kernel objects and assists malware forensic investigation. Finally, a case study demonstrates the efficacy of the proposed approach.