Malware Reverse Engineering for Digital Forensics

By Jared McCann on December 8, 2023

Introduction

A key component of any digital forensic investigation is malware reverse engineering (MRE). MRE involves locating malware on a system, decompiling it, and then breaking down the functions within the code. Understanding the code, what it does, and how it is written allows investigators to determine possible system impacts and assign threat attribution.


Obtaining Files

After capturing a forensic image, the next step is to identify the executables and binaries on it; these are the files we will load into the decompiler. Tools like Autopsy can assist in this process. Once a file is found, you can export it from Autopsy by right-clicking the file, choosing Export, and saving it. [1]

Note: It is recommended that files exported be touched only within a virtual machine environment.
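Added example (not from the original post or from Autopsy): a small triage script that does the "find the executables" step over a directory of exported files. It recognises PE and ELF files by their headers, reads the architecture field, and records a SHA-256 for each so the hashes can be quoted in a report. The three sample files are constructed in a temporary directory so the script runs offline; the directory path, file names and header bytes are all assumptions.

```python
import hashlib
import os
import struct
import tempfile

# Machine identifiers from the PE (COFF) and ELF specifications.
PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}


def sha256_of(path):
    """Hash the file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path):
    """Return {"path", "kind", "arch", "size", "sha256"}; kind is "pe", "elf" or "other"."""
    with open(path, "rb") as f:
        data = f.read(64 * 1024)  # the headers we need sit in the first bytes
    info = {"path": path, "kind": "other", "arch": None,
            "size": os.path.getsize(path), "sha256": sha256_of(path)}
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature; Machine follows it.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if len(data) >= e_lfanew + 6 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            info["kind"] = "pe"
            info["arch"] = PE_MACHINES.get(machine, hex(machine))
    elif data[:4] == b"\x7fELF" and len(data) >= 20:
        # e_ident[EI_DATA] (offset 5) gives byte order; e_machine is at offset 18.
        endian = "<" if data[5] == 1 else ">"
        machine = struct.unpack_from(endian + "H", data, 18)[0]
        info["kind"] = "elf"
        info["arch"] = ELF_MACHINES.get(machine, hex(machine))
    return info


def scan(directory):
    """Walk a directory and return the records of every PE or ELF file found."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            rec = classify(os.path.join(root, name))
            if rec["kind"] != "other":
                found.append(rec)
    return found


def make_samples(directory):
    """Write three constructed files (a minimal PE, a minimal ELF, a text file)."""
    pe = bytearray(b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40))   # DOS header, e_lfanew = 0x40
    pe += b"PE\x00\x00" + struct.pack("<H", 0x8664) + b"\x00" * 18    # signature + COFF header (x64)
    elf = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9 + struct.pack("<HH", 2, 0x3E)  # ELF64 LE, EXEC, x86-64
    txt = b"just a text file\n"
    paths = {}
    for name, data in (("svc.exe", bytes(pe)), ("agent", elf), ("notes.txt", txt)):
        p = os.path.join(directory, name)
        with open(p, "wb") as f:
            f.write(data)
        paths[name] = p
    return paths


def demo():
    """Build the constructed samples, scan them, and return results keyed by file name."""
    workdir = tempfile.mkdtemp(prefix="mre-triage-")
    make_samples(workdir)
    return {os.path.basename(r["path"]): r for r in scan(workdir)}


if __name__ == "__main__":
    for name, rec in demo().items():
        print(f"{name}: {rec['kind']} {rec['arch']} {rec['size']} bytes sha256={rec['sha256']}")
```

Only the header bytes are inspected, so a file renamed to hide its extension is still picked up; conversely, a file that merely ends in .exe but has no MZ/PE signature is reported as "other" and can be reviewed separately.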


Deconstruction/Reconstruction

There are a number of ways to decompile malware once you’ve obtained a file. Some popular tools are the GNU Project Debugger (GDB), Ghidra, and Binary Ninja. While both Ghidra and Binary Ninja can be installed on a Windows machine, it is recommended that these tools only ever be used on a VM. [2] GDB comes preinstalled on Kali Linux, and Ghidra can be installed on Linux as well. All of these tools provide similar functionality; the main difference is the workflow each uses to analyze the code.

Once your file is processed, you can begin to determine the program flow. Program flow is simply the sequence of steps taken while the “main” function runs. Determining program flow is important for judging the impact the program might have and what resources or servers it is trying to access. There are many ways to work through a program, but the best is to start methodically by following the main program from top to bottom and stepping into each function at the point where it is called. [3] The difficult part will be determining how the program works and what each function is doing. There is no particular way to do this other than to understand how the decompiler you’re using works and how it names objects. [4] As noted before, each decompiler works differently and uses a different workflow, so stick with one and learn it as well as possible.
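Added example (not from the original post, and not a feature of GDB, Ghidra or Binary Ninja): the "follow main top to bottom and step into each call" walk, automated over a small objdump-style disassembly listing. The listing is constructed for this example and the function names in it are invented; the script builds a call graph from the function headers and direct call instructions, prints the walk from main in the order an analyst would visit the functions, and lists any function that the walk never reaches, which is where callbacks, thread entry points and dead code tend to hide.

```python
import re

# Constructed listing (not from any real sample). Only function headers and
# direct "call" instructions matter to this example.
LISTING = """\
0000000000401000 <main>:
  401000: push   rbp
  401001: call   401100 <load_config>
  401006: call   401200 <connect_server>
  40100b: call   401400 <cleanup>
  401010: ret
0000000000401100 <load_config>:
  401100: call   401300 <read_file>
  401105: ret
0000000000401200 <connect_server>:
  401200: call   401500 <resolve_host>
  401205: call   401300 <read_file>
  40120a: ret
0000000000401300 <read_file>:
  401300: ret
0000000000401400 <cleanup>:
  401400: ret
0000000000401500 <resolve_host>:
  401500: ret
0000000000401600 <on_timer>:
  401600: call   401200 <connect_server>
  401605: ret
"""

FUNC_HEADER = re.compile(r"^[0-9a-fA-F]+ <([^>]+)>:\s*$")
CALL_INSN = re.compile(r"^\s*[0-9a-fA-F]+:\s+call\s+[0-9a-fA-F]+ <([^>]+)>")


def build_call_graph(listing):
    """Map each function name to the ordered list of functions it calls directly."""
    graph = {}
    current = None
    for line in listing.splitlines():
        m = FUNC_HEADER.match(line)
        if m:
            current = m.group(1)
            graph.setdefault(current, [])
            continue
        m = CALL_INSN.match(line)
        if m and current is not None:
            graph[current].append(m.group(1))
    return graph


def program_flow(graph, entry="main"):
    """Walk from `entry` top to bottom, stepping into each call the first time it is
    seen. Returns indented lines in visit order; a function met again is noted but
    not descended into, which also keeps recursion from looping forever."""
    lines = []
    seen = set()

    def visit(name, depth):
        if name in seen:
            lines.append("  " * depth + name + " (already analyzed)")
            return
        seen.add(name)
        lines.append("  " * depth + name)
        for callee in graph.get(name, []):
            visit(callee, depth + 1)

    visit(entry, 0)
    return lines


def unreached_functions(graph, entry="main"):
    """Functions defined in the listing that the walk from `entry` never reaches."""
    reached = set()
    stack = [entry]
    while stack:
        name = stack.pop()
        if name in reached:
            continue
        reached.add(name)
        stack.extend(graph.get(name, []))
    return sorted(set(graph) - reached)


if __name__ == "__main__":
    g = build_call_graph(LISTING)
    print("\n".join(program_flow(g)))
    print("not reached from main:", unreached_functions(g))
```

Indirect calls (through registers or function-pointer tables) do not appear in the graph, so a short "not reached from main" list is a prompt to look for those call sites by hand rather than a proof that the code is dead.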

Conclusion

MRE is another key tool for a digital forensic analyst. Analyzing and understanding what malware might have done to a system or network can help build a more accurate picture of a case. This will be important when creating reports and responding to events in order to provide the best response possible. Having a complete and accurate report is important to guide mitigation and recovery plans.

References

[1] Section, “How to Recover Data from Digital Storage Media using Autopsy,” Engineering Education (EngEd) Program, Jan. 11, 2022.

[2] Ryan Clancy, “A Quick Guide to Reverse Engineering Malware,” EC-Council (eccouncil.org), Oct. 11, 2022.

[3] David Carter, “Understanding Evil: How to Reverse Engineer Malware,” Huntress (huntress.com), Sept. 21, 2023.

[4] Avigayil Mechtinger, “Malware Reverse Engineering for Beginners – Part 1: From 0x0,” Intezer, Jan. 5, 2022.