Even an organization's most advanced defenses, such as antivirus, firewalls and IPS, are no match for the sophisticated attacks deployed today. Malware forensics investigation is the study or process of determining the functionality, origin and potential impact of a given malware sample, such as a virus, worm, Trojan horse, rootkit or backdoor. Malware aims to compromise the system's confidentiality, integrity and availability. In malware analysis, the malware's behavior can be examined in various environments, categorized as Static, Mounted, Live and Network.
Static Analysis takes place when the infected file is placed into a non-functioning environment and analyzed as raw data. The benefits of this are that the virus cannot use any advanced techniques to evade detection, and any unencrypted strings or headers can be easily identified.
Mounted Analysis involves mounting the file system on which the infected files are stored as a logical drive within the investigation machine. This has the advantage that the file can be viewed in its native environment, allowing file and folder permissions and metadata to be examined more easily.
Live Analysis should occur within a sandboxed environment where the available resources can be strictly controlled. At this stage the infection can be set loose on a system and its effects monitored or controlled.
The Network Analysis stage looks at any network traffic associated with the infection. When viruses are created for profit, they typically need to transfer information to be successful.
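As an added example, not code from the page or from Infinity Risk Control, the following Python script shows what the Static Analysis stage described above looks like in practice: the file is treated as raw bytes, its format is identified from header magic (including a check that an MZ header really points at a PE signature), printable strings are extracted as `strings` would, and the strings are bucketed into the indicator types (URLs and hosts, file paths, DLL names, watch-listed API names) that the later Network and Live stages would confirm. The sample bytes, the hostname and paths inside them, and the API watch list are all constructed for illustration.

```python
"""Static triage of a suspicious file: format by magic bytes, printable
strings, and a first cut at indicators (URLs, paths, imports).

Added example; SAMPLE and API_WATCHLIST are constructed for illustration.
"""
from __future__ import annotations

import re
import struct
from urllib.parse import urlparse

# Signatures used for file-type identification (first bytes of the file).
MAGIC = {
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"PK\x03\x04": "ZIP container",
}

# Win32 API names that commonly appear in process-injection capable
# samples; a hit is a triage signal to follow up on, not proof of malice.
API_WATCHLIST = {
    "CreateRemoteThread",
    "WriteProcessMemory",
    "VirtualAllocEx",
    "URLDownloadToFileA",
}

# Constructed sample (not a real malware file): a minimal MZ/PE stub
# followed by binary noise and a few embedded strings of the kind static
# analysis surfaces. e_lfanew (offset 0x3c) points at the "PE\0\0" signature.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 56            # DOS header up to offset 0x3c
    + struct.pack("<I", 0x80)               # e_lfanew = 0x80
    + b"\x00" * (0x80 - 0x40)               # padding up to the PE header
    + b"PE\x00\x00"                         # PE signature
    + b"\x13\x37\x00\x01\xde\xad\xbe\xef"   # binary noise
    + b"kernel32.dll\x00"
    + b"CreateRemoteThread\x00"
    + b"http://example.invalid/beacon.php\x00"
    + b"C:\\Users\\Public\\update.exe\x00"
)


def identify_format(data: bytes) -> str:
    """Return a coarse file type from the header. For MZ files the PE
    signature is checked through e_lfanew, so a bare 'MZ' prefix is not
    reported as a PE executable."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE executable"
        return "DOS MZ executable (no PE signature)"
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extract_strings(data: bytes, min_len: int = 5) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify(strings: list[str]) -> dict[str, list[str]]:
    """Bucket strings into the indicator types an analyst looks for."""
    report = {"urls": [], "hosts": [], "paths": [], "dlls": [], "apis": []}
    for s in strings:
        if re.match(r"https?://", s):
            report["urls"].append(s)
            report["hosts"].append(urlparse(s).hostname)
        elif re.match(r"[A-Za-z]:\\", s):
            report["paths"].append(s)
        elif s.lower().endswith(".dll"):
            report["dlls"].append(s)
        elif s in API_WATCHLIST:
            report["apis"].append(s)
    return report


def triage(data: bytes) -> dict:
    """One-shot static triage: format, string count, classified indicators."""
    strings = extract_strings(data)
    result = {"format": identify_format(data), "string_count": len(strings)}
    result.update(classify(strings))
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:13}: {value}")
```

Everything here is done without executing the sample, which is the point of the stage: the hostname and the staging path come straight out of the raw bytes and become the things to watch for in the Network and Live stages, and a packed or encrypted sample would yield few strings, which is itself a useful finding.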

Infinity Risk Control

35 Tannery Road #09-05,Ruby Industrial Complex / 347740 / Singapore 65 68460654
88 Wood Street, 10th - 11th Floor / Greater London EC2V 7RS / UK 44 203 6953536