Our world is increasingly immersed in technology, and malware poses a formidable threat. Malware exploits security vulnerabilities on a large scale, causing enormous financial losses and the compromise of vital information for businesses, individuals and government institutions. Forensic malware analysis is crucial to countering these attacks. This research focuses on analyzing the RAM of computers infected with a virus. The goal is to enable digital investigators to better understand malware behavior and to implement effective methods for analyzing compromised computers. The research question is how IT professionals can better analyze an infected computer by using the right method. The work uses tools such as LiME (for memory acquisition) and Volatility (for memory analysis), run in secure analysis environments such as CSI Linux and Tsurugi Linux. In this analysis we identify suspicious running processes as well as suspicious active network connections. The results show characteristic alterations, such as changes to system processes or unusual memory access patterns, consistent with known virus techniques. Forensic analysis of the network connections shows that the virus established outbound connections to command and control (C&C) servers to receive instructions and send encrypted data; these were identified through communications to suspicious IP addresses and ports associated with the C&C infrastructure. This research matters because behavioral analysis of malware contributes to the development of more effective mitigation techniques, thereby reducing the risk of infection. Additionally, the findings can be valuable for designing malware decryption tools, offering an opportunity for data recovery after a file-encryption attack.
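The two triage steps the abstract describes (spotting suspicious processes, then spotting outbound connections to C&C hosts) are usually done by reading Volatility output by eye. The script below is an added example, not the paper's tooling or data: it parses constructed, trimmed tables shaped like the `windows.pslist` and `windows.netscan` plugin output, flags processes whose parent is not the one Windows normally uses, flags established connections from non-browser processes to external hosts on non-web ports, and joins the two views so that a process that is abnormal on both counts surfaces as the C&C candidate. The parent-process baseline, the port watchlist and the set of "web-capable" processes are assumptions to tune per environment, and the sample IPs are TEST-NET documentation addresses, which is why the code uses an explicit internal-range list instead of `ipaddress.is_private` (Python classifies TEST-NET blocks as reserved and would silently drop them).

```python
"""Triage Volatility-style pslist/netscan listings for C2 candidates.
Added example with constructed input; not the paper's code or data."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample loosely modelled on `vol -f mem.raw windows.pslist`
# (columns trimmed). Not a real capture.
SAMPLE_PSLIST = """\
PID PPID ImageFileName
4 0 System
600 4 wininit.exe
700 600 services.exe
880 700 svchost.exe
2210 1900 chrome.exe
3120 2210 svchost.exe
"""

# Constructed sample loosely modelled on `vol -f mem.raw windows.netscan`.
SAMPLE_NETSCAN = """\
Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner
TCPv4 10.0.0.5 49712 203.0.113.45 4444 ESTABLISHED 3120 svchost.exe
TCPv4 10.0.0.5 49713 10.0.0.20 445 ESTABLISHED 4 System
TCPv4 10.0.0.5 49720 198.51.100.8 443 ESTABLISHED 2210 chrome.exe
TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 880 svchost.exe
TCPv4 10.0.0.5 49731 203.0.113.45 8443 ESTABLISHED 3120 svchost.exe
UDPv4 0.0.0.0 5353 * 0 - 1504 mDNSResponder.exe
"""

# Assumed baselines; tune these per environment.
EXPECTED_PARENT = {"svchost.exe": "services.exe", "services.exe": "wininit.exe"}
WEB_CAPABLE = {"chrome.exe", "firefox.exe", "msedge.exe"}
WATCHLIST_PORTS = {4444, 8443, 1337, 31337}
# Explicit internal ranges rather than ipaddress.is_private: Python treats
# the TEST-NET blocks used in the sample as reserved and would hide them.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str


@dataclass
class Conn:
    foreign: str
    fport: int
    state: str
    pid: int
    owner: str


def parse_pslist(text):
    procs = {}
    for line in text.strip().splitlines()[1:]:   # skip header row
        pid, ppid, name = line.split()
        procs[int(pid)] = Proc(int(pid), int(ppid), name)
    return procs


def parse_netscan(text):
    conns = []
    for line in text.strip().splitlines()[1:]:
        f = line.split()
        conns.append(Conn(f[3], int(f[4]), f[5], int(f[6]), f[7]))
    return conns


def is_external(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # '*' or an unparsed address
    return not ip.is_multicast and not any(ip in net for net in INTERNAL)


def odd_parents(procs):
    """PIDs whose parent is not the one Windows normally uses."""
    out = {}
    for p in procs.values():
        want = EXPECTED_PARENT.get(p.name.lower())
        parent = procs.get(p.ppid)
        if want and (parent is None or parent.name.lower() != want):
            out[p.pid] = f"{p.name} parented by {parent.name if parent else '?'}"
    return out


def odd_connections(conns):
    """Established outbound connections worth a second look, keyed by PID."""
    out = defaultdict(list)
    for c in conns:
        if c.state != "ESTABLISHED" or not is_external(c.foreign):
            continue
        why = []
        if c.fport in WATCHLIST_PORTS:
            why.append(f"port {c.fport} on watchlist")
        if c.owner.lower() not in WEB_CAPABLE and c.fport not in (80, 443):
            why.append(f"{c.owner} to external host on non-web port")
        if why:
            out[c.pid].append((f"{c.foreign}:{c.fport}", why))
    return dict(out)


def correlate(procs, conns):
    """A process with an abnormal parent AND an external connection."""
    parents, nets = odd_parents(procs), odd_connections(conns)
    return {pid: (parents[pid], nets[pid]) for pid in parents if pid in nets}


def c2_hosts(conns):
    """Foreign hosts grouped by the PIDs talking to them (pivot list)."""
    hosts = defaultdict(set)
    for pid, items in odd_connections(conns).items():
        for dest, _ in items:
            hosts[dest.rsplit(":", 1)[0]].add(pid)
    return dict(hosts)


if __name__ == "__main__":
    procs, conns = parse_pslist(SAMPLE_PSLIST), parse_netscan(SAMPLE_NETSCAN)
    for pid, (parent, dests) in correlate(procs, conns).items():
        print(f"PID {pid}: {parent}; " +
              "; ".join(f"{d} ({', '.join(w)})" for d, w in dests))
```

On the sample, PID 3120 is the only hit: an `svchost.exe` spawned by `chrome.exe` holding two connections to 203.0.113.45 on 4444 and 8443, while the real `svchost.exe` (PID 880) and the browser's 443 session pass. In practice the tables are produced from an image acquired with LiME (loaded as a kernel module on the live Linux host, writing a `lime`-format dump) or an equivalent acquisition tool, and the flagged host list is what you pivot on next (strings, handles, injected code in that PID).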