BitHead no offence but I guess the misinterpretation is on both sides.
"So in a case you never check if a system contains malware? If so are you in e-discovery?"
"If not what are you using a virus scanner?"
Is this a blast or a couple of questions? If you are in e-discovery I can understand there is no need for malware analysis. If not I'm largely curious how you approach the problem of looking for malware. Like I said before I'm trying to make sense of what you are saying. Yes I'm making assumptions and I'm trying to prove or disprove them by asking questions.
Maybe the choice of wording was a red flag for you?
"Lastly I think your assumption about my supposed ignorance about the merits of the trojan and Chewbacca defense shows how little knowledge you have of the legal system in which I work"
Hey, I ask if you're familiar with the trojan horse defense and you reply in the manner you did; yes, that conveys ignorance. If you want understanding for your position, don't you agree that you probably should have made that clear? That you are familiar with the trojan horse defense, but that in your context of law it has certain merits, instead of referring to it as "ridiculous".
"So on EVERY single case you do malware analysis? Wow. Your case load must be significantly different than mine"
So you hold me accountable for making assumptions. The funny thing is that you're doing the same here yourself, and if I try to clarify you refer to it as back-pedalling?
But let's stop wasting time on this back and forth haggling and get back to the topic at hand. If I offended you in any way, sorry about that.
"BitHead, you blast me and accuse me of never looking for malware."
You and I have exchanged emails before, and I have a great deal of respect for what you do. As such, I don't see how anyone is "blasting" or "accusing" anyone of anything. We all have different perspectives, requirements, and restrictions that we must operate under.
When engaging with folks that I haven't met with face-to-face, and folks I simply don't know, I try not to take what is said personally. Sometimes, engaging with folks for whom English is not their first language, or that don't share the same culture, there is a potential for folks on both sides to misinterpret things. As such, I find that it's useful to focus on the goal, rather than the possible nuances of what is said.
I think that this exchange is a great avenue for sharing.
Back to the discussion then.
I notice one thing that hasn't been shared is Joachim's malware process, which I'm thinking is more one of detection than actual analysis. Perhaps looking at the process would give some clues as to how he's able to look for malware in every case.
Harlan, I don't think not knowing about "Joachim's malware process" (if it exists) is the problem here.
If you want to know about forensic malware analysis:
* Follow the work of the Volatility project; these people are doing an awesome job!
* Read Malware Analyst's Cookbook
* Read Practical Malware Analysis
Or whatever resource proves relevant.
For you, what is the significant difference between detection and analysis?
The way most analysis is done is technically nothing more than detection, e.g. using tool X to build an index of all the keywords; this keyword was detected in this file. So I consider detection part of the analysis, e.g. the next step after finding the keyword is to determine if it is relevant for my case.
Another important thing: I'll think about how to approach the case at hand. As jaclaz nicely points out by "trojan truth", the "trojan horse defense" is only one way of thinking about the problem. "Thesis, antithesis, synthesis" is an essential part of my job.
Have you ever considered in a case that the evidence you're looking at has been carefully planted? Or found yourself in a situation like the following: the time stamps of a file in the Outlook secure temp folder suspiciously look the same as those in the MAPI properties of the email itself, only to find some obscure software behavior.
So to correctly analyze a case, I must consider the possibilities at hand (also those beyond the digital realm). If malware analysis proves not relevant for the case at hand, why spend time and effort doing so? As I said before, this must be a "well considered decision" and therefore is part of the analysis itself and also of the report.
You mention "sniper forensics"; that is one of the techniques I use. Although I would not hype it as "sniper forensics" but merely refer to it as common sense. Throwing your digital files into a processing pipeline and waiting for multiple days can be a useful "delay of having to look at the data" technique, but will only work to a limited extent. First triaging your data is a useful technique; for this you'll have to understand what you're looking at and what technologies are used.
E.g. you know a server connected to the internet has been hacked. Where do you start: by imaging every system and then running them through FTK? Or maybe by taking a look at the hacked server itself. Now this is easy if you know where to start looking; if not, you'll need to figure out ways to reduce the scope of your analysis. Again, this is nothing revolutionary, shocking or new.
Now what I could be doing differently is:
1. I rarely use a graphical user interface. Now I suddenly can utilize the Unix power tools in my analysis, slicing and dicing the data into whatever I want it to look like, and not wasting time on trying to drag and drop the data into the right place, finding myself doing it over and over because the software is too rigid to remember my settings.
2. That I'm incredibly lazy (in a good way 😉 ). Take VSS for example, if I would do it the traditional way as most people have opted
So why:
a) use Windows and waste time navigating through GUIs, when you can learn to type faster than navigate the mouse?
b) do repetitive tasks more than a couple of times?
c) rely on a sub-system that I know nothing about, nor how it potentially could be manipulated?
d) max out the IO of my analysis workstation and not the CPU? How many cores did it have again?
So again, this is a carefully chosen analysis decision not to waste time on tasks I could do "smarter". Does it mean I do not waste time doing repetitive tasks? Unlikely, but maybe less. So I can spend some of that time (and more) looking at and documenting file formats. Which makes me more knowledgeable about the data as well, including the challenges of trying to process it, and therefore understanding the edge cases forensic software has to deal with.
Does all this effort pay off? Hell yes! And luckily for you I'm sharing most of it, either as some info on forensicswiki or as a library and tools that can be run on most of the major operating systems and integrated into your forensic tooling. The only thing that you have to do is to read and understand it.
My guess is that your motivation for "Forensic Scanner", blog posts and books are along similar lines.
For those interested, the code for my version of an IDX parser can be found here
http//