Sep 13, 2012

When digital investigators are confronted with a suspicious executable during an investigation, a standard, well-known incident response process is applied. This process involves hashing the suspect executable and looking up the hash value in an online malware analysis and scanning service such as VirusTotal [1] to verify whether the suspect executable belongs to a known malware family. If the malware analysis service does not return a positive detection, a manual or automated malware behavior analysis process is then required.

Behavioral malware analysis examines the functionality of a suspect executable and its interactions with the operating system in what is called sandbox analysis. In a sandbox solution, the behavioral examination is conducted by isolating the suspect malware in a controlled environment, i.e. a virtual machine or machine emulator, and observing all of its interactions and activities with the operating system. Observed interactions include, for example, the system calls invoked by the executable, allocated memory regions, created processes and threads, registry entries that were accessed, created, modified or deleted, network activity, and so on. Such valuable information enables human digital investigators and malware analysts to draw a conclusion about the suspect executable and whether or not it poses a threat to the integrity of the investigation.

Unfortunately, although behavioral analysis using sandboxing is vital in malware analysis and helps human malware analysts determine whether further analysis is required, using a sandbox in a forensic investigation has a number of limitations. In essence, the scope and objectives of malware analysis from a digital investigation perspective differ substantially from those of security and malware detection. These differences may lead forensic investigators to invalid conclusions and threaten the integrity of the investigation.

An example of these limitations is the problem of malware evasion techniques. Malware writers often employ sophisticated methods to impede behavioral analysis in a sandbox by attempting to detect whether the host environment is a real machine or is simulated using machine emulation. If an emulated or virtualized environment is detected, execution of the malicious code is suppressed and the program terminates, or it executes benign code to evade human analysts.

Even if such evasion methods are not employed, malware usually has different payloads to execute depending on the configuration of the infected host. That is, one malware sample may behave differently on different hosts if, for example, the hosts have different versions of internet browsers. Hence, since currently available sandbox solutions cannot consider all possible configurations of the infected host operating system, there is a chance that the code executed in the sandbox is not the code that was previously executed on the host under investigation, either because different configuration settings are in effect or because the malware employs sandbox detection techniques.
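The two problems above (evasion when virtualization is detected, and configuration-dependent payloads) both mean that a single sandbox run is not conclusive evidence of what the sample did on the victim host. The following added example (not code from the original post) shows the check an investigator can apply: run the same sample under several provisioning profiles, compare the observed behaviour across runs, and identify which run actually mirrors the inventory of the host under investigation. The report format, attribute names and all sample data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class SandboxRun:
    """One execution of the suspect sample in one provisioned environment."""
    config: dict           # host attributes the sandbox was provisioned with
    behaviours: frozenset  # actions observed during the run (constructed format)

def config_mismatches(sandbox_cfg, host_cfg):
    """Attributes on which the sandbox differs from the host under investigation,
    as {attribute: (sandbox_value, host_value)}; absent values appear as None."""
    keys = set(sandbox_cfg) | set(host_cfg)
    return {k: (sandbox_cfg.get(k), host_cfg.get(k))
            for k in sorted(keys) if sandbox_cfg.get(k) != host_cfg.get(k)}

def matching_runs(runs, host_cfg):
    """Indices of runs whose configuration mirrors the host; only these runs
    speak to what the sample did on that particular host."""
    return [i for i, r in enumerate(runs) if not config_mismatches(r.config, host_cfg)]

def compare_runs(runs):
    """Split behaviour into what every run showed and what only some runs showed.
    Any configuration-dependent behaviour means a single run is not conclusive."""
    common = frozenset.intersection(*(r.behaviours for r in runs))
    only_here = [sorted(r.behaviours - common) for r in runs]
    return {"common": sorted(common), "config_dependent": only_here,
            "diverges": any(only_here)}

# Constructed sample data: one executable run under three provisioning profiles.
# Run 0 exposes virtualisation artifacts and the sample simply exits (evasion);
# runs 1 and 2 differ only in browser version and show different payloads.
PERSIST = r"reg_set:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"
RUNS = [
    SandboxRun({"os": "Win7 SP1", "browser": "IE 8", "vm_artifacts": True},
               frozenset({"file_create:%TEMP%\\a.tmp", "proc_exit:0"})),
    SandboxRun({"os": "Win7 SP1", "browser": "IE 8", "vm_artifacts": False},
               frozenset({"file_create:%TEMP%\\a.tmp", PERSIST, "dns:example.invalid"})),
    SandboxRun({"os": "Win7 SP1", "browser": "Firefox 15", "vm_artifacts": False},
               frozenset({"file_create:%TEMP%\\a.tmp", PERSIST})),
]
# Inventory of the infected host under investigation (constructed).
HOST = {"os": "Win7 SP1", "browser": "IE 8", "vm_artifacts": False}

if __name__ == "__main__":
    result = compare_runs(RUNS)
    print("behaviour common to all runs:", result["common"])
    for i, extra in enumerate(result["config_dependent"]):
        print(f"run {i} {RUNS[i].config} only:", extra)
    print("runs that mirror the host inventory:", matching_runs(RUNS, HOST))
```

Only run 1 mirrors the host, so its behaviour is the evidence relevant to this investigation; the persistence key and DNS lookup it shows are absent from run 0, which is exactly the false-negative the text warns about.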

Thus, inferences and implications drawn from such analysis may mislead human investigators into concluding that an executable is a benign program when in fact it is malicious, or that the malware executed an exploitation payload that was never executed on the infected host under investigation.

Typically, the existence of such limitations, and many others, is the result of building this technology without keeping the requirements of digital forensic investigation in mind. Tools developed for use in digital forensic investigation have unique requirements and cannot be substituted by tools commonly used in computer security without customization to address the unique objectives of digital investigation. Hence, an assessment of the automation tools and techniques borrowed from malware security for use in digital investigation is strictly required, to determine whether these tools truly assist digital investigators in producing a successful investigation or contribute to misleading their inferences.