Linux/GNU provides a wealth of tools which can be used to analyze
binaries such as file, strings, md5sum, hexdump, ldd, strace and gdb.
Moreover, AppArmor's profile-generation tool aa-genprof could be useful when
analyzing the behaviour of an unknown binary, since it records every resource the confined program touches.
For the purpose of demonstrating the forensic software analysis
process and the recoverable artifacts, a number of Linux/GNU tools will
be used to investigate the Skype application. Conclusions of the
investigation are presented at the end of the document.
The file command helps identify the file type and displays general information about the suspected binary.
The ldd command can be used to identify all shared
libraries used by the suspicious software. Note that ldd may run the program's own dynamic loader to resolve those libraries, so for an untrusted binary the safer choice is to read the NEEDED entries with readelf -d or objdump -p.
gdb is the GNU debugger, useful for debugging an executable to “see what is going on 'inside' another program while it executes—or what another program was doing at the moment it
crashed” (Free Software Foundation, Inc. 2002). gdb
allows an investigator to run a suspicious program step by step, view the value of a specific expression, or print a stack trace using the bt command.
strace can be used to display system calls and signals, including access to local and remote resources such as /etc/passwd.
The strace command could be used with the
-o parameter to output the content to a specified file, and with -f to follow any child processes the program spawns.
The information includes:
- the name of a system call
- its arguments; and
- its return value
The output file could be parsed with grep
with an appropriate regular expression to identify accessed and/or modified system resources. Failed calls (a return value of -1 with an error such as ENOENT) are worth keeping as well, since they show what the program looked for.
|grep strace output|
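The strace workflow described above, written out as an added example (not code from the original post): one function records the trace with the -f and -o options, and three parsers pull accessed files, failed lookups and outbound connections out of the log. The strace excerpt is constructed here in strace's own output format so the parsers can be run without tracing anything; the pid and path values in it are invented.

```shell
#!/bin/sh
# Parsing strace output for accessed resources. Added example (not from the
# original post). Assumes a POSIX shell, grep/sed/awk, and strace's default
# output format with the -f pid prefix.
export LC_ALL=C

# Record every system call of the program and its children to a file.
# -f follows forks, -tt adds timestamps, -s 256 keeps long strings intact.
trace_binary() {
    out=$1; shift
    strace -f -tt -s 256 -o "$out" -- "$@"
}

# Strip the optional pid and timestamp prefix so the syscall starts the line.
_calls() {
    sed -E 's/^[0-9]+ +//; s/^[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]+ +//' "$1"
}

# Files successfully opened, tagged READ or WRITE from the open flags.
files_opened() {
    _calls "$1" | grep -E '^openat?\(' | grep -vE '\) = -1 ' |
        sed -E 's/^openat?\((AT_FDCWD, )?"([^"]*)", ([A-Z_|]+).*/\3 \2/' |
        awk '{ mode = ($1 ~ /O_WRONLY|O_RDWR|O_CREAT|O_TRUNC/) ? "WRITE" : "READ";
               print mode, substr($0, index($0, " ") + 1) }'
}

# Paths the program looked for but did not find: failed lookups show intent
# (configuration it expects, preload tricks, other users' data).
files_probed() {
    _calls "$1" | grep -E '^openat?\(.*\) = -1 ENOENT' |
        sed -E 's/^openat?\((AT_FDCWD, )?"([^"]*)".*/\2/'
}

# Outbound IPv4 connect() targets as host:port, including non-blocking
# attempts that return EINPROGRESS.
net_connects() {
    _calls "$1" | grep -E '^connect\(' |
        sed -E 's/.*sin_port=htons\(([0-9]+)\), sin_addr=inet_addr\("([^"]+)"\).*/\2:\1/'
}

# Constructed strace excerpt in the real output format, so the parsers can be
# exercised offline. Paths, pids and addresses are invented.
sample_trace() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
1234 openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1234 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
1234 openat(AT_FDCWD, "/home/user/.mozilla/firefox/abcd.default/places.sqlite", O_RDONLY) = 4
1234 openat(AT_FDCWD, "/home/user/.config/Skype/shared.xml", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5
1234 connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.55")}, 16) = 0
1235 connect(7, {sa_family=AF_INET, sin_port=htons(33033), sin_addr=inet_addr("198.51.100.7")}, 16) = -1 EINPROGRESS (Operation now in progress)
EOF
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    log=$(sample_trace)
    echo "== opened ==";  files_opened "$log"
    echo "== probed ==";  files_probed "$log"
    echo "== network =="; net_connects "$log"
    rm -f "$log"
fi
```

Against a real trace, replace sample_trace with trace_binary "$log" /path/to/suspect; the parsers only rely on the open/openat and connect line formats and ignore everything else.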
strings prints all printable character sequences in a specified file. It could be useful to identify system calls, resources, URLs, IP addresses, names, etc. when analyzing a suspected binary.
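The static checks from the file, ldd and strings paragraphs above, collected into one script as an added example (not code from the original post). It hashes the binary, reports its type and NEEDED libraries, and extracts URL, IPv4 and path candidates from its printable strings. The string extraction is done with tr and grep so it runs without binutils; file and readelf are only called when installed; the "binary" it analyses is a constructed stand-in with invented contents.

```shell
#!/bin/sh
# Static triage of a suspect binary. Added example (not from the original post).
# Assumes a POSIX shell with coreutils; file(1) and readelf(1) are optional.
# LC_ALL=C keeps byte-wise matching and a stable sort order.
export LC_ALL=C

# Type, hashes and linked libraries. readelf is preferred over ldd because
# ldd may execute the program's own dynamic loader; its man page warns
# against running it on untrusted executables.
triage_report() {
    bin=$1
    echo "== file =="
    if command -v file >/dev/null 2>&1; then file "$bin"; else echo "file(1) not installed"; fi
    echo "== hashes =="
    md5sum -- "$bin"
    sha256sum -- "$bin"
    echo "== NEEDED libraries (readelf -d) =="
    if command -v readelf >/dev/null 2>&1; then
        readelf -d "$bin" 2>/dev/null | grep NEEDED || echo "no dynamic section"
    else
        echo "readelf(1) not installed; ldd \"$bin\" is the risky fallback"
    fi
}

# Portable equivalent of `strings -n 4`: runs of at least four printable bytes.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Candidate indicators among those strings: URLs, IPv4 addresses, absolute paths.
extract_iocs() {
    extract_strings "$1" |
        grep -oE 'https?://[^[:space:]"]+|([0-9]{1,3}\.){3}[0-9]{1,3}|/[A-Za-z0-9_./-]+' |
        sort -u
}

# Constructed stand-in for a suspect binary: junk bytes around a few embedded
# strings, so the functions above can be exercised offline. Values are invented.
sample_binary() {
    f=$(mktemp)
    printf '\177ELF\001\001%s\002\002%s\003%s\001ab\001%s\004' \
        'http://example.invalid/c2' '192.0.2.10' '/etc/passwd' 'noise' > "$f"
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(sample_binary)
    triage_report "$f"
    echo "== indicators =="
    extract_iocs "$f"
    rm -f "$f"
fi
```

The indicator regex is deliberately loose (any dotted quad, any absolute path); it is a starting list for grep against the strace output, not a verdict.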
AppArmor is a “Linux application security system” (AppArmor Security Project, 2011) that uses an allow-list approach to protect the operating system and its users. It does so by enforcing “good”
behaviour, including permitted network ports, allowed resources, etc., to protect against known and unknown application flaws.
AppArmor includes “a combination of advanced static analysis and learning-based tools” (AppArmor Security Project, 2011) which could be helpful when investigating the behaviour of malicious software. For the purpose of a forensic investigation, the aa-genprof
command can be used to put the program under a complain-mode profile and record all of its accesses, which can be analyzed at a later stage.
When using aa-genprof
to analyze potential malware behaviour, the investigator has to invoke all possible functionality to force the software to access every local and remote resource it uses. In many cases it is necessary to let the software run for a few days, as some malware, such as infected bots, communicates with its controller only periodically.
|Skype main window|
|Skype calling echo123|
|Skype messaging echo123|
|aa-genprof analyzing Skype access to Pulse resources|
|aa-genprof analyzing Skype access to system fonts configuration|
|aa-genprof analyzing Skype access to local chat|
|aa-genprof analyzing Skype access to Firefox bookmarks|
|aa-genprof analyze Skype access to Firefox extensions|
The Skype application accesses resources required to display a graphical user interface (GUI) using the Qt library, to interact with audio devices through the PulseAudio framework, and to use the network, all of which could be considered legitimate behaviour for a VoIP application.
On the other hand, Skype's access to resources such as Firefox bookmarks and extensions such as LastPass (an advanced password manager), and to system resources such as /etc/passwd,
raises suspicion as it resembles typical malware behaviour. Reads of /etc/passwd on their own are weak evidence, since the C library consults it for routine user-name lookups; the reads of another application's profile directory are the stronger indicator.
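The sorting of aa-genprof findings into expected and suspicious accesses, as an added example that is not part of the original post. It reads AppArmor complain-mode audit lines, marks each file access as EXPECTED or REVIEW against an allow-list of what a Linux VoIP client legitimately touches, and turns the REVIEW entries into deny rules for a hardened profile. The log excerpt is constructed in the kernel's audit format with invented paths and pids, and the allow-list is an assumption of this example, not something the post states.

```shell
#!/bin/sh
# Triage of AppArmor complain-mode log entries, as produced while aa-genprof
# has a profile in complain mode. Added example (not from the original post).
# Assumes a POSIX shell plus grep/sed/awk. The expected-path allow-list is an
# assumption about what a Linux VoIP client legitimately touches.
export LC_ALL=C

# Print one line per file access: EXPECTED or REVIEW, the requested mask and
# the path. Only entries carrying name= and requested_mask= are considered.
classify_aa_log() {
    grep -E 'apparmor="(ALLOW|DENIED|AUDIT)".*name="[^"]*".*requested_mask="[^"]*"' "$1" |
    sed -E 's/.*name="([^"]*)".*requested_mask="([^"]*)".*/\1 \2/' |
    while read -r path mask; do
        case "$path" in
            /usr/lib/*|/usr/share/*|/etc/fonts/*|/etc/ld.so.cache|/dev/snd/*|\
            /home/*/.config/pulse/*|/run/user/*/pulse/*|\
            /home/*/.Skype/*|/home/*/.config/Skype/*)
                echo "EXPECTED $mask $path" ;;
            *)
                # /etc/passwd lands here too; glibc reads it for getpwuid()
                # and similar lookups, so it is a weaker signal than
                # another application's profile directory.
                echo "REVIEW $mask $path" ;;
        esac
    done
}

# Turn the REVIEW entries into AppArmor deny rules for the hardened profile,
# with the user's home directory generalised to @{HOME}. An investigator would
# usually widen these to globs such as @{HOME}/.mozilla/** before enforcing.
suggest_deny_rules() {
    classify_aa_log "$1" | awk '$1 == "REVIEW" { print "  deny " $3 " " $2 "," }' |
        sed -E 's#/home/[^/]+/#@{HOME}/#'
}

# Constructed log excerpt: what a complain-mode Skype profile might log.
# Paths, pids and timestamps are invented.
sample_aa_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=AVC msg=audit(1310000000.101:201): apparmor="ALLOW" operation="open" profile="/usr/bin/skype" name="/usr/lib/libQtGui.so.4.7.4" pid=1234 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1310000000.102:202): apparmor="ALLOW" operation="open" profile="/usr/bin/skype" name="/etc/fonts/fonts.conf" pid=1234 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1310000000.103:203): apparmor="ALLOW" operation="open" profile="/usr/bin/skype" name="/home/user/.config/pulse/cookie" pid=1234 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1310000000.104:204): apparmor="ALLOW" operation="open" profile="/usr/bin/skype" name="/home/user/.Skype/user/main.db" pid=1234 comm="skype" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
type=AVC msg=audit(1310000000.105:205): apparmor="ALLOW" operation="open" profile="/usr/bin/skype" name="/etc/passwd" pid=1234 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1310000000.106:206): apparmor="ALLOW" operation="open" profile="/usr/bin/skype" name="/home/user/.mozilla/firefox/abcd.default/places.sqlite" pid=1234 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1310000000.107:207): apparmor="ALLOW" operation="open" profile="/usr/bin/skype" name="/home/user/.mozilla/firefox/abcd.default/extensions/support@lastpass.com/install.rdf" pid=1234 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
EOF
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    log=$(sample_aa_log)
    classify_aa_log "$log"
    echo "== suggested deny rules =="
    suggest_deny_rules "$log"
    rm -f "$log"
fi
```

On a live system the input would be the audit or syslog file that aa-genprof itself scans; the allow-list in classify_aa_log is where the investigator encodes what the application is supposed to do, and everything outside it is what gets reviewed.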