Friday, July 29, 2011

Forensic Software Analysis

Linux/GNU provides a wealth of tools which can be used to analyze binaries such as file, strings, md5sum, hexdump, ldd, strace and gdb. Moreover, profiling tools such as AppArmor could be useful when analyzing behaviour of an unknown binary. For the purpose of demonstrating forensic software analysis process and recoverable artifacts, a number of Linux/GNU tools will be used to investigate Skype application. Conclusions of the investigation will be presented at the end of the document.


file command helps identifying file type and displays general information about the suspected binary.

file command


ldd command can be used to identify all shared libraries used by the suspicious software.

ldd command


gdb is a GNU debugger useful for debugging executable “see what is going on 'inside' another program while it executes—or what another program was doing at the moment it crashed” (Free Software Foundation, Inc. 2002). gdb allows an investigator to run a suspicious program step by step, view a value of a specific expression or print a stacktrace using bt command.

gdb command

gdb stacktrace


strace can be used to display system calls and signals, including access to local and remote resources such as /etc/passwd. strace command could be used with -o parameter to output the content to a specified file.
The information includes:
  • a name of a system call
  • arguments; and
  • return values

strace command

strace output

The output file could be parsed with grep with appropriate regular expression to identify accessed and/or modified system resources.

grep strace output


strings prints all printable characters in a specified file. It could be useful to identify system calls, resources, URLs, IP addresses, names, etc. when analyzing a suspected software.

strings command

strings output


AppArmor is a “Linux application security system” (AppArmor Security Project, 2011) using whitelist approach to protect the operating system and its users. It is done by enforcing “good” behaviour including open ports, allowed resources, etc. to prevent from known and unknown application flows.

AppArmor includes a “a combination of advanced static analysis and learning-based tools” (AppArmor Security Project, 2011) which could be helpful when investigator a malicious software behaviour. For purpose of forensic investigation aa-genprof command can be used to record all software activities which could be analyzed at the later stage.

When using aa-genprof to analyze potential malware behaviour, the investigator has to invoke all possible functionality to force the software to access all local and remote resource. In many cases, it is required to let the software run for a few days as some malware such as infected bots communicate with the bot controller periodically.

aa-genprof command

skype command

Skype main window

Skype calling echo123

Skype messaging echo123
aa-genprof analyzing Skype access to Pulse resources

aa-genprof analyzing Skype access to system fonts configuration

aa-genprof analyzing Skype access to local chat

aa-genprof analyzing Skype access to Firefox bookmarks

aa-genprof analyze Skype access to Firefox extensions


Skype application access resources required to display a graphic user interface (GUI) using Qt library, interact with audio devices through Pulse framework and resources required to use a network, all of which could be considered ass legitimate behaviour for a VoIP application.

On the other, Skype access to resources such as Firefox bookmarks and extensions such as LassPass (advance password manager), and system resources such as /etc/passwd raise suspicious as it resembles typical malware behaviour.


No comments:

Post a Comment