Eforensics Magazine 2022 01 Malware Forensic Analysis

TEAM

Editor-in-Chief
Joanna Kretowicz
[email protected]

Managing Editor:

Michalina Szpyrka
[email protected]

Editors:

Marta Sienicka
[email protected]

Marta Strzelec
[email protected]

Bartek Adach
[email protected]

Magdalena Jarzębska
[email protected]

Senior Consultant/Publisher:
Paweł Marciniak

CEO:
Joanna Kretowicz
[email protected]

Marketing Director:
Joanna Kretowicz
[email protected]

DTP
Michalina Szpyrka
[email protected]

Cover Design
Hiep Nguyen Duc

Publisher
Hakin9 Media Sp. z o.o.
02-511 Warszawa
ul. Bielawska 6/19
Phone: 1 917 338 3631

www.eforensicsmag.com

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Word from the team
Dear Readers,

We wish you all the best in the New Year! We hope that it will be fruitful for you and
will allow you to develop your interests and skills. We sincerely want to help you
with the latter, which is why we present to you our latest magazine on Malware
Forensic Analysis. We have prepared a real compendium of knowledge on this topic
for you. From the articles, you will learn what the main forms of malware are, how
to analyze them, which type of analysis (static or dynamic) is appropriate for a
given case, and what tools to use! Therefore, if you are interested in this topic, you
must take a look at our magazine.

Did you think that was it? Well no! In the magazine you will also find:

• comprehensive literature for OSINT (Open Source Intelligence) evaluation as a tool to aid combating cybercrime;

• tutorial presenting the use of IPED - an open-source tool developed by the Brazilian police;

• image tools in the context of their importance for forensic analysis;

• considerations regarding the importance of CISO in the organization.

So if you want to start the New Year productively and invest in your development,
reach for our latest magazine!

Check out our Table of Contents below for more information about each article (we
included short leads for you).

We hope that you enjoy reading this issue! As always, huge thanks to all the
authors, reviewers, to our amazing proofreaders, and of course you, our readers,
for staying with us! :)

Have a nice read!


Regards,
Michalina Szpyrka
and the eForensics Magazine Editorial Team
Table of Contents

Malware Forensics - The Malware Analysis In Forensic Context (page 5)
by Deivison Franco, Cleber Soares and Daniel Müller

IPED, An Amazing Tool To Analyze A Disk Image (page 47)
by Marcus Fábio Fontenelle

Freely Distributed Open Source Image Forensics Tools (page 62)
by James A (Jim) McCoy, Jr.

Malware - The Nightmare Time (page 68)
by Wilson Mendes

Reversing Malware Anonymously (page 78)
by Anderson Sales

Cyber-Savvy Board Of Directors (page 86)
by Longinus Timochenco

Malware Analysis And Its Forms (page 94)
by Daniele Giomo

A Systematic Literature Review For OSINT Evaluation As A Tool To Aid Combating Cybercrime (page 103)
by Francisco de Assis F. Henriques

Applying Zero Trust Principles To Critical Controls (page 125)
by Mathias Sigrist

Significance Of Image Tools In Digital Forensics (page 130)
by Avirup Dutta, Gaurav Kumar Singh
Malware Forensics - The
Malware Analysis In
Forensic Context
by Deivison Franco, Cleber Soares and Daniel Müller

Due to the increase in the number of connected computing devices, the distribution of malicious programs associated with criminal practice grows daily. Consequently, the presence of malware in forensic examinations is increasingly frequent. In addition, the high diversity of malware classes and methods of operation means that forensic examinations of these programs pose new challenges for computer forensics specialists. The purpose of this article is to present fundamental and objective concepts of malware analysis for professionals in the area, along with basic tools and techniques that help uncover the activities performed by malicious programs.

The Malware

The amount of digital pests spread on the internet increases every year. Every day, countless computer programs are developed with the sole purpose of performing illicit activities on computing devices. Our personal information and financial data have never been more valuable. Criminal organizations see this illegal practice as an extremely profitable and low-risk activity, moving millions of dollars a year. Consequently, in the forensic context, the need to perform malware examinations increases proportionally due to the high number of contaminated devices. However, although malicious programs are a nightmare in the lives of users, they can be the solution in a forensic examination, since much malware stores valuable information that would not be obtained without its presence, which makes it possible to prove the authorship of a crime or the innocence of a suspect.

In the course of this article, some techniques and tools used in malware examinations will be presented that help to understand the behavior and activities performed by the program under analysis. Our biggest challenge in developing the article was trying to provide as much information on the topic as possible in the short space of an article, since malware analysis and program reverse engineering are extremely extensive and complex subjects. Because of this, throughout the article we will focus on the analysis of software developed for the Windows platform, as this operating system is the target of the vast majority of current malware.

The article consists of the presentation of some essential concepts of malware analysis, followed by the demonstration of some tools used to obtain information about the functioning of a program in the forensic context. It is important for the reader to download the aforementioned tools and test them, so that the concepts studied are put to better use. It is also critical to download the latest versions of the tools used, to minimize the risk of existing vulnerabilities. Throughout the article, most of the programs shown in the figures are real malware found in forensic examinations.

What is Malware?

Malware is malicious software developed with the purpose of infiltrating a computer system and collecting information without authorization, or simply causing damage. Once installed, and depending on the complexity of the malware, these programs can have access to files present on the computer, traffic transmitted on the network, keys pressed and even environmental eavesdropping or webcam image capture.

The main motivation in the development of malware is to obtain financial resources; however, other motivations, such as social/ideological causes, disclosure of confidential information or vandalism, are also adopted by attackers for the development of this type of software.

Malware uses numerous techniques to infect computing devices, making prevention and detection difficult for users. The main entry techniques are:

• Exploitation of vulnerabilities: Much malware carries exploits used to gain access through security holes in outdated programs on the victim's computer;

• Auto-execution of external media: Functions such as Windows autorun, used by optical media and removable devices such as USB sticks, are a great gateway for malicious software, as they run programs without the user's consent and, as a rule, are enabled by default;

• Social Engineering: The psychological manipulation employed by the attacker to persuade the victim and lead them to execute the malware. Social engineering techniques often use means to arouse the victim's curiosity, abuse their ambition or even their innocence;

• User Conscious Execution: In some cases, the user installs malware on purpose in order to obtain access information about other users who share the use of the machine.

Malware Classes

There are numerous malware classifications according to method of operation, purpose and complexity. In an expert examination, the prior identification of the category to which the malware belongs facilitates the search for traces and allows a more targeted analysis. Currently, due to the evolution of malware, these classes are not mutually exclusive, that is, malicious software can belong to more than one category. The main types are described below.

Spyware

This type of malware has as its main purpose the collection of information from the users of the computer without their consent. It usually sends users' personal information to external servers on the internet. It is a class of software widely used for espionage and also by scammers to obtain passwords for services such as internet banking, credit card numbers, e-mail or access to systems. Often this type of malware assists in forensic analysis, as it collects information that would not normally be stored by operating system logs or other applications. Spyware can be further divided into the subclasses described below.

Adware

Its main activity is the display of advertisements, but it is developed with the aim of collecting information about the user's browsing on the web in order to later offer advertisements for products and services in a targeted way.

Keyloggers

Used to capture and store the keys pressed on the keyboard by the user. Most keyloggers store the collected data in encoded or encrypted files, which makes malware detection and forensic analysis difficult. In fact, if the entire hard drive is indexed, the files containing the words typed and stored by the keylogger will not be found in a keyword search. In these cases, a deeper analysis of the malware, or even the application of cryptanalysis techniques, is necessary.

Screenloggers

Usually working together with keyloggers, this type of malware captures some of the screens presented on the victim's computer. Most also record the mouse position at the time of capture in the image. Many of them start running only after a certain event, such as when the user opens their internet banking page. They are widely used to capture passwords entered on virtual keyboards. Most screenloggers do not encrypt the generated images, which makes it easier to detect the malware in forensic analysis.

Sniffers

Sniffers are used to capture all traffic transmitted by a network card. They are usually used for lawful purposes by network administrators, who make use of this type of tool to detect possible problems in their network. However, they can be used for malicious purposes by capturing everything that passes through the victim's network card, making it possible to obtain unencrypted passwords or even authentication cookies, allowing a session hijack.

Backdoors

Usually installed after a successful attack, the backdoor is intended to guarantee the attacker later access in an easy way, without the need to resort to the methods initially used for the intrusion. It allows remote execution of commands on the local system, in addition to having little or no authentication for access. The detection and analysis of a backdoor in a forensic examination can exonerate an accused, if it is proved that their computer was accessed remotely and used for illicit activities.

Worms

Their main purpose is to spread across a network by infecting different machines. They exploit vulnerabilities present in programs or network services to gain access to the victim's machine and install themselves. They consume a lot of resources due to constant propagation attempts.

Bots

A bot is identical to a worm in terms of the means of propagation and infection; however, they differ in the possibility of receiving external commands, similar to a backdoor. The possibility of remote control lets the bot guarantee access to the victim's operating system, be updated with new exploits or even be used for joint attacks. A network made up of several computers infected with bots is called a botnet.

Botnets are used by hackers for DDoS (Distributed Denial of Service) attacks. This type of attack causes multiple bot-infected machines (called zombies) to try to access a given service simultaneously, causing that service to collapse and stop responding to requests.

Trojans

This type of program performs seemingly harmless functions; however, it performs secondary malicious activities without the user's consent, constituting a gateway for other types of malware. Screensavers, animated cursors, software cracks and keygens are examples of programs commonly used as trojan horses.

Rootkits

Unlike other malware categories that focus on infection or malicious activity, the rootkit is concerned with hiding the presence of malicious code on an infected computer, ensuring the presence of an attacker or the persistence of malware. Rootkits often hide themselves by removing system logs, encrypting their data and scattering it across operating system folders, altering task manager programs so that they do not appear in lists of active processes, and running at the kernel level, among other methods.

Ransomware

A type of malware that restricts access to the infected system with a kind of lock and charges a ransom (as in a kidnapping) so that access can be restored, which makes it practically impossible to track the criminal who receives the payment. This type of "hijacking virus" works by encrypting the operating system's data so that the user no longer has access. Once infected, the malware encrypts user data in the background without anyone noticing. When ready, it issues a pop-up warning that the machine is locked and that the user will no longer be able to use it unless they pay the amount required to obtain the key that gives access to the data again.

Virus

A virus consists of malicious software that propagates by making copies of itself or infecting files/programs present on the computer. Viruses need to be explicitly executed to start their malicious activities and their infection process, as they do not make use of vulnerabilities in software present on the victim's computer to spread. The scope of action of this type of malware is predominantly within the same machine, as viruses generally do not make use of network services.

Malware Forensics – The Malware Analysis in Forensic Context

As with any forensic examination, the main objective of a malware analysis in the criminal context is to answer the questions contained in the report request, as well as to clarify the facts under investigation so that the materiality of a crime can be confirmed or refuted, describing its dynamics and identifying its authorship, and pointing out any other data deemed useful for the promotion of justice. We can cite three major scenarios in which malware analysis is essential to draw conclusions about the criminal practice.

Suspicious Software

In this scenario, there is software already known and used by users, developed internally or acquired from third parties, which is suspected of performing secondary and malicious functions without the administrators' knowledge. In this type of case, the forensic examiner must seek evidence about the behavior of the analyzed software, identifying attributes that resemble a trojan.

Some of the goals of malware analysis in this context are:

• Analyze whether the software in question sends information to external environments not provided for in its original documentation;

• Check whether the program downloads executables or plug-ins from sites not authorized in the software documentation;

• Determine whether the signatures of the binary files that make up the software match the signatures of the binary files after a fresh installation, as the analyzed software may perform malicious secondary functions due to a virus infection;

• Check whether the suspicious program logs keystrokes in other applications or stores screenshots under unauthorized conditions;

• Identify the existence of TCP/UDP ports opened by the program that are not authorized.

Malware Attacks

In this scenario, there are indications of an attack on a computing device or network infrastructure involving the use of malicious software to gain access. In these circumstances, there is already a compromised and malware-contaminated environment that must be examined for traces that determine the purpose, materiality and, if possible, authorship of the attack. This type of examination is also known as post-mortem analysis, which essentially boils down to studying a program's activity by analyzing its effects after execution. The scope of malware analysis in this context includes:

• Identify the software that possibly contributed to the success of the attack;

• Check whether there are open ports associated with the programs under analysis on the hosts or servers present in the forensic environment;

• Investigate the existence of reverse connections related to suspicious software (a technique widely used to circumvent security elements such as firewalls, proxies or IDS);

• Analyze the operating system logs in search of users created by the programs under analysis;

• Determine which machines and files were affected by the malware.

Malware as Secondary Element

This is the scenario with the highest number of cases in forensic examinations involving malware analysis. In such cases, the malicious software is not the main focus of the forensic examination, but acts as an additional source of information that would not be obtained through conventional means. Currently, most malware found has spyware-like functionality, capturing keystrokes or images displayed on the monitor, which makes it possible to obtain valuable information for the examination, such as passwords for encrypted volumes and records of instant-messaging conversations, among other data. Certain activities are essential in this scenario, such as:

• Identify the presence of malware and the location where it is stored;

• Search for files created by the malware, and decode and interpret them;

• Verify that the malware is not the element responsible for the criminal practice present on the computing device examined.

Types of Analysis

Malware analysis involves the adoption of a large number of tools and techniques in order to find out what malicious activities are performed by the program in question. The specialized literature divides malware analysis into two groups: static analysis and dynamic analysis. Next, we will study some characteristics and subdivisions of these approaches and later, in the course of the article, we will delve deeper into the skills and auxiliary tools involved in adopting each analysis separately. Additionally, some characteristics of post-mortem analysis and some methods of anti-analysis will be discussed.

Static Analysis

Static analysis encompasses all possible ways to obtain information about the functioning of the malware without executing it. Techniques such as string analysis of the executable file, identification of the APIs used and disassembling are examples of procedures adopted in static analysis. Static analysis is further subdivided into two levels: basic static analysis and advanced static analysis.

Basic Static Analysis

Basic static analysis consists of examining the executable with the help of specific tools, but without analyzing the machine instructions contained in the binary file. String parsing, PE32 information [PE32 is the data structure present in MS-Windows binary files that contains essential information for the initialization and functioning of executable code], and displaying binary resources are examples of techniques in basic static analysis. This type of analysis can provide some information about the features of malicious software, but it is inefficient against more sophisticated malware that uses methods to obfuscate the code.

Advanced Static Analysis

Advanced static analysis works by reverse engineering the code using a disassembler to examine the instructions belonging to the binary file. Its advantage is that, by examining the instructions that will be executed on the CPU, advanced static analysis allows you to understand exactly what the software does. On the other hand, the major disadvantage of this analysis is the scarcity of efficient tools that automate the decompilation process, returning the analyzed software to the high-level programming language that gave rise to the binary file, which would simplify the understanding of its functions.

This difficulty is caused by the numerous layers that code written in a high-level language goes through until it becomes an executable file. In addition, there are numerous compilers from different manufacturers, with several versions and frameworks with countless libraries. Thus, this analysis requires a certain degree of knowledge of assembly language, an understanding of the machine's architecture and concepts of the operating system on which the program was compiled, making advanced static analysis unfeasible in some cases because it is quite expensive. Because of this, we will not go into details about advanced static analysis, as it would take an entire book to cover the concepts and practices adopted.

Dynamic Analysis

Dynamic analysis is the study of software functioning with the program running, that is, with the malware loaded in memory and consuming CPU resources. In this analysis, changes made by the program to the operating system, hard disk files and network are examined. In addition, the assembly language instructions present in the binary file are analyzed at runtime using debuggers. In dynamic analysis, it is extremely important to prepare a controlled environment before executing the malware, since its execution without due care can cause serious side effects in the operating system and in the network. Dynamic analysis is also subdivided into two levels according to its complexity.

Basic Dynamic Analysis

Basic dynamic analysis essentially consists of observing the software in a computational environment after its execution. This analysis has a more behavioral focus, checking what changes are made by the malware, but without debugging the low-level instructions at runtime. For this, some tools are essential that allow analyzing the system calls invoked by the program, the changes in files, the insertion of keys in the Windows registry and the attempts to connect via the network, among other techniques that will be studied in the course of the article.

Advanced Dynamic Analysis

Advanced dynamic analysis is based on the use of a debugger to examine each instruction executed by the software at runtime. In this way, it is possible to collect more detailed information about the program, which is ideal in cases where good results are not obtained with the basic analyses. It is also a very efficient procedure in situations where the malware makes use of anti-analysis techniques to make the code difficult to understand. However, advanced dynamic analysis is quite complex and, for the same reasons explained for advanced static analysis, we will not go into much detail on it throughout the article.

Post-mortem Analysis

Post-mortem analysis comprises the behavioral analysis of malware based on the traces left by it after its execution in a computing environment. In most cases, these traces are the only evidence of the presence of malware in the environment, as the malicious program may have been removed accidentally by a network administrator or on purpose by the attacker. In this scenario, the operating system and other application logs are essential to understand how the malware works, since the executable file is no longer present on the devices, which makes it impossible to analyze the program's behavior in a controlled environment. Firewall logs, restore points, the event viewer, prefetch and the Windows registry are examples of sources that can provide valuable information about the functioning of the software being analyzed.

The big problem with this analysis is that, in some cases, the identification of the presence of malware, and the consequent detection of the attack, only occurs after a long period of time, which compromises a large part of the traces left by the program on the devices. Over time, files and logs can be deleted, metadata is changed and unallocated space is overwritten; all these actions compromise the evidence that would allow a more incisive conclusion about the malicious activity of the software.

Anti-analysis

Anti-analysis involves numerous techniques adopted by malware to prevent its malicious activities from being analyzed in the course of its execution. These techniques range from a simple change of behavior, in which the software presents alternative behavior in place of its malicious activities, to the implementation of advanced techniques of compression and code obfuscation.

Executable Compression

The compression technique, also known as packing, basically consists of compressing an executable file, generating compressed data that is combined with the decompression code into a single, self-extracting executable file. When the self-extracting file is executed, the decompression code recreates the original executable file before executing it. This entire process takes place imperceptibly to the user, since the decompression happens implicitly and without the need for additional programs. Because of this, the technique differs from the use of external compression programs, such as WinZip or WinRar, which require greater user interaction, in addition to the installation of these programs.

Executable compression was designed to decrease the space taken up by executable files on secondary storage devices, as well as to reduce the time and bandwidth required for distributing this type of file over the network. However, this technique has also been used by malware developers to make static analysis of the binary file more difficult. When an executable file goes through a compression algorithm, it becomes a smaller file with very different contents from the original file. In this way, the vast majority of information that could be obtained from the executable file through static analysis cannot be seen after compression is applied. Attempts to parse features, search for strings or modify the file via hex editors will be frustrated. Only the code responsible for decompressing the original file will be readable for static analysis. In addition, compression modifies the signatures of the executable file, which makes it difficult for some antiviruses to detect the malware.

While compression makes malware analysis more difficult, it does not make it impossible. Much malware uses well-known packers to mask its signatures: UPX, ASPack, Petite, Armadillo. Identifying the packer used in the compression process helps find tools that assist in extracting the original file without running it, which makes it possible to analyze the malware afterwards.

There is a very efficient tool called PEiD (Portable Executable iDentifier) that helps identify whether an executable file has been compressed with a known packer. Furthermore, if the executable file has not been compressed by a packer, PEiD allows identification of the compiler used at the time of its creation. This tool uses a database containing signatures from several packers and compilers; these signatures are compared with snippets of the code present in the executable file, which makes it possible to identify the program used in the production of the executable. PEiD is a free tool and recognizes more than 470 signatures.

Figure 1 - PEiD program interface demonstrating that the cbzvl.exe file was compressed with the UPX packer.
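As an added illustration of two points above, the PE32 header information that basic static analysis reads and the packer identification that PEiD performs, the following Python script parses a PE file's section table with the standard `struct` module and applies two cheap heuristics that packed samples usually trip: tell-tale section names (UPX0/UPX1, .aspack, .petite) and Shannon entropy close to 8 bits per byte. This is example code written for this page, not code from the article or from PEiD; the section-name table is a small hand-built list rather than PEiD's signature database, the 7.0 threshold is this example's choice, and `build_pe`, `sample_plain` and `sample_packed` construct synthetic images in memory so the script runs offline.

```python
import math
import random
import struct
from collections import Counter

# Section names well-known packers leave behind (constructed lookup for the
# example; PEiD's real database matches code signatures, not just names).
PACKER_SECTION_NAMES = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite",
}
HIGH_ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name_raw, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name_raw.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packer_indicators(image: bytes) -> dict:
    """Two heuristics: tell-tale section names and high-entropy sections."""
    sections = parse_pe_sections(image)
    names = [s["name"] for s in sections]
    by_name = next((PACKER_SECTION_NAMES[n] for n in names if n in PACKER_SECTION_NAMES), None)
    high = [s["name"] for s in sections if s["entropy"] >= HIGH_ENTROPY_THRESHOLD]
    return {
        "sections": sections,
        "packer_by_name": by_name,
        "high_entropy_sections": high,
        "likely_packed": by_name is not None or bool(high),
    }


def build_pe(sections: list) -> bytes:
    """Assemble a minimal PE32 image from (name, raw bytes) pairs. Constructed
    test data only: the headers are just complete enough for the parser above."""
    e_lfanew, opt_size = 0x40, 224
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = first_raw = (headers_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    table, body, vaddr = b"", b"", 0x1000
    for name, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(data), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += max((len(data) + 0xFFF) & ~0xFFF, 0x1000)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(first_raw, b"\0")
    return header + body


def sample_plain() -> bytes:
    """Constructed unpacked-looking sample: repetitive code bytes, readable data."""
    return build_pe([(".text", b"\x55\x8b\xec" * 300),
                     (".data", b"Constructed sample data section\0")])


def sample_packed() -> bytes:
    """Constructed UPX-like layout: empty UPX0, high-entropy UPX1 (a seeded PRNG
    stands in for compressed data), small .rsrc."""
    rng = random.Random(1)
    return build_pe([("UPX0", b""),
                     ("UPX1", bytes(rng.getrandbits(8) for _ in range(4096))),
                     (".rsrc", b"\0" * 64)])
```

On a real sample, call `packer_indicators(open(path, "rb").read())`. Treat a high-entropy section as a pointer for a PEiD-style signature check rather than a verdict: resource sections holding embedded images or certificates are also high-entropy, and a packer can choose any section names it likes.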

Obfuscation

Obfuscation is a technique that adopts several methods to make it difficult to reverse engineer a given program. This practice was created with the aim of preventing commercial and legitimate programs from being “cracked” by malicious users, making it difficult to use unlicensed software with fake serials or even to create keygens.

Although obfuscation is a feature that adds security to commercial software, this practice has been adopted in some sophisticated malware. In these cases, most of the traditional methods and tools used for malware analysis are discarded, requiring advanced skills in the use of debuggers and assembly language for a successful analysis. Another problem encountered with obfuscation is that, unlike what happens when compressing the executable, there are few known programs that perform the obfuscation of executable files in an automated way. As a rule, each piece of software that has its code obfuscated adopts methods implemented in different ways, which makes the analysis work even more difficult. Even with all these obstacles, no obfuscated software is entirely immune to reverse engineering; with dedication and perseverance many of its features can be uncovered.

The main anti-cracking methods used in program obfuscation are described below:

• Elimination of Symbolic Information: Strings present in text boxes, which are displayed to the user while the program runs, help the analyst find certain pieces of code of interest within the executable file. Furthermore, Java programs contain a vast amount of symbolic information within the JAR file, such as names of classes, methods and libraries. Therefore, the main focus of this method is to eliminate any and all textual information present in the software's binary file(s). A simple mechanism used to hide the textual information of a binary file is to create a function to encode/decode strings at runtime, that is, the message is decoded and intelligible when displayed to the user, but it is encoded when stored in the binary file.

• Obfuscation and Code Encryption: These are methods that modify the structure of the program in order to make it as hard to understand as possible, making analysis difficult through debuggers and disassemblers, but without compromising the normal functionality of the software. Code obfuscation basically involves changes in the logic and data handled by the program, making it difficult to understand its normal flow of execution. Code encryption encrypts parts of the program using a key and decrypts them at runtime.

• Anti-debugger techniques: This method aims to prevent the program from being executed in a debugger, harming the dynamic analysis of the software. One technique used to detect the presence of debuggers is to compute checksums over some code snippets and, at runtime, perform an integrity check on these snippets. This technique works because analysts, when making use of debuggers, change some parts of the binary when they insert breakpoints or patch the code; this allows the program to realize that it has been changed and terminate its execution.
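The first bullet describes strings that are stored encoded in the binary and decoded only at runtime. The following Python example, added here and not taken from the article, shows the analyst's side of that trick: a plain printable-string extraction (what the `strings` utility prints) misses the encoded text, while a brute-force over all 255 single-byte XOR keys, keeping only keys under which indicator-like substrings appear, recovers it without running the sample. The sample blob is constructed in code, the key 0x5A and the `KEYWORDS` list are this example's assumptions, and the domain uses the reserved `.invalid` TLD.

```python
import re

# Indicator substrings an analyst typically hunts for in recovered text
# (constructed list for the example; extend it to suit the case).
KEYWORDS = ("http://", "https://", ".exe", ".dll", ".dat", ".php")


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII of at least min_len bytes (what `strings` would print)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def xor_bytes(blob: bytes, key: int) -> bytes:
    """Single-byte XOR; the same function encodes and decodes."""
    return bytes(b ^ key for b in blob)


def recover_xor_strings(blob: bytes, min_len: int = 8) -> dict:
    """Try every single-byte XOR key and keep the keys under which
    indicator-bearing strings appear. Returns {key: [strings]}."""
    hits = {}
    for key in range(1, 256):
        decoded = extract_strings(xor_bytes(blob, key), min_len)
        found = [s for s in decoded if any(k in s for k in KEYWORDS)]
        if found:
            hits[key] = found
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for a binary: clear-text strings plus a block of
    strings stored XOR-encoded with key 0x5A, null-separated before encoding."""
    secrets = [b"http://updates.example.invalid/check.php", b"keylog.dat", b"screens.dat"]
    encoded = xor_bytes(b"\0" + b"\0".join(secrets) + b"\0", 0x5A)
    return (b"MZ\x90\0" + b"\0" * 28
            + b"This program cannot be run in DOS mode.\r\n" + b"\0" * 16
            + encoded + b"\0" * 32
            + b"GetProcAddress\0LoadLibraryA\0")


if __name__ == "__main__":
    blob = build_sample_blob()
    print("plain strings:", extract_strings(blob))
    for key, strings in recover_xor_strings(blob).items():
        print(f"key 0x{key:02x}:", strings)
```

Real samples use more than a single-byte XOR (rolling keys, RC4, per-string keys), so this is the first rung of the ladder; its value is that it costs seconds and, when it hits, tells you both the key and where in the file the decoded strings live, which is where the decode routine's callers are worth looking for in a disassembler.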

A great additional source of information and bibliographic references on anti-analysis techniques can be found in the research carried out by Murray Brand under the title “Analysis Avoidance Techniques of Malicious Software”, available at http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1138&context=theses

How to Identify Malware

Having finished the theoretical basis involving the terms and concepts related to malware analysis presented at the beginning of the article, we will now move on to a more practical approach to malware exams, presenting tools and techniques that help to understand the basic functioning of possibly malicious software.

In some malware analysis exams, one of the first challenges for the computer expert is to identify the presence of malicious software on the storage device. In scenarios such as “search for malware” and “malware as a secondary element”, presented in the topic “Objectives of malware analysis in the forensic context”, the first task of the expert is to identify suspicious software present on the forensic storage device in order to begin the malware analysis.

One of the most basic ways to identify the presence of malware on a computer is to simply run an antivirus on the storage device. Depending on the antivirus used, this tactic usually brings good results. The correct procedure for running an antivirus on a hard drive under examination is described below:

1. Create an image of the physical hard disk in a file. One way to do this is to use the Linux dd command or a specific tool like FTK Imager (free for Windows);

2. Mount the created image file in read-only mode, avoiding unwanted changes to the disk. Both the mount command on Linux and FTK Imager perform image mounting;

3. Run the antivirus scan pointing to the newly mounted disk drive.

It is extremely important to mount the created image file in read-only mode before running the antivirus, because when detecting the presence of a threat, some antiviruses remove the file without issuing any message to the user, which would compromise the integrity of the evidence and violate the chain of custody of the questioned material.

VirusTotal

The antivirus to be used to scan the storage device will depend on the expert's preference. Currently, there are numerous antivirus solutions, both commercial and free, including online tools that allow you to upload a binary file to a web page where information about the uploaded file is displayed, including its classification as malicious or harmless software. One of these online tools worth mentioning is the VirusTotal website (https://www.virustotal.com/).

When uploading a binary to VirusTotal, the file will be scanned by more than 50 antiviruses from the most varied manufacturers. After the scan, a report is presented containing the number of antiviruses that classified the file as malicious, the name of the malware and additional information about the malware, if present (Figure 2). This approach involving multiple diagnoses allows a more concrete conclusion regarding the classification of the software, reducing the cases of false positives or false negatives presented by some antiviruses. In addition, if the identified malware is reasonably well known, it will be possible to obtain information about its characteristics and behavior through internet searches, which will facilitate the tests to be performed and the traces to be found.

Figure 2 - Report provided by the VirusTotal tool after analyzing an executable file.

While scanning the storage device using an antivirus is a simple and efficient approach, in some situations it may not be enough. There are scenarios in which, after running the antivirus, some potentially malicious software is found, but these programs were only stored on the examined machine and, for some reason, were never executed. In most cases, because of its greater harmful capacity, it is more important to try to find malware in an active condition on the computer, that is, malware that has been executed at some point and remains operative on the system, and only afterwards, as a secondary step, to look for inactive malware simply stored on the device. For this, it is essential to find out which executables, services, drivers and DLLs are launched together with the operating system, since most malware makes use of the bootstrap resources present in the operating system to stay active and to carry out malicious activities.

Autoruns

When the Windows operating system is loaded, there are several locations that can be used to start programs automatically. These bootstrap locations are present in some specific folders, registry keys, system files, and scheduled tasks, among other areas of the operating system. Malware references are often found in these locations to keep malicious software activities up and running. The great diversity of bootstrap locations present in Windows creates the possibility that the execution of some malware will go unnoticed in the forensic examination.

There is an extremely useful tool for identifying binaries loaded together with the operating system called Autoruns. This tool pretty much consolidates all forms of auto-initialization of binary files in Windows, including means of starting at logon time, running services, loading drivers, etc. Autoruns is part of the Sysinternals suite of tools developed by Mark Russinovich. Sysinternals tools are approved by Microsoft and available for free download at https://technet.microsoft.com/en-us/sysinternals/. In the course of this article, we will use some of the Sysinternals tools due to their great usefulness for malware exams and forensic analysis.

Autoruns, when opened, loads all program startup references in Windows, as shown in Figure 3. It separates each startup entry into different tabs according to the auto-execution method, although all entries can be viewed in the “Everything” tab. Autoruns is a very simple tool to use and its main features for malware analysis are described below:

• Allows you to check the startup entries of an operating system offline. To do so, just mount the image file in read-only mode and point to the directory path containing the operating system root and the user profile via File -> Analyze Offline System. The offline verification feature is very important in the forensic context, since the operating system present on the forensic physical storage device must not be booted so that the traces are not altered;

• Checks the digital signature of binary files referenced in startup entries. This functionality is very important in situations where a binary file is infected with a virus and has its integrity violated. In such cases, the digital signature verification will detect the improper change and the binary file will be highlighted in the Autoruns interface;

• Highlights in yellow the existing startup records in which the binary files were not found;

• Highlights in pink the records that do not have information about the software distributor, do not have a digital signature of the file, or whose digital signature is invalid;

• Has integration with the VirusTotal online tool, enabling the sending of hashes of the binary files that are automatically initialized, which allows it to easily detect known malware;

• Allows you to save the records of Windows startup entries in a text file, which makes it possible to compare them with a later startup state so that discrepancies in the records are identified, such as the inclusion of a new program at startup.

Figure 3 - Display of all startup entries in Autoruns.

A good strategy to identify malware using Autoruns is to look for files that have some number of hits in the “VirusTotal” column. In Figure 3, for example, the entry lb02 (present in the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) points to the executable file lb02.exe in the System32 directory of Windows, which was classified as malware by 41 of the 56 antivirus engines used in the analysis by VirusTotal. By clicking on the value 41/56 present in the VirusTotal column, the default browser will open and the VirusTotal report will be displayed containing detailed information about the scanned file.

Other suspicious binary files are those that have entries highlighted in pink, which basically represent the absence or invalidity of the software vendor's digital signature. For more details, it is important to verify whether a digital signature exists and whether it is valid. To do so, just right-click on the entry and then click on Properties...; a window containing the properties of the binary file will be displayed. Click on the Digital Signatures tab (this tab is only displayed if there is a signature for the file) and then on the Details button. A new window will be presented containing the signer's data, including the signature validity information, as shown in Figure 4. According to Figure 4, the babylon.exe executable does not have a valid digital signature, which may be caused by infection by a virus, the use of a crack to violate the software's license, or an expired digital certificate.

Figure 4 - Details of the digital signature of the babylon.exe file.

Most malware does not have digital signatures, nor even information about its distributor (Description and Publisher columns), as is the case with the lb02.exe malware. Because of this, binary files with these characteristics deserve special attention.
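As an added example (not code from the article or from Sysinternals), the Python script below compares two Autoruns exports, a baseline and a later one, and ranks the new entries using the same signals discussed above: VirusTotal hits, a missing publisher or description, and a missing or unverified signature. It assumes a simplified tab-separated export with the columns listed in REQUIRED_COLUMNS (the real Autoruns export has more columns, so adapt the parser to yours) and that the Publisher column carries the "(Verified)" / "(Not verified)" prefix Autoruns uses; both exports are constructed and include the lb02 and babylon entries from Figures 3 and 4.

```python
"""Compare two Autoruns exports and rank the new startup entries.

Added example, not part of the article or of Autoruns. The export format below is a
simplified, tab-separated subset of the real Autoruns export; the data is constructed.
"""
import csv
import io

REQUIRED_COLUMNS = ["Entry Location", "Entry", "Description", "Publisher", "Image Path", "VirusTotal"]

# Constructed baseline export, taken from a known-clean system.
BASELINE = """\
Entry Location\tEntry\tDescription\tPublisher\tImage Path\tVirusTotal
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tSecurityHealth\tWindows Security notification icon\t(Verified) Microsoft Windows\tc:\\windows\\system32\\securityhealthsystray.exe\t0/56
HKLM\\System\\CurrentControlSet\\Services\tWinDefend\tMicrosoft Defender Antivirus Service\t(Verified) Microsoft Windows\tc:\\program files\\windows defender\\msmpeng.exe\t0/56
"""

# Constructed later export from the examined image; lb02 mirrors Figure 3, babylon mirrors Figure 4.
LATER = """\
Entry Location\tEntry\tDescription\tPublisher\tImage Path\tVirusTotal
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tSecurityHealth\tWindows Security notification icon\t(Verified) Microsoft Windows\tc:\\windows\\system32\\securityhealthsystray.exe\t0/56
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tlb02\t\t\tc:\\windows\\system32\\lb02.exe\t41/56
HKLM\\System\\CurrentControlSet\\Services\tWinDefend\tMicrosoft Defender Antivirus Service\t(Verified) Microsoft Windows\tc:\\program files\\windows defender\\msmpeng.exe\t0/56
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tbabylon\tBabylon Client\t(Not verified) Babylon Ltd.\tc:\\program files\\babylon\\babylon.exe\t0/56
"""


def parse_export(text):
    """Parse a tab-separated export into a dict keyed by (entry location, entry name)."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    missing = set(REQUIRED_COLUMNS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks columns: {sorted(missing)}")
    return {(row["Entry Location"], row["Entry"]): row for row in reader}


def vt_hits(value):
    """Turn '41/56' into (41, 56); empty or malformed values count as (0, 0)."""
    try:
        hits, total = value.split("/")
        return int(hits), int(total)
    except (ValueError, AttributeError):
        return 0, 0


def score_entry(row):
    """List the reasons an entry deserves attention, following the text's signals."""
    reasons = []
    hits, total = vt_hits(row.get("VirusTotal", ""))
    if hits > 0:
        reasons.append(f"VirusTotal {hits}/{total}")
    publisher = row.get("Publisher", "")
    if not publisher:
        reasons.append("no publisher information")
    elif not publisher.startswith("(Verified)"):
        reasons.append("digital signature missing or invalid")
    if not row.get("Description"):
        reasons.append("no description")
    return reasons


def compare_exports(baseline_text, later_text):
    """Return (new entries, entries whose image path changed, entries that disappeared)."""
    base = parse_export(baseline_text)
    later = parse_export(later_text)
    new = {key: row for key, row in later.items() if key not in base}
    changed = {key: (base[key]["Image Path"], row["Image Path"])
               for key, row in later.items()
               if key in base and base[key]["Image Path"] != row["Image Path"]}
    removed = [key for key in base if key not in later]
    return new, changed, removed


def triage(baseline_text, later_text):
    """Rank the new startup entries, most warning signs first: (entry, image path, reasons)."""
    new, _, _ = compare_exports(baseline_text, later_text)
    ranked = [(key[1], row["Image Path"], score_entry(row)) for key, row in new.items()]
    ranked.sort(key=lambda item: len(item[2]), reverse=True)
    return ranked


if __name__ == "__main__":
    for entry, image, reasons in triage(BASELINE, LATER):
        print(f"{entry:15} {image}\n    {'; '.join(reasons) or 'no warning signs'}")
```

Running the script lists lb02 first (VirusTotal hits, no publisher, no description) and babylon second (unverified signature); entries that already existed in the baseline are not reported, which is the comparison the text describes for the saved startup state.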

Prefetch Files

Prefetch is a Windows component that is part of the memory manager, and its main purpose is to reduce the time needed to start programs. It creates a file with a .pf extension in the C:\Windows\Prefetch folder for each program it runs. This file contains information about the components needed to run the program, such as DLLs, data/configuration files, other executables, etc. With this information already centralized in a cache file, Windows is able to load programs faster.

Although Prefetch was developed with the aim of improving operating system performance, it is an excellent source of data for forensic analysis and, consequently, for malware exams: .pf files hold valuable information about the executables they represent. Data about the last run date, the number of runs, and the path of binary files can be obtained by reading these files. In some cases, these files make it possible to obtain information even about executable files that have already been deleted.

Prefetch files are binary files, that is, they cannot be read with a simple text editor. For this, it is necessary to use a parser to interpret the .pf files. An excellent parser for prefetch files is Nirsoft's WinPrefetchView; this program can be downloaded for free at http://www.nirsoft.net/utils/win_prefetch_view.html.

To load WinPrefetchView, open a command prompt pointing to the directory where the program is located and type: WinPrefetchView.exe /folder <path to prefetch folder>. The characters < and > delimit a program parameter. If the /folder parameter is not specified, WinPrefetchView will interpret the prefetch files from the current machine on which the program is running and not the prefetch files from the examined hard disk.

WinPrefetchView presents the interface shown in Figure 5. In the upper frame, the tool lists all the prefetch files found in the directory specified as a parameter, containing information about the last execution date, number of executions, executable path, etc. In the lower frame, the files accessed by Prefetch when loading a given executable file are listed, along with their respective paths on the hard disk.

Figure 5 - WinPrefetchView tool interface.

When using prefetch files to identify the presence of malware, the most important information to be analyzed in this context is the hard disk path of the executables that have associated .pf files (WinPrefetchView's “Process Path” field). Most malware is not installed in the folders normally used by legitimate programs (e.g., C:\Program Files); it makes use of directories that usually do not host executable files. Because of this, it is important to identify programs running under the conditions listed below:

• In the user profile (AppData, Local, Roaming, etc.);

• In temporary files (C:\temp) or cache folders;

• In Program Data (C:\ProgramData) or generic user profiles (All Users, Default User, Guest);

• Programs with unusual or random names;

• Windows programs run from alternate paths (e.g., C:\Windows\svchost.exe, where the correct one would be C:\Windows\System32\svchost.exe).
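The location rules above are easy to apply by hand to a handful of prefetch entries, but a forensic image commonly has hundreds. As an added example (not code from the article or from WinPrefetchView), the Python script below applies those rules to the “Process Path” values an analyst would export from the tool. The table of expected locations for well-known Windows binaries, the "random name" heuristic and the sample paths are assumptions made for the example, not data from the article.

```python
"""Flag suspicious executable locations from a prefetch listing.

Added example, not part of the article or of WinPrefetchView. It applies the
location rules from the text to "Process Path" values. KNOWN_SYSTEM_BINARIES is an
assumed, partial table and SAMPLE_PROCESS_PATHS is constructed.
"""
import re
from pathlib import PureWindowsPath

# Where a few well-known Windows binaries normally live (assumed, not exhaustive).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# Roots under which legitimately installed programs are usually found.
NORMAL_PROGRAM_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

GENERIC_PROFILES = ("\\all users\\", "\\default user\\", "\\guest\\")


def looks_random(filename):
    """Crude test for generated names: long hex strings or names with almost no vowels."""
    stem = PureWindowsPath(filename).stem.lower()
    if len(stem) < 6:
        return False
    if re.fullmatch(r"[0-9a-f]{8,}", stem):
        return True
    vowels = sum(ch in "aeiouy" for ch in stem)
    return vowels / len(stem) < 0.1


def classify_path(path):
    """Return the names of the rules from the text that a process path triggers."""
    p = path.lower().replace("/", "\\")
    parent = str(PureWindowsPath(p).parent)
    name = PureWindowsPath(p).name
    reasons = []
    if "\\users\\" in p and any(seg in p for seg in ("\\appdata\\", "\\local\\", "\\roaming\\")):
        reasons.append("user profile")
    if any(seg in p for seg in ("\\temp\\", "\\tmp\\", "\\cache\\")):
        reasons.append("temporary or cache folder")
    if p.startswith("c:\\programdata\\") or any(seg in p for seg in GENERIC_PROFILES):
        reasons.append("ProgramData or generic user profile")
    if looks_random(name):
        reasons.append("unusual or random name")
    expected = KNOWN_SYSTEM_BINARIES.get(name)
    if expected and parent != expected:
        reasons.append(f"Windows binary outside {expected}")
    # Anything else that is not under a normal installation root is still worth a look.
    if not reasons and not p.startswith(NORMAL_PROGRAM_ROOTS):
        reasons.append("outside the usual program locations")
    return reasons


def scan_prefetch_paths(paths):
    """Keep only the paths that trigger at least one rule, mapped to their reasons."""
    flagged = {}
    for path in paths:
        reasons = classify_path(path)
        if reasons:
            flagged[path] = reasons
    return flagged


# Constructed listing; in practice, export WinPrefetchView's "Process Path" column.
SAMPLE_PROCESS_PATHS = [
    "C:\\Windows\\System32\\svchost.exe",
    "C:\\Program Files\\Babylon\\Babylon.exe",
    "C:\\Users\\bob\\AppData\\Local\\Temp\\7a3f9c1e.exe",
    "C:\\Windows\\svchost.exe",
    "C:\\ProgramData\\Updater\\xkqzwpv.exe",
]

if __name__ == "__main__":
    for path, reasons in scan_prefetch_paths(SAMPLE_PROCESS_PATHS).items():
        print(f"{path}\n    {'; '.join(reasons)}")
```

The two legitimate paths in the sample produce no output, the svchost.exe copy in C:\Windows is reported as a Windows binary outside its expected directory, and the two remaining entries are flagged for their location and their names. The name heuristic is deliberately loose; it is a prompt to look closer, not a verdict.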

It is also important to check the paths of the files loaded by a suspicious program at the time of its launch (WinPrefetchView's “Device Path” field), as it is common for some malicious programs to load other malware during their execution.

There are situations where an executable has more than one prefetch file; in other situations, it may be that the executable has no associated .pf file. These cases will depend on how the operating system manages Prefetch, in addition to the use of external applications that clean the disk in order to increase free space.

Static Analysis

Once the suspicious software is identified and extracted from the image file of the examined storage device, the first step in malware analysis is to get as much information about the program as possible without running it. For this, the techniques and tools used in static analysis are of paramount importance.

Strings

A very simple and fast way to obtain information about the functionality of a program is to view the strings present in a binary file. Through the strings, it is possible to identify warning messages, specific paths of files on the hard disk, and URLs used for connection, among other data relevant to the exam.

The Sysinternals tool suite has a program called Strings (https://technet.microsoft.com/en-us/sysinternals/bb897439), which displays the text present in a binary file, encoded in both ASCII and UNICODE.

To view the strings present in an executable, open a command prompt pointing to the directory where the program is located and type: strings.exe <executable_name.exe>. The characters < and > delimit a program parameter, and the parameter <executable_name.exe> must contain, in addition to the name, the full path of the file on the hard disk. You can also search for specific words within the executable by combining the Strings tool with the Windows findstr command using the command: strings.exe <executable_name.exe> | findstr /i "search_word".

If the output of the Strings tool, after running it on a binary file, consists for the most part of short, apparently meaningless strings, this may indicate the use of a packer in the binary file. As studied in the topic “Executable Compression”, the best way to detect whether a binary file makes use of a compressor is to use the PEiD tool. Depending on the packer used, extracting the original executable file can be quite simple; an example of this is UPX. To extract the original executable from an executable compressed with UPX, just download the packer (http://upx.sourceforge.net/) and type at a command prompt: upx.exe -d <compressed_file.exe> -o <extracted_file.exe>. Table 1 shows the difference between the strings presented in a compressed executable and its respective original file.

Table 1 – First lines of the strings.exe tool output showing words with at least 8 characters in two different executable files.
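To make the behaviour of Strings concrete, and to show why the "short, meaningless strings" pattern of Table 1 is a useful signal, here is an added Python example that is not the Sysinternals tool and not code from the article. It extracts printable ASCII and UTF-16LE runs of a minimum length (the two encodings Strings handles), offers a findstr-style filter, and scores the packed-file pattern. Both byte samples are constructed stand-ins for a file's contents, not real executables; the UPX0/UPX1 section-name check relies on the well-known fact that UPX leaves those names in the packed file.

```python
"""Minimal strings extractor for ASCII and UTF-16LE text, plus a packing hint.

Added example; not the Sysinternals Strings tool and not code from the article.
Both samples below are constructed byte strings, not real executables.
"""
import re


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # Latin text in UTF-16LE
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in utf16_re.finditer(data)]
    return sorted(found)


def grep_strings(data, word, min_len=4):
    """Case-insensitive filter, the equivalent of: strings.exe file | findstr /i word."""
    return [text for _, _, text in extract_strings(data, min_len) if word.lower() in text.lower()]


def packer_hints(data, min_len=4):
    """Reasons to suspect a packer: UPX section names, or short output with almost no words."""
    texts = [text for _, _, text in extract_strings(data, min_len)]
    hints = []
    if any(t.startswith("UPX") for t in texts):   # UPX leaves UPX0/UPX1 section names behind
        hints.append("UPX section names present")
    if texts:
        avg_len = sum(map(len, texts)) / len(texts)
        wordlike = sum(1 for t in texts if re.search(r"[A-Za-z]{5,}", t))
        if avg_len < 8 and wordlike / len(texts) < 0.5:
            hints.append("strings are short and mostly meaningless")
    else:
        hints.append("no strings found")
    return hints


# Constructed sample resembling an unpacked file: import names, a UTF-16 URL, a path.
UNPACKED_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"KERNEL32.dll\x00CreateFileA\x00WriteFile\x00"
    + b"WININET.dll\x00InternetOpenUrlA\x00\xcc\xcc"
    + "http://example.invalid/update".encode("utf-16le") + b"\x00\x00"
    + b"C:\\ProgramData\\upd\\cfg.dat\x00"
)
# Constructed sample resembling a packed file: UPX section names around opaque bytes.
OPAQUE = bytes([0x00, 0xFF, 0x8B, 0xE8, 0x90, 0x1F, 0xC3, 0x7F]) * 40
PACKED_SAMPLE = b"MZ\x90\x00" + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00" + OPAQUE + b"UPX!\x00"

if __name__ == "__main__":
    for label, sample in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(f"== {label} ==")
        for offset, enc, text in extract_strings(sample):
            print(f"{offset:6d} {enc:9s} {text}")
        print("packer hints:", packer_hints(sample) or "none")
```

On the unpacked sample the output reads like the left column of Table 1 (library names, API names, a URL that only appears when UTF-16 is decoded); on the packed sample only the UPX markers survive, which is the pattern the text describes. As with strings.exe, a trailing ASCII character followed by a NUL can be absorbed into an adjacent UTF-16 run, so treat the first character of a UTF-16 hit with some care.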

Portable Executable Format

In order for us to understand and interpret the information provided by the more specific tools used in static analysis, it is essential to understand the format of an executable file on the Windows operating system, including its headers and sections.

The PE (Portable Executable) format is a data structure present in certain binary files (executables, DLLs, object code, etc.). By analyzing this data structure, it is possible to obtain information about imported libraries and functions, exported functions, and resources used (menus, screens, icons, etc.). The PE file format contains a few headers followed by a series of sections. The headers hold metadata about the file itself. Following the headers are the sections of the file, which contain the useful information. Listed below are the most common sections in a PE file:

• .text – This section contains the instructions that the CPU executes. As a rule, it is the only section that holds the program's execution code itself; the other sections store data and supporting information;

• .rdata – Typically contains the program's import and export information, including libraries and functions. In some cases, a file may contain .idata and .edata sections which store import and export data, respectively;

• .data – The .data section holds the program's global data, that is, information that can be accessed from anywhere in the program and at any time;

• .rsrc – This section stores the resources used by the program that are not considered part of the executable code, such as icons, menus, images, screens, cursors, and strings. Strings may be stored elsewhere in the program, but are often present in the .rsrc section.

In some cases, these sections may have different names due to the use of different compilers or to complexity deliberately introduced by obfuscation; however, the vast majority of PE files use the section names described above.

A great complementary MSDN reference on the PE format can be found in Matt Pietrek's article “Peering Inside the PE: A Tour of the Win32 Portable Executable File Format” at https://msdn.microsoft.com/en-us/library/ms809762.aspx.

PEview

A simple and practical program used to interpret the information present in a PE file is PEview. This program can be downloaded free of charge at http://wjradburn.com/software/. The information present in the PE file is presented in PEview as shown in Figure 6.

Figure 6 - PEview program interface.

Some metadata shown in PEview are worth mentioning. The IMAGE_FILE_HEADER header, present inside the IMAGE_NT_HEADERS header, contains a field called Time Date Stamp, which displays the compilation date of the executable. This information helps to understand how well known the malware is likely to be. For example, old malware is more likely to have a detailed analysis published on the internet, making it easier to understand its malicious activities; for newly developed malware, the probability of success in internet searches is drastically reduced, in addition to the lower chances of detection by antivirus. Unfortunately, the build date can easily be changed by a malware programmer. If a completely meaningless date is identified, it is very likely that it has been changed.

Another interesting item is present in the IMAGE_OPTIONAL_HEADER header, in the Subsystem field. Through this field, it is possible to know whether the program has a graphical interface (GUI) or is command-line based (CLI). Programs with a graphical interface are represented by the value IMAGE_SUBSYSTEM_WINDOWS_GUI, while programs based on the command prompt are represented by the value IMAGE_SUBSYSTEM_WINDOWS_CUI. The absence of the .rsrc section is also an indication that the program works in a console or is a library (DLL), as these types of applications usually do not have graphical resources as part of the binary file.

Information about the size occupied by each section within the binary file can be obtained from the IMAGE_SECTION_HEADER headers for each section. The value present in the Virtual Size field represents the size occupied in memory by the section after it is loaded. The Size of Raw Data field displays the size occupied on the hard disk by the corresponding section. Generally, these sizes tend to be the same, with slight variations due to the block size of the file system. However, large variations in the sizes of the .text section can mean the use of a packer in the file. Variations in the sizes of the .data section are usually normal.

Although PEview displays all the metadata contained in a PE file, there are other more specialized tools that focus on specific sections of the PE format, as we will see below.
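The fields discussed in the last two sections (Time Date Stamp, Subsystem, and the Virtual Size / Size of Raw Data of each section) sit at fixed offsets, so they can be read without a GUI tool. As an added example, not PEview and not code from the article, the Python script below parses those headers with the standard struct module, converts the timestamp to a UTC date, checks it for plausibility, and applies the two size-based observations made above. Because a real sample cannot be embedded here, build_sample_pe() constructs a header-only PE32 image for the demonstration; it is not an executable, and the section sizes in it are made up to trigger the checks.

```python
"""Read the PE header fields discussed in the text, using only the standard library.

Added example; not PEview and not code from the article. build_sample_pe() produces a
constructed, header-only PE32 image for demonstration, not a runnable executable.
"""
import struct
from datetime import datetime, timezone

IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
SUBSYSTEM_NAMES = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}

FILE_HEADER = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER: Machine .. Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER: Name .. Characteristics
OPTIONAL_HEADER_SIZE = 224                       # PE32 optional header with 16 data directories
SUBSYSTEM_OFFSET = 68                            # offset of Subsystem in both PE32 and PE32+


def build_sample_pe(timestamp, subsystem, sections):
    """Constructed header-only PE32 image: DOS stub, PE signature, headers, section table."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[60:64] = struct.pack("<I", 64)            # e_lfanew: NT headers follow the DOS header
    file_header = FILE_HEADER.pack(0x14C, len(sections), timestamp, 0, 0, OPTIONAL_HEADER_SIZE, 0x102)
    optional = bytearray(OPTIONAL_HEADER_SIZE)
    optional[0:2] = struct.pack("<H", 0x10B)      # PE32 magic
    optional[SUBSYSTEM_OFFSET:SUBSYSTEM_OFFSET + 2] = struct.pack("<H", subsystem)
    table = b"".join(
        SECTION_HEADER.pack(name.encode().ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                            rawsize, 0x400 * (i + 1), 0, 0, 0, 0, 0)
        for i, (name, vsize, rawsize) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + table


def parse_pe(data):
    """Return the header metadata the text discusses as a dict."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, _ = FILE_HEADER.unpack_from(data, e_lfanew + 4)
    opt_start = e_lfanew + 4 + FILE_HEADER.size
    magic = struct.unpack_from("<H", data, opt_start)[0]
    subsystem = struct.unpack_from("<H", data, opt_start + SUBSYSTEM_OFFSET)[0]
    sections, pos = [], opt_start + opt_size
    for _ in range(nsections):
        name, vsize, _vaddr, rawsize, _rawptr, *_rest = SECTION_HEADER.unpack_from(data, pos)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
        pos += SECTION_HEADER.size
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "timestamp": timestamp,
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, f"0x{subsystem:x}"),
        "sections": sections,
    }


def timestamp_plausible(timestamp, now=None):
    """False for build dates before 1995 or in the future; the text treats those as likely altered."""
    now = now or datetime.now(timezone.utc)
    built = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return datetime(1995, 1, 1, tzinfo=timezone.utc) <= built <= now


def packing_indicators(info):
    """Observations from the section table: .text size mismatch, UPX names, missing .rsrc."""
    flags = []
    names = {s["name"] for s in info["sections"]}
    for s in info["sections"]:
        if s["name"] == ".text" and s["virtual_size"] > 4 * max(s["raw_size"], 1):
            flags.append(".text virtual size far exceeds raw size (possible packer)")
    if any(n.upper().startswith("UPX") for n in names):
        flags.append("UPX section names (packed with UPX)")
    if ".rsrc" not in names:
        flags.append("no .rsrc section (console program or DLL)")
    return flags


if __name__ == "__main__":
    sample = build_sample_pe(1_300_000_000, IMAGE_SUBSYSTEM_WINDOWS_GUI,
                             [(".text", 0x20000, 0x400), (".data", 0x3000, 0x1200)])
    info = parse_pe(sample)
    print(info["compiled"].isoformat(), info["subsystem"], timestamp_plausible(info["timestamp"]))
    for flag in packing_indicators(info):
        print("-", flag)
```

To use it on a real file, replace the constructed sample with open(path, "rb").read(); the parser only reads the headers, so it is safe to run on a suspicious binary without executing it.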

Dependency Walker

Aiming at software modularization, programmers develop libraries that can be used by several different programs, which facilitates programming and code reuse. However, for the functions provided by a library to be used by programs, linking mechanisms between the two are necessary:

• Static Linking – In static linking, the entire contents of the library are copied to the code area of the executable at compile time. This practice is less common as it makes the executable file much larger than other linking practices, since it merges the executable code with the library code into a single file. Static linking makes malware analysis more complex due to the increase in the number of instructions present in the file;

• Dynamic Linking – This type of linking loads all the libraries used by the program at the time of its execution. The libraries are usually present in DLL (Dynamic Link Library) files, which export functions that can be used by external programs. The external DLL functions used by a program are usually listed in the .rdata section of the binary file. Dynamic linking is the most used form of linking in software programming; in addition, it provides valuable information for reverse engineering because, based on the functions used by the program from system DLLs, it is possible to have an idea of the activities performed by the application without executing it. For example, if the InternetOpenUrl function (belonging to the Wininet.dll Windows library) is present in the import table of a program, it is possible to assume that this program at some point makes an internet connection, opening a specific URL and making use of some high-level protocol like HTTP, HTTPS, FTP, etc.;

• Runtime Linking – Unlike dynamic linking, in which all the libraries used are linked at program startup, in runtime linking the program links to the libraries only when their functions are needed in the course of execution. Therefore, it is not possible to identify the functions of imported libraries by reading the .rdata section. The loading of these libraries during execution is done manually by the programmer, generally making use of the LoadLibrary and GetProcAddress functions (present in the Kernel32.dll library), which allow access to any function belonging to the external libraries. Because of this, when an executable adopts this type of linking, it is not possible to state categorically which functions are linked to the program. Runtime linking is often found in binary files that make use of packers or in programs that adopt obfuscation techniques, although it is also possible to find this type of linking in legitimate programs due to the peculiarities of some compilers.

Despite the existence of other linking methods, dynamic linking remains the most used way for programs to link to external libraries. Therefore, a more detailed analysis of the import table found in the .rdata section of an executable file can provide useful information about the functioning of the software under analysis.

The Dependency Walker tool (http://www.dependencywalker.com/) has the purpose of exposing the dynamic links of a binary file, that is, it presents all the functions of imported external libraries present in the .rdata section. In addition, it also points out the functions exported by a binary file, if they exist. Figure 7 presents the tool's interface when analyzing possible spyware.

Figure 7 - Dependency Walker tool interface with enumerated panels.

The upper left panel (Panel 1) displays a tree containing as root element the analyzed executable file (FILE.EX_) followed, at a lower level, by the DLLs imported by this program (KERNEL32.DLL, USER32.DLL, GDI32.DLL, ADVAPI32.DLL, OLE32.DLL and OLEAUT32.DLL). When clicking on one of the DLLs, the functions imported by the executable program from the selected library (GDI32.DLL) are displayed in the upper right panel (Panel 2). Based on these functions, it is possible to have an idea of what the program can do. The BitBlt function highlighted in Figure 7, belonging to GDI32.DLL, for example, is often used to generate captures of the user's screen, which would allow the program to act as a screenlogger, recording the screens accessed by the user in image files. It is also important to check whether the program imports functions from suspicious DLLs, as these may be part of the malware present in another binary file. In the right central panel (Panel 3), all the functions exported by the selected DLL that can be imported by a program are displayed.

To check if the file under analysis exports any function, just click on the root element of the tree in Panel 1 (FILE.EX_) and check if any function is displayed in Panel 3.

In some cases, binary files do not import functions from DLLs by name, but by the ordinal number of the function. In these cases, the names of the imported functions will not be displayed in the Function field on Panel 2; only the respective function number will be displayed in the Ordinal field. To identify the name of a function having only its ordinal number, just right-click on the desired function in Panel 2 and click on “Highlight Matching Export Function”. The function corresponding to the selected ordinal number will be highlighted in Panel 3.

The central panel (Panel 4) displays information about the DLL versions that can be loaded along with the program. The bottom pane (Panel 5) displays warning and error messages, if any.

Detailed information about the libraries and functions provided by Windows can be consulted on the MSDN portal at https://msdn.microsoft.com/en-us/library/windows/desktop/ff818516%28v=vs.85%29.aspx.

Additionally, Lohit Mehta, a member of the InfoSec Institute, compiled a list of the Windows functions that are commonly found in malware analysis. This list is divided into two parts and can be accessed at:

• http://resources.infosecinstitute.com/windows-functions-in-malware-analysis-cheat-sheet-part-1/,

• http://resources.infosecinstitute.com/windows-functions-in-malware-analysis-cheat-sheet-part-2/.
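The reasoning the text applies to Dependency Walker's panels (InternetOpenUrl implies a network connection, BitBlt implies screen capture, LoadLibrary plus GetProcAddress means the static import list is incomplete, an ordinal-only import is resolved against the DLL's export table) can be written down as a small script. The following is an added Python example, not Dependency Walker and not code from the article. Its CAPABILITIES table is a short assumed subset of the kind of function list the cheat sheets above provide, KNOWN_SYSTEM_DLLS is an assumed short list, and both the sample import table and the GDI32 export table (including the ordinal numbers, which differ between Windows builds) are constructed.

```python
"""Read an import table the way the text reads Dependency Walker's panels.

Added example; not Dependency Walker and not code from the article. CAPABILITIES and
KNOWN_SYSTEM_DLLS are small assumed tables; SAMPLE_IMPORTS and SAMPLE_EXPORTS are constructed.
"""

# Function name (lower case) -> what its presence suggests. Assumed subset of a cheat sheet.
CAPABILITIES = {
    "internetopenurla": "opens a URL over HTTP/HTTPS/FTP (WinINet)",
    "internetopenurlw": "opens a URL over HTTP/HTTPS/FTP (WinINet)",
    "bitblt": "copies screen pixels into a bitmap (screen capture)",
    "getasynckeystate": "polls keyboard state (keylogging)",
    "regsetvalueexa": "writes registry values (persistence or configuration)",
    "createremotethread": "starts a thread in another process (injection)",
}

# DLLs that ship with Windows; anything else imported deserves a look (assumed, partial).
KNOWN_SYSTEM_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "ole32.dll",
                     "oleaut32.dll", "wininet.dll", "ws2_32.dll", "ntdll.dll", "shell32.dll"}


def resolve_import(dll, name, ordinal, export_tables):
    """Name an import; ordinal-only imports are looked up in the DLL's export table,
    which is what Dependency Walker's "Highlight Matching Export Function" does."""
    if name:
        return name
    return export_tables.get(dll.lower(), {}).get(ordinal)


def assess_imports(imports, export_tables):
    """Summarise what an import table suggests: capabilities, runtime linking, unusual DLLs."""
    resolved, unresolved = [], []
    for dll, name, ordinal in imports:
        func = resolve_import(dll, name, ordinal, export_tables)
        if func is None:
            unresolved.append((dll.lower(), ordinal))
        else:
            resolved.append((dll.lower(), func.lower()))
    funcs = {f for _, f in resolved}
    dlls = {d for d, _ in resolved} | {d for d, _ in unresolved}
    # LoadLibrary + GetProcAddress: the program can bind more functions at runtime,
    # so the static list below is a lower bound, not the whole story.
    runtime_linking = "getprocaddress" in funcs and any(f.startswith("loadlibrary") for f in funcs)
    return {
        "capabilities": sorted({CAPABILITIES[f] for f in funcs if f in CAPABILITIES}),
        "runtime_linking": runtime_linking,
        "unknown_dlls": sorted(d for d in dlls if d not in KNOWN_SYSTEM_DLLS),
        "unresolved_ordinals": unresolved,
    }


# Constructed import table: (DLL, function name or None, ordinal or None).
SAMPLE_IMPORTS = [
    ("KERNEL32.DLL", "CreateFileA", None),
    ("KERNEL32.DLL", "LoadLibraryA", None),
    ("KERNEL32.DLL", "GetProcAddress", None),
    ("WININET.DLL", "InternetOpenUrlA", None),
    ("GDI32.DLL", None, 22),              # imported by ordinal only, as in the text
    ("USER32.DLL", "GetAsyncKeyState", None),
    ("UPDHELPER.DLL", "RunTask", None),   # hypothetical non-system DLL shipped with the sample
]
# Constructed export table for the ordinal lookup; real GDI32 ordinals differ per build.
SAMPLE_EXPORTS = {"gdi32.dll": {22: "BitBlt", 23: "GetDC"}}

if __name__ == "__main__":
    report = assess_imports(SAMPLE_IMPORTS, SAMPLE_EXPORTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the constructed sample the report lists screen capture, URL access and keyboard polling as capabilities, flags runtime linking (so the list is incomplete), and singles out UPDHELPER.DLL as a non-system library worth examining on its own, which is the "suspicious DLLs" check the text recommends.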

Resource Hacker

Another important part of the PE file is the .rsrc section. As previously studied, this section contains various resources of the application, such as dialog boxes, menus, and strings, among others. The Resource Hacker tool allows you to graphically view the resources present in a binary file in PE format. This tool is free and can be downloaded from the official address http://www.angusj.com/resourcehacker/.

Resource Hacker helps to understand in advance the possible interactions between program and user. Based on the menus and dialog boxes displayed by the tool, it is possible to have an idea of the options available to the user for manipulating the program under analysis. In addition, it is possible in some cases to identify hidden screens or menus that would only be displayed after a certain action, such as pressing certain keys together. It is also important to examine the strings classified by Resource Hacker, as they may contain messages presented to the user or some additional coding done via script or markup language (e.g. assembling an HTML page for later submission).

Figure 8 - Resource Hacker program interface showing a dialog box present in the binary file.

Figure 8 presents the Resource Hacker interface. The left-side panel lists the resources available in the file by category (Menu, Dialog, Icon, String Table, etc.); each category represents a resource type, as per its name. When expanding a category, all resources present are listed according to their ID number. When a resource is selected, its content is displayed in the right-hand pane.

Some programs, aiming to provide support for multiple languages, use Microsoft's technology called MUI (Multilingual User Interface). When this technology is used, the .rsrc section of the binary file will only present basic resources such as icons or binary version information. In these cases, the other resources will usually be present in a file that has the same name as the original file, but with the addition of the .mui extension. The .mui file will contain the most relevant resources for reverse engineering, such as dialog boxes, string tables, menus, etc.

Dynamic Analysis

After obtaining all possible information about how the binary file works through static analysis, the next step is to examine its behavior during execution. Great care must be taken during this procedure due to the risks that the execution of the malware poses to the operating system and the network infrastructure. Side effects are unwanted, so it is essential to prepare a controlled and safe environment for the execution of the activities. There are two ways to study how malware works safely: setting up a physical environment or creating virtual machines.

Setting up a physical environment is a great way to analyze malware, since the anti-analysis techniques used to detect the execution of the malicious program in virtual machines would not work. However, this is a very expensive practice, as in many cases an environment composed of more than one machine is required, which would lead to the assembly of a segregated physical network. In addition, the physical environment is not very flexible, as in some cases it is necessary to reinstall the operating system to return to the state before the malware was executed. For these and other reasons, running malware in a controlled physical environment can become unfeasible, although in some cases it is the only alternative.

The creation of virtual machines is the most used method for creating safe environments for the execution of malware, due to the ease of manipulating virtual hard disks through snapshots. Snapshots allow you to save the entire state of a hard disk at a given time, making it possible to return to the state of the hard disk at the time of snapshot creation after several changes to files. In addition, many virtualization tools allow the creation of multiple snapshots, which allows saving several points at different moments of the malware analysis, allowing the adoption of different strategies during the exam.

Process Explorer

Process Explorer presents information about all processes running on the operating system. It is analogous to the Windows Task Manager (taskmgr); however, it is much more robust and contains additional information and resources that are of interest to malware analysis. This tool displays active processes in a hierarchical manner, making it possible to identify the relationship between parent and child processes. Process Explorer is part of the Sysinternals suite of tools and can be downloaded for free at https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx.

One of the main features of Process Explorer is the possibility to view the handles and DLLs loaded by a process. Handles are operating system resources that are being handled by a process during its execution. Open files and directories, Windows registry keys, mutexes and threads are examples of handles that can be used by a process. By analyzing the handles, it is possible to identify the directories in which the files created by the malware are present. In addition, it is possible to identify other DLLs loaded by the malware at runtime (runtime linking), which could not be identified by analyzing the .rdata section using Dependency Walker, due to the use of the LoadLibrary and GetProcAddress functions of the Kernel32.dll library.

Process Explorer also makes it possible to search by name of handles or DLLs; in this way, it is possible to identify which processes have loaded a particular DLL or which processes have a particular file open. The tool's interface is shown in Figure 9. Process Explorer divides the interface into two panels: the upper panel displays the running processes and the lower panel displays the handles or DLLs used by the selected process. It is possible to add new fields in the upper panel with more specific information about the process (menu View -> Select Columns...). Blue processes represent user processes, pink processes represent service processes. Also, new objects are initially highlighted in green and newly deleted objects are highlighted in red. Additionally, if any process is displayed in purple, it means that its executable file is packed. The information displayed by the tool is updated every second by default.

Figure 9 - Process Explorer tool interface.

When double-clicking on an active process, detailed information about the process is displayed, such as data about the executable file, performance data, open TCP/UDP ports, threads created by the process, and environment variables, among other information.

Like the Autoruns tool, Process Explorer performs the verification of the digital signatures of running program files and loaded DLLs. In addition, it also has integration with the VirusTotal online scanning tool. These features make it easy to identify virus-infected files as well as find new running malware.

Process Monitor

Unlike Process Explorer, which displays all running processes, Process Monitor captures some events performed by processes in a certain period. This tool captures four classes of events performed by a process on Windows: activities in the registry, activities in the file system, activities in the network, and activities involving processes and threads. Process Monitor is analogous to a sniffer, only instead of capturing network packets, it captures system calls executed by processes, such as querying registry keys, writing to a file on the hard disk, or creating a thread, among many other activities.

Process Monitor is also a program that is part of the Sysinternals suite of tools and, like the other tools in this suite, it is free and can be downloaded by accessing the address https://technet.microsoft.com/en-us/library/bb896645.aspx.

Figure 10 represents the Process Monitor interface. When running, Process Monitor starts capturing the events that are occurring in the operating system. To pause capturing events, just click on the File menu and then on Capture Events, or use the shortcut keys Ctrl+E. Its interface presents a timeline containing information about the events of a process. Each column displays specific data about the event, such as the date and time of the event, the name of the process, the type of operation, the path in which the event took place, the result of the event and detailed information about the event.

Figure 10 - Process Monitor Interface.

The tool captures thousands of events per second from many different processes, which makes data analysis and interpretation difficult. To facilitate the visualization and interpretation of captured events, Process Monitor has a filtering resource in which it is possible to create filters using a series of specific characteristics such as process PID, category, process user, and operation, among others. Using the filtering feature, only events that match the filter expression will be displayed. To access the filtering feature, just click on the Filter menu and then on Filter..., or use the shortcut keys Ctrl+L. It is also possible to highlight specific events displayed in the analysis interface, making it easier to identify certain program behaviors. To access this feature, just click on the Filter menu and then on Highlight..., or use the shortcut keys Ctrl+H. Note that the filtering resource only filters events that have already been recorded: it is a display filter, not a capture filter, so it cannot be used to reduce the number of captured events (and thus the amount of memory consumed by the tool); all events will always be captured.

The interface shown in Figure 10 shows the mapping of events from a keylogger (while monitoring, random keys were pressed). In this capture, the filtering feature is used so that only the process with PID 6536 is displayed. In addition, the events that query registry values (RegQueryValue) and write to files (WriteFile) are highlighted. Based on the capture, it is possible to infer that, when performing the RegQueryValue operation on the key HKLM\System\CurrentControlSet\Control\Keyboard Layouts\00000416\Layout File, the malware accesses the Windows registry in search of the keyboard layout used by the user. The value of this registry key contains the name of the DLL responsible for the keyboard layout being used at the time of capture (KBDBR.DLL). The malware loads the KBDBR.DLL library to configure its layout according to the layout in use. Subsequently, several writes are performed to the file called TUT.001, present in the path C:\ProgramData\TUT\, which most likely stores the keys typed by the user and captured by the keylogger.
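The same filter-and-highlight workflow can be reproduced offline on a Process Monitor capture exported as CSV (File -> Save..., CSV format). The Python below is an added example, not code from the article: it runs over constructed sample rows laid out like a Process Monitor CSV export, keeps only the events of PID 6536, flags the RegQueryValue and WriteFile operations, and summarises the keyboard-layout lookup and the paths written to. The process name kl.exe, the timestamps and the rows from other processes are made up; the PID, the registry key and the TUT.001 path follow the capture described above.

```python
"""Triage of a Process Monitor CSV export (added example, not from the article).

Reproduces the filter/highlight workflow over constructed sample rows laid out
like a Process Monitor CSV export: keep one PID, flag RegQueryValue and
WriteFile operations, and summarise where the process writes data.
"""
import csv
import io
from collections import Counter

# Constructed sample rows. PID 6536, the Keyboard Layouts key and the
# C:\ProgramData\TUT\TUT.001 path follow the article's capture; the process
# name kl.exe, the timestamps and the other processes' rows are invented.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","explorer.exe","1204","RegQueryValue","HKCU\Software\Classes","SUCCESS","Type: REG_SZ"
"10:01:02.101","kl.exe","6536","RegQueryValue","HKLM\System\CurrentControlSet\Control\Keyboard Layouts\00000416\Layout File","SUCCESS","Type: REG_SZ, Data: KBDBR.DLL"
"10:01:02.102","kl.exe","6536","Load Image","C:\Windows\System32\KBDBR.DLL","SUCCESS","Image Base: 0x7ff0"
"10:01:02.250","kl.exe","6536","CreateFile","C:\ProgramData\TUT\TUT.001","SUCCESS","Desired Access: Generic Write"
"10:01:02.251","kl.exe","6536","WriteFile","C:\ProgramData\TUT\TUT.001","SUCCESS","Offset: 0, Length: 1"
"10:01:02.900","kl.exe","6536","WriteFile","C:\ProgramData\TUT\TUT.001","SUCCESS","Offset: 1, Length: 1"
"10:01:03.000","svchost.exe","812","WriteFile","C:\Windows\Temp\x.log","SUCCESS","Offset: 0, Length: 64"
'''

# Operations highlighted in the article's capture.
HIGHLIGHT_OPS = {"RegQueryValue", "WriteFile"}


def parse_events(text):
    """Parse a Process Monitor CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def events_for_pid(events, pid):
    """Display filter: keep only the events belonging to one PID."""
    return [e for e in events if int(e["PID"]) == pid]


def highlighted(events):
    """Highlight: events whose operation is one we care about."""
    return [e for e in events if e["Operation"] in HIGHLIGHT_OPS]


def written_files(events):
    """Count WriteFile operations per path, i.e. where data is being stored."""
    return Counter(e["Path"] for e in events if e["Operation"] == "WriteFile")


def keyboard_layout_lookups(events):
    """Registry reads under the Keyboard Layouts tree, a hint of key capture."""
    return [e["Path"] for e in events
            if e["Operation"] == "RegQueryValue"
            and "\\Keyboard Layouts\\" in e["Path"]]


def triage(text, pid):
    """Run the whole workflow for one PID and return a summary dict."""
    ev = events_for_pid(parse_events(text), pid)
    return {
        "events": len(ev),
        "highlighted": len(highlighted(ev)),
        "layout_lookups": keyboard_layout_lookups(ev),
        "written": written_files(ev),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_CSV, 6536)
    print(f"{summary['events']} events, {summary['highlighted']} highlighted")
    for path in summary["layout_lookups"]:
        print("keyboard layout lookup:", path)
    for path, n in summary["written"].items():
        print(f"{n} WriteFile operations to {path}")
```

On a real export, replace SAMPLE_CSV with the file contents and the PID with the one shown by Process Explorer; the written-file counter is the quickest way to spot where a keylogger stores its output.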

Although Process Monitor captures certain network activities, its use is not recommended for examinations that aim to identify malware behavior in a network environment, since it only presents superficial information about connections made by processes and does not capture the frames transmitted. For this type of exam, other more specific tools will be presented throughout this article.

Network Monitor

Many malware use a network to receive external commands, updates or even send information to third parties. Based on the data trafficked by the malware, it is possible to discover anything from attempts to propagate through the local network to the identification of servers that store stolen personal data from users. Because of this, it is essential to examine the network activities performed by the program under analysis.

To capture the data transmitted by a computational device effectively, it is necessary to use a network sniffer. For a sniffer to work in the virtual environment created for the dynamic analysis of malware, it is necessary to create a virtual network or, as a last resort, to provide internet access to the program under analysis.

Wireshark is currently, without a doubt, the most used sniffer in the world, having a series of extremely efficient features and functionalities. However, for malware analysis in Windows environments, it is recommended to use the Microsoft sniffer called Network Monitor (NetMon). NetMon's main advantage over Wireshark is its simplicity in performing the traffic analysis of a specific process, ignoring the traffic of the other processes, which facilitates the interpretation of the frames sent and received by a given program in execution. With NetMon, just click on the desired process and all network traffic associated with that process will be displayed by the tool. This sniffer is free and can be downloaded at https://www.microsoft.com/en-us/download/details.aspx?id=4865.

When starting Network Monitor, the user must select the network device on which he wants to capture frames and then click on New Capture. Then, the main interface of the program will be displayed, like the one shown in Figure 11. To start capturing frames, just click on the Start button.

Figure 11 - Network Monitor tool interface with enumerated panels.

NetMon's interface is divided into panels with distinct information about data in transit, as detailed below:

• Network Conversations (Panel 1) displays the processes that manifested some network activity during the capture period. The number in parentheses next to the process name represents its PID. By clicking on the + sign, all process flows, separated by source and destination IP address, will be displayed. The value <Unknown> represents all the traffic on the network to which the machine belongs that does not have any associated process, for example, broadcast traffic, Wi-Fi beacons, IGMP messages, etc.;

• Display Filter (Panel 2) allows adding display filters to captured frames, including regular expressions. The filter applied in this panel is just a visualization filter. To apply capture filters, click the Capture Settings button;

• Frame Summary (Panel 3) lists all frames stored during capture. If a particular process is selected in Network Conversations, Frame Summary will only display frames that are involved with that process. This panel has a lot of information about the frames, such as timestamp, source and destination addresses, and protocol, among others. To add or delete the columns displayed, just right-click on one of the fields and then click on Choose Columns...;

• Frame Details (Panel 4) displays detailed information about all protocol headers that make up the frame selected in Panel 3. Panel 4 displays protocol headers organized in a bottom-up manner (lowest layer protocol header first, highest layer last). By clicking on the + sign of one of the headers, detailed information about the selected header will be displayed;

• Hex Details (Panel 5) displays the raw frame in hexadecimal, without having been parsed. On the right side of this panel, the ASCII equivalent of the hexadecimal values shown on the left side is displayed. When clicking on any header value in Panel 4, the respective value in hexadecimal is highlighted in Hex Details.

Panel 3 of Figure 11 displays the capture of all frames sent/received by the Firefox browser according to the selection present in Panel 1. The frame selected in Panel 3 is displayed in detail in Panel 4, containing the request for the main page of the URL www.google.com.br through the HTTP protocol, which makes use of the GET method for the request. Panel 5 presents the selected frame in hexadecimal format, highlighting the HTTP protocol request as selected in Panel 4. In the capture recorded in the figure, visualization filters were not applied, as shown in Panel 2.

When capturing network data sent by malware with NetMon, it is important to note which IP address or URL the program is trying to connect to, which transport and application protocols are being used, and which data is being sent. With this information in mind, it is possible to understand the malware's intentions when using the network.
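What the Frame Details and Hex Details panels do with the frame in Figure 11 can be shown on a constructed frame. The Python below is an added example, not code from the article or from NetMon: it builds a minimal Ethernet/IPv4/TCP frame carrying an HTTP GET for www.google.com.br, dissects it bottom-up (Ethernet, then IPv4, then TCP, then HTTP, the order Panel 4 uses), and renders the hex/ASCII view of Panel 5. The MAC addresses, the client address 192.168.56.101 and the server address 203.0.113.10 (a documentation range) are invented; only the host name comes from the article.

```python
"""Bottom-up dissection of a captured frame (added example, not from the article).

Builds a constructed Ethernet II / IPv4 / TCP frame carrying an HTTP GET and
parses it layer by layer, then renders a hex/ASCII dump like NetMon's Hex
Details panel. All addresses are invented (203.0.113.0/24 is a documentation
range); only the host name www.google.com.br follows the article.
"""
import struct

HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.google.com.br\r\nUser-Agent: example\r\n\r\n"


def build_sample_frame(payload=HTTP_REQUEST):
    """Construct a minimal frame: Ethernet II + IPv4 (no options) + TCP (no options)."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"
    # src port 49152, dst port 80, seq 1, ack 1, data offset 5 words, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                       bytes([192, 168, 56, 101]), bytes([203, 0, 113, 10]))
    return eth + ipv4 + tcp + payload


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def parse_http_request(payload):
    """Parse the request line and headers of an HTTP/1.x request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def parse_frame(frame):
    """Return one dict per decoded layer, lowest layer first (as in Panel 4)."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["ethernet"] = {"dst": _mac(dst), "src": _mac(src), "type": ethertype}
    if ethertype != 0x0800:          # only IPv4 is decoded in this example
        return layers
    ver_ihl, _, total_len, _, _, ttl, proto, _, sip, dip = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4       # header length in bytes, honours IP options
    layers["ipv4"] = {"src": _ip(sip), "dst": _ip(dip), "ttl": ttl, "protocol": proto}
    if proto != 6:                   # only TCP is decoded in this example
        return layers
    t = 14 + ihl
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", frame[t:t + 14])
    data_off = (off_flags >> 12) * 4  # honours TCP options
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x1FF}
    payload = frame[t + data_off:14 + total_len]
    if payload and 80 in (sport, dport):
        layers["http"] = parse_http_request(payload)
    return layers


def hexdump(data, width=16):
    """Hex on the left, printable ASCII on the right, like the Hex Details panel."""
    out = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append(f"{off:04x}  {hexpart}  {asc}")
    return out


if __name__ == "__main__":
    frame = build_sample_frame()
    for name, fields in parse_frame(frame).items():
        print(name, fields)
    print("\n".join(hexdump(frame)))
```

The two length fields (IHL and TCP data offset) are read from the headers rather than assumed, so the parser also copes with frames that carry IP or TCP options; the ASCII column is where the request line and Host header become readable, which is what the highlighted bytes in Panel 5 correspond to.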

TCPView

Using a sniffer in a virtual machine with internet access, if a given process does not transmit any packets during the capture, it will not be possible to detect whether this process makes use of the network, even if it keeps open ports or persistent connections. To identify this type of behavior, it is necessary to consult the states of active TCP connections in the operating system. A quick way to find out the TCP states of connections is to run the netstat command at the Windows command prompt. While netstat is useful in many cases, it is not as efficient for malware analysis as it does not dynamically display state information, that is, it does not automatically update changes in connection states. Also, netstat is not very intuitive for analyzing connections belonging to a given process.

To identify persistent connections and ports opened by a process, TCPView is a great solution. With this tool it is possible to identify all processes that keep ports open in the system, both UDP and TCP (LISTENING state), in addition to displaying all established TCP connections, even if they are not transmitting data. Furthermore, the information presented by the program is updated every second by default. This program is free and is also part of the Sysinternals toolkit and can be found at https://technet.microsoft.com/en-us/library/bb897437.aspx.

The TCPView interface can be seen in Figure 12. Its interface is very simple and displays information related to the process responsible for the connection, transport protocol, ports and local and remote addresses, and the connection status, among other information. By default, TCPView resolves IP addresses and ports to DNS and service names. To disable this functionality, just access the Options menu and uncheck the Resolve Addresses option. To display only active connections, access the Options menu and uncheck the Show Unconnected Endpoints option.

Figure 12 - TCPView Interface.

It is important to note whether the program under analysis keeps any UDP ports open, as some backdoors do not use the TCP transport protocol, which, consequently, does not generate connection states. It is also interesting to verify whether the suspicious program establishes persistent TCP connections with external servers with port 80 as the destination port, as this is a technique used to hide remote connections and circumvent firewalls that filter other types of known ports.
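The two checks just described (UDP ports kept open, persistent TCP connections to remote port 80) can be applied to netstat output as well, and running netstat twice and diffing the snapshots compensates for its lack of live updates. The Python below is an added example, not code from the article or from TCPView: it parses a constructed "netstat -ano" snapshot, lists the ports a PID keeps open, its ESTABLISHED connections to a chosen remote port, and the sockets that appeared between two snapshots. The PIDs, addresses and ports are invented (203.0.113.0/24 is a documentation range); PID 6536 stands in for the sample under analysis.

```python
"""Open ports and persistent connections from 'netstat -ano' (added example).

Not code from the article or from TCPView. Parses a constructed Windows
'netstat -ano' snapshot and answers the questions the TCPView section raises:
which ports a PID keeps open (UDP, or TCP in LISTENING), which ESTABLISHED
TCP connections it holds to a given remote port, and what changed between two
snapshots. Addresses, ports and PIDs are invented.
"""

# Constructed snapshot in the layout of 'netstat -ano' on Windows.
SNAPSHOT_1 = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    192.168.56.101:49723   203.0.113.10:80        ESTABLISHED     6536
  TCP    192.168.56.101:49800   203.0.113.44:443       TIME_WAIT       0
  UDP    0.0.0.0:5050           *:*                                    6536
  UDP    [::]:5353              *:*                                    1404
"""

# A second snapshot taken later: the sample opened one more connection.
SNAPSHOT_2 = SNAPSHOT_1 + \
    "  TCP    192.168.56.101:49901   203.0.113.10:80        ESTABLISHED     6536\n"


def parse_netstat(text):
    """Return one dict per socket line; UDP lines have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines, anything that is not a socket row
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(parts[-1])})
    return rows


def _port(addr):
    """Port of 'host:port' or '[v6]:port'; None for '*:*'."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def open_ports(rows, pid):
    """Ports the process keeps open: UDP sockets and TCP sockets in LISTENING."""
    return sorted((r["proto"], _port(r["local"])) for r in rows
                  if r["pid"] == pid
                  and (r["proto"] == "UDP" or r["state"] == "LISTENING"))


def persistent_connections(rows, pid, remote_port=None):
    """ESTABLISHED TCP connections of a process, optionally to one remote port."""
    return [(r["local"], r["remote"]) for r in rows
            if r["pid"] == pid and r["proto"] == "TCP"
            and r["state"] == "ESTABLISHED"
            and (remote_port is None or _port(r["remote"]) == remote_port)]


def _key(r):
    return (r["proto"], r["local"], r["remote"], r["state"], r["pid"])


def diff_snapshots(before, after):
    """Sockets that appeared or disappeared between two netstat runs."""
    a, b = {_key(r) for r in before}, {_key(r) for r in after}
    return {"added": sorted(b - a), "removed": sorted(a - b)}


if __name__ == "__main__":
    first, second = parse_netstat(SNAPSHOT_1), parse_netstat(SNAPSHOT_2)
    print("open ports of 6536:", open_ports(first, 6536))
    print("port-80 connections of 6536:", persistent_connections(first, 6536, 80))
    print("changes:", diff_snapshots(first, second))
```

The UDP socket shows up in open_ports even though netstat reports no state for it, which is the backdoor case the paragraph above warns about; the remote-port filter makes the port-80 check a one-liner.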

Advanced Analysis

If, even after employing basic malware analysis tools and techniques, it is still not possible to understand the functioning of the program and identify possible malicious activities, then the application of advanced reverse engineering techniques will be inevitable. Depending on the complexity and sophistication of the malware, it will take many hours of work to get effective results. In addition to time, it will be essential to use advanced tools such as disassemblers and debuggers. Although there is no space here for a more in-depth analysis of this matter, two widely used tools for software reverse engineering are presented below.

IDA

A very powerful and widely used disassembler and debugger is IDA (Interactive Disassembler) by Hex-Rays (https://www.hex-rays.com/products/ida/). This tool supports multiple operating systems, multiple processors and multiple executable file formats. IDA converts all machine instructions present in the binary file back into assembly language. In addition, it has a series of features such as function identification, stack analysis, and search for local variables, among many others.

IDA tries to be as interactive as possible. Among its greatest resources is the graph mode, which creates a kind of flowchart that facilitates the visualization of the calls and the course of the program flow. It also allows adding comments, labeling data and naming functions, and then saving this information in its internal database for further analysis. Another outstanding feature is FLIRT (Fast Library Identification and Recognition Technology). This technology allows the recognition of basic functions generated by compilers supported by IDA and present in the libraries of a certain high-level language. For example, for a program written in C, FLIRT makes it possible for IDA to easily identify standard functions from C-language libraries (stdio.h, stdlib.h, string.h) such as printf(), scanf(), strcpy(), strcat(), fopen() and fclose().

There are commercial and free versions of IDA. Version 5.0 of IDA is free for non-commercial use; however, it has limited functionality and low support for processor families. Consequently, the commercial versions have more functionality and a greater number of compatible processors.

OllyDbg

OllyDbg is a debugger for the x86 architecture that allows you to analyze programs while they are running. OllyDbg was widely used by crackers to break code, circumventing serials and software licenses. It is currently popular for reverse engineering malware due to its ease of manipulation, the addition of plug-ins and, most importantly, for being free. This tool can be downloaded via the link http://www.ollydbg.de/download.htm.

Its interface is very intuitive, making it possible to track registers, recognize procedures, analyze the stack, or search for strings, among other applications. It also allows the creation of patches in the executable file, which basically consists of saving the changes made to the program code, enabling the modification of instructions present in the binary file and in the execution flow. Currently, its biggest disadvantage is that it does not support binary files compiled for x64 processors, which makes it impossible to analyze newer software.

Final Considerations

Malware analysis is becoming an increasingly frequent reality in forensic examinations. Understanding the concepts on the subject, knowing methods to identify a malicious program and understanding its basic functioning are tasks that must be present in the daily life of any criminal expert.

As portrayed throughout the article, malware are resources that provide additional elements to the forensic examination, making it possible to find new information about the device user (e.g., spyware analysis), or even start new investigations into cybercrimes (e.g., bot or backdoor analysis). Because of this, even when malicious programs are not the focus of the forensic examination, they should not be overlooked, as their identification and analysis are extremely important.

About the Authors

Deivison Franco - EO at aCCESS Security Lab. Master's degrees in Computer Science and in Business Administration. Specialist degrees in Forensic Science (emphasis in Computer Forensics) and in Computer Networks Support. Degree in Data Processing. Researcher and Consultant in Computer Forensics and Information Security. Member of the IEEE Information Forensics and Security Technical Committee (IEEE IFS-TC) and of the Brazilian Society of Forensic Sciences (SBCF). C|EH, C|HFI, DSFE and ISO 27002 Senior Manager. Author and technical reviewer of the book “Treatise of Computer Forensics”. Reviewer and editorial board member of the Brazilian Journal of Criminalistics and of the Digital Security Magazine.

Cleber Soares - Information Security enthusiast and researcher, adept in the free software culture. He has worked in the technology area for more than 20 years, passing through national and multinational companies. He has a technical course in Data Processing, a degree in Computer Networks and a postgraduate degree in Ethical Hacking and Cyber Security. He acts as an Information Security Analyst and ad-hoc Forensic Computer Expert. Leader of the OWASP Belém Chapter at the OWASP Foundation and author at Hacker Culture.

Daniel Müller - Degree in Systems Analysis and Development, postgraduate in Computer Forensics and Digital Expertise, computer forensic investigator, computer forensic judicial expert, working in cases of fraud identification and data recovery, wireless intrusion testing specialist, Pentest and Computer Forensics article writer, currently working as Cybersecurity Specialist at Dock Security Operations Center.

IPED, An Amazing Tool To Analyze A Disk Image
by Marcus Fábio Fontenelle

This article will give you a brief introduction to IPED, an open source tool developed and maintained by the Federal Police of Brazil to analyze digital evidence.

Introduction

IPED, Digital Evidence Processor and Indexer (translated from Portuguese), is a tool developed and maintained by the Brazilian Federal Police. Its development was started in 2012. Initially, it was supervised by the digital forensic expert Luís Felipe Nassif, and now there is a team of digital forensic experts from the Brazilian Federal Police assisting in its development.

At first, the idea was to facilitate the use of digital attachments in forensic reports, index them, and offer a search tool. It was developed in Java, is run from the command line, and generates a very intuitive analysis interface.

As of 2014, it began to be widely used in Operation Car Wash, a huge Brazilian criminal investigation focused on corruption and led by the Brazilian Federal Police. At that time, IPED also started to be widely used to process and analyze digital evidence, often seized at crime scenes by Brazilian law enforcement or in corporate investigations by private examiners. Besides, this tool is listed by the INTERPOL Innovation Centre (https://github.com/INTERPOL-Innovation-Centre/IPED).

Although it has always been open source, it was only in 2019 that its code was officially published; it is currently available for anyone to contribute to its development (https://github.com/sepinf-inc/IPED).

Features and Functionalities

We can list as the main characteristics of IPED:

• Customizable: it has several settings files that allow it to be adapted to the best evidence acquisition scenario based on the hardware and software available;

• High Portability: developed in Java, allowing compatibility with Windows and Linux environments;

• Efficient Processing: supports millions of items and makes smart use of the idle time of processors/cores (known as workers);

• Full Extraction: support for multiple file formats (DD, 001, E01, ISO, VHD, VMDK, UFDR, AD1), performing data carving, expanding containers (files that have other files inside them, for instance, compressed files), indexing, searching for keywords in the content and properties of files, and identifying possibly scanned files (OCR of images and PDF files);

• Intuitive Analysis Interface: the developers tried to make the interface familiar to those who had already used well-known commercial software, such as FTK or EnCase;

• Code: it is available free for use and may have its features extended and improved.

IPED has several functionalities similar to the main existing commercial tools. Among these features, we can highlight:

• Detection of encrypted documents;

• Query of a KFF (Known File Filter) hashset to identify known files;

• Image thumbnails;

• Video thumbnails;

• Hexadecimal viewer;

• Visualization of the most used types of documents (Office, LibreOffice, PDF, etc);

• Georeferencing;

• Nudity detection;

• Regex;

• Tags;

• HTML report.

IPED Configuration

Next, the basic configuration of IPED will be presented. However, it is important that you carefully analyze all the configuration options of the software, because in a real case you may need some “fine-tuning”. IPED configuration files are well documented.

Before configuring IPED, Java (64-bit version) must be installed on the computer. After installing Java, go to the Windows search box and search for CONFIGURE JAVA. On the Java tab, click the View button. In the Runtime Parameters field, type -Xmx3G exactly as shown in Figure 1 below. This configuration will improve IPED performance.

Figure 1 – Java Setting
After installing and configuring Java, download IPED and unzip it in the folder of your choice. We must perform some configuration/parameterization before we can run it.

Go to the folder where you unzipped IPED, open the LocalConfig.txt file, and define the setting for the temporary directory to be used: indexTemp = F:/TEMP_IPED.

To enable carving and file recovery by IPED, in the folder where the software was unzipped, in the folder iped-<version>\profiles\en\default, open the file IPEDConfig.txt and enable (if they are not already enabled) the following options: processFileSignatures, indexUnknownFiles, addFileSlacks, addUnallocated, indexUnallocated and enableCarving.

In order to expand container files, detect possible encrypted files, index metadata, generate previews, etc., and, in addition to that, show the thumbnails of images and extract images from videos, it is also necessary to enable in the IPEDConfig.txt file the following options: enableFileParsing, expandContainers, enableImageThumbs, and enableVideoThumbs.

Running IPED

Once you’ve finished the basic configuration of IPED, you are ready to run it. Its syntax is as follows:

java -jar iped.jar -d <source_file> -o <target_folder>
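Because a processing run can take hours, it pays to check the configuration steps above before launching. The Python below is an added example, not part of the article or of IPED: it parses IPEDConfig.txt and LocalConfig.txt text, reports which of the options named above are still disabled and whether indexTemp is set, and assembles the java command line. It assumes the "key = value" layout with "#" comment lines for both files and that one -d argument is passed per input image; the sample config text, image paths and output folder are constructed.

```python
"""Pre-flight check of IPED configuration and command line (added example).

Not part of the article or of IPED. Assumes the 'key = value' layout with '#'
comments for IPEDConfig.txt / LocalConfig.txt and one '-d' per input image.
Sample configuration text and paths are constructed.
"""

# Options the article says must be enabled for carving and file recovery ...
CARVING_OPTIONS = ["processFileSignatures", "indexUnknownFiles", "addFileSlacks",
                   "addUnallocated", "indexUnallocated", "enableCarving"]
# ... and for container expansion, previews and thumbnails.
PARSING_OPTIONS = ["enableFileParsing", "expandContainers",
                   "enableImageThumbs", "enableVideoThumbs"]

# Constructed sample: two of the required options are not enabled.
SAMPLE_IPEDCONFIG = """\
# constructed sample in the key = value layout
processFileSignatures = true
indexUnknownFiles = true
addFileSlacks = true
addUnallocated = true
indexUnallocated = false
enableCarving = true
enableFileParsing = true
expandContainers = true
enableImageThumbs = true
# enableVideoThumbs = true
"""

SAMPLE_LOCALCONFIG = "indexTemp = F:/TEMP_IPED\n"


def parse_config(text):
    """Read 'key = value' lines, skipping blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def is_enabled(cfg, option):
    return cfg.get(option, "").lower() == "true"


def missing_options(cfg, required):
    """Required options that are absent, commented out or not 'true'."""
    return [o for o in required if not is_enabled(cfg, o)]


def build_command(sources, output, jar="iped.jar"):
    """Assemble the argument list; several images go in as repeated -d flags."""
    cmd = ["java", "-jar", jar]
    for src in sources:
        cmd += ["-d", src]
    cmd += ["-o", output]
    return cmd


def preflight(ipedconfig_text, localconfig_text, sources, output):
    """Return the problems found and the command that would be run."""
    cfg = parse_config(ipedconfig_text)
    local = parse_config(localconfig_text)
    problems = []
    if "indexTemp" not in local:
        problems.append("indexTemp not set in LocalConfig.txt")
    for opt in missing_options(cfg, CARVING_OPTIONS + PARSING_OPTIONS):
        problems.append(f"{opt} is not enabled in IPEDConfig.txt")
    return {"ok": not problems, "problems": problems,
            "command": build_command(sources, output)}


if __name__ == "__main__":
    result = preflight(SAMPLE_IPEDCONFIG, SAMPLE_LOCALCONFIG,
                       ["E:/case/disk1.E01", "E:/case/disk2.dd"], "F:/case_out")
    for p in result["problems"]:
        print("problem:", p)
    print(" ".join(result["command"]))
```

Read the two files from iped-<version>\profiles\en\default and the unzipped root instead of the sample strings to check a real installation; the command list can be passed straight to subprocess.run once the problems list is empty.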
It is worth noticing that IPED accepts more than one image file as input, allowing the analysis of copies of different media belonging to the same case in the same interface. Right after running the Java command, Figure 2 followed by Figure 3 should appear.

Figure 2 – Starting IPED

Figure 3 – IPED Processing

In Figure 3, we can see that there is a progress bar at the top indicating the number of processed items and the number of items to be processed, as well as the estimated completion time of processing. On the left, several statistics are presented, the most interesting being the elapsed and estimated processing time ("Processing Time" and "Estimated Finished" options) and the average processing speed ("Average Speed" option). On the right, the number of processing cores used (workers) is shown, and which tasks are being performed in each one of them. In the center, the tasks in execution are presented according to what has been configured.
Understand the Interface and Main Features

After processing, the file IPED-SearchApp.exe will be found in the target folder. When executed, the screen in Figure 4 should be displayed.

Figure 4 – IPED Interface

In the upper left corner, there are several predefined filters (Figure 5) that can help the investigator in his/her analysis.

Figure 5 – Predefined Filters

Right below the filters section, two ways of viewing the indexed information are presented: Categories (Figure 6) and Evidences (Figure 7).

Figure 6 – Categories

Figure 7 – Evidences

The Categories tab summarizes and categorizes the information that is usually most relevant in an investigation, such as users registered in the system, installed software, Internet search and browsing history, Windows Recycle Bin files, cookies and cache of browsers, downloads carried out, etc. New releases of IPED could bring new categories. The Evidences tab presents the disk partitions and the entire file hierarchy, as well as the file system metadata found in the processed image file.

In the center of the IPED interface, a list of files is shown according to the selection made in the Categories or Evidences tab. The Table tab (Figure 8) shows the files in detail, presenting information such as name, type, size, MAC times, whether the file was deleted and recovered, when the last change was made in the Windows registry, the path where the file was found in the file system and its hash. Usually, the name of carved files begins with the keyword “carved”.

Figure 8 – List of Files

When a folder with image files is selected, it is possible to visualize the thumbnails of the files on the Gallery tab (Figure 9).

Figure 9 – List of Thumbnails

If a certain image has geolocation metadata, a map indicating the georeferenced location can be viewed on the Map tab. To be able to use georeferencing properly, it is necessary to set a Google API key, but it is possible to leave the field blank and use a limited version of this feature (Figure 10).

Figure 10 – Georeferencing
In the lower right corner of the interface, you can access more detailed information about the selected file. If a preview of the file is possible, it will be displayed on the Preview tab (Figure 11). Video files may also display a preview (Figure 12).

Figure 11 – Image Preview

Figure 12 – Video Preview

In the Metadata tab, additional information is presented according to the type of file, such as the date and time of file creation (Figure 13), latitude and longitude (Figure 14), or make and model of the device that captured the image (Figure 15), and much more.

Figure 13 – Metadata: creation date and time, and time zone

Figure 14 – Metadata: geolocation

Figure 15 – Metadata: Make and Model
In the Links tab (Figure 16) it is possible to analyze the relationships (if any) between the users in the system, an extremely useful feature in a digital investigation.

Figure 16 - System Users Relationship

IPED also allows us to perform searches using regular expressions. For example, in Figure 17, a search is performed for JPEG files which contain the letter P followed by one or more digits. Note that TYPE is one of the columns displayed in the interface. It is possible to use the information displayed in the columns of the interface to build filters like the one in Figure 17.

Figure 17 – Regular Expressions
IPED searches both the name and the content of the file, including unallocated space. If we type just the first part of the expression before the AND operator, all files with a JPG extension will be displayed. If we leave just the last part of the expression (after the AND operator), all files that have in their name or content a string of characters containing the letter P followed by one or more digits will be displayed.

Tags and Report

It is possible to tag the files of interest found during the investigation to facilitate the analysis and the generation of the expert report. Suppose you want to tag the JPEG files that have been deleted (Figure 18). To do this, select all the displayed files, right-click on one of them and select the Manage Bookmarks option (Figure 19).

Figure 18 – Deleted JPEG Files

Figure 19 – Manage Bookmarks

Next, the screen shown in Figure 20 will be displayed. Let's create a bookmark called Deleted JPG Files, as shown in the figure.
Figure 20 – Bookmark Creation

Right after closing the window, notice that the newly created bookmark appears on the Bookmarks tab in the lower left corner of the IPED interface (Figure 21).

Figure 21– Bookmarks Tab

To generate a report, just right-click on any file and select the option Create Indexed Report. A window similar to Figure 22 should be displayed, in which you select the bookmarks that you want to list in the report and the folder where the report will be created. After that, a processing window shows up.

Figure 22 – Create Report Window

When the processing is finished, the file report.htm will be created in the root of the folder indicated as the output folder. The information in the Case Information section, as well as other parameters of the report (Figure 23), can be edited in the file HTMLReportConfig.txt located in the folder iped-<version>\profiles\en\default\conf.

Figure 23 – Report

Final Considerations

IPED is a flexible tool that should be considered by any digital investigator as an option for processing digital evidence. Despite its plain interface, its performance when processing a forensic image file and its speed when searching for evidence are, in the author's experience, better than those of any comparable tool. Now that you know a little bit about IPED, try it and form your own opinion. Have fun!
About the Author

Marcus Fábio Fontenelle is a Digital Forensics Investigator for the government of Paraná, Brazil. He has a master's degree in computer science and is a specialist in Computer Forensics. Since 1999 he has held international certifications from several entities, notably CHFI, CEH, Security+, and Network+. He has been teaching undergraduate and graduate information security courses since 2005 and also delivers technical courses focused on digital forensics and cybersecurity. In addition, he is a member of HTCIA (High Technology Crime Investigation Association) and ISSA (Information Systems Security Association - Brazilian Chapter). You can contact him on LinkedIn: https://www.linkedin.com/in/marcusfabio
Freely Distributed Open Source Image Forensics Tools
by James A (Jim) McCoy, Jr.

I have learned not to trust the internet, especially not photos. Social media is littered with fake and altered images. I have seen legitimate news sources duped by fake images. Images are often “shopped” for harmless reasons: just for fun, or to generate attention on social media. The problems come when fake or altered images are used for malicious purposes.

So, how can we debunk a photo?

I like to use freely distributed open source applications designed to examine images. They can be easily found on the internet using Google or other search engines.

I like to start by looking at the metadata, to learn what I am looking at before I look at the image itself. Actually, if someone gives me an image to examine, I ask them for details before even looking at the metadata: I get the who, what, when, where, why and how from them, and only then begin to look at it myself. My examination begins with the metadata.

Simply stated, metadata is data about data: information about the image that is recorded by the camera or added later. It is a set of data describing the image and providing information about its rights and administration, transported with the image file in a way that other software and human users can understand. The camera-recorded part of this metadata is usually stored in the Exif format.
The pixels of image files are created by automated capture from cameras or scanners. Metadata is stored in two main places:

Internally – embedded in the image file; container formats include JPEG, DNG, PNG, TIFF and others.

Externally – outside the image file, in a digital asset management system (DAM), as XMP data, or in an external news exchange format document as specified by the IPTC.

There are three main categories of data:

Descriptive – information about the visual content. May include headline, caption and keywords. Can contain free text or codes from a controlled vocabulary or other identifiers.

Rights – identification of the creator, copyright information, credits, and underlying rights in the visual content, including model and property rights.

Administrative – creation date, location, instructions for users, job identifiers, etc.

It is essential that the metadata stored in an image file stays with the image. Metadata is critical for identification and copyright protection. It is also key to smoothing workflow, easily finding digital images via search, online or offline, and tracking image usage. It is useful in authenticating an image in that it can serve to confirm that the image is what the creator says it is, or cast doubt on its authenticity. If the image creator claims that the photo was taken by them on a beach in Barbados, but the metadata shows the location as New Jersey, then there is a problem.

The problem with metadata is that it can be manipulated. The location of that photo of Barbados that is actually a beach in New Jersey can be changed, leaving the investigator searching for clues to fakery in the image itself.

As I said before, authenticating an image can be as simple or as complicated as the level of sophistication of its creator. If the creator of the image is unfamiliar with metadata, they will not have the ability to modify it. A more sophisticated creator may know how to manipulate metadata, posing a challenge for the forensic investigator. If the metadata has been manipulated, all is not necessarily lost: other facets of the image may disagree with the metadata and cast doubt on its authenticity. The metadata supports the image, but the image should also support the metadata.
Let's take a look at an example of metadata and a couple of tools used for reading it.

The volume of information contained in the metadata (date captured, date taken, date original, date created, date edited, date modified, date digitized, date accessed, etc.) can be overwhelming. What's with all of those dates? Those dates are where you will find clues to fakery: a modification date that differs from the original capture date, for instance, shows that the file was re-saved after it was taken. The dates are not the only storytellers, but they are the items that most “move the needle,” so to speak.

Now that we are familiar with the metadata that can verify the date, time, location and other supporting details, and we know that it can be edited, how do we examine, evaluate and validate this data?

I like open source, freely distributed tools, in part because they are free of cost, but also because they are not proprietary and there is usually good support from the user community. I always look for open source first. I chose to look at the metadata of my sample photo.

Some of the available tools are made for editing metadata, but, naturally, they can also display the data in an easily readable format.

Here, we can see the dates that are important to us.

The investigator should look at the metadata to see that it supports the claims made by the image creator. Does the date match when the creator says the photo was taken? Does the geolocation support the stated location? If not, then some doubt is cast upon the authenticity. Even if the metadata does appear to support the claims, we still don't stop there: we want to see if the photo supports the metadata.

Before examining the image using the tools, the investigator should look closely for signs of obvious fraud and deception. Is there something that looks out of place? Is there a person or object in the photo without a shadow? Does it appear to be a different time of day or season than the metadata says? Does the weather report for the alleged day of the photo say that it rained, but the ground is dry? Look closely at the image, write a detailed description of its contents, then use your tools to take a closer look at the details.

Again, I first looked for open source tools to examine the image. I also like simple things: if I can find something that is easy to use and quickly identifies a fake, I will use that for my initial examination.

I like to use forensically.com, a set of free tools for digital image forensics that includes clone detection, error level analysis, metadata extraction and more. I see it as a free and easy way to take a quick look at an image. With Forensically, I can quickly debunk an image, or at least begin to cast doubt on its authenticity, but I may still need to take a closer look at it. There are more sophisticated online and downloadable tools.

http://fotoforensics.com is another online tool that can be used to examine details of a photo, including metadata and image analysis. It can help identify areas of an image that have been manipulated, and it has many other features.
These are two online tools. I may not want to upload a file to someone else's server (an image under investigation may itself be sensitive), or I may not have internet access at the time, so I also need an offline tool, an application installed on my computer.

For this article, I decided to take a look at JPEGsnoop, a freely distributed tool for Windows. JPEGsnoop examines and decodes the details of JPEG, Motion JPEG, AVI and Photoshop files, and helps assess the source and authenticity of an image. There was no installation, as it is a downloadable .exe file; I especially like that when I want to test something out or take a quick look.

Another helpful feature is the internal database that compares an image's compression signature (its quantization tables and related encoder settings) against known signatures, identifying the digital camera or software that was likely used to generate the file. This feature is extremely useful in determining whether a photo has been edited or re-saved: if the compression signature matches Photoshop, it is a safe bet that the file is not the camera original. Note what this does and does not prove: a match to an editor's signature shows that the file was last saved by that program, not that its content was altered, so the finding still has to be checked against the image itself.

JPEGsnoop reports a large amount of information, including the quantization table matrices (chrominance and luminance), chroma subsampling, JPEG quality, JPEG resolution, Huffman tables, Exif metadata, Makernotes, RGB histograms, etc.

The app does what the web site says it does, quickly and easily.
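To make the two checks discussed in this article concrete, the date comparison from the metadata discussion and the compression-signature idea behind JPEGsnoop, here is an added example written for this article (it is not code from JPEGsnoop, Forensically or FotoForensics). It walks the JPEG marker segments of a file itself: it pulls the ASCII Exif tags (Make, Model, Software, DateTime, DateTimeOriginal) out of the APP1 segment, pulls the quantization tables out of the DQT segment, which are the raw material of a compression signature, and then applies the Software and re-save date checks. The marker values, tag numbers and the Annex K table come from the JPEG and Exif specifications; the function names, the editor name list and the constructed sample file (headers only, not a viewable image) are this example's own assumptions.

```python
import struct

# Exif tags read below (IFD0 and the Exif sub-IFD) and Software values that betray an editor.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x0132: "DateTime", 0x9003: "DateTimeOriginal"}
EDITOR_MARKERS = ("photoshop", "gimp", "lightroom", "paint.net")
# Standard luminance quantization table (JPEG spec, Annex K); used only for the constructed sample.
STD_LUMA_QT = [16, 11, 12, 14, 12, 10, 16, 14, 13, 14, 18, 17, 16, 19, 24, 40,
               26, 24, 22, 22, 24, 49, 35, 37, 29, 40, 58, 51, 61, 60, 57, 51,
               56, 55, 64, 72, 92, 78, 64, 68, 87, 69, 55, 56, 80, 109, 81, 87,
               95, 98, 103, 104, 103, 62, 77, 113, 121, 112, 100, 120, 92, 101, 103, 99]


def jpeg_segments(data):
    """Yield (marker, payload) for every marker segment of a baseline JPEG up to SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI, or SOS: entropy-coded scan data follows
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def quant_tables(data):
    """{table_id: [64 values]} from all DQT segments; 8- and 16-bit precision tables."""
    tables = {}
    for marker, payload in jpeg_segments(data):
        if marker != 0xDB:
            continue
        i = 0
        while i < len(payload):
            precision, table_id = payload[i] >> 4, payload[i] & 0x0F
            width = 2 if precision else 1
            raw = payload[i + 1:i + 1 + 64 * width]
            tables[table_id] = list(struct.unpack(">64H" if precision else "64B", raw))
            i += 1 + 64 * width
    return tables


def exif_tags(data):
    """ASCII tags from IFD0 and the Exif sub-IFD inside the APP1 'Exif' segment."""
    tiff = next((p[6:] for m, p in jpeg_segments(data)
                 if m == 0xE1 and p.startswith(b"Exif\x00\x00")), None)
    if tiff is None:
        return {}
    end = ">" if tiff[:2] == b"MM" else "<"    # byte order from the TIFF header
    found = {}

    def read_ifd(offset):
        count = struct.unpack(end + "H", tiff[offset:offset + 2])[0]
        for n in range(count):
            e = offset + 2 + 12 * n
            tag, typ, cnt, val = struct.unpack(end + "HHI4s", tiff[e:e + 12])
            off = struct.unpack(end + "I", val)[0]
            if tag == 0x8769:                  # pointer to the Exif sub-IFD
                read_ifd(off)
            elif typ == 2:                     # ASCII; stored inline when it fits in 4 bytes
                raw = val[:cnt] if cnt <= 4 else tiff[off:off + cnt]
                found[TAG_NAMES.get(tag, hex(tag))] = raw.rstrip(b"\x00").decode("ascii", "replace")

    read_ifd(struct.unpack(end + "I", tiff[4:8])[0])
    return found


def authenticity_flags(data):
    """First-pass checks: editor named in Software, re-save after capture, missing Exif or DQT."""
    tags, flags = exif_tags(data), []
    sw = tags.get("Software", "")
    if any(m in sw.lower() for m in EDITOR_MARKERS):
        flags.append("Software names an editor: " + sw)
    orig, mod = tags.get("DateTimeOriginal"), tags.get("DateTime")
    if not orig:
        flags.append("no DateTimeOriginal: Exif stripped or never written")
    elif mod and mod != orig:
        flags.append("DateTime %s differs from DateTimeOriginal %s: file re-saved" % (mod, orig))
    if not quant_tables(data):
        flags.append("no DQT segment: not a baseline JPEG")
    return flags


def build_sample_jpeg(software, date_time, date_original):
    """Constructed fixture for this example: SOI + APP1 Exif + DQT + EOI, no scan data."""
    ifd0 = [(0x010F, b"Canon\x00"), (0x0110, b"Canon EOS 5D\x00"),
            (0x0131, software.encode() + b"\x00"), (0x0132, date_time.encode() + b"\x00")]
    sub = [(0x9003, date_original.encode() + b"\x00")]
    sub_off = 8 + 2 + 12 * (len(ifd0) + 1) + 4        # IFD0 starts at TIFF offset 8
    data_off = sub_off + 2 + 12 * len(sub) + 4         # string values follow both IFDs
    blob, ifds = b"", []
    for entries, extra in ((ifd0, struct.pack(">HHII", 0x8769, 4, 1, sub_off)), (sub, b"")):
        packed = b""
        for tag, val in entries:
            packed += struct.pack(">HHII", tag, 2, len(val), data_off + len(blob))
            blob += val
        ifds.append(struct.pack(">H", len(entries) + (1 if extra else 0)) + packed + extra + b"\x00" * 4)
    app1 = b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08" + b"".join(ifds) + blob
    dqt = b"\x00" + bytes(STD_LUMA_QT)
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xdb" + struct.pack(">H", len(dqt) + 2) + dqt + b"\xff\xd9")
```

Run authenticity_flags on the bytes of a real file to get the same findings; quant_tables gives the tables you would compare against a signature database, and exif_tags the values to check against what the image creator claims. The checks are deliberately one-sided: a clean result says nothing, since Exif is trivially editable, while a hit only says the file was re-saved and by what, never that the picture content was changed.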

Most tools have the same basic functionality; it is best for each investigator to experiment with tools and decide which they like working with best. User interfaces and intuitiveness vary, and some tools may be more complicated to install. I do not go looking for new tools every day, but I read and periodically do a Google search for the top rated tools. If something is new or improved, I download a copy and try it, so I am always using the best available tools. This is another reason why I like open source tools: I don't have financial investments in tools that soon become outdated.

About the Author

James (Jim) McCoy, Jr. - I have been living and teaching in China for nine years. Originally hired to teach a course on Globalization with a focus on the global financial crisis of 2008, I went on to teach American Government, Political Science, American History, and other courses. My previous experience as a Systems Analyst brought an opportunity to teach a semester of AP Computer Science using Java. I have a BA in International Business and earned an MA in International Relations during my time as a teacher. My interest in terrorism grew out of my MA studies and the partial PhD studies that I pursued in Homeland Security. Technology has always had a place in my heart and I found a way to combine my interests in technology and terrorism. I am currently studying Cybersecurity, Ethical Hacking, and Cyberforensics. As I continue to teach, I am developing an online business that includes writing and consulting. I publish a blog at www.thisismychina.com. I currently reside in Tianjin, China with my partner Claire and our two daughters YoYo and Li Li (ages 2 ½ and 5).
Malware - The Nightmare Time
by Wilson Mendes

The evolution of technology and the rapid growth of the internet have brought the threat of cyber attacks to private and public infrastructure. Words like backdoor, spyware, worm, keylogger, trojan, miner, botnet, rootkit, and ransomware have permanently entered general use.

With the arrival of the Internet of Things we have many more connected devices: watches, refrigerators, lamps, smart homes, smart TVs and assorted gadgets that are already part of our daily lives. They bring great changes to how we live and to how organizations do business, and they also widen the surface on which cybercriminals can act.

Introduction

Networks of governments, the financial sector, the public sector, large corporations, electric and energy companies, and data centers in hundreds of sectors around the world are compromised at this very moment.

Data breaches are increasingly common: it is not difficult to find a lot of information about a company, about you, about me, about us. Leaked credentials are easy to come by on the internet.

APT (Advanced Persistent Threat)

Many countries invest in APTs: hacker armies with advanced technical capability, sponsored by a government to carry out cyber attacks against targets such as:

• the financial industry,
• national defense,
• intellectual property,
• military plans,
• manufacturing,
• government agencies,
• business organizations,
• foreign embassies,
• telecommunications companies,
• universities and pharmaceutical companies,
• healthcare organizations,
• individual business people,
• multiple systems at once (multi-system intrusions).

Some of the most famous APT (Advanced Persistent Threat) groups in the world: APT/Titanium, The Shadow Brokers, Carbanak, Equation Group, Lazarus Group, APT28/Fancy Bear, APT29/Cozy Bear, APT34, APT37/Reaper, Iron Tiger APT.

These cyber attacks, which make use of malicious software, also known as malware, represent a great challenge for people and institutions. Advanced zero-day exploits, social engineering, targeted spear phishing, and cyber espionage are some of the techniques used by these groups against thousands of organizations around the world.

The United States, Canada, the United Kingdom, Russia, Norway, Ukraine, Mexico, Germany, France, Brazil and dozens of other countries have already detected the fingerprints of these groups, whose aim is to steal information, since companies located in these countries deal with confidential and high-value information.

What Is Malware?

Malware is a broad term for different kinds of malicious code; it can take the form of an executable that performs malicious actions with the intent to steal or encrypt your data and sell your personal information. Examples include viruses, trojan horses, scareware, spyware, rootkits and worms.

Usually, it enters your system without your consent, and cyber attacks use it to steal confidential information. Without the knowledge, skills, and tools needed to analyze malicious software, it is nearly impossible to recognize the symptoms of an infected device; these skills are essential for detecting, investigating, and defending against such attacks, which are undoubtedly on the rise and focus on extracting valuable information.

Some malware terminology and definitions

While performing malware analysis, you will often come across various types of malicious programs. Some of them are categorized based on their functionality and attack vectors, as listed here:

Rootkit: Malware that provides the attacker with privileged access to the infected system and conceals its presence or the presence of other software.

Downloader or dropper: Malware designed to download or install additional malware components.

Trojan: Malware that disguises itself as a regular program to trick users into installing it on their systems. Once installed, it can perform malicious actions such as stealing sensitive data, uploading files to the attacker's server, or monitoring webcams.

Virus or worm: Malware that is capable of copying itself and spreading to other computers. A virus needs user intervention, whereas a worm can spread without user intervention.

Botnet: A group of computers infected with the same malware (called bots), waiting to receive instructions from the command-and-control server controlled by the attacker. The attacker can then issue a command to these bots, which can perform malicious activities such as DDoS attacks or sending spam emails.

Backdoor/Remote Access Trojan (RAT): A type of trojan that enables the attacker to gain access to and execute commands on the compromised system.

Adware: Malware that presents unwanted advertisements (ads) to the user. It usually gets delivered via free downloads and can forcibly install software on your system.

Information stealer: Malware designed to steal sensitive data such as banking credentials or typed keystrokes from the infected system. Examples include keyloggers, spyware, sniffers, and form grabbers.

Ransomware: Malware that holds the system for ransom by locking users out of their computer or by encrypting their files.

Classifying malware strictly by these definitions is not always possible, because a single sample may combine several functionalities, for example a worm component, a backdoor and ransomware, and may discard some of these components after successfully compromising the target.

Some of these sources allow you to download malware samples:

• Das Malwerk: http://dasmalwerk.eu,
• VirusShare: https://virusshare.com,
• VirusBay: https://beta.virusbay.io,
• MalwareBazaar: https://bazaar.abuse.ch/browse/,
• Malware DB: http://ytisf.github.io/theZoo/,
• Vx-underground: https://vx-underground.org/samples.html,
• AVCaesar: https://avcaesar.malware.lu,
• Hybrid Analysis: https://www.hybrid-analysis.com,
• Malwr: https://malwr.com,
• TheZoo: http://thezoo.morirt.com.
The suspect file can also be looked up and scanned online with multiple anti-virus engines and malware scanning services:

• VirusTotal: http://www.virustotal.com,
• Malware Scan: https://virusscan.jotti.org,
• VirSCAN: http://www.virscan.org,
• Metadefender: https://www.metadefender.com.

Malware analysis, whose purpose is to let better defenses be built to protect an organization's network, involves analyzing suspicious binaries through reverse engineering to identify their characteristics and functionality, and determining, through different techniques, identifiable patterns of how the system was compromised and impacted; the results can be used to remediate the infection and to prevent future ones.

These techniques include static analysis (identifying the file type, determining the malware's target architecture, fingerprinting the sample with cryptographic hashes, extracting strings, functions and metadata, and recognizing obfuscation techniques), dynamic analysis, code analysis, memory analysis, and classifying and comparing malware samples. Together they reveal information about the attack and the context around the suspicious file.
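As an added illustration of the static side of that list (not code from this article or from any of the services above), the following Python reads the file type and target architecture from a PE or ELF header, fingerprints the sample with MD5/SHA-1/SHA-256, extracts ASCII and UTF-16LE strings and picks out the ones that look like indicators, all without executing anything. Header offsets and machine constants come from the PE/COFF and ELF specifications; the function names, the indicator regex and the constructed sample (a DOS stub, a COFF header and a few strings, not a loadable binary) are this example's own assumptions.

```python
import hashlib
import re
import struct

# COFF machine types (PE) and ELF e_machine values for the common targets.
PE_MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
ELF_MACHINES = {3: "x86", 62: "x86-64", 40: "ARM", 183: "ARM64"}
PRINTABLE = rb"[\x20-\x7e]"
# Strings worth a second look: URLs, dotted IPv4 addresses, and file names with
# extensions that often show up in droppers and C2 paths (assumed list).
IOC_RE = re.compile(r"https?://[\w.\-]+[^\s\"']*|\b(?:\d{1,3}\.){3}\d{1,3}\b"
                    r"|\b[\w.\-]+\.(?:exe|dll|php|ps1|bat)\b", re.I)


def file_hashes(data):
    """MD5, SHA-1 and SHA-256: the values to search for on VirusTotal and similar services."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def identify(data):
    """File type and target architecture read from the PE or ELF header, never by running it."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\x00\x00" and len(data) >= pe_off + 24:
            machine, chars = struct.unpack_from("<H16xH", data, pe_off + 4)
            kind = "DLL" if chars & 0x2000 else "EXE"               # IMAGE_FILE_DLL
            return {"type": "PE " + kind, "arch": PE_MACHINES.get(machine, hex(machine))}
        return {"type": "MZ (DOS stub, no PE header)", "arch": "unknown"}
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        endian = "<" if data[5] == 1 else ">"                       # EI_DATA
        e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
        kind = {1: "relocatable", 2: "executable", 3: "shared object"}.get(e_type, "type %d" % e_type)
        return {"type": "ELF%d %s" % (32 if data[4] == 1 else 64, kind),
                "arch": ELF_MACHINES.get(e_machine, str(e_machine))}
    return {"type": "unknown", "arch": "unknown"}


def extract_strings(data, min_len=4):
    """ASCII and UTF-16LE strings, as the `strings` utility would report them."""
    ascii_re = re.compile(PRINTABLE + b"{%d,}" % min_len)
    wide_re = re.compile(b"(?:" + PRINTABLE + b"\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def triage(data):
    """Static first pass: hashes, type and architecture, and indicator-looking strings."""
    report = {"hashes": file_hashes(data), **identify(data)}
    report["indicators"] = sorted({m.group() for s in extract_strings(data) for m in IOC_RE.finditer(s)})
    return report


def build_sample_pe():
    """Constructed fixture: DOS header, COFF header and a few strings; not a loadable binary."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x0022)
    tail = (b"\x00cmd.exe /c whoami\x00\x00"
            + "http://c2.example.invalid/gate.php".encode("utf-16le") + b"\x00\x00"
            + b"Global\\MutexAbc\x00")
    return dos + coff + tail


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

Feed triage() the bytes of a real sample (read in binary mode) and the result is the starting point for everything else in the list: the hashes go to the scanning services, the architecture decides which sandbox or disassembler to use, and the indicator strings are the first thing to check against proxy and DNS logs. A packed or obfuscated sample will yield few readable strings, which is itself a finding.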

Malware developers modify their code using obfuscation techniques to circumvent these detections, since they are always looking for new ways to attack systems whose vulnerabilities have been patched. Remember that the scanning engines rely on signatures and heuristics to detect malicious files, so a repacked or obfuscated sample may match neither.

Pegasus, a famous spyware developed by the Israeli company NSO Group, whose sale is not illegal and whose main customers are governments around the world, allows capturing audio and video calls, text messages, photos and contact lists, activating the microphone and camera, and taking full remote control of the device, sending the collected files to its servers on a schedule without being detected. Facebook (the owner of WhatsApp) has taken NSO Group to court for using its platform to distribute this malicious software.

A very famous case that caught the attention of the world

Amazon founder Jeff Bezos' cell phone was hacked

In 2018, the owner of Amazon and The Washington Post, Jeff Bezos, was invited by the Crown Prince of Saudi Arabia, Mohammed bin Salman, to a dinner in Los Angeles. On the night of the dinner, Bezos and bin Salman exchanged phone numbers and, moments later, the prince started sending messages to Bezos through WhatsApp.

According to an investigation commissioned by Bezos himself, a few weeks later he received, via WhatsApp from the prince's number, an MP4 video file whose preview frame showed a Saudi and a Swedish flag with text overlaid in Arabic.

Hours later his iPhone, whose daily data usage was measured in kilobytes, began to behave strangely: after receiving the video, which allegedly contained malicious code that gave remote control of the device, it started sending thousands of times more data than usual, peaking at more than 126 MB of daily traffic and stabilizing after a few days at around 101 MB.

The context: The Washington Post, owned by Bezos, had taken a strong interest in the case, publishing investigative articles by the famous dissident Saudi journalist Jamal Khashoggi, who was subsequently murdered at the behest of the prince.

This does not prove that the message was sent from Prince bin Salman's own device: WhatsApp accounts are linked to a telephone number, which may be used on other devices controlled by other people. For a better understanding, read the article Mobile Service Breach: https://eforensicsmag.com/product/osint-and-social-media-forensics/.

Emails, messages, photos, videos, audio and all kinds of files transiting that smartphone began to be monitored without his knowledge. The spying continued until 2019, and the exfiltrated data reached 4.6 gigabytes. The hackers had gained access to the files and applications of the richest man in the world.

Weeks after the murder of Khashoggi, in November 2018, Bezos received, according to the UN report, through the Saudi prince's account, a photo of his alleged lover Lauren Sanchez accompanied by the message: “Arguing with a woman is like reading a software license agreement. In the end you have to ignore everything and click 'agree'.”

At the same time, Bezos was negotiating a secret divorce settlement with his wife, which was exposed months later by the American tabloid National Enquirer. Bezos accused the tabloid of attempted extortion, for threatening to publish intimate photos and messages captured from his device.

In the news

• RedCurl uses hacking techniques similar to those of well-known groups such as Red October and CloudAtlas. The group is reported to have stolen confidential corporate documents, including contracts, financial documents, employee records and legal records, and it uses various techniques to cover its activities, including legitimate tools that are difficult to detect.
• The US renewed a program that allows indiscriminate spying outside its borders: an authorization to intercept everything from emails to phone calls outside the US, without needing permission from companies such as Google or AT&T, even when the authors of the messages are talking to a US citizen.
• Hackers from the DarkSide group forced the temporary shutdown of the Colonial Pipeline network, which supplies 45% of the fuel consumed on the US East Coast.
• The political espionage spyware denounced by WhatsApp was used in Brazil: in 2018, researchers found a digital trace of a tool sold by an Israeli company to governments as a weapon of war.
• APT29 is using malware known as WellMess and WellMail to target various organizations worldwide.
• A secret report links North Korea to the WannaCry attack: the US National Security Agency links the Pyongyang regime to the worm, which affected 300,000 people in 170 countries.
• The government of President Rafael Correa of Ecuador spied on politicians and journalists to control opponents. The intelligence service kept individual surveillance files on politicians, journalists, business people, indigenous groups, Twitter users and even members of its own team.
• TikTok: geopolitics, privacy and security flaws motivate a campaign against the Chinese app. Citing national security reasons, India banned 59 Chinese apps, including TikTok.
• A former Colombian Army chief ordered illegal wiretaps of politicians, judges and journalists. Semana magazine revealed that General Nicacio Martínez left the armed forces when the espionage was discovered. A platform called Invisible Man, bought from a Spanish company, could access WhatsApp and Telegram Web conversations and delete photos and conversations on cell phones and computers without leaving a trace.
• North Korean hackers stole South Korea's plans for an eventual war. The documents include details of a plan to assassinate Kim Jong-un, according to a South Korean lawmaker.
• Germany suffered the biggest hacker attack in its history. Personal data of more than 400 politicians was leaked; only the far-right Alternative for Germany party was spared from the breach, which also affected Chancellor Angela Merkel.
• Spanish justice is investigating the movements of Russian spies in Catalonia. Police found members of an elite military unit specializing in destabilization operations in Europe.
• The UK accused Russia of trying to steal data on the coronavirus vaccine. Several organizations, including some researching a drug against the virus, were attacked with malicious software to obtain information.
• Chinese hackers stole information on the Spanish vaccine against covid-19. A US court accuses Beijing of cyber attacks in 11 countries, including Spain.
• A hacker group leaked stolen NSA spying programs. Former agency analyst Edward Snowden points to Russia as responsible for the attack.
• The Mexican government declared secrecy over contracts for the acquisition of software used to spy on journalists. The Attorney General ruled that data on alleged contracts with the security firm NSO Group cannot be consulted until 2021.
• Nearly 13,000 programs bypass Android's permissions to collect data from cell phone owners. Thousands of applications circumvent the limitations and spy, even without authorization from the device owner.

Note: The author of the article and eForensics Magazine are not responsible for any damages or failures attributed to the software mentioned.

Final considerations

Cybersecurity is an ongoing activity that requires constant updates and changes in the way we use technology. We are facing a cyber arms race, with lower barriers to entry, in which any nation can enter the game.

With the constant growth of data leakage and of its commercialization by the billion-dollar industry of data brokers, multiplied by the fragility of unencrypted communications and the failure of laws to protect the privacy of users, governments, people, companies, hospitals, and justice systems, any device connected to the internet is vulnerable and runs the risk of being spied on.

The information you store on a smartphone these days is larger and more valuable than the information you store on your personal computer. On the internet, a profitable business thrives on information obtained through espionage to blackmail people and companies.

Malware analysis requires deep knowledge and mandatory skills in different subjects. Learning malware analysis takes a lot of time and patience. The malicious and increasingly sophisticated use of emerging and disruptive technologies continually increases the demand for cybersecurity professionals able to combat advanced malware and targeted attacks.

Why will the spyware market remain strong?

Facebook, Instagram, Gmail, TikTok, Pokémon Go, WhatsApp and dozens of other apps can remotely activate our cameras and microphones, access our photos, read our messages and determine our geolocation. Noble reader, what is the difference between these applications, accepted and used by billions of users around the world, and malware services? Have you read the terms of use?

1, 2, he will get you.
3, 4, you better close the doors.
5, 6, it is better to hire a good information security professional.
7, 8, it is better not to rely on luck.
9, 10, never sleep again.

About the Author

Wilson Mendes - I am a cryptanalyst and work with information security, artificial intelligence and cybercrime.

www.wicasame.com

LinkedIn: https://www.linkedin.com/in/wilson-mendes-72161016/
Reversing Malware Anonymously
by Anderson Sales

Anonymity on the internet is important for many different purposes, and malware analysis is one of them. The malware analyst's mindset before starting the activity should be: you are the perimeter to be protected!

During your analysis it is not good to interact with the malware directly; care must be taken with anonymization, as the threat actor behind an active campaign may collect your personal information, such as geolocation, operating system and more. Below is a list of the most used techniques; remember that, depending on the scenario, you will need to use all of them at the same time.

Windows vs. Linux

There are situations where, during hands-on analysis, the malware code escapes from the browser sandbox; after all, one of the malware's goals is to create a file on disk or execute code in memory, so this kind of failure sometimes happens.

To mitigate this problem, when the malware does not need to run and the analysis being performed is not dynamic, it is recommended to analyze a Linux malware sample on a Windows system and vice versa, so that an accidental execution does not find a compatible host. There are exceptions: for example, dynamic and interactive analysis of a malware script that uses PowerShell has to be performed on Windows, because it is necessary to see the output of commands such as Write-Output.
Virtual Machines

Configure the virtual machine's network interface in host-only mode (which isolates the guest from the physical network, so only the host can reach it) and then renew the IP address using DHCP.

Hide your real IP

Another important tactic is to hide your public IP address. There are commercial solutions (NordVPN, AirVPN and others) that cover this need, but it is also possible to do it with open source tools.

The most used operating system for malware analysis is REMnux, and it ships with Tor by default, one of the most popular tools for anonymous browsing on the internet.

Terminal + Tor

Tor alone is not enough to start reversing malware, because there are situations where you need to run commands from the terminal; for these cases, tools like torify and proxychains are used (both are installed by default in REMnux).

Example of querying your current public IP through torify:

torify 2> /dev/null curl inet-ip.info/json/indent

This query returns the new information about your public IP: address, geolocation, connection country, etc. The values shown should be those of a Tor exit node, not of your own connection.

proxychains is the most used tool for this need (terminal + Tor); its usage is similar to torify. The command below opens Firefox routed through the Tor network:

proxychains firefox

IP Leak

It is important to verify that DNS is not leaking your operating system and other network information. The following sites provide this information:

• https://www.dnsleaktest.com,

• https://ipleak.net.

Geo Targeted Website Popups

When browsing malicious websites, if the page requests your geolocation through a popup, don't click the "Allow location Access" button, otherwise your real location will be discovered.

User agent and language spoof

A very important (and very difficult) task is attribution; in other words, figuring out who is attacking you and assigning the attack to that threat actor. But just as it is difficult to attribute an attack, we can also hide our personal information to make it difficult to attribute the malware investigation to our real identity.

One way is to check the browser, user agent and language details, since each provides clues as to who your opponent is, and this technique can be used to our advantage. There are Firefox plugins that make this kind of change, like "User Agent Switcher" and "Language Switch".

For interactions using the wget command, it is possible to change the user agent manually by passing the parameter "--user-agent".

User agent list:

https://developers.whatismybrowser.com/useragents/explore/operating_system_name/windows/

For convenience, and to avoid typing "wget --user-agent" every time you need it, Remnux also has a configuration file called "wgetrc" that allows you to change the user agent sent by the wget command.

HTTP header spoof

There are situations in which the malware uses information that is in the HTTP header to communicate with the C2, or checks some data that is in a cookie, etc.; the HTTP headers of a web page carry important information. To analyze this kind of information, the curl command is used to save a page or collect header information. Below is an example of collecting the connection headers.

#curl --dump-header headers.txt --output page.html "https://malicious.com"

Then we open the file: #nano headers.txt

We can see that the requested page is redirecting (HTTP/1.1 301 Moved Permanently) and to which location it is directing the navigation.

Remnux also has a configuration file that allows you to change the default curl parameters (~/.curlrc) to hide your personal information during analysis. This is important because there are situations where it is necessary to automate some tasks, such as handling digital evidence that uses the HTTP header, creating a script and applying it in an information collection flow that uses a SOAR tool, doing first response and checking many websites at the same time.
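To read a header dump like the one above without opening it by hand, here is an added POSIX shell example (not code from the article or from Remnux): it parses the file written by the article's curl --dump-header command (run with -L so every hop is recorded), lists each response's status and Location, and writes a sample ~/.curlrc in curl's config syntax with a browser-like user-agent. The header text and hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): read the file written by the article's
#   curl --dump-header headers.txt --output page.html "$URL"
# (add -L so every hop of a redirect chain is recorded) and print each
# response's status code and Location, instead of reading headers.txt by hand.
# Also writes a sample .curlrc with the user-agent setting the article mentions.

# write_sample_headers FILE: constructed dump of a 301 -> 302 -> 200 chain with
# placeholder hostnames and the CRLF line endings a real dump has.
write_sample_headers() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://www.example.invalid/landing\r\nContent-Length: 0\r\n\r\n' > "$1"
  printf 'HTTP/1.1 302 Found\r\nLocation: https://cdn.example.invalid/download?id=1\r\nSet-Cookie: sess=abc123; Path=/\r\n\r\n' >> "$1"
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 1234\r\n\r\n' >> "$1"
}

# redirect_chain FILE: one line per response, "<status> <Location or (final)>".
redirect_chain() {
  awk '
    { sub(/\r$/, "") }                    # drop the CR of CRLF endings
    /^HTTP\// {                           # a status line starts a new response
      if (status != "") print status, (loc != "" ? loc : "(final)")
      status = $2; loc = ""
    }
    tolower($1) == "location:" { loc = $2 }   # header names are case-insensitive
    END { if (status != "") print status, (loc != "" ? loc : "(final)") }
  ' "$1"
}

# count_redirects FILE: number of 3xx responses in the chain.
count_redirects() {
  redirect_chain "$1" | awk '$1 ~ /^3[0-9][0-9]$/ { n++ } END { print n + 0 }'
}

# write_curlrc FILE: sample curl config (long option names, no leading dashes).
# curl reads $CURL_HOME/.curlrc or ~/.curlrc, so copy it there to make the
# browser-like User-Agent the default for every run, as the article suggests.
write_curlrc() {
  cat > "$1" <<'EOF'
# constructed example: identify as a common browser instead of "curl/x.y.z"
user-agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0"
# keep every response header for review
dump-header = "headers.txt"
EOF
}

# Stand-alone demo: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_sample_headers "$tmp"
  redirect_chain "$tmp"
  echo "redirects: $(count_redirects "$tmp")"
  rm -f "$tmp"
fi
```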

OSINT Malware

This is the process that uses open source information to understand and analyze malware. From OSINT, it is possible to discover (if the malware has already been submitted by other analysts) information such as the reputation of the IP and/or URL that is hosting the artifact, the kind of C2, the malware environment, etc. If someone has already done the analysis, you just check it; you don't have to do the analysis all over again.

Below is a list of OSINT websites to find out more about malware threats:

• https://www.urlvoid.com,

• https://global.sitesafety.trendmicro.com,

• https://zeltser.com/lookup-malicious-websites/,

• https://www.virustotal.com.

WHOIS

Why is collecting WHOIS information important? Because malware campaigns usually use recently registered domains, and newly created domains are highly likely to be phishing. There is a tool called "ipwhois" (https://github.com/secynic/ipwhois) that offers the option to proxy the query so that you do not appear.

IP, URL, and Hash Passive Analysis tools

Automater - This tool searches several sites like IPVoid.com, Robtex, AlienVault, VT, VxVault and ThreatExpert for information about a URL/domain, IP, hash, etc.

Malwoverview - Another similar tool worth checking out is Malwoverview (https://github.com/alexandreborges/malwoverview), created by Alexandre Borges.

Online Sandboxes

The sandboxes that currently exist have a high level of maturity in their automated analyses, but there is the possibility of false positives in the reports they produce.

Below is a list of some sandboxes:

• https://any.run,

• https://www.hybrid-analysis.com,

• https://www.joesandbox.com.

Conclusion

Every malware has a threat actor behind it who is monitoring the campaign closely and, nowadays, malware is a profitable source of money for criminals. When you take down or disrupt a campaign, you cause a financial loss, and that is bad for the malware business; that's why the malware analyst's mindset should always be focused on anonymity before starting hands-on work. In addition, your actions need to be efficient: analyze artifacts quickly and avoid rework.

About the Author

Anderson Sales - graduated in Computer Engineering and is a Cybersecurity Master's Degree student; has more than 15 years of experience with SOC/MSS and blue/red teams. LinkedIn profile: https://www.linkedin.com/in/salesanderson/
Cyber-Savvy Board
Of Directors
by Longinus Timochenco

“Cyber Security on the Board!! Is this already a reality or still a necessity?”

Dear Readers,

with your permission, before we start reading, I would like to reinforce a few things so that we can start from the same principle and objective.

It is important to highlight that Information Security is everyone's responsibility. Security is part of our virtual education: respecting limits and preserving the integrity and availability of information!

It is important to emphasize the need for digital security in our lives today; we cannot respond only with IT technology, the issue must be dealt with in a more comprehensive and in-depth manner. Let's not fool ourselves and think we are safe.

Current security is high-level and strategic, for predictive and real-time performance. Think about it responsibly.

Security must exist to protect us, not to limit and intimidate us, but for that we have to collaborate with rules and education, to avoid loss, damage and unnecessary exposure.

Alignment of communication and expectations accelerates corporate information security maturity.

It is high time for information security to stop talking “bits & bytes” and for boards to simply talk about business.

Digital is embedded in all aspects of the business. Cyber risk affects the entire organization: it impacts business activities at all levels and can be a factor in other relevant risks such as operational, regulatory and reputational risk. Concern with cyber security, privacy and data protection must be on the agenda during the planning and execution of any project.

But, truth be told, we need to improve our understanding of information security, and this is not just a task for senior management. Expert teams must know how to explain the impact of security breaches on the business, the bottom line and the competitive advantage.

For this, strengthen “Periodic Education and Governance”; it will translate security for those who make strategic decisions in the business and frame this dynamic issue in an appropriate way.

Cyber Security Concept

Cyber security is a way to protect people and companies against cyber attacks, which take advantage of digital vulnerabilities to invade, steal and manipulate data or files. But, in my view, we can no longer guide or target our efforts and vision only at IT, believing that our problems will be solved by technology. Our vulnerabilities are much deeper, broader and more sensitive. I believe we must quickly make this an important topic on the agenda of your daily strategies. How can you think about innovation, globalization, integration, uncontrolled digitization and adequate security? Understand, we are no longer talking about options, but about the survival of your business and even lives: adopt a new lifestyle and way of doing business with wisdom and cyber security.
Cyber Security x Information Security

In summary:

Cyber security: involves prevention and protection acting only in cyber space, that is, the space connected to the internet or to networks that link one computer (and other devices) to another.

Information security: involves prevention and protection against all types of risk, whether physical or digital, controlling people's access to places, file access permissions, among others.

Be prepared and step forward to face the C-level as equals, because now the CISO/BISO is part of this decision chain and, if applied, they can add a lot of value to the business at the right time:

• Clear and objective goal: "The business is the most important" -> The board does not want to know the technical details of cybersecurity, but the real situation of your company's business risk.

• Simple language -> The board will never listen to technical language; you need to be able to present in objective and clear language. Ex: "Our security controls ensure a high level of compliance, efficient risk management in our services and satisfied customers".

• Key metrics -> The CISO needs to focus on strategic and business-relevant metrics, for a better understanding by everyone of their degree of importance.

• Adverse inquiries, be prepared -> Executives are smart and ask tough questions, especially when they're cornered. Ex: "What is my risk of loss now in $?" “How many customers can be affected?”

Cybersecurity has become a more frequent topic on the board, but how should you report failures?

An analysis carried out during Infosecurity Europe points out a great difficulty for Security Officers in facing the executive board to report losses, attacks and information leaks. According to the survey, more than half of information security professionals (Security Officers) would rather undergo a dental root canal treatment than report failures to the executive board. The good news is that cybersecurity has become a more frequent and necessary topic at executive meetings.

In the last 12 or 18 months, due to several global security incidents, the issue of cybersecurity has attracted more attention from the executive board. The regulations of some sectors, such as the financial sector, have for a long time guided and made demands on the sector, requiring greater executive supervision. Other sectors, such as health, are beginning to move to safeguard their customers' information.

However, the Security Officer's difficulty in reporting failures and threats without being labelled a “terrorist” is still notorious, so how can you report effectively without causing general panic? Be consultative and become necessary to the board for decision making; CISOs make a difference and add value to the business.

The tip from the InfoSecurity Magazine website, which the author of this piece has already experienced, is to create a periodic schedule of reports and status updates, with the most relevant reporting points from a business perspective.

Let's give an example: reporting to the board how many calls have been handled by the access control team is no more than an area's control numbers; but reporting the history of answered calls, demonstrating a growth curve, compared with the amount of operational resources in FTEs working in access control, can demonstrate productivity gains, the need for investment in automation or team growth, or even a differentiated action taken by managers.

For this reason, the strategy of creating a monthly report that reaches the executive's desk, with metrics carefully structured and thought out from the executive's viewpoint, can create a means of showing trends that may generate impacts in the future, or even demonstrate risk analysis actions and demands for decision-making by the board to accept risk or release investments to reduce the level of risk to levels acceptable to everyone.

The company's objective is to make a profit for its shareholders, not to invest in security.

Let's understand that we never had and will never have priority for investments in the security area, not even in the financial sector. Investments are made based on the need for regulatory compliance and financial or productivity gains, or operational risk reduction for the company. Thus, it is imperative that the security professional be strategic in his interaction with the board, understanding its objectives and seeking to adapt his language to the executives who will be his interlocutors. Periodic, consistent and continuous communication is necessary, so that the Security Officer is not called only in times of crisis and problems, when the spirits, patience and willingness to deal with the matter are at their worst. In those moments, the Security Officer will certainly be seen as a hindrance and not as a solver and protector of the company's results.

*** Accurate risk analysis (quantitative and qualitative) is a vital element.

Conclusion

You already understand that cybersecurity must be a top priority in the company, as it ensures that your strategic information is not lost.

Therefore, it is essential to be open, holistic and flexible to new Cyber Security management models to defend information; periodically assess strengths, weaknesses, opportunities and threats; be bold and don't be afraid to take a stand, but structure yourself. Raise the maturity of your organization on the Cyber Security theme. I've been through huge organizations and I can guarantee that, with good planning and strategy, the chance of assertiveness will certainly increase.

Good luck, and count on my help, colleagues.

Dear readers,

I hope I have contributed and that in this way we can increase the maturity of our companies and make a difference!
Reflection, readers

I recommend that the industry launch its products and solutions, mainly technological ones, reinforcing the item "digital education". We know that this raises the cost of the product, but it minimizes mass losses for everyone.

Together we can provide Convenience with Security; I guarantee that we will increase the difficulties for digital crime and improve our quality of digital life.

I strongly recommend that you strengthen the physical and logical security boundaries, in this order and in an integrated manner, with good governance:

1. PEOPLE;

2. PROCESSES;

3. TECHNOLOGY;

4. INTELLIGENCE.

Every day we are seeing more cases of data leaks, major losses and threats to humanity and our business. So I ask you, how long are we going to allow it? We must unite to fight cyber warfare in an organized and intelligent way, otherwise we will see great damage and loss.

We must tell the world what level of security we want in our lives; think about it and turn it into attitude.

Thank you for the opportunity to share information and knowledge.

Security in our lives is our new style of life.

Good luck and let's go ahead!
About the Author

Longinus Timochenco

CISO & Corporate Governance Director – KaBuM!

Contact:

LinkedIn https://www.linkedin.com/in/longinustimochenco/

e-mail – [email protected]

Malware Analysis
And Its Forms
by Daniele Giomo

Malware Analysis is the process of studying how a particular malware works and its side effects. It is
divided into two approaches that are useful for better understanding the functioning of the malware
being analyzed, namely Static Analysis and Dynamic Analysis.

Before going into the details of the two analysis methods, it is necessary to specify some of the most common types of malware:

• RAT (Remote Access Tool): a type of malware that creates a virtual back door on the machine, which guarantees remote access to the attacker.

• Spyware: used to collect information from the system on which it is installed and to transmit it to the interested party. The information obtained may vary according to the attacker's needs.

• Adware: software that presents advertising messages to the user during use, in exchange for a reduced or no price. It can cause damage, such as PC slowdowns, and privacy risks, as it communicates browsing habits to a remote server.

• Backdoor/bot: programs that allow unauthorized access to the system they are running on. Typically, they spread in combination with a Trojan or worm, or they constitute a form of legitimate emergency access to a system, inserted to allow, for example, the recovery of a forgotten password.

• Rootkits: consist of a driver and sometimes modified copies of programs normally present in the system. Rootkits are not harmful in themselves, but have the function of hiding, both from the user and from anti-virus programs, the presence of particular files or system settings. They are therefore used to disguise spyware and Trojans.

• Ransomware: a virus that encrypts all data on a disk with a complex encryption key; to obtain it and decrypt the computer, you have to pay the attacker who infected the PC and then obtain the encryption key to "translate" the data back.

• Cryptojacking: malware that aims to steal the computing power of the CPU to mine cryptocurrencies.

The purpose of malware analysis is to study its functioning, extract its characteristics and write rules for its detection. When a malware analysis is performed, the sample will be unreadable to the human eye. To understand its behavior, it will be necessary to use specific tools and some tricks in order to identify the necessary information.

Static Analysis

Static analysis consists of examining the file without running it. Static analysis can confirm whether a file is malicious, provide information on its functionality, and sometimes provide information that will allow simple signatures to be produced. Basically, static analysis is simple and can be quick, but it is largely ineffective against sophisticated malware and can miss important behavior. It also consists of the process of reverse engineering the malware code: loading the file into a disassembler and looking at the program instruction by instruction in order to find out how it works. The instructions are executed by the CPU, so a static analysis will tell you exactly what the program does.

Here are some steps:

• Inspecting the file format: the metadata of the file can provide very useful information; for example, a Windows PE (portable executable) can provide a lot of information about compile time, imported and exported functions, etc.

• Extraction of strings: this refers to examining the output that the software generates and information regarding the operations done by the malware.

• Fingerprinting: this step includes computing hashes of the file and finding artifacts, such as file names or log strings.

• AV scanning: if the file being scanned carries the signatures of a malware family already analyzed, or it is known malware, many antivirus engines will be able to detect it.

• Disassembly: in this phase, reverse engineering is performed on the assembly code of the file in order to deduce the logic and intentions of the analyzed file.
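As an added shell example (not from the article), the file-format, string-extraction and fingerprinting steps above, scripted so they can be applied to a file without running it; it also recognizes ELF magic, which the article does not discuss. The sample is a constructed byte blob with a fake MZ header and a placeholder hostname, not a real executable.

```shell
#!/bin/sh
# Added example (not from the article): the first static-analysis steps run
# against a single file without executing it.
#   make_sample FILE            constructed blob (not a real executable): fake
#                               MZ/PE magic plus a few embedded strings; the
#                               hostname is a placeholder
#   file_type FILE              "Inspecting the file format": checks magic bytes
#   fingerprint FILE            "Fingerprinting": MD5, SHA-1 and SHA-256 hashes
#   extract_strings FILE [MIN]  "Extraction of strings": printable runs >= MIN
#                               (default 6) chars, a portable stand-in for
#                               binutils' strings
#   url_indicators FILE         URLs found among the strings, de-duplicated
# Tools the article names (PEStudio, IDA Pro) go far beyond this; the point is
# that the workflow can be scripted so every sample gets the same triage.

make_sample() {
  {
    printf 'MZ\220\000\003\000\000\000PE\000\000'             # fake DOS/PE magic
    printf '\001\002\003kernel32.dll\000GetProcAddress\000'
    printf 'ab\000\377\376http://update.example.invalid/check\000'
    printf 'http://update.example.invalid/check\000cmd\000'    # same URL twice
    printf 'SOFTWARE\\Example\\Config\000'
  } > "$1"
}

file_type() {
  # First four bytes as hex (e.g. 4d5a9000); od avoids shell trouble with NULs.
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    4d5a*)     echo "PE/MZ executable header" ;;
    7f454c46*) echo "ELF executable header" ;;
    *)         echo "unknown ($magic)" ;;
  esac
}

fingerprint() {
  for algo in md5sum sha1sum sha256sum; do
    printf '%-7s %s\n' "${algo%sum}" "$("$algo" "$1" | cut -d' ' -f1)"
  done
}

extract_strings() {
  min=${2:-6}
  # Turn every non-printable byte into a newline, then keep runs of >= min chars.
  LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E "^.{$min,}$"
}

url_indicators() {
  extract_strings "$1" | grep -Eo 'https?://[A-Za-z0-9._/?=&%:-]+' | sort -u
}

# Stand-alone demo: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
  f=$(mktemp); make_sample "$f"
  echo "type:    $(file_type "$f")"; fingerprint "$f"
  echo "strings:"; extract_strings "$f" | sed 's/^/  /'
  echo "urls:";    url_indicators "$f" | sed 's/^/  /'
  rm -f "$f"
fi
```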

The steps listed above can be carried out with some useful tools for this type of analysis, such as:

• PEStudio: a tool that allows static analysis of the file, extracting a lot of useful information, such as the signature and the format. It allows analysis with VirusTotal and extracts all the strings present in the file, which is very useful.

• IDA Pro: a disassembler commonly used for reverse engineering. It supports numerous executable file formats for different processors and operating systems. IDA provides simplified tools to support reverse engineering activities, obtaining information on cross-references (XREFs) between the various sections, on the parameters of API calls, etc. This tool is also used in the dynamic analysis phase, as it provides a debugger.
Dynamic Analysis

Dynamic analysis involves the execution of the malware and the observation of its behavior on the system in order to understand what it does. Before you can run the malware safely, you need to set up an environment that allows you to perform this type of analysis without the risk of damaging your system or network. Dynamic analysis may also include using a debugger to examine the running state of the malicious file. This type of analysis allows the extraction of further detailed information about the malicious file that is difficult to extract with other techniques. Some tools used during a dynamic analysis are the following:

• Process Monitor: an advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity. This tool combines the functionality of two legacy Sysinternals utilities, Filemon and Regmon, and allows filtering of various processes, complete event properties such as session IDs and usernames, reliable process information, complete thread stacks with integrated symbol support for each operation, simultaneous logging to a file, etc.

• Wireshark: an open source sniffer, a packet capture tool that intercepts and logs network traffic. Wireshark provides visualization, packet flow analysis, and in-depth analysis of individual packets. It can be used to analyze internal networks and network usage, debug application problems and study protocols in action. But it can also be used to capture passwords, reverse engineer network protocols, and steal sensitive data or information.

In addition to these tools, there are also automatic dynamic analysis systems, called sandboxes, which allow the execution of the sample on a machine in order to monitor in detail the behavior of the sample being analyzed. Some of these systems are:

• Cuckoo: an advanced, modular, automated and open source malware analysis system. Basically, it allows you to analyze different types of malicious files (executables, Office documents, PDF files, e-mails, etc.). It tracks API calls and the general behavior of the file being analyzed and extracts information and signatures. It dumps and analyzes network traffic, even if encrypted with SSL/TLS. It also allows you to perform advanced analysis of the memory of the infected system.

• Any.run: an interactive online service for static and dynamic analysis of malware; it is very similar to the service provided by Cuckoo, the only difference being that this service has a free version and a full paid version with all the services necessary for a detailed analysis.

Malware Detection

Malware detection includes various techniques that are used with the aim of detecting malware and preventing infection of the computer system, protecting it from potential information loss or system compromise.

Here are some techniques used for malware detection:

• Signature-based detection: the most common method used in malware detection is signature-based detection. A signature is a string of bits that uniquely identifies a specific virus. Signature-based detection scans files on your computer and cross-checks their contents against a dictionary of virus signatures. With this method the antivirus software can quarantine, repair or delete the infected file and fix the virus problem. However, this technique can identify only a small subset of emerging threats and cannot identify new viruses.

• Anomaly detection: responsible for observing any unusual or potentially harmful behavior. Anomaly detection can be described as an alert for strange system behavior. This process is performed in two phases: the training phase and the detection phase. First, the software is trained to learn normal host behavior; in the second, the trained model is used to recognize any unexpected or unusual behavior that occurs in the system. One of the advantages of anomaly detection is that it may include the detection of never-before-seen malware.

• Change detection/integrity checking: the main purpose of the integrity check is to detect any changes in files that may have been caused by malware. To achieve this, all files on the system are hashed and monitored periodically. If a file has been modified, the recalculated hash will not match the previous one.
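The integrity-checking approach above, as an added shell example that is not part of the article: a baseline of SHA-256 hashes is recorded for a directory tree and a later pass reports files that were modified, added or removed. The files are constructed in a temporary directory; the parser assumes paths without whitespace.

```shell
#!/bin/sh
# Added example (not from the article): change detection by hashing.
#   integrity_baseline DIR OUT     records "sha256  ./path" for each regular file
#   integrity_check DIR BASELINE   prints MODIFIED / NEW / MISSING lines, sorted
# Limitation: paths containing whitespace are not handled (awk splits on blanks).
# Keep the baseline somewhere the monitored system cannot write, or whoever
# alters a file can simply update its recorded hash as well.

integrity_baseline() {
  ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

integrity_check() {
  cur=$(mktemp)
  integrity_baseline "$1" "$cur"
  # First input (the baseline) fills base[path] = hash; the second (current
  # state) is compared against it. FILENAME == ARGV[1] is used instead of the
  # usual NR == FNR idiom so an empty baseline does not break the logic.
  awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }
    {
      seen[$2] = 1
      if (!($2 in base))       print "NEW", $2
      else if (base[$2] != $1) print "MODIFIED", $2
    }
    END { for (p in base) if (!(p in seen)) print "MISSING", p }
  ' "$2" "$cur" | LC_ALL=C sort
  rm -f "$cur"
}

# Stand-alone demo (./script.sh demo): build a tree, baseline it, tamper, report.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); b=$(mktemp)
  printf 'alpha\n' > "$d/a.txt"; printf 'beta\n' > "$d/b.txt"
  integrity_baseline "$d" "$b"
  printf 'tampered\n' > "$d/b.txt"   # modified
  printf 'dropped\n'  > "$d/c.bin"   # new
  rm "$d/a.txt"                      # missing
  integrity_check "$d" "$b"
  rm -rf "$d" "$b"
fi
```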

Machine Learning

Machine learning is a branch of computer science that is also linked to artificial intelligence (AI); it deals with creating systems that learn or improve performance based on the data they are given to process. In this way, the algorithm can behave accordingly in the face of situations never encountered before. In the context of malware detection, an example could be a new malware sample never analyzed before, whose actions are therefore unknown. It was initially possible, and sometimes still is, to use the file signature as a method of detecting whether a file is malicious or not. Unfortunately, this is no longer enough, as attackers have started developing malware capable of modifying its signature through polymorphism or packing, thus making the above analysis useless. To deal with these new threats, it was necessary to move to a more complex analysis, which can also include the use of machine learning, analyzing the behavior of the malware during execution and looking for malicious behavioral patterns: file changes, suspicious hosts, registry keys and connections. The main advantage of this method is the ability to identify whether a sample is malicious or not, but also, through specific clustering techniques, the family to which the malware might belong.

How does it work?

In order to build a malware detector with machine learning, the following steps are generally followed:

• Collection of malware samples used to train the system to recognize future malware.

• Extraction of certain characteristics (features) for each sample in order to make the detection system more precise.

• Training of the machine learning system to recognize malware through the extracted features.

• Verification through tests on samples not present in the original reference dataset, in order to see whether the model is effective or not.

In machine learning there are two main kinds of algorithm, supervised and unsupervised; their difference lies in the way they approach the data made available to them to arrive at a certain conclusion or prediction.

Supervised machine learning: a machine learning technique whose purpose is to instruct a computer system in such a way as to allow it to automatically produce predictions or conclusions with respect to an input, based on a series of examples initially provided, consisting of pairs of input and output.

Unsupervised machine learning: a machine learning technique which consists of providing the computer system with a series of inputs that the machine will classify and organize on the basis of common characteristics, in order to try to draw conclusions and make predictions on subsequent inputs. Unlike supervised learning, uncategorized examples are provided, as this step must be performed autonomously by the algorithm.

Training

In order to implement a model that can distinguish malware from non-malicious files, it is first necessary to collect malware and benign samples, in order to have several examples and prevent false positives. Thanks to the open source community, finding these samples is quite simple: malware datasets can be found online or through the paid VirusTotal platform. Then we move on to extracting the features, which depend on the format of the file you are using and the type of information you can get from it. Finally, we move on to machine learning, dividing the dataset (malicious and not malicious) into two parts, one used for training the model and the other used later to test how efficient it is in detecting malicious files. Based on the results obtained, it will be evaluated whether it is appropriate to add features or remove them.

About the Author

Daniele Giomo - I have been in charge of Digital Forensics and systems analysis since 2007, when I worked closely with the Italian Public Prosecutor's Office. My collaboration is based in the Third Department, which covers the range of crimes related to violence against people. From 2007 to 2013 I took care of about 50 cases a year, including some events that gained visibility in major and national newspapers. In June 2017 I obtained the CAS (Certificate of Advanced Studies) in Advanced Digital Forensics at the SUPSI University of Manno (Switzerland).
A Systematic Literature Review
For OSINT (Open Source
Intelligence) Evaluation As A Tool
To Aid Combating Cybercrime
by Francisco de Assis F. Henriques

Information has great importance in modern society. In this context, we have technological developments and information arising from the use of this technology, impacting our society globally and characterizing it as an information society, making information systems fundamental for its operation. This universe of content and environments is subject to a growing increase in people and cyber fraud.

The objective of this article was to highlight, through a systematic review, the use of OSINT as a necessary instrument to support security/intelligence agents in the fight against digital crimes.

In agreement with other authors, OSINT sources are legally accessible by the public without violating any copyright or privacy laws and are distinguished from other forms of intelligence for that reason. That is why they are considered "publicly available", and this allows the use of OSINT to go beyond security services.

Introduction

According to Hassan and Hijazi (2018), society has been transformed by the advent of the internet, with billions of people communicating and exchanging information. The authors make it clear that the benefits of the digital age have brought different types of risks. Malicious actors, like terrorist groups, cybercriminals or swindlers, are using the internet for their crimes.

What exists in open sources can compose a large body of knowledge for a specific situation. With structured methods of research in open sources, the process of digital intelligence emerges: a process that uses all technological, digital, telematic and signal interception means to obtain data and analyze them in order to produce knowledge.

Due to this scenario, the following research question was formulated:

1. Can OSINT be used as a tool to support security forces in cases involving cyber crimes?

And secondary questions:

1.1. For which functions does OSINT apply within the context of research in Computer Forensics?

1.2. What are the opportunities in the area envisaged in the study?

1.3. What are the challenges described in the study?

In this context, this work aims to present the concepts of OSINT and how it is used to support the solution of cyber crimes, supported by a vast compilation of scientific articles.

The research method adopted in this work was the systematic literature review, which consists of gathering evidence from previously published material, consisting mainly of books and journal articles that are available in different databases.

Research, from the point of view of objectives, can be exploratory, descriptive or explanatory. The present study is characterized as descriptive research, whose main objective is to “describe the characteristics of a certain population or phenomenon or the establishment of relationships between variables. It involves the use of standardized data collection techniques: questionnaire and systematic observation. It generally takes the form of a survey.” (GIL, 2009:42)

This article is organized as follows: the “Summary” section addresses the general objective, exposing the research methodology and describing the review method with its criteria. The “Introduction” section provides a contextualization of all the topics covered. The “Theoretical Framework” presents the concepts relevant to the theme: OSINT concepts and their role in Intelligence, the historical context of cybersecurity, and the OSINT tools that help investigations and the fight against cybercrime.

104
Then, in “Research Methodology” we will show the entire protocol followed for the elaboration of the

systematic review. The results of the review, together with a detailed analysis and discussion of each

research question, share space in the “Results and Discussion” section, where we will discuss the scope

of this systematic literature review, as well as point out new research to be explored on the use of the

OSINT in the acquisition of intelligence against cybercrime, and the "Final Considerations" section that

presents final considerations, limitations and proposals for future work.

Theoretical Framework

The systematic review of the literature shows us that the researcher seeks up-to-date sources on debates related to the field of knowledge studied. The theoretical framework that guides this article addresses the concepts of OSINT and references research on methodologies for using OSINT in collecting information, as well as other works that serve to demonstrate the efficiency of OSINT in helping security forces to combat crimes, and the concepts used by researchers in the creation of methodologies and frameworks that use the information obtained by OSINT as a basis for their work.

Cybersecurity Ventures estimates that the global costs of cybercrime will grow 15% per year over the next five years, reaching $10.5 trillion annually by 2025, prompting governments to invest in developing open source intelligence (OSINT) tools and techniques to combat these crimes (MINDSECBLOG, 2021).

As shown by Barreto and Wendt (2020:2), the vast data and information available are not used by public security operators, more specifically intelligence and police investigation agents. Even when the work is coordinated across all the phases of knowledge production, the security agent's lack of skill in collecting and searching the data means that the resulting knowledge is incomplete or imprecise.

According to Silva and Menezes (2005:38), the literature review/bibliographic research will contribute to: obtaining information about the current situation of the researched topic or problem; knowing the existing publications on the topic and the aspects that have already been addressed; and checking for similar and different opinions about the topic or about aspects related to the research topic or problem.

OSINT - Basic Concepts

The concept of OSINT is broad; its applicability depends on how each researcher uses open sources for queries on a given subject. A source is "any data or knowledge that is of interest to the intelligence or investigation professional for the production of knowledge" (BARRETO and WENDT, 2020:4).

According to Evangelista et al. (2020), OSINT is a concept that addresses the search, collection, processing, analysis and use of information from open sources that can be legally accessed by any individual or organization. As Cepik assures us (2003:32), the OSINT concept is analysis based on "legally obtaining official documents without security restrictions, direct and non-clandestine observation of political, military and economic aspects of the internal life of other countries or targets, monitoring the media, legal acquisition of books and specialized magazines of technical-scientific character".

OSINT includes all public means of obtaining information, including the Internet, traditional media, specialized newspapers and geospatial information. It can be said that open sources have been around for many years, but with the explosion of the internet there are now many cybersecurity professionals and researchers publishing journals and articles on cybercrime threats, as well as ordinary people publishing information, relevant or not, about particularities of their lives.

In this context, it is clear that much predictive intelligence can be obtained from public and unclassified sources. Intelligence data must be collected from different sources; in this way, as advocated by Yeboah-Ofori and Brimicombe (2018:88), the importance of OSINT has become a matter of conflict between the private sector, the government and the military over how data intelligence must be collected from different sources.

Collecting, exploiting and disseminating such data correctly and in a timely manner for the purpose of addressing specific intelligence requirements has been a major challenge. IDC Research, in its 2020 survey, reports that the "total amount of digital data created worldwide will reach 44 zettabytes and the number will increase faster within five years to reach 180 zettabytes in 2025" (DNA DATA STORAGE ALLIANCE, 2021).

As explained above, we conclude that the increase in the number of people using the Internet to do their jobs and, consequently, the growing volume of digital data, will make online sources the main source of OSINT for both governments and business corporations in the future.

According to Hassan and Hijazi (2018:10), several actors can benefit from OSINT and their motivations can be the most diverse. The biggest consumers of OSINT sources are the military departments, government and government agencies, a consumption owed to the huge technological development and the widespread use of the Internet around the world.

Governments use OSINT sources for a variety of purposes, from national security to understanding national and foreign public opinion on different issues.

International organizations use OSINT to protect their supply chains from terrorist groups by analyzing social media sites and internet messaging apps to predict future terrorist actions.

The authors make it clear that all methodologies have some limitations and challenges, among them the high volume of data, the reliability of sources and the human effort required.

It can be said that OSINT brings great responsibilities to the agent that makes use of its tools; in this context, it is clear that there are legal concerns in many cases. The most worrying issue, however, is that there are ways for someone to acquire information through illegal means, and how the legal system should deal with this. Another concern is when some forms of hidden public information are collected and widely disseminated as part of a scandal.

It is important to consider that the benefits of OSINT reach several areas and no one should underestimate its use. Collecting from open sources does not carry risks when compared to other forms of intelligence, and its cost is much lower when compared to other sources, for example, the use of spy satellites.

Hassan and Hijazi (2018:341) show us the importance of OSINT when they say: "The information age has resulted in an explosive amount of potential intelligence sources and will shape the future of OSINT gathering. In the intelligence arena, it is predicted that the practice of harvesting online data to counter terrorism and solve crime will increase. In addition, OSINT will continue to offer a cheap method to acquire intelligence about any community around the globe." (HASSAN; HIJAZI, 2018:341)

The authors make it clear that OSINT is the preferred method for obtaining information for agencies around the world. Importantly, OSINT is not limited to security forces and intelligence services alone; it can be used as a fundamental decision-making process by non-governmental agencies as well as civil society.

In this way, OSINT is expected to be increasingly inserted into the daily life of ordinary citizens, so that they can obtain information beyond the most common sources (which often carry manipulated information), seek knowledge about how criminals act in the digital world and have access to tools that will help protect against cybercrime.

Cybersecurity and OSINT

The origins of cybersecurity date back to the 1970s, when in 1977 the US government recognized that open access to computer systems could lead to security breaches; at that time the proposed federal computer system protection bill had not passed Congressional review (KREMLING and PARKER, 2018:57).

According to Lynett (2015), network computing was only emerging, because until the late 1980s the internet as we know it had not yet materialized. Large organizations, especially governments, were starting to connect computers via telephone lines even though there was no worldwide network. Recognizing this, people started looking for ways to get into the phone lines connected to computers so they could steal data. These people became the first groups of hackers.

In the 1980s the film WarGames was released, and in 1983 hacking attempts increased, in part thanks to its release. In 1987, the Computer Security Act was created to strengthen security measures for online systems.

The 1990s present us with the beginning of the information security industry. Networks based on the Internet Protocol (IP) shifted the focus to availability, with threats such as viruses and denial-of-service attacks appearing at the same time (NAKAMURA and GEUS, 2007).

Malicious activity on the Internet evolved into the first decade of the 21st century, when financial gain came to be seen as a lucrative business. Threats like Code Red and Nimda, among others, began to take advantage of outdated and unprotected machines.

Today's crimes include enhanced identity theft attacks, malware, social engineering and denial of service attacks, and add considerably to the problem.

Cybersecurity professionals need to be able to handle incidents in different areas. Alencar (2010) tells us that the approach is multidisciplinary and is worked by different areas of knowledge such as Administration, Computer Science, Information Science, Economics, Engineering and Information Technology, among others.

Currently, the number of cyber threats is continuously growing and the techniques used for illicit acts have become increasingly intelligent and advanced. We must understand the link between cyber attacks by analyzing the relationships in the data and the techniques used.

Kim et al. (2018) show us that OSINT is an invaluable tool for collecting this data when they propose, in their work Design of a Cyber Threat Information Collection System for Cyber Attack Correlation, a system whose function is to collect infrastructure attack data from various open data sources (OSINT) and to use the collected data as input to collect more data recursively.

A cyber threat intelligence gathering system was developed and tested based on the structure and functions of the proposed system. Twelve types of information related to cyberattacks were collected. About two million data items related to cyber attacks were collected over a one-month data collection period.
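The recursive collection idea attributed to Kim et al. above (results of one query become the next queries, until a depth limit) is easier to reason about in code. The following Python is an added example written for this article, not the authors' system: the three "sources" are constructed in-memory dictionaries standing in for public feeds, and the indicators are documentation addresses, `.test` domains and a placeholder hash, not real indicators of compromise. It shows the two things such a collector needs to get right for correlation to mean anything: deduplication with a depth bound (so pivoting terminates) and per-indicator provenance (which source reported it, reached from what), so that an indicator corroborated by several independent sources can be separated from one seen only once.

```python
"""Toy recursive open-source collector for cyber threat correlation (added example)."""
from collections import deque
from dataclasses import dataclass, field

# Constructed sample data, not real indicators: for each source, an indicator
# maps to the indicators that source reports alongside it.
SOURCES = {
    "feed_a": {
        "203.0.113.10": {"malware.example.test", "beacon.example.test"},
        "malware.example.test": {"203.0.113.10", "h:aaaa1111"},  # placeholder hash
    },
    "blog_b": {
        "203.0.113.10": {"beacon.example.test"},
        "beacon.example.test": {"198.51.100.7"},
        "h:aaaa1111": {"dropper.example.test"},
    },
    "pdns_c": {
        "beacon.example.test": {"198.51.100.7", "203.0.113.10"},
        "198.51.100.7": {"cdn.example.test"},  # neighbour that only one source knows
    },
}


@dataclass
class Hit:
    """One collected indicator with its provenance."""
    indicator: str
    depth: int                                   # hops from the seed query
    sources: set = field(default_factory=set)    # sources that reported it
    parents: set = field(default_factory=set)    # indicators it was reached from


def query_source(source_name, indicator):
    """Stand-in for a network lookup against one open source (hypothetical API)."""
    return set(SOURCES[source_name].get(indicator, ()))


def collect(seed, max_depth=2, sources=None):
    """Breadth-first recursive collection: every indicator returned by a query is
    queried again, until max_depth hops from the seed. A dict of seen indicators
    doubles as the visited set, so cycles (A -> B -> A) do not loop forever."""
    sources = list(SOURCES) if sources is None else sources
    hits = {seed: Hit(seed, 0)}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        depth = hits[current].depth
        if depth >= max_depth:          # depth bound: do not expand further
            continue
        for src in sources:
            for related in query_source(src, current):
                hit = hits.get(related)
                if hit is None:         # first sighting: schedule for expansion
                    hit = Hit(related, depth + 1)
                    hits[related] = hit
                    queue.append(related)
                hit.sources.add(src)    # provenance is recorded on every sighting
                hit.parents.add(current)
    return hits


def correlate(hits, min_sources=2):
    """Indicators reported by at least min_sources independent sources."""
    return sorted(i for i, h in hits.items() if len(h.sources) >= min_sources)


if __name__ == "__main__":
    result = collect("203.0.113.10", max_depth=2)
    for ind, h in sorted(result.items(), key=lambda kv: kv[1].depth):
        print(f"depth={h.depth} {ind:22} sources={sorted(h.sources)} via={sorted(h.parents)}")
    print("corroborated by 2+ sources:", correlate(result))
```

Raising `max_depth` to 3 pulls in the two indicators that sit three hops out (`dropper.example.test` and `cdn.example.test`); the volume-versus-relevance trade-off that the article's "challenges" section describes is exactly this parameter, together with the `min_sources` threshold in `correlate`.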

With the new tools and resources available, open source investigation has been an invaluable source of information for anyone investigating a wide variety of topics and for a wide range of reasons.

OSINT Tools

As Bielska et al. (2020:3) assure us, while OSINT was once exclusive to intelligence analysts and national security professionals, there is currently a growing presence of professionals from areas such as journalism, cybersecurity, human rights and advocacy. In recent years, organizations, human rights activists and journalists have embraced these new tools and resources.

Open source research will become a basic part of the work of many researchers, regardless of their background (HIGGINS, 2016:195). There are a number of OSINT-related websites with a considerable number of specialized tools to perform open source and multi-source searches to obtain information on a regular basis. The key is knowing how to separate the information sought from the plethora of information provided by a specific source.

Pedersen (2021:6) tells us that Open Source Intelligence is not a tool, although many excellent tools are available as data aggregators to facilitate the collection phase. No tool will be able to achieve what a properly trained analyst can.

With the advent of new tools, open source research has become a valuable source of information for anyone investigating a topic.

According to Bielska et al. (2020), the right tool can determine whether you gather the right information, and the more tools you have in your portfolio, the more flexible your OSINT capabilities will be. Here are some tools used for OSINT:

1. Privacy oriented search tools:

• DuckDuckGo (https://duckduckgo.com/): a tool that gathers results from over 400 sources, including Yahoo, Bing and Wikipedia.

• Swisscows (https://swisscows.com): located in Switzerland, the search engine uses its own private servers and is not dependent on third-party infrastructure, with a datacenter protected by Swiss data privacy laws.

• privatelee (https://privatelee.com): search the web and images privately.

2. Tools for collecting information:

• CheckUserNames (https://checkusernames.com/): online tool that can help you find usernames on 170+ social networks.

• BeenVerified (https://www.beenverified.com/): tool used to obtain information about people from public records.

• maltego (https://www.maltego.com/): tool for reconnaissance on the internet that allows you to obtain results for the specified target, such as IPs, domains, etc.

• theHarvester (https://github.com/laramies/theHarvester): Python-based tool to be used in the early stages of an investigation, taking advan

Methodology

Gil (2009:17) states that research is a rational and systematic procedure that aims to provide answers to proposed problems. When we do not have the information to solve a proposed problem, research is required. Scientific research can be classified according to its nature (basic or applied), its objectives (exploratory, descriptive or explanatory) and its method or approach (qualitative, quantitative or mixed). The author tells us that descriptive research describes a phenomenon or object of study and establishes relationships between its variables.

The article is characterized as descriptive, aiming at the analysis of OSINT as a tool to support security or intelligence agents in solving crimes.

The main objective of descriptive research is "to describe the characteristics of a given population or phenomenon or the establishment of relationships between variables" (SILVA and MENEZES, 2005:21).

Cervo and Bervian (2002) tell us that bibliographic research "seeks to know and analyze the existing cultural or scientific contributions on a certain subject, theme or problem." It seeks to explain a problem from theoretical references published in documents.

This article emerged from a bibliographic survey on open source intelligence and its role in research and studies published in journals and specialized magazines. We sought to carry out a quantitative analysis of data collected from bibliographic sources.

Research Questions (RQ)

The objective of this systematic review is to demonstrate, through primary studies, how OSINT is used as a support tool in solving cyber crimes. To that end, we intend to answer the main research question:

1. Can OSINT be used as a support tool for security forces in cases involving Cyber Crimes?

Guided by the main research question, secondary questions were elaborated:

1.1. For which functions does OSINT apply within the context of Computer Forensics and Cybersecurity research?

1.2. What are the opportunities in the area envisaged in the study?

1.3. What are the challenges described in the study?

Strategies and search process

Dieste et al. (2009) tell us that the systematic review identifies relevant empirical studies based on a search strategy. An adequate strategy must be defined to detect relevant empirical studies, which involves several decisions: selecting the appropriate information sources (i.e. bibliographic databases or digital libraries), selecting the article fields in which to search for the terms, defining the search to identify empirical studies of interest, and performing the search.

The first step consisted of determining the keywords to search for related works. The keywords defined were: "OSINT", "Digital Forensics" and "Threat Intelligence". The OR and AND operators, used respectively for synonymous terms and for alternative terms of each keyword, were defined. From there, the following generic search string was obtained: (OSINT) OR (OSINT AND "DIGITAL FORENSICS") OR (OSINT AND "THREAT INTELLIGENCE").

The search string was adjusted to suit the characteristics of each electronic database. Systematic literature searches were performed to find relevant studies in the following databases:

• ACM Digital Library (http://portal.acm.org);

• IEEE Digital Library (http://ieeexplore.ieee.org);

• Science@Direct (http://www.sciencedirect.com);

• Scopus (http://www.scopus.com).

The choice of electronic databases was guided by the study by Dieste et al. (2009), which defines some criteria: available primary studies, relevant conferences in the research area, and the search for studies in English (the language adopted in the main events and scientific journals).

Study selection process

The selection of the works was carried out with the help of the Parsifal tool (https://parsif.al), which, according to the definitions of About Parsifal (2021), is "an online tool designed to support researchers in carrying out systematic literature reviews in the context of Software Engineering. Geographically distributed researchers can work together in a shared workspace, designing the protocol and conducting the research. In addition to providing a way to document the entire process, the tool will help you remember what is important during a systematic literature review."

The selected studies addressed aspects of using OSINT as a tool or methodology for collecting information about digital crimes, systems developed with OSINT methodologies, and studies that address theoretical concepts of OSINT in Intelligence to combat digital crimes.

The initial selection of articles was made by analyzing the title, abstract and keywords of each work. After the initial selection, inclusion and exclusion criteria were applied in order to extract the works of interest. The following inclusion criteria were defined:

• Inclusion criterion 1: Studies dealing with OSINT;

• Inclusion criterion 2: Studies dealing with OSINT and Cyber Crimes;

• Inclusion criterion 3: Studies dealing with OSINT and Incident Response;

• Inclusion criterion 4: Studies dealing with OSINT in Digital Forensics.

The exclusion criteria were defined as follows:

➡ Studies prior to 2017;

➡ Duplicate studies;

➡ Studies that are outside the theme;

➡ Studies that are not in English or Portuguese;

➡ Short Papers (five pages or less).

Result and data analysis

After the search string was adapted to the characteristics of each electronic database consulted, 487 publications were found in the study selection stage. Of the 487 papers obtained from four digital libraries, published in the years 2017 to 2021, 43 articles remained after applying the exclusion and inclusion criteria.

The result extracted from these electronic databases was imported into the Parsifal tool and presented the following quantities:

• ACM Digital Library: 67 publications;

• IEEE Digital Library: 76 publications;

• Science@Direct: 126 publications;

• Scopus: 218 publications.

Of these works, 444 results were disregarded: 133 duplicate works and 311 works rejected because they are on subjects that do not fit the OSINT theme, studies prior to 2017, studies in languages other than English and Portuguese (the latter included in the search to evaluate the existence of works developed in Brazil related to the theme) and Short Papers (publications with less than five pages). This initial selection can be seen in Figures 1 and 2, below:

Figure 1 - Articles by electronic base

Source: Data produced by the author (2021)

The criterion used for the first selection of articles was to search for the occurrence of the OSINT terminology in the title, abstract and/or keywords of the national publications in journals in the database. Figure 2 shows the number of publications on the OSINT topic found in the databases consulted.

Figure 2 – Selected articles x Articles accepted electronically

Source: Data produced by the author (2021)

After the selection steps, 43 relevant studies were found, as shown in Table 1, below:

Analyzing the results of Figure 2, we can see that the databases with the highest concentration of publications on OSINT were Scopus and Science Direct.

A temporal analysis was carried out to identify the period in which the largest number of publications on OSINT is found. Figure 3 shows that the highest concentration of publications occurred in the period between 2018 and 2020, with 2018 having the largest number of published works on the OSINT theme.

Figure 3 – Number of articles per year.

Source: Data produced by the author (2021)

In addition to the inclusion and exclusion criteria, an assessment of the quality of the studies was also carried out through a questionnaire that sought to assess the methodology of the studies, the objective of the research, practical aspects, limitations of the study and whether the study was cited by other researchers. After analyzing the studies, a quality assessment list was answered with the following questions:

1. Does the study provide an experimental model to evaluate the presented framework or methodology?

2. Is the research objective well described?

3. Did the study carry out a well-described practical experiment to evaluate the proposal?

4. Do the authors describe the limitations of the study? (Scope)

5. Was the study cited by other authors?

For each study evaluated, according to Table 2, the following scores were assigned based on the sum of the weights assigned to the previously defined criteria: Yes – weight 1.0; Partially – weight 0.5; No – weight 0.0.

Results and Discussion

This section seeks to show the evidence found in the studies that contributes to answering the questions proposed in this work:

1. Can OSINT be used as a support tool for security forces in cases involving Cyber Crimes?

It was possible to verify that all 43 studies surveyed are related to OSINT and its use as a tool to help fight cyber crimes; it is possible to perceive methodologies, applications and theoretical knowledge that aim to increase the use of OSINT as a tool for analysis and for searching for information. Several studies were found whose main theme is the processing of information to combat cybersecurity threats.

1.1. For which functions does OSINT apply within the context of research in Computer Forensics?

Among the studies analyzed, there are several works that develop topics related to research in computer forensics. Studies raise questions relating to the analysis of the TOR network, according to Narayanan et al. (2020) and Delong et al. (2018). Forensic intelligence is evidenced in the studies by Quick and Choo (2018). Data analysis through OSINT tools to provide behavioral information on a particular group can provide excellent inputs for the behavioral analysis of extremist groups, as in the studies by Dawson et al. (2018).

1.2. What are the opportunities in the area envisaged in the study?

We are in a society influenced by data and information. The internet has revolutionized the way information travels, how companies trade and how data is produced. OSINT (Open Source Intelligence) came to explore these revolutions through its wide range of research sources. Technologies that allow companies to collect information about competitors impact the corporate environment, and state intelligence technologies allow knowing more about individuals or corporations; these and other opportunities make OSINT a broad terrain to be explored with countless opportunities, as seen in the studies by Pellet et al. (2019) and Eldridge et al. (2018).

1.3. What are the challenges described in the study?

The enormous supply of information covering all areas of humanity's knowledge poses a major challenge for intelligence activities and the fight against cybercrime. Dependence on quality data collection generates difficulties that permeate physical, logical and human resource structures. The results of the study showed that several works are being developed to minimize the difficulties of OSINT regarding the large amount of data on the Internet.

Final considerations

The scope of this work was limited to highlighting the importance of OSINT from primary studies and demonstrating the sources of research for future works in the area of open source intelligence.

At the end of this work, we consider it an attempt to observe and understand the OSINT universe through the analysis of the scientific literature, as well as to shed light on common doubts of people who use open source collection in their daily lives.

Constant advances in information technologies change the way data is generated and collected. The interest of the scientific community in the subject will allow the creation of tools and methodologies that will help OSINT and the quality of its collections.

Data from the studies in this systematic literature review highlight the importance of OSINT in the fight against cyber crimes and the immense field of research that can be developed. It is up to each of us to reflect on the paths that must be traced to expand the questions and hypotheses raised in the field of open data.

References:

• About Parsifal. Parsifal, 2021. Available at: <https://parsif.al/about/>. Accessed on: 27 Oct. 2021.

• AKHGAR, B. Open Source Intelligence Investigation. Place of publication not identified: SPRINGER INTERNATIONAL PU, 2017.

• ALENCAR, G.D. Strategies for mitigating internal threats. 2010. 137 p. Dissertation (Computer Science), Federal University of Pernambuco (UFPE), Pernambuco.

• BIELSKA, A. et al. Open Source Intelligence Tools and Resources Handbook 2020. 2020 ed. [S.l.]: i-intelligence, 2020.

• BARRETO, A.G.; WENDT, E. Intelligence and Criminal Investigation in open sources. 3. ed. Rio de Janeiro: Brasport, 2020.

• DAWSON, M.; LIEBLE, M.; ADEBOJE, A. Open Source Intelligence: Performing Data Mining and Link Analysis to Track Terrorist Activities. In: LATIFI, S. (Org.). Information Technology - New Generations. Advances in Intelligent Systems and Computing. Cham: Springer International Publishing, 2018, v. 558, p. 159–163.

• DELONG, M. et al. OSINT Analysis of the TOR Foundation. arXiv:1803.05201 [cs], 24 Mar. 2018. Available at: <http://arxiv.org/abs/1803.05201>. Accessed on: 19 Apr. 2021.

• DNA DATA STORAGE ALLIANCE. Preserving Our Digital Legacy: An Introduction to DNA Data Storage. [S.l.]: DNA Data Storage Alliance, 2021. Available at: <https://dnastoragealliance.org/dev/wpcontent/uploads/2021/06/DNA-Data-Storage-Alliance-An-Introduction-to-DNA-Data-Storage.pdf>. Accessed on: 25 Oct. 2021.

• ELDRIDGE, C.; HOBBS, C.; MORAN, M. Fusing algorithms and analysts: open-source intelligence in the age of 'Big Data'. Intelligence and National Security, 16 Apr. 2018, v. 33, no. 3, p. 391–406. Available at: <https://www.tandfonline.com/doi/full/10.1080/02684527.2017.1406677>. Accessed on: 23 May 2021.

• EVANGELISTA, J.R.G. et al. Systematic Literature Review to Investigate the Application of Open Source Intelligence (OSINT) with Artificial Intelligence. Journal of Applied Security Research, 7 May 2020, p. 1–25. Available at: <https://www.tandfonline.com/doi/full/10.1080/19361610.2020.1761737>. Accessed on: 19 Apr. 2021.

• GIL, A.C. How to design research projects. São Paulo: Atlas, 2009.

• HASSAN, N.A.; HIJAZI, R. Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence. In: HASSAN, N.A.; HIJAZI, R. (Org.). Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence. Berkeley, CA: Apress, 2018, p. 1–20.

• KIM, N. et al. Design of a Cyber Threat Information Collection System for Cyber Attack Correlation. In: 2018 International Conference on Platform Technology and Service (PlatCon), 2018, Jeju. Electronic Annals... Jeju: IEEE, 2018, p. 1–6. Available at: <https://ieeexplore.ieee.org/document/8472775/>. Accessed on: 13 Mar. 2021.

• KREMLING, J.; PARKER, A.M.S. Cyberspace, cybersecurity, and cybercrime. First Edition. Los Angeles: SAGE Publications, 2018.

• MINDSECBLOG. Cybercrime will cost the world $10.5 trillion annually by 2025. Security Minute, 16 Mar. 2021. Available at: <https://minutodaseguranca.blog.br/crime-cibernetico-custara-ao-mundo-us-105-tricos-anuais-ate-2025/>. Accessed on: 10 Oct. 2021.

• NAKAMURA, E.T.; GEUS, P.L. de. Network security in cooperative environments. São Paulo (SP): Novatec, 2007.

• NARAYANAN, P.S.; ANI, R.; KING, A.T.L. TorBot: Open Source Intelligence Tool for Dark Web. In: RANGANATHAN, G.; CHEN, J.; ROCHA, A. (Org.). Inventive Communication and Computational Technologies. Lecture Notes in Networks and Systems. Singapore: Springer Singapore, 2020, v. 89, p. 187–195.

• PELLET, H.; SHIAELES, S.; STAVROU, S. Locating social network users and profiling their movement. Computers & Security, Mar. 2019, v. 81, p. 49–57. Available at: <https://linkinghub.elsevier.com/retrieve/pii/S0167404818301524>. Accessed on: 14 Mar. 2021.

• QUICK, D.; CHOO, K.-K.R. Digital forensic intelligence: Data subsets and Open Source Intelligence (DFINT + OSINT): A timely and cohesive mix. Future Generation Computer Systems, Jan. 2018, v. 78, p. 558–567. Available at: <https://linkinghub.elsevier.com/retrieve/pii/S0167739X16308639>. Accessed on: 6 May 2021.

• SILVA, E.L.; MENEZES, I.N. Research methodology and dissertation writing. 4. ed. Florianópolis: UFSC, 2005.

• YEBOAH-OFORI, A.; BRIMICOMBE, A. Cyber Intelligence and OSINT: Developing Mitigation Techniques Against Cybercrime Threats on Social Media. International Journal of Cyber-Security and Digital Forensics, 2018, v. 7, no. 1, p. 87–98. Available at: <http://sdiwc.net/digital-library/cyber-intelligence-and-osintdeveloping-mitigation-techniques-against-cybercrime-threats-on-social-media.html>. Accessed on: 9 Oct. 2021.

About the Author

Francisco de Assis F. Henriques - holds a Master's degree in Computer Science. His specialties include Computer Forensics, Cyber Law, Information Security and Project Management. Always in continuous learning. His areas of interest are Information Security, Data Protection, Cyber Security and Computer Forensics. He currently works at a Federal Institute of Technological Education in Brazil.
Applying Zero Trust Principles To Critical Controls
by Paulo Pereira, PhD

The emergence of the Zero Trust network concept is a response to the evolution of cyber-attacks, based essentially on the observation that a traditional network cannot keep up with this evolution.

Critical examples

Take as a first example the attack on the fuel pipeline in the United States last year. We now know in greater depth what occurred: attackers were able to escalate privileges on the network because of compromised administrative credentials (for example, old passwords still in use). That is, at some point there was no continuous verification of the credentials of the administrators and users accessing the network that controls fuel distribution in this region of the United States. In addition, traffic was not monitored across the entire length of the network (or at least in its most critical segments), which culminated in the absence of any control over the data.

A second example perfectly illustrates the lack of the security layers that a Zero Trust network provides. The attack against the City Hall of a mid-sized town, which occurred at the end of August 2021, shows a scenario in which:

• There is no coordinated response to cyber incidents.

• There is no information available for local businesses to find out whether their registration data was captured by the attackers (via the Lockbit 2.0 ransomware), whether it was leaked, or whether a ransom payment was made.

• Essential services were stopped, and servers and systems were affected, blocking the issuance of invoices and the Service Center (which concentrates 90% of the documents of the city's companies and citizens), showing that network traffic is not properly monitored and that the city's network has not had its segments audited.

Zero Trust Principles

In contrast to the attack scenarios of the two examples described above, a Zero Trust network rests on principles that are the pillars for deploying security layers in a network (BARTH, 2017, pp. 5-10):

• A traditional network has failures at specific points, caused either by administrators or by users and non-homologated devices accessing the network.

• There is no inspection of the traffic passing through network segments. In fact, few companies know what is going through their corporate network traffic.

• There is little flexibility in positioning hosts, making it easier to enumerate and identify the devices connected to the network.

• The network is always considered hostile; therefore, verification should be continuous, with zero trust.

• External and internal threats exist on the network all the time.

• Network location is not sufficient to decide trust in a network.

• Every device, user and network flow is authenticated and authorized.

• Policies must be dynamic and calculated from as many data sources as possible.

It is because of these security needs of a traditional network that one of the central aspects of a Zero Trust network is the creation of policies dedicated to the resources that exist in the network. In other words, there is a control plane to which accesses, identities, devices and systems are referred. This means that a policy must be defined wherever these resources are in use; this is called the data plane, which follows the control plane and is defined in each situation of resource access or usage. Therefore, the following important points should be followed in the implementation of a Zero Trust network:

• There should be no general authentication: access should always be verified and granted with privilege limitations.

• Micro network segmentation should allow mapping of the resources where policies will be defined.

• All enterprise systems are considered.

• The company ensures that all of its own systems are in their safest possible state.

• All communications are made securely, regardless of network location, possibly using end-to-end encryption.

• Access to individual business resources is granted per connection.

• User authentication is dynamically and strictly applied before access.

• Access to resources is determined by the policy defined in the control plane, including the observable state of the user, system and environment.

We can observe a concept that differs frontally from a traditional network architecture: micro segmentation. In the conceptualization of a Zero Trust network, it is held that traditional networks cannot cover the entire perimeter and thus validate all devices and users that try to access the network's resources. Micro segmentation divides the network into smaller parts, and in these parts the control plane is applied. That is, with a clear definition of the critical areas of the network in a micro segment, there would be more effective monitoring (ROSE, 2019, p. 4).
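The principles and implementation points above can be made concrete with a small policy decision point. The following is an added illustration written for this article, not code from the author or from any Zero Trust product: every connection request is evaluated from several signals (MFA for this connection, credential age, device inventory and patch state, micro-segment membership, role), the default answer is deny, and a grant carries only the requested privilege for a bounded time. All names, thresholds and the sample accounts are hypothetical.

```python
"""Per-connection access decision for a Zero Trust micro-segment.

Added illustration, not the article's or any product's code. Every
request is evaluated from several control-plane signals, the default is
deny, and a grant is limited in privilege and in time. All names and
thresholds below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

MAX_CREDENTIAL_AGE = timedelta(days=90)   # assumed rotation policy


@dataclass
class User:
    name: str
    roles: Set[str]
    mfa_verified: bool            # MFA completed for *this* connection
    password_rotated_at: datetime


@dataclass
class Device:
    device_id: str
    managed: bool                 # enrolled in the company's device inventory
    patched: bool                 # "safest possible state" signal
    segment: str                  # micro-segment the device is connected in


@dataclass
class Resource:
    name: str
    segment: str                  # micro-segment that contains the resource
    allowed_roles: Set[str]
    max_session: timedelta        # how long a grant stays valid


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]
    ttl: Optional[timedelta] = None
    privileges: Set[str] = field(default_factory=set)


def evaluate(user: User, device: Device, resource: Resource,
             now: datetime, action: str) -> Decision:
    """Control-plane policy: deny unless every signal passes."""
    reasons: List[str] = []
    # No general authentication: each connection is checked on its own.
    if not user.mfa_verified:
        reasons.append("MFA not completed for this connection")
    # Continuous verification of credentials (the stale-password problem).
    if now - user.password_rotated_at > MAX_CREDENTIAL_AGE:
        reasons.append("credential older than rotation policy allows")
    # Only known devices in their safest state may reach the resource.
    if not device.managed:
        reasons.append("device is not in the inventory")
    if not device.patched:
        reasons.append("device is not in its safest possible state")
    # Location alone grants nothing, but being outside the resource's
    # micro-segment is still a reason to refuse.
    if device.segment != resource.segment:
        reasons.append("device is outside the resource's micro-segment")
    # Least privilege: a role on the resource's allow list is required.
    if not (user.roles & resource.allowed_roles):
        reasons.append("no role of the user grants access to this resource")
    if reasons:
        return Decision(False, reasons)
    # Grant only the requested action, and only for a bounded session.
    return Decision(True, ["all checks passed"],
                    ttl=resource.max_session, privileges={action})


# Constructed sample: the Finance Department server of Figure 1.
NOW = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)
FINANCE_SERVER = Resource("finance-srv", "seg-finance",
                          {"finance-admin"}, timedelta(minutes=30))
LAPTOP = Device("lt-001", managed=True, patched=True, segment="seg-finance")


def run_sample():
    """Three requests: stale admin password, fresh admin, unmanaged guest."""
    stale_admin = User("admin-1", {"finance-admin"}, True, NOW - timedelta(days=400))
    fresh_admin = User("admin-2", {"finance-admin"}, True, NOW - timedelta(days=10))
    guest = User("guest", {"guest"}, False, NOW)
    guest_device = Device("byod-7", managed=False, patched=True, segment="seg-lan")
    return (evaluate(stale_admin, LAPTOP, FINANCE_SERVER, NOW, "read"),
            evaluate(fresh_admin, LAPTOP, FINANCE_SERVER, NOW, "read"),
            evaluate(guest, guest_device, FINANCE_SERVER, NOW, "read"))


if __name__ == "__main__":
    for d in run_sample():
        print("ALLOW" if d.allowed else "DENY", d.reasons, d.privileges)
```

The first request is refused solely because the administrator's password is older than the rotation policy, which is the continuous-verification gap of the pipeline example; the third collects every failing signal, which is what a defender wants logged for detection rather than a bare "denied".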

Figure 1: Micro Segment for Access to the Financial Server on a Zero Trust Network

The 0-Day log4j vulnerability

The 0-Day log4j vulnerability (CVE-2021-44228) has already been much discussed in articles and other communication channels. The key to this vulnerability is the possibility for attackers to access administrative accounts and, from these accounts, deliver ransomware that will impact servers and systems and, consequently, enable access to critical data, such as medical data, refund registrations and military registrations, among other examples that have already occurred and are properly reported.

Figure 1 above shows a micro network segment in which two devices access a network resource, represented by the Finance Department server. The control plane must identify the host and the user (including administrators' accounts) and decide on authentication on the network with defined minimum privileges.

Currently, these administrator accounts are configured with maximum privileges, and the examples of recent attacks show that it is time to review this condition by configuring these accounts according to the Zero Trust principles, limiting the privileges of those accounts in time and in use.

References:

• BARTH, E. Zero Trust Networks. Boston: O'Reilly, 2017.

• ROSE, S. Zero Trust Architecture. NIST Presentation. 2019.

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-44228.

• MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228.

About the Author

Paulo Pereira, PhD - I was born in São Paulo, the big, boring and bestial industrial city of my country, Brazil. I obtained my PhD at São Paulo University (USP) in analytical induction, a math, logic, statistical and philosophic area. I never worked in this area... but, one day, walking on a Sunday morning, I discovered that I could use my statistical skills to analyze malware behavior, like a math model. So, I have invested my time in this area since 1989. Nowadays, I teach forensics at the University Nove de Julho (UNINOVE) and I work with forensic analysis and malware analysis (reverse engineering of malware) as a freelance consultant. To escape from reality, in my spare time, I go somewhere to practice fly fishing in the rivers that cut through the mountains, and I keep programming my own pieces of software in C and Python.
Significance Of Image Tools In Digital Forensics
by Avirup Dutta, Gaurav Kumar Singh

Digital visual media represents one of the most important means of communication. Recently, the reliability of digital visual data has been questioned, because of the ease with which both its origin, or source, and its content can be faked. The use of image tools in digital forensics is a new field of research that aims at verifying the authenticity of images by recovering information about their history. Two main problems are considered: the identification of the imaging device that captured the image, and the detection of traces of forgeries. Nowadays, because of the promising results achieved by early investigations and the continually growing number of applications, digital image forensics represents an appealing research area for many analysts. This overview is intended to survey existing tools and to give a view of the past, the present and the future of image tools in digital forensics.

Introduction

Images and videos have become the primary data carriers in this digital era. The expressive capability of visual media and the simplicity of their acquisition, dissemination and storage are such that they are increasingly exploited to convey information. As a result, images and videos today represent a common source of evidence, both in everyday disputes and in the gathering of evidence for trials. The simplest video in TV news is regularly accepted as a certificate of the truthfulness of the reported news. Similarly, surveillance video recordings can constitute major trial material in a courtroom.

Along with a huge number of benefits, the accessibility of digital visual media brings a significant disadvantage. Image processing specialists can easily access and modify image content, and hence affect its meaning, without leaving visually noticeable traces. Moreover, with the spread of inexpensive, user-friendly editing tools, the art of altering and forging visual content is no longer limited to specialists. As a result, the alteration of images for malicious purposes is currently more widespread than ever. Digital Image Forensics is the branch of multimedia security that, along with Digital Watermarking, aims at detecting and exposing malicious image manipulation.

In July 2010, Malaysian politician Jeffrey Wong Su En claimed to have been knighted by Queen Elizabeth II, as an acknowledgment of his contribution to the international aid organization Médecins Sans Frontières. An image of him being granted the honor by the Queen of England accompanied his statement and was discussed in local media (Fig. I.a). When questioned about the honor, however, the British High Commission in Kuala Lumpur clarified that Mr. Wong's name was not on the list of knighthood recipients and that the picture conflicted with the usual protocol for knighthood ceremonies. The picture was finally shown to be a merge between an original ceremony photograph (Fig. I.b) and Mr. Wong's face, which served to build his popularity.

This sort of incident [1] has contributed to making the use of digital pictures as evidence increasingly problematic. [2] A confirmation of their authenticity is required before relying further on their content. Consequently, two questions concerning the history of the picture must be answered:

a) Was the picture captured by the claimed device?

b) Does the picture portray its original content?

The first question is of significant interest when the source of the picture is itself the evidence, for example when the ownership of the recording camera is in question, or when a content is incriminating only if it was recorded by a particular device (for example, video surveillance). The second question is of more general interest and can be directly applied to the fake knighthood picture case. Answering those questions is rather simple when the original picture is known. In the fake knighthood case, the mere availability of the original picture was sufficient to expose the fraud. In practical cases, however, practically nothing can be assumed to be known about the original picture. Therefore, specialists need to validate the picture history independently.

Picture: (I.a.) The doctored picture portraying Jeffrey Wong Su En while receiving the honor from Queen Elizabeth and picture (I.b.) the original image of Ross Brawn receiving the Order of the British Empire from the Queen.

Digital Image Forensics (DIF) aims at offering tools to support blind investigation. This brand-new discipline stems from existing multimedia security-related research areas (for example, watermarking and steganography) and exploits image processing and analysis tools to recover information about the history of a picture. Two research directions proceed under the name of Digital Image Forensics. The first includes methods that attempt to answer question a) by performing some sort of comparative analysis to determine the device that captured the picture, or at least to determine which devices did not capture it. These techniques will be grouped in this article under the common name of image source device identification methods. The second group of methods aims at exposing traces of semantic manipulation (for example, forgeries) by studying inconsistencies in natural image statistics. We will refer to these techniques as tampering detection techniques.

Both these fields, and the DIF area overall, are attracting a growing interest from the research community. The first publications on the topic of DIF date back to 2003, although earlier work may have been published a couple of years sooner, for example Hany Farid's research on bicoherence features for tampering detection [3]. Nowadays, the topic is so well known that researchers are beginning to propose strategies to counter forensic techniques, exploiting their weaknesses to better hide or fake the manipulation. These studies represent a valuable contribution to the improvement of image forensics, pushing specialists to create ever more robust tools.

Application of Image Tools in Image Processing: Digital image processing includes a wide variety of tasks, such as image enhancement and restoration, pattern recognition, data compression, spectral estimation, image analysis, adaptive filtering, and so on. To tackle these tasks, a great many algorithms and strategies have been developed and are still under study, spanning classical and non-classical approaches. Fuzzy logic is a well-established discipline, and many important results are available in the scientific literature concerning fuzzy set theory and related applications [5] [6] [7].

A successful way of applying fuzzy logic in digital image processing is to process every pixel of an image according to rules applied to a set of pixels in its neighborhood. Without significant loss of generality, we can assume these pixels to belong to a rectangular window, called the fuzzy mask. It might be used to try to detect slanted lines. Without significant loss of generality, we will assume the logic connectives between a rule's antecedents to be AND operators only.

Much of the time it is helpful to deal with relative values rather than absolute ones. From a practical perspective, relative processing can be implemented by taking as fuzzy variables the differences between the values of the pixels in the mask and the value of the central pixel. Depending on the particular nature of the problem, both relative and absolute processing can be used in the same rule: for example, an edge detection problem might require relative processing in the antecedents and absolute processing in the consequent.

Picture II: Main tasks performed by the tool

General structure of the tool

Since experimenting with fuzzy processing might require a lot of "test and modify" cycles, the main design goal was to shorten the overall time needed by the development sequence. For this reason, specific strategies have been adopted to make the editing stage fast and user-friendly and to reduce the processing time as well. The tool is written in the C language and includes a native Graphical User Interface (GUI) with pull-down menus and mouse-driven user interaction. Menu-driven operations are reduced to a minimum, including basically file management and the selection of the editing, test and code generation areas. The dimension N of the fuzzy mask is defined by menu (0<N<6).

The structure adopted for the fuzzy rule involves:

1. (2N+1) x (2N+1) antecedents;

2. only AND operators;

3. one consequent;

4. relative and absolute processing.

The fuzzy reasoning which has been adopted includes:

1. the Rc implication operator [8];

2. the max-min composition [9];

3. the centroid method [10].

Application examples

To illustrate the capabilities of the tool for image processing, some examples are given. The first addresses edge detection problems. A well-known edge detector that extracts the edges of an image is the Sobel operator, which is used in classical image processing. An alternative approach is offered by fuzzy processing. For this purpose, a 3 x 3 mask has been adopted and relative-antecedent/absolute-consequent processing has been implemented. The aim of the rule is to make white the pixels of the image that are surrounded by pixels of similar intensity, and to make all the other ones dark (the edge pixels). The aim of the rules is to correct pixels whose values are too different from the neighboring pixels (as an effect of noise). [10]
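The fuzzy mask, relative processing and the 3 x 3 edge detection rule described above can be worked through on a small constructed image. The following is an added example written for this article, not the authors' own C tool: a single rule with eight relative antecedents (neighbour minus centre), AND realised as min, an absolute consequent, and centroid defuzzification over two singleton outputs, shown next to the classical Sobel operator on the same input. The membership width SIMILAR_T and the step image are assumptions.

```python
"""Fuzzy-rule edge detection over a 3x3 mask, beside the Sobel operator.

Added example, not the article's tool. Rule structure as described:
(2N+1)x(2N+1) antecedents on relative values, AND = min, one consequent,
centroid defuzzification. SIMILAR_T and SAMPLE are assumptions.
"""
from typing import List

Image = List[List[int]]

# Constructed 8x8 grey-level image: a vertical step from 50 to 200.
SAMPLE: Image = [[50] * 4 + [200] * 4 for _ in range(8)]

SIMILAR_T = 64  # assumed half-width of the "similar intensity" membership


def similar(diff: int, t: int = SIMILAR_T) -> float:
    """Triangular membership of 'neighbour is similar to the centre'.
    diff is a relative value (neighbour minus centre): 1 at 0, 0 beyond +-t."""
    return max(0.0, 1.0 - abs(diff) / t)


def fuzzy_edges(img: Image, t: int = SIMILAR_T) -> Image:
    """Rule: IF every neighbour is SIMILAR to the centre THEN the pixel is WHITE.

    Relative antecedents (8 of them for N=1) combined with min, absolute
    consequent. The singleton outputs WHITE=255 (weight s) and DARK=0
    (weight 1-s) are merged by the centroid, so pixels whose rule fires
    weakly come out dark: these are the edges. Border pixels have no full
    3x3 neighbourhood and are skipped, so the result is (H-2)x(W-2).
    """
    h, w = len(img), len(img[0])
    out: Image = []
    for y in range(1, h - 1):
        row = []
        for x in range(1, w - 1):
            c = img[y][x]
            s = min(similar(img[y + dy][x + dx] - c, t)
                    for dy in (-1, 0, 1) for dx in (-1, 0, 1)
                    if (dy, dx) != (0, 0))
            centroid = (255 * s + 0 * (1 - s)) / (s + (1 - s))
            row.append(round(centroid))
        out.append(row)
    return out


SOBEL_X = [[-1, 0, 1], [-2, 0, 2], [-1, 0, 1]]
SOBEL_Y = [[-1, -2, -1], [0, 0, 0], [1, 2, 1]]


def sobel_edges(img: Image) -> Image:
    """Classical comparison: Sobel gradient magnitude |gx| + |gy|, interior pixels only."""
    h, w = len(img), len(img[0])
    out: Image = []
    for y in range(1, h - 1):
        row = []
        for x in range(1, w - 1):
            gx = gy = 0
            for dy in (-1, 0, 1):
                for dx in (-1, 0, 1):
                    p = img[y + dy][x + dx]
                    gx += SOBEL_X[dy + 1][dx + 1] * p
                    gy += SOBEL_Y[dy + 1][dx + 1] * p
            row.append(abs(gx) + abs(gy))
        out.append(row)
    return out


if __name__ == "__main__":
    for name, result in (("fuzzy", fuzzy_edges(SAMPLE)), ("sobel", sobel_edges(SAMPLE))):
        print(name)
        for row in result:
            print(" ".join(f"{v:4d}" for v in row))
```

On the step image both detectors mark the two columns on either side of the intensity jump and nothing else; the fuzzy output is already a binary white/dark map, whereas Sobel yields a gradient magnitude that still needs a threshold. An isolated noisy pixel would also be marked dark by this single rule, which is why the article's second set of rules for correcting noisy pixels exists.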

Conclusions

The strategies we reviewed in this overview represent significant results for multimedia security, particularly considering that the problems they tackle were previously (nearly) neglected. A large set of tools is now available to investigate image sources and to validate acquisition devices. Among them, tools that examine pattern noise have proved promising for distinguishing even different units of the same device model. An even larger number of strategies has been developed to detect image tampering, some of which are also able to localize the forged regions. Notwithstanding these achievements, significant challenges remain open for Digital Image Forensics. A first fundamental concern is the robustness of the current tools. Apart from [11], no real comparative review exists that assesses the actual accuracy of DIF techniques. This is fundamentally due to the absence of established benchmarks and public testing databases. A few efforts in this direction [12, 13] have been made; however, a large dataset covering various scenes, lighting and environmental conditions and attacks is still missing for tampering detection, for example. Given the growth of the area, it is reasonable to expect that new databases and comparative studies will appear soon, as well as open contests, like the BOSS challenge for steganalysis [14]. Such development is desirable both for improving communication among researchers and for better establishing the real state of the art in DIF.

A software tool dedicated to image processing with fuzzy rules has been presented. The effectiveness of the tool relies on a careful design that has focused on user-friendliness and interactivity. The processing performance relies on fuzzy inference systems which have been shown to be able to give good results on test images. From a general perspective, fuzzy logic represents an ideal interface between the user and the problem, allowing the nature of the processing to be intuitively specified through common human-like terms. From a more specific perspective, fuzzy logic offers a very clear way of implementing adaptive processing and, what is more, a novel and effective way of addressing by rules a broad variety of processing problems.

References:

• [1] Farid H (2006) Digital Doctoring: How to tell the real from the fake. Significance 3(4):162–166;

• [2] Photo tampering throughout history: http://www.cs.dartmouth.edu/farid/research/digitaltampering/;

• [3] Farid H (1999) Detecting digital forgeries using bispectral analysis. Technical Report, AIM-1657, MIT AI Memo;

• [4] D. Dubois and H. Prade: "Fuzzy Sets and Systems: Theory and Applications", Academic Press, New York, 1980;

• [5] F. Russo, P. Russo, S. Broili: "A Graphical Prototyping System for Computer-Aided Development of Expert Instrumentation Software", Proceedings of IEEE IMTC/91, Atlanta, GA, May 1991, pp. 495-500;

• [6] A. Kandel: "Fuzzy Techniques in Pattern Recognition", Wiley Inter-science, New York, 1982;

• [7] M. Mizumoto and H. J. Zimmermann: "Comparison of fuzzy reasoning methods", Fuzzy Sets and Systems, North-Holland Publishing Company, n.8, 1982, pp. 253-283;

• [8] L. A. Zadeh: "Outline of a New Approach to the Analysis of Complex Systems and Decision Processes", IEEE Trans. Systems, Man and Cybernetics, vol. 3, 1973, pp. 28-44;

• [9] Y. F. Li and C. C. Lau: "Development of Fuzzy Algorithms for Servo Systems", IEEE Control Systems Magazine, April 1989, pp. 65-72;

• [10] Apple "Inside Macintosh" vol. I, Addison-Wesley, Reading MA, 1985;

• [11] Shi YQ, Chen C, Chen W (2007) A natural image model approach to splicing detection. ACM Workshop on Multimedia and Security (ACM MMSEC07). ACM, New York, NY, USA, pp 51–62;

• [12] Gloe T, Bohme R (2010) The Dresden Image Database for benchmarking digital image forensics. SAC, Sierre;

• [13] Ng T-T, Chang S-F (2004) A data set of authentic and spliced image blocks. Columbia University technical report, Available: http://www.ee.columbia.edu/trustfoto;

• [14] BOSS—Break Our Steganographic System, http://boss.gipsa-lab.grenoble-inp.fr/Warming/.

About the Authors

Avirup Dutta and Gaurav Kumar Singh - Department of Forensic Science, Chandigarh University, Mohali, Punjab, India