Malware forensics

For malware forensics, we can use Volatility to analyse processes, network sockets/connections and DNS queries.

We can use the ldd command to list all dependencies of an executable file: https://linux.die.net/man/1/ldd

To take a memory dump on Windows, you can use WinPmem; on Linux, you have LiME.

https://www.blackhat.com/docs/eu-15/materials/eu-15-KA-Automating-Linux-Malware-Analysis-Using-Limon-Sandbox-wp.pdf

Protection against malware

We can use honeypots to place a decoy device in the IT environment.

Tools for forensic - reverse engineering

Binwalk

Tool for analysing a binary:

$ binwalk mybinary.bin

Apktool

Tool for analysing an APK package (Android):

$ apktool decode myapk.apk
$ cd myapk/

Objdump

$ cat main.c
#include <stdio.h>
#include <stdlib.h>

int main(void){
    char buffer[64] = "Hello world\n";
    return 0;
}
$ gcc -O0 -ggdb main.c -o main
$ objdump -d main
$ readelf -a main

Hexdump

Reads a file and displays its contents in hexadecimal. Useful for forensics and for reading binaries.

$ cat main.c
#include <stdio.h>
#include <stdlib.h>

int main(void){
    char buffer[64] = "Hello world\n";
    return 0;
}
$ gcc -O0 -ggdb main.c -o main
$ hexdump -C main | grep "Hello"
00001120  e9 7b ff ff ff 55 48 89  e5 48 b8 48 65 6c 6c 6f  |.{...UH..H.Hello|
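The same "hexdump -C | grep" workflow in Python, as an added example that is not part of the original notes: it renders bytes in the hexdump -C layout and searches the rows, and also shows why grepping rows misses a string that straddles a 16-byte boundary. The input is a constructed byte string standing in for the compiled main binary; its second row carries the same instruction bytes as the line above.

```python
import re
import string

# Constructed sample standing in for the "main" binary: an ELF-like header
# followed by the instruction bytes shown in the page's hexdump line
# (movabs rax, "Hello wo"), the rest of the string, and a ret.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\xe9\x7b\xff\xff\xff\x55\x48\x89\xe5\x48\xb8Hello world\n\x00"
    + b"\xc3"
)

# Bytes hexdump -C prints literally in the ASCII column (space included).
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def hexdump_c(data: bytes, width: int = 16) -> list:
    """Format data like `hexdump -C`: 8-digit hex offset, two groups of eight
    hex bytes, then the ASCII column with non-printables shown as '.'.
    (hexdump's '*' squeezing of repeated rows is not replicated.)"""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk[:8])
        if len(chunk) > 8:
            hexpart += "  " + " ".join(f"{b:02x}" for b in chunk[8:])
        ascii_part = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<48}  |{ascii_part}|")
    return lines


def grep_hexdump(data: bytes, needle: str) -> list:
    """Equivalent of `hexdump -C file | grep needle`: rows containing needle."""
    return [line for line in hexdump_c(data) if needle in line]


def find_string_offsets(data: bytes, needle: bytes) -> list:
    """Offsets of needle in the raw bytes; unlike grepping rows, this also
    finds a string that crosses a 16-byte row boundary."""
    return [m.start() for m in re.finditer(re.escape(needle), data)]


if __name__ == "__main__":
    print("\n".join(grep_hexdump(SAMPLE, "Hello")))
    print(find_string_offsets(SAMPLE, b"Hello world"))
```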

Steganography

ELA - Error Level Analysis

https://en.wikipedia.org/wiki/Error_level_analysis

https://headt.eu/How-to-Detect-Image-Manipulations-Part-1

Documents

pdfinfo

PeePDF

This powerful tool can analyse a PDF file and extract malicious content: https://github.com/jesparza/peepdf