Chapter 7: Digital Forensics and Malware Analysis

Digital evidence is any binary data — stored on or transmitted by a computing device — that can be used in an investigation. Its sources span hard drive images, packet captures, audit logs, deleted file fragments, and memory dumps. Evidence is not equally useful: courts apply a classification hierarchy that determines how much weight each piece carries and what documentation is required.

The Three Core Evidence Classes

Best Evidence

Best evidence is the original, unaltered record. In digital forensics, best evidence includes:

• An unmodified disk image captured with a write-blocker
• Original log files with intact timestamps and SHA-256-verified checksums
• Unedited CCTV or body-camera footage
• A forensic memory dump taken directly from a live system

A SHA-256 hash taken at acquisition time and re-verified at every subsequent step is the mechanism by which analysts prove a file has not changed.

Corroborative Evidence

Corroborative evidence supports and reinforces primary evidence. It does not prove the main fact on its own, but it makes the primary evidence more credible. Examples:

• Browser history that corroborates the timeline established by server-side access logs
• Firewall logs that confirm traffic was blocked at the same time an alert fired in the SIEM
• IP geolocation records that support claims about connection origin

Indirect (Circumstantial) Evidence

Indirect evidence does not directly prove a fact — instead, it allows a reasonable inference about what happened. Examples:

• Deleted files recovered from unallocated disk space (imply files once existed)
• Prefetch records suggesting a program was executed even if the executable was removed
• Residual registry keys suggesting a program was installed then uninstalled
• Outbound DNS queries to an unusual domain suggesting C2 communication

Chain of Custody

Chain of custody is the documented, unbroken record of who collected evidence and when, how it was transported and stored, who accessed it and for what purpose, and what transformations were performed. A practical form records the SHA-256 hash of every artifact at the moment of collection. Before analysis, the hash is re-verified. If hashes do not match, the evidence may be inadmissible.

Rules of Evidence

For digital evidence to be accepted in legal proceedings, it must satisfy four properties:

1. Authentic — it is what it claims to be (proven via hash verification and documentation)
2. Complete — it tells the whole story, not a cherry-picked fragment
3. Reliable — collected using sound, repeatable methods
4. Believable — can be explained to a judge or jury in plain terms

Logs are the primary narrative of any security incident. Every operating system, application, network device, and security platform generates log records as it operates. The investigator's job is to correlate these records across sources and reconstruct a coherent timeline.

Windows Event Logs

Windows Event Logs are stored in .evtx format under C:\Windows\System32\winevt\Logs\. The most security-relevant event IDs:

Pattern: Lateral Movement Detection

1. Event 4625 (failed logon) for administrator from 192.168.10.45 — 47 times in 90 seconds
2. Event 4624 (successful logon) from the same IP — logon type 3 (network logon)
3. Event 4688 (process creation) — cmd.exe spawned by services.exe

This sequence — brute force → network logon → command shell from a service process — is a classic indicator of credential stuffing and remote command execution via a compromised service account.

Linux / syslog

A burst of "Failed password" entries from a single IP followed by "Accepted password" is the syslog signature of a successful brute-force attack.

SIEM: Aggregation, Correlation, and Alerting

A SIEM ingests log data from hundreds of sources, normalizes it into a common schema, and applies correlation rules. A single failed login is noise. Ten thousand failed logins across fifty accounts from one IP in five minutes is an alert. Common platforms: Splunk (SPL), Microsoft Sentinel (KQL), IBM QRadar, ELK Stack.

SIEM workflow:

1. Collection — agents push logs to the SIEM
2. Normalization — raw data parsed into structured fields
3. Indexing — records stored for search
4. Correlation — rules match patterns across multiple events
5. Alerting — correlation rule fires; alert routed to SOC queue
6. Investigation — analysts query raw logs surrounding the alert

index=windows EventCode=4656 Object_Name="*lsass*" Access_Mask="0x1410"
| stats count by ComputerName, Account_Name, Process_Name
| where count > 1

This Splunk SPL query detects attempts to open a handle to lsass.exe with read permission — the hallmark of credential dumping tools like Mimikatz.

SOAR: Automated Response Playbooks

SOAR platforms take SIEM alerts and execute automated response workflows (playbooks). A typical phishing SOAR playbook:

1. Receive alert: "User clicked suspicious URL"
2. Automatically query VirusTotal for URL hash score
3. Pull email headers, extract sender, reply-to, originating IP
4. Check originating IP against threat intelligence feeds
5. If malicious: quarantine inbox, block URL at proxy, create ITSM ticket
6. Notify SOC analyst with pre-populated summary for human review

SOAR reduces mean-time-to-respond (MTTR) from hours to minutes. Platforms include Palo Alto XSOAR, Splunk SOAR, and IBM Security SOAR.

Application and Command-Line Logs

A typical suspicious Apache log entry:

192.168.1.100 - admin [15/Jan/2026:03:15:42 +0000] "GET /admin/config.php?cmd=id HTTP/1.1" 200 1234 "-" "curl/7.68.0"

Red flags: cmd=id parameter (command injection attempt), user-agent curl/7.68.0 (automated tool), HTTP 200 response (succeeded), /admin/ from external IP (privileged path accessed remotely).

PowerShell Event ID 4104 logs the full content of scripts as they execute. An encoded command:

powershell.exe -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0...

is a strong indicator of obfuscation — decoding the Base64 payload in a sandbox often reveals a reverse shell or dropper.

Analyzing malware presents a fundamental problem: to understand what it does, you must run it — but running it risks infecting your analysis environment. The solution combines two complementary approaches: static analysis (examining code without executing it) and dynamic analysis (executing it in a controlled, isolated environment).

Static Analysis

Static analysis examines a malware sample without executing it. Key techniques:

File Identification and Hashing

The first step is always to hash the file:

sha256sum suspicious_file.exe
# e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Submit the SHA-256 hash to VirusTotal or threat intelligence databases — this immediately reveals if the file is a known malware family.

String Extraction

Running strings against a binary extracts printable ASCII/Unicode sequences, often revealing hardcoded C2 addresses, file paths for dropped payloads, registry persistence keys, and HTTP user-agent strings.

strings -n 8 malware.exe | grep -E "(http|https|cmd|powershell|HKCU|HKLM)"

PE Header Analysis

For Windows PE format executables, tools like PEStudio examine:

• Import Address Table (IAT) — API functions the binary calls. CreateRemoteThread, VirtualAllocEx, WriteProcessMemory indicate process injection.
• Section entropy — packed/encrypted sections have high entropy (close to 8.0). Normal code runs 5–6.
• Digital signature — is the file signed? Is the signature valid or revoked?
• Compilation timestamp — can provide context (though easily falsified)

Disassembly and Decompilation

Ghidra (NIST-released, free) and IDA Pro disassemble binary code into assembly language or pseudo-C, allowing analysts to trace execution logic and identify anti-analysis techniques.

Dynamic Analysis: Sandboxes and Detonation Chambers

When a sample is heavily packed, obfuscated, or uses runtime decryption, dynamic analysis in a sandbox or detonation chamber is required.

The Sandbox Detonation Workflow

1. File submission — analyst uploads sample via UI or API
2. Pre-filter — quick signature check; known malware flagged immediately
3. Detonation — sample executes in isolated VM (Windows, Linux, or Android)
4. Event logging — sandbox monitors all system activity during execution
5. Report generation — analysis returned in human-readable format, typically within minutes

What the Sandbox Monitors

Interpreting a Sandbox Report

VERDICT: MALICIOUS (High Confidence)
MALWARE FAMILY: Ransomware — LockBit variant

NETWORK ACTIVITY:
  DNS: resolves lockbit-news.onion.to — [C2 CHECK-IN]
  HTTP POST: http://45.33.32.156/upload — [DATA EXFILTRATION]

FILE SYSTEM:
  CREATED: C:\Users\Public\readme.txt — [RANSOM NOTE]
  MODIFIED: 847 files with extension change to .locked

REGISTRY:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32 — [PERSISTENCE]

PROCESS:
  cmd.exe -> vssadmin.exe delete shadows /all /quiet — [SHADOW COPY DELETION]

MITRE ATT&CK MAPPING:
  T1486 — Data Encrypted for Impact
  T1490 — Inhibit System Recovery
  T1547.001 — Registry Run Keys / Startup Folder

Sandbox Evasion Techniques

An Indicator of Compromise (IOC) is a forensic artifact that, when observed in a system or network, indicates with high confidence that a security breach has occurred or is in progress. IOCs are the actionable outputs of malware analysis and incident investigation — they answer: "What observable evidence can we use to detect this threat?"

File-Level IOCs: Hash Values

The most precise IOC for a specific file is its cryptographic hash. SHA-256 is the current standard:

ssdeep (fuzzy hashing) identifies malware variants that share significant code regions — useful for tracking malware families even after recompilation.

Network-Level IOCs

IP Addresses

IP IOCs have a short shelf life — attackers frequently rotate infrastructure. Validation rules:

• Exclude private RFC1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
• Exclude loopback (127.0.0.0/8) and link-local (169.254.0.0/16)
• Verify against threat intelligence feeds before blocking
• Check passive DNS history for context

Domain Names

Domain IOCs are more stable than IPs. Malicious domains frequently show:

• Very recent registration (days before the attack)
• DGA patterns — random-appearing names like kqmxplbv.com
• Typosquatting — paypa1.com instead of paypal.com
• Fast-flux DNS — the domain resolves to a different IP every few minutes

System Artifact IOCs

Registry Keys (Windows Persistence)

File System and Process Artifacts

• Dropped executables in C:\Users\Public\, %TEMP%, or %APPDATA%\
• Modified legitimate system binaries (DLL sideloading)
• Processes with no associated executable on disk (process hollowing / fileless malware)
• Unexpected parent process chains (explorer.exe → cmd.exe → powershell.exe)

STIX and TAXII: Sharing Intelligence

STIX (Structured Threat Information eXpression) is a JSON-based language for describing cyber threat intelligence objects:

TAXII (Trusted Automated eXchange of Indicator Information) defines how STIX bundles are distributed. TAXII 2.1 uses REST API endpoints with Collections (named repositories of STIX objects) and Channels (pub/sub for real-time distribution). TAXII consumers (SIEMs, EDR platforms) automatically pull new indicators and create detection rules.

The Pyramid of Pain

David Bianco's Pyramid of Pain ranks IOC types by how difficult they are for attackers to change once defenders start detecting them: