DYNAMIC ANALYSIS
Dynamic analysis involves actually running a program to see what it does. There are a number of tools that you can use to analyze an unknown program’s behavior. Before we proceed, we need to talk about safety. Think about it. Does running an unknown, possibly malicious program on your forensics workstation sound like a good idea? You have two basic choices. Either you can use some spare hardware that is disconnected from the network and used only for examining unknown files, or you can set up a virtual machine using VirtualBox, VMware, or other virtualization software.
The separate machine is the safest option. This allows you to run the program with reckless abandon, knowing that you will re-image the machine when you are done with your analysis. Virtualization is definitely more convenient, but there is potential risk to your host machine if you misconfigure the virtual machine. If you do use virtualization, make sure that you have no network connections to the virtual machine. Also, be aware that some smart malware will detect that it is being run inside a virtual machine and refuse to run or, even worse, attempt to exploit possible vulnerabilities in the virtualization software to attack the host machine.
If you need an image for your virtual machine, you could use a fresh install of your favorite Linux distribution. If you think you will be investigating unknown binaries often, you might consider backing up the virtual disk file after you have installed all of your tools and before transferring any unknown files to the virtual machine. Remember that most virtualization software will install a NAT network interface out to the Internet, which you should disable! If you really want to duplicate the subject system, you can create a virtual machine from the subject disk image. This assumes that you have sufficient disk space, RAM, etc. The command to convert the raw image to a virtual hard disk file, if you are using VirtualBox, is vboxmanage internalcommands converthd -srcformat raw -dstformat vhd <input.raw> <output.vhd>, where the last two arguments are the raw image you are converting and the VHD file to be created.
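As an added example (not from the book), here is a small POSIX shell check to run before copying any unknown file into the analysis VM: it reads the machine-readable output of vboxmanage showvminfo, flags every network adapter that is not set to "none", and prints the modifyvm command that would disable it. The VM name analysis-vm and the showvminfo sample are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Verify that a VirtualBox analysis VM has no enabled network adapters.
# `vboxmanage showvminfo <vm> --machinereadable` prints one adapter per
# line as nicN="<mode>"; the mode "none" means the adapter is disabled.

# Constructed sample of showvminfo output (only the relevant keys kept);
# the name "analysis-vm" is an assumption for this example.
SAMPLE_VMINFO='name="analysis-vm"
nic1="nat"
nic2="none"
nic3="hostonly"
nic4="none"
VMState="poweroff"'

# check_isolated <vm-name>: reads showvminfo output on stdin. For each
# adapter that is not "none" it prints a warning and the exact command
# that disables it. Returns 0 if the VM is fully isolated, 1 otherwise.
check_isolated() {
    vm="$1"
    active=0
    while IFS= read -r line; do
        case "$line" in
            nic[0-9]*=*) ;;          # only nic1=, nic2=, ... lines
            *) continue ;;
        esac
        key=${line%%=*}              # e.g. nic1
        mode=${line#*=}              # e.g. "nat" (with quotes)
        mode=${mode#\"}
        mode=${mode%\"}
        if [ "$mode" != "none" ]; then
            active=$((active + 1))
            echo "ACTIVE: $key is '$mode'; disable with: vboxmanage modifyvm $vm --$key none" >&2
        fi
    done
    [ "$active" -eq 0 ]
}

# Live check (uncomment on a host with VirtualBox installed):
# vboxmanage showvminfo analysis-vm --machinereadable | check_isolated analysis-vm

# Offline demonstration on the constructed sample: reports nic1 and nic3.
printf '%s\n' "$SAMPLE_VMINFO" | check_isolated analysis-vm \
    && echo "analysis-vm is isolated" || echo "analysis-vm is NOT isolated"
```

Re-run the check after every snapshot restore, since a restored snapshot brings back whatever adapter settings it was taken with.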
FIGURE 10.18
Running the PAS subject system in a VM after converting the raw image to a VHD file.