How To Use AXIOM In Malware Investigations: Part II

Hey everyone, Tara Nelson here with Magnet Forensics. Today I’m going to give a little insight into how AXIOM can help with some of your day-to-day investigations. In this video we’re going to talk a little bit about malware investigations.

There is a Part I to this segment, in which I focus on reviewing memory as part of a malware investigation in AXIOM, so if you haven’t seen that yet, I encourage you to go check it out. This video will focus on additional key features that AXIOM has to offer that could also be useful in a malware examination.

To start off, I’ve identified this process of interest, named ‘Fake Intel’, through our Volatility output from memory, that I believe could be malicious.

Because we also have the endpoint loaded into our case, we can quickly see if there are any correlating artifacts on the operating system that might be useful to our examination.

So I’m going to go ahead and search for that name up here, and hit Enter. And then I can switch to our operating system artifacts. And you can see that there are a few places where this process appears on the endpoint: there are prefetch files; there are references in Windows event logs – you can see that highlighted when I scroll down here – and here we can also see this Fake Intel executable in the AutoRun Items.

So it’s always pretty key to try and determine how malware maintains persistence on the infected workstation, and one of the common locations that is used is the run key in the user’s registry hive.

So we can see here pretty easily that this potentially malicious executable file, that’s referenced in the run key of this user’s NT registry hive, will be launched each time the user logs in from the location in the user’s Temp folder.

Doing analysis within AXIOM allows us to use some additional features within the tool, such as building a timeline of activity to see the different types of events that happen when this incident occurred.

The timeline in AXIOM includes file system dates and times, as well as the timestamps associated with the artifacts that are parsed out. So I’m going to go ahead and build a timeline out of this modified registry key date and time. I’m going to see what happens one minute before and after, and it’s going to open in the Timeline explorer.

When I click ‘OK’, as you can see as I’m scrolling through, there are artifacts here as part of this timeline that are both from the infected operating system, and we can also see activity from the memory image as well.

So you can really see the advantage of having all your evidence sources in one interface, to be able to correlate all of this data and really get an idea of the events that occurred in your evidence during a malware incident.

AXIOM also allows you to build connections, to give you an idea of how artifact attributes in your case are related across all of your evidence items.

So you can see I’m able to build connections off of anything that has this little icon next to it. So I click that, and I build it off of that file name of interest. And now you can see it gives a representation of related artifacts: some are from the memory, and some are also from the operating system as well.

So those are just a couple of tips of how AXIOM can help in a malware examination. We hope you try it out. Thanks for watching, everyone.
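The two correlation steps described above, pivoting a timeline one minute either side of the run key's last-write time and building connections off a file name across memory and operating system artifacts, as an added Python example that is not part of the video or of AXIOM itself. The artifact records, file names, paths and timestamps are constructed for illustration; a run-key value pointing into the user's Temp folder is flagged as the persistence indicator the video calls out.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample artifacts (not the video's case data): one record per parsed
# artifact, tagged with the evidence source it came from. Timestamps are UTC ISO-8601.
ARTIFACTS = [
    {"source": "memory", "type": "process",      "name": "fakeintel.exe", "ts": "2019-03-05T14:02:10"},
    {"source": "memory", "type": "network_conn", "name": "fakeintel.exe", "ts": "2019-03-05T14:02:15"},
    {"source": "os",     "type": "run_key",      "name": "fakeintel.exe", "ts": "2019-03-05T14:02:00",
     "value": r"C:\Users\alice\AppData\Local\Temp\fakeintel.exe"},
    {"source": "os",     "type": "event_log",    "name": "fakeintel.exe", "ts": "2019-03-05T14:02:11"},
    {"source": "os",     "type": "prefetch",     "name": "fakeintel.exe", "ts": "2019-03-05T14:02:12"},
    {"source": "os",     "type": "prefetch",     "name": "notepad.exe",   "ts": "2019-03-05T14:02:30"},
    {"source": "os",     "type": "event_log",    "name": "svchost.exe",   "ts": "2019-03-05T13:40:00"},
]


def persistence_pivot(artifacts):
    """Return the last-write time of the first Run key artifact, the timeline pivot used in the video."""
    for a in artifacts:
        if a["type"] == "run_key":
            return datetime.fromisoformat(a["ts"])
    return None


def launches_from_temp(run_key_value):
    """True when a Run key value executes something out of a user's Temp folder (constructed heuristic)."""
    return "\\temp\\" in run_key_value.lower()


def timeline_window(artifacts, pivot, minutes=1):
    """All artifacts, from every evidence source, within +/- `minutes` of the pivot, oldest first."""
    lo, hi = pivot - timedelta(minutes=minutes), pivot + timedelta(minutes=minutes)
    hits = [a for a in artifacts if lo <= datetime.fromisoformat(a["ts"]) <= hi]
    return sorted(hits, key=lambda a: a["ts"])


def connections(artifacts, attribute, value):
    """Group the artifact types that share one attribute value, keyed by evidence source."""
    related = defaultdict(list)
    for a in artifacts:
        if a.get(attribute) == value:
            related[a["source"]].append(a["type"])
    return dict(related)


if __name__ == "__main__":
    pivot = persistence_pivot(ARTIFACTS)
    for a in timeline_window(ARTIFACTS, pivot):
        print(a["ts"], a["source"], a["type"], a["name"])
    print(connections(ARTIFACTS, "name", "fakeintel.exe"))
```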

About Scar de Courcier

Scar de Courcier is Senior Editor at Forensic Focus.
