I was recently working on a case in tandem with a law enforcement agency. I was given a RAM dump and some volatile data output and asked if I could see any signs of malware in a Point of Sale (POS) system. Taking what I believe (and what has been proven) to be a solid approach, I started looking at the RAM dump for binaries with standard names running from non-standard locations, or binaries with subtle misspellings.
Not finding anything there...I have done my own research on which API function calls are made by the main types of POS malware, namely RAM dumpers, Key Loggers, and Network Sniffers...so I looked for those APIs in temporal proximity to each other in memory. I am still working out the methodology, but the technical specifics are solid. Anyway...I didn't find anything.
Next, I pulled up my volatile data and started looking for which services were running and from where. This is normally not something I do manually, but since I had nothing else to go on, and since I was doing it as a favor for an LE buddy, I grabbed some coffee and Pretzel M&Ms (I know right...they are like crack) and manually went through the list of running services using the same methodology...right name, wrong directory, or slightly misspelled name, right directory (for the answer to why I do this, check this out... http://support.microsoft.com/kb/222193).
Aaaand...I still found nothing. So I went back to my buddy and asked for some more context. Why was this particular location under the impression that they were compromised? What were the factors that led them to believe that? Was there fraud? Customer complaints? What was the timeframe from when they "thought" there was a problem until the RAM and voldata were acquired? Basically, his answer to all of my questions was an email forwarded to me from another LE who was looking at the evidence.
The email stated that this individual believed that the system was compromised and that the attackers were in China. So of course, I asked, "What makes you think that?" His answer was that he saw multiple references to .cn URLs as well as IP addresses that resolved to China.
So, my next question was, "Under what context did you find that information? Was it an email from somebody talking about Chinese language websites? Was it someone doing research on the Great Wall of China? Simply seeing IPs and country codes in URLs does not equal malware."
Again, my response was a bit nebulous, "We have confirmed that these are malicious."
OK...so wanting to know what the dude was looking at, I pulled up the RAM dump and grepped for the URL he provided in the email. It was definitely there. Next, I wanted to see the context, so I again used grep, but this time with the -C (context) option and grabbed 5 lines on either side of the hit.
The syntax looks like this:
strings memdump.img | grep -C 5 -i chineseurl.cn
What I saw was more IP addresses. Odd...so I increased the line count...10, then 50, then 100, then 200, then 250. It was a list of about 500 IP addresses and URLs. And what, my friends, contains lists of known bad IP addresses and URLs on a computer? Right...AV and firewall programs do.
This was not a "hit" from a Chinese hacker, this was a blacklist from the desktop firewall. By taking a step back and gathering more information regarding the context of the finding, I was able to determine what exactly I was looking at...I made it more than a random piece of data...I made it a piece of data with adequate context so as to understand its role on the system.
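The widening-window check described above can be made repeatable. The following is an added example, not code from the original post: it measures how much of the neighbourhood around a hit is itself nothing but IP addresses, hostnames or URLs, which is what a blocklist looks like in `strings` output. The function names, file names and sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# A line that is nothing but an IPv4 address, hostname or URL (heuristic:
# file names such as foo.dll also match, so read the window as well).
IOC_RE='^[[:space:]]*((https?://)?([A-Za-z0-9-]+\.)+[A-Za-z]{2,}(/[^[:space:]]*)?|([0-9]{1,3}\.){3}[0-9]{1,3})[[:space:]]*$'

# context_density FILE PATTERN RADIUS
# FILE holds `strings` output. Prints the percentage of lines within RADIUS
# lines of the first case-insensitive hit on PATTERN that match IOC_RE.
context_density() {
    file=$1 pattern=$2 radius=$3
    hit=$(grep -n -i -F -- "$pattern" "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$hit" ]; then echo "no hit" >&2; return 1; fi
    start=$((hit - radius))
    if [ "$start" -lt 1 ]; then start=1; fi
    window=$(sed -n "${start},$((hit + radius))p" "$file")
    total=$(printf '%s\n' "$window" | wc -l)
    iocs=$(printf '%s\n' "$window" | grep -c -E "$IOC_RE" || true)
    echo $((iocs * 100 / total))
}

# Constructed sample data (not from the case): a list-style run of addresses
# around the hit, and the same URL as a lone reference in message text.
make_samples() {
    dir=$1
    {
        echo "FwRuleSet v3"
        i=1
        while [ "$i" -le 20 ]; do
            echo "192.0.2.$i"
            echo "host$i.example"
            if [ "$i" -eq 10 ]; then echo "chineseurl.cn"; fi
            i=$((i + 1))
        done
        echo "EndRuleSet"
    } > "$dir/blocklist.txt"
    printf '%s\n' "Subject: trip photos" "Hi, the tour operator's site is" \
        "http://chineseurl.cn/greatwall" "Let me know if the dates work." \
        "Regards" > "$dir/lone.txt"
}

d=$(mktemp -d); make_samples "$d"
echo "list-style context: $(context_density "$d/blocklist.txt" chineseurl.cn 5)%"
echo "lone reference:     $(context_density "$d/lone.txt" chineseurl.cn 5)%"
```

Against a real image, write the output of `strings memdump.img` to a file first and pass that file in. A high percentage says the hit sits inside a list and the next step is to identify which program owns that list; it does not by itself say the list is benign.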
Unfortunately, I have seen this scenario play out numerous times. In fact, I have worked cases in the past with former team members that have done the exact same thing. They take a single piece of information, and arbitrarily assign value to it based on their assumptions of what it should mean.
Do NOT make this mistake in your investigations! Instead, take a step back and look at the context that surrounds that data element. Decide what role that piece of the puzzle plays in the overall picture. Don't assign value without knowing if there's even value to be assigned.
I have said this for the past three years in my Sniper Forensics talks...NEVER allow your theory to shape how you look at the evidence. Allow the evidence to shape your theory! You will be a more effective and efficient investigator.
