DIY Malware Analysis · Chapter 9 425

After collecting network and currently running process data, you should have enough information about the current state of the machine to go forward and collect non-volatile data, in order to determine the initial infection vector.

Collecting Non-volatile Data

Non-volatile data (meaning data stored in files on the infected machine) is easier to collect, since you no longer have to trust the running operating system. The typical approach is to boot the machine from a trusted (known safe) CD-ROM or other non-writeable medium. This way you can be sure that the operating system you are working under has not been compromised by the malware you are hunting; the malware on the disk is inert unless you execute it.

The following steps depend on the actions you may want to pursue later. If there is any chance that this forensic analysis might lead to legal action, you should follow proper, specialized incident procedures, which you should have in place and written down before the incident actually happens. (Best get writing now!) This step typically involves creating at least two images of the hard disk from the compromised system, together with their checksums. (SHA-1 checksums are the traditional recommendation; since practical SHA-1 collisions have since been demonstrated, record SHA-256 checksums as well.) One of these images is stored safely so that you can perform the forensic investigation on the other. This way, should the incident end up as the subject of a court case, there is a chain of custody and it can be proved that the original image has not been tampered with. Record who took each image, when, and with which tool, and keep the checksums with that record.

If, on the other hand, you are only performing an internal malware analysis and there is no likelihood of legal involvement, you might want to mount the hard disk of the infected machine directly under a live Linux distribution (such as Knoppix, www.knoppix.org) and begin collecting files and data. Even then, mount it read-only (and with noexec) so that you neither alter timestamps on the evidence nor accidentally run anything from it.
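The imaging procedure described above, written out as a shell script. This is an added example and not code from the book: it takes two raw images of the suspect disk, records SHA-256 (and, for older procedures, SHA-1) checksums beside each image, checks that the two images are identical before one is sealed away, and mounts the working copy read-only. It assumes GNU coreutils (dd, sha256sum, sha1sum), a placeholder device name /dev/sdb, and that mounting is done as root with the partition offset taken from `fdisk -l` on the image.

```shell
#!/bin/sh
# Added example, not code from the book. Assumptions: the suspect disk is
# /dev/sdb (placeholder), GNU coreutils are available, and the mount step
# runs as root with a known partition offset.
set -eu

# acquire_image SRC DST: sector-by-sector copy of a block device (or, for
# testing, a plain file). bs=512 with conv=sync,noerror means an unreadable
# sector is written as 512 zero bytes instead of aborting the whole copy.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=sync,noerror status=none
}

# hash_image IMG: write IMG.sha256 and IMG.sha1 next to the image and print
# the SHA-256 line. SHA-1 is kept only for compatibility with procedures that
# still call for it; SHA-256 is the value to rely on.
hash_image() {
    sha256sum "$1" > "$1.sha256"
    sha1sum   "$1" > "$1.sha1"
    cat "$1.sha256"
}

# verify_image IMG: succeed only if IMG still matches its recorded SHA-256.
verify_image() {
    sha256sum -c --quiet "$1.sha256" >/dev/null 2>&1
}

# images_match A B: succeed only if the two files have identical SHA-256.
images_match() {
    [ "$(sha256sum < "$1")" = "$(sha256sum < "$2")" ]
}

# mount_working_copy IMG MNT OFFSET: mount one partition inside the raw image
# read-only; noexec,nodev,nosuid keep anything on it from being run by
# accident. OFFSET is the partition's start sector times 512 (fdisk -l IMG).
mount_working_copy() {
    mkdir -p "$2"
    mount -o ro,noexec,nodev,nosuid,loop,offset="$3" "$1" "$2"
}

case "${1:-}" in
    acquire)   # usage: ./acquire.sh acquire /dev/sdb /evidence
        acquire_image "$2" "$3/evidence.img"
        acquire_image "$2" "$3/working.img"
        hash_image "$3/evidence.img"
        hash_image "$3/working.img"
        if images_match "$3/evidence.img" "$3/working.img"; then
            echo "images identical; seal evidence.img and work on working.img"
        else
            echo "images differ (bad sectors?); re-acquire before proceeding"
            exit 1
        fi
        ;;
    mount)     # usage: ./acquire.sh mount /evidence/working.img /mnt/suspect 1048576
        verify_image "$2" || { echo "working image checksum mismatch"; exit 1; }
        mount_working_copy "$2" "$3" "$4"
        ;;
    *) ;;      # no arguments: only define the functions
esac
```

Run `verify_image` on the sealed evidence image before it goes into storage and again whenever it is brought out; the two checksum files and the acquisition log are what the chain of custody rests on. Where a hardware write blocker is available, put it between the suspect disk and the acquisition host so that even a mistaken `dd` direction cannot touch the original.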
If you do not feel comfortable working under Linux, you can still create a hard disk image of the infected machine and mount it on a different Windows machine, where you can use Windows tools for the analysis. This has certain advantages, such as being able to scan the acquired image with your AV directly, but be aware that you may be exposing the host machine to the malicious software, especially if you decide to execute any files from the acquired image or let the host open them automatically. It is best to have a separate, isolated machine for this purpose.

Determining the Initial Vector

At this point, having collected all volatile data, you should have enough information about the infection status of the machine, and you will now be interested in determining the infection vector. Before going into a deep technical analysis of the malware, it is always recommended that you approach the user or owner of the machine and ask for as much detail as possible about possible infection vectors. In many cases, the user will at least be able to tell you whether he or she executed a file or was casually browsing the Internet. However, do not be surprised if the user breached internal policy (for example, by using a peer-to-peer program) and is hesitant and evasive about what really happened.