Computer Forensics - Analysing hostile code
This week you need to analyse software. In forensics practice you will often have to analyse hostile code. To stay safe, we do not recommend that you take the risk of analysing real hostile code; however, if you can set up a secure, isolated environment and decide to gain some real experience by analysing a real hostile program, you may do so. Select the software to investigate (e.g., WinWord, Notepad, etc.) as soon as possible. Then use tools such as pslist, PMDump, handle or Holodeck to find out what kind of external resources it uses (files, registry keys, network connections and other handles). To understand it more deeply, also try to work out why it uses each of those resources. Write a report on your findings and submit it in the assignment folder by the end of this week.
Some Hints:
For Linux systems, the following is a list of commands that you may use to analyze binaries:
md5sum, file, strings (e.g., strings -a xxx | more), hexdump (e.g., hexdump -C -v xxx | more), nm, ldd, readelf, objdump, strace (e.g., strace -o strace.txt -x -e write=all -ff ./xxx), gdb.
For Windows, you may use the Sysinternals tools (sysinternals.com) and also the following commands:
edit, cl, type, and the Cygwin-based Linux commands listed above.
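As an added example that is not part of the assignment text, the following Python script parses the trace that the strace command line above writes to strace.txt (one file per process with -ff) and summarises the external resources the program touched: files it opened and whether the open succeeded, network endpoints it connected to, and programs it executed. The strace lines below are constructed for illustration, not captured from a real program.

```python
import re

# Constructed sample of strace output (the kind of lines written by
# "strace -o strace.txt -x -e write=all -ff ./xxx"); not from a real run.
SAMPLE_STRACE = r"""execve("./xxx", ["./xxx"], 0x7ffd1234 /* 20 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/tmp/out.dat", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
write(4, "\x68\x65", 2) = 2
 | 00000  68 65                                             he               |
+++ exited with 0 +++
"""

# One syscall per line: name(args) = return [errno and message]
LINE_RE = re.compile(r'^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|\?)(?P<rest>.*)$')


def summarize_strace(text):
    """Group resource-touching syscalls from an strace log.

    Returns {"files": {path: "ok" | errno}, "network": [(ip, port)], "exec": [path]}.
    """
    summary = {"files": {}, "network": [], "exec": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # -e write=all hex dumps, exit status and other non-syscall lines
        name, args, ret = m.group("name"), m.group("args"), m.group("ret")
        paths = re.findall(r'"([^"]*)"', args)
        if name in ("open", "openat") and paths:
            path = paths[-1]  # for openat the path follows the dirfd argument
            if ret == "?":
                summary["files"][path] = "unfinished"
            elif int(ret) >= 0:
                summary["files"][path] = "ok"
            else:
                summary["files"][path] = m.group("rest").split()[0]  # e.g. EACCES
        elif name == "connect":
            port = re.search(r'htons\((\d+)\)', args)
            addr = re.search(r'inet_addr\("([^"]+)"\)', args)
            if port and addr:
                summary["network"].append((addr.group(1), int(port.group(1))))
        elif name == "execve" and paths:
            summary["exec"].append(paths[0])
    return summary


if __name__ == "__main__":
    for key, value in summarize_strace(SAMPLE_STRACE).items():
        print(key, value)
```

Run it against each strace.txt.PID file to get a per-process view; a failed open of a sensitive file or an unexpected outbound connection is exactly the kind of finding to explain in the report.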