Windows Forensic Analysis Toolkit

Chapter 6: Executable File Analysis

Introduction

At times during an investigation you might come across a suspicious file and decide that you'd like to perform some analysis of that file to get an idea of what it does or what function it performs. Often an intruder leaves behind scripts or configuration files, generally text files that can be opened and viewed. In the case of scripts, some knowledge of programming might be necessary to fully understand the function of the file.

In Chapter 5 we discussed file signature analysis, a method for determining whether a file had the correct file extension based on the file's type. This is one of the most simple means of obfuscation used by an attacker to hide or mask the presence of files on a compromised system; by changing the filename and extension, the attacker can (often correctly) assume that if the administrator discovers a file with an extension such as .dll, he won't be very eager to access it and determine its true nature.
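The file signature check referred to above can be automated with a small magic-number table. The following is an added example written for this page, not code from the book or its author; the signature and extension tables are illustrative rather than exhaustive, and the sample bytes are constructed inline. Beyond the plain leading-bytes comparison, it also follows the DOS header's e_lfanew field to confirm that an "MZ" file really carries a PE header, which is the difference between a Windows executable and a bare DOS stub or a truncated file.

```python
import struct
from pathlib import PurePath
from typing import Optional, Tuple

# Leading-byte signatures ("magic numbers") for a few common types.
# Illustrative table only; real tooling carries hundreds of entries.
SIGNATURES = {
    b"MZ": "pe_or_dos",            # DOS header; a PE is confirmed separately
    b"PK\x03\x04": "zip",          # also the container for docx/xlsx/jar
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"\x7fELF": "elf",
}

# Extensions one would expect to see for each detected type.
EXPECTED_EXTENSIONS = {
    "pe": {".exe", ".dll", ".sys", ".scr", ".ocx", ".drv", ".cpl"},
    "pe_or_dos": {".exe", ".com"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"},
    "png": {".png"},
    "pdf": {".pdf"},
    "elf": {"", ".so", ".o"},
}


def has_pe_header(data: bytes) -> bool:
    """Follow IMAGE_DOS_HEADER.e_lfanew (offset 0x3C) and look for 'PE\\0\\0'."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Slicing tolerates an e_lfanew that points past the end of the data.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def identify(data: bytes) -> Optional[str]:
    """Return the detected type name, or None if no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            if kind == "pe_or_dos":
                return "pe" if has_pe_header(data) else "pe_or_dos"
            return kind
    return None


def extension_mismatch(name: str, data: bytes) -> Tuple[Optional[str], bool]:
    """Return (detected_type, mismatch). mismatch is True when the name's
    extension is not one expected for the detected type."""
    kind = identify(data)
    if kind is None:
        return None, False
    ext = PurePath(name).suffix.lower()
    return kind, ext not in EXPECTED_EXTENSIONS[kind]


# Constructed sample: a minimal DOS header whose e_lfanew points at a PE signature.
_buf = bytearray(0x44)
_buf[0:2] = b"MZ"
struct.pack_into("<I", _buf, 0x3C, 0x40)
_buf[0x40:0x44] = b"PE\x00\x00"
SAMPLE_PE = bytes(_buf)

# Constructed sample: "MZ" with no valid PE header behind it.
SAMPLE_DOS_STUB = b"MZ" + b"\x00" * 10

# Constructed sample: a zip local-file header prefix.
SAMPLE_ZIP = b"PK\x03\x04" + b"\x14\x00\x00\x00"


if __name__ == "__main__":
    for name, blob in [("notes.txt", SAMPLE_PE), ("svchost.exe", SAMPLE_PE),
                       ("old.com", SAMPLE_DOS_STUB), ("report.docx", SAMPLE_ZIP)]:
        kind, bad = extension_mismatch(name, blob)
        print(f"{name:12s} type={kind!s:10s} extension_mismatch={bad}")
```

In practice the check is run over every file under review, and a renamed executable (a PE body under a .txt or .log name, say) surfaces as a mismatch regardless of what the extension suggests.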

In this chapter, we'll discuss ways in which you, the investigator, can attempt to determine the nature of an executable file. We will present tools and techniques you can use to gather information about an executable file and get clues about the purpose it serves. This discussion will not be simply about malware analysis; rather, we will present techniques for analyzing executable files in general, of which malware might be just one class. We'll discuss several analysis techniques, but we will stop short of any...
