Sunday, February 14, 2016

Got Tools?

I was recently approached about what tools might be good for use in a malware lab, so I created a directory listing of my "Tools" hard drive and then just added a little formatting.  Afterward, I decided that the list I had might be helpful to others who may be building a virtual lab analysis environment for the first time (malware or otherwise), so just in case it's useful to others, I figured I would post it.  The list is by no means exhaustive, and by its nature includes some duplicates, but it does (in my humble opinion) seem to represent a nice blend of both malware analysis and digital forensics tools. Enjoy!

Update: I had a long plane ride after I wrote the above post, and I wanted to address a follow-up question my friend had about building a malware lab.  I may devote an entire post to that down the road; for now, a couple of quick updates. I was asked which flavor of OS to use, and I have a couple of thoughts about that...

(1) If you're building the lab for your work environment, and most of your users have a standard image, there is an argument for using that exact configuration.  That way, when testing a piece of malware, you may have a better sense of how it would behave in your environment.

(2) No matter which OS you choose, if you are using VMware to detonate malware, make sure you turn OFF memory (page) sharing for the analysis VM...just to be safe!
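One way to act on point (2) without clicking through the GUI for every lab VM. This is an added example, not part of the original post: a small POSIX shell audit that reads a VM's .vmx file, reports whether the per-VM page-sharing switch is on, and rewrites the file to turn it off. The key name `sched.mem.pshare.enable` is VMware's documented per-VM setting; the function names and the sample .vmx content are this example's own and are constructed so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original post): audit a VMware .vmx file for the
# per-VM page-sharing switch and disable it if it is missing or enabled.
# sched.mem.pshare.enable is VMware's documented per-VM key; the function
# names and the constructed sample VM below are this example's own.

# pshare_state FILE -> prints "disabled", "enabled" or "unset"
pshare_state() {
    file="$1"
    # take the last occurrence of the key, strip quotes/spaces, lowercase it
    val=$(grep -i '^[[:space:]]*sched\.mem\.pshare\.enable[[:space:]]*=' "$file" \
          | tail -n 1 | sed 's/.*=[[:space:]]*//; s/[" ]//g' | tr 'A-Z' 'a-z')
    case "$val" in
        false) echo disabled ;;
        '')    echo unset ;;
        *)     echo enabled ;;
    esac
}

# disable_pshare FILE -> rewrites FILE so page sharing is off for that VM
disable_pshare() {
    file="$1"
    tmp="$file.tmp.$$"
    # drop any existing setting (enabled or not), then append the hardened one
    grep -iv '^[[:space:]]*sched\.mem\.pshare\.enable[[:space:]]*=' "$file" > "$tmp" || true
    printf 'sched.mem.pshare.enable = "FALSE"\n' >> "$tmp"
    mv "$tmp" "$file"
}

# Constructed sample .vmx (not a real VM) with the weak setting present.
make_sample_vmx() {
    file="$1"
    cat > "$file" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-lab-vm"
memsize = "2048"
sched.mem.pshare.enable = "TRUE"
EOF
}

# Stand-alone run: build the sample, show before/after.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    make_sample_vmx "$f"
    echo "before: $(pshare_state "$f")"
    disable_pshare "$f"
    echo "after:  $(pshare_state "$f")"
    rm -f "$f"
fi
```

Run it against each lab VM's .vmx only while that VM is powered off, since VMware rewrites the file on power-on/off and can clobber manual edits. This is the per-VM switch; the host-wide memory-sharing settings differ between Workstation, Fusion and ESXi, so check your product's documentation for those.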


H. Carvey said...

Interesting list, I'd be more interested in how they're used.

Also, there are tools that appear to be under the wrong "heading"...why would a JumpList or LNK file parser be listed under "Registry"?

Mary Ellen said...

Wow! Harlan Carvey! I was in an airplane all day and when I landed I couldn't believe my eyes when I looked at my messages! Thank you for your post! What a privilege that you reached out to me. I'm a little star-struck, I must admit!

You mentioned the placement of the JumpList and the LNK parsers under the Registry heading. I have always kept those tools together like that since, in one of my former roles, I was often tasked with giving the client a very quick report of initial findings, and those were always some of the first things I ran, and I always ran them closely together.

The Tools listing was a straight dump of the "Tools" folder on my hard drive, basically a directory listing, and I didn't take the time to dedupe or move items around, but your post got me thinking. I could perhaps spend some time on building out that listing, maybe with a blurb about each one and a link on where to get it. Or, I even thought that I could pull a David Cowen and try to post a how-to video about one tool a day until I got through them all, but alas, as my posting history shows, I haven't found time to post much at all since taking on a more intense work role in which I start my day at 5AM, and then once I've finished my day job by 5PM, it's all about family ...picking them up, cooking dinner, helping with homework, reading bedtime stories, packing lunches, and most evenings I don't even turn on my computer.

So, lots to think about. I don't know if I will be able to carve out enough time in my day to take action, but I do have a 30 minute train ride, twice a day, every day, and maybe I can start posting a tiny blurb about each tool as time allows?

Thank you for your thought-provoking comment! I'm a huge admirer of all your work! I have played and replayed your videos, and read and reread your blog posts over the years. I do want to give back to the community, so your words and many examples are not taken lightly.