This article has been published on the 10th of Feburary 2020.
The machine on which the analysis takes place, known as the workstation, should be set-up in a safe yet easy to use manner. In this article, several best practice tips will be given, as well as several options to set-up your own analysis workstation.
Note that the precise virtualisation software does not matter. In this course, VirtualBox is recommended, as it is a free and open-source virtualisation tool that fulfills all requirements.
When handling or analysing malicious files, it is best to follow certain best practices. Below, several best practices are given.
Use a different operating system
When using an operating system that is unable to execute the sample type that is generally analysed, one cannot make the mistake to accidentally execute the sample on the host. Even though the chance that one makes this mistake is slim, it is better to prevent than to cure.
When analysing a sample, one should be flexible and make efficient choices on what path to take. Sometimes, it takes a while before the next piece of the puzzle is uncovered. Yet, not all leads result in the next piece of the puzzle. It might be better to approach the problem from a different angle and disregard the previously invested time. This might feel like the previously invested was all in vain, but it provided the insight that was required to alter the method. Additionally, it serves as additional knowledge for future reference.
One way traffic
Sharing files from the host to the guest is required, as the samples need to be transferred in some way. When using a writable shared folder, the samples can alter files in this folder as well. As such, one has to be really careful what is placed in this folder. When mounting an ISO file that contains the sample, there is no way to access the host’s file system from the guest without using an exploit to escape the virtual machine.
Air-gap the system
Restrict the internet access of the VM by default. This prevents an accidental outbreak on your network when executing the malware. Since the internet access is disabled by default, enabling it becomes a conscience choice.
A snapshot of a virtual machine is an exact copy of its state that can be restored at any given moment in the future. As such, one can create a snapshot of a clean system that has all tools installed. Analysing any sample using is then possible. When the investigation is finished, one simply has to restore the snapshot. The restoration of a snapshot does not take longer than a few minutes, which provides a smooth way of working for the analyst.
Note that the restoration of a snapshot reverts all changes that have been made on the virtual machine. This includes notes that were made during the analysis, or unpacked samples that are present on the virtual disk.
To get images of operating systems that are required for both the host and the guest, one can choose between Windows images and Linux distributions. There are two methods to obtain a free Windows 10 ISO. The first one can be done when one already owns a Windows 10 computer, as can be seen here. Alternatively, one can download an image that is designed to test Microsoft’s browsers here. A stable Linux distribution is Ubuntu, which can be found here. Other Linux distributions are freely available, based upon the analyst’s preference.
Whilst keeping the above-mentioned best practices in mind, one can then move on to the workstation itself. Note that one can use more than one (virtual) machine to analyse malware, and that the choice is likely based upon both personal preference, as well as the target architecture of the malware that is usually analysed.
The hardware of the analysis workstation should have 12 gigabytes of RAM as a bare minimum, whereas more is preferred. When working with one or multiple VMs, the read and write speed of a SSD is required. The size does not matter too much, but 512 GB should suffice. A modern CPU, regardless of the vendor, does the job perfectly. There is no need for a GPU in general.
This Windows-based security distribution by FireEye contains the most common analysis tools. The provided script is used to transform a virtual machine into the FlareVM. The installation takes some time, depending on your internet speed and the device’s hardware.
After the installation, the Flare folder on the desktop contains all tools, catagerised in sub folders. Several tools already contain plug-ins, due to which the analyst can focus upon analysing samples, rather than installing software. Updating software can be done centrally, as is described in the text file on the desktop.
Contrary to FlareVM, Remnux is a Linux-based security distribution. It is maintained by Lenny Zeltser and David Westcott. One can import the complete virtual machine into VirtualBox, using the import appliance function, or install it on a virtual machine that runs Ubuntu. All tools can be updated centrally via the repositories.
Aside from the existing solutions, one can always install the preferred tools on a platform of choice. The downside is the fact that the installation takes up a lot of time, as well as maintenance. On the other hand, one can make the workstation precisely based on personal wishes.
Based on the tips and advice in this article, one can create their own analysis workstation. A lot of settings and choice come down to personal preference, but the mentioned best practices ensure a safe way of working at all times.