Evaluating Malware Forensics Tools

TL;DR

This paper demonstrates a systematic framework for evaluating malware forensics tools through case studies, identifying optimal execution times and differences between tools in malware behavior observation.

Contribution

It introduces the Malware Analysis Tool Evaluation Framework (MATEF) and applies it to empirically assess forensic tools using a large malware sample.

Findings

Optimal execution time for malware analysis identified

Differences observed between forensic tools in malware behavior detection

Framework proves effective for systematic malware tool evaluation

Abstract

We present an example implementation of the previously published Malware Analysis Tool Evaluation Framework (MATEF) to explore if a systematic basis for trusted practice can be established for evaluating malware artefact detection tools used within a forensic investigation. The application of the framework is demonstrated through a case study which presents the design of two example experiments that consider the hypotheses: (1) Is there an optimal length of time in which to execution malware for analysis and (2) Is there any observable difference between tools when observing malware behaviour? The experiments used a sample of 4,800 files known to produce network artefacts. These were selected at random from a library of over 350,000 malware binaries. The tools Process Monitor and TCPVCon, popular in the digital forensic community, are chosen as the subjects for investigating these two questions. The results indicate that it is possible to use the MATEF to identify an optimal execution time for a software tool used to monitor activity generated by malware.