An Ontology for Digital Forensics in IT Security Incidents - OPUS
Chapter 8
Evaluation
This chapter shows the effectiveness and efficiency of the developed procedure by applying it to four cases. The cases consist of real malware samples that are run on a test system and analysed later.
8.1 Procedure
A VirtualBox [Oracle, 2012] virtual machine with Windows XP SP3 was installed and a snapshot was taken at the first start. The virtual machine has 10 GB hard disk space and 256 MB random access memory. VirtualBox is started with the --dbg --startvm parameters to be able to use the debug console.
For each malware sample the following steps were taken:
1. At first the malware was inserted with a virtual CD, started and allowed to run for a while. Depending on the malware, the system was restarted to find traces that make the malware run at every start of the operating system.
2. Next the system was paused.
3. To extract the hard disk, the command
VBoxManage clonehd --format RAW
was used from a command line.
4. To extract the random access memory, the command
.pgmphystofile
was executed in the debug console that can be started by the Command line... button in the Debug menu.
5. For the next step, the developed program was started to extract the information from the snapshots and put it into the database. As explained in section 7.8, this step took around two hours.
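The acquisition steps 2 to 4 above, scripted as an added example (not code from the thesis). It assumes a VirtualBox release whose VBoxManage offers the debugvm dumpvmcore subcommand as the non-interactive counterpart of .pgmphystofile, and it records a SHA-256 of each image so later analysis can be checked against what was captured; the VM name and disk UUID are placeholders.

```python
"""Scripted acquisition of a paused VirtualBox guest: disk as RAW, memory as vmcore."""
import hashlib
import subprocess
from pathlib import Path


def acquisition_commands(vm_name: str, disk_uuid: str, out_dir) -> list:
    """Return the VBoxManage invocations, in order: pause the guest, clone its
    disk to a RAW image, dump guest physical memory. 'debugvm dumpvmcore'
    writes an ELF core wrapping guest RAM rather than the flat image that
    '.pgmphystofile' produces in the debug console (assumption: a VirtualBox
    release that ships the debugvm subcommand)."""
    out_dir = Path(out_dir)
    return [
        ["VBoxManage", "controlvm", vm_name, "pause"],
        ["VBoxManage", "clonehd", disk_uuid, str(out_dir / "disk.raw"),
         "--format", "RAW"],
        ["VBoxManage", "debugvm", vm_name, "dumpvmcore",
         "--filename", str(out_dir / "memory.core")],
    ]


def sha256_file(path) -> str:
    """Hash an image in 1 MiB chunks so multi-GB files need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(vm_name: str, disk_uuid: str, out_dir) -> dict:
    """Run the acquisition and return {image name: SHA-256} for the evidence log.
    check=True aborts on the first failed step so a half-written image is
    never hashed as if it were complete."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    for argv in acquisition_commands(vm_name, disk_uuid, out_dir):
        subprocess.run(argv, check=True)
    return {name: sha256_file(out_dir / name) for name in ("disk.raw", "memory.core")}


if __name__ == "__main__":
    # Placeholders: take the real values from 'VBoxManage list vms' and 'VBoxManage list hdds'.
    print(acquire("WinXP-SP3", "<disk-uuid>", Path("evidence")))
```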