Amanda Rousseau talks about computer forensics investigations
Amanda Rousseau, aka Malware Unicorn, discusses her time in computer forensics investigations with the DoD, as well as the joys of reverse engineering malware encryption by hand.
Amanda Rousseau, the senior malware researcher at Endgame who is also known as Malware Unicorn, began her career working for the Department of Defense Cyber Crime Center performing computer forensics investigations before moving into the private sector.
At Black Hat USA 2018, Rousseau talked about her experiences with dead box computer forensics investigations -- studying a device after a crime has been committed in order to find evidence -- how to de-stress after spending a week reverse engineering malware encryption, and how to tell the difference between code written by a script-kiddie and a nation-state actor.
This interview was edited for length and clarity.
What was your role in computer forensics investigations?
Amanda Rousseau: When I did forensics, I did criminal investigation. So if there was a murder, if there was domestic terrorism or something like that, they would give me the hard drive and I would analyze it.
It was very specific; it's not really intrusions, right? Intrusions are more dynamic. But even when you talk about attribution, I cringe because no one really wants to put their finger on where it came from, exactly. If you get it wrong, you could start a war.
I was never on threat intel, thank goodness. I was mainly doing case-by-case, just looking at a certain thing in malware, writing a report on it, giving it up to someone else so that they can do the groundwork. I was more behind the scenes.
Even now, I feel like it's my job to take out all of the interesting information for them to put the clues together on there. Because when you think about when an FBI agent, or someone that's doing the investigation, [they know] much more that I don't know outside of what I see. I can only give my nonbiased results from what I've analyzed. And they can put the clues together themselves.
It takes a team. It takes a team to do that kind of stuff.
When it comes to computer forensics investigations, what were the challenges in ensuring the evidence was accurate?
Amanda Rousseausenior malware researcher, Endgame
Rousseau: We had to prove that that person was at the computer at that time. Because there would be incidents where the wife's husband, boyfriend, or whatever would be at her computer or vice versa. So you really couldn't put that person at the computer doing that thing. Maybe there was a camera that took a picture that [proved] they were there, or maybe their alibi would prove that they were at the computer. But it's really hard, even for that tiny moment in time, for dead box forensics.
For intrusion forensics, it's completely different. You can trace the IP [address] to the server, and it's another jump server, and then you see who owns the server, and then the people on the ground have to go trace who's at that address who owns the server and you get all the credit card accounts that paid for that server.
What was the most difficult thing that you had to do in dead box cyber forensics investigations?
Rousseau: One difficult thing was when I was learning; it was just a learning curve. All you had to do was do it more and practice. It's kind of like reversing; the more you do it, the more experience you get and [you] see quicker ways to do things.
I think when I did intrusions investigation, the hardest thing to do was encryption, because you have to sit there and try to identify encryption algorithms backwards. And so you're sitting there with pen and paper like, 'OK. This bit gets flipped here.' And you're writing the whole algorithm down and trying to visualize it. And then you'd identify, 'Oh, it's doing this.' And that's like a week's worth of work. But it's fun. It's like a puzzle to me.
A week-long puzzle, though. It sounds taxing.
Rousseau: Yeah. You really have to time-manage your brain. Like, 'OK, it's the end of the day. I'll put my notes down." Next day, pick it back up, figure it out.
What's a good way to decompress when trying to reverse encryption like that?
Rousseau: You know, it's funny because there's a lot of reverse engineers that are runners, or triathletes. So I haven't done a lot of running this year, but before, I was marathon training. Because you're sitting there for hours and hours ... just staring at code. We forget to stand up and move around and everything. But running was my only way to ...
Overcompensate with marathons.
Rousseau: Yeah, exactly.
Now, rather than cyber forensics investigations, you're mainly doing reverse engineering of malware. Can you walk us through that process?
Rousseau: Pretty much my day-to-day job is looking at malware, taking it apart, writing a detection for it, doing the research. It's either short term or long term, depending on what the product needs, or what the customer needs at that time, pretty much.
There's a process. If you're looking at thousands of samples, you've got to have a way to triage all of that and bubble up the things that are important, or the ones that you should be looking at. Same with the file itself. I don't want to just start from the beginning. I want to look at a clue and start there.
A lot of the research that I did for my Black Hat talk was triage analysis. My boss asked me to do 1,000 samples in three days, manual analysis. I'm like, 'I can do one sample in a few hours, but I don't know if I can do all 1,000 samples in three days.'
So I developed this tool that helped me print out all the stuff that I needed in order to look at samples. I don't have to look at every single sample, but just the ones that are important because otherwise I would be there forever.
How do you determine what is important?
Rousseau: In a binary, you have these things called libraries that load -- imports, pretty much. And a lot of these imports give you an idea of what the program is doing. So as an indicator, say it is loading user32.dll. What that is, is it could be doing user-related actions on the system. If you load in Winsock, it's for sockets, right?
All of these different clues as to what libraries are loading, you can kind of get a sense of what it's actually going to do, even the function that it's going to call. Because then you kind of build in, 'OK, well, it's going to do something to the file system, it's going to open up a socket and connect out to some IP address. I'm going to have to look for an IP address, I'm going to have to look for some strings creating a file in the file system.' That kind of stuff.
But in order to that, I need to disassemble it and see when that happens, in what order it happens. Because goodware can do the same thing, but depending on the context -- the order -- is it doing it all in one function, or is it spread out? Some of those little clues pinpoint the ones that you need to look at.
And these clues help you understand what kind of malware you're studying?
Rousseau: Yeah, and it depends on the motive. If you're ransomware, you're going to do encryption; you're going to do file system activity; you're going to call out to some onion server for the Bitcoin. If you're spyware, you're going to be doing keylogging; you're going to be accessing the camera; you're going to be trying to take screenshots of the desktop. So those are all different libraries to look.
If you're just a regular Trojan or a remote access Trojan, you're going to be calling back out to your [command-and-control network]. You'll receive instructions to do stuff. So if you know what kind of class they are, you're looking for those indicators to place them into that class of malware.
Have you seen any trends in the code across different malware types?
Rousseau: Yeah, it's funny because with ransomware, there were two main libraries that a lot of the ransomware stemmed off of. It's kind of like this growing tree of variations of the same code. And because some idiot posted it on GitHub somewhere, all these little 19-year-old to 26-year-olds are playing with this code and making ransomware to make a quick buck.
The ones that do well are the crimeware people that adopt ransomware and make it more like a business, a little large-scale business.
Rousseau: Right, right. But when you're reversing, you can see different code, kind of a mishmash of someone writing it this way and another. It's like handwriting. You can tell when there's two different types of handwriting on a page. It's like that in code for me.
If you look at enough of it you can identify, 'OK, this is kind of weird. Someone wrote it backwards,' or that kind of thing. Even with WannaCry, the code for the exploit is completely different than the actual ransomware code. Actual ransomware code is really crappily done, but the exploit code was beautiful. So you know they were kind of mishmashed together.
Well, the exploit code came from ...
Rousseau: It was released, yeah, from ... Yeah.
I guess we know that the government has really good coders. I guess that's the key there.
Rousseau: Yeah, the nation-state stuff, you can tell the level of expertise in that developer because usually, that whole thing will look similar. If it's one or two guys, maybe it will look different. But the more common malware, they buy that stuff off of black market deployment and it comes in a kit. And these kits, they add on their own pictures or whatever they want in the thing. So it kind of has this variant of this s----- code with whatever s----- code that they add in, pretty much.