CLOUDOSCOPE: Detecting Anti-Forensic Malware using Public Cloud Environments

Abstract

Many modern malware employs runtime anti-forensic techniques in order to evade detection. Anti-forensic tactics can be categorized as anti-virtualization (anti-VM), anti-debugging, anti-sandbox, and anti forensic-tools. The detection of such malware is challenging since they do not reveal their malicious behavior and are therefore considered benign. We present CLOUDOSCOPE, a novel architecture for detecting anti-forensic malware using the power of public cloud environments. The method we use involves running samples on bare metal machines, then running and monitoring them in multiple forensic environments deployed in the cloud. That includes virtual machines, debugging, sandboxes, and forensic environments. We identify anti-forensic behavior by comparing results in forensic and non-forensic environments. Anti-forensic malware would expose a difference between bare-metal, non-forensic, and virtualized forensic executions. Furthermore, our method enables the identification of the specific anti-forensic technique(s) used by the malware. We provide background on anti-forensic malware, present the architecture, design and implementation of CLOUDOSCOPE, and the evaluation of our system. Public cloud environments can be used to identify and detect stealthy, anti-forensic malware, as shown in our evaluation.