Static vs. Dynamic Analysis of Artifacts: Key Differences, Scenarios, and Examples
In digital forensics, an artifact is any evidence or data uncovered during an investigation. Artifacts include, but are not limited to, sync and file management metadata, cached files, data from cloud services, authentication details, encryption information, and artifacts from browsers and mobile apps.
While these artifacts provide key insights into user activity and system behavior during an investigation, an investigator needs to properly and comprehensively analyze them to acquire the relevant information, reconstruct actions, identify timelines, and ultimately build a strong case around the digital evidence.
Digital forensics investigators can use two primary methods to perform an analysis:
Static analysis, which examines artifacts without running them, and dynamic analysis, which involves observing artifacts in action.
Static Analysis
A static analysis involves examining artifacts without executing them. In this case, an examiner can carefully examine every component of the artifacts, including the code, structure, and file system, without altering the artifacts’ original state.
The results of a static analysis may include suspicious API calls, hardcoded C2 addresses, cryptographic constants, and suspicious import tables.
Some of the critical characteristics of static analysis of artifacts include:
Non-intrusive
Static analysis makes no changes to the artifacts: they are examined exactly as they were collected.
Code Inspection and File System Analysis
In static analysis, a forensics investigator can examine the source code, strings, headers, and file structures. For executable files, they can also perform reverse engineering or disassemble the code for a more comprehensive analysis.
Hash Verification
In static analysis, the investigator calculates hash values to verify the integrity of the artifacts. The same hashes can be compared against databases of known malicious files to find matches.
Identification of potential Indicators of Compromise (IOCs)
During a static analysis, an investigator can scan for specific patterns, strings, or potential indicators of compromise without necessarily having to execute a piece of code.
Resource-Efficient
Unlike dynamic analysis, static analysis does not require the investigator to set up a controlled environment such as a sandbox to execute files, which saves time. Dynamic analysis may also require specialized tools that can be costly.
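The characteristics above (hash verification, string and code inspection, IOC identification, all without executing anything) put together as a small static triage script. This is an added example, not code from the original post; the sample artifact, the empty "known-bad" hash set and the short API list are constructed for illustration.

```python
import hashlib
import re

# Constructed sample artifact: a PE-like header followed by a few embedded strings.
# Not real malware; the URL and IP:port use reserved documentation values.
SAMPLE_ARTIFACT = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\x00kernel32.dll\x00"
    + b"CreateRemoteThread\x00VirtualAllocEx\x00http://example.com/update.bin\x00"
    + b"\x01\x02\x03" + b"192.0.2.10:4444\x00"
)

# Stand-in for a threat-intelligence hash set (constructed; empty here, so no match).
KNOWN_BAD_SHA256 = set()

# API names that often show up in the import table of injection-capable samples
# (a short illustrative set, not a complete list).
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"}

IOC_PATTERNS = {
    "url": re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?"),
    "ipv4_port": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
}

def sha256_hex(data):
    """Hash verification: a SHA-256 digest identifies the artifact without altering it."""
    return hashlib.sha256(data).hexdigest()

def extract_strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes, as the classic `strings` tool does."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def find_iocs(strings_found):
    """Scan extracted strings for URL / IP:port indicators and suspicious API names."""
    iocs = {"url": [], "ipv4_port": [], "api": []}
    for s in strings_found:
        for kind, rx in IOC_PATTERNS.items():
            iocs[kind].extend(rx.findall(s))
        if s in SUSPICIOUS_APIS:
            iocs["api"].append(s)
    return iocs

def static_triage(data, known_bad):
    """Non-intrusive triage: hash, compare with known-bad hashes, then strings and IOCs."""
    digest = sha256_hex(data)
    strings_found = extract_strings(data)
    return {"sha256": digest, "known_bad": digest in known_bad,
            "strings": strings_found, "iocs": find_iocs(strings_found)}
```

Nothing here writes to or executes the artifact, so the result is repeatable and the original evidence stays intact.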
Preferred Scenarios
When working with limited resources and a quick triage is needed. For example, a small business that suspects a breach and wants to quickly identify and remove a potentially malicious file may have only limited forensic tools and computing power, and cannot afford highly skilled forensics experts.
Analyzing very destructive malware, where execution poses significant risks. For example, ransomware with advanced capabilities may spread quickly in a live environment and cause irreversible damage.
When looking for specific signatures or patterns across a large set of data, for instance, when a dataset of web server log files is searched for a potential SQL injection. Static analysis would be used to search for specific SQL keywords such as UNION SELECT.
Conducting preliminary threat assessments, which help determine whether a file contains malicious content, and then deciding further action based on the extracted information. For instance, if an employee receives a suspected phishing email with an attachment, the security team performs a static analysis to extract the file's metadata, embedded strings, and hash values and checks them against threat intelligence databases for known malware signatures.
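The log-file scenario above as a worked example: a pattern search for SQL injection over web server access logs. This is added code, not from the original post; the log lines are constructed (RFC 5737 addresses), and the pattern set is deliberately small. It goes one step past a bare keyword search by URL-decoding the request first and by matching keyword sequences rather than the single word "union", which also appears in ordinary search terms.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines; not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 512
198.51.100.8 - - [10/Mar/2024:12:00:05 +0000] "GET /products?id=42%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 200 1024
198.51.100.9 - - [10/Mar/2024:12:00:09 +0000] "GET /products?id=42+union/**/select+1,2,3-- HTTP/1.1" 500 300
198.51.100.10 - - [10/Mar/2024:12:00:12 +0000] "GET /search?q=select+a+union+of+colors HTTP/1.1" 200 2048
"""

REQUEST_RX = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Keyword sequences, not bare keywords: "union" on its own also occurs in normal search terms.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b(?:\s|/\*.*?\*/)+(?:all\s+)?\bselect\b", re.I),
    "tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "comment_tail": re.compile(r"(?:--|#|/\*)\s*$"),
}

def scan_log(log_text):
    """Return (line_no, decoded_request_target, [matched pattern names]) per matching request."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RX.search(line)
        if not m:
            continue
        # Decode %xx escapes and '+' first; an encoded UNION%20SELECT would otherwise slip past.
        target = unquote_plus(m.group(1))
        matched = [name for name, rx in SQLI_PATTERNS.items() if rx.search(target)]
        if matched:
            hits.append((line_no, target, matched))
    return hits
```

Line 4 of the sample is the false-positive check: it contains both "select" and "union" but in an order no injection would use, and is left alone.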
Dynamic Analysis
Dynamic analysis involves executing or "running" the artifact in a controlled environment to observe and analyze its behavior. It enables an investigator to observe how the artifact interacts with the system and its wider environment. The results of a dynamic analysis may include network connections to unknown endpoints, registry modifications, process creation chains, file system activity, and memory-resident payloads.
Some of the characteristics of a dynamic analysis include:
Real-time behavior observation
Network communication patterns
System-level changes and interactions
Memory analysis and manipulation
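How the raw observations from a dynamic run turn into findings, as an added example not taken from the original post: a behavioural sandbox records process creations, file writes, registry changes and network connections; the script below reconstructs the process creation chain for each event and flags connections to endpoints outside an allowlist, writes to a Run key, and dropped files. The event stream, the allowlist and the registry key list are all constructed for illustration and are not the output or format of any real sandbox.

```python
import json

# Constructed sandbox event stream (JSON lines), loosely modelled on what a behavioural
# sandbox reports. Not output from any real tool; the address is an RFC 5737 documentation value.
SANDBOX_EVENTS = r"""
{"ts": 1, "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"}
{"ts": 2, "type": "process", "pid": 200, "ppid": 100, "image": "invoice.pdf.exe"}
{"ts": 3, "type": "file", "pid": 200, "op": "write", "path": "C:\\Users\\Public\\svc.dll"}
{"ts": 4, "type": "registry", "pid": 200, "op": "set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"}
{"ts": 5, "type": "process", "pid": 300, "ppid": 200, "image": "rundll32.exe"}
{"ts": 6, "type": "network", "pid": 300, "dst": "203.0.113.5", "port": 443}
{"ts": 7, "type": "network", "pid": 300, "dst": "update.example.com", "port": 443}
"""

# Constructed allowlist of endpoints the analyst already recognises.
KNOWN_GOOD_ENDPOINTS = {"update.example.com"}
# Registry locations commonly used for persistence (illustrative, not exhaustive).
PERSISTENCE_KEYS = ("\\CurrentVersion\\Run",)

def process_chain(pid, procs):
    """Walk ppid links back to the root, e.g. 'explorer.exe > invoice.pdf.exe > rundll32.exe'."""
    names = []
    while pid in procs:
        names.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return " > ".join(reversed(names))

def analyse_sandbox(events_text, allowlist):
    """Return (finding_type, detail, process_chain) for behaviours worth an analyst's attention."""
    events = [json.loads(line) for line in events_text.splitlines() if line.strip()]
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        chain = process_chain(e["pid"], procs)
        if e["type"] == "network" and e["dst"] not in allowlist:
            findings.append(("unknown_endpoint", f"{e['dst']}:{e['port']}", chain))
        elif e["type"] == "registry" and any(k.lower() in e["key"].lower() for k in PERSISTENCE_KEYS):
            findings.append(("persistence_registry", e["key"], chain))
        elif e["type"] == "file" and e["op"] == "write":
            findings.append(("file_write", e["path"], chain))
    return findings
```

The process chain is what makes a single connection meaningful: "rundll32.exe" talking to an unknown host is routine on its own, but reached via a file that names itself "invoice.pdf.exe" it is not.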
Preferred Scenarios
When dealing with heavily obfuscated code that only reveals its nature when executed. This is particularly useful when the code looks simple and harmless on a surface inspection. Executing the file lets the investigator observe its behavior and understand its functionality.
Analyzing malware that has anti-static-analysis features. Some modern malware is programmed to detect the signatures of forensic tools and virtual environments and, to evade detection during static analysis, alters its behavior or delays execution. In dynamic analysis, the investigator can run it as if it were on a real system to reveal its operations and bypass its anti-analysis capabilities.
To investigate command-and-control infrastructure, for instance, malware that connects to a remote server for instructions.
To study ransomware encryption behavior, for example, or to investigate malware that uses process injection to hide its activity within legitimate processes.
Conclusion
It is important to note that modern malware is equipped with environment-aware techniques that let it detect the current analysis conditions and alter its behavior accordingly. To counter these techniques, an investigator should perform both static and dynamic analysis whenever possible. Relying on either one alone may lead to incomplete or misleading conclusions.
Written by Esther Adwets