Analyzing files for embedded content and malicious activity

To investigate files for hidden threats, you can look at file entropy values, download embedded files and scripts for further analysis, and view the document and its attributes.

Because intruders can obfuscate the contents of binary files within container files, you can use file analysis in IBM® QRadar® Incident Forensics to examine whether files contain embedded scripts or other binary content.

File entropy measures the randomness of the data in a file and is used to determine whether a file contains hidden data or suspicious scripts. The scale runs from 0 (no randomness) to 8 (completely random, such as an encrypted file). The more a data unit can be compressed, the lower its entropy value; the less it can be compressed, the higher its entropy value.

In the following diagram, entropy is used as an indicator of the variability of bits per byte. Because each character in a data unit consists of 1 byte, the entropy value indicates the variation of the characters and the compressibility of the data unit. Variations in the entropy values across a file might indicate that suspect content is hidden in it. For example, high entropy values might indicate that the data is stored encrypted and compressed, and lower values might indicate that at run time the payload is decrypted and stored in different sections.
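To make the per-section measurement concrete, the following added Python example (not part of IBM's documentation or of the QRadar product code) computes Shannon entropy for each fixed-size section of a constructed byte buffer on the 0 to 8 bits-per-byte scale described above and flags sections that reach a threshold; the 512-byte section size, the 7.0 threshold and the sample data are assumptions for illustration, not QRadar settings.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_entropy(data: bytes, block_size: int = 512) -> list[float]:
    """Entropy of each fixed-size section in file order (the profile an entropy graph plots)."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def flag_suspect_sections(data: bytes, block_size: int = 512, threshold: float = 7.0) -> list[int]:
    """Indexes of sections whose entropy reaches the threshold: candidates for packed or encrypted content."""
    return [i for i, h in enumerate(section_entropy(data, block_size)) if h >= threshold]


def build_sample() -> bytes:
    """Constructed sample (not a real file): compressible ASCII text wrapped around a
    pseudo-random 1024-byte region that stands in for an encrypted or packed payload."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 20)[:512]
    payload, chunk = b"", b"seed"
    while len(payload) < 1024:  # chained SHA-256 output: deterministic, yet near-uniform bytes
        chunk = hashlib.sha256(chunk).digest()
        payload += chunk
    return text + payload + text


if __name__ == "__main__":
    sample = build_sample()
    for i, h in enumerate(section_entropy(sample)):
        print(f"section {i}: {h:.2f} bits/byte")
    print("suspect sections:", flag_suspect_sections(sample))  # [1, 2]
```

The text sections score well under 5 bits per byte while the pseudo-random region scores above 7, which is the contrast an analyst looks for in an entropy graph.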

Procedure

  1. On the Forensics tab, select one or more recovered files from the Grid view.
  2. From the investigative tools menu at the top of the grid, click File Analysis.

    In the results, each row of the grid contains the analysis data for one document, for example, the file name, description, whether suspect content is detected, and entropy values.

  3. To sort files by a specific attribute, such as entropy, click the associated column heading.
  4. From the list of files, right-click a file for further investigation:
    • To review the document and its attributes, click Display Document.
    • To review an entropy graph and check whether an embedded file or script might contain malware, click Display Entropy.

      You can use entropy values as an indication of whether the file might contain malicious content. For example, ASCII text files are typically highly compressible and have low entropy values. Encrypted data is typically not compressible, and usually has a high entropy value. Malware is often packed and hidden in both files and images.

    • To download embedded files, click Extract Embedded Files and select the files to download.

      This option is available only for documents with embedded files or scripts. Files are downloaded to the download location of your web browser. Be careful not to open potentially harmful scripts in an unprotected environment.