Java File Analysis¶

Java Decompilation and Reverse Engineering¶

JD-GUI¶

JD-GUI is a graphical tool that decompiles Java .class files into readable Java source code.

Usage¶

Open the .class file or JAR with JD-GUI.

Why it's useful¶

JD-GUI helps you understand the source code of compiled Java files, especially useful when analyzing suspicious or unknown binaries to identify malicious behavior.

CFR (Another Java Decompiler)¶

CFR is a command-line Java decompiler that can be used to decompile .class files.

java -jar cfr.jar <input.class>

Why it's useful¶

CFR handles difficult-to-decompile Java classes (such as those with obfuscation) better than some other decompilers, making it a great tool for reverse engineering Java malware.

Fernflower¶

Fernflower is another decompiler, typically used for decompiling .class files into Java source code.

Usage¶

Fernflower is often integrated with IDEs like IntelliJ IDEA, but can also be used via the command line by using the procyon decompiler or similar tools.

Why it's useful¶

Similar to JD-GUI, Fernflower helps reverse-engineer Java bytecode into readable code, and is particularly useful for examining obfuscated code.

JADX (For APKs)¶

JADX decompiles APK files (Android applications), which are often written in Java. This tool is vital for analyzing Java-based Android malware.

jadx -d output_folder <input.apk>

Why it's useful¶

When analyzing Android malware, JADX allows you to view the source code and structure of APKs, helping identify malicious behavior or backdoors.

Disassembling Java Bytecode¶

javap (Java Disassembler)¶

The javap tool disassembles Java bytecode to provide detailed information about the class, methods, and fields, without needing the source code.

Display class structure¶

javap -c <file.class>

Display class details (e.g., methods, fields)¶

javap -p -v <file.class>

Why it's useful¶

javap is invaluable for inspecting the bytecode of a Java class when the source code isn't available. You can analyze the class structure, method signatures, and bytecode instructions, which is useful for reverse engineering and understanding the behavior of Java applications or malware.

Java Runtime Analysis for Forensics¶

jmap (Heap Memory Dump)¶

jmap is used to generate heap dumps of a running Java process, which can be valuable for analyzing the memory state of an application during an incident.

Dump heap¶

jmap -dump:live,format=b,file=heapdump.hprof <PID>

Display heap summary¶

jmap -heap <PID>

Why it's useful¶

Memory dumps can provide insight into the state of the Java application, including objects in memory, potential memory leaks, or malicious payloads. Analyzing the heap dump is useful for malware analysis and root cause investigation in runtime incidents.

jstack (Thread Stack Traces)¶

jstack generates stack traces for all threads in a Java process. This helps identify what a Java process is doing at a given point in time.

Get stack traces:¶

jstack <PID>

Why it's useful¶

This command is essential for diagnosing performance problems or debugging issues, as it shows which method each thread is currently executing. In DFIR, this can help track suspicious activity or identify what malicious code is being executed in a Java process.

Java Security and Integrity Analysis¶

Jarsigner (Verify/Sign JAR Files)¶

jarsigner is used to sign JAR files and verify their signatures. In a DFIR context, this tool can verify if a JAR file has been tampered with or is legitimate.

Verify a JAR file signature¶

jarsigner -verify -verbose -certs <file.jar>

Sign a JAR file¶

jarsigner -keystore <keystore.jks> -signedjar <signedfile.jar> <unsignedfile.jar> <alias>

Why it's useful¶

Verifying the integrity of JAR files can help identify if malware has replaced or modified legitimate applications. Ensuring the signature is valid confirms that the file hasn't been tampered with.

Keytool (Managing Keystores and Certificates)¶

keytool is a utility for managing keystores and certificates, used to handle cryptographic operations in Java applications. It's useful when analyzing applications that use certificates or encryption.

List keystore certificates¶

keytool -list -keystore <keystore.jks>

Generate a keystore¶

keytool -genkey -keyalg RSA -keystore <keystore.jks> -alias <alias> -dname "CN=YourName"

Why it's useful¶

In cybersecurity, checking for the presence of valid certificates and analyzing keystore contents can help determine if an application is authentic or if it's being used for malicious purposes. This is critical when analyzing Java-based malware or securing Java applications.

Incident Response Tools for Java Malware¶

jps (Java Process Status)¶

jps lists all Java processes currently running on the system, along with their Java process IDs (PID). This is useful for monitoring suspicious Java processes.

List all Java processes:¶

jps -l

Why it's useful¶

By listing running Java processes, jps helps identify which Java applications are running on a system. This can be useful during an incident when trying to find malicious or unauthorized Java applications.

jdb (Java Debugger)¶

jdb is a command-line debugger for Java programs. It's useful for attaching to a running Java process or analyzing specific Java code during an incident.

Debug a running Java process¶

jdb -attach <PID>

Why it's useful¶

In a forensic investigation, jdb can be used to debug a Java process and step through the execution of the application. If you're investigating malicious behavior in a running Java process, this tool is essential for performing live analysis.

Summary of Key Tools and Use Cases¶

JD-GUI, CFR, Fernflower: Use for decompiling Java bytecode and examining suspicious code.
JADX: Decompiles APKs, useful for Android-based Java malware analysis.
javap: Disassembles .class files to inspect bytecode.
jmap: Generates heap dumps for memory forensics and identifying potential malicious objects.
jstack: Provides stack traces for live Java processes to identify suspicious activity.
Jarsigner: Verifies the integrity of JAR files and checks for tampering.
Keytool: Manages certificates and keystores, useful for verifying the legitimacy of Java applications.
jps: Lists running Java processes, helping to identify suspicious activity in an incident.
jdb: Debugs running Java processes, allowing you to step through code during an investigation.