I'm currently using FTK for an assignment where we are tracking some credit card fraud and the victim has given us permission to search his computer.
I was told that there is valuable evidence in the svehost.exe process but I've never had to do such a thing previously.
If the malware author was any good, you probably won't find it, unless you are an expert, even after being told which file is the malware.
Assuming they were a rubbish author, you could look for unencrypted strings, unexpected TCP/IP traffic, unexpected ports being opened and listened on, unexpected changes to other files on the system and the registry when the executable is run, rootkits being dropped, and AV software being turned off. You could also disassemble it into assembler code and step through it, see which DLLs it has dependencies on, and see how it compares to the original svchost.exe, which I assume it is trying to pass itself off as.
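The reply above suggests static triage of a suspicious executable: pulling out unencrypted strings, looking for network indicators and registry persistence, and comparing the file against the genuine svchost.exe it imitates. The following is an added example (not code from the thread or from FTK) showing how a defender might script that first pass. It works on a constructed byte blob standing in for the suspect file; the domain, IP address and API names inside the blob are made up for illustration, and `KNOWN_SYSTEM_NAMES` is a hypothetical short list of legitimate Windows process names used to spot look-alike filenames such as "svehost.exe".

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a suspicious binary. Not real malware; the strings
# are invented so the triage logic below has something to find.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"\x00" * 8
    + b"kernel32.dll\x00CreateRemoteThread\x00"
    + b"http://example-c2.invalid/checkin\x00"
    + b"\x01\x02\x03\x04"
    + b"10.0.0.5:4444\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x7f\xff"
    + b"This program cannot be run in DOS mode\x00"
)

MIN_STRING_LEN = 6

# Hypothetical list of legitimate process names a dropper might imitate.
KNOWN_SYSTEM_NAMES = ["svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"]

# Categories of unencrypted strings worth a second look during triage.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[^\s\x00]+", re.I),
    "ip_port": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
    "run_key": re.compile(r"CurrentVersion\\Run", re.I),
    "injection_api": re.compile(r"\b(?:CreateRemoteThread|WriteProcessMemory|VirtualAllocEx)\b"),
}


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN) -> List[str]:
    """Return runs of printable ASCII (0x20-0x7e) of at least min_len characters,
    the same idea as the classic `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def classify_strings(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket extracted strings by the indicator pattern they match.
    The whole string is kept so the analyst sees its context."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATOR_PATTERNS}
    for s in strings:
        for name, rx in INDICATOR_PATTERNS.items():
            if rx.search(s):
                hits[name].append(s)
    return hits


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-letter-off names like svehost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_names(name: str, known: List[str] = KNOWN_SYSTEM_NAMES,
                    max_distance: int = 2) -> List[Tuple[str, int]]:
    """Known process names within max_distance edits of `name`.
    An exact match (distance 0) is excluded: a file really called svchost.exe
    should be checked by path and hash instead, not by spelling."""
    lowered = name.lower()
    return [(k, d) for k in known
            if 0 < (d := levenshtein(lowered, k.lower())) <= max_distance]


def triage(filename: str, blob: bytes) -> dict:
    """One-shot static first pass over a suspect file."""
    strings = extract_strings(blob)
    return {
        "strings": strings,
        "indicators": classify_strings(strings),
        "lookalikes": lookalike_names(filename),
    }


if __name__ == "__main__":
    report = triage("svehost.exe", SAMPLE_BLOB)
    print("Look-alike names:", report["lookalikes"])
    for category, found in report["indicators"].items():
        if found:
            print(f"{category}: {found}")
```

Run on a real file, the blob would come from `open(path, "rb").read()`, and the indicator hits are leads to confirm with dynamic analysis (process monitoring, network capture), not conclusions on their own.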
tryan6,
As you are an FTK user (not sure which version), it may be worthwhile requesting a trial of Cerberus Malware Detection from AccessData or from your reseller. This is an add-on for FTK4. I am not sure if trials are still available, though.
This video explains in depth how it works (be warned it is 50 min) and I recommend it for anyone considering Cerberus or wanting to learn more.
https://
Access Data has had a big push into Enterprise Security and I expect Cerberus to get a lot of attention in the future, as it is one of the core modules for the CIRT product.
More info on Cerberus here - http//
Please note that the FTK4 add-on only handles Stage One analysis, but it does give you a relatively fast analysis of what the potential malware is attempting, and you can then perform further analysis with more dedicated tools.
The Enterprise products include Stage Two analysis and offer the ability to remediate the process.
Others may prefer a more hands-on approach to malware analysis.