I’ll start off by saying I know next to nothing about this kind of stuff.
My mother's old laptop has a hidden partition at the end of the disk - something the TDSS malware was known for. Additionally there were folders or file system with all these “ntunistall$$” titles that only the ZeroAccess botnet created, to my knowledge. (Backed up by antivirus software showing ZeroAccess.) Kind of like unique footprints left behind.
That got me thinking; does every major malware leave behind clues that you can say “aha! This was an infection caused by Zeus!”, for example? Even long after it’s been cleaned up with antivirus software? I’d find it super interesting to go back through it and see what other kind of infections I could see.
Let’s say I said to you: I’d like to see if this hard drive had a Zeus infection or a Zlob infection or a Torpig infection at one point in time. Would you be able to say, yep, just look for this, this and this? I hope I’m making sense.
Have you tried running one or more antivirus tools against the hard drive contents?
Here is a relatively reliable and free to use anti-virus tool: Immunet AntiVirus
Try running multiple anti-virus tools against the hard drive contents and see if you get any positive hits.
Generally speaking, malware will attempt to hide its tracks such as turning off Windows event logs, creating Base64 encoded persistence, etc., so identifying changes made to a computer by malware requires significant expertise and experience.
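
As an added illustration of the "Base64 encoded persistence" mentioned in the reply above (this example is not part of the original thread), the following Python sketch scans autorun entries for Base64 runs and decodes them for review. It assumes the entries have already been exported from the disk as (name, command) pairs; the sample entries and the function names are constructed for this example.

```python
import base64
import re

# Constructed sample autorun entries (name, command line), standing in for
# values exported from Run keys or scheduled tasks. Not from a real system.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("Updater", "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
     + base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()),
    ("Helper", "cmd.exe /c echo "
     + base64.b64encode(b"constructed sample payload text").decode()),
]

# Runs of 24 or more Base64 alphabet characters, with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_candidate(token):
    """Return decoded text if token is valid Base64 holding printable text, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error (bad padding or alphabet) is a ValueError
        return None
    # UTF-8 first: UTF-16LE text contains NUL bytes, fails the printable check
    # below, and then falls through to the UTF-16LE attempt used by PowerShell.
    for codec in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def find_encoded_persistence(entries):
    """Return (name, decoded_text) for each entry whose command hides decodable Base64."""
    hits = []
    for name, command in entries:
        for token in B64_RUN.findall(command):
            decoded = decode_candidate(token)
            if decoded is not None:
                hits.append((name, decoded))
    return hits


if __name__ == "__main__":
    for name, decoded in find_encoded_persistence(SAMPLE_ENTRIES):
        print(f"{name}: {decoded}")
```

A hit only means the command carries encoded text worth reading; long alphanumeric tokens in legitimate software can also match, so each decoded string still needs a human look.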