Java deployment cache index files

(@bithead)
Posts: 1206
Noble Member
 

Interesting.

So, you may be concerned with malware on a system, but not so much as to how it got there?

No I just have not encountered a case where malware analysis has been necessary.

 
Posted : 07/02/2013 9:27 am
(@joachimm)
Posts: 181
Estimable Member
 

No I just have not encountered a case where malware analysis has been necessary.

So in a case you never check if a system contains malware? If so are you in e-discovery?
If not, what are you using, a virus scanner?

Ever heard of the trojan horse defense?
https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2005-15.pdf

 
Posted : 07/02/2013 11:19 am
(@bithead)
Posts: 1206
Noble Member
 

So in a case you never check if a system contains malware? If so are you in e-discovery?
If not, what are you using, a virus scanner?

Ever heard of the trojan horse defense?
https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2005-15.pdf

If you are investigating a fraud case do you look for malware? If so why?

If you are investigating a drug trafficking ring do you look for malware? If so why?

And even if you scan an image with A/V to protect your analysis system, does the presence of a virus or other piece of malware always impact the case?

The trojan defense is as ridiculous as the Chewbacca defense.

 
Posted : 07/02/2013 7:51 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

If you are investigating a fraud case do you look for malware? If so why?

Someone may claim the Trojan Defense. Seriously…yes, files were exfil'd from the box, but I didn't do it, it was the result of a virus or Trojan that had infected my system.

If you are investigating a drug trafficking ring do you look for malware? If so why?

Perhaps, it depends on what the 'customer' asks.

And even if you scan an image with A/V to protect your analysis system, does the presence of a virus or other piece of malware always impact the case?

Again, it depends on the type of case, who your customer is, etc. Does it mean that this is always done as a matter of process…it might, depending upon the type of processes you have set up in your lab. I can't say definitively, "no", because I haven't seen every lab.

However, I think that the issue of what one may or may not do on a case has eclipsed the original question. For example, take a look at this image
https://blogs.sans.org/computer-forensics/files/2012/04/Spearphish-Attack.jpg

The image is taken from a SANS course…it's a snippet of a super timeline created using data from the course. The data itself is used to illustrate the effectiveness (or lack thereof) of AV solutions in protecting a system, but what you see in the timeline is a malicious PDF doc hitting the system, and before the files are dropped, two Java *.idx files are created.

Now, at the time that the course was developed and the timeline was created, tools for parsing *.idx do not appear to have been available….they are now. Many analysts looking at such a timeline (if they had created one) might look at the creation of the *.idx files as "kimchee" (term taken from a recent thread in another forum) and simply ignore them. But now we have tools to parse this information apart and provide additional context to raise awareness of intelligence that is available in the timeline.

 
Posted : 07/02/2013 8:20 pm
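keydet89's point above is that the two *.idx files in that timeline carry context (the URL the JAR or class was fetched from, the server's HTTP response headers, the timestamps) that a parser can pull out and line up next to the other events. The block below is an added example and is not code from any poster in this thread or from any tool named here. It follows the cache_version 605 header layout as I understand it from public open-source parsers; the field order, the 128-byte offset of section 2 and the use of an empty header name for the HTTP status line are assumptions to verify against real files. It parses a constructed *.idx byte string and turns it into timeline-style rows.

```python
"""Parse section 1 (header) and section 2 (metadata strings) of a Java
deployment cache *.idx file and emit timeline-style rows.

Added example for this thread; the cache_version 605 layout used here is an
assumption drawn from public parsers, not from any poster's tool.
"""
import struct
from datetime import datetime, timezone

SECTION2_OFFSET = 128  # assumption: section 2 starts at byte 128 for versions 603..605
SAMPLE_URL = "http://www.example.com/app/applet.jar"  # constructed value


def _read_utf(buf, pos):
    """Java DataInputStream.readUTF: 2-byte big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8", errors="replace"), pos + n


def _write_utf(s):
    """Inverse of _read_utf, used only to build the constructed sample."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _java_ms_to_iso(ms):
    """Java stores milliseconds since the epoch; 0 means 'not set'."""
    if ms <= 0:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def parse_idx(buf):
    """Return a dict of the header fields, the four metadata strings and the HTTP headers."""
    busy, incomplete, cache_version = struct.unpack_from(">bbi", buf, 0)
    if cache_version not in (603, 604, 605):
        raise ValueError("unsupported cache_version %d" % cache_version)
    # assumption: field order after cache_version for 603..605
    (is_shortcut, content_length, last_modified, expiration, validation,
     known_signed, sec2_len, sec3_len, sec4_len) = struct.unpack_from(">biqqqbiii", buf, 6)
    pos = SECTION2_OFFSET
    version, pos = _read_utf(buf, pos)
    url, pos = _read_utf(buf, pos)
    namespace, pos = _read_utf(buf, pos)
    codebase, pos = _read_utf(buf, pos)
    (header_count,) = struct.unpack_from(">i", buf, pos)
    pos += 4
    headers = {}
    for _ in range(header_count):
        key, pos = _read_utf(buf, pos)
        value, pos = _read_utf(buf, pos)
        headers[key] = value  # assumption: the status line is stored under an empty key
    return {
        "busy": busy, "incomplete": incomplete, "cache_version": cache_version,
        "is_shortcut": is_shortcut, "content_length": content_length,
        "known_signed": known_signed, "section_lengths": (sec2_len, sec3_len, sec4_len),
        "last_modified": _java_ms_to_iso(last_modified),
        "expiration": _java_ms_to_iso(expiration),
        "validation": _java_ms_to_iso(validation),
        "version": version, "url": url, "namespace": namespace,
        "codebase": codebase, "headers": headers,
    }


def timeline_rows(rec, idx_name):
    """Emit (iso_time, source, description) rows ready to merge into a super timeline."""
    rows = []
    for field, label in (("last_modified", "server Last-Modified"),
                         ("validation", "cache validated")):
        if rec[field]:
            rows.append((rec[field], "java_idx", "%s %s %s" % (idx_name, label, rec["url"])))
    return sorted(rows)


def build_sample_idx():
    """Constructed *.idx bytes in the assumed 605 layout; not a real artifact."""
    sec2 = b"".join(_write_utf(s) for s in ("1.0", SAMPLE_URL, "", "http://www.example.com/app/"))
    headers = [("", "HTTP/1.1 200 OK"),
               ("content-type", "application/java-archive"),
               ("last-modified", "Fri, 20 Jan 2012 22:53:20 GMT")]
    sec2 += struct.pack(">i", len(headers))
    for key, value in headers:
        sec2 += _write_utf(key) + _write_utf(value)
    sec1 = struct.pack(">bbi", 0, 0, 605) + struct.pack(
        ">biqqqbiii", 0, 4096, 1327100000000, 0, 1327186400000, 0, len(sec2), 0, 0)
    return sec1.ljust(SECTION2_OFFSET, b"\x00") + sec2


if __name__ == "__main__":
    record = parse_idx(build_sample_idx())
    for row in timeline_rows(record, "sample.idx"):
        print("\t".join(row))
```

The row descriptions are deliberately flat strings so they can be concatenated with other timeline sources; the URL and the response headers are what turn an otherwise anonymous file creation into a record of which server delivered what to the host.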
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The trojan defense is as ridiculous as the Chewbacca defense.

The Chewbacca defense does have (IMHO) its merits (of course rarely so in drug trafficking cases).
After all, it was actually (very loosely) inspired by a real case, the O.J. Simpson murder trial.
http://en.wikipedia.org/wiki/Chewbacca_defense

If the issue at hand is "objectionable pictures" or "warez" or similar unlawful content found on a PC's hard disk, or DDoS and the like originated from a machine, the Trojan defense may actually be "Trojan truth".

jaclaz

 
Posted : 07/02/2013 8:26 pm
(@joachimm)
Posts: 181
Estimable Member
 

If you are investigating a fraud case do you look for malware? If so why?

Yes, in case of financial fraud, because of something called banking trojans. Since a lot of financial software uses Java technology, the recent Java vulnerabilities are a very good way to spread your banking trojan. And as you point out, most A/V is pretty much worthless in finding new strains of malware.

Now the boss of company X likes to surf the internet on random PCs, including the one of the financial administration. The boss also does this to annoy the financial administrative employee, since there is a bit of friction between the two. The system gets infected with a banking trojan and scams the company out of money.

The boss hires an investigative company, and because of the friction, suspicion points to the employee. All the investigative company finds are the fraudulent transactions. The bank cannot trace the transactions and everything points in the direction of the employee, like the employee suddenly having more to spend (although due to personal circumstances). Since their digital investigator does not bother to check for malware, the employee gets fired.

The company and the employee get into a legal conflict. Half a year after the start of the legal conflict, the bank informs the company that the fraudulent transactions were caused by a banking trojan.

The investigative company gets sued for malpractice and the investigator loses his job.

All the investigator does nowadays is watch South Park reruns.

 
Posted : 08/02/2013 1:00 am
(@bithead)
Posts: 1206
Noble Member
 

Yes in case of financial fraud, because of something called banking trojans.

So on EVERY single case you do malware analysis? Wow. Your case load must be significantly different than mine.

 
Posted : 08/02/2013 2:47 am
(@joachimm)
Posts: 181
Estimable Member
 

So on EVERY single case you do malware analysis? Wow. Your case load must be significantly different than mine.

I never said I do malware analysis on EVERY case or that it is useful for EVERY case. For some cases or contexts of law it is not relevant.

However, a well-considered decision whether or not to do malware analysis is an essential part of my job, high case load or not. A high case load should not be an excuse for poor quality; the work we do can have too much negative impact when things go wrong because of stupid mistakes, especially under stress.

However if you state

In all seriousness I personally have not had a cause to examine Java deployment cache index files.

And

No I just have not encountered a case where malware analysis has been necessary.

So my interest gets triggered about the type of investigations you are doing and how/if you check for malware. Especially since you recently did a review of Internet Evidence Finder (IEF). Someone that seems to do Internet analysis and has not looked at Java idx and/or malware does not compute for me.

And alas, with the following remark you only reveal more ignorance.

The trojan defense is as ridiculous as the Chewbacca defense.

 
Posted : 08/02/2013 3:24 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

So on EVERY single case you do malware analysis? Wow. Your case load must be significantly different than mine.

BitHead, I think that's true in a lot of cases…case loads are vastly different.

Let's say that you do a number of a specific type of case…financial fraud, PCI, etc. You begin to develop and reuse the intel you learn from each case, tightening the analysis process/OODA loop. Chris Pogue has demonstrated this in his "Sniper Forensics" briefs. If you have other team members or other analysts within the industry that you share intel with, that loop gets even tighter…your analysis process becomes optimized, and you're spending less time looking for the things you always find, and more time engaging in actual analysis.

I notice one thing that hasn't been shared is Joachim's malware process, which I'm thinking is more one of detection than actual analysis. Perhaps looking at the process would give some clues as to how he's able to look for malware in every case.

This is exactly what I use the Forensic Scanner for, internal to our organization. It's extremely fast, and the plugins are written so that both specific (file or Reg value names) and general (all values within a Reg key) items are looked for, so that I can see what artifacts need closer examination.

 
Posted : 08/02/2013 3:24 am
(@bithead)
Posts: 1206
Noble Member
 

I never said I do malware analysis on EVERY case or that it is useful for EVERY case. For some cases or contexts of law it is not relevant.

And yet in your post

So in a case you never check if a system contains malware? If so are you in e-discovery?
If not, what are you using, a virus scanner?

Ever heard of the trojan horse defense?
https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2005-15.pdf

you blast me and accuse me of never looking for malware. Apparently you are not reading my posts. On the first page I wrote I personally have not had a cause to examine Java deployment cache index files. Yet. Where did you make the leap from Yet to never?

Harlan made a similar mistaken leap to

So, you may be concerned with malware on a system, but not so much as to how it got there?

I am not sure how he made the leap from Yet to that.

And yet when I question if you do malware analysis on every case you start backpedaling.

You then wrote

I never said I do malware analysis on EVERY case or that it is useful for EVERY case. For some cases or contexts of law it is not relevant.

and

So my interest gets triggered about the type of investigations you are doing and how/if you check for malware. Especially since you recently did a review of Internet Evidence Finder (IEF). Someone that seems to do Internet analysis and has not looked at Java idx and/or malware does not compute for me.

How did you jump to never looked at malware? That is a pretty big leap. I hope you do not make those kinds of assumptions in your analysis.

Lastly I think your assumption about my supposed ignorance about the merits of the trojan and Chewbacca defense shows how little knowledge you have of the legal system in which I work. And I find your name calling petty at best and at worst a reflection on your character.

 
Posted : 08/02/2013 3:58 am
Page 2 / 3