Malware / banking trojan hunting

keydet89
(@keydet89)

lucpel,

Sorry, I wasn't clear at all. What I meant is
1) Sometimes you need to employ data carving techniques to recover data of damaged file systems. How would you find 'second artifacts' of viruses when file-name and metadata are lost?… or

Again, I'm not sure what you're referring to here, nor do I understand how we got on the subject of "damaged file systems".

Regardless, I was referring to "secondary artifacts"…which, in my earlier post, are not artifacts directly associated with a malware infection, but instead, those artifacts created by the operating system as a result of the malware interacting with the "ecosystem", or environment.

As an example, Windows XP, Vista, and Windows 7 have application prefetching enabled by default. Some malware which runs as an EXE may have a Prefetch file created/modified when it's launched.

My point is that sometimes you can find the secondary artifacts after a malware infection, and after the malware itself has been removed or deleted. This doesn't have anything to do with "damaged file systems".

2) What if the 'second artifacts' have become orphan files?… Wouldn't the signature be the only way to search for them?

Well, that's my point…they aren't "orphan files". AV scanners don't look for secondary artifacts of infections; in fact, most don't look for indications of malware infections beyond checking files for signatures. This is why infections via Conficker, Zeus, etc., are missed when the malware itself is modified.

For the sake of analysis, about 3 yrs ago, I came up with four malware characteristics…initial infection vector, propagation mechanism, persistence mechanism, and artifacts. Again, AV looks at files…opens files, checks for indicators of malicious software. We have techniques that we can add to that…check for packers, digital signatures, etc. However, if we extend our checks to other artifacts of malware (Registry keys/values, persistence mechanism), we have a greater chance of detecting a malware infection when AV fails. By understanding these characteristics, we can even detect the effects of malware on a system when the malware EXE itself has been deleted.

Again, this has nothing to do with "damaged file systems", recovering the malware EXE file from unallocated space, etc.

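As an added illustration of the Prefetch point above (this is not code from the thread or from either poster), here is a small parser for the Windows XP (version 17) .pf header that pulls out the fields a responder cares about: executable name, last run time, run count and the list of files the process touched. The sample .pf image is constructed inline, its hash field is a made-up placeholder rather than a computed SCCA hash, and the field offsets follow the published version-17 layout.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since this instant

def filetime_to_datetime(ft):
    return WIN_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):  # inverse; only needed to build the constructed sample below
    d = dt - WIN_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_xp_prefetch(data):
    """Fields of a version-17 (Windows XP) .pf file that outlive the EXE that created it.
    Offsets: 0x00 version, 0x04 'SCCA', 0x10 exe name (60 bytes UTF-16LE), 0x4C hash,
    0x64/0x68 offset and length of the filename strings, 0x78 last run FILETIME, 0x90 run count."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version != 0x11:
        raise ValueError("not a version-17 (Windows XP) prefetch file")
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    str_off, str_len = struct.unpack_from("<II", data, 0x64)
    last_run = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    strings = data[str_off:str_off + str_len].decode("utf-16-le")
    return {
        "executable": exe_name,
        "hash": pf_hash,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "loaded_files": [s for s in strings.split("\x00") if s],  # DLLs, data files, the EXE itself
    }

def build_sample():
    """Constructed XP prefetch image, not a real capture: 0x98-byte header + filename strings."""
    touched = [
        "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
        "\\DEVICE\\HARDDISKVOLUME1\\DOCUME~1\\USER\\LOCALS~1\\TEMP\\EVIL.EXE",
    ]
    strings = "".join(p + "\x00" for p in touched).encode("utf-16-le")
    hdr = bytearray(0x98)
    struct.pack_into("<I4s", hdr, 0, 0x11, b"SCCA")
    hdr[0x10:0x4C] = "EVIL.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", hdr, 0x4C, 0x1A2B3C4D)  # made-up value, not the real SCCA hash
    struct.pack_into("<II", hdr, 0x64, len(hdr), len(strings))
    last_run = datetime(2009, 11, 25, 15, 42, 7, tzinfo=timezone.utc)
    struct.pack_into("<Q", hdr, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", hdr, 0x90, 7)
    return bytes(hdr + strings)
```

Even after EVIL.EXE is deleted from the TEMP directory, the loaded_files list, run count and last run time in the .pf file still record that it executed and where it lived.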
lucpel
(@lucpel)

OK, very clear answer… thanks a lot.
