Hi all,
I am interested in malware forensics. I want to find unconventional malware in a system. For example, you can install "all in one keylogger" without any reaction from Norton.
What should be the correct way and instruments?
Thanks
Timeline analysis
Try the Mandiant Redline tool. It isn't signature based, but identifies potential infection by using a range of indicators of compromise (IOCs).
And it's free :D
This book is a fantastic read and will give you a complete mindset to use when analyzing a RAM image for malware, allowing you to enumerate and analyse every process that looks a little suspicious.
I read it and was most impressed. Just google it or buy it on Amazon.
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
Learn to dump your live memory and use Volatility.
Use a heuristic approach and realize that malware is no use to anyone unless it connects and "phones home". So, build a baseline of valid open ports and monitor network traffic. Learn to use nmap to see open ports from the external point of view.
When you don't know what you are looking for, look for patterns out of the ordinary, but that only works if you know what ordinary is.
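The baseline idea above, as an added example that is not part of the original post: two constructed snapshots of listening sockets (in a netstat-like format, not captured from a real host) are compared, and anything that was not in the known-good baseline, or is now owned by a different process, is reported.

```python
import re
from typing import Dict, NamedTuple, Set

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str

# Constructed "known good" snapshot, recorded when the host was believed clean.
BASELINE_TEXT = """
TCP 0.0.0.0:135 LISTENING svchost.exe
TCP 0.0.0.0:445 LISTENING System
TCP 0.0.0.0:3389 LISTENING svchost.exe
UDP 0.0.0.0:123 svchost.exe
"""

# Constructed later snapshot of the same host, to be checked against the baseline.
CURRENT_TEXT = """
TCP 0.0.0.0:135 LISTENING other.exe
TCP 0.0.0.0:445 LISTENING System
TCP 0.0.0.0:8081 LISTENING helper.exe
UDP 0.0.0.0:123 svchost.exe
"""

# One listener per line: proto, local address:port, optional state, owning image.
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(?:LISTENING\s+)?(\S+)$")

def parse_snapshot(text: str) -> Set[Listener]:
    listeners = set()
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers or lines in another format
        proto, addr, port, process = m.groups()
        listeners.add(Listener(proto, addr, int(port), process))
    return listeners

def compare_snapshots(baseline: Set[Listener], current: Set[Listener]) -> Dict[str, list]:
    """Report new sockets, vanished sockets, and sockets still open but now
    owned by a different process than in the baseline."""
    key = lambda l: (l.proto, l.addr, l.port)
    base = {key(l): l for l in baseline}
    cur = {key(l): l for l in current}
    new = sorted((l for k, l in cur.items() if k not in base), key=key)
    missing = sorted((l for k, l in base.items() if k not in cur), key=key)
    reowned = sorted(((base[k], cur[k]) for k in base.keys() & cur.keys()
                      if base[k].process != cur[k].process), key=lambda p: key(p[0]))
    return {"new": new, "missing": missing, "reowned": reowned}
```

Anything in "new" or "reowned" is a lead to investigate, not proof of infection; run the same comparison against the listener list a memory tool reports so a hidden socket shows up as a mismatch.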
OK, many thanks all.
If you are looking at detecting malware activities on a potentially compromised system, as Keydet says, a proper timeline analysis is the best way of spotting malicious activities.
I'd also add the suggestion of working on the memory dump; this really helps out a lot in understanding what's going on.
If, instead, you are looking at analyzing the malware once you have collected the sample, then the best tools IMHO still remain a proper sandboxing platform (like Cuckoo Sandbox) and a disassembler like IDA, Hopper, Radare2 and so on.