malware investigation

5 Posts
4 Users
0 Reactions
939 Views
(@taurean25)
Trusted Member
Joined: 15 years ago
Posts: 62
Topic starter  

Hi Guys,

I have been tasked to investigate a machine that has been hit with malware. I have never had a case like this before and I wanted to know some good pointers on where to start. The machines were shut down and no memory dumps were taken before being handed off to our group. I do not see any hibernation files I can use; only a pagefile.sys exists.

Here is my current plan:

-find a method to parse the pagefile.sys to see if there are any remnants of malware activity; maybe Volatility can pull information from it
-check the recent folders
-check deleted files, unallocated space, slack space
-check prefetch files
-mount the drive and scan for viruses
-boot the image in live view and run a virus scan again
-if anything is found, research it to see if it creates any files, registry keys, etc
-collect the infected files and have my malware team research it and break it apart

Do you guys have any suggestions on my approach? Again, this is my first time doing a case like this.

Suspect system:

Windows XP SP3

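Since no memory dump exists, the pagefile step in the plan above comes down to carving strings and indicator-like fragments out of the raw file (the same approach works on unallocated clusters). The following Python is an added example, not code from this thread or from any tool it names: it carves printable ASCII and UTF-16LE runs from a byte buffer and tags the ones that look like URLs, Run-key paths or executables living in a Temp directory. The sample buffer and the indicator patterns are constructed for illustration; the patterns are generic classes, not signatures for any particular malware.

```python
import re
from typing import List, Tuple

# Constructed stand-in for a chunk of pagefile.sys (or unallocated clusters):
# a few plausible artefacts separated by binary filler. Not data from the thread.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"C:\\WINDOWS\\system32\\svchost.exe\x00"
    + b"\x7f\x13\x02"
    + "http://updates.example-bad.test/cfg.php".encode("utf-16le")
    + b"\x00\x00\x01\x02\x03"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00\x00\x91\x92"
    + b"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svch0st.exe\x00"
)

# Indicator classes worth pulling out of swap/memory remnants. These are generic
# patterns chosen for the example, not signatures for a specific family.
INDICATORS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "run_key": re.compile(r"\\CurrentVersion\\Run(?:Once|Services)?\b", re.I),
    "exe_in_temp": re.compile(r"\\Temp\\[^\\]+\.(?:exe|dll|scr|bat|vbs)\b", re.I),
}


def carve_strings(blob: bytes, min_len: int = 8) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable ASCII run and every
    UTF-16LE run of at least min_len characters, ordered by offset."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE: printable byte followed by a NUL, repeated. Windows paths and
    # registry strings in memory are usually stored this way.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort(key=lambda hit: hit[0])
    return found


def triage(blob: bytes, min_len: int = 8) -> List[dict]:
    """Carve strings and keep only those matching at least one indicator class.
    The offset is kept so a hit can be located again in the original image."""
    hits = []
    for offset, encoding, text in carve_strings(blob, min_len):
        tags = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if tags:
            hits.append({"offset": offset, "encoding": encoding, "text": text, "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_BLOB):
        print(f"0x{hit['offset']:08x} {hit['encoding']:8s} "
              f"{','.join(hit['tags']):12s} {hit['text']}")
```

On a real pagefile you would read the file in chunks (it is often hundreds of megabytes) and feed each chunk through `triage()`; the legitimate `system32\svchost.exe` string in the sample is deliberately left untagged to show that the filter is about location and context, not file names.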
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Hi Guys,

I have been tasked to investigate a machine that has been hit with malware. I have never had a case like this before and I wanted to know some good pointers on where to start. The machines were shut down and no memory dumps were taken before being handed off to our group. I do not see any hibernation files I can use; only a pagefile.sys exists.

Here is my current plan:

-find a method to parse the pagefile.sys to see if there are any remnants of malware activity; maybe Volatility can pull information from it

I'm a bit unclear as to your reasoning for this step…Volatility was designed to work with memory dumps.

-check the recent folders
-check deleted files, unallocated space, slack space
-check prefetch files
-mount the drive and scan for viruses
-boot the image in live view and run a virus scan again
-if anything is found, research it to see if it creates any files, registry keys, etc
-collect the infected files and have my malware team research it and break it apart

Do you guys have any suggestions on my approach? Again, this is my first time doing a case like this.

Suspect system:

Windows XP SP3

I see that you're going to "check" various areas, but not what you're going to be "checking" for.

I wrote an entire chapter on malware detection in "Windows Forensic Analysis Toolkit 3/e". I've got a number of blog posts regarding malware detection, Prefetch file analysis, etc., that may be helpful. I've even posted a malware detection checklist off of my blog (http://windowsir.blogspot.com).

One thing I think that may be helpful is to go back to the customer and ask them what it is that led them to believe that the system was infected with malware. This will help you narrow down aspects of the incident…behavior, possibly the time frame, etc…and may provide some direction for your analysis.

Sorry to be terse, but there's a LOT that you can do. In fact, you don't need to boot the system via LiveView in order to run AV scans…and if you don't know the password, you'll have to use Nordahl's tools to be able to log into the system once you have it booted. It may simply be easier to mount the image as a volume and scan it.

I hope that helps enough to get you started…

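For the Prefetch step, an XP/2003 .pf file (format version 17) can be parsed with a handful of struct reads: the executable name sits at offset 0x10, the last-run FILETIME at 0x78, the run count at 0x90, and the file-name strings section (offset and size at 0x64/0x68) lists everything the process mapped, including the executable's own path. The script below is an added example written for this page, not code from the book, blog or tools mentioned above; the .pf bytes it parses are generated in place by build_sample_prefetch() with constructed values (the name SVCH0ST.EXE, the hash, the timestamps and the paths are all made up).

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Optional

PF_SIGNATURE = b"SCCA"
PF_VERSION_XP = 0x11          # XP / Server 2003 prefetch layout (version 17)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Windows FILETIME (100 ns ticks since 1601-01-01, UTC) to an aware datetime."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def build_sample_prefetch(exe_name: str, last_run: datetime, run_count: int,
                          loaded_files: List[str]) -> bytes:
    """Constructed XP-style .pf file for demonstration only. Offsets follow the
    version-17 layout; every value written here is made up."""
    names_blob = b"".join(n.encode("utf-16le") + b"\x00\x00" for n in loaded_files)
    names_off = 0x98                      # right after the v17 file-information block
    buf = bytearray(names_off)
    struct.pack_into("<I4sII", buf, 0x00, PF_VERSION_XP, PF_SIGNATURE, 0,
                     names_off + len(names_blob))                  # version, sig, unknown, size
    name_field = exe_name.encode("utf-16le")[:58] + b"\x00\x00"
    buf[0x10:0x10 + len(name_field)] = name_field                  # 60-byte UTF-16LE name
    struct.pack_into("<I", buf, 0x4C, 0x1A2B3C4D)                  # path hash (constructed)
    struct.pack_into("<II", buf, 0x64, names_off, len(names_blob))  # filename strings off/size
    struct.pack_into("<Q", buf, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x90, run_count)
    return bytes(buf) + names_blob


def parse_xp_prefetch(data: bytes) -> dict:
    """Parse the fields an examiner cares about from a version-17 .pf file."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != PF_SIGNATURE:
        raise ValueError("not a prefetch file")
    if version != PF_VERSION_XP:
        raise ValueError(f"version {version:#x} is not the XP (v17) layout")
    file_size = struct.unpack_from("<I", data, 0x0C)[0]
    if file_size != len(data):
        raise ValueError("header size does not match data length (truncated or carved?)")
    exe_name = data[0x10:0x10 + 60].decode("utf-16le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    names_off, names_size = struct.unpack_from("<II", data, 0x64)
    last_run_ft = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    names = data[names_off:names_off + names_size].decode("utf-16le")
    loaded = [s for s in names.split("\x00") if s]
    return {"exe_name": exe_name, "hash": pf_hash,
            "last_run": filetime_to_datetime(last_run_ft),
            "run_count": run_count, "loaded_files": loaded}


def executable_path(record: dict) -> Optional[str]:
    """The loaded-file list normally contains the executable itself, which tells
    you where it ran from (a Temp directory rather than system32, for example)."""
    for path in record["loaded_files"]:
        if path.rsplit("\\", 1)[-1].upper() == record["exe_name"].upper():
            return path
    return None


# Constructed sample: a look-alike name run from a user's Temp directory.
SAMPLE_PF = build_sample_prefetch(
    "SVCH0ST.EXE",
    datetime(2012, 3, 1, 12, 0, 0, tzinfo=timezone.utc),
    7,
    [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
     r"\DEVICE\HARDDISKVOLUME1\DOCUME~1\USER\LOCALS~1\TEMP\SVCH0ST.EXE"],
)

if __name__ == "__main__":
    rec = parse_xp_prefetch(SAMPLE_PF)
    print(rec["exe_name"], rec["run_count"], rec["last_run"], executable_path(rec))
```

On a mounted image the files live in `WINDOWS\Prefetch\` and are named `EXENAME-HASH.pf`; run the parser over every file there and sort by `last_run` to get an execution timeline, then look at `executable_path()` for anything launched from a user-writable location.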
(@cedricpernet)
Eminent Member
Joined: 16 years ago
Posts: 26
 

-boot the image in live view and run a virus scan again

You don't need to boot the system to run a virus scan; you could just mount it (but be sure you mount it as read-only) and run one or several anti-virus scanners on it.

Also, I don't think your registry examination should come at the end of your investigation. One of the first things I do in such an investigation is go for autoruns, and usually it brings me results quite fast. You can use "autoruns" from Microsoft for that, or RegRipper.

Be aware, however, that the malware might not be there (there are more ways to make a binary persistent than the autoruns).

Harlan's malware detection checklist is a must-read.

Sirius
(@sirius)
New Member
Joined: 13 years ago
Posts: 1
 

Maybe a bit overkill at your current stage, but if you look for evidence of if/when an executable has been started, you should also read this:

https://blog.mandiant.com/archives/2459

I didn't hear about Shim Cache before …

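The Shim Cache (on XP, the AppCompatCache value under HKLM\SYSTEM\...\Control\Session Manager\AppCompatibility) records the paths of executables the loader has seen, and the record survives even after the file itself is deleted. As an added example, not code from the linked Mandiant post or its tool, the Python below parses the XP 32-bit layout: magic 0xDEADBEEF, entry count at offset 4, a 0x190-byte header, then 552-byte entries each holding a 528-byte UTF-16LE path followed by three 8-byte fields (last-modified FILETIME, file size, last-update FILETIME). The value bytes it reads are constructed in build_sample_cache(); on a real case you would first extract the value from the offline SYSTEM hive with a registry tool.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

XP_MAGIC = 0xDEADBEEF        # first DWORD of the XP AppCompatCache value
XP_HEADER_SIZE = 0x190       # entries start after a 400-byte header
XP_ENTRY_SIZE = 0x228        # 552 bytes per entry
XP_PATH_FIELD = 528          # MAX_PATH (260 chars) as UTF-16LE plus 8 bytes padding
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: Optional[datetime]) -> int:
    return 0 if dt is None else int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def build_sample_cache(entries: List[Tuple[str, datetime, int, Optional[datetime]]]) -> bytes:
    """Constructed AppCompatCache value in the XP layout (sample data, not a real hive)."""
    header = bytearray(XP_HEADER_SIZE)
    struct.pack_into("<II", header, 0, XP_MAGIC, len(entries))
    body = b""
    for path, mtime, size, last_update in entries:
        field = (path.encode("utf-16le") + b"\x00\x00").ljust(XP_PATH_FIELD, b"\x00")
        body += field + struct.pack("<QQQ", datetime_to_filetime(mtime), size,
                                    datetime_to_filetime(last_update))
    return bytes(header) + body


def parse_xp_shimcache(raw: bytes) -> List[dict]:
    """Walk the XP-format cache and return one dict per entry."""
    magic, count = struct.unpack_from("<II", raw, 0)
    if magic != XP_MAGIC:
        raise ValueError("not an XP-format AppCompatCache value")
    entries = []
    for i in range(count):
        off = XP_HEADER_SIZE + i * XP_ENTRY_SIZE
        chunk = raw[off:off + XP_ENTRY_SIZE]
        if len(chunk) < XP_ENTRY_SIZE:
            break                      # truncated value: stop rather than read garbage
        path = chunk[:XP_PATH_FIELD].decode("utf-16le", errors="replace").split("\x00", 1)[0]
        mtime_ft, size, update_ft = struct.unpack_from("<QQQ", chunk, XP_PATH_FIELD)
        entries.append({"path": path,
                        "last_modified": filetime_to_datetime(mtime_ft),
                        "file_size": size,
                        "last_update": filetime_to_datetime(update_ft)})
    return entries


def outside_system_dirs(entries: List[dict]) -> List[dict]:
    """Entries whose executable lived outside the Windows and Program Files trees.
    A first cut for review, not proof of anything on its own."""
    return [e for e in entries
            if not e["path"].upper().startswith(("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\"))]


# Constructed sample: one normal system binary and one look-alike from Temp.
SAMPLE_CACHE = build_sample_cache([
    (r"C:\WINDOWS\system32\svchost.exe",
     datetime(2008, 4, 14, 0, 12, tzinfo=timezone.utc), 14336,
     datetime(2012, 2, 28, 9, 5, tzinfo=timezone.utc)),
    (r"C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe",
     datetime(2012, 3, 1, 11, 58, tzinfo=timezone.utc), 61440,
     datetime(2012, 3, 1, 12, 0, tzinfo=timezone.utc)),
])

if __name__ == "__main__":
    for e in parse_xp_shimcache(SAMPLE_CACHE):
        print(e["last_update"], e["file_size"], e["path"])
```

Cross-check the paths and timestamps against the Prefetch files and the file system: a Shim Cache entry for a path that no longer exists on disk is exactly the kind of ripple Harlan describes below, and the last-modified time gives you a bound on when the file was written.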
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

The Mandiant tool is a great place to start, but there are a number of other Registry keys that contain valuable data, in a similar regard. Also, there are a number of other data sources outside the Registry that can be helpful.

I think that the key to this type of analysis is understanding the four main characteristics of malware: initial infection vector, propagation mechanism, persistence mechanism, and other artifacts. Knowing this, it's possible to look for indications of the malware having executed…this is akin to knowing that someone dropped a rock in a pond, not because you saw them drop the rock, but because you saw the ripples.
