Steps to investigate a potential IT Attack or Malware

(@gilly_uk)
Eminent Member
Joined: 13 years ago
Posts: 23
Topic starter  

Hi Guys,
This is a job that I keep getting through my doors. "Can you see if my laptop has been attacked" or "Is there any malicious software on my laptop".

My question is what steps would you take to investigate such an open question when the user isn't that tech savvy.

I can only investigate the hard drive image of the device so no memory dumps etc which is where I would normally start for malware etc.

My normal steps are

1) Create an image of suspect drive.

2) Virus check the suspect hard drive through 3 virus checkers to flag any starting points.

3) Check auto run locations within the registry.

4) Hash the entire hard drive against the NSRL hashsets, remove the 'knowns' and see what's left. (This is useless at the moment as it normally leaves thousands of entries.)

Then I really come to an end of what else I can check. I don't know of any malware hashsets that are publicly available etc.

Does anyone else have any experience of this sort of blind analysis and the steps they take?

Thanks in advance

Andy


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Andy,

What you have here is a good start.

In WFAT 3e, I have a chapter on malware detection. You might consider checking that for additional steps. For example, malware can use a variety of autostart mechanisms, and having a process or check list that you follow would be a great way to try to discover if there is, in fact, malware on the system.

You might also check for other known artifacts. When I get cases like this…and I do…what I usually start off with is asking the person what makes them believe that the system is infected…what did they see that led them to that belief?

Another thought is that this is an excellent use for the Forensic Scanner.


   
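To make step 4 of Andy's list (hash the image against NSRL and look at what is left) and the autostart checklist keydet89 describes concrete, here is an added example. It is not code from either poster, nor from the Forensic Scanner; it assumes the suspect drive has been mounted read-only at some directory (the "image root"), that an NSRLFile.txt-style CSV extract of the RDS is available as text, and it builds a small constructed directory tree to run against. It reduces the residual list the way the thread complains about: after dropping NSRL "knowns", each remaining file is scored on whether it sits in a Startup folder, carries a PE header behind a non-executable extension, or is an executable in a user-writable path. Registry autostarts (Run/RunOnce, Winlogon Userinit/Shell, Services) live in the SOFTWARE and NTUSER.DAT hives and need a hive parser, so they are left to the checklist rather than handled here.

```python
import csv
import hashlib
import io
import tempfile
from pathlib import Path

# Column subset of the NSRL RDS "NSRLFile.txt" layout; only SHA-1 is used here.
NSRL_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'

# File-system autostart locations (relative to the image root, lower-cased).
# Registry autostart keys are deliberately out of scope (see lead-in).
AUTOSTART_DIRS = (
    "appdata/roaming/microsoft/windows/start menu/programs/startup",
    "programdata/microsoft/windows/start menu/programs/startup",
)
# Paths a standard user can write to, where droppers usually land.
USER_WRITABLE = ("/appdata/", "/downloads/", "/programdata/", "/windows/temp/", "/users/public/")
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".sys", ".vbs", ".js", ".ps1", ".bat", ".cmd", ".hta"}


def load_known_hashes(nsrl_text):
    """Set of lower-case SHA-1 strings from NSRLFile.txt-style CSV text."""
    return {row["SHA-1"].lower() for row in csv.DictReader(io.StringIO(nsrl_text))}


def sha1_of(path, chunk=1 << 20):
    """Stream the file so large files on the image are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_pe(path):
    """Cheap PE check: an 'MZ' DOS header regardless of the file's extension."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def triage(image_root, known):
    """Walk the mounted image, drop NSRL-known files, score what remains."""
    root = Path(image_root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        digest = sha1_of(p)
        if digest in known:
            continue  # NSRL "known": remove from the residual list
        rel = "/" + p.relative_to(root).as_posix().lower()
        pe, ext = is_pe(p), p.suffix.lower()
        reasons = []
        if any(d in rel for d in AUTOSTART_DIRS):
            reasons.append("sits in a Startup folder")
        if pe and ext not in EXEC_EXT:
            reasons.append("PE header behind a non-executable extension")
        if (pe or ext in EXEC_EXT) and any(w in rel for w in USER_WRITABLE):
            reasons.append("executable in a user-writable path")
        findings.append({"path": rel, "sha1": digest, "score": len(reasons), "reasons": reasons})
    # Highest score first so the analyst reads the interesting residue first.
    findings.sort(key=lambda f: (-f["score"], f["path"]))
    return findings


def build_demo_image(root):
    """Constructed stand-in for a mounted image; returns NSRL text covering one file."""
    root = Path(root)
    files = {  # all contents are constructed, not real binaries
        "Windows/System32/kernel32.dll": b"MZ" + b"\x90" * 64 + b"constructed OS file",
        "Users/andy/Documents/report.docx": b"PK\x03\x04 constructed document",
        "Users/andy/AppData/Local/Temp/update.exe": b"MZ" + b"\x00" * 32 + b"constructed dropper",
        "Users/andy/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/invoice.pdf":
            b"MZ" + b"\x00" * 32 + b"constructed persistence",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    known = root / "Windows/System32/kernel32.dll"
    md5 = hashlib.md5(known.read_bytes()).hexdigest().upper()
    row = f'"{sha1_of(known).upper()}","{md5}","00000000","kernel32.dll","{known.stat().st_size}","1","358",""\n'
    return NSRL_HEADER + row


def run_demo():
    """Build the constructed image in a temp dir and return the triage findings."""
    tmp = tempfile.mkdtemp(prefix="image_")
    nsrl_text = build_demo_image(tmp)
    return triage(tmp, load_known_hashes(nsrl_text))


if __name__ == "__main__":
    for f in run_demo():
        print(f["score"], f["path"], "; ".join(f["reasons"]))
```

Against a real mount you would call `triage("/mnt/image", load_known_hashes(open("NSRLFile.txt").read()))` instead of `run_demo()`; the score is a reading order, not a verdict, and a zero-score residual is still unknown rather than clean. Hash the mount with the image attached read-only so the image itself is not altered.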
(@gilly_uk)
Eminent Member
Joined: 13 years ago
Posts: 23
Topic starter  

Many thanks for your very prompt response.

Excuse my ignorance but what is WFAT 3e and the forensic scanner?

They sound very interesting and I would like to take a definite look.

I do believe that I need to start asking the user very specifically what happened but even that can be meaningless.

It just feels like one of those processes where, by the end of it, I would never be able to say for certain their system is clean or dirty, and that actually it may be better to buy a new hard drive and reinstall.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Excuse my ignorance but what is WFAT 3e and the forensic scanner?

WFAT 3e - http://syngress.com/digital-forensics/Windows-Forensic-Analysis-Toolkit-Third-Edition/

Forensic Scanner - http://windowsir.blogspot.com/2012/10/motivations-behind-forensic-scanner.html

Where to get it: http://windowsir.blogspot.com/2012/11/forensic-scanner-has-moved.html

I do believe that I need to start asking the user very specifically what happened but even that can be meaningless.

Always a good start. I use a triage checklist of 10 questions (I don't ask those that don't apply) so I don't miss anything.

It just feels like one of those processes that by the end of it I would never be able to 100% say for certain their system is clean or dirty and that actually maybe buy a new hard drive and reinstall.

It depends. I have seen where the user would have a "feeling" and nothing definitive they could point to, and I'd find all kinds of stuff on their system. I've also had instances where an HR Rep swore that someone had hacked her system, when what we found out *really* happened is that she'd printed a sensitive document, and left it sitting on the printer while she went to lunch. 😉

The key is to _have_ a comprehensive process, one that you add to and that continues to grow over time. I got tired of using spreadsheets and began to implement plugins for the Forensic Scanner. What you see in the download is just a few of the plugins I've written that help me detect artifacts of malware.


   