Trojan Defense

keydet89 · 2005-03-29T17:08:47Z

I saw the topic mentioned, so I thought I'd start a thread…I guess the first step is to determine where you want to stand on the issue…do you want to prove or disprove the claim that a bit of malware was at fault? I think that this is going to be more of an issue, as malware (to include spyware and adware) continues to grow (in capabilities) and proliferate.So, how would you go about this? As I've blogged about (blog listed in .sig file below), on XP systems, you could check the contents of the Prefetch directory to see if (and possibly when) the malware was executed. Of course, you'd also have to check the deleted files to see if a Prefetch file was created, and then deleted.One way of determining intent would be if the files for the Trojan existed on the system, but the usual suspects are not located within the Registry (ie, "Run" key, etc.) - this may indicate that the user himself copied the files to the system, but never actually installed it. What else would you look at? Try to be specific with regards to OS, versions, applications (and versions) as necessary. Some versions of os's or applications may not have capabilities of later versions. Saying "Windows" isn't very helpful, unless the capability or functionality applies to all versions.H. Carvey"Windows Forensics and Incident Recovery"http://www.windows-ir.co

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by reverendlex 18 years ago

11 Posts

10 Users

0 Reactions

1,808 Views

RSS

reverendlex

(@reverendlex)

Eminent Member

Joined: 20 years ago

Posts: 23

26/06/2007 2:25 am

Depends on the crime doesn't it?
What is the malware being blamed for?

A remote access trojan isn't going to open IE and leave browser artifacts is it? No, but a perv would.

A remote access trojan wouldn't, but one of those redirecting pieces of spyware could- IE would accept the cookies and history as if the client was doing the clicking. That's the argument that Julie Amero's defense counsel should have used
.

A remote access trojan wouldn't install kazaa and start downloading unlicensed software would it? No, but half the country is.

But a warez trader might compromise a machine to host files. The evidence of P2P software and use might not be there, but the warez would be there. It would take some good work on the expert witness for the defense on that one to show it.

I bet the lawyers are gonna love this.

Most of them don't get the basics. A few of us do get the distinctions, and we're either going to sharpen or blur them, depending on what's best for our client.

Smart investigators will use multiple approaches to prove the same facts.
One case I worked on, the lead detective got the defendant to initial every page of the chat logs. Even if I could show evidence of malware that _could_ control the defendant's PC, it's not going to fly- the defendant has admitted to the crime.

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
235 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed