Computer Forensics
Infosec Pro Guide
Ch 15
Keyloggers and Malware
Rev. 5-4-15
Topics
• Defining keyloggers and malware
• Detecting keyloggers and malware
• Determining how the infection occurred
• Identifying what data was captured
• Finding information about the attacker
Defining Keyloggers and Malware
Keyloggers
• Keyloggers capture keystrokes for an attacker
• Hardware keyloggers (pictured on the slide) sit inline between the keyboard and the computer and store the captured keystrokes in onboard flash memory, so nothing runs on the host for software to detect
Software Keyloggers
• Programs that capture keystrokes, and often other user activity, such as screenshots and mouse actions
• API-based: hooks the OS keyboard APIs (for example a low-level keyboard hook set with SetWindowsHookEx) to capture keystrokes
• Kernel-based: intercepts keystrokes in a modified or filter keyboard driver, below the reach of user-mode tools
• Form grabbing: intercepts Web-form data inside the browser before it is encrypted and sent to the Internet
Malware
• Malicious software
– Includes viruses, Trojans, rootkits, spyware
– Also "Potentially Unwanted Programs"
Detecting Keyloggers and Malware
Malware Artifacts
• Artifacts may be created in
– System startup
– Running processes
– Services
– Installed or modified drivers
– System files
– More
Registry Files
• NTUSER.DAT (one per user profile)
– Its creation date approximates when that user first logged on, since the profile is created at first logon
• SOFTWARE
• SYSTEM
– Use Registry Viewer or RegRipper to parse the hive files offline
Registry: User Profiles
• Who has been using this computer?
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
– One subkey per SID; its ProfileImagePath value names the profile folder
Last Written Time
• Every registry key carries a last-written timestamp
• Not visible in Regedit, but shown in Registry Viewer in the lower left pane
• On the root key of a user's NTUSER.DAT it approximates the last time that user logged off, because the hive is written out when the profile unloads
Run Keys
• Malware often puts itself here to survive a
system reboot
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
– Many more, as listed in link Ch 15a
Examples of Infected Machines
• Top: Suspicious RUN key entry
• Bottom: Keylogger entry
Registry: System Services
• HKLM\System\CurrentControlSet\Services
• Long, complex list; infections may appear here as services or drivers whose ImagePath points outside the Windows and Program Files directories or carries a random-looking name
Prefetch Files
• .PF extension, in C:\Windows\Prefetch; one file per executable, named EXENAME-HASH.pf
• Records the executable's run count and last run time, so it proves a program ran even after the binary was deleted
Inside Prefetch Files
• List of files the application loaded during its first seconds of execution (DLLs, configuration files, dropped payloads)
• Strings are UTF-16LE (Unicode), so an ASCII-only keyword search misses them
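The two slides above describe what a prefetch file holds. The parser below is added here as an example; it is not code from the book, the slides or any forensic tool. It reads the executable name, hash, last run time, run count and the UTF-16LE dependency list from a version 17 (XP/2003) or version 23 (Vista/7) .pf file, refuses the compressed Windows 10 format rather than mis-parsing it, and builds a constructed sample so it runs offline. The layout offsets follow the published format; the Temp/Recycler triage rule, the sample file names, the timestamp and the hash value are assumptions.

```python
"""Windows Prefetch (.pf) parser for format versions 17 (XP/2003) and 23
(Vista/7), plus a constructed sample file so it runs offline.
Added example for this chapter, not code from the book or the slides."""
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# version -> (absolute offset of last-run FILETIME, absolute offset of run count)
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}
# Scratch locations where a legitimate dependency rarely lives (triage heuristic, assumption)
SUSPECT_DIRS = ("\\TEMP\\", "\\RECYCLER\\", "\\$RECYCLE.BIN\\")


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_prefetch(data):
    """Executable name, hash, last run, run count and the UTF-16LE list of
    files the program touched (section C) from a v17 or v23 .pf file."""
    if data[:3] == b"MAM":
        raise ValueError("Windows 10 prefetch is LZXPRESS-compressed; decompress it first")
    if len(data) < 0x54 or data[4:8] != SIGNATURE:
        raise ValueError("missing SCCA signature: not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    executable = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    # Section C: NUL-terminated UTF-16LE device paths; an ASCII search misses them.
    strings_off, strings_len = struct.unpack_from("<II", data, 0x64)
    blob = data[strings_off:strings_off + strings_len].decode("utf-16-le", "replace")
    run_off, count_off = LAYOUT[version]
    return {
        "version": version,
        "executable": executable,
        "hash": pf_hash,
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", data, run_off)[0]),
        "run_count": struct.unpack_from("<I", data, count_off)[0],
        "files": [s for s in blob.split("\x00") if s],
    }


def expected_pf_name(record):
    """Windows names the file EXENAME-HASH.pf, hash in upper-case hex."""
    return "%s-%08X.pf" % (record["executable"], record["hash"])


def suspicious_dependencies(record):
    """Dependencies loaded from user-writable scratch directories."""
    return [f for f in record["files"] if any(d in f.upper() for d in SUSPECT_DIRS)]


def build_sample_pf(executable, files, last_run, run_count, pf_hash=0x1A2B3C4D):
    """Constructed v23 blob holding only the fields parsed above (name up to
    29 characters); a test fixture, not a capture from a real system."""
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    strings_off = 0x54 + 156                 # 84-byte header + v23 file-information block
    body = bytearray(strings_off) + strings
    struct.pack_into("<I", body, 0x00, 23)
    body[4:8] = SIGNATURE
    struct.pack_into("<I", body, 0x0C, len(body))
    name = executable.encode("utf-16-le")
    body[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", body, 0x4C, pf_hash)
    struct.pack_into("<II", body, 0x64, strings_off, len(strings))
    struct.pack_into("<Q", body, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", body, 0x98, run_count)
    return bytes(body)


# Constructed sample modelled on the chapter's fake-antivirus dropper (paths assumed)
SAMPLE_FILES = [
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
    "\\DEVICE\\HARDDISKVOLUME1\\USERS\\BOB\\APPDATA\\LOCAL\\TEMP\\LJ1IOI6L.EXE",
]
SAMPLE_LAST_RUN = datetime(2015, 5, 4, 13, 22, 7, tzinfo=timezone.utc)


def demo():
    return parse_prefetch(build_sample_pf("LJ1IOI6L.EXE", SAMPLE_FILES, SAMPLE_LAST_RUN, 3))


if __name__ == "__main__":
    rec = demo()
    print(expected_pf_name(rec), rec["last_run"], "runs:", rec["run_count"])
    for path in suspicious_dependencies(rec):
        print("suspect dependency:", path)
```

Point `parse_prefetch` at the bytes of a real .pf file from C:\Windows\Prefetch on an XP or Windows 7 image; the dependency list is where a dropper's second-stage file names turn up even after the files themselves have been deleted.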
Keyword Searches
• Often locate commercial keyloggers
• Search for "keylogger" and for the names of popular products
• Tip: install the keylogger in a VM, use RegShot
to see what registry keys it makes
Handling Suspicious Files
• Use online scanners like
– VirusTotal
– Jotti
– ThreatExpert (links Ch 15b, c, d)
• Uploading a sample shares it with the service and its partners; when the case is confidential, look up the file's hash first instead of submitting the file
Determining How the Infection Occurred
Timing
• Look at creation dates of malware files to
determine time of infection
• What was the user doing at the time of the
infection?
– At work, checking email, surfing the Web?
• Was the user away, perhaps home asleep
during this time?
Other Files
• Sorting files created or modified near that
time will help determine what activity was
taking place
• Check event logs
– Export them from C:\Windows\System32\config (XP .evt logs); on Vista and later the .evtx logs live in C:\Windows\System32\winevt\Logs
– View them using Event Viewer from the same OS they were created in
• Fix corrupted event logs with Fixevt.exe (link
Ch 15e)
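A way to work through the Timing and Other Files steps above, added here as an example and not the book's or the slides' code: it windows the file list around the malware's creation time and reconstructs the user's interactive logon sessions from Security-log logon and logoff events, which answers the slide's question of whether the user was at the keyboard when the infection happened. The file list, the events, the account name and the 10-minute window are constructed assumptions; event IDs 4624/4634/4647 are the Vista-and-later values, XP logs 528/538 instead.

```python
"""Put the malware file's creation time next to other file activity and to
the user's logon sessions reconstructed from the Security event log.
Added example for this chapter, not code from the book or the slides;
the file list and the events below are constructed sample data."""
from datetime import datetime, timedelta

# Vista and later: 4624 logon / 4634, 4647 logoff (XP uses 528 / 538)
LOGON, LOGOFF = 4624, (4634, 4647)
INTERACTIVE = {2, 10, 11}   # logon types: console, RDP, cached console

# Constructed (path, creation time) entries from the forensic tool's file list
FILES = [
    ("C:\\Windows\\SoftwareDistribution\\Download\\update.cab", datetime(2015, 5, 4, 3, 5, 0)),
    ("C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\photos.lnk", datetime(2015, 5, 4, 13, 21, 40)),
    ("C:\\Users\\bob\\AppData\\Local\\Temp\\lj1ioi6l.exe", datetime(2015, 5, 4, 13, 22, 7)),
    ("C:\\Windows\\Prefetch\\LJ1IOI6L.EXE-1A2B3C4D.pf", datetime(2015, 5, 4, 13, 22, 17)),
]
# Constructed Security-log records: (time, event id, account, logon type)
EVENTS = [
    (datetime(2015, 5, 4, 8, 55, 12), 4624, "bob", 2),
    (datetime(2015, 5, 4, 12, 1, 3), 4624, "SYSTEM", 5),     # service logon, not a user session
    (datetime(2015, 5, 4, 17, 30, 45), 4634, "bob", 2),
    (datetime(2015, 5, 5, 8, 58, 0), 4624, "bob", 2),        # still open: no logoff yet
]


def files_near(files, when, window=timedelta(minutes=10)):
    """Files created within +/- window of the infection time, oldest first."""
    return sorted((t, p) for p, t in files if abs(t - when) <= window)


def sessions(events, user):
    """Pair each interactive logon of `user` with the next logoff; an open
    session (no logoff yet, or log truncated) gets end=None."""
    out, start = [], None
    for t, eid, acct, ltype in sorted(events):
        if acct != user:
            continue
        if eid == LOGON and ltype in INTERACTIVE and start is None:
            start = t
        elif eid in LOGOFF and start is not None:
            out.append((start, t))
            start = None
    if start is not None:
        out.append((start, None))
    return out


def user_logged_on(events, user, when):
    """Was `user` in an interactive session at `when`?"""
    return any(s <= when and (e is None or when <= e) for s, e in sessions(events, user))


if __name__ == "__main__":
    infection = datetime(2015, 5, 4, 13, 22, 7)
    for t, p in files_near(FILES, infection):
        print(t, p)
    print("user present:", user_logged_on(EVENTS, "bob", infection))
```

The 03:05 update.cab falls outside the window and the SYSTEM service logon is ignored, so the output shows only the LNK, the dropper and its prefetch file, all created while bob's 08:55 to 17:30 session was active.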
Example: Fake Antivirus
• Run key showed a filename "lj1ioi6l.exe"
• Searching for that keyword in EnCase or FTK
found a deleted file
• That file contained more strange filenames to
search for
LNK File
• Infection came in on a USB stick
USBSTOR Key
• HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR records the vendor, product and serial number of every USB storage device ever connected
• Can identify the exact USB stick that caused the infection; a device that reports no serial number gets a Windows-generated instance ID (with "&" as its second character) that cannot single out one stick
How to Get Serial # of USB Stick
• Use a hardware USB write-blocker that will
display the serial number on its screen
• Use forensic imaging software to pull the
serial number
• Use a registry setting to block USB writes on a test machine (HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect set to 1), plug in the suspect stick, then compare its USBSTOR entry with the evidence machine's to see if you have a match
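One script that serves both the Run-key and Services slides earlier in the chapter and the USBSTOR slides above, added here as an example; it is not code from the book, the slides, Regedit or RegRipper. It parses a Regedit text export of the relevant keys, flags autostart entries whose binary sits outside the Windows and Program Files directories or has a random-looking name like lj1ioi6l.exe, and pulls USBSTOR serial numbers for matching against the serial read from the write-blocker. The export text, the driver name kbdhook, the user name and the serial number are constructed; the "random name" test is a heuristic, not a rule from the book.

```python
"""Triage a Regedit 'Version 5.00' text export covering the Run keys, the
Services key and USBSTOR. Added example for this chapter, not code from the
book or the slides; the export below and the 'random name' rule are
assumptions. Real exports are UTF-16 with a BOM: open(p, encoding="utf-16")."""
import re

RUN_KEYS = ("\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE")
TRUSTED_DIRS = ("\\WINDOWS\\", "\\PROGRAM FILES", "\\SYSTEMROOT\\", "%SYSTEMROOT%\\")
_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<val>.*)$')
_USBSTOR = re.compile(r"\\Enum\\USBSTOR\\(?P<dev>[^\\]+)\\(?P<inst>[^\\]+)$", re.I)

def parse_reg_export(text):
    """{key path: {value name: data}}; quoted strings are unescaped, dword:/hex: kept raw."""
    hives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY.match(line)
        if m:
            current = hives.setdefault(m.group("key"), {})
            continue
        m = _VAL.match(line)
        if m and current is not None:
            name = "" if m.group("default") else re.sub(r"\\(.)", r"\1", m.group("name"))
            val = m.group("val")
            if len(val) >= 2 and val[0] == val[-1] == '"':   # \\ -> \ and \" -> "
                val = re.sub(r"\\(.)", r"\1", val[1:-1])
            current[name] = val
    return hives

def executable_path(command):
    """Program path from a command line, whether quoted ("...exe" /s) or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def looks_random(path):
    """Heuristic: base name of 8+ characters mixing letters and digits, as in lj1ioi6l.exe."""
    base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(base) >= 8 and any(c.isdigit() for c in base) and any(c.isalpha() for c in base)

def triage_autostarts(hives):
    """Run/RunOnce values and service ImagePaths outside the system directories
    or with a random-looking file name, in hive order."""
    findings = []
    for key, values in hives.items():
        upper = key.upper()
        if upper.endswith(RUN_KEYS):
            entries = list(values.items())
        elif "\\SERVICES\\" in upper and "ImagePath" in values:
            entries = [(key.rsplit("\\", 1)[-1], values["ImagePath"])]
        else:
            continue
        for name, command in entries:
            path = executable_path(command)
            reasons = []
            if not any(d in path.upper() for d in TRUSTED_DIRS):
                reasons.append("outside Windows/Program Files")
            if looks_random(path):
                reasons.append("random-looking file name")
            if reasons:
                findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings

def usb_storage_devices(hives):
    """(device id, serial, friendly name) per USBSTOR instance. An '&' as the second
    character of the instance id means Windows generated it because the device
    reported no serial, so that entry cannot be matched to one specific stick."""
    devices = []
    for key, values in hives.items():
        m = _USBSTOR.search(key)
        if m:
            inst = m.group("inst")
            serial = None if inst[1:2] == "&" else inst.split("&", 1)[0]
            devices.append((m.group("dev"), serial, values.get("FriendlyName", "")))
    return devices

def match_usb_serial(hives, serial):
    """True when the serial read off the write-blocker or imager appears in USBSTOR."""
    return any(s == serial for _, s, _ in usb_storage_devices(hives))

# Constructed export: "lj1ioi6l" is the chapter's Run entry, "kbdhook" a hypothetical driver
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"lj1ioi6l"="\"C:\\Users\\bob\\AppData\\Local\\Temp\\lj1ioi6l.exe\" /s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhook]
"ImagePath"="\\??\\C:\\Users\\bob\\AppData\\Roaming\\kbdhook.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"ImagePath"="\\SystemRoot\\System32\\drivers\\tcpip.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001230419118250&0]
"FriendlyName"="SanDisk Cruzer USB Device"
'''
```

Run `triage_autostarts(parse_reg_export(SAMPLE_EXPORT))` and only the Temp-resident Run entry and the AppData-resident driver come back; tcpip.sys under \SystemRoot is left alone. The same parser works on a RegRipper or Regedit export of the evidence machine's SOFTWARE and SYSTEM hives once they have been loaded with Regedit's "Load Hive".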
Identifying What Data was Captured
Micro Keylogger's Website
Found Captured Data
Antiforensic Measures
• If you encounter these
– Packed binaries
– Encryption
– Data wiping
– Obfuscation
• You may have better results with live
analysis—infect a virtual machine and watch
the effects
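A static check to run before deciding on live analysis, added here as an example that is not from the book or the slides: per-section Shannon entropy of a PE file, computed by walking the COFF header and section table directly with no third-party dependency. A section at or around 7 bits per byte or more, or one carrying a known packer section name such as UPX1, is packed or encrypted and will not yield to keyword searches until it has been unpacked or run in the VM. The sample PE is built in-script from a seeded generator and is not a real executable; the 7.0 threshold and the packer-name list are rules of thumb, not values from the book.

```python
"""Per-section entropy of a PE file as a packing/encryption indicator.
Added example for this chapter, not code from the book or the slides.
The sample PE is constructed in-script; it is not a real executable."""
import math
import random
import struct
from collections import Counter

# Well-known packer section names (assumption: a prefix list, not exhaustive)
PACKER_NAMES = ("UPX", ".aspack", ".petite", "MPRESS", ".themida", ".vmp")


def shannon_entropy(data):
    """Bits per byte: ~0 for repetitive data, close to 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data):
    """(name, raw offset, raw size, entropy) for each entry in the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER: 20 bytes
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section headers follow the optional header
    out = []
    for i in range(nsections):
        entry = table + 40 * i               # IMAGE_SECTION_HEADER: 40 bytes
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", data, entry + 16)
        out.append((name, raw_off, raw_size, shannon_entropy(data[raw_off:raw_off + raw_size])))
    return out


def packing_indicators(data, threshold=7.0):
    """Sections that look packed: entropy at/above threshold or a packer section name."""
    hits = []
    for name, _, _, ent in pe_sections(data):
        reasons = []
        if ent >= threshold:
            reasons.append("entropy %.2f" % ent)
        if any(name.upper().startswith(p.upper()) for p in PACKER_NAMES):
            reasons.append("packer section name")
        if reasons:
            hits.append((name, reasons))
    return hits


def build_sample_pe():
    """Constructed two-section PE skeleton: a low-entropy .text of NOP/RET
    filler and a high-entropy UPX1 filled from a seeded PRNG (deterministic)."""
    rng = random.Random(1)
    text = bytes([0x90, 0xC3] * 512)
    upx1 = bytes(rng.getrandbits(8) for _ in range(4096))
    e_lfanew, opt_size, text_off = 0x80, 0, 0x200
    table = e_lfanew + 4 + 20 + opt_size
    buf = bytearray(text_off)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", buf, e_lfanew + 4, 0x14C, 2)      # Machine=i386, NumberOfSections=2
    struct.pack_into("<H", buf, e_lfanew + 4 + 16, opt_size)   # SizeOfOptionalHeader
    sections = ((b".text", text_off, len(text)), (b"UPX1", text_off + len(text), len(upx1)))
    for i, (name, off, size) in enumerate(sections):
        entry = table + 40 * i
        buf[entry:entry + len(name)] = name
        struct.pack_into("<II", buf, entry + 16, size, off)    # SizeOfRawData, PointerToRawData
    return bytes(buf) + text + upx1


if __name__ == "__main__":
    sample = build_sample_pe()
    for name, off, size, ent in pe_sections(sample):
        print("%-8s off=0x%04x size=%5d entropy=%.2f" % (name, off, size, ent))
    print(packing_indicators(sample))
```

Feed `packing_indicators` the bytes of a suspicious executable recovered from the image; a hit means static string searches on that file are pointless and the sample belongs in the VM.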
Finding Information About the Attacker
Help.HTML File
• Left behind by malware
• Examples and directions to connect webmail
accounts and upload to FTP server
• Use keyword search for webmail accounts
– Gmail, Yahoo, Verizon, Hotmail, etc.
Gmail Account and Password
• Found on deleted XML file in slack space
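The keyword search the chapter describes, as an added example that is not the book's, the slides' or EnCase/FTK code: it scans raw bytes for product keywords, webmail addresses and ftp://user:password@host URLs in both ASCII and UTF-16LE, since the deleted XML file above and most Windows artefacts are stored as UTF-16 and an ASCII-only search would never have found that account. SAMPLE_IMAGE is a constructed fragment; the credentials, address, product string and IP address in it are invented.

```python
"""Keyword and credential-pattern search over raw bytes (an image, unallocated
clusters or slack space) in both ASCII and UTF-16LE.
Added example for this chapter, not code from the book or the slides;
SAMPLE_IMAGE is constructed."""
import re

KEYWORDS = ["keylogger", "gmail", "yahoo", "hotmail", "verizon"]
# Patterns as (atom, quantifier) lists; atoms starting with '[' are character
# classes, anything else is literal text. One description yields both encodings.
PATTERNS = {
    "email": [(b"[A-Za-z0-9._%+-]", b"+"), (b"@", b""), (b"[A-Za-z0-9.-]", b"+"),
              (b".", b""), (b"[A-Za-z]", b"{2,}")],
    "ftp-credentials": [(b"ftp://", b""), (b"[A-Za-z0-9._%+-]", b"+"), (b":", b""),
                        (b"[\\x21-\\x3f\\x41-\\x7e]", b"+"), (b"@", b""), (b"[A-Za-z0-9.-]", b"+")],
}


def compile_both(atoms):
    """ASCII and UTF-16LE regexes from one atom list: in UTF-16LE every ASCII
    code unit is followed by a NUL byte, so each atom gets a \\x00 appended."""
    ascii_parts, utf16_parts = [], []
    for atom, quant in atoms:
        if atom.startswith(b"["):
            ascii_parts.append(atom + quant)
            utf16_parts.append(b"(?:" + atom + b"\\x00)" + quant)
        else:
            ascii_parts.append(re.escape(atom) + quant)
            utf16_parts.append(b"".join(re.escape(bytes([c])) + b"\\x00" for c in atom) + quant)
    return (re.compile(b"".join(ascii_parts), re.IGNORECASE),
            re.compile(b"".join(utf16_parts), re.IGNORECASE))


def all_patterns():
    pats = {"keyword:" + kw: [(kw.encode(), b"")] for kw in KEYWORDS}
    pats.update(PATTERNS)
    return pats


def search_image(data, patterns=None):
    """[(byte offset, encoding, label, decoded hit)] sorted by offset."""
    hits = []
    for label, atoms in (patterns or all_patterns()).items():
        ascii_re, utf16_re = compile_both(atoms)
        for m in ascii_re.finditer(data):
            hits.append((m.start(), "ascii", label, m.group().decode("ascii", "replace")))
        for m in utf16_re.finditer(data):
            hits.append((m.start(), "utf-16le", label, m.group().decode("utf-16-le", "replace")))
    return sorted(hits)


# Constructed image fragment: binary filler, an ASCII Help.HTML remnant with
# FTP upload credentials, then a UTF-16LE XML settings fragment in slack space.
SAMPLE_IMAGE = (
    bytes(range(0x80, 0x100)) * 2
    + b"<html><body>Upload captured logs to ftp://logs:Pa55w0rd@198.51.100.7/drop</body></html>"
    + b"\x00" * 16
    + "<settings><email>victim.bob@gmail.com</email></settings>".encode("utf-16-le")
    + b"\xff" * 8
    + "Micro Keylogger 2.1".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for off, enc, label, text in search_image(SAMPLE_IMAGE):
        print("0x%06x %-8s %-18s %s" % (off, enc, label, text))
```

The offsets in the output are what you carry back into EnCase or FTK to bookmark the cluster; note that the Gmail address and the product string are found only by the UTF-16LE patterns.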
Don't Log In!
• Just finding the password is NOT legal
authorization to log in to the account
• Report your findings and let legal counsel
decide what the next steps should be
