Initial Examination Steps & First Challenge

Thursday, August 12, 2010 Posted by Corey Harrell
Initial Examination Steps

Starting out I decided to investigate a single system infected with malware. The books I referenced helped identify the data that can be examined to answer my two questions, which for a single computer involved volatile data, the hard drive, and the various locations in the both of them. Next I was interested in the examination steps I could use to help collect and examine the data. I was already involved in performing digital forensic investigations therefore my focus was on identifying the additional examination steps required to investigate a system infected with malware. For example, I already perform keyword searches, hash analysis, and file signature analysis on my cases so I wanted to identify the additional required steps. The following were the initial steps I used to investigate a single system:

     * Examine the volatile data
     * Hash the files on the system
     * Perform a file signature analysis against the files on the system
     * Examine the files on the system that were identified in volatile data
     * Search for known malware on the system
     * Examine the programs ran on the system
     * Examine the host-based logs
     * Examine the auto-start locations
     * Perform a keyword search
     * Examine any executables of interest

Windows Forensic Analysis and Malware Forensics Investigating and Analyzing Malicious Code do an outstanding job of explaining the majority of those steps. As a result, I am not going to explain the steps in detail but I wanted to post the examination steps that I used to for my initial investigation. Plus, I thought it would help explain why I decided to do certain things like use memory analysis to find the infection. The steps I mentioned above were the initial steps I used last Spring. I have not listed any additional steps because I wanted to present how I approached the examination at the time.

First Challenge

The first issue I encountered on my journey was when I wanted to test the process and examination steps I had learned from researching. This is when I noticed the lack of available test images of compromised systems.

This made it difficult to understand the investigation process because tests could not be conducted against a known image to see if I could duplicate the results. I was hoping to find images of compromised systems similar to challenge files available for the forensic challenges on the Internet. For example, the Honeynet Project has an archive of challenges along with the winners’ solutions. I think these challenges are great learning tools because the challenges can be attempted then the winners’ solutions can be referenced to see what was done correct or wrong. However, I was unable to locate an equivalent for images of compromised systems including images of memory along with the image of the hard disk.

To get around this issue, I resorted to creating my own images of compromised systems. At first I was compromising systems using random malware samples from Offensive Computing. This worked well for trying to find the infection on a system but the infection vector was always an executable being launched by a user account. To find the infection vector I had to use a different method to infect a system in order to simulate how a real attack might look like. This evolved into creating compromising systems by opening suspected malicious emails and/or visiting suspected malicious websites. There was a lot of trial and error but I was able to get enough compromised systems for the testing of answering the question of how did the system become infected.

All of the systems were restarted before imaging the memory in order to remove any potential artifacts of the attack in the volatile data. The following blogs about answering my two initial questions will be referencing images from two systems infected by visiting malicious websites. The images will be referenced as Infected 1 and Infected 2.


Aquilina, J. M., Casey, E., & Malin, C. H. (2008). Malware Forensics Investigating and Analyzing Malicious Code. Burlington: Syngress Publishing, Inc.

Carvey, H. (2009). Windows Forensic Analysis. Burlington: Syngress Publishing, Inc.

Mandia, K., Prosise, C., & Pepe, M. (2003). Incident Response & Computer Forensics. Emeryville: McGraw-Hill/Osborne.

Post a Comment