Windows Forensic Analysis

File Analysis (Windows Forensic Analysis) Part 8

Alternative Methods of Analysis
Sometimes when you’re conducting a postmortem computer forensic analysis (after you’ve acquired an image) you might need to perform analysis that is simply more cumbersome when you’re working with an image. For example, you might decide that you want to scan the system for malware, such as Trojans, backdoors, or spyware. […]

File Analysis (Windows Forensic Analysis) Part 9

Discovering Malware
One laborious analysis task that many analysts encounter is locating malware on a system, or within an acquired image. In one instance, I was examining an image of a system on which the user had reported suspicious events. I eventually located malware that was responsible for those events, but using a tool to […]

Executable File Analysis (Windows Forensic Analysis) Part 1

Introduction
At times during an investigation you may come across a suspicious executable file on which you would like to perform some analysis to get an idea of what it does or what function it performs. Many times, an intruder may leave scripts or configuration files behind, and these files are generally text files that […]

Executable File Analysis (Windows Forensic Analysis) Part 2

The PE Header
At www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx, Microsoft has thoroughly documented the format of PE files (as well as the Common Object File Format, or COFF, found on VAX/VMS systems), and has made that documentation public. Microsoft has also made most of the structures used within the file headers publicly available, as part of the documentation for […]

Executable File Analysis (Windows Forensic Analysis) Part 3

EXPORT Table
As DLLs provide functions that other executable files can import, the DLLs themselves maintain a table of functions available in their (you guessed it) EXPORT table. These are functions that are available for other executable images (DLLs, EXEs, etc.) to import or make use of so that application authors do not need to […]

Executable File Analysis (Windows Forensic Analysis) Part 4

Dynamic Analysis
Dynamic analysis involves launching an executable file in a controlled and monitored environment so that you can observe and document its effects on a system. This is an extremely useful analysis mechanism, in that it gives you a more detailed view of what the malware does on and to a system, and especially […]

Rootkits and Rootkit Detection (Windows Forensic Analysis) Part 1

Introduction
At the RSA Conference in February 2005, Mike Danseglio and Kurt Dillard, both from Microsoft, mentioned the word rootkit, and the ensuing months saw a flurry of activity as "experts" pontificated about rootkits and software companies produced tools to detect them. Even though rootkits had been around for years, originating in the UNIX world […]

Rootkits and Rootkit Detection (Windows Forensic Analysis) Part 2

Helios
Helios (www.mielesecurity.com/) is described as an "advanced malware detection system" that uses behavioral analysis and does not employ signatures as a detection mechanism. Although it is described as a malware detection system, Helios is also capable of detecting rootkits. Helios is not open source, but it is free, and (according to the Web site, […]

Tying It All Together (Windows Forensic Analysis) Part 1

Introduction
Throughout the topic so far, we’ve covered a great deal of very technical information, but in each case that information has been very specific to one particular area—Windows memory, the Registry, files, and so on. However, most of the incident response that a responder is required to do, or computer forensic analysis that an […]

Tying It All Together (Windows Forensic Analysis) Part 2

Case Study 7: The App Did It
Not long ago, I was performing some incident response that might have had to do with some malicious activity. As is very often the case as a corporate consultant, my initial call with respect to the incident came from the customer, and one common factor among most of […]