Warning – before you get started reading this blog post, it’s only fair that I warn you…in this post, I make the recommendation that you document your analysis process. If you find this traumatic, you might want to just move on. 😉
Robert Jan Mora, a name that I’ve known for some time within the DFIR community, recently posted something pretty fascinating on LinkedIn, having to do with a case that he worked a bit ago. His post, in turn, leads to this The Wire article, from India, and includes an interview with him.
The “so what” of the article itself has to do with an initial report that states that no malware was present, and two subsequent reports, one of which is from Robert Jan’s analysis, stating that malware was found on a USB device.
In his LinkedIn post, Robert Jan emphasizes the need for malware scans in a law enforcement environment. Back when I first started working cases, even internally, in the early 2000s, I recommended the same thing, albeit using AV scanners that were not installed on the imaged endpoint. Even more tools are available these days; for example, consider Yara, or something more along the lines of the Thor Scanner from Nextron Systems.
To learn a bit more about this man, check out this Forensic Focus interview.
Okay, but so what? Why does this matter, or why is it important?
When looking to see if malware exists, or did exist, on an endpoint, there are different approaches you can take, perhaps using AV scanners, or something like Yara. Or, sometimes, we may not find the actual malware itself, maybe not right away, but we will see clear indications of its presence, or that it had executed. For example, if you’ve created a timeline of system activity, you may find a cluster of activity with different components derived from different sources, such as the Registry, Windows Event Log, file system, etc. Separately, these may not be entirely conclusive, but when viewed together, and within a narrow timeframe, they may provide clear indications
[…]
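As an added illustration of the clustering idea above (this is not code from the original post), here is a small Python routine that merges constructed timeline entries from the Registry, Windows Event Log and file system, and flags any window in which several distinct sources show activity close together. The sample entries, the 60-second window and the three-source threshold are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample timeline entries (not from any real case): each is
# (ISO timestamp, source, description). The sources mimic what a merged
# timeline would contain: Registry, Windows Event Log and file system.
EVENTS = [
    ("2024-03-01T09:00:05", "filesystem", "created Downloads\\invoice.zip"),
    ("2024-03-01T09:00:12", "filesystem", "created AppData\\Local\\Temp\\upd.exe"),
    ("2024-03-01T09:00:14", "eventlog", "Security 4688: new process upd.exe"),
    ("2024-03-01T09:00:15", "registry", "Run key value added: Updater -> upd.exe"),
    ("2024-03-01T09:00:16", "eventlog", "Sysmon 3: upd.exe network connection"),
    ("2024-03-01T13:30:00", "filesystem", "modified report.docx"),
    ("2024-03-01T13:31:00", "eventlog", "System 7036: spooler entered running state"),
]


def parse_events(events):
    """Convert timestamps and sort so the sliding window below sees time order."""
    return sorted((datetime.fromisoformat(ts), src, desc) for ts, src, desc in events)


def find_clusters(events, window_seconds=60, min_sources=3):
    """Return windows of at most window_seconds (measured from the first entry)
    whose entries come from at least min_sources distinct artifact sources."""
    rows = parse_events(events)
    window = timedelta(seconds=window_seconds)
    clusters = []
    i = 0
    while i < len(rows):
        j = i
        while j + 1 < len(rows) and rows[j + 1][0] - rows[i][0] <= window:
            j += 1
        group = rows[i:j + 1]
        sources = {src for _, src, _ in group}
        if len(sources) >= min_sources:
            clusters.append({
                "start": group[0][0].isoformat(),
                "end": group[-1][0].isoformat(),
                "sources": sorted(sources),
                "events": [desc for _, _, desc in group],
            })
            i = j + 1          # skip past the cluster we just recorded
        else:
            i += 1             # slide the window start forward by one entry
    return clusters


if __name__ == "__main__":
    for c in find_clusters(EVENTS):
        print(c["start"], "->", c["end"], c["sources"])
        for line in c["events"]:
            print("   ", line)
```

With the sample data only the morning burst qualifies: the afternoon pair spans two sources, not three, so it is left for the analyst to judge rather than flagged.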