Skip main navigation

£199.99 £139.99 for one year of Unlimited learning. Offer ends on 28 February 2023 at 23:59 (UTC). T&Cs apply

Find out more

Attribute 0x10 $STANDARD_INFORMATION

Attribute 0x10 STANDARD_INFORMATION The Standard Information attribute contains the files ownership information together with the files permissions and associated dates and times. This attribute is known as a resident attribute …

Prefetch Files

Prefetch Files When system or user programs are executed on a Windows computer a Prefetch file is created. The purpose of the Prefetch file is to increase the performance of …

MFT Record Attributes

MFT Record Attributes File metadata is stored within various attributes within each MFT record. Each attribute is uniquely identified by a header followed by attribute information. The number of attributes …

Drive-By-Downloading

Drive-by-Downloading An infection or attempted infection by drive-by -downloading is when a web resource such as a website has been compromised and contains exploits or pointers to download malware. When …

Windows 10 Overview

Windows 10 overview Windows 10 was released by Microsoft mid 2015, and statistically holds slightly more than 50% of the worldwide desktop market as of June 2020, with the second …

Attribute 0x80 $DATA

Attribute 0x80 $DATA The purpose of the data attribute is to point to where the content of a file is located. This attribute can be either a resident attribute or …

Hooked process

Process hooking Malware must run! All malware must be loaded into memory to function as either a process in its own right or it must form part of another process …

MFT Structure

$MFT The $MFT is a relational database which maintains a record of all files (including directories) saved to the file system. Each file will have at least one (sometimes more …

NTFS Files

NTFS Files The NT File System is made up of a number of file system metadata files which collectively allow the file system to function. All files including directories are …

Memory Examination – Static

Memory Examination – Static Before we can examine a static copy of the computers memory, we must first make that copy! In order to do this an appropriate program must …

Executable Files

Executable files An executable file is a file that contains encoded instructions that can be executed by an operating system. Executable files can be platform specific (only executes in a …

Welcome to the course!

Welcome to the Introduction to Malware Investigations course! This course was designed to give those who have an interest in malware investigations and the methods used to find evidence of …

File location

File location Malware wants to hide on your computer and there are essentially two locations namely; user areas or system areas. The first location is simply hiding somewhere in your …

NTFS Overview

NT File System (NTFS) Overview NTFS is the primary file system used by Windows computers. The file system consists of file system metadata files which collectively enable the file system …

Other triggers

Other Triggers There can be many other events that can trigger the execution of malware some examples include: • Specified date(s) and time(s) • Boot number • Mouse overs • …