Course: Introduction to Digital Forensics: Malware Analysis and Investigations

Attribute 0x10 STANDARD_INFORMATION The Standard Information attribute contains the files ownership information together with the files permissions and associated dates and times. This attribute is known as a resident attribute …

Prefetch Files When system or user programs are executed on a Windows computer a Prefetch file is created. The purpose of the Prefetch file is to increase the performance of …

MFT Record Attributes File metadata is stored within various attributes within each MFT record. Each attribute is uniquely identified by a header followed by attribute information. The number of attributes …

Drive-by-Downloading An infection or attempted infection by drive-by -downloading is when a web resource such as a website has been compromised and contains exploits or pointers to download malware. When …

Windows 10 overview Windows 10 was released by Microsoft mid 2015, and statistically holds slightly more than 50% of the worldwide desktop market as of June 2020, with the second …

Attribute 0x80 $DATA The purpose of the data attribute is to point to where the content of a file is located. This attribute can be either a resident attribute or …

Process hooking Malware must run! All malware must be loaded into memory to function as either a process in its own right or it must form part of another process …

$MFT The $MFT is a relational database which maintains a record of all files (including directories) saved to the file system. Each file will have at least one (sometimes more …

Memory Examination – Static Before we can examine a static copy of the computers memory, we must first make that copy! In order to do this an appropriate program must …

NTFS Files The NT File System is made up of a number of file system metadata files which collectively allow the file system to function. All files including directories are …

Executable files An executable file is a file that contains encoded instructions that can be executed by an operating system. Executable files can be platform specific (only executes in a …

Welcome to the Introduction to Malware Investigations course! This course was designed to give those who have an interest in malware investigations and the methods used to find evidence of …

File location Malware wants to hide on your computer and there are essentially two locations namely; user areas or system areas. The first location is simply hiding somewhere in your …

NT File System (NTFS) Overview NTFS is the primary file system used by Windows computers. The file system consists of file system metadata files which collectively enable the file system …

Other Triggers There can be many other events that can trigger the execution of malware some examples include: • Specified date(s) and time(s) • Boot number • Mouse overs • …