
Infected files

Infected files This is self-explanatory, a file that contains malicious code! Complex malware will more likely than not hide in plain sight. It will typically hide as an …

System processes/services

System processes/services Running processes or services can also execute programs or load files as part of their function. This can therefore load files containing malicious code. Complex malware …

Task scheduler

Task scheduler The Windows Task Scheduler will start a program when a given event is triggered. That event can be based on a date and time, when the computer boots …

Startup folders

Startup folders Every user account on a computer has Startup folders. The user account will start any program, or link to a program, contained within those folders when that …

Start-up scripts & related

Start-up scripts & related Scripts simply contain instructions to do something. There are different types of scripts, for example Batch scripts, Python scripts and PowerShell scripts. Each script may need …

Windows registry

Windows registry The Windows registry is essentially a database that contains the computer hardware, software and user settings. It may also contain supporting information depending on the installed product. The …

Persistence mechanisms

Persistence Malware can be persistent or non-persistent. Malware persistence simply refers to the ability to survive a program closing down (such as a browser for example) or a computer being …

Other infection vectors

Other infection vectors Other vectors for infecting a computer with malware can include: • Man-in-the-middle (MitM) attack • Malvertising/Scareware • Downloading from unverifiable sources • File sharing (Peer to Peer …

Memory Examination – Live

Memory Examination – Live Information about running processes can be obtained using Windows built-in tools or third party tools. Examples of built in tools include Task Manager a GUI based …

Phishing

Phishing This is the most prevalent method used in today’s interconnected world. There are several different types of phishing techniques used today but the most popular are simple emails containing …

Infection Vector

Infection Vector An infection vector refers to the origin of the malware. Did the malware arrive via an Internet connection or did it infect your computer following access of a …

File association

File association File association is the method by which a file icon is associated to a file extension. This includes what program is to be used to open that particular …

Other Program Execution Artefacts

Other program execution artefacts of interest There are several locations on a computer with Windows 10 installed that contain artefacts indicating a previous process execution. An example of one …

Computer Memory Basics

Computer Memory Basics Computer memory, commonly referred to as RAM, stores all the information relating to the functionality of the computer. It is a temporary storage area which holds …