Forensic analysis refers to the process of collecting documents and evidence from a system or drive that was involved in cybercrime. For detecting a malware infection on a Windows computer, the process of forensic analysis has four different components. Let’s try to understand the components.
The four components are: obtaining an image of the drive contents (the data to be examined), mounting that image in forensic image-processing software, identifying potential blind spots in the analysis, and then analyzing the malware as a whole.
A write blocker is essentially a device placed between the external (evidence) drive and the computer used to examine it. How does this device aid in IT forensic analysis? It provides read-only access to data storage devices and so protects data integrity. Because access is limited in this way, a write blocker prevents the examiner from accidentally altering the drive contents.
How does the name write blocker come into the picture? The device allows all read commands to pass through but blocks all write commands, so the drive is only ever accessed read-only. This helps ensure that nothing alters the acquired digital evidence. NIST (the National Institute of Standards and Technology) has laid down requirements for write blockers.
These require that a write blocker tool:
- Will not allow any changes on a protected drive
- Will not allow any functions or operations on an unprotected drive
- Will not prevent obtaining information about a drive
There are two different kinds of write blockers available for IT forensic analysis. The first is the hardware write blocker that connects externally to drives and prevents any modifying commands from reaching the drive. The second is the software write blocker, directly installed on a forensic workstation that filters out modification commands.
The next step in IT forensic analysis is image processing or mounting. With the write blocker in place, the drive was accessed read-only and its contents acquired into an image. In this step, that image is mounted in forensic image-processing software.
This processing is an attempt to identify malicious activity on the drive. How does image processing or mounting help? Essentially, it gives the examiner access to browse individual directories, logs, executable files, and the like. The alternative to image mounting would be going through the data on the drive manually.
Doing it manually brings a number of risks with it. Manual browsing is appropriate only when you need a quick overall glance to get a qualitative idea of the data. This is why a professional forensics package for image mounting comes in handy.
Such a package has automated functions that categorize the files resident on the imaged disk into different buckets. While this is the more expensive option, it provides a more holistic view of the image by thoroughly analyzing its contents. So, it is worth the money.
Now that the drive is write-protected and mounted in the processing software, the next logical step is looking for the malware files for forensic analysis. However, since the drive is large and its contents spread across many locations, where do you first check for these suspicious files?
A logical place to start is the common user folders such as Desktop, Downloads, and Documents. The idea is to find any executable files that might be present in any of these folders. The common Libraries are another point of concern on Windows systems, so you need to check these folders as well.
Once you have gone through the individual folders one by one, the next step involves going through the browser directories and history logs to get an idea of the hacker’s activities. Chrome and Outlook are the most common applications that store such malicious files or activity information.
For Google Chrome, navigate to C:\Users\(username)\AppData\Local\Google\Chrome\User Data\Default to view the cache and history. For Microsoft Outlook, it is also a good idea to go through the email contents and information on C:\Users\(username)\AppData\Local\Microsoft\Outlook.
However, hackers are usually quite efficient at removing their trails from these traditional locations. To uncover the malicious activity here, you can opt for a deeper dive into the registry keys on the system. These contain crucial configuration information about Windows operations, so a thorough examination of the registry keys is helpful for IT forensic analysis.
If you succeed in identifying malicious files in the paths mentioned above, the next step involves conducting a thorough analysis of each file. This helps you understand how the malware functions, its impact on other processes and the like, and its purpose.
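As an added example (not code from the original article), the following Python script parses the Chrome History database found under the User Data\Default path given above. It works on a copy opened read-only so the evidence file is never modified, converts Chrome's WebKit-epoch timestamps to UTC, and lists visited URLs and downloads; the sample History file it builds is constructed and uses only the subset of Chrome's real schema that the parser reads.

```python
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(microseconds):
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def read_chrome_history(history_path):
    """Return (visits, downloads) from a Chrome History file. The original is
    never opened for writing: the parser works on a copy, opened read-only."""
    work_copy = os.path.join(tempfile.mkdtemp(), "History")
    shutil.copy2(history_path, work_copy)
    con = sqlite3.connect(f"file:{work_copy}?mode=ro", uri=True)
    try:
        visits = [(webkit_to_datetime(t), url, n) for url, n, t in con.execute(
            "SELECT url, visit_count, last_visit_time FROM urls ORDER BY last_visit_time")]
        downloads = [(webkit_to_datetime(t), path, url, size) for path, url, t, size in
                     con.execute("SELECT d.target_path, c.url, d.start_time, d.received_bytes "
                                 "FROM downloads d JOIN downloads_url_chains c ON c.id = d.id "
                                 "ORDER BY d.start_time")]
    finally:
        con.close()
    return visits, downloads

def build_fixture(path):
    """Constructed sample History file (subset of Chrome's schema) for demonstration."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER, received_bytes INTEGER);
        CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);
        INSERT INTO urls VALUES (1, 'http://example.invalid/login', 3, 13350000000000000);
        INSERT INTO downloads VALUES (1, 'C:\\Users\\alice\\Downloads\\invoice.exe', 13350000060000000, 4096);
        INSERT INTO downloads_url_chains VALUES (1, 0, 'http://example.invalid/invoice.exe');
    """)
    con.commit()
    con.close()

def demo():
    """Build the constructed fixture in a scratch directory and parse it."""
    path = os.path.join(tempfile.mkdtemp(), "History")
    build_fixture(path)
    return read_chrome_history(path)
```

Calling demo() returns one visit to http://example.invalid/login at 2024-01-17 21:20:00 UTC and one download of invoice.exe one minute later; point read_chrome_history() at the History file from the mounted image to run it on real evidence.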
In this context, sandboxing is an important technique used in analyzing the malware file. Understanding the malware's behavior and the vulnerabilities it exploits helps prevent it from spreading to other parts of the system. The following are some of the aspects analyzed using the sandbox technique:
- Understand the behavior of the malware file
- Observe outbound connections from the malware
- Identify processes running in the background
- Identify registry changes
- Analyze the payloads that the malware downloaded on the system
IT forensic analysis runs the malware in a separate, isolated environment. Thereafter, you can document all the behavioral patterns and traits exhibited by the malware to understand its impact on the wider system. What happens at the end of this sandboxing phase?
Ideally, you can also generate a report describing how the malware operates on the system. The computer forensic investigator can highlight suspicious indicators, screenshots of its operations, and other related information. This concludes the forensic analysis process, which ends with a detailed report on the malware detected.
If you are looking to get maximum forensic cybersecurity for your IT environment, it is a good idea to make use of VirtualMetric IT Security Monitoring for complete and secure IT monitoring. This provides real-time monitoring of your IT infrastructure, with enhanced security management. Some of the features of this tool include:
- Server security monitoring
- TCP connections monitoring
- Log analysis
- Security logs
- Firewall logs
- Change tracking
VirtualMetric has the ability to provide fast forensic analysis to prevent forensic security breaches. It offers advanced data visualization so that you can perform forensic analysis conveniently. It combines real-time monitoring with robust features. You can start with a 30-day trial to understand how the software works.