Malware Analysis & OS-Level Forensics
From Detection to Post-Compromise Investigation
Master malware behavior analysis through static and dynamic investigation techniques. Learn to extract indicators of compromise from Windows artifacts. Understand forensic investigation workflows that reveal attacker tactics, techniques, and procedures (TTPs). Develop incident response protocols for containment, evidence preservation, and comprehensive reporting. Become expert-level forensic investigator combining all three modules' knowledge.
Malware Behavior Analysis Concepts
Static Investigation vs Dynamic Execution Monitoring
🔎 Malware Investigation Workflow
Initial Indicators and Triage
Investigation begins with initial indicator: detected file, network alert, user report, or anomalous process. Security team triages indicator: determine severity, assess affected systems, collect preliminary evidence. Triage determines investigation priority. High-priority cases (potential ransomware, data exfiltration) receive immediate response. Lower-priority cases (potential PUP, adware) scheduled for investigation.
Evidence Collection Phase
Rapid evidence collection occurs during the window before the attacker becomes aware of detection. Collect in order of volatility: memory dump first (lost on power-off), then volatile state (running processes, network connections, logged-on users), then event logs, then the disk image. Collect network logs (firewall, proxy, DNS) showing connections from the compromised system and endpoint telemetry from EDR/antivirus. Preserve evidence following chain-of-custody procedures; admissibility depends on proper collection. Time is critical: attackers watch for signs of detection and may trigger destruction routines (wiper malware, log clearing).
Analysis and IOC Extraction
Analysis of collected evidence identifies attacker actions. Process tree analysis reveals command sequences. Registry analysis identifies persistence mechanisms. Network analysis reveals the command-and-control server. File analysis identifies dropped malware. String extraction identifies embedded URLs, IP addresses, domain names and registry paths. From this analysis, IOCs are extracted: file hashes, registry paths, domains, IP addresses. IOCs enable deployment of detection rules that prevent compromise of additional systems. File hashes are the most brittle IOCs (a recompiled sample changes them); C2 domains, persistence paths and command-line patterns survive longer and should be the first rules deployed.
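As an added example (not part of the course material), the string-and-IOC extraction step in Python: it pulls ASCII and UTF-16LE strings from a constructed stand-in for a dropped binary, regexes out URLs, IPv4 addresses, domains and registry paths, drops hosts on an assumed benign allowlist (certificate and update infrastructure that every signed Windows binary references), and defangs the result for the report. The TLD list, the allowlist and the sample bytes are assumptions made for the example.

```python
"""IOC extraction from a malware sample: pull ASCII and UTF-16LE strings, then
regex out URLs, IPv4 addresses, domains and registry paths, dropping known-benign
hosts. Example code added for this page; stdlib only, runs on a constructed blob."""
import re
from collections import defaultdict
from urllib.parse import urlparse

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")                  # printable ASCII runs
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")          # printable UTF-16LE runs
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Assumed TLD list; widen it for real casework (a public-suffix lookup is better).
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:com|net|org|info|biz|io|ru|cn|xyz|top)\b", re.I)
REG_RE = re.compile(r"(?:HKLM|HKCU|HKCR|HKU|HKEY_[A-Z_]+)\\[^\s\"']+", re.I)
# Assumed allowlist: hosts every signed Windows binary references (CRL/OCSP, updates).
BENIGN_SUFFIXES = ("microsoft.com", "windows.com", "verisign.com", "digicert.com")


def extract_strings(blob: bytes) -> list[str]:
    """Return every printable ASCII and UTF-16LE string of 6+ characters."""
    ascii_s = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    wide_s = [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(blob)]
    return ascii_s + wide_s


def is_benign(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)


def extract_iocs(blob: bytes) -> dict[str, list[str]]:
    """Group candidate IOCs by type; benign infrastructure is filtered out."""
    iocs = defaultdict(set)
    for s in extract_strings(blob):
        for url in URL_RE.findall(s):
            host = urlparse(url).hostname or ""
            if not is_benign(host):
                iocs["urls"].add(url)
        for ip in IPV4_RE.findall(s):
            iocs["ips"].add(ip)
        for dom in DOMAIN_RE.findall(s):
            if not is_benign(dom):
                iocs["domains"].add(dom.lower())
        for key in REG_RE.findall(s):
            iocs["registry"].add(key)
    return {k: sorted(v) for k, v in iocs.items()}


def defang(ioc: str) -> str:
    """Make an indicator safe to paste into a report or ticket."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


# Constructed stand-in for a dropped binary: PE-ish header bytes, junk, and embedded strings.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"http://update.example-cdn.ru/gate.php\x00"
    + b"\xde\xad\xbe\xef" * 4
    + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"185.10.20.30\x00"
    + b"http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl\x00"
    + "cmd.exe /c powershell -w hidden -enc".encode("utf-16-le")
)

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_BLOB).items():
        print(kind, [defang(v) if kind != "registry" else v for v in values])
```

The UTF-16LE pass matters on Windows samples: most Win32 API strings, registry paths and command lines are wide strings and a plain `strings` run misses them. The allowlist is a triage aid only; anything it drops should still be visible in the raw string dump attached to the case.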
Windows Event Logging & Audit Trails
Building Forensic Timeline from System Events
📋 Event Log Architecture
Event Log Categories
Windows maintains multiple event logs: System (driver/service events), Security (authentication/access control), Application (program events), plus the Applications and Services logs (PowerShell, Sysmon, TaskScheduler, and many others). Each event carries an event ID, timestamp, source, and descriptive data. The Security log holds the critical forensic information: logon events (who logged in, from where), process creation (what programs ran), object access (which files and registry keys were touched), policy changes (security modifications). Process creation and object access are not audited by default: they require the Audit Process Creation and Audit Object Access / Audit Registry policies, and object access additionally needs a SACL on each audited file or key. Reading the Security log requires administrator rights or membership in the Event Log Readers group.
Event Log Limitations and Gaps
Event logs store limited history: the default maximum size is 20 MB per log, and the oldest events are overwritten when the limit is reached. A busy server or domain controller can cycle its Security log in hours, so attacker activity spread over days loses its early records. If auditing is disabled on the compromised system, no trail is created at all. Some malware and many attackers clear event logs; clearing the Security log itself produces Event ID 1102 (clearing other logs produces Event ID 104), and that entry is often the only remaining trace. Attack chains are often reconstructed from partial logs, network logs, and other forensic artifacts. Central log retention (Windows Event Forwarding or a SIEM) is critical for comprehensive forensic investigation: logs forwarded off the host survive local clearing.
Forensic Significance
Event logs provide timeline of system activity. Process creation logs identify executed programs. Logon logs identify user who interacted with system. Access control logs identify file/registry access attempts. Authentication logs reveal lateral movement attempts. Timeline construction from event logs combined with other artifacts creates comprehensive compromise timeline. Investigators establish: when breach occurred, who performed suspicious actions, what systems accessed, which data touched.
🎯 Critical Security Events for Investigation
Authentication Events (Event IDs 4624, 4625)
Event 4624 (Successful Logon): records a user logon, including who logged in, from which system (Workstation Name, Source Network Address), and via which logon type (2 interactive, 3 network, 4 batch, 5 service, 10 RemoteInteractive/RDP). Lateral movement shows up as type 3 or type 10 logons from unexpected source systems, often with a privileged account. Event 4625 (Failed Logon): records failed attempts with a status code (0xC000006A wrong password, 0xC0000064 user does not exist, 0xC0000234 account locked out). Many failures against one account indicate brute force; a few failures each against many accounts from one source indicate password spraying; failures for accounts that do not exist show the attacker guessing names. Attempts to compromise additional accounts or systems show up as failed logon storms, and the 4624 that follows a storm from the same source is the credential that worked.
Process Creation Events (Event ID 4688)
Event 4688 records process creation: parent process, new process, user context, and the command line, but the command line is logged only when the policy "Include command line in process creation events" is enabled, and Audit Process Creation itself is off by default. Sysmon Event ID 1 supplies the same data plus file hashes and the parent's command line. 4688 enables reconstruction of the command execution sequence: a Word document spawning cmd.exe, cmd.exe spawning PowerShell, PowerShell executing attacker commands. Judge parent-child relationships against the baseline: explorer.exe spawning cmd.exe is a user opening a command prompt, but winword.exe, outlook.exe or a browser spawning cmd.exe, powershell.exe, wscript.exe or mshta.exe is a strong compromise signal. Command-line arguments reveal attacker intent: encoded or hidden PowerShell, data staging and exfiltration commands, lateral movement (psexec, wmic, winrm), persistence installation (schtasks, sc, reg add).
Registry and Object Access Events
Registry events (4657: value modified; 4663: object access) show modifications to and access of audited keys, but only keys carrying a SACL are audited, so set SACLs on the keys that matter: Run/RunOnce, Services, Winlogon, Image File Execution Options. Malware often reads the registry to check for antivirus or Windows Defender status; reads are rarely audited, so look for those checks in the sample's strings and API calls instead. Modifications to Run keys or the services tree indicate persistence installation. Object access events (4663 on files) show which files were opened, read, written or deleted; data exfiltration leaves traces of file access for sensitive documents, again only where SACLs exist. Clearing the Security log generates Event ID 1102, recording the account that cleared it; in the timeline the 1102 marks the point where the attacker tried to hide.
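The three event families above as detection logic, added here as an example rather than taken from the course: constructed records mimic the EventData fields of 4625, 4624, 4688 and 1102, and the functions find a failed-logon storm with a sliding window, a network logon from the same source right after it, an Office-to-shell process chain plus encoded PowerShell, and the log clear. The thresholds, the Office/LOLBin lists and the sanctioned jump host are assumed baselines for the example.

```python
"""Triage of Windows Security events 4624/4625/4688/1102 over already-parsed records.
Example code added for this page, not from the course; records are constructed
dicts shaped like the EventData fields of the real events."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed environment baseline: tune for your estate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SANCTIONED_REMOTE_SOURCES = {"10.0.0.10"}   # jump host allowed to make network/RDP logons
PS_SUSPICIOUS = re.compile(r"-(enc|e|ec)\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b", re.I)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def failed_logon_storms(events, threshold=5, window=timedelta(seconds=60)):
    """{source_ip: peak count} for sources producing >= threshold 4625s inside any window."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_src[e["IpAddress"]].append(_ts(e["Time"]))
    storms = {}
    for src, times in by_src.items():
        q = deque()
        for t in sorted(times):
            q.append(t)
            while t - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                storms[src] = max(storms.get(src, 0), len(q))
    return storms


def unexpected_remote_logons(events, allowed=SANCTIONED_REMOTE_SOURCES):
    """4624 with LogonType 3 (network) or 10 (RDP) from a non-sanctioned source.
    Type 3 is noisy (file shares, printers); in practice scope it to admin accounts or servers."""
    return [(e["Time"], e["TargetUserName"], e["IpAddress"], e["LogonType"])
            for e in events
            if e["EventID"] == 4624 and e["LogonType"] in (3, 10)
            and e["IpAddress"] not in allowed and e["IpAddress"] not in ("-", "127.0.0.1", "::1")]


def suspicious_process_creations(events):
    """Flag 4688 records with an Office parent spawning a shell/LOLBin, or PowerShell
    launched encoded/hidden/downloading. CommandLine is empty unless the policy
    'Include command line in process creation events' is enabled."""
    findings = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        parent, child = _base(e["ParentProcessName"]), _base(e["NewProcessName"])
        cmd = e.get("CommandLine", "")
        if parent in OFFICE_PARENTS and child in SHELLS_AND_LOLBINS:
            findings.append((e["Time"], f"{parent} -> {child}", "office app spawned shell/LOLBin"))
        if child in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(cmd):
            findings.append((e["Time"], cmd, "encoded/hidden/download PowerShell"))
    return findings


def log_cleared(events):
    """1102 = Security log cleared; SubjectUserName is the account that did it."""
    return [(e["Time"], e.get("SubjectUserName", "?")) for e in events if e["EventID"] == 1102]


# Constructed records: a password-guessing burst at 02:10, a network logon from the same
# source a minute later, a Word macro chain, a benign user cmd prompt, then a log wipe.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Time": f"2024-03-01 02:10:{i * 10:02d}", "IpAddress": "10.0.5.23",
     "TargetUserName": "administrator"} for i in range(6)
] + [
    {"EventID": 4625, "Time": "2024-03-01 09:00:00", "IpAddress": "10.0.7.4", "TargetUserName": "jdoe"},
    {"EventID": 4624, "Time": "2024-03-01 02:11:05", "IpAddress": "10.0.5.23",
     "TargetUserName": "administrator", "LogonType": 3},
    {"EventID": 4624, "Time": "2024-03-01 08:30:00", "IpAddress": "10.0.0.10",
     "TargetUserName": "svc-backup", "LogonType": 3},
    {"EventID": 4688, "Time": "2024-03-01 02:12:10",
     "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -w hidden -enc SQBFAFgA"},
    {"EventID": 4688, "Time": "2024-03-01 02:12:11",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden -enc SQBFAFgA"},
    {"EventID": 4688, "Time": "2024-03-01 08:31:00", "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\""},
    {"EventID": 1102, "Time": "2024-03-01 02:40:00", "SubjectUserName": "administrator"},
]

if __name__ == "__main__":
    print("failed-logon storms:", failed_logon_storms(SAMPLE_EVENTS))
    print("unexpected remote logons:", unexpected_remote_logons(SAMPLE_EVENTS))
    print("suspicious 4688:", suspicious_process_creations(SAMPLE_EVENTS))
    print("log cleared:", log_cleared(SAMPLE_EVENTS))
```

Read the four outputs as one timeline: six failures then a success from 10.0.5.23 at 02:11, a macro chain at 02:12, and the log cleared at 02:40 by the same account. The explorer.exe to cmd.exe event at 08:31 is correctly left alone; a rule that flags that pair would page on every administrator's morning.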
OS-Level Forensic Artifacts
Evidence Extraction from Windows Systems
📍 Prefetch Files Analysis
What Are Prefetch Files?
Windows maintains a prefetch folder (C:\Windows\Prefetch) containing records of program execution. When a program runs, Windows records execution metadata into a prefetch file (.pf extension); its original purpose is faster subsequent launches by pre-loading the files and directories the program touched during its first seconds. Forensically valuable: prefetch files record program execution HISTORY. Files are named after the program plus a hash of the executable's path: notepad.exe generates NOTEPAD.EXE-XXXXXXXX.pf. Two prefetch files with the same program name but different hashes mean the same filename ran from two different paths, for example the real svchost.exe in System32 and a copy dropped in %TEMP%. Each file holds the run count and the last run time (Windows 8 and later keep the last eight run times); the file's last-write time also approximates the last execution, since the file is updated about ten seconds after launch. Prefetching is enabled on client editions of Windows and disabled by default on Windows Server.
Forensic Reconstruction
Prefetch files enable a precise timeline: when a program executed, how many times, and the last execution time. An investigator finds a suspicious binary, searches the prefetch folder, and discovers the program executed 47 times, most recently two days ago, during business hours (suggesting user action) or at 2am (suggesting automated execution). Prefetch timestamps bound the attacker's activity window. A PowerShell prefetch file with a high execution count may indicate a script-based attack, and the file list stored inside the .pf (everything touched during the first ten seconds) can name the script or module that was loaded. Absence of a prefetch file for a malware binary does not prove it never ran: prefetching may be disabled (Windows Server), the attacker may have deleted the .pf files, or the entry may have been aged out by the file cap. Execution from a USB drive still produces a prefetch file, with the volume recorded inside it.
Limitations and Evasion
Prefetch holds at most 128 files on Windows XP and 7 and 1024 on Windows 8 and later; older entries are removed when the cap is reached. An attacker with administrative access can disable the prefetcher (the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters) or delete the .pf files outright; a nearly empty prefetch folder on a long-running client is itself a finding. Windows 10 and later store .pf files Xpress-Huffman compressed (they begin with the bytes "MAM"), so use a parser that decompresses them. Despite these limitations, prefetch provides valuable historical evidence. Corroborate it with the other execution artifacts (Amcache, ShimCache, UserAssist, BAM, Event ID 4688) and with event logs and the registry to build a complete timeline. Modern investigations assume prefetch may be incomplete and seek corroborating evidence.
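An added example (not code from the course) of reading the fields the text relies on, executable name, path hash, run count and run time(s), straight out of an uncompressed prefetch header. The offsets for versions 17 (XP), 23 (Windows 7) and 26 (Windows 8.x) are the documented layouts; version 30 (Windows 10/11) is assumed here to share the v26 offsets, which holds for most builds but not all (some later Windows 10 builds shift the run count by 4 bytes), so confirm with a maintained parser such as PECmd or libscca on real files. The sample file is constructed in the Windows 7 layout; compressed "MAM" files are detected and rejected rather than misparsed.

```python
"""Parse the uncompressed Windows prefetch (.pf) header: executable name, path hash,
run count and last run time(s). Example code added for this page; v17/v23/v26 offsets
are the documented layouts, v30 is assumed to match v26 (verify with PECmd/libscca)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# version -> (file offset of last-run FILETIME(s), how many FILETIMEs, file offset of run count)
LAYOUT = {17: (0x78, 1, 0x90), 23: (0x80, 1, 0x98), 26: (0x80, 8, 0xD0), 30: (0x80, 8, 0xD0)}


def filetime_to_dt(ft: int):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None if zero."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None


def is_compressed(data: bytes) -> bool:
    """Windows 10+ writes .pf files Xpress-Huffman compressed with an 'MAM' header."""
    return data[:3] == b"MAM"


def parse_prefetch(data: bytes) -> dict:
    if is_compressed(data):
        raise ValueError("compressed (MAM) prefetch: decompress first, e.g. with PECmd or libscca")
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    file_size = struct.unpack_from("<I", data, 12)[0]
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16 field
    path_hash = struct.unpack_from("<I", data, 76)[0]                 # same hash as in the file name
    rt_off, n_times, rc_off = LAYOUT[version]
    run_times = [filetime_to_dt(struct.unpack_from("<Q", data, rt_off + 8 * i)[0])
                 for i in range(n_times)]
    return {
        "version": version,
        "executable": exe_name,
        "path_hash": f"{path_hash:08X}",          # e.g. EVIL.EXE-1A2B3C4D.pf
        "file_size": file_size,
        "run_count": struct.unpack_from("<I", data, rc_off)[0],
        "run_times": [t for t in run_times if t],
    }


def off_hours_runs(parsed: dict, start_hour=8, end_hour=18):
    """Run timestamps outside business hours; a 02:00 execution rarely comes from a user at the keyboard."""
    return [t for t in parsed["run_times"] if not start_hour <= t.hour < end_hour]


def build_sample_v23(exe="EVIL.EXE", path_hash=0x1A2B3C4D, run_count=47,
                     last_run=datetime(2024, 3, 1, 2, 14, 33, tzinfo=timezone.utc)) -> bytes:
    """Constructed Windows 7 (version 23) prefetch image: 84-byte header plus 156-byte file-information block."""
    buf = bytearray(84 + 156)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 12, len(buf))
    name = exe.encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, path_hash)
    ft = ((last_run - EPOCH_1601) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", buf, 0x80, ft)
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch(build_sample_v23())
    print(info)
    print("off-hours runs:", off_hours_runs(info))
```

The path hash parsed from offset 76 should equal the hex suffix of the file name; a mismatch means the file was renamed or planted. Timestamps inside the file are UTC FILETIMEs, so normalise the host's time zone before comparing against event log entries displayed in local time.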
🗂️ Registry Forensic Investigation
Registry as Evidence Artifact
The registry maintains extensive forensic artifacts: program execution history (UserAssist, BAM), USB device connections (USBSTOR), recent documents (RecentDocs, OpenSaveMRU), installed software, network profiles, user activity. System hives (SYSTEM, SOFTWARE, SAM, SECURITY) are stored in C:\Windows\System32\config; each user's NTUSER.DAT sits in the profile root and UsrClass.dat under AppData\Local\Microsoft\Windows. The transaction logs next to each hive (.LOG1, .LOG2) may hold changes not yet written to the hive itself, so acquire them too. Registry keys carry a single LastWrite timestamp (values carry none), which tells you when anything under that key last changed, not which value changed or when the key was created. A Run key's LastWrite time often precedes observable malware activity: that is the moment the persistence mechanism was installed. The MFT (Master File Table) records file timestamps independently ($STANDARD_INFORMATION and $FILE_NAME), so the creation time of a dropped binary can be compared against the LastWrite time of the key that points at it.
UserAssist Keys and Execution History
The UserAssist key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist) records programs launched through Explorer: double-clicked executables, Start-menu entries and shortcuts. On Windows 7 and later it holds two subkeys, {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} for executables and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} for .lnk files, each with a Count subkey whose value names are program paths in ROT13 (simple obfuscation, not encryption). Each value's data stores the run count, focus count, focus time and last execution time. UserAssist does not record command-line arguments, and it does not see programs started from a command prompt, a scheduled task, a service or another process, so a PowerShell entry here means it was launched from the GUI. Forensically valuable: reveals which programs the user executed, how often, and when. Execution of suspicious programs with high frequency indicates attacker activity: an unusual program executed hundreds of times is a significant anomaly, as is a lure-named binary (invoice.exe) run once from Downloads shortly before the first malicious event.
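An added example, not from the course, that decodes UserAssist the way the paragraph describes: ROT13 value names and the documented 72-byte Windows 7+ value layout (run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-run FILETIME at 60). The input is a constructed mapping of the two GUID subkeys to their Count values, standing in for what a hive parser would return; the anomaly thresholds and the sample entries are assumptions.

```python
"""Decode UserAssist entries (ROT13 value names + 72-byte Win7+ value data) into
execution records and flag anomalies. Example code added for this page; input is a
constructed {guid_subkey: {rot13_name: raw_bytes}} mapping."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
GUID_EXE = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"   # executable launches
GUID_LNK = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"   # shortcut (.lnk) launches
CATEGORY = {GUID_EXE: "exe", GUID_LNK: "lnk"}
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe")


def rot13(name: str) -> str:
    """Value names are ROT13-obfuscated (not encrypted); ROT13 is its own inverse."""
    return codecs.decode(name, "rot_13")


def parse_value(rot13_name: str, data: bytes) -> dict:
    """Win7+ layout: run count @4, focus count @8, focus time ms @12, last run FILETIME @60."""
    if len(data) < 68:
        raise ValueError("truncated UserAssist value")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "name": rot13(rot13_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None,
    }


def parse_userassist(hive: dict) -> list:
    """All records across both GUID subkeys, sorted by run count, highest first."""
    recs = []
    for guid, values in hive.items():
        for name, data in values.items():
            r = parse_value(name, data)
            r["category"] = CATEGORY.get(guid, guid)
            recs.append(r)
    return sorted(recs, key=lambda r: r["run_count"], reverse=True)


def flag_anomalies(records, min_runs=50, start_hour=8, end_hour=18):
    """Script hosts run unusually often, or anything last run outside business hours (assumed thresholds)."""
    out = []
    for r in records:
        exe = r["name"].rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS and r["run_count"] >= min_runs:
            out.append((r["name"], f"script host run {r['run_count']} times"))
        if r["last_run"] and not start_hour <= r["last_run"].hour < end_hour:
            out.append((r["name"], f"last run off-hours at {r['last_run']:%H:%M}"))
    return out


def build_value(run_count, focus_count, focus_ms, last_run) -> bytes:
    """Constructed 72-byte value in the Win7+ layout (used only to build the sample)."""
    buf = bytearray(72)
    struct.pack_into("<III", buf, 4, run_count, focus_count, focus_ms)
    ft = ((last_run - EPOCH_1601) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", buf, 60, ft)
    return bytes(buf)


# Constructed hive content, keyed exactly as stored: <GUID>\Count\<ROT13 name>.
# {1AC14E77-...} is the known-folder GUID Explorer substitutes for C:\Windows\System32.
SAMPLE_HIVE = {
    GUID_EXE: {
        rot13(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe"):
            build_value(212, 40, 900_000, datetime(2024, 3, 1, 2, 14, 33, tzinfo=timezone.utc)),
        rot13(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe"):
            build_value(18, 18, 3_600_000, datetime(2024, 2, 28, 14, 5, 0, tzinfo=timezone.utc)),
    },
    GUID_LNK: {
        rot13(r"C:\Users\jdoe\Desktop\invoice_q1.lnk"):
            build_value(1, 1, 2_000, datetime(2024, 3, 1, 1, 58, 12, tzinfo=timezone.utc)),
    },
}

if __name__ == "__main__":
    recs = parse_userassist(SAMPLE_HIVE)
    for r in recs:
        print(r["category"], r["run_count"], r["last_run"], r["name"])
    print(flag_anomalies(recs))
```

The two flags on the PowerShell entry (212 GUI launches, last one at 02:14) and the single off-hours launch of the shortcut sixteen minutes earlier are the kind of pairing that turns a UserAssist dump into a lead: the shortcut is the likely lure, and prefetch or 4688 for the same window will show what it started.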
Network Connection History
The registry also records network context. NetworkList (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles and \Signatures) lists every wired or wireless network the host has joined, with first- and last-connected times and the gateway MAC address. Tcpip\Parameters\Interfaces in the SYSTEM hive holds each adapter's configured or DHCP-assigned DNS servers and lease times; HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings holds the proxy configuration. If an attacker pointed the DNS servers or proxy at their own infrastructure, every lookup or web request from the host could be redirected to a phishing site or C2. The NetBIOS name cache and active connections live only in memory (nbtstat -c, netstat), so capture them live before isolation. Traffic volume, direction and timing come from network logs (firewall, proxy, NetFlow, DNS), not the registry; combining those with event logs and registry artifacts reveals which systems were contacted, at what times, and whether sustained bidirectional transfer (exfiltration) or a single DNS query (beacon or reconnaissance) occurred.
💾 Memory Snapshot Analysis
Memory Forensics Overview
A memory snapshot (dump) captures RAM content at the moment of capture: running processes, network connections, credentials cached by LSASS, encryption keys, command history and unpacked malware code (packed malware decrypts itself in memory to avoid on-disk detection). Memory is lost once power is removed, so live response captures it before any shutdown or reboot; hiberfil.sys and pagefile.sys on disk hold earlier memory contents and are worth acquiring as well. A memory dump enables analysis of what processes were running, what threads were executing, what network connections existed, and what strings and code were present in memory.
Memory Artifacts and Indicators
Memory analysis reveals: process list (what was running), process memory regions (injected code detection), network connections (what was connecting outbound), API hooks (malware modifying function behavior), kernel modules (rootkits in kernel), driver verification (unsigned drivers indicating rootkit installation). Memory forensics often reveals injected code not visible on disk—attacker removes disk copy after injection but process memory still contains injected code. Memory analysis combined with disk forensics provides complete compromise picture.
Memory Analysis Challenges
Memory analysis requires specialized tools (Volatility, MemProcFS) and an acquisition tool that loads a signed kernel driver (WinPmem, DumpIt). Memory is large: a 64 GB system creates a 64 GB dump file. Analysis is time-intensive and requires expertise. Virtualization-based security features such as Credential Guard keep secrets outside the normal kernel address space, so some artifacts are no longer recoverable from a plain dump. Despite these challenges, memory forensics is critical for a complete investigation: it reveals running processes and injected code impossible to detect on disk. Modern investigations combine disk, memory, event logs and network logs for a comprehensive understanding.
Incident Response Workflow
Containment, Investigation, Recovery, Reporting
🚨 Incident Response Phase Overview
Comprehensive incident response follows structured phases: Preparation (tools, training, procedures), Identification (detect breach), Containment (stop spread), Investigation (understand scope/impact), Recovery (restore normal operations), Post-Incident (lessons learned, prevention). This framework ensures comprehensive, systematic response. Skipping phases or rushing leaves organization vulnerable to re-compromise or incomplete recovery.
⛔ Containment Mindset and Strategy
Short-Term vs Long-Term Containment
Short-term containment: immediate actions halting the active attack. Isolate the compromised system from the network, preferably with EDR network isolation (keeps the investigator's channel open) rather than pulling the cable, and never by powering it off (memory is lost). Capture memory before terminating malware processes, since killing them destroys the unpacked code and connection state you want to analyze. Disable compromised user accounts. Block attacker IP addresses and domains at the firewall and proxy. Goals: stop data exfiltration, prevent lateral movement, buy time for investigation. Short-term containment is often crude but necessary to protect the remaining systems.
Long-term containment: systematic remediation removing attacker access. Identify all persistence mechanisms (registry Run keys, services, scheduled tasks, WMI event subscriptions, DLL hijacks, etc.) and remove them. Close the attack vector (patch the vulnerability, revoke credentials). Reset passwords for every account the attacker could have reached, service accounts included. Search the entire network for the same IOCs. Rebuild compromised systems from a clean image rather than trusting a cleaned one. Long-term containment ensures the attacker cannot immediately re-compromise the system once short-term containment is lifted.
Evidence Preservation During Containment
Containment actions must NOT destroy evidence. Investigators need access to compromised systems to understand the attack. Before disconnecting or rebooting a system: capture a memory dump (evidence of running processes), collect event logs, preserve the malware binary, and record the system clock and time zone so timestamps can be normalized. During containment, document every action taken: what was isolated, when, by whom. This documentation is critical for chain of custody and regulatory compliance. Preserve evidence first, take containment actions second; never delete or modify forensic artifacts during response.
Stakeholder Communication During Containment
Incident response team communicates with: affected users (their system affected), leadership (breach scope/impact), legal/compliance (reporting obligations), customers (potential data exposure notification). Clear communication prevents panic and enables coordinated response. However, communication must not reveal investigation details to attacker who may be monitoring communications. Operational teams restore services while security teams investigate—coordination prevents mutual interference.
📋 Evidence Preservation and Chain of Custody
Chain of Custody Principles
The evidence chain of custody documents who collected evidence, when, where, how, and under what conditions. Every person handling evidence signs the chain-of-custody form. Digital evidence is copied with forensic tools (bitwise copy with checksums) and the original preserved. Chain of custody enables evidence admissibility in legal proceedings; without it, evidence may be excluded as potentially tampered with. For internal investigations, chain of custody demonstrates rigor and integrity.
Forensic Copying and Hashing
Digital evidence is copied with forensic tools (dd, FTK Imager, EnCase) that verify data integrity. The tool hashes the original and the copy; matching hashes prove a faithful copy with no modification. Record SHA-256: MD5 is no longer collision-resistant, though it is still recorded alongside for compatibility with older tooling and reports. All analysis is performed on a copy; the original is preserved. Multiple copies are made for different analysis requirements (malware analysis, timeline reconstruction, etc.). Hashes are re-verified after every copy transfer and before analysis begins, so any alteration along the way is detected.
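The copy-and-verify procedure above, as an added example rather than the course's own tooling: a chunked copy that hashes the source stream as it is read, re-hashes the written copy from disk, writes a JSON chain-of-custody manifest, and re-verifies later. The demo runs on a constructed 3 MiB "image" in a temporary directory and shows that a single flipped byte in the copy fails verification. The manifest fields are an assumed minimal schema; real imaging tools (dd, FTK Imager) record more.

```python
"""Forensic copy with integrity verification: chunked copy, hashing the source stream as it
is read and the destination after writing, a JSON chain-of-custody manifest, and a later
re-verification that catches a single flipped byte. Example code added for this page;
the manifest fields are an assumed minimal schema."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20
ALGOS = ("md5", "sha256")   # MD5 only for compatibility with older tooling; SHA-256 is the one that counts


def hash_file(path: Path, algos=ALGOS) -> dict:
    """Hash a file in chunks (images are far larger than RAM)."""
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def acquire(source: Path, dest: Path, manifest: Path, examiner: str, case_id: str) -> dict:
    """Copy source -> dest; hash the source bytes as read, then re-hash dest from disk and compare."""
    src_h = {a: hashlib.new(a) for a in ALGOS}
    with open(source, "rb") as fin, open(dest, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            for h in src_h.values():
                h.update(chunk)
            fout.write(chunk)
        fout.flush()
        os.fsync(fout.fileno())            # make sure the bytes we hash next are the ones on disk
    source_hashes = {a: h.hexdigest() for a, h in src_h.items()}
    copy_hashes = hash_file(dest)
    record = {
        "case_id": case_id, "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": str(source), "copy": str(dest), "size": dest.stat().st_size,
        "source_hashes": source_hashes, "copy_hashes": copy_hashes,
        "verified": source_hashes == copy_hashes,
    }
    manifest.write_text(json.dumps(record, indent=2))
    return record


def verify(copy: Path, manifest: Path) -> bool:
    """Re-hash the copy (before analysis, after every transfer) against the manifest."""
    record = json.loads(manifest.read_text())
    return hash_file(copy)["sha256"] == record["source_hashes"]["sha256"]


def demo() -> tuple:
    """Constructed 3 MiB 'image'; returns (verified at acquisition and before tamper, verified after tamper)."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        src, dst, man = d / "disk.raw", d / "disk_copy.raw", d / "disk.manifest.json"
        src.write_bytes(os.urandom(3 * CHUNK + 17))          # odd size: exercises the final short chunk
        ok_acq = acquire(src, dst, man, examiner="A. Analyst", case_id="IR-2024-0001")["verified"]
        ok_before = verify(dst, man)
        with open(dst, "r+b") as f:                          # flip one bit in the middle of the copy
            f.seek(CHUNK + 5)
            b = f.read(1)
            f.seek(CHUNK + 5)
            f.write(bytes([b[0] ^ 0x01]))
        ok_after = verify(dst, man)
        return ok_acq and ok_before, ok_after


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Hashing the source as it streams through, rather than reading it a second time, matters when the source is a failing drive or a live system: the manifest then describes exactly the bytes that were written. The manifest itself should be signed or stored separately from the copy, since a tampered copy with a matching tampered manifest would pass.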
Evidence Storage and Access Control
Evidence is stored in a secure location with access control, and investigators log every access. Original drives are imaged through a hardware write blocker and then kept in tamper-evident evidence bags, sealed and labelled. For sensitive cases involving potential legal action, evidence is kept in the secure chain until the legal matter concludes. Evidence retention policies specify how long evidence is retained, typically until the legal matter is resolved or a statutory requirement is met.
📑 Incident Reporting and Documentation
Report Structure and Components
Professional incident response report includes: Executive Summary (incident overview, impact, response actions), Timeline (when events occurred), Technical Details (attack vector, malware behavior, persistence mechanisms), IOC Summary (file hashes, IPs, domains), Recommendations (patch vulnerabilities, implement controls, monitor indicators). Report targets multiple audiences: executive leadership (business impact), technical teams (implementation), security operations (detection rules).
Compliance and Regulatory Reporting
Regulatory requirements mandate incident reporting to authorities. GDPR (EU), CCPA (California), HIPAA (healthcare) specify notification timelines if personal data exposed. Report to law enforcement if criminal activity suspected. Different jurisdictions have different requirements—multinational organizations navigate complex compliance landscape. Internal legal team coordinates regulatory notifications. Incident response team provides technical details; legal/compliance team handles regulatory filing.
Lessons Learned and Prevention Roadmap
Post-incident, organization documents lessons learned: what happened, why defenses failed, what prevented earlier detection, what could improve response. From lessons learned, prevention roadmap created: which vulnerabilities to patch, which procedural changes to implement, which monitoring to enhance. Prevention roadmap prevents repeat of same attack vector. Regular review of previous incidents ensures organization applies lessons learned.
You have mastered Windows internals security from architectural foundations through advanced malware analysis and incident response. You understand process management, memory protection, persistence mechanisms, forensic artifacts, and professional incident response workflows. Your expertise enables threat detection, forensic investigation, and comprehensive incident response at enterprise scale.