Malware forensics sits at the intersection of digital forensics and incident response. When a system is compromised, forensic investigators need to determine what the malware did, when it arrived, how it persisted, and what data it accessed or exfiltrated.
This analysis produces Indicators of Compromise (IOCs) and tells the story of the breach for legal, insurance, or remediation purposes.
Types of Malware Investigators Encounter
Ransomware: Encrypts files and demands payment. Leaves clear artifacts — the encryption event timestamps, ransom note creation, and network communications with C2 servers.
Remote Access Trojans (RATs): Provide the attacker persistent remote control. Often persist through registry run keys, scheduled tasks, or Windows services.
Keyloggers: Record keystrokes to a local or remote log file. Often found alongside RATs.
Information stealers: Harvest credentials, browser data, and files, then exfiltrate to attacker infrastructure.
Fileless malware: Executes entirely in memory, using legitimate Windows tools (PowerShell, WMI) rather than writing executable files to disk. Leaves minimal disk artifacts, but still leaves traces in RAM and in event logs, which is why memory capture matters.
Rootkits: Modify the OS to hide the malware’s presence. Detected through RAM analysis or offline analysis (booting from a forensic environment).
Cryptominers: Use system resources for cryptocurrency mining. Often detected through performance anomalies and network traffic analysis before a forensic examination begins.

Forensic Analysis Approach
Step 1: Triage without disturbing evidence
Connect forensic tools before shutting down the system. Capture RAM (critical for fileless malware), document network connections, photograph the screen.
Step 2: Disk imaging
Create a forensic image before any remediation. The original state of the system is evidence.
Step 3: Establish the timeline
Use filesystem timestamps, registry last write times, and event log entries to build a chronological picture of what happened. When did the infection begin? What executed first?
Step 4: Identify persistence mechanisms
Malware almost always establishes persistence. Check the common persistence locations: registry run keys, scheduled tasks, and Windows services (Autoruns, listed under tools below, enumerates these comprehensively).
Step 5: Identify malicious files
Hash every executable and compare against VirusTotal and threat intel databases. Check executables in unusual locations (AppData, Temp, ProgramData, root of C:\).
Step 6: Analyze the malware
Static analysis: strings extracted from the binary, import table analysis (which Windows APIs it uses), YARA rule matching.
Dynamic analysis: Execute in a sandbox (ANY.RUN, Cuckoo Sandbox) and observe network connections, file writes, registry modifications, and process creation.
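As an added example (not code from this page or the firm it describes), the timeline step above carried out on constructed records: filesystem timestamps and exported event-log entries (Windows event IDs 4688, 4698 and 7045) are merged into one ordered list and queried for the first execution of an executable from one of the unusual locations named in Step 5. The record formats are assumptions; an MFT parser or event-log export would supply them in practice.

```python
"""Merge filesystem and event-log records into one timeline (constructed data)."""
from dataclasses import dataclass
from datetime import datetime

# Real Windows event IDs; the records built from them below are constructed.
EVENT_LABELS = {4688: "process created", 4698: "scheduled task created", 7045: "service installed"}
# Locations from Step 5 where executables are unusual; root of C:\ is checked separately.
UNUSUAL_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\")

@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "fs" (filesystem timestamps) or "evtx" (Windows event log)
    action: str
    path: str     # file path or process image path

def fs_events(rows):
    """rows: (path, created_iso, modified_iso) tuples, as an MFT parser might emit (assumed format)."""
    out = []
    for path, created, modified in rows:
        out.append(Event(datetime.fromisoformat(created), "fs", "created", path))
        out.append(Event(datetime.fromisoformat(modified), "fs", "modified", path))
    return out

def log_events(rows):
    """rows: (timestamp_iso, event_id, image_path) tuples from an event-log export (assumed format)."""
    return [Event(datetime.fromisoformat(ts), "evtx", EVENT_LABELS.get(eid, f"event {eid}"), path)
            for ts, eid, path in rows]

def build_timeline(fs_rows, log_rows):
    """Chronological merge of both artifact types; equal timestamps keep input order."""
    return sorted(fs_events(fs_rows) + log_events(log_rows), key=lambda e: e.ts)

def in_unusual_location(path):
    p = path.lower()
    return p.endswith(".exe") and (any(d in p for d in UNUSUAL_DIRS) or p.count("\\") == 1)

def first_unusual_execution(timeline):
    """Answers 'what executed first?' for executables outside normal program directories."""
    for e in timeline:
        if e.action == "process created" and in_unusual_location(e.path):
            return e
    return None

# Constructed sample records, not from a real case.
FS_ROWS = [
    (r"C:\Windows\System32\svchost.exe", "2024-03-01T08:00:00", "2024-03-01T08:00:00"),
    (r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "2024-03-04T09:12:10", "2024-03-04T09:12:10"),
    (r"C:\ProgramData\updater.exe", "2024-03-04T09:13:05", "2024-03-04T09:13:05"),
]
LOG_ROWS = [
    ("2024-03-04T09:12:31", 4688, r"C:\Users\bob\AppData\Local\Temp\invoice.exe"),
    ("2024-03-04T09:13:20", 7045, r"C:\ProgramData\updater.exe"),
    ("2024-03-04T09:13:25", 4688, r"C:\ProgramData\updater.exe"),
]

if __name__ == "__main__":
    for e in build_timeline(FS_ROWS, LOG_ROWS):
        print(e.ts.isoformat(), e.source, e.action, e.path)
    print("first suspicious execution:", first_unusual_execution(build_timeline(FS_ROWS, LOG_ROWS)))
```

On the sample data the timeline shows the dropped file in Temp created, then executed, then a second executable written to ProgramData and registered as a service, which is the persistence pattern Step 4 looks for.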
Indicators of Compromise (IOCs)
Malware analysis produces IOCs that can be used to detect the same malware elsewhere in the environment: file hashes, C2 addresses and domains, and registry keys or file paths used for persistence.

Common Malware Analysis Tools
Volatility: RAM analysis to find injected code, hidden processes, and network connections from fileless malware.
YARA: Pattern matching tool for identifying malware families from code or string signatures.
Strings / FLOSS: Extract readable strings from binary files — often reveals C2 addresses, registry keys, or version information.
Wireshark / NetworkMiner: Analyze captured network traffic from infected systems.
Process Hacker / Process Monitor: Live system tools for observing process behavior in sandbox analysis.
ANY.RUN, Cuckoo Sandbox: Online and self-hosted sandboxes for dynamic malware analysis.
Autoruns (Sysinternals): Comprehensive scan of all persistence locations — far more complete than manual registry checking.
FAQ: Malware Forensics
Q: Can we tell who sent the malware?
A: Attribution is difficult and often inconclusive. Network forensics may identify C2 infrastructure that has been associated with known threat actors. Code analysis may reveal overlapping techniques or reused code. But positive attribution to a specific individual typically requires additional intelligence beyond what forensics alone provides.
Q: Is a computer safe to use after malware removal?
A: Not without verification. Removing detected malware doesn’t guarantee all persistence mechanisms were removed. Rebuilding from a known-clean backup or OS reinstall is the only way to be certain. Forensic analysis of the infected system informs what data may have been accessed or exfiltrated.
Q: Can malware hide from forensic tools?
A: Rootkits can hide files and processes from live OS analysis. This is why offline analysis (forensic image, not live system) is standard practice. Analyzing the raw disk image bypasses OS-level hiding mechanisms.
Q: How long does a typical forensic examination take?
A: Timelines vary based on data volume and case complexity. A single device may take one to three days; multi-device investigations can span weeks.
Q: What certifications should a digital forensics examiner hold?
A: Common certifications include EnCE, CFCE, CCE, and GCFE. Relevance depends on the examination type and the jurisdiction’s expectations.
Case Example
A small firm experienced a ransomware incident during a critical business period. The forensic examiner preserved volatile memory before imaging affected systems. RAM analysis identified the ransomware variant and command-and-control infrastructure. Windows Event Logs established the initial compromise occurred through a phishing email. The timeline showed the attacker maintained access for eleven days before deploying ransomware, during which data was exfiltrated — triggering breach notification obligations that would not have applied to an encryption-only attack.
Practitioner Takeaways
- Verify forensic images with cryptographic hashing before analysis.
- Document every examination step for reproducibility.
- Cross-reference findings across multiple artifact types.
- Note tool versions used — behavior changes between versions affect reproducibility.
- Distinguish facts from inferences in your report.
Need Professional Digital Forensics?
Octo Digital Forensics provides expert mobile forensics, data recovery, and digital investigation services for attorneys, insurance companies, and private investigators. Court-admissible reports. Certified examiners.
Contact: octodf.com | info@derickdowns.com | (858) 692-3306