A proactive malicious software identification approach for digital forensic examiners

TL;DR

This paper proposes a proactive approach for digital forensic investigators to identify malware by analyzing its behavior across different Windows OS versions, improving detection beyond traditional AV tools.

Contribution

It introduces a method to correlate malware behavior with OS artifacts, aiding in the early detection of new and unknown malware.

Findings

Malware exhibits distinct behaviors on different Windows versions.

Correlation with OS artifacts can improve malware detection accuracy.

The approach reduces reliance on traditional AV signatures.

Abstract

Digital investigators often get involved with cases, which seemingly point the responsibility to the person to which the computer belongs, but after a thorough examination malware is proven to be the cause, causing loss of precious time. Whilst Anti-Virus (AV) software can assist the investigator in identifying the presence of malware, with the increase in zero-day attacks and errors that exist in AV tools, this is something that cannot be relied upon. The aim of this paper is to investigate the behaviour of malware upon various Windows operating system versions in order to determine and correlate the relationship between malicious software and OS artifacts. This will enable an investigator to be more efficient in identifying the presence of new malware and provide a starting point for further investigation.