Cyber Forensics: Discovering Traces of Malware on Windows Systems

2020

Malware crimes are ubiquitous nowadays. One of the challenges faced by cyber forensics investigators is retrieving the details of a suspicious program, which might be malware, from a computer. A further challenge is that criminals often apply anti-forensics techniques after committing cybercrimes to hide the presence of suspicious programs and their associated details; in such cases the footprints of those programs may have been deleted or overwritten on the suspect's computer. This paper presents a detailed procedure for reconstructing or retrieving crucial information about such suspicious programs from various sources on a Windows computer, revealing their traces from the remnants that remain. It describes methodologies for examining both the storage media and the random access memory content of the suspect's computer to retrieve these footprints, and includes steps for analysing various Windows 10 artefacts that may hold the footprints of malware even after it has been deleted or overwritten at its original location. The paper also reports the results of experiments conducted to identify the traces of suspicious executables that have been deleted from, or still exist on, the computer.