How to Streamline a Malware Investigation Down to 30 Minutes or Less

Malware incident response can be a time-consuming and frustrating process. A seasoned investigator, however, has documented steps to help you investigate malware in 30 minutes or less.

Joseph Salazar, an information security practitioner, presented his methodology in a lecture called “Streamlined Malware Incident Response with EnCase®,” at the Enfuse™ conference (formerly known as CEIC®) held earlier this year. This highly rated session outlined a framework to minimize user and system exposure to malware; utilize supporting infrastructures and processes; and leverage the flexibility of not only EnCase Endpoint Security, but even more so, EnCase Enterprise.

EnCase® Enterprise? Isn’t that a digital forensics tool?  

According to Salazar, “EnCase Enterprise is critical in malware incident response. The ability to do a live examination of a running system across the network is part of the reason you can do this in 30 minutes.”

If you missed this popular lecture, you can read a brief summary of it here, in this blog, and also download the complete slide presentation here: Streamlined Malware Incident Response with EnCase. We’d also like to remind you to register early for Enfuse 2016, where you can hear similar topics that will help you to further decrease your company’s exposure to unknown cyber risks or threats.


Malware is a real threat. Antivirus (AV) is not enough.

Salazar, with decades of experience in information security, including 22 years as a counter-intelligence agent, military intelligence officer and cyber security officer in the U.S. Army Reserves, introduced his session with a strong warning to information security professionals: Malware is a real threat. AV is not enough.

He cited a plethora of industry sources that prove the ineffectiveness of AV in malware detection, including reports that AV only detects 45 – 50 percent of cyber attacks (see presentation for sources).

To augment AV and perform malware incident response in 30 minutes, Salazar proposed a five-step investigative flow, as outlined below:





  1. An alert is received from network monitoring. Examples: through an IDS alert, reputational alert, etc.
  2. The host and/or the user is located. Examples: through proxy logs, internal DNS or AD authentication, firewall logs, etc. 
  3. The possible malicious executable is researched. Example: If you have a pcap, research on the binary, submit to VirusTotal, or send it through a sandbox.  
  4. The potential infection is investigated using EnCase Enterprise. Note: it takes longer to find a negative result than a positive result.
  5. The malware is remediated via a wipe: Submit a request to wipe or reimage the system, or use EnCase Endpoint Security to perform a selective forensic wipe of the malicious binaries.

Using EnScripts® to assist with and automate malware detection 

Since EnCase Enterprise is the primary investigation tool recommended, Salazar suggested that EnScripts be used with it to reduce and automate the data to be reviewed.  He said to create an EnScript to search for IOCs on the subject system, or find an EnScript already developed, available from EnCase® App Central.

The most common indications of a compromise were reviewed:

File signature analysis: This will help you to identify renamed files. Look for exes renamed as .zip or similar, MZ file headers, java cache files, and anything that malware can use to execute on a system.
Executables (in locations they don’t belong): You shouldn’t see executables in a user’s internet temp directory, for example.
Unexpected running processes: These will show up when you do a quick snapshot in EnCase Enterprise, since it captures running process memory.  This is very useful to find what is in memory that shouldn’t be.
Files with weird or missing time stamps: These are candidates for close inspection, as the file may have been time-stamped.
Lexical or short file names: A file with some random, alphanumeric file name of six consecutive consonants without a vowel is a dead giveaway that it may be malicious.  You have to tinker with this one, as it can also identify legitimate files.  Files with short file names, such as “a.exe” or “out.bin” are suspect as well.

More IOCs to Narrow Your Malware Investigation Scope

To learn about more IOCs to narrow your investigation scope, click here to download the complete presentation: Streamlined Malware Incident Response with EnCase.

Don’t forget that you can attend other top-notch sessions like this one at Enfuse 2016 in Las Vegas, May 23-26, 2016. Enfuse brings the power of hands-on labs, learning sessions, and networking events together in a way that will take your work—and your career—to a whole new level.

Click here to learn more about Enfuse and how you can save over 40% off the regular conference registration fee if you act by November 30, 2015.

No comments :

Post a Comment