Here are my usual steps:
1. Create a forensic image (.E01) of the suspect media (the system hard disk).
2. Objectives of the analysis:
– Identification of the involved banking trojan
– Detection of the trojan files on the infected computer
– Discovery of the method of infection
– Analysis of the functionality of the malware (especially banking behaviour)
– Detection of the C&C server and dropzone(s)
– Cleaning up the infected computer
3. Record the basic information
– Affected bank
– All details of the disputed online transaction(s)
– If available: log files (IP addresses, user agent strings, click paths)
– Used user account
– Used web browser
– What happened exactly?
How many indexed transaction numbers were requested/entered? When was the victim prompted to provide the indexed transaction numbers? Immediately after a successful login? What did it look like? What pretext was used? Exact wording?
– Operating System
– Service Pack
– Computer Name
– User accounts (with privileges)
– Installed web browsers
– Internet Service Provider
3.4 Essential Security Settings
– Windows Update Settings
– Anti-Virus Software
– Adobe Reader
– Adobe Flash Player
– Sun Java
Feel free to create a timeline table for a better overview.
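As an added example (not part of the original post), the following PowerShell 5.1 script gathers the step-3 basic information and essential security settings from the suspect system into a single record that can be pasted into the case file or timeline table. `$OutDir` is a placeholder for an external evidence drive, and the product-name list in `$watch` is my own assumption.

```powershell
# Added triage script (not from the original post): collects the step-3 items.
# Assumes PowerShell 5.1 (Get-LocalUser/Get-LocalGroupMember) on the suspect system.
$OutDir = 'E:\case'   # placeholder: external evidence drive, not the suspect disk

$os = Get-CimInstance Win32_OperatingSystem
$info = [ordered]@{
    'Operating System' = $os.Caption
    'Service Pack'     = "$($os.ServicePackMajorVersion).$($os.ServicePackMinorVersion)"
    'Computer Name'    = $os.CSName
}

# User accounts, flagged with local Administrators membership (Name is "COMPUTER\user")
$admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
$info['User accounts'] = (Get-LocalUser | ForEach-Object {
    $role = if ($admins -contains "$env:COMPUTERNAME\$($_.Name)") { 'admin' } else { 'user' }
    "$($_.Name) ($role, enabled=$($_.Enabled))"
}) -join '; '

# Installed browsers and plugins of interest, read from the Uninstall registry keys
# (Internet Explorer is part of Windows and does not appear here).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue | Where-Object DisplayName
$watch = 'Firefox', 'Chrome', 'Opera', 'Safari', 'Adobe Reader', 'Acrobat', 'Flash Player', 'Java'
$info['Browsers / plugins'] = ($installed |
    Where-Object { $n = $_.DisplayName; $watch | Where-Object { $n -like "*$_*" } } |
    ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" } | Sort-Object -Unique) -join '; '

# Windows Update setting (AUOptions: 1 = disabled, 2 = notify, 3 = download only, 4 = automatic)
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' `
      -ErrorAction SilentlyContinue
$info['Windows Update (AUOptions)'] = if ($au) { $au.AUOptions } else { 'not found' }

# Anti-virus products registered with Security Center
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
      -ErrorAction SilentlyContinue
$info['Anti-Virus Software'] = if ($av) { @($av.displayName) -join '; ' } else { 'none registered' }

# Show the record and save a timestamped copy on the evidence drive
$report = [pscustomobject]$info
$report | Format-List
$report | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "triage-$(Get-Date -Format yyyyMMdd-HHmmss).csv")
```

Screenshot the Format-List output as well, so the record in the report matches what was captured on the machine.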
4. System Scans
Start a full system scan with Malwarebytes’ Anti-Malware and use HijackThis.
Also check the log files of the installed anti-virus software. This is important because victims usually run system scans after they realize the fraud.
Note: I do all my investigations on the infected computer. The changes on the computer are negligible.
Note: I also use the free version of Gadwin PrintScreen to document my steps. Gadwin PrintScreen can capture the entire Windows screen, the active window, or a specified area.
6. Banking Trojan
– Banking Trojan (e.g. ZeuS Version 2.x)
– Synonyms (e.g. Zbot, Wsnpoem, Infostealer.Banker.C)
– Analysis of the decoded configuration files
– Phishing attack variant (iTAN stealer, real-time attacks like background transaction and real-time manipulation)
Cleaning up the infected computer
Data integrity is compromised. Data has been maliciously modified, altered, or destroyed. Please change all your account passwords from a clean system. I highly recommend formatting and reinstalling Windows (after a backup). It’s also important to overwrite the master boot record.