SRI Security Research Institute, Edith Cowan University, Perth, Western Australia
Digital forensics procedures should be developed to obtain digital evidence with regard to legal requirements such as admissibility, authenticity, completeness, reliability and believability. At the same time, Trojan banking malware incidents have grown significantly and pose a great threat to online banking users globally. This type of malware is known to use anti-forensic techniques to avoid forensic detection. Moreover, numerous works and research studies point out the drawbacks of the post-mortem forensics approach in dealing with evidence that resides only in non-persistent (volatile) memory, and other works reveal the disadvantage of the live-response approach to incident response, which might compromise the evidence as well. Over the last four years there has been notable development of memory forensics approaches focusing on malware incidents. This paper demonstrates procedures that apply three different forensics approaches to three different Trojan banking malware samples: Cridex, ZeuS and SpyEye. The aim of this work is to determine the proper forensics approach for Trojan banking malware incidents. The paper also uses a network forensics approach to gather and analyse the network-based evidence.
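As an added illustration of the evidence-handling point the abstract makes (authenticity and completeness of a memory image, and triage of volatile evidence without altering it), the following Python example is not code from the paper or its authors. It hashes an acquired image before analysis, records the hash in a custody record, verifies the image against that record later, and scans the image read-only for printable strings and URL-like values of the kind a banking trojan's in-memory configuration exposes. The sample bytes, the case identifier, the examiner name and the hostnames (which use the reserved `.invalid` domain) are all constructed for the example and refer to no real case, sample or infrastructure.

```python
"""Added example (not from the paper): a minimal, read-only memory-triage step
that keeps the evidence requirements of the abstract in mind.

  1. The image is hashed before any analysis and the hash is kept in a custody
     record, so authenticity and completeness can be demonstrated later.
  2. The image is scanned for printable strings and URL-like values, the kind of
     indicator a banking trojan's in-memory configuration exposes.

All names, identifiers and sample bytes are constructed for the example.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed stand-in for a few bytes of a memory image: filler, two URL-like
# strings and one short non-URL string. Hostnames use the reserved ".invalid"
# TLD so they cannot resolve.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"http://bank-config.invalid/cfg.bin\x00"
    + b"\x90\x90\x90ABC\x00"
    + b"webinject\x00"
    + b"\xff" * 16
    + b"https://drop-site.invalid/gate.php\x00"
    + b"\x00" * 32
)

# URL-like byte runs; the class covers the characters RFC 3986 allows.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def sha256_hex(data: bytes) -> str:
    """Hash the whole image. Recorded before analysis and re-computed on every
    later access to show the evidence is unchanged."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Return runs of printable ASCII at least min_len long (classic 'strings'
    triage, performed on the image without modifying it)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_urls(data: bytes) -> list[str]:
    """Return URL-like strings in the image, deduplicated in order of appearance."""
    seen, found = set(), []
    for m in URL_RE.finditer(data):
        url = m.group().decode("ascii")
        if url not in seen:
            seen.add(url)
            found.append(url)
    return found


def custody_record(image: bytes, case_id: str, examiner: str, source: str) -> dict:
    """Build the acquisition record that accompanies the image (hypothetical
    field set; a real procedure would follow the organisation's template)."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": source,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "size_bytes": len(image),
        "sha256": sha256_hex(image),
    }


def verify_integrity(image: bytes, record: dict) -> bool:
    """Re-hash the image and compare size and digest with the custody record."""
    return len(image) == record["size_bytes"] and sha256_hex(image) == record["sha256"]


if __name__ == "__main__":
    record = custody_record(SAMPLE_IMAGE, "CASE-EXAMPLE-001",
                            "examiner (placeholder)", "constructed sample image")
    print(json.dumps(record, indent=2))
    print("strings :", extract_strings(SAMPLE_IMAGE))
    print("urls    :", find_urls(SAMPLE_IMAGE))
    print("integrity ok:", verify_integrity(SAMPLE_IMAGE, record))
```

The hash is taken over the image as acquired and never over a processed copy, so a later analyst can re-run `verify_integrity` on the original file and tie their findings back to the custody record; the string and URL scans only read the buffer, which is the property that makes memory analysis preferable to live response on a running host where each command may itself change the evidence.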