Forensic Recovery and Analysis of the Artefacts of Crimeware Toolkits

Document Type

Conference Proceeding

Publisher

secau - Security Research Center

Faculty

Faculty of Computing, Health and Science

School

School of Computer and Security Science / Security Research Centre (secAU)

RAS ID

12758

Comments

Brand, M. W. (2011). Forensic Recovery and Analysis of the Artefacts of Crimeware Toolkits. Paper presented at the 9th Australian Digital Forensics Conference. Citigate Hotel, Perth, WA.

Abstract

The total cost of cybercrime has been estimated to exceed US$388 billion annually. The availability of crimeware toolkits has lowered the bar for entry to the world of cybercrime. With very little technical knowledge required, cybercriminals can create, deploy and harvest financial data using banking trojans through a point-and-click graphical user interface that can cost less than US$1000. Technical support is also available for a fee, including technical infrastructure and servers to store harvested data. Fraudsters employing crimeware toolkits have been reported to have stolen US$3.2 million in as little as six months. This paper presents preliminary research conducted to forensically recover and analyse artefacts of the process of using crimeware toolkits from the file system and memory of systems that have potentially been engaged in such banking trojan authoring activities. Construction of a banking trojan using a crimeware toolkit follows a process that typically requires a set of configuration files and a small suite of program tools within the toolkit. Artefacts of that process can be recovered and could potentially be presented for admission as evidence in a court of law. Artefacts from the toolkits vary, as do the versions and variants of available toolkits. This paper proposes further research to construct a library of baseline artefacts to assist in the reconstruction of events and to help the forensic analyst determine the provenance of any particular banking trojan.

DOI

10.4225/75/57b2b94e40ce8

Access Rights

free_to_read
