Forensic Recovery and Analysis of the Artefacts of Crimeware Toolkits

Document Type: Conference Proceeding

secau - Security Research Center
Faculty of Computing, Health and Science
School of Computer and Security Science / Security Research Centre (secAU)




This article was originally published as: Brand, M. W. (2011). Forensic Recovery and Analysis of the Artefacts of Crimeware Toolkits. Paper presented at the 9th Australian Digital Forensics Conference, Citigate Hotel, Perth, WA.


The total cost of cybercrime has been estimated to exceed US$388 billion annually. The availability of crimeware toolkits has lowered the bar for entry to the world of cybercrime. With very little technical knowledge required, cybercriminals can create, deploy and harvest financial data using banking trojans though a point and click graphical user interface that can cost less than US$1000. Technical support is also available for a fee, including technical infrastructure and servers to store harvested data. Fraudsters employing crimeware toolkits have been reported to have stolen US$3.2 million dollars in as little as six months. This paper presents preliminary research that has been conducted to forensically recover and analyse artefacts from the process of using crimeware toolkits from the file system and memory of systems that have been potentially engaged in such banking trojan authoring activities. Construction of a banking trojan using a crimeware toolkit follows a process that typically requires a set of configuration files and a small suite of program tools within the toolkit. Artefacts can be recovered from the process that could potentially be presented for admission as evidence in a court of law. Artefacts from the toolkits vary, as does the versions and variants of available toolkits. This paper proposes further research to construct a library of baseline artefacts to assist in the reconstruction of events to assist the forensic analyst in determining the provenance of any particular banking trojan.