Australian Digital Forensics Conference

Document Type

Conference Proceeding


SRI Security Research Institute, Edith Cowan University, Perth, Western Australia


Digital forensics procedures should be developed to obtain digital evidence that meets legal requirements such as admissibility, authenticity, completeness, reliability and believability. At the same time, Trojan banking malware incidents have grown significantly and pose a serious threat to online banking users worldwide. This type of malware is known to use anti-forensic techniques to evade forensic detection. Moreover, numerous works highlight the drawbacks of the post-mortem forensics approach when dealing with evidence that resides only in volatile memory and is therefore lost once the system is powered off. Other works reveal the disadvantages of the live-response approach to incident response, which may itself alter or compromise the evidence. Over the last four years there has been notable development of memory forensics approaches that focus on malware incidents. This paper demonstrates procedures that apply three different forensics approaches to three different Trojan banking malware samples: Cridex, ZeuS and SpyEye. The aim of this work is to identify the proper forensics approach for Trojan banking malware incidents. The paper also uses a network forensics approach to gather and analyse the network-based evidence.


Originally published in the Proceedings of the 10th Australian Digital Forensics Conference, Novotel Langley Hotel, Perth, Western Australia, 3rd-5th December, 2012