CCST 2015 7389685

A Digital Triage Forensics Framework of Window Malware Forensic Toolkit Based on ISO/IEC 27037:2012

Da-Yu Kao* and Guan-Jie Wu
Department of Information Management, Central Police University, Taoyuan City, Taiwan 33304
*Corresponding author: [email protected]

Abstract—The rise of malware attacks and data leakage is putting the Internet at higher risk. Digital forensic examiners responsible for cyber security incidents need to continually update their processes, knowledge and tools as technology changes. Such attacks can be investigated by means of Digital Triage Forensics (DTF) methodologies. DTF is a procedural model for the crime scene investigation of digital forensic applications. It serves as a way of gathering quick intelligence and presents methods of conducting pre/post-blast investigations. A DTF framework of a Window malware forensic toolkit is further proposed. It is based on ISO/IEC 27037:2012, the guidelines for specific activities in the handling of digital evidence. The argument is made for a careful use of digital forensic investigations to improve the overall quality of expert examiners. This solution may improve the speed and quality of pre/post-blast investigations. By considering how triage solutions are being implemented in digital investigations, this study presents a critical analysis of malware forensics. The analysis serves as feedback for integrating digital forensic considerations, and specifies directions for further standardization efforts.

Keywords—digital forensics; digital triage forensics; ISO/IEC 27037; cybercrime; malware; hacker

I. INTRODUCTION

Malware is short for malicious software: software that provides unauthorized access to, or performs unauthorized actions on, a system. Security breaches have become a part of everyday life. As society becomes increasingly digitalized, it also becomes necessary to optimize the forensic examination process. Hackers often destroy evidence by modifying logs, overwriting files, or encrypting incriminating data. Examiners, such as system administrators, incident response specialists, and forensic laboratory managers, are rarely presented with a perfect incident scene. They are usually called to an incident after the victim has already taken steps to remediate it [1]. This creates investigative difficulty and legal challenges in proving that the evidence is authentic and reliable. To ensure that the evidence is admissible in court, examiners should closely follow rigorous procedures or recommendations. Digital evidence is intangible by nature, so it is essential for digital examiners to develop appropriate skills. Forensics is heterogeneous, and digital forensics is no exception. Certifications are a good way to develop examiners' skills.

The growing need for digital forensics has sparked heated debates about tools, terminology, definitions, standards, and other aspects. It should come as no surprise that this study touches on the question of accessing original data, which is central to the terminology debate. Examiners need to complete an examination or analysis within a short period of time. Investigating an entire computer is impossible in the hours available [4]. An organization may have many computers and other digital devices, and a great deal of information is stored on a single computer. There are simply too many computers and too much information. In some circumstances the traditional digital forensics approach of seizing the media, transporting it to the lab, making a forensic image, and searching the entire system for potential evidence is no longer appropriate [18].

This study is organized as follows. Studies of digital forensics, Digital Triage Forensics (DTF), ISO/IEC 27037:2012 and its follow-up ISO/IEC 27043:2015 are discussed in Section 2. The proposed three stages and three periods of the DTF framework, which is based on ISO/IEC 27037:2012, are presented in Section 3 and Section 4. The three periods are also analyzed from the viewpoints of people, process, and technology. The Window malware forensic toolkit of the DTF framework is discussed and analyzed in Section 5. Future research is presented in Section 6 and conclusions are given in Section 7.

II. REVIEWS

A. Digital Forensics and DTF

1) Digital Forensics

Digital forensics is a branch of forensic science that encompasses the investigation of data in digital devices [14]. It focuses on the recovery and analysis of raw data in electronic devices. It is a maturing science that needs to be continuously held to higher standards [16]. Digital forensics is divided into dead forensics and live forensics, according to whether the system is powered off or powered on at the time of examination. If the system is booted, the examination is called live forensics. Dead forensics may lose data or information because the device was shut down or its plug was pulled [5]. Current attitudes towards the process of digital forensic investigations are examined to improve the speed of pre/post-blast investigations. Once the initial incident scene examination is concluded, the media can be transported back to a lab for a detailed examination.

2) Destructive Challenge in Digital Forensics

DNA and fingerprint tests are destructive. The traditional forensic disciplines of DNA and fingerprint analysis show that the measure of forensic soundness does not require the original to be left unaltered. Despite the changes that occur during processing, these methods are considered forensically sound, and DNA evidence is regularly admitted in court [6]. Some practitioners of digital forensics hold that a method of preserving or examining digital evidence is only forensically sound if it does not alter the original evidence source in any way [5]. However, preserving everything and changing nothing is almost impossible in malware, cloud or mobile forensics. Postulating such an unaltered-original principle as a best practice only opens digital evidence to criticism, and it is impossible to conform to it at the incident scene. The main reasons are [5, 6, 7]: (1) law enforcement agents handle many cases at the same time; (2) many computers are found at the incident scene; (3) the time available for data processing is limited; (4) the manpower of the forensic lab is limited; (5) the first responder can record only limited information; (6) the principle is inconsistent with other forensic disciplines (e.g., fingerprint processing or DNA analysis); (7) some volatile data will be lost in some circumstances; (8) the backlog of digital evidence processing is obvious in a legal context.

3) The Gathering Quick Intelligence Need for DTF

As digital forensics is still an immature science, scientific processes are integrated into investigations in order to make digital evidence acceptable in court. Digital Triage Forensics (DTF) is a procedural model of digital forensic applications for the initial assessment of an incident. DTF determines the severity of the incident, prioritizes resources and sets the direction for further action in the criminal investigation [15]. By considering how DTF can be implemented in digital investigations, this study presents a critical review of gathering quick intelligence in the proposed DTF framework. With the rise of challenges in the forensic investigation field, some interesting problems are looming on the horizon for both victims and examiners. Digital forensics is the science of recovering digital evidence from a digital source under forensically sound conditions using scientifically derived and proven methods [8]. It is no longer sufficient to collect only the non-volatile data of digital evidence after examiners pull the plug and take the computer back to the lab. Different approaches and tools are required, depending on the state of the device [11]. DTF meets this need.

B. ISO/IEC 27037:2012 and Its Follow-up ISO/IEC 27043:2015

Many digital forensics tools have been designed to resolve the existing challenges of forensic investigation. The purpose of this study is to compare the performance of popular tools against the criteria of ISO/IEC 27037:2012 [9]. The standard mainly covers the identification, collection, acquisition, and preservation of digital evidence (Fig. 1). Its scope relates only to the core handling process of digital evidence, whereas the complete digital evidence handling activities in ISO/IEC 27043:2015 include plan, prepare, respond, identify, collect, acquire, preserve, understand, report, and close [10]. These standards are intended to give fundamental principles or guidance on the investigation of information security incidents, and to ensure that tools, techniques, and methods can be selected appropriately.

Fig. 1. Core Processes in ISO/IEC 27037:2012 (identification, collection, acquisition, preservation)

1) Identification: Essential Logs

The identification process involves the recognition of digital evidence. It identifies the electronic storage devices that may contain digital evidence of an incident. As far as the digital forensics process is concerned, the elemental sources of audit logs (e.g., IP address, date-time stamp, digital action, and response message) should be identified.

2) Collection: Evidence Process

The collection process includes documenting the handling approach and packaging mobile phones, laptops and other ICT devices [12]. How digital evidence should be collected at the incident scene is a topic constantly under debate, and no single right answer exists.

3) Acquisition: Evidence Copy

The acquisition process involves producing a digital evidence copy (e.g., a complete hard disk, a partition, or selected files) and documenting the decision to use a particular method or tool and the activities performed. The examiner should adopt a suitable acquisition method based on the situation, cost and time.

4) Preservation: Necessary Information

The preservation process involves safeguarding digital devices and their evidence. When first responders evaluate the scene, they should [12]: (1) leave all electronic devices off if they are already turned off; (2) ensure that no unauthorized person has access to any electronic device at the scene; (3) secure all electronic devices.

III. PROPOSED THREE STAGES IN DTF FRAMEWORK

Reconstructing an event is a necessary process in forensic investigations [13]. This section shows what can be done in advance, at the scene and in the lab to support or refute that certain actions took
place on a computer system. The proposed DTF framework is divided into three stages, highlighted below (Fig. 2): prepare tools in advance, perform the investigation at the scene, and analyze the evidence in the lab.

Fig. 2. Proposed Three Stages in DTF Framework (prepare tools in advance; perform investigation at scene; analyze evidence in lab)

TABLE I. VOLATILE DATA IN WINDOW MALWARE FORENSIC TOOLKIT

Data Type                  Tool's Command
Date-time Stamps           date /t, time /t
Network Status             Tcpvcon, netstat -an, net view, net session, net use, NetResView /stext, Psfile, net share, net file, OpenedFilesView /stext
Opening Port               fport -p, getport, cports /stext
Running Process            Pslist, Psservice config, Handle, listdlls, psgetsid, pulist
Login User                 Whoami, net accounts, userdump, net user, net localgroup, psloggedon, Joa, UserProfilesView /stext
Autorun                    Autorunsc, net start, WhatInStartup /stext
Routing Table Information  route print -4, route print -6, arp -a

TABLE II. NON-VOLATILE DATA IN WINDOW MALWARE FORENSIC TOOLKIT

Data Type                  Tool's Command
IP Configuration           Hostname, ipconfig /all
System Configuration       Systeminfo, net config, psinfo, awatch /stext
System File                myuninst /stext, dir /t:c /s %windir%, dir /t:c /s "C:\Program Files (x86)\", dir /t:c /s "C:\Program Files\"
Used Log                   recentfilesview /stext, usbdeview /stext, auditpol, Psloglist, faview /stext, schtasks /Query, SkypeLogView /stext, mzcv /stext, Mozillahistoryview /stext, MyLastSearch /stext, browsinghistoryview /stext, iehv /stext
Cache View                 insideClipboard /stext, chromecacheview /stext, Mozillacacheview /stext, IECacheView /stext, OperaCacheView /stext

A. Prepare Tools in Advance: Window Malware Forensic Toolkit

Various forms of digital evidence have become crucial to solving cybercrime. Examiners can match the characteristics of a known sample (suspected malware) against an unknown sample found at the scene [13]. The collected volatile and non-volatile data meet this need. A Window malware forensic toolkit can be prepared in advance for digital evidence collection and the investigation of cyber activities [17].

1) Know Initial Facts: Observe Volatile Data

The list of users connected to a computer system may change at any moment. The volatile data of a victim computer contains significant information that helps examiners determine the 'who' and 'how' of the incident. To help answer these questions, examiners can collect data from the following areas on the victim machine (Table I) [1, 13]: date-time stamp, network status, opening port, running process, login user, autorun, and routing table information.

2) Understand Investigative Priorities: Non-volatile Data

Non-volatile data is less likely to change and can be collected later. Examiners can collect non-volatile data from the following areas on the victim machine (Table II) [1, 13]: IP configuration, system configuration, system file, used log, and cache view.

B. Perform Investigation at Scene: Pre-blast Investigations

The following processes can be conducted at the scene [9]: identification, collection, and acquisition. This stage puts examiners in direct contact with the suspect.

1) Identification: Initial Response from Essential Logs

The identification process is essential within the scope of the legal authority. Some paperwork is necessary: take photos, take notes, tag evidence items and document the steps taken at the scene.

2) Collection: Collect Information before It Disappears

Collecting the initial facts of volatile data, including the underlying operating state of the system, plays a vital role during system examinations [18]. It helps in understanding the running system and its network processes. The tools in Table I are capable of capturing this volatile data as digital evidence. Examiners should start with the most unstable data and proceed toward stable data, so that valuable information is less likely to be missed before it disappears [7].

3) Acquisition: Minimize Modification in Evidence Copy

Examiners should minimize modification when conducting forensics. However, network-based evidence is often highly volatile and must be collected through active means that inherently modify the state of the evidence [4]. In cases where data acquisition is impossible without changing the configuration of the device, the procedure and the changes must be tested, validated, and documented [19].

C. Analyze Evidence in Lab: Post-blast Investigations

1) Preservation: Necessary Information in Detail

Digital evidence is subject to strict rules regarding its admissibility in the court record. Examiners should take the time to preserve it properly for trial. They should consider the initial response in order to preserve the integrity and admissibility of the essential logs [7].

2) Analysis: Cross-validated Results in Data Analysis

Evaluation of third-party forensic tools is needed to facilitate malware analysis [7]. The analysis process evaluates potential digital evidence and assesses its relevance to the investigation [10]. The analysis should record tool version numbers, the techniques used and their results, so that the results can be cross-validated by another examiner. Sufficient information is crucial for another examiner to confirm or dispute the findings.

3) Report: Quality Assurance in Legal Issues

The report should be written in simple language and should be clear, concise, unambiguous and understandable for a wide audience [10]. Examiners need to focus on what they can do, why they do it and what they have found. They can offer opinions and conclusions in court within their areas of expertise.

IV. PROPOSED THREE PERIODS IN DTF FRAMEWORK

As cybercrime increases in modern society, there is an urgent need to set up a standard for evidence collection [4]. Live forensics is complementary to dead forensics in the modern era of computing. Live forensics primarily targets the volatile data that can only be collected from a running system and cannot be extracted from a dead system whose power cord has been pulled [2]. When a computer is involved in an incident, there are several ways to proceed with the investigation. Three periods in the DTF framework are discussed below (Table III): the prelusion, incident, and aftermath periods. The periods are performed in order, and each is analyzed from the viewpoints of people, process, and technology. This section provides a framework for directing and managing a digital forensic job [16].

TABLE III. PROPOSED THREE PERIODS IN DTF FRAMEWORK

Period      Stage                           People                          Process               Technology
Prelusion   Prepare Tools in Advance        System Administrators           Evidence Collection   Security Management
Incident    Perform Investigation at Scene  Incident Response Specialists   Live Forensics        Fact Finding
Aftermath   Analyze Evidence in Lab         Forensic Laboratory Managers    Dead Forensics        Forensic Conclusion

A. Prelusion Period: System Administrators Collect Evidence for Security Management

The prelusion period covers identifying where the incident begins and how system administrators notice an incident at the very beginning.

1) People: System Administrators

System administrators are responsible for the reliable operation and security maintenance of computer systems. They seek to ensure that the computers can recover quickly from a security incident. Administrators often know when a program is running exceptionally slowly, or when something is odd.

2) Process: Evidence Collection

Numerous mistyped commands or unsuccessful login attempts can be signs of SQL injection or brute-force intrusion attempts. Such signs indicate a potential area of concern. The toolkits in Table I and Table II can help system administrators conduct ongoing assessments of network status, and distinguish between normal and abnormal activities over a given period.

3) Technology: Security Management

Sometimes administrators cannot afford to remove a computer from the network, so a traditional forensic duplication cannot be acquired in its place. Immediate attention and proper preparation facilitate smooth execution and include [12]: (1) establishing an information security policy to ensure that services remain available; (2) maintaining an approach for handling an incident; (3) collecting the related information to detect hackers; (4) reporting the incident to the authority.

B. Incident Period: Incident Response Specialists Perform Live Forensics for Fact Finding

1) People: Incident Response Specialists

If first responders find it necessary to access the original data on a computer or on storage media, they must be competent to do so and be able to explain the relevance and the implications of their actions [2]. Every operation may modify the state of the computer and can impede the forensic analysis, so changing the system as little as possible is standard practice.

2) Process: Live Forensics

The process of live forensics becomes an important issue in a security breach. The volatile data in computer memory cannot be ignored when performing digital evidence collection and acquisition. Live forensics allows memory content, processes and data to be recovered and analyzed without shutting down the system [15, 17], and can be considered the first step of an incident response scenario [16]. This live forensic methodology can extract volatile data, running processes, cached processes, network connections, and open ports.

3) Technology: Fact Finding

If victims have filed complaints to prosecute the hackers, examiners should document every step and hash the acquired data to vouch for the validity of the collected data.

C. Aftermath Period: Forensic Laboratory Managers Perform Dead Forensics for Forensic Conclusion

The aftermath period covers identifying how to recover from the incident and how to get back to normal business sooner.

1) People: Forensic Laboratory Managers

If first responders forward all media to the lab without any exploitation attempt at the scene, and make the forensic laboratory managers responsible for all processing, the lab becomes backlogged very quickly by the sheer volume of data that must be analyzed. This backlog can be eliminated by implementing the DTF procedures [15].

2) Process: Dead Forensics

In dead forensics it is much easier for examiners to minimize system modification, because they work with a copy of a write-protected drive.

3) Technology: Forensic Conclusion

The conclusions of the investigation must be supported by a fair and reasonable depiction of what the overall evidence shows [19]. Each incident response team has to extract the truth from a mass of confused evidence. Examiners should always offer objective opinions and conclusions that are supported by facts, and facts alone.

V. DISCUSSIONS AND ANALYSES IN WINDOW MALWARE FORENSIC TOOLKIT

Defending against malware has focused on intrusion detection, content filtering, detecting and blocking malware, and other reactive technologies. The Window malware forensic toolkit of the DTF framework is discussed and analyzed below [1, 3, 6, 11, 12].

A. Characteristics in Malware Forensic Toolkit

The analysis of the malware forensic toolkit can put the collected information together and examine two kinds of characteristics: class and individual. Both can be found in the data gathered with Table I and Table II.

1) Class Characteristics

Class characteristics help examiners narrow a pattern down to a specific family of malware. It is impossible to be familiar with every kind of malware in all of its forms [1]. Better investigative efforts include a comparison of unknown malware with known samples in their patterns or behaviors.

2) Individual Characteristics

Individual characteristics may establish the uniqueness of an object. Once individual characteristics are determined, the malware can be identified. With the help of the data collected on the target computer, examiners can determine whether a known sample of malicious code or code pattern is consistent with the unknown sample found at the scene.

B. Command Line Interface in Malware Forensic Toolkit

Examiners need to continually perform digital evidence analysis using various tools. Digital forensic tools generally fall into one of two categories: Command Line Interface (CLI) and Graphical User Interface (GUI). A GUI is a human-computer interface that uses windows, icons and menus driven by a mouse; a CLI uses only text typed at a keyboard. To provide a simple way of collecting information in batches, this study presents the malware forensic toolkit as CLI tools (Table I and Table II). Several of the tools accept a '/stext' parameter to export the retrieved data to a text file. Multiple operations can be chained and performed much faster than in GUI tools.

1) Implement Trusted Toolkit

If hackers have broken in and obtained administrator rights, examiners must have trusted tools prepared in order to analyze the compromised machine quickly. Examiners should never trust the compromised computer: because the examined system has potentially been compromised, its native programs may have been modified. When conducting live forensics it is essential to use trusted toolkits and linked libraries to acquire data from the examined system. The incident period includes identifying potential evidence. Hackers often look for known weaknesses or exploits in the operating system or in application programs. At the start of any investigation, several questions must be answered immediately by first responders and system administrators. Are there any file deletion activities? If so, incident response specialists must pull the power cable out of the wall. This freezes the computer and its network connections [6, 12], at the cost of the volatile data listed in Table I, and leaves the forensic laboratory managers to obtain the potential evidence later. The overall scenario usually dictates the next steps an examiner takes.

2) Volatile and Non-volatile Data in Malware Forensic Toolkit

The proposed toolkit captures evidence from computer memory. When the collection tools are stored on a CD-ROM, the collected volatile and non-volatile data can be recorded on a separate removable disk. The collected data consists of two main subsets: volatile and non-volatile data. The volatile data would be lost if examiners relied on the traditional analysis method of forensic duplication; it will not be present if examiners shut down the computer.

C. Malware Forensic Toolkit in Digital Forensics

1) Case-oriented Difference

As hacker attacks become sophisticated, malware continues to advance and to automate effective attack techniques. The impact of malware ranges from minor system performance issues to remote control of a system by an attacker. As ICT devices continue to change, examiners must adopt new principles, methods or tools to stay capable of handling cybercrime issues [11]. This applies especially to malware investigation. It is problematic that the accused can use the malware defense (claiming that malware, not the user, performed the actions) to camouflage his or her crimes. Every case differs, and the collected evidence may vary in time, relationship or function. When modification of digital data is unavoidable, the procedure and the changes must be documented [19]. Examiners can use video, photography, notes or sketches to help convey or reconstruct the details of the scene later [12].

2) Put Data All Together

Volatile and non-volatile data are often collected together by a batch file; a picture of what happened emerges after examiners carefully parse the stored data, analyze the relevant information, and interpret the relationships among them. These data can indicate particular actions performed by malware or by a user. Mutual comparison among different evidential sources becomes an essential part of supporting or refuting a malware defense.

3) Need for Malware Forensic Toolkit

A malware forensic toolkit is essential to collect volatile and non-volatile data from the Windows system (Table I and Table II). Such a toolkit can [3]: (1) acquire memory contents for forensic analysis; (2) parse data from the physical memory; (3) reduce data size; (4) look into the large volumes of data for analysis; (5) monitor the running program.
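The following PowerShell script is an added example, not code from the paper or its toolkit. It ties together the Table I and Table II commands, the most-volatile-first rule of Section III.B.2, the trusted-toolkit requirement of Section V.B.1, the CD-ROM plus removable-disk layout of Section V.B.2 and the hashing step of Section IV.B.3 in one batch run. The drive letters D:\Toolkit and E:\Case001, the manifest file toolkit-sha256.csv (written when the kit was prepared in advance) and the log file name are assumptions; the tool names are those in the tables. Get-FileHash needs PowerShell 4.0 or later.

```powershell
<#
 Added example (not from the paper). Runs the Table I (volatile) and Table II
 (non-volatile) commands in that order from a trusted toolkit on read-only
 media, writes every result to a separate removable disk and hashes each
 output file so the collection can be vouched for later. Assumed layout:
   D:\Toolkit                      CD-ROM with the tool binaries and this script
   D:\Toolkit\toolkit-sha256.csv   columns File,SHA256 recorded when the kit was made
   E:\Case001                      removable disk that receives the outputs
#>
param(
    [string]$Toolkit = 'D:\Toolkit',
    [string]$OutDir  = 'E:\Case001'
)
$ErrorActionPreference = 'Continue'   # a missing or failing tool must not stop the sequence
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1) Trusted-toolkit check: refuse to run a binary whose hash differs from the
#    one recorded in advance (a tampered or wrong-version tool on the media).
foreach ($entry in Import-Csv (Join-Path $Toolkit 'toolkit-sha256.csv')) {
    $actual = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $Toolkit $entry.File)).Hash
    if ($actual -ne $entry.SHA256) {
        throw "Toolkit binary '$($entry.File)' does not match its prepared SHA-256; aborting"
    }
}
# Put the toolkit first on the search path so pslist, handle, cports ... resolve
# to the trusted copies. Windows built-ins (netstat, net, route, arp, systeminfo)
# still run from the examined system unless trusted copies are added to the kit.
$env:Path = "$Toolkit;$env:Path"

# 2) Steps in order of volatility: Table I first, Table II last.
#    WritesFile marks NirSoft tools that write their own report via /stext.
$steps = @(
    @{ Name = '01_datetime';     Run = { cmd /c date /t; cmd /c time /t } }
    @{ Name = '02_netstat';      Run = { netstat -an } }
    @{ Name = '03_net_sessions'; Run = { net session; net use; net share; net file } }
    @{ Name = '04_ports';        Run = { cports /stext $outFile }; WritesFile = $true }
    @{ Name = '05_processes';    Run = { pslist -accepteula; listdlls -accepteula } }
    @{ Name = '06_handles';      Run = { handle -accepteula } }
    @{ Name = '07_users';        Run = { whoami; net user; net localgroup administrators } }
    @{ Name = '08_loggedon';     Run = { psloggedon -accepteula } }
    @{ Name = '09_autoruns';     Run = { autorunsc -accepteula; net start } }
    @{ Name = '10_routing';      Run = { route print -4; route print -6; arp -a } }
    # ---- Table II: non-volatile, collected last ----
    @{ Name = '11_ipconfig';     Run = { hostname; ipconfig /all } }
    @{ Name = '12_systeminfo';   Run = { systeminfo } }
    @{ Name = '13_schtasks';     Run = { schtasks /Query /FO LIST /V } }
    @{ Name = '14_progfiles';    Run = { cmd /c dir /t:c /s 'C:\Program Files' } }
    @{ Name = '15_recentfiles';  Run = { recentfilesview /stext $outFile }; WritesFile = $true }
)

# 3) Run each step, hash its output and append one line to the collection log.
$log = Join-Path $OutDir 'collection-log.csv'
if (-not (Test-Path $log)) { 'Step,StartedUtc,Output,SHA256' | Set-Content -Path $log }
foreach ($step in $steps) {
    $outFile = Join-Path $OutDir "$($step.Name).txt"
    $started = (Get-Date).ToUniversalTime().ToString('o')
    if ($step.WritesFile) {
        & $step.Run | Out-Null                       # the tool writes $outFile itself
    } else {
        & $step.Run 2>&1 | Out-File -FilePath $outFile -Encoding utf8
    }
    $hash = if (Test-Path $outFile) { (Get-FileHash -Algorithm SHA256 -Path $outFile).Hash } else { 'MISSING' }
    "$($step.Name),$started,$outFile,$hash" | Add-Content -Path $log
}
# Hash the log itself last; copy this value into the examiner's notes.
(Get-FileHash -Algorithm SHA256 -Path $log).Hash
```

Running the script is itself an action on the live system (Section III.B.3): the examiner's PowerShell process, the toolkit drive and the output files all appear in the very process, handle and file listings being collected, which is why the start time and hash of every step are logged rather than left to memory.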
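As a second added example, again not from the paper, the PowerShell functions below compare a 'netstat -an' capture taken during the incident period with a baseline capture taken by the administrator during the prelusion period (Section IV.A.2), and report new listening ports and new established connections as leads to cross-check against the process and port tools in Table I (Section V.C.2). The two captures are constructed sample text using documentation address ranges, not real data; on them the comparison flags the listener on TCP 4444 and the connection to 203.0.113.9:8080.

```powershell
# Added example (not from the paper): diff two 'netstat -an' captures.

# Parse netstat text rows into objects. Header and blank lines do not match
# the pattern and are skipped. UDP rows have "*:*" as foreign address and no state.
function ConvertFrom-NetstatText {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$') {
            [pscustomobject]@{
                Proto  = $Matches[1]
                Local  = $Matches[2]
                LPort  = [int]$Matches[3]
                Remote = $Matches[4]
                RPort  = $Matches[5]
                State  = if ($Matches[6]) { $Matches[6] } else { 'NONE' }
            }
        }
    }
}

# One finding per listener or established connection that is present in the
# incident capture but absent from the baseline capture.
function Compare-NetstatCapture {
    param(
        [Parameter(Mandatory)][string]$BaselineText,
        [Parameter(Mandatory)][string]$IncidentText
    )
    $base = @(ConvertFrom-NetstatText $BaselineText)
    $now  = @(ConvertFrom-NetstatText $IncidentText)

    $baseListeners = @($base | Where-Object { $_.State -eq 'LISTENING' } |
                       ForEach-Object { "$($_.Proto)/$($_.LPort)" })
    $baseRemotes   = @($base | Where-Object { $_.State -eq 'ESTABLISHED' } |
                       ForEach-Object { "$($_.Remote):$($_.RPort)" })

    foreach ($row in $now) {
        if ($row.State -eq 'LISTENING' -and "$($row.Proto)/$($row.LPort)" -notin $baseListeners) {
            [pscustomobject]@{ Finding = 'NewListener';   Proto = $row.Proto
                               Local = "$($row.Local):$($row.LPort)"; Remote = '' }
        }
        elseif ($row.State -eq 'ESTABLISHED' -and "$($row.Remote):$($row.RPort)" -notin $baseRemotes) {
            [pscustomobject]@{ Finding = 'NewConnection'; Proto = $row.Proto
                               Local = "$($row.Local):$($row.LPort)"; Remote = "$($row.Remote):$($row.RPort)" }
        }
    }
}

# Constructed sample captures (not real data); addresses are documentation ranges.
$baseline = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49700       192.0.2.5:445          ESTABLISHED
  UDP    0.0.0.0:123            *:*
'@

$incident = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49700       192.0.2.5:445          ESTABLISHED
  TCP    192.0.2.10:49731       203.0.113.9:8080       ESTABLISHED
  UDP    0.0.0.0:123            *:*
'@

Compare-NetstatCapture -BaselineText $baseline -IncidentText $incident | Format-Table -AutoSize
```

In practice the two inputs are the netstat output files of two collection runs. A finding is only a lead: 'netstat -an' does not name the owning process, so each flagged port should be matched against the cports and Pslist output captured in the same run (Table I) before it is reported, which is the mutual comparison of evidential sources that Section V.C.2 calls for.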

VI. FUTURE RESEARCH

Digital evidence is fragile by nature. It may be altered, tampered with or destroyed through improper handling or examination, and different approaches can create different symptoms. While attackers can launch their attacks on various platforms, this framework is not yet able to cover various OSes (such as Windows, the Unix family, iOS) or various devices (such as desktops, smartphones, embedded devices). In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions [2]. Digital forensic investigators should be competent to manage the follow-up consequences when dealing with digital evidence. As emulators and virtual environments become more prevalent as analysis tools in digital forensic investigations, they may allow investigators to observe malware activities and their various processes, which reduces the risk of damaging evidence. While this work represents an initial exploration into the use of a digital triage forensics framework for malware identification, further experimentation is still needed to keep the integrity of digital evidence across different OSes and devices. Future research will take these mechanisms into account to make the investigator's life easier, so that the evidence can be accepted by a court.

VII. CONCLUSION

The malware incident response process has become a technique for collecting and analyzing forensically sound evidence. The data currently in memory may be the only evidence of the incident. A live forensic process captures information such as the current network connections, running processes, and open files. The proposed Window malware forensic toolkit can collect relevant data from the target computer to confirm whether an incident has occurred. The data is collected by running a series of commands, each of which produces output in an easily readable format. The nature of this framework suggests substantial benefits from using the ISO/IEC 27037:2012 approach as a critical reference for system administrators, incident response specialists and forensic laboratory managers. The purpose of this theoretical framework is to give a complete view of the Window malware forensic toolkit as a basis for tool selection. It is vital to recover possible evidence from a digital source in a forensically sound manner. Examiners can look at a piece of digital evidence in an investigation, gather more information, and try to explain what happened during an incident. They should draw conclusions only from what the science can show, and must not overstate the conclusions drawn from the discovered electronic evidence.

ACKNOWLEDGMENT

This research was partially supported by the Henry C. Lee Forensic Science Foundation and the Ministry of Science and Technology of the Republic of China under Grant MOST 103-2221-E-015-003-.

REFERENCES

[1] Aquilina, J. M., Casey, E., and Malin, C. H., "Malware Forensics: Investigating and Analyzing Malicious Code," Burlington, MA: Elsevier Inc., pp. 93-282, 2008.
[2] Association of Chief Police Officers (ACPO), "ACPO Good Practice Guide for Digital Evidence, Version 5," pp. 6-12, March 2012.
[3] Andress, J., Winterfeld, S., and Ablon, L., "Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (2nd Edition)," Burlington, MA: Elsevier Inc., pp. 181-192, 2014.
[4] Bashir, M. S. and Khan, M. N. A., "Triage in Live Digital Forensic Analysis," The International Journal of Forensic Computer Science (IJOFCS), vol. 1, no. 1, pp. 35-44, 2013.
[5] Casey, E., "Handbook of Digital Forensics and Investigation," Burlington, MA: Elsevier Inc., pp. 21-208, 2010.
[6] Casey, E., "Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet (3rd Edition)," Waltham, MA: Elsevier Inc., pp. 187-306, 2011.
[7] Flandrin, F., Buchanan, W. J., Macfarlane, R., Ramsay, B., and Smales, A., "Evaluating Digital Forensic Tools (DFTs)," 7th International Conference: Cybercrime Forensics Education & Training, Canterbury, September 2014.
[8] Hosseinkhani, J., Koochakzaei, M., and Keikhaee, S., "Detecting Suspicion Information on the Web Using Crime Data Mining Techniques," International Journal of Advanced Computer Science and Information Technology (IJACSIT), vol. 3, no. 1, pp. 32-41, 2014.
[9] International Organization for Standardization (ISO), "ISO/IEC 27037:2012 - Information Technology: Guidelines for Identification, Collection, Acquisition and Preservation of Digital Evidence," Switzerland: ISO Office, 2012.
[10] International Organization for Standardization (ISO), "ISO/IEC 27043:2015 Information Technology - Security Techniques - Incident Investigation Principles and Processes," Switzerland: ISO Office, 2015.
[11] Jingle, D. J. and Rajsingh, E. B., "ColShield: An Effective and Collaborative Protection Shield for the Detection and Prevention of Collaborative Flooding of DDOS Attacks in Wireless Mesh Networks," Human-centric Computing and Information Sciences, vol. 4, no. 8, 2014.
[12] Johnson, L., "Computer Incident Response and Forensics Team Management: Conducting a Successful Incident Response," Burlington, MA: Elsevier Inc., pp. 97-184, 2013.
[13] Ligh, M. H., Case, A., Levy, J., and Walters, A., "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory," Indianapolis, IN: John Wiley & Sons, Inc., 2014.
[14] Marshall, A. M., "Standards, Professionalization and Quality in Digital Forensics," Digital Investigation, vol. 8, no. 2, pp. 141-144, 2011.
[15] Pearson, S. and Watson, R., "Digital Triage Forensics: Processing the Digital Crime Scene," Burlington, MA: Elsevier Inc., 2010.
[16] Raghavan, S., "A Framework for Identifying Associations in Digital Evidence Using Metadata," Brisbane: Queensland University of Technology Dissertation, pp. 73-124, 2014.
[17] Roger, A. E. and Achille, M. M., "Multi-Perspective Cybercrime Investigation Process Modeling," International Journal of Applied Information Systems (IJAIS), Foundation of Computer Science FCS, New York, USA, vol. 2, no. 2, June 2012.
[18] Rogers, M. K., Goldman, J., Mislan, R., Wedge, T., and Debrota, S., "Computer Forensics Field Triage Process Model," Journal of Digital Forensics, Security and Law, vol. 1, no. 2, 2006.
[19] Stephenson, P., "Official (ISC)2 Guide to the CCFP CBK," Boca Raton, FL: Auerbach Publications, pp. 293-404, 2014.