Forensics? Trace source of when, how, who infected Windows with malware to prevent repeat in future

[xbliss]

We help a small NGO in Asia having limited resources & budget with technical help now & then.

• Bootable Clone has been imaged and several virus/ malware scanners have been run.
• It is currently isolated & off the network.
• We will be doing a fresh installation in a few weeks and then put in tougher policies in place to prevent a repeat of the same.

We wish to trace the "source" of how malware was installed & when; in order to create technical/ people process & policies to prevent a repeat in the future.

Most likely, it was due to faux paux by not technically competent personnel, which is very common here. We wish to trace it to the Person & Activity via Time/ Date stamps - to prevent such activity in future; via system policies and/ or people procedures/ guidelines

We found they had gotten some people to work on their Window Server:

• Person 1: Did something with their Database/ SQL Server

  • CRM Application that uses SQL Server
  • SQL Log Files were flushed/ disabled and some clean up
  • Did a remote login and did some additional things; will get details today on phone call wit him

• Person 2: Came in, installed Malware Bytes, found and quarantined a bunch of malware

  • We can list out the malware for more feedback if that will add more specifics to question
  • Please let me know if you'd like me to detail out the malware names or as a screenshot

Example: - There were some non corrupt zip/ rar files left by Person 2 on the Desktop which we traced to them via looking at created & modified dates.

Thinking out Loud: Asking for approach and how we could check/ trace to time/ date stamps and the people

On the other hand, the quarantined files are sitting in quarantine and in the MB UI show the date of detection/ quarantine.

• Any way to check the Quarantine in a similar way?

What way can I figure out when these files were installed/ created and modified?

• Can I do this without Restoring these files?

  • Or maybe restore only few non executables?

• Any other ideas / ways / approaches on tracing this?

• What approach would a Data Forensics expert take for this?

[David H. Lipman]

You need to have a Data Forensics expert come in and physically take hold of said computer(s) and perform that examination.  That Data Forensics expert should already know what steps to take.  We can't enumerate them for you to them them.

 

You stated "Person 2: Came in, installed Malware Bytes, found and quarantined a bunch of malware" and also "Window Server...Person 1: Did something with their Database/ SQL Server".

This is the retail product support sub-forum and the retail MBAM is not designed for nor licensed to be used on a Server Platform.  Only "personal" computers and not ones for business.

 

You also stated... "Malware Bytes, found and quarantined a bunch of malware" and ask a bunch of questions but you do not state what was quarantined and and what they were detected as.

BTW: It is Malwarebytes. 

 

I'm not sure we can help you with what you want.