**********************QUESTION # 1******************************
RAT — Remote Access Trojan
Give an example of an incident where it was discovered that a RAT was found in a corporate network.
Corporate networks are more vulnerable to RATs because of the classified files these corporations store, some of which competitors could use to devise winning strategies. In our local branch, the company realized that there were times when a stranger accessed the company's networks and servers remotely. One of the main reasons a RAT was suspected was that there were sensitive passwords that not many people could easily find, but in the end it was realized that the keystrokes of the general manager were being logged by a limited-function Trojan that could easily be identified and that may have been remotely downloaded (UMUC, 2011). During the forensic investigation, it was realized that the malware had also downloaded chat information from the chat servers, along with unauthorized FTP malware. Finally, the system administrator also noticed constant complaints of slow computers, which meant that computing resources were being shared with unauthorized users while the authorized users thought they were using legitimate software (Agrawal et al., 2007, pp. 296-310).

Identify one method a forensic investigator may use to identify a potential RAT program?

Virtualization may be a newer technique used by forensic investigators to identify a potential RAT program. The virtualization process involves using a virtual computer or a partitioned hard disk to examine the behavior of the malware and determine which files it could corrupt on a real system. For example, because the RAT was used to successfully exploit vulnerabilities and deficiencies of the Windows OS, Windows can be virtualized to help identify the changes that the RAT makes to the computer's registry.
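One concrete way to apply the registry-comparison idea above, written as an added example rather than code from the original post: export the registry of an isolated analysis VM before and after the sample runs (the built-in `reg export` tool produces the text format parsed here), then diff the two exports and call out changes under the well-known auto-start locations. Both exports below are constructed for the example, and `svchost32.exe` is a made-up file name, not an indicator from any real case.

```python
"""Diff two `reg export` snapshots taken in an isolated analysis VM (before and
after detonating a sample) and flag changes under common auto-start keys.
Added example; the snapshots below are constructed, not from a real incident."""

from __future__ import annotations

from dataclasses import dataclass

# Constructed baseline export, in the text format `reg export` writes.
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"""

# Constructed post-detonation export: a new Run entry, a modified Userinit,
# and the firewall switched off. "svchost32.exe" is an invented name.
AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"svchost32"="C:\\Users\\Public\\svchost32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\svchost32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"""

# Well-known auto-start locations; a change under any of these is a
# persistence candidate that deserves a closer look.
PERSISTENCE_PREFIXES = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)


@dataclass(frozen=True)
class Change:
    kind: str  # "added", "removed" or "modified"
    key: str
    name: str
    old: object
    new: object


def unescape_reg_string(data: str) -> str:
    # Undo .reg escaping: a doubled backslash is one backslash, \" is a quote.
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data):
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Parse a `reg export` file into {key_path: {value_name: data}}."""
    snapshot: dict[str, dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            snapshot.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            value: object = unescape_reg_string(data[1:-1])
        elif data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        else:
            value = data  # hex(...) / binary values are kept as raw text
        snapshot[current][name] = value
    return snapshot


def diff_registry(before: dict, after: dict) -> list[Change]:
    """Return every added, removed or modified value between two snapshots."""
    changes: list[Change] = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if name not in b:
                changes.append(Change("added", key, name, None, a[name]))
            elif name not in a:
                changes.append(Change("removed", key, name, b[name], None))
            elif a[name] != b[name]:
                changes.append(Change("modified", key, name, b[name], a[name]))
    return changes


def is_persistence(key: str) -> bool:
    k = key.lower()
    return any(k.startswith(p.lower()) for p in PERSISTENCE_PREFIXES)


def analyze(before_text: str = BEFORE_REG, after_text: str = AFTER_REG) -> dict:
    """Diff the two exports and split the result into persistence vs. other changes."""
    changes = diff_registry(parse_reg_export(before_text), parse_reg_export(after_text))
    persistence = [c for c in changes if c.kind != "removed" and is_persistence(c.key)]
    other = [c for c in changes if c not in persistence]
    return {"all": changes, "persistence": persistence, "other": other}


if __name__ == "__main__":
    report = analyze()
    for label in ("persistence", "other"):
        for c in report[label]:
            print(f"[{label.upper():11}] {c.kind:8} {c.key}\\{c.name}: {c.old!r} -> {c.new!r}")
```

The "other" bucket still matters: in the constructed data it holds the firewall being disabled, which is not persistence but is exactly the kind of defence tampering an investigator wants to see alongside the new Run entry. The snapshots only reveal what the sample changed while it ran, so take the "after" export once the sample has had time to finish its installation steps.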

*****************************QUESTION # 2***********************
Malware analysis lab: what are two items to consider when creating a malware analysis environment?

The first item to consider is creating a separate network, or segmenting the existing network, to prevent the malware from affecting the entire network.

The other item to consider is whether the malware can make a wireless connection; if so, the administrator needs to prevent wireless access (UMUC, 2011).

Could malware detect and react differently if a potential malware analysis tool/environment is detected?

Malware is intelligent, and advanced malware can easily detect the environment in which it is running and even conceal itself from automated threat analysis tools and systems. Malware can easily hide from any malware analysis tools it detects. It executes a DecryptCode subroutine, then a Modify Registry routine, and finally a Network_main subroutine (Li & Lach, 2008, pp. 8-14). For example, malware such as a packer program can easily blend in with other sample files and antivirus applications, fooling automated threat analysis systems by stopping the registry entries, especially those of a virtual environment, as well as stopping the drivers of peripheral devices.


Li, J., & Lach, J. (2008). At-speed delay characterization for IC authentication and Trojan horse detection. Proc. IEEE Int'l Workshop on Hardware-Oriented Security and Trust (HOST 08), IEEE CS Press, pp. 8-14.

Agrawal, D., et al. (2007). Trojan detection using IC fingerprinting. Proc. IEEE Symp. on Security and Privacy (SP 07), IEEE CS Press, pp. 296-310.

UMUC (2011). CSEC 650 Module 4: Cybercrime Investigation and Digital Forensics. CSEC650, Acquisition and Analysis. Retrieved March 5, 2014, from UMUC Cybercrime Investigation and Digital Forensics:

