A piece of malware is running on a Windows 7 machine via process injection, so it does not show up in a process list. What remote forensic technique could be used to discover the malware is running under the contents of a specific process?

Solution

Remote Forensic Technique:

Since malware is designed in such a way that it is not listed in the process list on a Windows machine, it is difficult to work against the malware because it is invisible in the process list.

However, we can use the "Process Monitor tool from Sysinternals" technique to catch and eliminate the malware/thread activities. It makes use of two legacy Sysinternals utilities, "Filemon" and "Regmon". It also includes rich and non-destructive filtering, session IDs, reliable process information, parallel logging to file, and more. This makes Process Monitor a more powerful troubleshooting and malware-hunting toolkit.

Features of Process Monitor:

a. Data capture of input and output parameters for each operation.

b. Setting a non-destructive filter, which filters without losing the data.

c. Identifying the thread stacks for each operation, which allows the root cause of the operation to be found in many cases.

d. A native log format that preserves all data for loading in different Process Monitor instances.
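As an added example that is not part of the original question or answer: once Process Monitor has captured activity, its trace can be saved as CSV and triaged offline for the process the injected code is suspected to live in. The rows below are constructed for illustration and assume Procmon's default CSV column layout.

```python
import csv
import io
from collections import Counter

# Constructed Process Monitor CSV export (File > Save... as CSV layout).
# These rows are made up for illustration, not captured from a real host.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","svchost.exe","1234","Thread Create","","SUCCESS","Thread ID: 4521"
"10:01:02.2","svchost.exe","1234","CreateFile","C:\\Users\\Public\\dropper.dll","SUCCESS","Desired Access: Generic Read"
"10:01:02.3","svchost.exe","1234","Load Image","C:\\Users\\Public\\dropper.dll","SUCCESS","Image Base: 0x10000000"
"10:01:03.0","explorer.exe","800","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Type: REG_SZ"
"10:01:03.5","svchost.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\Public\\dropper.dll"
"""

# Image loads from anywhere outside these trusted roots are worth a look.
TRUSTED_IMAGE_ROOTS = ("c:\\windows\\", "c:\\program files")


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def events_for_process(rows, process_name):
    """Keep only the rows generated by the given process (case-insensitive)."""
    return [r for r in rows if r["Process Name"].lower() == process_name.lower()]


def triage(rows, process_name):
    """Summarise what one process did and flag behaviours typical of injected code.

    Returns (operation_counts, flagged) where flagged is a list of (reason, path).
    """
    procs = events_for_process(rows, process_name)
    counts = Counter(r["Operation"] for r in procs)
    flagged = []
    for r in procs:
        path = r["Path"].lower()
        if r["Operation"] == "Load Image" and not path.startswith(TRUSTED_IMAGE_ROOTS):
            flagged.append(("image loaded from non-standard path", r["Path"]))
        elif r["Operation"] == "RegSetValue" and "\\currentversion\\run" in path:
            flagged.append(("Run-key persistence written", r["Path"]))
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = triage(parse_procmon_csv(SAMPLE_PROCMON_CSV), "svchost.exe")
    print(dict(counts))
    for reason, path in flagged:
        print(f"FLAG: {reason}: {path}")
```

In a real investigation the same filter is applied to the exported trace of the suspect process rather than the constructed rows above.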
