Approach to analyzing local tracks

•Before/After-analyse: in virtual machine: with sandbox

•Installation traces:

–Naked installation as basic

–Installation in change-disk

–Comparing images or debugging the installation logs

•Traces of using

–Typical usage of user, start, online registration

–Creating traces

–Analysing the differences between before

•Manuall analysing the image

–System area: installed programms, folders, registry

–User area: Userdata, %AppData%, files, Logfiles , …

–Free spaces, eg. Webmails

21

Limits: Portable Software

•Without installation

•Leaving less traces

No traces on System

Ideally portable software leaves no traces on the host system. Tracks can be part of any installation items (for example, in the registry, in the user profile, or something like that), or be user data that should not be left on a shared computer.

22

Limits: Portable Software

•Still traces

–If you excuting an portable application, there can be still traces on the system without userdata.

•Prefetch

•Or LNK

•Registry

•Event Log

•...

•E.G. Truecrypt: Installtion and mount point in registry, format in prefetch

23

Limits Malware

•Malware can detect virtualisation

•„blue pill“ (executing Malware on Hypervisor)

•Limited usage of Fingerprints

•Differnet behavior in virtual enviroment

24

Special software

•How to get results without knowing something

•Depends on what you are looking for:

•For chats

–Nirsoft

–IEF

–Belkasoft

25

Approaches

•Analyzing the Behavior of Installation and runtime

•Protected Environment

–Sandboxing

–Virtualization

26

Sandboxies

Windows Artefacts

27

What is a Sandbox

•A Sanbox (protected/ unsular Quarantine)

–Special Runtime enviroment for software

–Unsular of the rest of the system

–No action outside of the sandbox

•The behavior of the software can be recorded

•Implementing

–Filesystem and registry are redirected

–Completly simulating of computer

28

What is Sandboxies

•Sandboxie (http://www.sandboxie.com/) is one typical sandbox software that provides an isolated frame such that changes within the frame will not affect the rest of the outside (should).

29

Advances of Sandboxies

•Dataprotection

•Security

•Stability

•Easy to use

•portable

30