A proactive malicious software identification approach for digital forensic examiners

Muhammad Ali, Stavros Shiaeles*, Nathan Clarke, Dimitrios Kontogeorgis

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

136 Downloads (Pure)


Digital investigators often get involved with cases, which seemingly point the responsibility to the person to which the computer belongs, but after a thorough examination malware is proven to be the cause, causing loss of precious time. Whilst Anti-Virus (AV) software can assist the investigator in identifying the presence of malware, with the increase in zero-day attacks and errors that exist in AV tools, this is something that cannot be relied upon. The aim of this paper is to investigate the behaviour of malware upon various Windows operating system versions in order to determine and correlate the relationship between malicious software and OS artifacts. This will enable an investigator to be more efficient in identifying the presence of new malware and provide a starting point for further investigation. The study analysed several versions of the Windows operating systems (Windows 7, 8.1 and 10) and monitored the interaction of 90 samples of malware (across three categories of the most prevalent (Trojan, Worm, and Bot) and 90 benign samples through the Windows Registry. Analysis of the interactions has provided a rich source of knowledge about how various forms of malware interact with key areas of the Registry. Using this knowledge, the study sought to develop an approach to predict the presence and type of malware present through an analysis of the Registry. To this end, different classifiers such as Neural Network, Random forest, Decision tree, Boosted tree and Logistic regression were tested. It was observed that Boosted tree was resulting in a correct classification of over 72% – providing the investigator with a simple approach to determining which type of malware might be present independent and faster than an Antivirus. The modelling of these findings and their integration in an application or forensic analysis within an existing tool would be useful for digital forensic investigators.

Original languageEnglish
Pages (from-to)139-155
Number of pages17
JournalJournal of Information Security and Applications
Early online date16 May 2019
Publication statusPublished - 1 Aug 2019


  • Agentless sandbox
  • Cuckoo
  • Digital forensics
  • Machine learning
  • Malware
  • Registry hives
  • Sandbox
  • Windows 7/8/10
  • Windows Registry


Dive into the research topics of 'A proactive malicious software identification approach for digital forensic examiners'. Together they form a unique fingerprint.

Cite this