Differentiating Remote Access initiated Network Traffic from Locally Induced Packets [8C8-C9B]
As malware continue to grow at a rapid speed, they are becoming more prominent in the computer forensics field. From a forensic investigation perspective, it is important to identify malware, especially those with remote control capabilities, on a suspect machine. When evidences of cybercrimes are discovered on suspect machines, the presence of malware may indicate some other perpetrator other than the owner. Malware with remote access functionalities rely heavily on the network; the attacker needs to send commands over the network to control the target system. This paper aims to find patterns that can differentiate network activities initiated by attackers through installed malware from those executed by the actual owner of the machine.