Tracking Malware using Internet Activity Data

Forensic Investigation into security incidents often includes the examination of huge lists of internet activity gathered from a suspect computer. In today’s age of increased internet usage, the internet activity log on any given system could produce a huge list of websites. This, couples with the fact that a huge percentage of malware is now distributed via the internet, often through compromised websites, means that valuable clues regarding the source and identity of malware infections are often hidden within the internet activity logs on a computer. While a multitude of tools exist to extract internet activity data from a host computer, most do not filter this activity data. As a result, an investigator could be faced with thousands of website URL’s to sift through for clues regarding malware infection. In this paper, we discuss some of the ways that computers are infected, and why internet activity data is an important resource that must be analyzed in a forensic investigation. We then present a tool that utilizes the Google Safe Browsing Lookup API, which is an extension of the broader Google Safe Browsing API, to do quick lookups on long lists of URL’s and significantly narrow the list to enable the investigator to conduct a more efficient investigation. KeywordsMalware Investigation, Internet Activity Data, Google