Evaluating Malware Forensics Tools

We present an example implementation of the previously published Malware Analysis Tool Evaluation Framework (MATEF) to explore if a systematic basis for trusted practice can be established for evaluating malware artefact detection tools used within a forensic investigation. The application of the framework is demonstrated through a case study which presents the design of two example experiments that consider the hypotheses: (1) Is there an optimal length of time in which to execution malware for analysis and (2) Is there any observable difference between tools when observing malware behaviour? The experiments used a sample of 4,800 files known to produce network artefacts. These were selected at random from a library of over 350,000 malware binaries. The tools Process Monitor and TCPVCon, popular in the digital forensic community, are chosen as the subjects for investigating these two questions. The results indicate that it is possible to use the MATEF to identify an optimal execution time for a software tool used to monitor activity generated by malware.