Is it possible to identify a financial fraud on a Windows machine? How?
Laycee last edited by
How do forensics identify a banking/financial fraud in a Windows system? Malware usually uses real-time TCP sockets to complete their deeds, infecting and compromising the PC it runs on (not the financial system itself), which if not configured otherwise, these connections are not logged anywhere. (As far as I know, you'd have to have some kind of network sniffing software running, like Wireshark).
So, how can forensics determine if a transaction was indeed fraudulent? Usually, malware signatures at the time of their spread and actions are not detected by anti-virus applications, rendering them pretty much useless at the time of the fraud to either detect, prevent or log the illegal actions performed on such computers.
The term you are looking for is "Indicator of Compromise" (IoC). IoCs may not be malicious in and of themselves, so security protections might not flag them. But if the person knows that a fraudulent transaction took place, then an investigator knows to look closer at those IoCs and start putting the pieces of the puzzle together.
Typically, an investigator is looking for code that does not belong, and there are lots of logs and records on a Windows machine that are not all about anti-virus, or even the OS.