
Trojan Defence: A forensic view

A Trojan resembles a virus, but it does not replicate itself. A Trojan is hidden inside a free game or another program on the computer, where it does damage or allows someone in a different location to take control. It can be used to steal private information, to introduce errors into the system for later use, or simply to destroy software and data. A Trojan is also described as a delivery mechanism that carries a payload (spyware, adware, a backdoor, a batch file). A backdoor is a function that bypasses normal authentication to obtain access to a computer. How are Trojans made? Trojans are created with Trojan-making kits known as wrappers. Wrappers wrap the functionality of a malicious program into another carrier program. An attacker can easily attack software because the kit creates the Trojan for them and the steps are very simple to follow.

Nowadays files are commonly stored in compressed structures, such as WinZip archives or Unix compressed files. A Trojan can be held inside such a file and detected by antivirus (AV) software. To protect software from Trojans, people make AV killers. Unfortunately, technology always changes and hackers learn how to attack AV killers. There are two kinds of Trojan, detectable and undetectable. A Trojan is also divided into three components: server, client and creation tool (kit). The server is the backdoor itself, including any additional modules; the client is used to control it from a different location; and the creation tool is used to configure the behaviour of the backdoor.

A Trojan package can camouflage itself as an AV killer to disable the AV engine on the user's computer. By doing that, the attacker can access the user's computer remotely. A Trojan package can also be deployed as a firewall killer to disable personal firewall software on the user's computer.
There are many methods for dealing with this computer crime. The rationale is that volatile information, such as network connections and data stored in memory, is lost when the machine is powered off, whereas the evidence on the hard disk should remain intact. Considering a potential Trojan defence, volatile information should be gathered so that it can be used to help the investigator investigate offline. We can collect information from the suspect system, but we have to make sure that this is legal and technically sound. We can use the investigator's machine to capture traffic from the suspected machine. There are devices that are able to extract the traffic and also analyse the machine. We can also obtain information from the investigation legally.
After we have secured the evidence, we gather information from the system using the Windows Forensic Toolchest (WFT). This tool helps to automate the response and to collect security information. It also helps to record the current time, listings, network information and registry information. WFT can do all of these things because it uses a configuration file, to which we can add additional information and alternative techniques.
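The following PowerShell script is an added example, not WFT's own code or configuration, and not part of the original text. It shows the idea behind both paragraphs above: collect the most volatile information first (time, network connections, processes) before the less volatile items (services, registry Run keys, scheduled tasks), drive the collection from an editable list of steps in the spirit of WFT's configuration file, and hash every artifact as it is written so later tampering can be detected. It assumes it is run from an administrator PowerShell on a live Windows host, and that the output folder (the placeholder `E:\collection\...`) is on investigator-controlled removable media so that nothing is written to the suspect's disk.

```powershell
# Added example (not WFT's own code): a config-driven volatile-data collector.
# Assumptions: run as administrator on a live Windows host; $OutDir points at
# investigator-controlled media (E:\ is a placeholder), not the suspect disk.
param(
    [string]$OutDir = "E:\collection\$($env:COMPUTERNAME)_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
)

$ErrorActionPreference = 'Continue'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The "configuration file": an ordered list of collection steps, most volatile
# first (order of volatility). Add, remove or reorder entries to change what is
# gathered; each entry is just a name and the command that produces it.
$Steps = @(
    @{ Name = 'system_time';       Cmd = { Get-Date -Format 'o'; (Get-TimeZone).Id } },
    @{ Name = 'network_tcp';       Cmd = { Get-NetTCPConnection |
        Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess } },
    @{ Name = 'network_udp';       Cmd = { Get-NetUDPEndpoint |
        Select-Object LocalAddress,LocalPort,OwningProcess } },
    @{ Name = 'arp_cache';         Cmd = { Get-NetNeighbor |
        Select-Object ifIndex,IPAddress,LinkLayerAddress,State } },
    @{ Name = 'processes';         Cmd = { Get-CimInstance Win32_Process |
        Select-Object ProcessId,ParentProcessId,Name,ExecutablePath,CommandLine,CreationDate } },
    @{ Name = 'services';          Cmd = { Get-CimInstance Win32_Service |
        Select-Object Name,State,StartMode,PathName } },
    @{ Name = 'logged_on_users';   Cmd = { query user 2>$null } },
    @{ Name = 'registry_run_keys'; Cmd = {
        # Common autostart locations a backdoor server uses to survive reboot.
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        foreach ($k in $keys) {
            if (Test-Path $k) { "[$k]"; Get-ItemProperty -Path $k | Format-List }
        }
    } },
    @{ Name = 'scheduled_tasks';   Cmd = { Get-ScheduledTask |
        Where-Object State -ne 'Disabled' | Select-Object TaskName,TaskPath,State } }
)

# Chain-of-custody style log: who collected, when, and the hash of each artifact.
$log = Join-Path $OutDir 'collection_log.txt'
"Collection started $(Get-Date -Format 'o') on $env:COMPUTERNAME by $env:USERNAME" | Out-File $log

foreach ($step in $Steps) {
    $file  = Join-Path $OutDir "$($step.Name).txt"
    $start = Get-Date
    try {
        & $step.Cmd 2>&1 | Out-String -Width 4096 | Out-File -FilePath $file -Encoding utf8
        $status = 'ok'
    } catch {
        # Record the failure in place of the artifact rather than silently skipping it.
        $_ | Out-File -FilePath $file -Encoding utf8
        $status = "error: $($_.Exception.Message)"
    }
    # Hash immediately after writing so any later change to the file is detectable.
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    "$($start.ToString('o'))  $($step.Name)  $status  SHA256=$hash" | Out-File $log -Append
}

"Collection finished $(Get-Date -Format 'o')" | Out-File $log -Append
Get-Content $log
```

Every command in the list runs on the suspect host, so the output itself must be treated as untrusted: a Trojan that disables AV or the firewall could equally hide processes or connections from the operating system's own APIs. That is why the text above also recommends capturing traffic from the investigator's machine, which the suspect host cannot influence, and comparing it against the network listings gathered here.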
