Malware Post-Mortem

To quote MF from page 193:

Given the number of vulnerabilities that exist in Microsoft applications, it is incumbent upon digital investigators to be aware that malicisiou code is not only found in executable files, but may be embedded in Microsoft Word or Excel files, or may be deliver through Web-based attacks involving ActiveX controls.

I have a friend right now who has a system chock-ful of Excel spreadsheets, some of which may well be infected, but it's less likely since his virus scanner is reporting them clean. (Virus scanners are at their strongest on such static file analysis.)

There has been a resurgence of Torpig/Mebroot around the net (in fact, it's the subject of today's campus IT security meeting), and it's entirely possible that he is a victim of this or another rootkit since none of his ordinary malware protection suites are detecting the problem...

So, how do we (cost effectively?) resolve my friend's problem?

Timestamping

One suggestion of MF on page 195 is looking at timestamps to see if we can notice any anomalies. Those anomalies might lead us to a file or files that have been surreptitiously modified.
MF also shows usage of The Sleuth Kit, a derivative of TCT. We will take a close look at how this package is put together. The help files are here for Autopsy.

Relational

Remember, host files such as \system32\drivers\etc\lmhosts can give you some clues about how this system might have been (mis)used.
Beyond that, look at how a system might have been compromised. The most common ways are (1) trojans (particularly those delivered by email), (2) malicious PDFs, and (3) malicious webpages.

Looking at email

Unfortunately, Microsoft doesn't make it easy to parse their email files. (Nor anything else: look at this SANS paper on trying to figure out how one of their newer filesystems is actually put together: Reverse Engineering the Microsoft exFAT File System.)
Outlook Express and Windows Mail use DBX files for storing mail.
Outlook uses the even more recalcitrant PST format (which includes enough weak encryption to be annoying but not useful.)

Where do failures tend to occur?

MF lists these places to look on page 201:

Insecure configuration
Email attachments
Web browsing
Peer-to-peer file sharing
NetBios/SMB

In the last six months or so, Adobe's Flash and PDF products have become the source of many observed security lapses, and Adobe has been slow to patch these products.

How to spot problems

Malware generally needs to communicate, and that need to communicate is a weak point that can often be observed — although some of the anti-forensics that are popping are showing that covert communication channels can be quite subtle.

The recent Aurora attacks, for instance, have been analyzed and found to use covert channels. McAfee published An Insight into the Aurora Communication Protocol in January of 2010 looking at the communication protocol used by Aurora. This revealed just sophisticated the command and control behind this attack was, and, in particular, the ability of the attacker to control the infected system at quite a fine level.

So look in network logs

These often are going to be in other machines; check DNS servers, routers, and even intelligent switches.
Don't forget programs such as Nmap, that might show that a machine is listening for connections on unexpected ports.
Webservers and email servers often have quite a bit of network logging information.
Also, check SAM. It's less likely these days that you might find anything since most attacks are not against conventional authentication mechanisms (with the possible and notable exception of hash table attacks; see Pass the Hash Attacks Tools and Mitigation.