
Forensic Analysis of Malware: Identification of Indicators of Compromise and Automation of the Investigative Process in Windows and Linux Environments

Cosimo Vergari


Supervisor: Andrea Atzeni. Politecnico di Torino, Master's degree programme in Cybersecurity, 2025

PDF (Tesi_di_laurea) - Thesis, 3MB
Licence: Creative Commons Attribution Non-commercial No Derivatives.

Archive (ZIP) (Documenti_allegati) - Other, 65kB
Licence: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

Digital forensic analysis is fundamental for understanding malware attacks and reconstructing the actions attackers took to compromise information systems. Modern malware frequently employs sophisticated persistence and evasion techniques that nevertheless leave behind evidence, known as Indicators of Compromise (IoCs), across several artifact sources, including the disk, memory, and the network environment. Identifying such IoCs is of prime importance for post-mortem analysis, as it enables analysts to infer the attacker's actions and their impact on the system. Nonetheless, the volume and intricacy of forensic data present significant problems, rendering the process laborious and prone to oversights. This thesis examines the identification of IoCs in Windows and Linux environments and explores the combination of automation and AI to assist forensic workflows. The study focuses on three main areas: file system and disk artifacts, memory dumps, and network traffic. A proof-of-concept framework was developed to automate the extraction, analysis, and reporting of forensic evidence. Disk and file system artifacts are examined with Plaso and the Digital Forensics Virtual File System (dfVFS) Python library; memory dumps are analyzed through Volatility3 plugins; and network captures are analyzed by automatically extracting the contacted IPs and domains and checking them against the VirusTotal Threat Intelligence APIs. The framework generates a compiled, systematic report that combines all the identified IoCs and highlights unusual behavior for further analysis by forensic investigators. The generated report also suggests next steps to the forensic team and attempts to provide a verdict on the state of the machine (compromised or not). The framework was evaluated with real malware samples inside managed virtual machine environments. Findings show significant time savings through automation, as a number of forensic processes that were previously done by hand become a single workflow.
In addition, the thesis compares the performance and practicality of local AI models against leading cloud AI solutions (e.g., Gemini 2.5 Pro) through the application of prompt engineering and optimisation techniques such as chunking, and it evaluates the trade-off between efficiency and privacy. Large language models are employed to interpret the extracted evidence, identify potential attack patterns, and generate report narratives, providing analysts with intelligible information together with ongoing expert guidance. The methodological contributions of this work are threefold: (i) a systematic evaluation of the relevant IoCs within the disk, memory, and network spaces for Windows and Linux; (ii) an experimental proof-of-concept framework demonstrating the automated acquisition, examination, and reporting of forensic evidence; and (iii) an analysis of AI-assisted forensic workflows, highlighting their advantages, limitations, and privacy concerns. This work shows that combining IoC-focused analysis with AI-supported automation can enhance the efficiency, consistency, and usability of digital forensic investigations, setting the stage for more scalable post-mortem analysis of malware.

Supervisors: Andrea Atzeni
Academic year: 2025/26
Publication type: Electronic
Number of pages: 84
Degree programme: Master's degree programme in Cybersecurity
Degree class: New system > Master's degree > LM-32 - Computer Engineering
Partner companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/37931