When a malware outbreak happens in an organization, one of the main questions to investigate is how the malware got in. Answering this question matters because it identifies the exploited technical and/or human vulnerabilities so that they can be closed. This paper proposes a method for malware intrusion path reconstruction in a network of computers running Microsoft Windows. The method is based on the analysis of Windows Restore Points collected from the compromised computers. The idea is that malware infection traces found in the restore points of different computers can be correlated in time to identify the progress of the malware through the network and to identify the likely initial point of infection.
A simulated case study is given that demonstrates the viability of the proposed attack path reconstruction technique.
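The time correlation described in the abstract, as an added example that is not part of the paper: each host's restore points are reduced to an infection window (last clean snapshot, first snapshot carrying the trace), hosts are ordered by first observed trace, and adjacent hosts are flagged as provably ordered only when the later host has a clean snapshot taken after the earlier host already showed the trace. Hostnames, timestamps and trace flags are constructed sample data; the snapshot inspection that decides `has_trace` is assumed to have been done elsewhere.

```python
# Added illustration (not from the paper). Hostnames, timestamps and the
# "trace present" flags below are constructed sample observations.
from datetime import datetime
from typing import NamedTuple, Optional

class RestorePoint(NamedTuple):
    host: str
    created: datetime   # creation time of the restore point
    has_trace: bool     # malware artifact found inside this snapshot

class Window(NamedTuple):
    host: str
    last_clean: Optional[datetime]  # None: no clean snapshot before infection
    first_infected: datetime
    certain: bool       # True if provably infected after the previous host in the path

def rp(host, when, has_trace):
    return RestorePoint(host, datetime.fromisoformat(when), has_trace)

SAMPLE = [  # constructed observations, one entry per restore point
    rp("WS01", "2023-03-01T09:00", False), rp("WS01", "2023-03-02T09:00", True),
    rp("WS02", "2023-03-02T21:00", False), rp("WS02", "2023-03-03T09:00", True),
    rp("FS01", "2023-03-02T20:00", True),   # no clean snapshot survives for FS01
]

def infection_windows(points):
    """Per host: (time of last clean snapshot, time of first snapshot with the trace)."""
    by_host = {}
    for p in sorted(points, key=lambda p: p.created):
        by_host.setdefault(p.host, []).append(p)
    windows = {}
    for host, snaps in by_host.items():
        last_clean = None
        for s in snaps:
            if s.has_trace:
                windows[host] = (last_clean, s.created)
                break
            last_clean = s.created
    return windows

def reconstruct_path(points):
    """Order hosts by first observed trace; the first is the likely origin.
    Adjacent hosts are only provably ordered when the later one was still
    clean at a time when the earlier one already carried the trace."""
    wins = sorted(infection_windows(points).items(), key=lambda kv: kv[1][1])
    path, prev_first = [], None
    for host, (last_clean, first_inf) in wins:
        certain = prev_first is not None and last_clean is not None and last_clean >= prev_first
        path.append(Window(host, last_clean, first_inf, certain))
        prev_first = first_inf
    return path
```

A `False` on the second host of the path means the origin itself is ambiguous: that host's window overlaps the first host's, so the snapshots alone cannot say which was infected first.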