Channel: Forensic Focus Forums - Recent Topics

General Discussion: Tell-tale signs of a RAT/Trojan has been initiated

Again, depends on the Trojan, and the examiner. Two years ago, I found a malicious DLL on a system that four commercial AV products didn't find. We could *assume* that it had run, but we didn't know for sure. We ran it on a test system to see what artifacts it left...nothing in the Registry, nothing in the file system...it collected its info and sent it out over the wire immediately. We found artifacts of this in the pagefile within the original image. Locard's Exchange Principle tells us that a program running on a system should leave artifacts...they may be transient, but they will be there. I've looked in hibernation files, crash dump logs, even parsed Event Log records from unallocated space to determine if malware had executed on a system. One thing I would suggest is creating a timeline, categorizing the various events (i.e., "Program Execution", etc.) and see what you find out.
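As an added illustration of the two techniques the post describes (building a categorized timeline from separate artifact parsers, and carving a known string out of a pagefile image), the following Python is example code, not from the original post or from Forensic Focus. The artifact records, the source names, the file names and the pagefile bytes are all constructed for the example, and the `CATEGORY_BY_SOURCE` mapping is an assumed simplification of the categories a real timeline tool would apply.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed mapping from artifact source to timeline category. Real tools use
# richer categories; "Program Execution" is the one the post singles out.
CATEGORY_BY_SOURCE = {
    "prefetch": "Program Execution",
    "evtx:4688": "Program Execution",   # Security log: new process created
    "userassist": "Program Execution",
    "evtx:7045": "Service Install",
    "mft": "File System",
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    category: str
    detail: str


# Constructed records as separate parsers might emit them: (source, UTC ISO time, detail).
RAW_RECORDS = [
    ("mft", "2019-03-04T10:02:11Z", r"created C:\Users\alice\AppData\Local\Temp\suspect.dll"),
    ("evtx:4688", "2019-03-04T10:02:15Z", r"new process rundll32.exe ...\Temp\suspect.dll,Start"),
    ("prefetch", "2019-03-04T10:02:16Z", "RUNDLL32.EXE-1A2B3C4D.pf last run"),
    ("evtx:7045", "2019-03-04T10:02:20Z", "service installed: UpdateHelper"),
    ("mft", "2019-03-04T09:58:40Z", r"created C:\Users\alice\Downloads\invoice.zip"),
    ("userassist", "2019-03-04T09:59:05Z", r"run count 1: C:\Users\alice\Downloads\invoice.exe"),
]


def categorize(source: str) -> str:
    """Map an artifact source to a timeline category; unknown sources become 'Other'."""
    return CATEGORY_BY_SOURCE.get(source, "Other")


def build_timeline(records) -> list[Event]:
    """Normalize timestamps to UTC, tag each record with a category and sort by time."""
    events = []
    for source, ts, detail in records:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, source, categorize(source), detail))
    return sorted(events, key=lambda e: e.ts)


def filter_category(timeline, category: str) -> list[Event]:
    """Pull out one category, e.g. every 'Program Execution' artifact, in time order."""
    return [e for e in timeline if e.category == category]


def format_timeline(timeline) -> list[str]:
    """One aligned line per event, suitable for eyeballing or diffing."""
    return [
        f"{e.ts.strftime('%Y-%m-%dT%H:%M:%SZ')}  {e.category:<18} {e.source:<11} {e.detail}"
        for e in timeline
    ]


def scan_pagefile(blob: bytes, needles) -> list[tuple[int, str, str]]:
    """Find each needle in a raw memory/pagefile image as ASCII and as UTF-16LE.

    Windows keeps many strings (paths, registry values) as UTF-16LE, so searching
    only the ASCII form misses them. Returns (offset, encoding, needle) sorted by offset.
    """
    hits = []
    for needle in needles:
        for enc_name, encoded in (("ascii", needle.encode("ascii")),
                                  ("utf-16le", needle.encode("utf-16le"))):
            start = 0
            while (pos := blob.find(encoded, start)) != -1:
                hits.append((pos, enc_name, needle))
                start = pos + 1
    return sorted(hits)


# Constructed pagefile fragment: an outbound HTTP request in ASCII, then the DLL
# name as a UTF-16LE string, padded with zero bytes as real pagefile slack would be.
PAGEFILE = (
    b"\x00" * 16
    + b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
    + b"\x00" * 8
    + "suspect.dll".encode("utf-16le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    tl = build_timeline(RAW_RECORDS)
    print("\n".join(format_timeline(tl)))
    print("\nProgram Execution events:", len(filter_category(tl, "Program Execution")))
    for off, enc, s in scan_pagefile(PAGEFILE, ["POST /upload", "example.invalid", "suspect.dll"]):
        print(f"pagefile offset {off:#x} ({enc}): {s}")
```

Sorting the merged records is what turns six unrelated artifacts into a story (archive written, executable run, DLL dropped, rundll32 launched, service installed); filtering on "Program Execution" is the quick check for whether anything ran at all, and the pagefile scan is the fallback for the case the post describes, where the only trace of execution is a string that was once in memory.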
