Lately in Japan the malware Citadel has been implicated in multiple internet banking unauthorised transaction incidents. Citadel is a type of malware much like the Zeus known as banking trojans. When the malware successfully infects the users environment it utilises special functions called Web Injects to alter the website displayed in the end users computer to steal login credentials for internet banking sites. To handle Citadel infection incidents, it is necessary to clarify whatsettings and what servers the Citadel malware uses and communicates totherefore its essential to have an in-depth knowledge of Citadel and to conduct research on the files left by Citadel. In this presentation I will present my findings on doing detailed analysis on Citadel and introduce data transmission reconstruction and file reconstruction tools which have been created to handle Citadel incidents. You Nakatsuru You 'Tsuru' Nakatsuru, CISSP is a "just married" Information Security Analyst of Analysis Center at JPCERT/CC (Japan Computer Emergency Response Team Coordination Center) since April 2013. His primary responsibilities are to analyze malware abused in highly sophisticated cyber attacks, along with R&D on advanced counter malware technologies and cutting-edge incident handling methods. He also takes an active role in capacity building for junior malware analysts.