The process of identifying a malware attack involves building a timeline of files created, modified, and accessed on disk, correlating that with the connection time to the command and control server, analyzing new or modified files, and narrowing them down to possible malicious files.