Week 9 - Hostile Code Flashcards
What is hostile code?
Any variety of malware or malicious code that might impact or inhibit the digital forensic investigation.
What can hostile code include?
Malware
Certain Anti-Forensic measures
What are two things an examiner must consider for hostile code?
They must:
- Determine the possible impact from existing malware on the devices (extant evidence)
- Avoid impairment of the investigative process through ‘live’ malware attacks
What is ‘live’ malware?
Malware that may affect a system during the ‘live’/current forensic investigation.
What must be considered about live malware?
It could affect a system even when that system is being examined using a virtual machine
It could contaminate evidence, delete data or disable the analyst’s computer
What precautions must be taken to avoid the impact of hostile code and live malware?
Always investigate device images in passive mode initially, so as not to activate live malware. This can be done by treating the image as a target for physical search or as a mounted file system.
Virus scan device images to detect the presence of malicious software.
Ensure that the suspected system is isolated until any network risk from malware has been contained or neutralised. This can be done using a VM.
Use local anti-malware facilities.