Week 9 - Hostile Code

Question 1

What is hostile code?

Answer 1

Any variety of malware or malicious code that might impact/inhibit the digital forensic investigation.

Question 2

What can hostile code include?

Answer 2

Malware

Certain Anti-Forensic measures

Question 3

What are two things a examiner must consider for hostile code?

Answer 3

They must:

• Determine the possible impact from existing malware on the devices (extant evidence)
• Avoid impairment of the investigative process through ‘live’ malware attacks

Question 4

What is ‘live’ malware?

Answer 4

Malware that may affect a system during the ‘live’/current forensic investigation.

Question 5

What must be considered about live malware?

Answer 5

It could be used to affect a system using a virtual machine

It could contaminate evidence, delete data or disable the analyst’s computer

Question 6

What precuations must be taken to avoid the impact of hostile code and live malware?

Answer 6

Always initially investigate device images in passive mode as to not activate live malware/ This can be done as a target for physical search or as a mounted file system.
Virus scan device images to detect the presence of malicious software.
Ensure that suspected system as isolated until any network risk from malware has been contained or neutralised. This can be done using a VM.
Use local anti-malware facilities.