Week 9 - Hostile Code Flashcards

1
Q

What is hostile code?

A

Any variety of malware or malicious code that might impact/inhibit the digital forensic investigation.

2
Q

What can hostile code include?

A

Malware

Certain Anti-Forensic measures

3
Q

What are two things an examiner must consider for hostile code?

A

They must:

  • Determine the possible impact from existing malware on the devices (extant evidence)
  • Avoid impairment of the investigative process through ‘live’ malware attacks
4
Q

What is ‘live’ malware?

A

Malware that may affect a system during the ‘live’/current forensic investigation.

5
Q

What must be considered about live malware?

A

It could be used to affect a system using a virtual machine

It could contaminate evidence, delete data or disable the analyst’s computer

6
Q

What precautions must be taken to avoid the impact of hostile code and live malware?

A

  • Always initially investigate device images in passive mode so as not to activate live malware. This can be done by treating the image as a target for physical search or by mounting it as a read-only file system.
  • Virus scan device images to detect the presence of malicious software.
  • Ensure that the suspected system is isolated until any network risk from malware has been contained or neutralised. This can be done using a VM.
  • Use local anti-malware facilities.
