Homework Help - Problems of Malicious Software in CF

 ccfc
(@ccfc)
Eminent Member
Joined: 19 years ago
Posts: 25
Topic starter  

I have a task that involves writing about the problems of malicious software in computer forensics. The only problem I can think of is that incriminating material could get on someone's PC because of a virus. Another problem I have come up with is that when a computer is turned on, malicious code can wipe evidence. Is this strictly true? Various books I have read barely mention the problems of malicious code to forensic investigators and I just wanted to know what problems are encountered in 'real life'.
Thanks


   
Quote
imk54831
(@imk54831)
Active Member
Joined: 19 years ago
Posts: 17
 

From a criminal prosecution perspective the biggest problem you face is establishing the impact of any malware on an exhibit. A common defence is to cite such software as a possible cause of any illegal activity on a computer.

I would suggest you look at ways of showing how you could establish the impact (if any) of such malware if you were faced with a computer containing it.


   
ReplyQuote
(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
 

Another possibility is that if a rootkit is installed it would affect the quantity and quality of evidence collected from memory during incident response.


   
ReplyQuote
(@ivalen)
Eminent Member
Joined: 18 years ago
Posts: 30
 

Intrusion investigations (related to your question about malware) involve three stages in the cases I've done.

1. Identification of the malware
2. Analysis of the malware and 'what it does' when dropped
3. Evidence of data exfiltration and classification of the data at risk.

1. could be done using AV software against the drive
2. submission of the malware to an online sandbox for testing
3. collection of company data on the asset and review by subject matter experts for impact against the company if lost.

Malware doesn't really cause problems for analysis per se - the evidence is read-only, not being executed, etc. There is this whole thing about anti-forensics, tampering with the evidence, but so far time-stomping is the only thing I've seen.


   
ReplyQuote
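As an added illustration of the time-stomping point made above (example code written for this page, not from any poster), here is a heuristic check over constructed NTFS MFT timestamp records: it flags files whose user-settable $STANDARD_INFORMATION times are inconsistent with the kernel-maintained $FILE_NAME times. The record layout and sample paths are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class MftRecord:
    """Timestamps from one NTFS MFT entry (constructed layout for this example)."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION: settable from user mode
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME: maintained by the kernel, seldom altered
    fn_modified: datetime


def time_stomp_indicators(rec: MftRecord) -> list[str]:
    """Return heuristic indicators that the $SI timestamps were altered."""
    hits = []
    # A file cannot have been created before the kernel recorded its creation.
    if rec.si_created < rec.fn_created:
        hits.append("$SI created predates $FN created")
    # Nor can it have been modified before it existed.
    if rec.si_modified < rec.fn_created:
        hits.append("$SI modified predates $FN created")
    # Tools that set times with whole-second granularity leave the fractional
    # part zeroed; genuine NTFS timestamps rarely are (weak indicator: copies
    # from FAT volumes or some installers can look the same, so corroborate).
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        hits.append("$SI timestamps have zero sub-second component")
    return hits


def scan(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map each suspicious path to its indicators; clean records are omitted."""
    return {r.path: h for r in records if (h := time_stomp_indicators(r))}


def _ts(y, m, d, hh, mm, ss, us=0):
    return datetime(y, m, d, hh, mm, ss, us, tzinfo=timezone.utc)


# Constructed sample: one ordinary document and one file whose $SI times were
# pushed back five years with second-granularity values.
SAMPLE = [
    MftRecord(r"C:\Users\alice\report.docx",
              _ts(2010, 3, 4, 9, 15, 22, 487211), _ts(2010, 3, 5, 16, 2, 9, 118540),
              _ts(2010, 3, 4, 9, 15, 22, 487211), _ts(2010, 3, 4, 9, 15, 22, 487211)),
    MftRecord(r"C:\Windows\Temp\sample.dll",
              _ts(2005, 1, 1, 0, 0, 0), _ts(2005, 1, 1, 0, 0, 0),
              _ts(2010, 3, 6, 2, 41, 13, 902377), _ts(2010, 3, 6, 2, 41, 13, 902377)),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE).items():
        print(path, "->", "; ".join(hits))
```

Python's datetime carries microseconds, so the sub-second check is coarser than the 100 ns resolution NTFS actually stores; a real parser would compare the raw FILETIME values.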
Share: