Malware analysis can provide vital information to a forensic investigation, and malware is an important consideration for examiners working on traditional computer forensic cases. Malware can add complexity to a case, but in some instances it can actually help investigators.
For some time it has been common for defense teams to cite malware in an attempt to create reasonable doubt. For example, in child pornography cases defense teams frequently claim that it was not their client but malware that was somehow responsible for the presence of illegal content on a computer.
Like any other piece of data, malware can be used as a clue within a forensic examination. Unbeknownst to the user, malware such as a keylogger or an information-stealing trojan can capture data on a device that the user believed they had destroyed, or data that is inherently ephemeral, such as typed text or the contents of a session. The extra copy or copies of data captured by the malware can give examiners insight that would not have been available had the user succeeded in destroying the data. Malware can also be useful in showing user intent.
Malware tends to be associated with risky user behavior such as browsing pornography sites, and in certain instances it can reflect that behavior back to the examiner. For example, suppose a device holds multiple pieces of detected malware, all related to video codecs and media players, which the user repeatedly tried to download in close succession after downloading a child exploitation video. If the user tried to play the video, it did not work, and the user then tried a second and third time without success, those actions demonstrate a pattern of behavior and tend to indicate that the user really wanted to view the material in question. In some instances, therefore, malware can serve as an unexpected source of evidence of user intent. Obviously, the facts of each case matter, and a full analysis of the timeline and of the nature of the malware is essential. In particular, the examiner must be able to show that the codec and player downloads were initiated by the user (for example, through browser history and download records) rather than fetched by the malware itself, because a downloader trojan that drops further payloads leaves a superficially similar set of artifacts, and that is exactly the explanation the defense will offer.
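The timeline correlation just described, as an added example that is not part of the original text. It works over a constructed in-memory timeline (hypothetical events and paths standing in for a parsed filesystem, browser and antivirus timeline export) and, for a given media download, separates codec/player download attempts that the browser records show the user initiated from antivirus detections that have no matching user download and so may have been dropped by the malware itself:

```python
"""Correlate codec/player malware activity with a media download on a timeline.

Added example, not from the original text. Event records, paths and
detection names below are constructed sample data, not real case data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str      # "browser", "av" or "filesystem" (origin of the artifact)
    action: str      # "download" or "detect"
    path: str
    label: str = ""  # antivirus detection name, if any


# Constructed sample timeline: a video download followed by three codec/player
# download attempts that each trigger an AV detection, plus one detection in
# Temp with no corresponding browser download (a payload dropped by malware).
TIMELINE = [
    Event(datetime(2014, 3, 2, 21, 14, 5), "browser", "download", r"C:\Users\jdoe\Downloads\clip_042.avi"),
    Event(datetime(2014, 3, 2, 21, 15, 41), "browser", "download", r"C:\Users\jdoe\Downloads\codec_pack_setup.exe"),
    Event(datetime(2014, 3, 2, 21, 15, 59), "av", "detect", r"C:\Users\jdoe\Downloads\codec_pack_setup.exe", "Trojan.FakeCodec"),
    Event(datetime(2014, 3, 2, 21, 19, 12), "browser", "download", r"C:\Users\jdoe\Downloads\media_player_pro.exe"),
    Event(datetime(2014, 3, 2, 21, 19, 30), "av", "detect", r"C:\Users\jdoe\Downloads\media_player_pro.exe", "Adware.BundledPlayer"),
    Event(datetime(2014, 3, 2, 21, 20, 5), "av", "detect", r"C:\Users\jdoe\AppData\Local\Temp\bundle_dropper.exe", "Trojan.Dropper"),
    Event(datetime(2014, 3, 2, 21, 23, 48), "browser", "download", r"C:\Users\jdoe\Downloads\divx_codec.exe"),
    Event(datetime(2014, 3, 2, 21, 24, 2), "av", "detect", r"C:\Users\jdoe\Downloads\divx_codec.exe", "Trojan.FakeCodec"),
    Event(datetime(2014, 3, 3, 9, 2, 0), "browser", "download", r"C:\Users\jdoe\Downloads\tax_form.pdf"),
    Event(datetime(2014, 3, 3, 9, 5, 0), "av", "detect", r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", "Trojan.Downloader"),
]

# Hypothetical keyword list; a real case would use the detection names and
# file names actually present on the device.
CODEC_KEYWORDS = ("codec", "player", "divx", "xvid")


def is_codec_related(ev: Event) -> bool:
    """True if the file name or AV label suggests a video codec or media player."""
    text = (ev.path.rsplit("\\", 1)[-1] + " " + ev.label).lower()
    return any(k in text for k in CODEC_KEYWORDS)


def correlate(timeline, target_path, window=timedelta(minutes=15), min_attempts=2):
    """Examine the window after `target_path` was downloaded.

    Returns the user-initiated codec/player download attempts in that window,
    the AV detections corroborated by a browser download of the same file, and
    the detections with no matching user download (possibly malware-dropped,
    so they must not be counted as user attempts).
    """
    events = sorted(timeline, key=lambda e: e.ts)
    anchor = next((e for e in events if e.action == "download" and e.path == target_path), None)
    if anchor is None:
        raise ValueError(f"no download of {target_path!r} in timeline")
    end = anchor.ts + window
    in_window = [e for e in events if anchor.ts <= e.ts <= end and e is not anchor]

    downloads = [e for e in in_window if e.source == "browser" and e.action == "download"]
    downloaded_paths = {e.path for e in downloads}
    user_attempts = [e for e in downloads if is_codec_related(e)]
    detections = [e for e in in_window if e.source == "av" and e.action == "detect"]
    corroborated = [e for e in detections if e.path in downloaded_paths]
    unattributed = [e for e in detections if e.path not in downloaded_paths]

    return {
        "anchor": anchor,
        "user_attempts": user_attempts,
        "corroborated_detections": corroborated,
        "unattributed_detections": unattributed,
        # The pattern the text describes: repeated user-initiated attempts.
        "pattern_present": len(user_attempts) >= min_attempts,
    }


def report(result) -> str:
    """Human-readable summary of a correlate() result."""
    lines = [f"Anchor: {result['anchor'].ts} {result['anchor'].path}"]
    for e in result["user_attempts"]:
        lines.append(f"  user download attempt  {e.ts}  {e.path}")
    for e in result["corroborated_detections"]:
        lines.append(f"  corroborated detection {e.ts}  {e.label}  {e.path}")
    for e in result["unattributed_detections"]:
        lines.append(f"  UNATTRIBUTED detection {e.ts}  {e.label}  {e.path}  (no user download; exclude)")
    lines.append(f"Repeated-attempt pattern present: {result['pattern_present']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(correlate(TIMELINE, r"C:\Users\jdoe\Downloads\clip_042.avi")))
    print()
    print(report(correlate(TIMELINE, r"C:\Users\jdoe\Downloads\tax_form.pdf")))
```

For the video download the report lists three user-initiated codec/player attempts, each corroborated by a detection on the same file, and flags the Temp dropper separately because nothing in the browser records ties it to the user. For the PDF download it finds no user attempts at all, only an unattributed downloader detection, which is precisely the situation in which the presence of malware says nothing about intent.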
When malware first began to appear in traditional computer forensic cases involving PCs and laptops, many examiners reacted with a great deal of stress because they did not know what to do. They did not understand how to fit the fact that malware was present into their examination and investigation, nor how to counter the often irrelevant defenses raised simply because malware was present ("my client didn't do it, it was the malware"). Forensic examiners learned about malware, adapted their examination techniques to address potential malware-related defenses, and overcame the complications malware added to their examinations.
With mobile device usage surpassing (or soon to surpass) traditional PC and laptop usage, examiners must take their malware knowledge from traditional computer forensic cases and apply it, along with new research and new knowledge, to mobile devices.
As third-party apps become increasingly popular, the industry has seen a rise in malware on mobile devices, especially Android-based devices. Therefore, it is essential that malware be a consideration in a forensic exam when an examiner looks at mobile data. Examiners must be familiar with the different types