Hostile Code and Forensic Investigators

The purpose of this document is to identify five different examples of hostile code and how they affect information systems. It also explains how forensic investigators find the sources of hostile code. It is intended for anyone looking to gain a basic understanding of hostile code and of how forensic investigators identify it.

Hostile code can be defined as malicious or mal-intended software that runs on a computer system without authorization. There are different types of hostile code with different functions, but they reach a system by a small number of common routes: system misconfigurations, compromised system identities (stolen or weak credentials), vulnerabilities in the network infrastructure, or users unknowingly installing the software themselves (James Madison University, 2009).

Two types of hostile code are viruses and worms. A virus is hostile code that replicates by attaching itself to a host: it infects executable files, master boot records, or the volume boot records of partitions and removable media, and runs whenever the infected host runs. A virus is often delivered as a Trojan horse, hidden inside a program or file that appears legitimate. Worms also self-replicate, but what sets them apart is that they do not need to attach themselves to a program: a worm is self-contained, makes copies of itself, and spreads from system to system on its own, usually by exploiting a vulnerability in a network service. Viruses therefore typically modify or corrupt the files they infect, whereas the most visible effect of a worm is often the network bandwidth it consumes as it spreads, although either can carry a further payload. Viruses can be contained or removed with antivirus software, and keeping systems patched with the latest updates closes the vulnerabilities that worms rely on. Forensic investigators can get to the source of a virus or worm by reverse engineering the code, by comparing the files on the infected system against a known-good baseline to see what was changed, and by examining network logs to find the first system that showed the infection traffic.
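One way an investigator finds which files a file-infecting virus has touched is to compare cryptographic hashes of the suspect system's files against a baseline recorded from a known-clean system. The following is an added example written for this page, not code from the original essay or from any cited source; the two "filesystems" are constructed in memory as dictionaries of path to bytes, and the infected copy assumes a hypothetical infector that appended itself to one binary and dropped one new file.

```python
"""Baseline-and-compare file integrity check (added example, constructed data)."""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hash file contents; an infected file changes bytes, so its digest changes."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the digest of every file on a known-clean system."""
    return {path: sha256_hex(data) for path, data in files.items()}


def compare_to_baseline(baseline: Dict[str, str],
                        files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify the suspect system's files as modified, added or missing.

    'modified' are the candidates for a file infector; 'added' catches dropped
    components; 'missing' catches files a payload deleted or replaced by name.
    """
    result: Dict[str, List[str]] = {"modified": [], "added": [], "missing": []}
    for path, digest in baseline.items():
        if path not in files:
            result["missing"].append(path)
        elif sha256_hex(files[path]) != digest:
            result["modified"].append(path)
    for path in files:
        if path not in baseline:
            result["added"].append(path)
    for paths in result.values():
        paths.sort()
    return result


# Constructed sample: a clean system (bytes stand in for real file contents).
CLEAN = {
    "/usr/bin/ls": b"\x7fELF...ls-binary-bytes",
    "/usr/bin/cat": b"\x7fELF...cat-binary-bytes",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}

# Constructed sample: the same system after a hypothetical file infector
# appended its own code to /usr/bin/ls and dropped a hidden file in /tmp.
INFECTED = {
    "/usr/bin/ls": b"\x7fELF...ls-binary-bytes" + b"\x90\x90<appended virus code>",
    "/usr/bin/cat": b"\x7fELF...cat-binary-bytes",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/tmp/.x": b"dropped component",
}


def main() -> None:
    baseline = build_baseline(CLEAN)
    report = compare_to_baseline(baseline, INFECTED)
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:9s} {path}")


if __name__ == "__main__":
    main()
```

The check is only as trustworthy as its inputs: the baseline must come from a system known to be clean (or from vendor-published hashes), and the hashing should be done from a forensic image or a clean boot medium, since a rootkit on the live system can hide the modified bytes from any tool that reads through the infected kernel.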

Another type of hostile code is the browser hijacker, a form of malware or spyware. Browser hijackers are not as notorious as viruses or worms and are often treated as annoyances, but they work by modifying browser settings: the default home page is set to something other than what the user chose, and error pages and search pages are redirected as well. Their purpose is to drive traffic to a particular Internet address or website, usually for advertising revenue. Third-party removal tools can return the settings to normal, but a reboot on its own rarely helps, because hijackers typically persist through a startup entry or a browser extension that reapplies the changes. Forensic investigators can find the source of a browser hijacker by examining the browser's stored settings and installed extensions, the system's startup entries and scheduled tasks, and the hosts file, in addition to using third-party applications designed to deal with this form of hostile code.
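An investigator can audit the browser's stored settings directly rather than trusting what the browser displays. The example below is added for this page and is not code from the original essay; it checks a Chromium-style `Preferences` JSON file for a hijacked home page, start-up URLs, default search engine and proxy. The key layout (`homepage`, `session.startup_urls`, `default_search_provider_data.template_url_data.url`, `proxy.mode`) is an assumption about how Chromium stores these settings and should be verified against the real file for the browser version involved; the two preference files and the expected values are constructed samples.

```python
"""Audit a Chromium-style Preferences file for hijacked settings (added example)."""
import json
from typing import Dict, List
from urllib.parse import urlparse

# What the user or organisation says the settings should be (constructed).
EXPECTED: Dict[str, object] = {
    "homepage_hosts": {"intranet.example.com"},
    "search_hosts": {"www.google.com", "duckduckgo.com"},
    "allow_fixed_proxy": False,
}

# Constructed sample shaped like a hijacked profile (assumed key layout).
HIJACKED_PREFS = json.dumps({
    "homepage": "http://search-deals-now.example/?aff=12",
    "homepage_is_newtabpage": False,
    "session": {"startup_urls": ["http://search-deals-now.example/start"]},
    "default_search_provider_data": {"template_url_data": {
        "keyword": "search-deals-now",
        "url": "http://search-deals-now.example/q={searchTerms}"}},
    "proxy": {"mode": "fixed_servers", "server": "198.51.100.7:8080"},
})

# Constructed sample of an untouched profile.
CLEAN_PREFS = json.dumps({
    "homepage": "http://intranet.example.com/",
    "homepage_is_newtabpage": False,
    "session": {"startup_urls": []},
    "default_search_provider_data": {"template_url_data": {
        "keyword": "google.com",
        "url": "https://www.google.com/search?q={searchTerms}"}},
    "proxy": {"mode": "system"},
})


def host(url: str) -> str:
    """Compare on host name only, so query strings and paths cannot hide a redirect."""
    return urlparse(url).hostname or ""


def audit(prefs_json: str, expected: Dict[str, object] = EXPECTED) -> List[str]:
    """Return one finding per setting that points somewhere it should not."""
    prefs = json.loads(prefs_json)
    findings: List[str] = []

    homepage = prefs.get("homepage", "")
    if homepage and host(homepage) not in expected["homepage_hosts"]:
        findings.append(f"homepage points at {host(homepage)}")

    for url in prefs.get("session", {}).get("startup_urls", []):
        if host(url) not in expected["homepage_hosts"]:
            findings.append(f"startup URL points at {host(url)}")

    search = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if search.get("url") and host(search["url"]) not in expected["search_hosts"]:
        findings.append(f"default search engine is {search.get('keyword')} "
                        f"({host(search['url'])})")

    proxy = prefs.get("proxy", {})
    if proxy.get("mode") == "fixed_servers" and not expected["allow_fixed_proxy"]:
        findings.append(f"fixed proxy configured: {proxy.get('server')}")

    return findings


if __name__ == "__main__":
    for finding in audit(HIJACKED_PREFS):
        print("FINDING:", finding)
    print("clean profile findings:", audit(CLEAN_PREFS))
```

A finding tells the investigator what was changed, not yet by what; the next step is to compare the preference file's modification time against the timeline of installed programs, extensions and startup entries to identify the component that wrote it.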

Logic bombs, of which time bombs are the most common form, are another form of hostile code. A logic bomb is malicious code inserted into legitimate software that lies dormant until a triggering condition is met; a disgruntled employee might insert one so that if they were fired or released, the bomb would go off and carry out its actions. The trigger is an event such as a specific time or date, or the absence of the employee's account, after which the code performs a set of actions, like deleting files on a system. Logic bombs are in one respect easier for forensic investigators to trace, because the trigger is a condition written into the code: investigators can search the code for date comparisons and similar checks, and can run a copy of the software in an isolated environment with the clock advanced to observe what the trigger does without waiting for the real date. Turning the system clock back does not return a system on which a logic bomb has already fired to its original state; that requires restoring from backups or a snapshot taken before the trigger.
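Because a time-triggered logic bomb is a function of the clock, an investigator working on a copy of the code in an isolated environment can sweep the clock forward instead of waiting. The following added example, not code from the original essay, uses a constructed routine `nightly_cleanup` standing in for a program into which a hypothetical insider has inserted a date trigger; the destructive branch only records a marker string, so the example is safe to run. The routine takes the clock as a parameter so the sweep can be done in-process; on a real system the same effect is obtained by advancing the clock of a sandboxed virtual machine.

```python
"""Exercising a date-triggered logic bomb under a controlled clock (added example)."""
from datetime import date, timedelta
from typing import Callable, List, Optional

Routine = Callable[[Callable[[], date], List[str]], str]


def nightly_cleanup(today: Callable[[], date], log: List[str]) -> str:
    """Constructed routine with an embedded trigger (hypothetical, for illustration).

    Behaves normally until the assumed departure date of its author, after
    which it takes a destructive branch. The branch is recorded, not executed.
    """
    log.append("rotated logs")
    if today() >= date(2009, 6, 1):          # hidden trigger condition
        log.append("DELETE /srv/payroll/*")  # marker for the destructive action
        return "payload"
    return "normal"


def find_trigger_date(routine: Routine, start: date, days: int) -> Optional[date]:
    """Advance the clock one day at a time in isolation and report the first
    date on which the routine's observable behaviour differs from its
    behaviour on `start`. Returns None if nothing changes within `days`."""
    reference: List[str] = []
    routine(lambda: start, reference)
    for offset in range(1, days + 1):
        candidate = start + timedelta(days=offset)
        observed: List[str] = []
        routine(lambda: candidate, observed)
        if observed != reference:
            return candidate
    return None


if __name__ == "__main__":
    trigger = find_trigger_date(nightly_cleanup, date(2009, 4, 5), 365)
    print("first date with changed behaviour:", trigger)
```

The sweep only reveals triggers that depend on the clock; a bomb keyed to another condition (a missing user account, a particular hostname, a count of runs) needs that condition varied instead, which is why static review of the code for comparisons against dates, account names and counters should accompany the dynamic test. Note also that the sweep compares against the behaviour on the starting date: if the start is already past the trigger, nothing changes and the result is None, so the reference run must itself be known-good.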

Keystroke loggers are a form of hostile code because their intent is malicious: they capture the keystrokes a user types into a system. Software keystroke loggers send the captured keystrokes over the network or the Internet so that an attacker can obtain passwords and gain access to systems; hardware keystroke loggers are small devices placed between the keyboard and the computer that store their captures locally. Keystroke loggers can serve a legitimate purpose for the police, FBI, CIA, or other government agencies investigating crimes, however the purpose for which they were developed was malicious in nature (New Zealand Police, 2006). Depending on the type of keystroke logger, forensic investigators can find the source by actively searching the system for the logging software and its capture files, by physically inspecting the keyboard connection, or by sniffing the traffic the system sends in order to find where the captures are going.
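When the logger is software, its uploads usually share a pattern that traffic analysis can pick out: small transfers to the same destination at regular intervals. The example below is added for this page, not code from the original essay or the cited source; it groups a constructed connection log from the suspect host by destination and flags destinations with regular timing and consistently small outbound payloads. The log format ("<epoch-seconds> <dst-ip>:<port> <bytes-out>") and the thresholds are assumptions chosen for the example.

```python
"""Flag periodic small outbound connections in a constructed flow log (added example)."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample log from the suspect host, not real traffic. One
# destination receives ~500-byte uploads every 300 s; the other sees two
# large, irregular transfers typical of ordinary browsing.
FLOW_LOG = """\
1239000000 203.0.113.10:443 512
1239000042 198.51.100.20:443 18034
1239000300 203.0.113.10:443 498
1239000600 203.0.113.10:443 530
1239000655 198.51.100.20:443 94021
1239000900 203.0.113.10:443 501
1239001200 203.0.113.10:443 517
1239001500 203.0.113.10:443 509
"""

Flows = Dict[str, List[Tuple[int, int]]]


def parse_flows(text: str) -> Flows:
    """Group (timestamp, bytes_out) records by destination."""
    flows: Flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dst, nbytes = line.split()
        flows[dst].append((int(ts), int(nbytes)))
    return flows


def beacon_candidates(flows: Flows, min_flows: int = 4,
                      max_jitter: float = 0.1,
                      max_bytes: int = 4096) -> List[Tuple[str, float, float]]:
    """Return (destination, mean interval, relative jitter) for destinations
    contacted at least `min_flows` times with near-constant spacing and
    payloads no larger than `max_bytes` (assumed thresholds)."""
    hits: List[Tuple[str, float, float]] = []
    for dst, events in flows.items():
        if len(events) < min_flows:
            continue
        events = sorted(events)
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        jitter = pstdev(gaps) / avg_gap   # 0.0 means perfectly regular
        largest = max(nbytes for _, nbytes in events)
        if jitter <= max_jitter and largest <= max_bytes:
            hits.append((dst, float(avg_gap), float(jitter)))
    return hits


if __name__ == "__main__":
    for dst, interval, jitter in beacon_candidates(parse_flows(FLOW_LOG)):
        print(f"candidate exfiltration channel: {dst} every {interval:.0f}s (jitter {jitter:.2f})")
```

A hit is a lead, not proof: legitimate software also polls on a schedule, so the investigator correlates the destination with the process that opened the connections and with the capture files found on disk. Loggers that add random delay to their uploads raise the jitter, which is why the threshold is a parameter rather than a constant, and a hardware logger produces no traffic at all.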

In conclusion, there are many different types of hostile code in circulation. Each type may have a different function, as the differences between viruses, worms, browser hijackers, logic bombs, and keystroke loggers show. All of them are malicious in nature and are intended to perform actions other than what the system's user wants; however, most types are preventable, and forensic investigators can trace the source of the problem.

1. James Madison University. (2009, March 18). How They Break In. Retrieved April 5, 2009, from James Madison University Web site.
2. New Zealand Police. (2006, April 9). Keystroke loggers. Retrieved April 5, 2009, from New Zealand Police Web site.