As new, more sophisticated and stealthy forms of malicious code arrive on the scene, how will they affect digital investigations?
From the bottom up, the purpose of metamorphic code is to evade discovery, and a variety of techniques are employed to disguise the static form (i.e. the files stored on the hard drive), while more sophisticated variants morph the running version of each propagated copy of the malicious code.
Traditional investigation techniques that use hash sets to identify either “known good” or “known bad” software components are of little value in identifying this type of contraband. Block hashing techniques offer little assistance except against the most primitive form (mainly polymorphic malware), and are then only effective when used to identify code running in memory, which is the point at which polymorphic code is most vulnerable to identification. Note that only limited hash sets are available for memory- or running-process-based identification; clearly a broadening of efforts in this area is required.
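To make the difference between whole-file hashing and block hashing concrete, here is an added Python example (not part of the original post and not WetStone's code). It uses constructed byte strings standing in for a known-bad sample, a polymorphic variant (new decryptor stub, identical body, as one would see once the code is unpacked in memory), a variant whose longer stub shifts the body off the block boundaries, and a metamorphic variant whose body has been rewritten entirely. The block size, sample contents and the two overlap metrics are assumptions chosen for illustration.

```python
import hashlib

BLOCK_SIZE = 16  # assumed block size; real tools use larger fixed or rolling blocks


def file_hash(data: bytes) -> str:
    """Whole-file SHA-256: matches only an identical sample."""
    return hashlib.sha256(data).hexdigest()


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list[str]:
    """SHA-256 of each fixed-size block, starting at offset 0."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def block_overlap(known: bytes, candidate: bytes, block_size: int = BLOCK_SIZE) -> float:
    """Fraction of the candidate's aligned blocks whose hash appears in the known-bad block set."""
    known_set = set(block_hashes(known, block_size))
    cand_blocks = block_hashes(candidate, block_size)
    if not cand_blocks:
        return 0.0
    return sum(1 for h in cand_blocks if h in known_set) / len(cand_blocks)


def sliding_overlap(known: bytes, candidate: bytes, block_size: int = BLOCK_SIZE) -> float:
    """Fraction of known-bad blocks found at ANY byte offset of the candidate.
    This is alignment-independent, which is why rolling/fuzzy hashing survives
    small insertions that defeat fixed block boundaries."""
    known_blocks = set(block_hashes(known, block_size))
    windows = {hashlib.sha256(candidate[j:j + block_size]).hexdigest()
               for j in range(0, len(candidate) - block_size + 1)}
    if not known_blocks:
        return 0.0
    return len(known_blocks & windows) / len(known_blocks)


# --- constructed samples (each body block is exactly 16 bytes) ---
def _body_block(i: int) -> bytes:
    return f"BODYBLOCK{i:02d}-----".encode()


ORIGINAL_BODY = b"".join(_body_block(i) for i in range(7))
KNOWN_BAD = b"STUB-DECRYPT-v1;" + ORIGINAL_BODY                  # 16-byte stub + body
POLY_VARIANT = b"STUB-DECRYPT-v2;" + ORIGINAL_BODY               # new stub, same body
SHIFTED_VARIANT = b"NEW-LONGER-STUB-v3;;" + ORIGINAL_BODY        # 20-byte stub: body misaligned
METAMORPHIC_VARIANT = b"STUB-DECRYPT-v9;" + b"".join(
    f"MORPHBLOCK{i:02d}----".encode() for i in range(7))          # body rewritten entirely


def compare_all() -> dict:
    """Score each variant against the known-bad sample with all three methods."""
    results = {}
    for name, sample in (("poly", POLY_VARIANT),
                         ("shifted", SHIFTED_VARIANT),
                         ("metamorphic", METAMORPHIC_VARIANT)):
        results[name] = {
            "whole_file_match": file_hash(sample) == file_hash(KNOWN_BAD),
            "fixed_block_overlap": block_overlap(KNOWN_BAD, sample),
            "sliding_overlap": sliding_overlap(KNOWN_BAD, sample),
        }
    return results


if __name__ == "__main__":
    for name, scores in compare_all().items():
        print(f"{name:12s} {scores}")
```

The whole-file hash never matches any variant. Fixed block hashing still flags the polymorphic variant (7 of 8 blocks match) but reports zero for the shifted variant, even though its body is byte-for-byte identical; the sliding comparison recovers that match. Nothing recovers the metamorphic variant, which is the point of the paragraph above: once the body itself is rewritten, hash-based identification has no anchor left, and behavioral approaches have to take over.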
In addition to methods that identify metamorphic code (statically or dynamically), other approaches include behavior identification (host-based and/or network-based) that models the activities of specific types of malicious code exhibiting metamorphic or polymorphic processes.
At the end of the day, our investigative methodologies also need to morph, as the move from post-mortem to live investigation becomes the rule.
Chet Hosmer is the Chief Scientist at WetStone and would like to hear your comments and feedback on his opinions.