A forensic analyst receives a hard drive containing malware quarantined by the antivirus application.
After creating an image and determining the directory location of the malware file, which of the following helps to determine when the system became infected?
A. The malware file's modify, access, change time properties.
B. The timeline analysis of the file system.
C. The time stamp of the malware in the swap file.
D. The date/time stamp of the malware detection in the antivirus logs.
Answer: B
Explanation:
Timelines can be used in digital forensics to identify when activity occurred on a computer. Timelines are mainly used for data reduction or identifying specific state changes that have occurred on a computer.
Incorrect Answers:
A: The MAC times of the single malware file on their own do not reliably show when the system became infected; they only become meaningful when placed in the context of activity across the whole file system, which is what the timeline provides.
C: A swap file is a space on a hard disk used as the virtual memory extension of a computer’s real memory, which allows your computer’s operating system to pretend that you have more RAM than you actually do.
D: This will tell you when the antivirus detected the malware, not when the system became infected.
References:
http://www.basistech.com/autopsy-feature-graphical-timeline-analysis-for-cyber-forensics/
http://searchwindowsserver.techtarget.com/definition/swap-file-swap-space-or-pagefile