Digital documents are often not read-only entities. They may contain code, either as native computer instructions or in some macro language, which gives them the ability to 'execute'. Even where they have no such inherent ability to execute, they may gain it through buffer overflows or other vulnerabilities in the environment that processes them.
One area of particular concern is where such an ability to execute is used to create malware. A common defence, when some (malicious) activity is traced back to a computer, is that some unknown malicious software could have been responsible for that computer's activity. This is one form of the 'defence' colloquially referred to as the SODDI defence - some other dude did it. However, malware is not only used as a possible scapegoat for malicious actions. It is quite possible for an individual to use a document containing, say, a Trojan horse in a spear-phishing attack, and once such an attack has been executed (or thwarted), determining (and proving) the nature of the attack becomes necessary before further legal steps can be taken.
This video provides a high-level overview of the examination of documents that (may) contain malware.
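A first, static step in examining a suspect document is to check the container itself for executable content without opening or rendering the document. The following Python script is an added example and is not code from the lecture: it inspects an OOXML (docx/xlsx/pptx) zip container for the standard VBA macro indicators (a `vbaProject.bin` part and the `application/vnd.ms-office.vbaProject` content type). The sample documents are constructed in memory for illustration; the placeholder `vbaProject.bin` bytes are not a real VBA project. The legacy OLE2 binary formats (.doc, .xls) use a different container and are not covered by this check.

```python
import io
import zipfile

# Part names and content type that indicate VBA macros in an OOXML package.
# These follow the Open Packaging Conventions; they are not values from the lecture.
VBA_PART_NAMES = ("vbaProject.bin", "vbaData.xml")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def ooxml_macro_indicators(data: bytes) -> dict:
    """Return static macro indicators for an OOXML blob.

    Only the zip directory and [Content_Types].xml are read; the document
    is never parsed by an Office application, so nothing in it can execute.
    """
    result = {"is_ooxml": False, "vba_parts": [], "vba_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container at all (e.g. OLE2, PDF, plain text)
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result  # a zip, but not an OOXML package
    result["is_ooxml"] = True
    # Any part whose file name is a known VBA part, wherever it sits in the package.
    result["vba_parts"] = [n for n in names if n.split("/")[-1] in VBA_PART_NAMES]
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
    result["vba_content_type"] = VBA_CONTENT_TYPE in ctypes
    return result


def has_macros(data: bytes) -> bool:
    """True if either indicator is present; either alone is enough to warrant sandboxed analysis."""
    ind = ooxml_macro_indicators(data)
    return bool(ind["vba_parts"]) or ind["vba_content_type"]


def _build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container used as sample input (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = [
            '<?xml version="1.0"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            ct.append('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
        ct.append("</Types>")
        zf.writestr("[Content_Types].xml", "\n".join(ct))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes; a real part would be an OLE2 stream.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    return buf.getvalue()


CLEAN_SAMPLE = _build_sample(False)
MACRO_SAMPLE = _build_sample(True)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("macro", MACRO_SAMPLE)):
        print(label, ooxml_macro_indicators(blob))
```

Run it on a file with `ooxml_macro_indicators(open(path, "rb").read())`; a positive result is a reason to hash the file and hand it to a sandbox or macro decompiler, not proof of malicious intent, since many legitimate documents carry macros.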
The video is part of a lecture series made at home to continue online education during COVID-19 lockdown.