Chapter 13. Computer Intrusions > 13.3 Forensic Preservation of Volatile Data - Pg. 388

• The names and storage locations of additional files that are related to the malicious code, such as related executables, configuration files or Registry entries, a keystroke log, or an archive of stolen data.
• The purpose of the malicious code, that is, whether it is to create a backdoor, capture keystrokes, spread itself via some specific mechanism, etc.

Analyzing malicious code to determine the answers to questions such as these often requires a deep understanding of computer programs, including the ability to read and interpret a disassembled or decompiled executable, as well as the ability to identify and circumvent defenses built into the code against disassembly and debugging as discussed in Section 13.6.

13.2.3.5 Adversaries Outside of the Realm of Influence

While this is not new to forensic investigation or law enforcement in general, it is extremely common in computer intrusion cases for digital investigators to be dealing with adversaries or suspects outside of their realm of influence or jurisdiction. This is due to the ease with which an attacker can compromise a computer or network across national and geographic boundaries. With the exception of highly secure networks that are kept separate from the public, it is trivial to reach most large organizations across the Internet. Owing to this unfortunate reality, digital investigators will often find that they trace an attack back to a computer that is not in a location that would allow them to further pursue their investigation without obtaining the cooperation of another (often foreign) law enforcement organization. While there is precedent for such cooperation, it is not yet a common occurrence.

13.2.3.6 Linking Events to an Actual Person

It is important to remember that linking events to an actual person is a concern for all digital investigations, and especially so with computer intrusions. Tracing events to a specific computer system is not sufficient to claim that a specific person was using that computer system during the time of those events, and that that same person was responsible for the observed events.

13.3 FORENSIC PRESERVATION OF VOLATILE DATA

The actual response to the scene of an intrusion can be slightly different from that of some other types of digital forensic investigations. For starters, there is typically a sense of urgency on behalf of the victimized individual or organization. They will be aware that something is wrong, but they may be unaware of the magnitude and will often be anxious for the problem to be resolved. This will place additional pressure on the digital investigator to move quickly.