Forensic Analysis of Mobile Malware · Chapter 9 319

How did the malcode access and infect the target device?
What level of access to the device does the malcode have?
What information has been compromised (nothing, PIN, PUK, Ki, IMSI...)?
What is the nature and impact of the malcode?

To truly judge the impact of any code sample, it may be necessary to obtain another hardware device with the same specification. Some vendors provide suitable emulation platforms, but these rarely react in the same manner as the real device when analyzing malicious code. Many Java code samples provide for a simpler analysis. If the code can be extracted in a manner that provides for an analysis of the source code, it becomes simple to determine what the code is doing.

Reproducibility of Evidence in the Case of Dead Forensic Analysis

A dead forensic analysis involves an analysis of an unpowered device. An image of the storage system of the device (the hard disk, ROM, and other items) is created. A hash of this image will be stored to prove that no files have been altered on the image of the device that is cap-
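
The hash-and-verify step described above, as an added example that is not from the book: it hashes an image at acquisition time and later re-verifies a working copy. It goes slightly beyond the text by also keeping per-block hashes so a mismatch can be localized; SHA-256, the 4096-byte block size, the function names and the in-memory sample image are assumptions.

```python
import hashlib
import io

BLOCK = 4096  # assumed block size for piecewise hashing


def hash_image(stream, block=BLOCK):
    """Return (whole-image SHA-256 hex, list of per-block SHA-256 hex)."""
    whole = hashlib.sha256()
    blocks = []
    while True:
        chunk = stream.read(block)
        if not chunk:
            break
        whole.update(chunk)  # running digest over the entire image
        blocks.append(hashlib.sha256(chunk).hexdigest())
    return whole.hexdigest(), blocks


def verify_image(stream, recorded_whole, recorded_blocks, block=BLOCK):
    """Re-hash a working copy; return (matches, byte offsets of changed blocks)."""
    whole, blocks = hash_image(stream, block)
    changed = [i * block
               for i, (now, then) in enumerate(zip(blocks, recorded_blocks))
               if now != then]
    # A truncated or extended copy shows up as a differing block count.
    if len(blocks) != len(recorded_blocks):
        changed.append(min(len(blocks), len(recorded_blocks)) * block)
    return whole == recorded_whole, changed


def demo():
    # Constructed 16 KiB stand-in for a device image (not real evidence).
    image = bytes(range(256)) * 64
    recorded = hash_image(io.BytesIO(image))  # stored at acquisition time

    clean = verify_image(io.BytesIO(image), *recorded)

    tampered = bytearray(image)
    tampered[9000] ^= 0x01                    # single flipped bit
    altered = verify_image(io.BytesIO(bytes(tampered)), *recorded)

    truncated = verify_image(io.BytesIO(image[:10000]), *recorded)
    return clean, altered, truncated


if __name__ == "__main__":
    for label, result in zip(("clean", "altered", "truncated"), demo()):
        print(label, result)
```
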