Chapter 6 · Malware Analysis

One method that can be especially helpful in determining some of these issues is to boot the infected virtual machine under an alternate operating system. This might be a system similar to the original (same platform), or it might be an entirely different operating system. By examining the disk from an alternate operating system, you can inspect the file system and directory structures without being subject to the effects of the infection, since none of the infected system's code is running. By noting any abnormalities you stand a fair chance of discovering the files associated with the infection. These abnormalities can show up in the existence of files and directories (unexpected additions or deletions) as well as in the contents of the files themselves.

To be thorough, it is a good idea to hash every file inside the original operating system and then compute the same hash over every file when the disk is mounted under the alternate operating system. Any difference is certainly something that should be investigated. Two caveats apply. First, hashes gathered from inside a running infected system may themselves be unreliable, because malware that hooks the kernel or the file system APIs can hide files or present clean content to the hashing tool; a baseline taken from a known-good image or a pre-infection snapshot is more trustworthy. Second, files change all the time while a system is running, so some differences will be attributable to normal activity (log growth, caches, updates) rather than to the infection. Unfortunately, each inconsistency would have to be examined and checked to confirm that the change was not caused by the infection.

How Do You Recover from It?
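The hash-and-compare step from the section above, as an added example that is not part of the book's text: it builds a SHA-256 manifest of every regular file under a directory tree, then classifies the differences between a baseline manifest and a manifest of the same tree mounted under the alternate operating system as added, removed or modified. The two directory trees are constructed inline as sample data (a trojanized bin/ls, a dropped hidden binary, and a log that grew for benign reasons), so the script runs offline; the file names and contents are illustrative assumptions, not paths from any real image. Paths are recorded relative to the tree root so that a manifest taken from the live system can be compared with the disk mounted at a different path, and symbolic links are not followed so a planted link cannot steer the walk outside the mounted image.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root, chunk_size=1 << 20):
    """Return {relative_posix_path: sha256_hex} for every regular file under root.

    Symlinks are skipped (never followed) and paths are stored relative to root,
    so a manifest from the live system and one from the offline-mounted disk
    can be compared even though the mount points differ.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            h = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(chunk_size), b""):
                    h.update(chunk)
            manifest[p.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify every path as added, removed or modified between two manifests."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def build_sample_trees(base):
    """Construct two small trees as sample data (assumed content, not a real image)."""
    clean = Path(base) / "clean"
    infected = Path(base) / "infected_mounted"
    files = {
        "bin/ls": b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
        "etc/hosts": b"127.0.0.1 localhost\n",
        "var/log/syslog": b"boot ok\n",
    }
    for tree in (clean, infected):
        for rel, data in files.items():
            p = tree / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    # Simulated infection footprint on the second tree: a trojanized binary
    # and a dropped payload in a hidden directory.
    (infected / "bin/ls").write_bytes(
        b"#!/bin/sh\n/tmp/.x/drop; exec /usr/bin/ls \"$@\"\n")
    (infected / "tmp/.x").mkdir(parents=True)
    (infected / "tmp/.x/drop").write_bytes(b"\x7fELF...")
    # Benign change: the log simply grew while the system was running.
    (infected / "var/log/syslog").write_bytes(b"boot ok\nlogin ok\n")
    return clean, infected


def run_demo():
    """Hash both sample trees, report the differences, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, infected = build_sample_trees(tmp)
        report = diff_manifests(hash_tree(clean), hash_tree(infected))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind:9s} {p}")
        return report


if __name__ == "__main__":
    run_demo()
```

Every path the report lists still has to be examined by hand: the example deliberately includes var/log/syslog, which changed for a benign reason, to show that a hash mismatch is a lead rather than a verdict. In practice the baseline manifest should come from a known-good image or a snapshot taken before the infection, for the reason given above.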