Concealment Techniques
Knowledge of this operation is important for a cyber forensic investigator to consider when
attempting to determine (a) the validity of compiled code under review, (b) that no unauthorized
access to the API functions has been attempted, and (c) whether any action was aimed at
manipulating electronic system evidence.
Usually, a Hook system is composed of at least two parts: a Hook Server and a Driver. The
Hook Server is responsible for injecting the Driver into targeted processes at the appropriate
moment. It also administers the Driver and can optionally receive information from the Driver
about its activities, whereas the Driver is the module that performs the actual interception [36].
Hooking is done by altering the Import Addres ...
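For the investigator's check in point (b), the following added example (not code from the book) flags import table slots that no longer point into the DLL expected to serve them. The module layout, addresses, and the name `monitor.dll` are constructed for illustration, and the snapshot is assumed to come from a memory-analysis tool. Export forwarders are allow-listed, since a forwarded import legitimately resolves into another module.

```python
from bisect import bisect_right
from typing import NamedTuple

class Module(NamedTuple):
    name: str
    base: int
    size: int

class IatEntry(NamedTuple):
    dll: str      # DLL named by the import descriptor
    func: str     # imported function name
    target: int   # address currently stored in the import table slot

# Constructed sample snapshot of one process (not taken from a real system).
MODULES = [
    Module("app.exe",      0x00400000, 0x00020000),
    Module("kernel32.dll", 0x76000000, 0x000F0000),
    Module("ntdll.dll",    0x77000000, 0x00180000),
    Module("monitor.dll",  0x10000000, 0x00010000),  # hypothetical injected Driver
]
IAT = [
    IatEntry("kernel32.dll", "CreateFileW", 0x76012340),  # inside kernel32: clean
    IatEntry("kernel32.dll", "HeapAlloc",   0x77045000),  # forwarded to ntdll: clean
    IatEntry("kernel32.dll", "WriteFile",   0x10001200),  # points into monitor.dll
    IatEntry("kernel32.dll", "ReadFile",    0x02340000),  # points at no loaded module
]
# Known export forwarders: (dll, func) -> module that legitimately serves the call.
FORWARDERS = {("kernel32.dll", "HeapAlloc"): "ntdll.dll"}

def owner_of(addr, modules):
    """Return the name of the module whose mapped range contains addr, else None."""
    ordered = sorted(modules, key=lambda m: m.base)
    i = bisect_right([m.base for m in ordered], addr) - 1
    if i >= 0 and addr < ordered[i].base + ordered[i].size:
        return ordered[i].name
    return None

def find_iat_anomalies(iat, modules, forwarders):
    """List import slots whose target lies outside the DLL expected to serve them."""
    findings = []
    for e in iat:
        owner = owner_of(e.target, modules)
        expected = {e.dll.lower(), forwarders.get((e.dll, e.func), e.dll).lower()}
        if owner is None or owner.lower() not in expected:
            findings.append((e.dll, e.func, hex(e.target), owner or "<unbacked memory>"))
    return findings

if __name__ == "__main__":
    for finding in find_iat_anomalies(IAT, MODULES, FORWARDERS):
        print("suspicious import slot:", finding)
```

A flagged slot is a lead rather than proof of tampering: security products and compatibility shims also redirect imports, so the owning module still has to be identified and validated.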