Malware misinformation

Documenting misinformation in the infosecurity space, focusing particularly on malware analysis and forensics.

Created by @maldr0id


Claim ID: 00001

The following claim is often repeated in the context of spyware information:

only a complete examination of the physical device can lead to the detection of malware

The claim is considered: ❌ FALSE ❌

Why is it false?

While a complete examination of the physical device can indeed lead to the detection of malware, it is not the only way to perform forensic analysis. Forensic analysis is based on finding indicators of compromise[1]. These are artifacts which indicate malware, spyware or any other computer intrusion with some level of confidence. If these indicators are found on the operating system, a forensic investigator can recreate a timeline of the infection[2].

An example of a malware indicator is the hash of a malware sample. If a file with that hash is found on the system image, it is an indication that the malware was successfully downloaded. Of course, you don't need to have the whole physical device to confirm whether a particular file is present on the hard drive. An image of the hard drive - or even a previous backup of the hard drive contents - is enough to make that statement.

As such, confirming malware presence is possible without a complete examination of the physical device, especially since, according to Apple, iCloud backups include nearly all data and settings stored on your device[3].
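As an added illustration (not part of the original page), the following Python script shows how a hash indicator is matched against an extracted backup or disk image rather than the physical device, and how the matching files' timestamps give a first infection timeline. The directory layout, file names, IoC hash and label are constructed for the demo and are not real malware data.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large images/backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_backup(root, hash_iocs):
    """Walk an extracted backup/image and return IoC matches ordered by modification time.

    Each hit is (mtime_utc, relative_path, ioc_label); sorting by mtime yields a
    rough timeline of when the matching artifacts landed on the system.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in hash_iocs:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
                hits.append((mtime, os.path.relpath(path, root), hash_iocs[digest]))
    hits.sort()
    return hits


def build_demo_backup():
    """Construct a tiny fake backup directory: one benign file, one 'payload' (constructed, not real malware)."""
    root = tempfile.mkdtemp(prefix="backup_")
    os.makedirs(os.path.join(root, "Library", "Caches"))
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("shopping list\n")
    payload = os.path.join(root, "Library", "Caches", "payload.bin")
    with open(payload, "wb") as f:
        f.write(b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE")
    os.utime(payload, (1_700_000_000, 1_700_000_000))  # fixed mtime so the timeline is deterministic
    return root


# Constructed IoC list: the hash of the fake payload above paired with a made-up label.
DEMO_IOCS = {hashlib.sha256(b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE").hexdigest(): "demo-spyware-dropper"}

if __name__ == "__main__":
    for when, rel, label in scan_backup(build_demo_backup(), DEMO_IOCS):
        print(f"{when.isoformat()}  {rel}  matches {label}")
```

Point the same `scan_backup` at a mounted disk image or an unpacked device backup with a real IoC list to apply the check the page describes.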

Statement sources

The websites below repeat the claim. This is not a full list of websites.

Campaigns

The misinformation campaigns below have used this claim.

Footnotes