Scanning Images
Posted: Tue Nov 28, 2006 1:49 pm
All,
First off, I'd like to hear how folks are scanning imaged systems for malware. I know that you can mount the image in EnCase's virtual file system, or you can use LiveView to open up a dd image as a running system in VMware.
Given, say, just a dd image, what are some other methods for scanning for malware?
This brings me to the issue of artifacts. Do you think it would be feasible to develop classes of artifacts such that exploits or other issues (malware, etc) could be easily culled from an image?
Harlan
-

keydet89 - Senior Member
Re: Scanning Images
Posted: Tue Nov 28, 2006 8:21 pm
That could be one of the Holy Grails of CF. It seems I have to do a lot of research every time I run across a new possible artifact or malware that I don't know artifacts of. I don't experience it enough to build a viable personal repository; I need the impact of many other folks' discoveries.
As for dd images, I almost totally rely on finding artifacts or other traces of malware files. I have been playing with the Liveview/VMW combo, but my results are really mixed.
Bill
_________________
Replicants are like any other machine - they're either a benefit or a hazard. If they're a benefit, it's not my problem
-

deckard - Senior Member
Re: Scanning Images
Posted: Tue Nov 28, 2006 9:11 pm
> That could be one of the Holy Grails of CF
Perhaps. This is something I've been wrestling with lately...a viable means of cutting through the "noise" in an image or on a live system. My thinking is that if something like this can be developed, something that can be used, then it *will* be used...and maybe we can move away from the mentality of reformatting the hard drive and reinstalling the OS.
-

keydet89 - Senior Member
Re: Scanning Images
Posted: Wed Nov 29, 2006 12:47 am
At one time I simply scanned disk images via network devices' SMB shares for the presence of viruses and malware, initially just to detect if anything was present.
I prefer to mount the image copy read-only in loopback mode on Linux, allowing individual file granularity for the scanning. I have found it beneficial to use two different virus/malware products. This process is slower than direct attached devices. On the plus side, I can access the data from different systems. I have one system set up for scanning and another one with forensic tools.
_________________
Give a man a fish and he can eat today. Teach the man how to fish and he will be able to eat his whole life.
-

az_gcfa - Senior Member
Re: Scanning Images
Posted: Wed Nov 29, 2006 9:35 am
Yes, if you wanna do it for free... mount the dd image (partitions) as a LOOP DEVICE in Linux. Open up an SMB share. Scan it using Windows.
SIMPLE! (o:
-

Member - Member
Re: Scanning Images
Posted: Wed Nov 29, 2006 9:55 am
Harlan,
Scanning for malware on a system could be done any number of ways.
Some things I've done...
Tried Gargoyle (pretty useless when it comes to malware... not sure how it is with the other files it claims to be able to search for) on images mounted with Mount Image Pro.
Compared hashes against the nepenthes and offensivecomputing.net hashes.
I've yet to really delve in to ssdeep for this purpose but I imagine it would help an awful lot.
In my experience, anyway, I've noticed that the Windows-based antivirus tools kind of suck. BitDefender seems to come up with a lot of things that Symantec and others seem to miss regularly, so I mount an image in Linux and scan with BDC.
Artifact libraries, while a great idea, are almost impossible to develop. I guess libraries already exist for things like spyware or trojans, in so far as we have common search locations in the registry and the file system, but other than that, with point-and-click malware dev tools and the abundance of programmers out there, it would be extremely difficult to create an accurate library.
That said..
Someone *could* write a crawler that rips through the AV vendors' sites to pull out the relevant technical sections of the malware descriptions, organize them by class and generate a generic library that way, but it would still be behind the curve.
-

hogfly - Senior Member
Re: Scanning Images
Posted: Wed Nov 29, 2006 10:35 am
I had success mounting the dd image as a RO loopback under Linux and scanning it with ClamAV.
I don't think we should move away from the mentality of reformat/reinstall because, as with all malware scanners, you can only detect malware that is known to the scanner. There is no guarantee that your system is clean simply because your AV software says it's clean.
-

jakec - Newbie
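The read-only loopback mount and scan that az_gcfa, Member and jakec describe, together with the known-malware hash comparison hogfly mentions, as one added worked example. This script is not from the thread or from any of the posters; it assumes a whole-disk dd image with an MBR partition table and 512-byte sectors, root privileges for mount/umount, ClamAV's clamscan on PATH, and a hash set file with one SHA-256 hex digest per line. The script name, paths and file names are illustrative.

```shell
#!/bin/sh
# Added example, not code from this thread: offline malware triage of a raw dd image.
# Assumes: a whole-disk image with an MBR partition table and 512-byte sectors,
# root for mount/umount, ClamAV's clamscan on PATH, and a hash set file holding one
# SHA-256 hex digest per line. Paths and file names below are illustrative.
set -eu

SECTOR=512

# Byte offset of a partition that starts at the given sector (part_offset 63 -> 32256).
part_offset() {
    echo $(( $1 * SECTOR ))
}

# Read the four primary MBR entries straight from the image (offset 446, 16 bytes each)
# instead of scraping fdisk output. Prints one line per used entry:
#   <index> <type byte> <start sector> <size in sectors>
mbr_partitions() {
    img=$1
    i=0
    while [ "$i" -lt 4 ]; do
        # od prints the 16 entry bytes as unsigned decimals; load them into $1..$16.
        set -- $(dd if="$img" bs=1 skip=$(( 446 + i * 16 )) count=16 2>/dev/null | od -An -tu1 -v)
        ptype=$5
        start=$(( $9 + (${10} << 8) + (${11} << 16) + (${12} << 24) ))
        size=$(( ${13} + (${14} << 8) + (${15} << 16) + (${16} << 24) ))
        if [ "$ptype" -ne 0 ]; then
            echo "$(( i + 1 )) $ptype $start $size"
        fi
        i=$(( i + 1 ))
    done
}

# Mount one partition read-only via a loop device. ro keeps the image unchanged, and
# noexec,nodev,nosuid stop anything on the evidence from running on the examiner's box.
# Add -t ntfs-3g (or -t ntfs) if autodetection does not pick up an NTFS volume.
mount_partition() {
    mkdir -p "$3"
    mount -o "ro,loop,noexec,nodev,nosuid,offset=$(part_offset "$2")" "$1" "$3"
}

# Recursive ClamAV scan of the mounted tree, listing only hits and keeping a log file.
# Returns clamscan's code: 0 clean, 1 something matched, 2 scan error.
scan_mount() {
    rc=0
    clamscan -r --infected --log="$2" "$1" || rc=$?
    return "$rc"
}

# Hash every regular file under the mount and print the sha256sum lines ("<hash>  <path>")
# whose digest is in the hash set. Case-insensitive; an empty or missing set matches nothing.
hash_hits() {
    find "$1" -type f -exec sha256sum {} + 2>/dev/null |
        awk -v set="$2" '
            BEGIN { while ((getline line < set) > 0) if (line != "") known[tolower(line)] = 1 }
            (tolower($1) in known)'
}

# Usage: sh triage.sh disk.dd /mnt/case known_sha256.txt
# Nothing below runs without the three arguments, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then
    img=$1; case_dir=$2; hashset=$3
    mkdir -p "$case_dir"
    sha256sum "$img" > "$case_dir/image.sha256"          # baseline before touching the image
    mbr_partitions "$img" | while read -r idx ptype start size; do
        echo "partition $idx: type 0x$(printf '%02x' "$ptype"), start sector $start, $size sectors"
        mount_partition "$img" "$start" "$case_dir/p$idx"
        scan_mount "$case_dir/p$idx" "$case_dir/p$idx.clamav.log" || true
        hash_hits "$case_dir/p$idx" "$hashset" > "$case_dir/p$idx.hashhits.txt"
        umount "$case_dir/p$idx"
    done
    sha256sum -c "$case_dir/image.sha256"                # confirm the image is unchanged
fi
```

The mount is the whole procedure the thread converges on: `ro` plus `loop,offset=` gives per-file access without ever writing to the image, and the image hash taken before and after is the check that it stayed that way. The SMB variant from the thread fits on top of this by exporting the mount point read-only from Samba and pointing a second Windows scanner at the share. As jakec notes, a clean result from either engine only says that nothing known to that engine was found; the hash comparison has the same limitation, which is why both are triage steps rather than a clean bill of health.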