Scanning Images

Scanning Images

Post Posted: Tue Nov 28, 2006 12:49 pm

All,

First off, I'd like to hear how folks are scanning imaged systems for malware. I know that you can mount the image in EnCase's virtual file system, or you can use LiveView to open up a dd image as a running system in VMware.

Given, say, just a dd image, what are some other methods for scanning for malware?

This brings me to the issue of artifacts. Do you think it would be feasible to develop classes of artifacts such that exploits or other issues (malware, etc) could be easily culled from an image?

Harlan  

keydet89
Senior Member

Re: Scanning Images

Post Posted: Tue Nov 28, 2006 7:21 pm

That could be one of the Holy Grails of CF. It seems I have to do a lot of research every time I run across a new possible artifact or malware that I don't know the artifacts of. I don't experience it enough to build a viable personal repository; I need the impact of many other folks' discoveries.

As for dd images, I almost totally rely on finding artifacts or other traces of malware files. I have been playing with the Liveview/VMW combo, but my results are really mixed.

Bill
_________________
Replicants are like any other machine - they're either a benefit or a hazard. If they're a benefit, it's not my problem 

deckard
Senior Member


Re: Scanning Images

Post Posted: Tue Nov 28, 2006 8:11 pm

> That could be one of the Holy Grails of CF

Perhaps. This is something I've been wrestling with lately...a viable means of cutting through the "noise" in an image or on a live system. My thinking is that if something like this can be developed, something that can be used, then it *will* be used...and maybe we can move away from the mentality of reformatting the hard drive and reinstalling the OS.  

keydet89
Senior Member


Re: Scanning Images

Post Posted: Tue Nov 28, 2006 11:47 pm

At one time I simply scanned disk images via network devices' SMB shares for the presence of viruses and malware, initially just to detect if anything was present.
I prefer to mount the image copy read-only in loopback mode on Linux, allowing individual file granularity for the scanning. I have found it beneficial to use two different virus/malware products. This process is slower than direct-attached devices. On the plus side, I can access the data from different systems. I have one system set up for scanning and another one with forensic tools.
_________________
Give a man a fish and he can eat today. Teach the man how to fish and he will be able to eat his whole life. 

az_gcfa
Senior Member


Re: Scanning Images

Post Posted: Wed Nov 29, 2006 8:35 am

Yes, if you wanna do it for free... mount the dd image (partitions) as a LOOP DEVICE in Linux, open up an SMB share, and scan it using Windows.

SIMPLE! (o:  

Member
Member


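The read-only loopback procedure from the two posts above (mount a partition of the dd image read-only on Linux, scan it there, or offer it over an SMB share to a Windows scanner) as an added example script; this is not code from the thread or from any poster. It assumes Linux with util-linux (sfdisk, mount, losetup), GNU coreutils and clamscan on PATH; the image path, partition number, mount point, share name and the sfdisk dump text are all hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: mount one partition of a raw dd
# image read-only through a loop device, scan it with ClamAV, and optionally
# expose the mount point as a read-only Samba share for a Windows scanner.
# Assumptions: Linux with util-linux (sfdisk, mount, losetup), GNU coreutils,
# clamscan on PATH; every path, partition number and mount point is hypothetical.

# Start sector of partition N from `sfdisk -d` (dump) output read on stdin.
# Dump lines look like:  disk.dd2 : start=      411648, size=     1638400, type=7
start_sector_from_dump() {
    awk -v n="$1" '
        $2 == ":" && $1 ~ ("[^0-9]" n "$") {
            s = $0
            sub(/.*start=[ ]*/, "", s)   # keep the text after "start="
            sub(/[^0-9].*/, "", s)       # keep only the leading digits
            print s
            exit
        }'
}

# Sector size advertised in the dump ("sector-size: 512"); empty if absent.
sector_size_from_dump() {
    awk '$1 == "sector-size:" { print $2; exit }'
}

# Byte offset of partition $2 given the dump text in $1 (fails if not found).
partition_offset() {
    start=$(printf '%s\n' "$1" | start_sector_from_dump "$2")
    ss=$(printf '%s\n' "$1" | sector_size_from_dump)
    [ -n "$start" ] || return 1
    echo $(( start * ${ss:-512} ))
}

# Mount options for the evidence copy: read-only loop mount at the partition
# offset, with exec/suid/device nodes disabled so nothing on the image can run.
mount_options() {
    printf 'ro,loop,noexec,nosuid,nodev,offset=%s\n' "$1"
}

# Mount partition $2 of image $1 at $3 (needs root). With recent util-linux the
# loop device behind "ro,loop" is itself read-only; confirm with: losetup -l
mount_image_partition() {
    image=$1; part=$2; mnt=$3
    dump=$(sfdisk -d "$image") || return 1
    off=$(partition_offset "$dump" "$part") || {
        echo "partition $part not found in $image" >&2; return 1; }
    mkdir -p "$mnt"
    mount -o "$(mount_options "$off")" "$image" "$mnt"
}

# Scan the mounted tree. clamscan exit codes: 0 clean, 1 detections, 2 error.
scan_mount_point() {
    clamscan -r -i --log="$2" "$1"
}

# smb.conf stanza offering the mount point read-only to a Windows scanner (the
# "open up an SMB share" approach above). "read only = yes" keeps the share
# write-proof even if the underlying mount were ever remounted rw by mistake.
smb_share_stanza() {
    printf '[%s]\n   path = %s\n   read only = yes\n   browseable = yes\n   guest ok = no\n' "$1" "$2"
}

# Usage (as root): sh scan_image.sh /cases/CASE-0001/evidence.dd 2 /mnt/evidence
if [ $# -eq 3 ]; then
    mount_image_partition "$1" "$2" "$3"
    scan_mount_point "$3" "/var/log/clamscan-$(basename "$1").log"
    echo "clamscan exit status: $?"
    umount "$3"
fi
```

Work on a verified copy of the image, never the original: a dirty NTFS volume may refuse a read-only mount, and the fix is not to let the driver repair it in place. Running two scanners over the same mount (one on Linux, one over the share) is what the post above recommends, and the clamscan exit code lets the wrapper record "detections" and "scan error" separately instead of treating both as "not clean".

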
Re: Scanning Images

Post Posted: Wed Nov 29, 2006 8:55 am

Harlan,

Scanning for malware on a system could be done any number of ways.
Some things I've done...

Tried Gargoyle (pretty useless when it comes to malware; not sure how it is with the other files it claims to be able to search for) on images mounted with Mount Image Pro.

Compared hashes against the nepenthes and offensivecomputing.net hashes.
I've yet to really delve into ssdeep for this purpose, but I imagine it would help an awful lot.

In my experience, anyway, I've noticed that the Windows-based antivirus tools kind of suck. BitDefender seems to come up with a lot of things that Symantec and others seem to miss regularly, so I mount an image in Linux and scan with BDC.

Artifact libraries, while a great idea, are almost impossible to develop. I guess libraries already exist for things like spyware or trojans, insofar as we have common search locations in the registry and the file system, but other than that, with point-and-click malware dev tools and the abundance of programmers out there, it would be extremely difficult to create an accurate library.

That said...
Someone *could* write a crawler that rips through the AV vendors' sites to pull out the relevant technical sections of the malware descriptions, organize them by class, and generate a generic library that way, but it would still be behind the curve.

hogfly
Senior Member


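The hash comparison hogfly describes (hashing everything on the mounted image and matching against a known-malware hash set) as an added example script, not code from the thread or from any poster. It assumes GNU coreutils (find, sha256sum, grep, mktemp); the hash-list format (one hex digest per line, comments allowed), the sample files and the digests are constructed here and are not real indicators.

```shell
#!/bin/sh
# Added example, not code from the thread: hash every file under a read-only
# mounted image and report those whose SHA-256 appears in a known-malware hash
# list, i.e. the hash comparison hogfly describes. Assumptions: GNU coreutils
# (find, sha256sum, grep, mktemp); the list format (one hex digest per line,
# comments allowed) and all sample files and hashes below are constructed.

# Emit "digest  path" for every regular file under the tree in $1.
hash_tree() {
    find "$1" -type f -exec sha256sum {} +
}

# Turn a raw hash feed into one lowercase 64-hex digest per line:
# case-fold, drop comments/blank lines/partial values, remove duplicates.
normalize_hash_list() {
    tr 'A-F' 'a-f' < "$1" | grep -E '^[0-9a-f]{64}$' | sort -u
}

# Print the "digest  path" lines of files whose digest is on the list.
# Returns 0 whether or not anything matched; an empty list matches nothing.
find_known_bad() {
    tree=$1
    list=$(mktemp)
    normalize_hash_list "$2" > "$list"
    if [ -s "$list" ]; then
        hash_tree "$tree" | grep -F -f "$list" || true
    fi
    rm -f "$list"
}

# Self-contained demo on a constructed tree; the "malware" is a text file and
# its digest is computed here, not taken from any real feed.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/Windows/Temp"
    printf 'just a readme\n' > "$work/tree/readme.txt"
    printf 'CONSTRUCTED sample payload, not real malware\n' > "$work/tree/Windows/Temp/dropped.exe"
    bad=$(sha256sum "$work/tree/Windows/Temp/dropped.exe" | cut -d' ' -f1)
    {
        echo '# constructed known-bad list'
        echo ''
        echo "$bad" | tr 'a-f' 'A-F'                 # upper-case, as some feeds publish
        echo 'deadbeef  # truncated value, must be ignored'
    } > "$work/known_bad.txt"
    find_known_bad "$work/tree" "$work/known_bad.txt"
    rm -rf "$work"
}

# Usage: sh hash_match.sh demo   (or call find_known_bad /mnt/evidence list.txt)
if [ "${1:-}" = demo ]; then
    demo
fi
```

An exact-hash match only catches samples already in the list byte for byte, which is the limitation jakec raises below; a repacked or trivially modified variant gets a new digest and slips through. That is where the fuzzy hashing (ssdeep) hogfly mentions fits in, as a second pass over the same `hash_tree` output rather than a replacement for it.

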
Re: Scanning Images

Post Posted: Wed Nov 29, 2006 9:35 am

I had success mounting the dd image as a RO loopback under Linux and scanning it with ClamAV.

I don't think we should move away from the mentality of reformat/reinstall because, as with all malware scanners, you can only detect malware that is known to the scanner. There is no guarantee that your system is clean simply because your AV software says it's clean.

jakec
Newbie

Page 1 of 3