Notifications
Clear all

usb write blocker  

  RSS
d4n13l4
(@d4n13l4)
New Member

Hello

So I was doing this incident reponde and advanced forensics course from cybrary.it that states that for extracting evidences you should have a "clean usb" with write blocker to avoid copying anything to the infected machine.

But I'm failing to understand how will I be able to copy the malicious executable from the infected machine to the usb drive if it has this write block?
The course also says you can have a "useful tools" folder and then I read that the write blockers allow to execute commands so this means I would have to have some kind of copy command to extract the malicious file?

What I want is to have someone accesing the infected machine using this "clean usb" and extracting the malicious file

Thanks!

Quote
Posted : 03/05/2019 3:44 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Dear Daniela!

You should go a bit deeper and learn the right forensic ways )

By using a write blocker it will prevent the infection of the pendrive. This is very useful when you try to create a ram dump of an infected machine, so your pendrive content and the tools running from the pendrive won't be altered in any way.

You shall never copy a malicious file to your devices. The good way is creating a binary image of the device data and analyze the image content later on. The analysis should be done in a sandbox or in a virtual machine, so in case of any infection, your forensic equipment and software would remain safe.

I hope it helps…

ReplyQuote
Posted : 03/05/2019 8:02 pm
d4n13l4
(@d4n13l4)
New Member

thanks for the reply

well my interest goes to the incident response part so I'm not looking for a deep forensics knowledge at the moment, particularly as my first post said for a way to extract the malicious file in an infected machine.

I still don't get how would I copy the image from the machine without infecting the usb.

ReplyQuote
Posted : 03/05/2019 8:58 pm
Share: