Am I being too strict re internet access on analysis PC?

(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
Topic starter  

I recently tried to upgrade some antivirus software on an analysis PC to Norton 2009. To activate the software, you have to be online. I know this is an old chestnut, but I like the idea of being able to say that an analysis PC has never been connected to the internet, therefore the risk of infection from this source is zero.

So what's the solution I am missing (short of being more flexible and plugging the network cable in)?

have a good weekend,

Pat

(@yunus)
Estimable Member
Joined: 17 years ago
Posts: 178

Well, even if you do not connect your Analysis Computer to the Internet, you are still at risk of infection from other sources, such as the CD drive, USB thumb drives, mapped network drives, etc. Never assume yourself completely free from infection, considering you have never ever got onto the Internet.

Secondly, what is infection? From a forensic point of view, anything outside your case is deemed infection. So, if you have a Windows system .dll file which was accidentally copied to your case files, there it is, you are infected. In other words, infection does not only come from the Net, but it may also come from the way you work.

If you want to be free from infection, use Standard Operating Procedures, that is the quality assurance, which we have recently gone through and achieved.

(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878

If you want to be free from infection, use Standard Operating Procedures, that is the quality assurance, which we have recently gone through and achieved.

What Standard Operating Procedures were those yunus? I'd be interested in finding out. Thanks.

(@visualad)
Active Member
Joined: 17 years ago
Posts: 6

I recently tried to upgrade some antivirus software on an analysis PC to Norton 2009. To activate the software, you have to be online. I know this is an old chestnut, but I like the idea of being able to say that an analysis PC has never been connected to the internet, therefore the risk of infection from this source is zero.

So what's the solution I am missing (short of being more flexible and plugging the network cable in)?

have a good weekend,

Pat

As it has already been pointed out, the net is not the only avenue by which you can acquire malicious software. If you ever have to extract files from images onto the analysis machine, you need to ensure that those files are not infected with any malware too.

My suggestion is to create a standard analysis machine, take a ghost image or convert it to a virtual machine and securely wipe the disk and restore that image for each new case. You know then that the machine is clear of any previous case data and/or malware.

(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
Topic starter  

Thanks for the replies.

The ghosting procedure is already in place and, yes, you are right, there are threats from all other sources of data. But I just like the idea of being able to say, in the box, that I can guarantee that there was no infection via the internet.

(@minesh)
Trusted Member
Joined: 18 years ago
Posts: 75

In the past, I'm sure Norton had the option to activate via phone; is this not an option anymore? I haven't used Norton in a long time, so not sure.

I hear Norton 2009 is a massive improvement upon previous releases (at least performance-wise, if not in detections).

Kind Regards,

Minesh

(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
Topic starter  

Yes, I had heard that it was better, hence the installation.

You are right, previous versions offered the alternative of activation via phone, but not anymore. This was confirmed by the support people.

(@mark777)
Estimable Member
Joined: 21 years ago
Posts: 101

What about having a machine with your antivirus on it that can be connected to both your network and the internet. Disconnect from your network and connect to the Internet and update. Disconnect from the Internet and run the antivirus over the computer to confirm it is clean. Then connect to your network and run the antivirus over the network drive you are working on.

You can also try Gargoyle Investigator™ Forensic Pro as well.

(@yunus)
Estimable Member
Joined: 17 years ago
Posts: 178

Standard operating procedures are lists of best practices in a laboratory environment for maintaining a reliable service. They include everything from your environment to what you should wear while working on a case. It is like, you can't bring in laptops from outside and plug them into the lab network, you can't use USB thumb drives from outside, you have to document all your actions during the examination.

So, in a lab environment you never have to get onto the internet for antivirus updates, as all machines are updated by an antivirus update server; however, it is not 100% malware-free either.

If you are working on your own (without a laboratory team where there is no enterprise antivirus and security management system), you have to take your own measures.

Remember, no computer or system is or will remain virus- or malware-free, even after a clean installation. Sooner or later, they will get infected with malicious code. So, it is just natural.

It is like the human body. All humans will get into contact with viruses either this way or that way. What matters is to be aware of it as soon as possible and to get rid of it, either by cleaning it or by re-installing your system, and not to be affected by it.

In order to keep your workstation (body) strong against viruses, you have to keep your antivirus software updated, just like vaccines, so connect it to the update web site if that is the only way to do it. Anyway, it is better to have updated antivirus software on the analysis machine than not to do it at all and be vulnerable to hundreds more, just because you want to make yourself believe in something that is not true.

There is nothing wrong with updating your antivirus. Simply update it, do not surf or stay on the internet. Infection, in terms of computer forensics, does not just refer to viruses, but it refers to anything that comes from outside into the case files. So, rather than guaranteeing that you have not ever got online, just try to guarantee that your case files are exactly what they are on the suspect computer and not contaminated at all.

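The point above about guaranteeing that case files are exactly what was on the suspect machine can be checked mechanically. The following is an added example, not code from the thread or from any product it mentions: it records a SHA-256 manifest of a case directory at acquisition and later reports files that were modified, went missing, or appeared unexpectedly (such as a stray system .dll copied in by the examiner's own workflow). The directory layout and file contents are constructed sample data.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large evidence images do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(case_dir: Path) -> dict[str, str]:
    """Hash every file under case_dir, keyed by its POSIX-style relative path."""
    return {
        p.relative_to(case_dir).as_posix(): sha256_file(p)
        for p in sorted(case_dir.rglob("*"))
        if p.is_file()
    }


def verify_manifest(case_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the directory's current state against the manifest taken at acquisition."""
    current = build_manifest(case_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: acquire, then contaminate the case directory, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp)
        (case / "evidence.E01").write_bytes(b"constructed sample image bytes")
        (case / "notes.txt").write_text("acquisition notes, constructed sample")
        manifest = build_manifest(case)  # taken before any analysis work
        # Contamination from the examiner's workflow, as described in the thread:
        (case / "msvcrt.dll").write_bytes(b"constructed stand-in for a copied system file")
        (case / "notes.txt").write_text("edited after acquisition")
        return verify_manifest(case, manifest)


if __name__ == "__main__":
    print(demo())
```

Run the manifest step on the acquisition machine and keep the manifest with the case record; the verify step then gives a defensible answer about contamination regardless of whether the analysis PC was ever online.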
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
Topic starter  

We are straying a little off topic.

All I was saying was that with previous versions of Norton Anti Virus, I could install and register the software on an isolated, standalone PC (with updates coming over via CD or thumb drive) and now I can't.

Thanks, Norton
