On a stand-alone forensic computer is it advisable to install anti-virus software? If so, what software would you recommend? What speed reduction have you experienced when it is installed?
Personally I only ever install and use anti-virus software when a customer requires that a scan be carried out or for specific jobs that involve malware attacks.
Would your views and recommendation change for a small closed forensic network with a server and several forensic workstations?
On a stand-alone forensic computer is it advisable to install anti-virus software? If so, what software would you recommend? What speed reduction have you experienced when it is installed?
Personally I only ever install and use anti-virus software when a customer requires that a scan be carried out or for specific jobs that involve malware attacks.
It seems to me a correct approach.
The theory of operation (not necessarily doable in practice) is to re-image the workstation "clean" before any investigation, or to use a PE (or other live/volatile OS).
But nothing prevents you from installing/using a non-real-time scanning antivirus (no slowdowns due to the antivirus) to check the contents of an image.
After all, I doubt you are going to double click on .exe's or similar, and the whole point of forensics is normally to use a read-only or non-modifiable image, or at the very least, needed changes - if any - should be fully documented and in the "full control" of the investigator, whilst a real-time anti-virus may either block your work, nagging with errors about its attempts to do something on read-only mounted media, or actually change something on it outside your direct control.
Besides, good luck if you are using "minor" or non-commercial (or self-written) tools; only as an example, a lot of AutoIt or AutoHotKey scripts/programs tend to trigger anti-virus heuristic engines (and tools intended to have direct access to disk, memory etc. tend as well to have instructions that are "common" with some forms of virus/malware and may likewise trigger the heuristic engines).
Would your views and recommendation change for a small closed forensic network with a server and several forensic workstations?
Not really, though of course when you enter a multi-user setup the weak link becomes the less knowledgeable user.
jaclaz
If you're the police no real need.
If you're the defense, looking for viruses, malware, rootkits, etc, should all be part of the plan.
If you're the police no real need.
No! Our job is to seek the facts - inculpatory or exculpatory. We do malware scans.
You may do malware scans. In the vast majority of all cases I've done, police do not do any scans.
All I have to go on is the Detective's report, depo, and trial testimony. If asked and they don't mention it, then I can't assume that they did it.
Always install anti-virus software.
You don't have to manually scan anything, but your OS should have a broad-based malware protection mechanism.
Hi Phobby. What anti-virus do you recommend, and what effect has it had on the performance of your workstation?
I ask this because it appears to be a requirement by UKAS for ISO accreditation.
We test the performance impact of anti-virus (AV) software. Example report here:
https://www.passmark.com/reports/Consumer_Security_Products_Performance_Benchmarks_2019_Ed_2.pdf
Some of the AV products are awful. They can double or triple the time required to do certain tasks (e.g. download a web page, copy files, etc.). So they can certainly have an impact on your productivity.
But most of the commercial forensics tools don't mount disk images to a drive letter. Which means that the AV tool and the operating system itself don't see the disk being investigated. Instead they do direct sector access to parse the MFT themselves. So most of the time the AV product doesn't see the files in the disk image and doesn't scan them.
There are some exceptions to this however. The big one for us being temporary files. When a disk image is scanned (e.g. for hashing or word indexing) then all the container files need to be opened up. So you might have a PDF, in a Zip, in an Email, which is all in a PST file. And to extract the PDF file you need to write some temporary files into a location that is visible to the AV. Then the scanning takes place. This has three bad effects:
1) It can dramatically slow everything down, especially when there is a large number of small files.
2) The AV blocks access to the temp file while the AV scan takes place. Which can result in errors being thrown in the forensics tool, as the blocking returns a general access denied error. It is difficult for the forensics tool to know when and if the file will become available. So even if the scan takes 0.5 seconds per file, the forensics tool might be delayed for seconds per file. This is a big deal if you have a million files.
3) If a suspect file is found by the AV, then the temp file gets deleted or quarantined. So from the point of view of the forensics tool this is really unexpected. The tool writes a file, then tries to re-read the file 500ms later and the file is gone! This results in more errors and the file in question being skipped (e.g. not hashed, or not indexed).
So by all means install an AV solution if you think you need one, but turn it off for particular activities, or configure the AV to never monitor the temp folder(s) / drive(s).
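The two failure modes described in the post above (the AV holding the temp file open so reads get access denied, and the AV quarantining the temp file so it vanishes between write and re-read) are exactly what a container-extraction routine has to tolerate if it is to produce an accountable report rather than a pile of errors. The following is an added illustration, not code from PassMark or from any forensic tool mentioned in the thread; the helper names (`hash_temp_file`, `extract_and_hash`, `process_members`) and the `opener` parameter are hypothetical, and the sample members are constructed. It retries on access denied with backoff, and records a quarantined file as skipped with a reason instead of silently dropping it.

```python
import hashlib
import logging
import os
import tempfile
import time

log = logging.getLogger("extract")

# Outcome codes: the tool must record *why* a file has no hash, because a
# missing entry in the report needs an explanation the examiner can give.
OK, LOCKED, QUARANTINED = "ok", "locked", "quarantined"


def hash_temp_file(path, opener=open, retries=5, base_delay=0.05):
    """Hash a freshly written temp file while a real-time AV may be scanning it.

    PermissionError -> the scanner has the file open and access is denied
    (effect 2 above): retry with exponential backoff, then give up as LOCKED.
    FileNotFoundError -> the scanner deleted or quarantined the file
    (effect 3 above): report QUARANTINED rather than skipping it silently.
    `opener` (hypothetical parameter) lets a test stand in for the AV behaviour.
    """
    delay = base_delay
    for attempt in range(1, retries + 1):
        try:
            with opener(path, "rb") as fh:
                return OK, hashlib.sha256(fh.read()).hexdigest()
        except PermissionError:
            log.warning("%s locked (attempt %d/%d), retrying in %.2fs",
                        path, attempt, retries, delay)
            time.sleep(delay)
            delay *= 2
        except FileNotFoundError:
            log.error("%s vanished after write: AV quarantine or deletion", path)
            return QUARANTINED, None
    return LOCKED, None


def extract_and_hash(name, payload, temp_dir, opener=open, **kw):
    """Write one container member (bytes) to temp_dir, hash it, clean up."""
    path = os.path.join(temp_dir, name)
    with open(path, "wb") as fh:
        fh.write(payload)
    try:
        return hash_temp_file(path, opener=opener, **kw)
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass  # already gone: quarantined by the AV


def process_members(members, temp_dir, opener=open, **kw):
    """members: iterable of (name, bytes). Returns {name: (status, sha256)}
    so that every skipped file is accounted for in the final report."""
    return {name: extract_and_hash(name, data, temp_dir, opener, **kw)
            for name, data in members}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample members standing in for "a PDF in a Zip in a PST".
    sample = [("report.pdf", b"%PDF-1.4 constructed sample"),
              ("notes.txt", b"constructed text member")]
    with tempfile.TemporaryDirectory() as td:
        for name, (status, digest) in process_members(sample, td).items():
            print(f"{name}: {status} {digest}")
```

The retry loop addresses the delay problem only partially (a file that stays locked for longer than the total backoff is still reported as LOCKED), which is why the post's other recommendation, excluding the tool's temp directory from real-time monitoring, is the more robust fix; the code above is the safety net for when that exclusion is missing or misconfigured.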
My principal focus is IR forensics so the expedient identification of malware is a common requirement and most images we take in will be scanned at the outset for quick identification of malware for further analysis.
We run AV on our workstations (specifically ESET) with the majority of default protections in place, and have not noticed a performance impact. This is supplemented with multiple AV solutions which are licensed and kept updated for use in scanning mounted images.
Very interesting test benchmark, thanks.
What surprised me (and that is good to know) is that current/recent Norton is as fast as (or faster than) ESET; the good guys at Symantec must have made some very relevant changes since - traditionally - ESET was of "light" impact on common operations whilst Norton used to be a snail (actually a snail trawling through molasses, wink).
jaclaz