Evidence contains viruses

triple_a
(@triple_a)
New Member

Working on a case where the evidence (hard disk drive) contains viruses.

Do I take the image without removing the viruses and start the examination?

or

Do I have to scan the hard drive and remove the viruses before taking the image?

Posted : 16/07/2012 11:12 pm
PaulSanderson
(@paulsanderson)
Senior Member

Image before - why would you want to change the evidence? The viruses will only become a problem if you try to look at/run the infected files on your system, and hopefully your AV scanner will pick them up.

Posted : 17/07/2012 1:24 am
TuckerHST
(@tuckerhst)
Active Member

Furthermore, if you have virus scanning software running while the evidence is being processed, it may interrupt or otherwise interfere with the processing. Acquire the drive as is; process it without anti-virus software running; then if there's some reason that the malware may be germane to the case, scan for it, identify it, and document what it might have done to the system.

Posted : 17/07/2012 2:44 am
triple_a
(@triple_a)
New Member

PaulSanderson and TuckerHST, thanks for your prompt reply.

I will turn off the antivirus and take the image from the evidence as it is.

Posted : 17/07/2012 2:07 pm
csericks
(@csericks)
Member

As previously alluded to, DON'T ALTER ORIGINAL EVIDENCE, unless dire or exigent circumstances dictate otherwise–in which case, you thoroughly document your procedure and the effect on the evidence.

That said, after you forensically image the source (i.e. make a bit-for-bit copy, after write-blocking the source):

1) Make a forensic copy of that image. This is now your "Working Copy."

2) Mount your Working Copy as a READ-ONLY network share or logical drive. This is easily done with FTK Imager, EnCase, or your favorite proven method.

3) Run AV against the share/drive. Don't worry about quarantine of suspect artifacts. It won't matter, since you–of course–complied with #2's instructions and mounted your Working Copy as READ-ONLY.

4) Export suspect artifacts for later analysis or reverse-engineering.

5) Dismount your share/drive and proceed with analysis as your situation or warrant dictates.

Posted : 22/07/2012 9:18 am
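A shell version of the image / working-copy / read-only scan workflow described in the post above, added here as an example and not csericks' own tooling. It assumes Linux with sha256sum, dd, mount and clamscan, a hardware write blocker in front of the source, root for the loop mount, and placeholder paths; the hash checks around each step are what document that the evidence was never altered.

```shell
#!/bin/sh
# Added example (not from the thread): preserve-then-scan workflow with integrity checks.
# Assumptions: Linux, sha256sum/dd/mount/clamscan present, source behind a hardware write
# blocker, root for the loop mount; every path below is a placeholder.

# Print the SHA-256 of a file.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Step 0: acquire the write-blocked source device bit-for-bit into the master image.
acquire_image() {   # acquire_image /dev/sdX master.dd
    dd if="$1" of="$2" bs=4M conv=noerror,sync status=progress
    hash_file "$2" > "$2.sha256"   # acquisition hash, recorded alongside the master
}

# Step 1: copy the master and prove the working copy is identical; prints the shared hash.
make_working_copy() {   # make_working_copy master.dd working.dd
    cp "$1" "$2"
    m=$(hash_file "$1"); w=$(hash_file "$2")
    if [ "$m" != "$w" ]; then
        echo "working copy does not match master" >&2
        return 1
    fi
    echo "$w"
}

# Compare a previously recorded hash against a file; non-zero exit means the file changed.
check_unchanged() {   # check_unchanged <recorded-hash> file
    [ "$1" = "$(hash_file "$2")" ]
}

# Steps 2-5: mount the working copy read-only, run AV, unmount, confirm nothing changed.
scan_readonly() {   # scan_readonly working.dd /mnt/case scan.log
    before=$(hash_file "$1")
    mkdir -p "$2"
    # ro + noexec: the scanner can report but cannot quarantine, delete or execute anything.
    # A whole-disk image additionally needs the partition offset (offset=<bytes>).
    mount -o ro,loop,noexec,nosuid "$1" "$2"
    # clamscan exits 1 when infected files are found; that is a result, not a failure.
    clamscan -r --infected --log="$3" "$2" || true
    umount "$2"
    check_unchanged "$before" "$1" || { echo "image changed during scan" >&2; return 1; }
    echo "$before"
}
```

Export of suspect files (step 4) is done from the same read-only mount before `umount`, using the scan log as the list of paths.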