Forensic Images & Viruses

(@tomforman)
Eminent Member
Joined: 18 years ago
Posts: 29
Topic starter  

Hi everyone!

This may be a little simple, but I thought I would ask it anyway :-) so thanks for being patient.

The Situation
When indexing an image using FTK, my on-demand AV detects viruses within the image and throws up a warning box (as you would expect).

I obviously understand that when the indexing function is processing the image, all the files are passed through the host machine's RAM and indexed by FTK.

The Question
Am I correct in assuming that the virus code within the RAM is detected while in an inactive state?

Or alternatively, is the virus code in an active state and the AV is in fact preventing the host machine from being infected?

The Quandary
By having the on-demand scanner enabled, the FTK indexing process is a lot slower than having it disabled (and then performing full system scans at the weekend).

However, if the AV is disabled then I potentially run the risk of the machines becoming infected.

Conclusion
Can the host machine become infected by a virus within a forensic image during the Indexing process of FTK?

Thanks for your time.

azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

As the image passes through memory, none of the code is "active"; it is merely a stream of bits.

Look at it this way: if every bit of code that is in that image were to be started, not only would you have two of all of the standard Windows utilities running, but also quite possibly Word, Excel, Doom, Firefox etc., basically every program on the disk …

Now that's not to say that you can't get infected - once the indexing is finished, you are capable of running things/opening things from the FTK GUI, and if you do this with an infected program - then you'll have an issue.

Either create an exemption for files of the type .img, .dd or whatever, or turn off the AV during the indexing process - but turn it on again on completion.

This has been discussed before on the forum, have a look around and see what else is out there :-)

(@tomforman)
Eminent Member
Joined: 18 years ago
Posts: 29
Topic starter  

Thanks for the quick reply,

We already exclude image files (E01, dd etc.); however, it's the FTK temp files which appear to get caught by the AV, not the image.

My thought process was more to do with the exploits viruses use to run themselves within RAM and possible security issues with the indexing process.

However, this may be due to too much coffee.

Thanks once again, I'll take a look around some more.

azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

I'm not sure in computing there is ever such a thing as too much coffee :-)

You are spot on that there are some fun things that virii do whilst in memory; however, you still need to execute the code to get it in there in the first place. What I think that you might be thinking of more is that there is often discussion of exploiting flaws in the forensic application (e.g. buffer overflows etc.) by deliberately planting malformed data on a disk to subvert the examination process of an image at a later date. I believe that such discussions are largely theoretical, and, whilst I don't doubt that enough of the applications that we use are seriously flawed … (see FTK 2 discussion threads 😉) … I don't think that, at this point in time at least, this is a genuine risk.

(@tomforman)
Eminent Member
Joined: 18 years ago
Posts: 29
Topic starter  

Yeah thanks,

This was what I was thinking about, though I admit it wasn't put down on "paper" very well :-)

I wonder if this sort of exploit is something we will see in the future once people become more aware of CF?

(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

however, it's the FTK temp files which appear to get caught by the AV, not the image

I haven't used FTK but I presume the temp files are written to some kind of directory? Can you exclude that directory from your AV scanning?

Ronan

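One way to implement the scoped exclusions suggested by azrael (image file types) and Ronan (the FTK temp directory) without switching the scanner off entirely. This is an added example, not code from the thread or from FTK; it assumes a Windows examination host running Microsoft Defender, and the image store and temp directory paths are placeholders you must replace with your own.

```powershell
# Added example: scope AV exclusions to the image store and FTK temp directory
# for the duration of an index run, then remove them when indexing completes.
# Assumes Microsoft Defender (Add-MpPreference / Get-MpPreference / Remove-MpPreference).
# The two paths are placeholders; substitute the locations used on your workstation.
#Requires -RunAsAdministrator

$ImageStore = 'D:\Evidence\Images'       # placeholder: where the E01/dd images live
$FtkTempDir = 'D:\FTK\Temp'              # placeholder: where FTK writes its temp files
$ImageExts  = @('E01', 'dd', 'img')      # image extensions mentioned in the thread

function Enable-IndexingExclusions {
    # Path- and extension-scoped exclusions only; real-time protection stays on
    # for everything else on the host, which is narrower than disabling the AV.
    Add-MpPreference -ExclusionPath $ImageStore, $FtkTempDir
    Add-MpPreference -ExclusionExtension $ImageExts
}

function Disable-IndexingExclusions {
    # Restore full coverage once indexing has finished, as azrael recommends.
    Remove-MpPreference -ExclusionPath $ImageStore, $FtkTempDir
    Remove-MpPreference -ExclusionExtension $ImageExts
}

function Test-IndexingExclusions {
    # Confirm the scanner actually registered the exclusions before a long index run.
    $pref = Get-MpPreference
    $missingPaths = @($ImageStore, $FtkTempDir) | Where-Object { $pref.ExclusionPath -notcontains $_ }
    $missingExts  = $ImageExts | Where-Object { $pref.ExclusionExtension -notcontains $_ }
    if ($missingPaths -or $missingExts) {
        $missing = (@($missingPaths) + @($missingExts)) -join ', '
        Write-Warning "Exclusions not applied: $missing"
        return $false
    }
    return $true
}

# Usage: apply before starting the FTK index, verify, and remove afterwards.
Enable-IndexingExclusions
if (Test-IndexingExclusions) {
    Write-Host 'Exclusions in place. Run the FTK index, then call Disable-IndexingExclusions.'
}
```

Carved temp files under the excluded directory will still be picked up by the weekend full scan once the exclusions are removed, which is the trade-off the thread describes.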
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

I wonder if this sort of exploit is something we will see in the future once people become more aware of CF?

I don't honestly think that outside an academic environment the practice will take off - yeah, it's a cool idea, but it's a lot easier to encrypt, and you don't have to constantly rewrite your encryption each time the vendor adds a patch … Also, it's not like Windows or Linux to exploit, not every man and his dog has a copy - so the people who are going to do the research are going to be pretty select in any case.

This is, incidentally, a good justification for verifying all of your results using more than one tool. The chances of both being vulnerable in the same way are pretty slim.

Ronan makes a good point - funnily, my FTK doesn't clash with my AV … What are you using?
