
Mobile extractions infecting your investigative platform?

hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303
Topic starter  

I was recently asked whether or not you could obtain malware from a mobile extraction and then have it infect the computer you were using to view the data.

In a perfect world I would assume the best practice would be to only use computers for examinations that are not connected to the internet. I would also think that the computer should have the most updated virus protections and to run it against any downloads prior to viewing.

The reason I am asking is that in this case I don't believe any of these best practices are being followed.

In general what are you folks doing AND does anyone know of cases involving malware obtained from a mobile extraction infecting a work station?

Many thanks!


   
Quote
troyschnack
(@troyschnack)
Active Member
Joined: 9 years ago
Posts: 13
 

The majority of malware on phones is OS-dependent. So malware on Android wouldn't infect a workstation running Windows. It is possible that a phone could be storing Windows malware just waiting to be shared with a computer system, but I'd say that's unlikely. Also keep in mind that many mobile forensic tools require that AV be turned off to allow mobile OS attacks to attempt root access.

I've never had a mobile device acquisition infect the workstation.

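An added example, not posted by anyone in this thread, of the OS-dependence point made above: the question for the examiner's workstation is not "is there malware in the extraction?" but "is there anything in the extraction that the workstation itself could execute?". The script below triages files from an extraction folder by their header bytes rather than their extension (a renamed PE is still a PE), and reports which ones match the examiner's own platform. The labels, the `RUNS_ON` policy table and the sample blobs are my own constructions, not from any forensic tool; the sample blobs are minimal synthetic headers, not real malware.

```python
"""Triage files from a mobile extraction by what they could actually execute on.

Added example, not from the thread: classification is by magic bytes, not by
file extension. Labels, policy table and sample files are constructed here.
"""
import io
import os
import struct
import zipfile

ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64", 0x28: "arm", 0xB7: "aarch64"}
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

# Hypothetical policy: which labels the examiner's own workstation could run natively.
RUNS_ON = {
    "windows": {"windows-pe", "dos-mz", "java-jar"},
    "linux":   {"elf-x86", "elf-x86-64", "java-jar"},
    "macos":   {"macho", "java-jar"},
}


def classify_bytes(data: bytes) -> str:
    """Return a coarse format label from magic bytes; 'data' when nothing matched."""
    if data[:2] == b"MZ":
        # e_lfanew at 0x3C points at the PE signature; a bare MZ is only a DOS stub.
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "windows-pe"
        return "dos-mz"
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        little = data[5] == 1                       # EI_DATA: 1 = little-endian
        machine = struct.unpack_from("<H" if little else ">H", data, 18)[0]
        return "elf-" + ELF_MACHINES.get(machine, "0x%x" % machine)
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if data[:4] == b"dex\n":
        return "android-dex"
    if data[:4] == b"PK\x03\x04":
        try:
            names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "AndroidManifest.xml" in names or "classes.dex" in names:
            return "android-apk"
        if "META-INF/MANIFEST.MF" in names and any(n.endswith(".class") for n in names):
            return "java-jar"
        return "zip"
    return "data"


def can_run_on_host(label: str, host: str) -> bool:
    """True when the examiner's workstation platform could execute this format."""
    return label in RUNS_ON[host]


def scan_directory(root: str, host: str = "windows"):
    """Walk an extraction folder; yield (path, label, runs_on_host) for every file."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            label = classify_bytes(data)
            yield path, label, can_run_on_host(label, host)


def sample_blobs() -> dict:
    """Constructed stand-ins for files in an extraction (synthetic headers, not malware)."""
    pe = bytearray(0x44)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)          # e_lfanew -> 0x40
    pe[0x40:0x44] = b"PE\x00\x00"
    elf = bytearray(0x40)
    elf[:4] = b"\x7fELF"
    elf[4], elf[5] = 2, 1                           # 64-bit, little-endian
    struct.pack_into("<H", elf, 18, 0xB7)           # AArch64: an Android native library
    apk = io.BytesIO()
    with zipfile.ZipFile(apk, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
    return {
        "Download/invoice.pdf.exe": bytes(pe),      # a Windows PE behind a double extension
        "lib/arm64/libnative.so": bytes(elf),
        "Download/app-release.apk": apk.getvalue(),
        "DCIM/IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    }


if __name__ == "__main__":
    for name, blob in sample_blobs().items():
        label = classify_bytes(blob)
        print("%-28s %-12s runs on a Windows examiner box: %s"
              % (name, label, can_run_on_host(label, "windows")))
```

Run it against a real extraction with `scan_directory("/path/to/extraction", host="windows")`; the APK and AArch64 library show up as Android-only, while the renamed PE is the one file worth handing to AV or a sandbox before anything on the workstation opens it. The check is deliberately format-based, so it also catches a JAR, which runs wherever a JRE is installed regardless of the host OS.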
passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

Whenever possible, we use virtual machines for our examinations. So far we haven't had any virus/malware issues, but if it happens, we'll just simply delete the VM and start over with a clean platform.


Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
 

Whenever possible, we use virtual machines for our examinations. So far we haven't had any virus/malware issues, but if it happens, we'll just simply delete the VM and start over with a clean platform.

Do you ever have issues with dongle detection, out of interest?


Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
 

I do note from time to time that my AV (Vipre) will block some items when I'm dumping a phone download for a client.

In some cases they appear to be genuine malware attachments to emails etc, but in most cases they are false positives.

I always suspected that perhaps some legitimate mobile apps are coded in such a way that they get flagged by computer AV, but I'm not really sure.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

In a perfect world I would assume the best practice would be to only use computers for examinations that are not connected to the internet.

… with a freshly installed OS on a previously wiped disk or just re-imaged from a pristine condition image (… in a perfect world).

jaclaz


RonS
(@rons)
Reputable Member
Joined: 17 years ago
Posts: 358
 

This is a very good question, and it illustrates yet another advantage of a stand-alone dedicated extraction solution such as the Cellebrite UFED Touch, which was designed to be protected.

