Hello, I'm new in this world. I finished a cybersecurity course and joined a company to build a forensic team. I don't have any problem with system management, but I have some questions about forensics:
1- If I analyze a malware RAM dump, I'm only checking its content and I don't execute any process, so can I get infected?
2- The same with an HDD: if I get, for example, a dd image and I analyze it, can I get infected?
3- Real case: I got a RAM dump with DumpIt and an HDD image with FTK Imager. I want to analyze them with Volatility and the TSK tools, and I would like to know if I can get infected, and if those tools are really useful or whether I should use different ones.
Thank you for your time, and it's a pleasure to help and get helped in a community like this one! :)
In all cases you can get infected. Take the term connect - infect. A sandboxed environment helps to limit it to a local infection. If you set up virtualized zones, you can clean them afterwards without the huge need to set everything up again completely.
In general, what is worse? To be infected or not? Act like you are always infected. If you doubt, you are safe. The other way around, you are technically dead but not aware of it.
Thank you for the answer. I thought that because I am analyzing a RAM dump I can't get infected, since I don't really execute anything, I just analyze the memory content, but I was wrong :(. The problem is that in my job I don't have a sandbox or virtualized environment, so I can't be safe while I analyze something; probably I should test this at home in a forensic lab.
Thank you for your time and your answer.
1- If I analyze a malware RAM dump, I'm only checking its content and I don't execute any process, so can I get infected?
2- The same with an HDD: if I get, for example, a dd image and I analyze it, can I get infected?
3- Real case: I got a RAM dump with DumpIt and an HDD image with FTK Imager. I want to analyze them with Volatility and the TSK tools, and I would like to know if I can get infected, and if those tools are really useful or whether I should use different ones.
Regarding questions 1 and 2: you can get infected if you isolate executable files and execute them accidentally. Those executable files might find a suitable environment on your workstation (Win x64) and start their routines. A fast double-click, the Enter key on your keyboard... it is easy to start a binary catastrophe. Be prepared for such a situation: dedicated analysis workstations in their own physical network are a "must have" precaution. Do NOT connect analysis workstations and office notebooks in one network!
Regarding question 3, make your own experience when it comes to tools. I would say all vendors offer a "test license" for a few weeks or months, and you should use this offer. Have a look at OSForensics, Belkasoft, Magnet, X-Ways (to be continued) for a few weeks... and then decide which product(s) you prefer.
best regards,
Robin
PS: I have written a guide for establishing digital forensic capabilities in a company and published it.
Thank you very much, I will recommend that kind of precaution to the person responsible at my work and not expose my whole network to an unnecessary risk. Anyway, I will test different tools at my home workstation and check which one I'm more comfortable with, to avoid that risk.
Thank you for your time. I will check your blog too with a proper translation; as you can see, even my English isn't really good xD
Regarding questions 1 and 2: you can get infected if you isolate executable files and execute them accidentally. Those executable files might find a suitable environment on your workstation (Win x64) and start their routines. A fast double-click, the Enter key on your keyboard... it is easy to start a binary catastrophe. Be prepared for such a situation: dedicated analysis workstations in their own physical network are a "must have" precaution. Do NOT connect analysis workstations and office notebooks in one network!
Only to highlight the relevant part.
Which, translated, and as an answer to the original questions, means NO.
Once that is said - i.e. that, unlike real-world viruses, it is not like you get contaminated by merely "touching" them - having a number of precautions in case of an accident is a good idea.
An even better idea - where possible - is to use a different OS, i.e. use Linux to examine a Windows system. While it is theoretically possible to have a file that executes both on Windows and on Linux, it anyway makes the probability that, IF you accidentally double-click or press Enter, anything executes very, very remote.
The "integralist" approach suggested by Rolf, while initially seemingly excessive, has however its merits.
As seemingly unrelated anecdata, I had an electrician (who coincidentally learned the trade in Switzerland) who was taught (and I learned from him) that whenever you touch or go near an electric cable, you should ALWAYS treat it as if it were "live".
At first it seems like an overcautious approach, but in time (and after a few electric shocks because you didn't follow the advice) it starts making a lot of sense.
As well, do not underestimate the risk of *somehow* contaminating the evidence.
In a perfect world the examination machine should:
1) be air-gapped
2) run a fresh deployment (made just before the start of the examination) of a "known to be clean" system
jaclaz
Probably nothing that hasn't already been said…
1- If I analyze a malware RAM dump, I'm only checking its content and I don't execute any process, so can I get infected?
It depends…by "malware RAM dump", do you mean a dump of the malware's process memory, or a dump of physical memory that contains malware?
In either case, if you extract the executable image on a system with AV running, the extracted executable *may* be detected by the AV, and action taken (i.e., quarantine, deletion, etc.).
If you are working on a Linux system, and the memory dump you're parsing is from a Windows system, it's unlikely that even attempting to execute an image file extracted from the memory dump will be able to do anything…unless it's cross platform.
2- The same with an HDD: if I get, for example, a dd image and I analyze it, can I get infected?
Depends on what you mean by "analysis"…
3- Real case: I got a RAM dump with DumpIt and an HDD image with FTK Imager. I want to analyze them with Volatility and the TSK tools, and I would like to know if I can get infected...
Again, what is your analysis system? Linux or Windows?
...and if those tools are really useful or whether I should use different ones.
Oh, they're very useful…depending upon what you want to do. A hammer is extremely useful, but not so much for driving a wood screw, or planing a board.
Volatility is great for parsing specific items out of a memory dump, and the TSK tools can be used to great effect to do things like extract data and metadata from an image. However, it's up to the analyst, *not* the tools, to perform analysis.
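As an added example (not code from this thread, from Volatility or from TSK): a small Python script that does the two things keydet89 and jaclaz describe, namely pulling PE images out of a raw dump without ever running them, and checking that the evidence image itself was not touched in the process. It assumes a flat image file (a DumpIt raw memory dump or a dd disk image) and relies only on the documented MZ/PE header layout; carved images are written with a .bin suffix so a stray double-click or Enter cannot launch them, and the source image is hashed before and after analysis. The sample dump it builds for a self-test is constructed, with a header but no code.

```python
"""Inspect a raw memory or disk dump for embedded PE images without executing anything.

Added example, not code from the thread or from Volatility/TSK. Assumes a flat image
file (DumpIt raw memory dump or dd disk image) and relies only on the documented
MZ/PE header layout. Carved images get a .bin suffix so they cannot be launched by
accident, and the evidence image is hashed before and after so contamination is noticed.
"""
import hashlib
import struct
import sys
from pathlib import Path

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}


def sha256_file(path):
    """Hash the evidence image; it is only ever opened read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_pe_headers(data):
    """Return (offset, machine, size_of_image) for every plausible PE header in data."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # e_lfanew must be small, and the COFF header plus start of the optional header must fit
            if 0x40 <= e_lfanew < 0x1000 and pe + 0x58 <= len(data) \
                    and data[pe:pe + 4] == b"PE\0\0":
                machine = struct.unpack_from("<H", data, pe + 4)[0]
                opt_magic = struct.unpack_from("<H", data, pe + 24)[0]
                if opt_magic in (0x10B, 0x20B):  # PE32 or PE32+
                    # SizeOfImage sits at optional-header offset 56 in both formats
                    size_of_image = struct.unpack_from("<I", data, pe + 24 + 56)[0]
                    hits.append((pos, MACHINE_NAMES.get(machine, hex(machine)), size_of_image))
        pos = data.find(b"MZ", pos + 1)
    return hits


def carve(data, out_dir=None, max_size=16 << 20):
    """Carve each image; returns (offset, machine, sha256). Writes <offset>.bin when out_dir is set."""
    results = []
    for off, machine, size in find_pe_headers(data):
        # SizeOfImage is a virtual size, so for a raw dump it is only an upper-bound estimate
        length = min(size if 0 < size <= max_size else max_size, len(data) - off)
        blob = data[off:off + length]
        digest = hashlib.sha256(blob).hexdigest()
        if out_dir is not None:
            out = Path(out_dir)
            out.mkdir(parents=True, exist_ok=True)
            (out / f"{off:08x}.bin").write_bytes(blob)  # .bin is not an executable extension
        results.append((off, machine, digest))
    return results


def analyze_image(image_path, out_dir):
    """Carve from a file on disk and confirm the evidence image is byte-identical afterwards."""
    before = sha256_file(image_path)
    results = carve(Path(image_path).read_bytes(), out_dir)
    after = sha256_file(image_path)
    if before != after:
        raise RuntimeError("evidence image changed during analysis: " + str(image_path))
    return before, results


def build_sample_image():
    """Constructed test dump: filler around one synthetic PE32+ header that contains no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> PE signature at +0x80
    stub = bytes(0x80 - 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)   # PE32+ magic
    struct.pack_into("<I", opt, 56, 0x400)  # SizeOfImage = 1024
    return b"\x00" * 100 + bytes(dos) + stub + coff + bytes(opt) + b"\x00" * 0x400


if __name__ == "__main__":
    if len(sys.argv) < 2:
        for off, machine, digest in carve(build_sample_image()):
            print(f"sample: PE ({machine}) at offset {off:#x}, sha256 {digest}")
    else:
        out_dir = sys.argv[2] if len(sys.argv) > 2 else "carved"
        image_hash, found = analyze_image(sys.argv[1], out_dir)
        print(f"{sys.argv[1]}: sha256 {image_hash}, {len(found)} PE image(s) carved")
        for off, machine, digest in found:
            print(f"  offset {off:#x} ({machine}) sha256 {digest}")
```

Run it with no arguments to see it work on the constructed sample, or pass the path of an image and an output directory. The carved .bin files and their hashes are what you would hand to a scanner or a disassembler next; nothing in the script maps or executes the bytes it finds, which is the point of keydet89's answer to question 1.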
What RolfGutmann said.
Your examination environment should be set up so it can be wiped and restored after use between cases - never assume that you are immune and that forensics tools cannot be subverted by malicious code. Get rid of any persistence foothold that exists in your setup.
Thank you very much for every answer. I'm talking about the process dump, for example to check its assembler content while avoiding its execution.
About using a different OS, it's a good approach; I can avoid that kind of misclick mistake if, for example, I'm trying to execute an exe file in Linux, so probably I should create a better workstation before starting to work.
Now I have more basic knowledge to grow and build my own experience in this field. Thank you everyone for your time, and sorry for my not very detailed questions and my inexperience; I just want to learn everything I can.
I hope I can help you back in the future. Regards, Sergio.