I was reading a thread, and the thought of checking with others came up.
What tools do you use?
I run images through Symantec Endpoint Protection, ClamAV.
I was thinking of running something like Spybot-S&D too, but is there a way to get Spybot-S&D to point at a drive, instead of just going to the default C:?
I tend to mount a working copy of the image read-only, using whichever means is appropriate (FTK Imager v3.0, ImDisk, VHD, etc.) and scan the mounted volume with AV that I know was not installed on the system prior to it being acquired. Scanning the system with the same AV package that was installed or had been run against the system doesn't really do much with respect to providing "value add" to the customer - other than the fact that the system isn't booted.
Most AV tools provide the ability to scan a specific folder/directory, so just point the tool at the mounted volume; they're pretty easy to use.
Remember, however, that there is a good deal of malware out there that may not be detected by whichever tool you're using. It's not only a good idea to use multiple AV scanners, but to also use other tools to look for secondary artifacts; I recently ran across a system with an ADS attached to the Temp directory listing. Registry analysis has also proved to be very beneficial; however, I have seen malware that doesn't use the Registry as a persistence mechanism (think the DLL Search Order issue).
Finally, MBR infectors are an issue that may not be detected by the AV that you're using. To address this, I wrote some code for myself that I point at the image, and it runs through the sectors I designate (most often, 0 - 63) looking for sectors that are all zeros vs sectors with indications of executable code.
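The sector sweep described in the post above, as an added example that is not keydet89's own code or any product's signature set: it reads the first 64 sectors of a raw image, flags each as all-zero, code-like or other data, and decodes the MBR partition table so the partition start offsets can be handed to a read-only mount (mount -o ro,offset=...) for the AV pass. The opcode hints and the sample image are constructed for this example and are assumptions, not a detection rule from any tool.

```python
"""Triage the first sectors of a raw disk image for MBR-resident code.

Added example (not keydet89's tool). The opcode hints below are a
heuristic chosen for this example, and the sample image is constructed
inline so the script runs offline.
"""
import struct
from typing import List, Tuple

SECTOR = 512

# Fragments typical of 16-bit x86 boot code (assumed heuristic, not a
# signature set): segment setup, stack setup, BIOS disk/video calls.
CODE_HINTS = (
    b"\xfa\x33\xc0",  # cli; xor ax, ax
    b"\x33\xc0",      # xor ax, ax
    b"\x31\xc0",      # xor ax, ax (alternate encoding)
    b"\x8e\xd0",      # mov ss, ax
    b"\x8e\xd8",      # mov ds, ax
    b"\x8e\xc0",      # mov es, ax
    b"\xbc\x00\x7c",  # mov sp, 7C00h
    b"\xcd\x13",      # int 13h (BIOS disk services)
    b"\xcd\x10",      # int 10h (BIOS video services)
)


def classify_sector(buf: bytes) -> str:
    """Return 'zero', 'code' or 'data' for one 512-byte sector."""
    if not buf.strip(b"\x00"):
        return "zero"
    hits = sum(1 for hint in CODE_HINTS if hint in buf)
    # Two distinct multi-byte hints keeps text and random data out of 'code'.
    return "code" if hits >= 2 else "data"


def has_boot_signature(sector0: bytes) -> bool:
    """True if the sector carries the 0x55AA signature at offset 510."""
    return sector0[510:512] == b"\x55\xaa"


def parse_partitions(mbr: bytes) -> List[dict]:
    """Decode the four classic MBR partition entries at offset 446.

    mount_offset is the byte offset to pass to a read-only loop mount."""
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        start_lba, size = struct.unpack_from("<II", entry, 8)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start_lba": start_lba, "sectors": size,
                      "mount_offset": start_lba * SECTOR})
    return parts


def scan_sectors(image: bytes, first: int = 0, last: int = 63) -> List[Tuple[int, str]]:
    """Classify sectors first..last (inclusive) of an in-memory image."""
    out = []
    for n in range(first, last + 1):
        buf = image[n * SECTOR:(n + 1) * SECTOR]
        if len(buf) < SECTOR:
            break  # image shorter than requested range
        out.append((n, classify_sector(buf)))
    return out


def nonzero_sectors(image: bytes, first: int = 0, last: int = 63) -> List[Tuple[int, str]]:
    """Only the sectors worth a second look: anything that is not all zeros."""
    return [(n, c) for n, c in scan_sectors(image, first, last) if c != "zero"]


def build_sample_image() -> bytes:
    """Constructed 64-sector image: a boot-code MBR with one NTFS-typed
    partition at LBA 2048, a code-like sector stashed in the gap before
    it, one text sector, everything else zero."""
    boot = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 16 + b"\xcd\x13").ljust(446, b"\x00")
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    mbr = boot + entry + b"\x00" * 48 + b"\x55\xaa"
    image = bytearray(64 * SECTOR)
    image[0:SECTOR] = mbr
    # sector 2: the kind of thing a bootkit parks in the unpartitioned gap
    image[2 * SECTOR:3 * SECTOR] = (b"\x33\xc0\x8e\xd8\xcd\x13" + b"\x90" * 20).ljust(SECTOR, b"\x00")
    # sector 5: non-zero but not executable
    image[5 * SECTOR:6 * SECTOR] = b"README: nothing executable here".ljust(SECTOR, b"\x00")
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print("boot signature:", has_boot_signature(img[:SECTOR]))
    for p in parse_partitions(img[:SECTOR]):
        print(f"partition {p['index']}: type 0x{p['type']:02x} start LBA {p['start_lba']} "
              f"-> mount -o ro,offset={p['mount_offset']}")
    for n, cls in nonzero_sectors(img):
        print(f"sector {n}: {cls}")
```

To run it against a real image, read the first 64 sectors of the file into a bytes object and pass that to nonzero_sectors; a "code" hit in the gap between sector 0 and the first partition's start LBA is what warrants pulling that sector into a disassembler.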
In most cases where I have good user (defendant) attribution (confession, etc.), I typically wait until the case moves toward trial before running AV.
My theory is that the time delay between when I conduct the exam and when I run the AV scans (often a year or more) gives the AV developers time to build definitions for malware that may have been present on the media but unknown to the AV developers at the time of the exam.
When I do run it, I use keydet89's method of mounting the image (usually with EnCase PDE) and pointing the scanner at the mounted device.
ClamAV usually - can't beat the price. I have also used Gargoyle.
Eset's Nod32 (provides a nice log file).
Although I do run an antivirus scan at the beginning, I agree with Miket065 to run one also before trial, due to all the AV/malware software updates. You can then run any apparent virus through virustotal.com and do research using the antivirus/malware company sites and your own tests.
Regards,
Chris
What's the point in scanning the images?
I guess if you think your report is too short you could put it in.
Grab low hanging fruit, save time, help confirm/deny "trojan defense", compare with other scans you've done for malware, to help verify your findings, to be thorough, to prepare for questions you know will come up at trial, etc.
If someone pulls out the trojan defence, I'll do a virus scan. It's happened to me twice now; both times the case has never gone to court.
I've spotted a few malware infections during the course of my investigation, none of them relevant to the case of course. So what is the point in running an AV scan? No AV product is 100%. You're spending a lot of time, and at the end of it, if asked "are there any viruses on this computer?" you can't say "no"; in fact the best you can manage is "I don't know".
If it's relevant to the case, sure, run a scan. It's not something that should be standard practice, imo.
Xennith, I do this to help shore up the case against reasonable doubt. In our US courts, we won't necessarily know that a "trojan" defense will be tried until the actual trial. The defense has wide discretion to ask questions of the examiner that may put "reasonable doubt" into the minds of the jury.
If I have done a virus scan, and I am asked by the defense if malware caused the offending content, I can explain that I attempted to find any malware that would exonerate his client, and didn't.
If I did nothing and the question is asked, what do you say?
Sure, nothing is 100%, including DNA.