"Xennith, were these images placed here by malware?"
"No, the locations, dates and timestamps are not consistent with an automated process, but are consistent with human interaction".
I've come across malware a few times, never as a result of a virus scan, but as a "hang about, what's that exe doing there?" then a quick sandboxing to see what it does.
Anyhow, in the UK this kind of thing comes up before the trial; if you guys want to run antivirus scans to cover your asses or increase the sizes of your reports I suggest Microsoft Security Essentials.
I am not sure I grasp what you are implying here.
Are you suggesting that as a regular practice, scanning evidence for malware is not just unnecessary but is simply to pad a report?
Yeah, in the vast majority of cases it's a complete waste of the 8 hours it would take.
If someone's defence is "omg it was a virus" then you can start doing some malware analysis, but why do it to everything that comes through your door?
You aren't going to catch a virus from your images; a virus scan, if negative, proves nothing as you could have simply missed the polymorphic virus present, and if positive proves nothing because you might still have missed something.
I'm not sure how it works in the States, perhaps it's needed there, but in the UK I'd argue that you're just padding your report out.
Tell you what, you let me know what percentage of cases the results of an antivirus scan have been relevant to determining truth or innocence and if it's over 20% I'll start doing it religiously.
In the meantime I'll stick to scanning for viruses and doing malware analysis as it's needed.
Here's a scenario for you:
My client says it was a virus -> Virus scan didn't find anything
So you're saying there was no virus? -> I didn't find it
Are virus scanners foolproof? -> No.
So it's possible that there was a virus? -> Yes.
It's all about reasonable doubt. If the jury knows you tried, then they are less likely to bite on the Trojan defense. It does not pad my report. I don't even put it in there typically.
I agree - I don't know how it pads the report in any way. At most it is a line or two that says "Virus scan run using such and such software - no infections detected" or "x instances of y virus detected - report is attachment Z". Granted you will not find everything on an image that has been mounted as opposed to scanning a live drive and registry, but your AV should be able to find a file or two that was part of the virus, hopefully.
You are correct - not finding a virus doesn't necessarily mean anything, but at least you can say you didn't find one.
IMHO it shows prudent work to do a scan on a mounted image, especially on criminal cases where you may be up against the virus-did-it argument. An attempt is better than not having done one at all, and only doing it after the defense claim has been made almost sounds like an "oh s**t…"
You think it's prudent and due diligence, I think it shows an over-reliance on automated tools and a "push button, receive evidence" mentality.
Let's put it this way: if I were to write a bit of malware that planted evidence on a computer, as soon as it had done its job it would erase itself and every forensic trace I could think of that would indicate it had been there.
Do any of you actually know of any malware that plants IIOC? No? Then why the hell do you use a virus scanner to look for one?
I cannot believe we are actually debating this.
"Push button, receive evidence" mentality? I am not sure our concept of "push button" is the same. Last time I checked, using a DB of signatures to search through a data set does not make it "push button". I guess then according to your interpretation deNISTing is also "push button". Yeah, those good old days, when we could just run DEBUG. Those hippies, John McAfee or Eugene Kaspersky, totally ruined it for real examiners! That was real work. And for that 300GB HDD? I read each sector and eyeball it against a printout! That is how real men do it! ... please…
And, yes - in my experience in the corporate world, there have been several instances where the machines became zombies, and acted as storage.
Your argument of "it's possible that there was a virus" is a straw man. If the opposing side suggests that a "yet unknown malware" somehow planted the evidence, they would be pressed to show any evidence of it. Furthermore, the court would smack down an incessant "but where did that come from" game.
Maybe your cases produce inordinately large digital evidence. At 40MB/s (horrible network traffic), 8 hours would scan 1TB of data. Normally, you should be getting something like 300MB/s, and that would put you at around 8TB.
If it is not the report length, as others have noted it would be a very short paragraph at best, it is not the technology, as it is readily available and it is not time, since in my experience, albeit anecdotal, few cases balloon to 8TB - what is the reason not to do it?
EDIT: Sorry, edited instead of replied…
Fine, virus scan everything that ends up on your desk, no skin off my nose.
I recommend Microsoft Security Essentials - free, fast and supports sandboxing and fairly decent heuristics.
Scanning a mounted Windows forensic image, won't this miss files in use by Windows like NTUSER.DAT, SAM, etc.? Will it be better to scan the mounted image in Linux so all files can be scanned?
It won't miss those files because you won't be scanning a "booted" disk.
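As an added illustration (not code posted in this thread), the points above in working form: a signature-based scan walked over a mounted, unbooted image reads the registry hives that would be locked on a live system, and its outcome reduces to the one- or two-line report entry described earlier. The mount point, hive contents, "dropper.exe" and its hash signature are all constructed for the example; the signature set stands in for an AV or deNIST database.

```python
import hashlib
import os
import tempfile
from collections import Counter

# Hives locked on a booted Windows system but ordinary files on a mounted image.
HIVES = {"NTUSER.DAT", "SAM", "SYSTEM", "SOFTWARE"}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_mounted_image(root, signatures):
    """Hash every file under the mount point and look it up in `signatures`
    (sha256 -> family). Records which hives were readable and any open errors."""
    out = {"scanned": 0, "hits": [], "unreadable": [], "hives_read": set()}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # what a locked hive on a live system would produce
                out["unreadable"].append(path)
                continue
            out["scanned"] += 1
            if name.upper() in HIVES:
                out["hives_read"].add(name.upper())
            if digest in signatures:
                out["hits"].append((path, signatures[digest]))
    return out

def report_line(result, tool="hash-signature scan"):
    """The one- or two-line report entry the thread says a scan amounts to."""
    if not result["hits"]:
        return f"Virus scan run using {tool} - no infections detected"
    fam = Counter(f for _, f in result["hits"])
    return "; ".join(f"{n} instances of {f} detected" for f, n in fam.items())

def build_sample_image():
    """Constructed mount point: two hives plus one file matching a constructed signature."""
    root = tempfile.mkdtemp(prefix="img_")
    files = {"Users/bob/NTUSER.DAT": b"regf-constructed", "Users/bob/dropper.exe": b"MZ-constructed-bad",
             "Windows/System32/config/SAM": b"regf-sam-constructed"}
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    sigs = {hashlib.sha256(b"MZ-constructed-bad").hexdigest(): "Constructed.Dropper"}  # stand-in DB
    return root, sigs
```

Point `scan_mounted_image` at a real mount point and a real hash set to reproduce the check; the `unreadable` list is what would be non-empty on a live system, and stays empty on the mounted image.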