Viruses during live acquisition?

5 Posts
4 Users
0 Reactions
579 Views
CFP001
(@cfp001)
Eminent Member
Joined: 17 years ago
Posts: 36
Topic starter   [#4765]

I was called out to take images on a ship recently. They were mostly live systems and I was able to complete the job and get back to the lab. I started making copies of the images and all of the USB hard drives are infected with viruses from the ship's PCs. Thankfully, the lab machine AV caught the viruses before infecting my lab PC, but what do I do with the "best evidence" on the USB hard drives, as they need to be cleaned?
All the images are copied to another medium and the hashes match. Should I just document my steps and clean/wipe the USB hard drives?

Thanks everyone.

(@douglasbrush)
Prominent Member
Joined: 17 years ago
Posts: 812
 

I don't see a problem as long as the image hashes match then you can copy those to clean drives and wipe the collection drives. Just document what you found and try to find out about the nature of the virus. May even want to VM it and see what you find and take note.
(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

If you don't execute the virus, how would your lab PC get infected?

You may _not_ want to remove the virus from the acquired targets (are they image files or active files copied from live system?) depending upon your analysis requirements.

Cheers!

farmerdude

www.onlineforensictraining.com

www.forensicbootcd.com
CFP001
(@cfp001)
Eminent Member
Joined: 17 years ago
Posts: 36
Topic starter  

The virus wasn't part of the image, even though I'm sure there are viruses within the image/operating system itself. The target PCs were infected with one of the viruses that automatically infects any USB device attached to the PC. When I was making copies of the best evidence image, I could see that the USB drive contained the virus (.exe and autorun file) as well as the actual image file.
I haven't been asked to do anything other than make the images for possible future defense so I haven't dug into the images for analysis, yet.
Thanks for the help.
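The two pieces of advice above (douglasbrush: copy the images to clean drives only once the hashes match and document what you found; CFP001: the collection drive carried an autorun.inf plus an .exe next to the image file) can be combined into a small triage step run before the collection drives are wiped. The script below is an added example, not code from the original thread or from any of the posters. It builds a constructed stand-in for a collection drive (a fake image blob under `images/`, an `autorun.inf`, and a placeholder `RECYCLER/syslib.exe`; all names and contents are invented for the demonstration), lists every file that is not one of the expected image files, parses the `[autorun]` section to record which executable the autorun entry points at, and then verifies a copy of the image by recomputing SHA-256 on both source and destination. The autorun.inf keys checked (`open`, `shellexecute`, `shell\...\command`) are the standard launch keys of that file format; `triage_collection_drive` and `verify_copy` are hypothetical helper names.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024

# Constructed sample data (not from the thread): a fake image blob and an
# autorun.inf of the kind CFP001 describes, pointing at a placeholder .exe.
SAMPLE_IMAGE_BYTES = b"EVF\x09\x0d\x0a\xff\x00" + b"\x00" * 4096
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "open=RECYCLER\\syslib.exe\r\n"
    "shell\\open\\command=RECYCLER\\syslib.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
)


def sha256_file(path):
    """Stream a file through SHA-256 so multi-GB images do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copy(src, dst):
    """Recompute both hashes after the copy; return (match, src_hash, dst_hash)."""
    a, b = sha256_file(src), sha256_file(dst)
    return a == b, a, b


def parse_autorun(text):
    """Return the launch targets named in the [autorun] section of an autorun.inf
    (keys open=, shellexecute=, and shell\\<verb>\\command=), deduplicated."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value and value not in targets:
            targets.append(value)
    return targets


def triage_collection_drive(root, expected_images):
    """Hash the expected image files and list everything else on the drive.
    Paths are reported relative to the drive root with forward slashes."""
    root = Path(root)
    report = {"expected": {}, "unexpected": [], "autorun_targets": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel in expected_images:
            report["expected"][rel] = sha256_file(p)
        else:
            report["unexpected"].append(rel)
    report["unexpected"].sort()
    autorun = root / "autorun.inf"
    if autorun.is_file():
        report["autorun_targets"] = parse_autorun(
            autorun.read_text(errors="replace"))
    return report


def build_sample_drive(drive):
    """Write the constructed collection-drive layout into `drive`."""
    drive = Path(drive)
    (drive / "images").mkdir(parents=True, exist_ok=True)
    (drive / "RECYCLER").mkdir(exist_ok=True)
    (drive / "images" / "ship01.E01").write_bytes(SAMPLE_IMAGE_BYTES)
    (drive / "autorun.inf").write_text(SAMPLE_AUTORUN)
    (drive / "RECYCLER" / "syslib.exe").write_bytes(b"MZ" + b"\x90" * 64)
    return drive


def demo():
    """Build the sample drive in a temp dir, triage it, verify a good copy of
    the image and show that a truncated copy fails verification."""
    work = Path(tempfile.mkdtemp(prefix="collection_"))
    drive = build_sample_drive(work / "usb_collection")
    image = drive / "images" / "ship01.E01"
    report = triage_collection_drive(drive, {"images/ship01.E01"})
    clean = work / "clean_copy.E01"
    clean.write_bytes(image.read_bytes())
    ok, src_hash, _ = verify_copy(image, clean)
    clean.write_bytes(SAMPLE_IMAGE_BYTES[:-1])   # simulate a bad copy
    bad, _, _ = verify_copy(image, clean)
    return {
        "report": report,
        "copy_verified": ok,
        "truncated_copy_verified": bad,
        "image_hash": src_hash,
        "expected_hash": hashlib.sha256(SAMPLE_IMAGE_BYTES).hexdigest(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of recording `unexpected` and `autorun_targets` alongside the image hashes is that the wipe of the collection drive is then documented with exactly what was on it, rather than only a note that "AV found something". Run the triage on the drive while it sits behind a write blocker, as code_slave's reply suggests, so neither the AV nor the autorun entry changes anything before it is recorded.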
(@code_slave)
Trusted Member
Joined: 17 years ago
Posts: 61
 

Well IF he was following the correct forensic procedure

1. His write blocker would prevent the AV cleaning the virus
2. He would NOT have infected the forensic machine.

Caught out by one of the oldest tricks in the book.

C.