Quick question..
If I mount an e01 image to scan it with a virus scan and it detects viruses, what do I do with those files? (I'm analyzing the image with EnCase, not as a live image)
Do I leave them and be sure not to export and run them? Or do I quarantine them?
I just don't want to do anything that would be forensically unsound.
Thanks
The answer to your questions depends on whether you need the files which may be infected as part of the objective of your case. In many cases, other files may help you solve a case such that you may not need to analyze those, export and run them. So, it depends…
Leaving them out of the analysis may not be forensically unsound, depending on the objective, and how critical the analysis of those files may be.
I agree with CFEx, but would like to add that if this is NOT part of an Incident Response case, I would suggest configuring your AV to 'log/leave alone'; save the AV results as part of your report and then verify what particular features each malware item has/does; after all, your AV file system scanner is looking for known malware. Removing the malware from the system should only be done in cases where you are now doing a 'clean-up' post infection/outbreak, or as part of the case completion sanitization process (subject to local laws/company policy).
Finding good detailed write-ups on known malware is not easy, as many vendors do not cover the item in sufficient depth (unless it's newsworthy). Running the samples in a sandbox and then using that report to factor into your overall report, and saving the malware samples, is good in case the defense later tries to use the now infamous 'trojan defense'; you can also get an AV vendor to give you a detailed write-up and do the static binary analysis yourself (if possible).
Just a thought.
I just don't want to do anything that would be forensically unsound.
I'm not sure what you mean by "forensically unsound".
Well you can't make changes to the .e01 file(s) so it would be forensically sound. Just document (most AV programs will create a log - and use more than one or two) where the infections are. You may want to run the image as a VM to see where in memory the virus/malware infects.
Again, as others have stated, it really depends on the scope of your investigation and how much granularity you need in the investigation of the infection.
If you have mounted a Vista/Windows 7 image and scanned it and you have Vista/Windows 7 as a forensic platform, you have probably virus scanned your own drive as well!
If you have mounted a Vista/Windows 7 image and scanned it and you have Vista/Windows 7 as a forensic platform, you have probably virus scanned your own drive as well!
Yes, check your symbolic link settings.
I found this utility
Junction Link Magic
This utility will scan your system and let you modify:
1. Symbolic links - can be thought of as a shortcut to a file or folder elsewhere in the file system
2. Junction points - can only point to a folder
3. Mount points - a folder on a disk that points to an entire disk volume
And it's free.
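Putting the thread's advice together (log where the AV hits are instead of quarantining, confirm the E01 itself is untouched, and make sure a symbolic link or junction has not sent the scanner onto your own drive), as an added Python example that is not from any of the posters; the clamscan-style log lines and the /mnt/e01 mount path are constructed assumptions.

```python
import hashlib
import os
from dataclasses import dataclass

# Constructed clamscan-style output (not from the thread). clamscan prints
# one "path: Signature FOUND" line per hit and "path: OK" for clean files.
SAMPLE_AV_LOG = """\
/mnt/e01/Windows/Temp/svchost32.exe: Win.Trojan.Agent-1234 FOUND
/mnt/e01/Users/alice/Downloads/invoice.pdf: OK
/mnt/e01/Users/alice/AppData/Roaming/dropper.dll: Win.Malware.Generic-5678 FOUND
"""


@dataclass
class Detection:
    path: str
    signature: str


def parse_clamscan_log(text):
    """Return one Detection per 'FOUND' line; 'OK' lines are skipped."""
    hits = []
    for line in text.splitlines():
        if not line.endswith(" FOUND"):
            continue
        path, _, rest = line.rpartition(": ")
        hits.append(Detection(path=path, signature=rest[: -len(" FOUND")]))
    return hits


def sha256_of(path, chunk=1 << 20):
    """Hash the evidence file in chunks so large images do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_unchanged(image_path, hash_before):
    """Re-hash the E01 after the scan; True only if it still matches."""
    return sha256_of(image_path) == hash_before


def within_mount(path, mount_root):
    """True if path, after resolving links/junctions, still sits under mount_root."""
    root = os.path.realpath(mount_root)
    target = os.path.realpath(path)
    return target == root or target.startswith(root + os.sep)


def build_report(log_text, mount_root):
    """One record per detection: on-image path, signature, and whether the
    resolved path escaped the mount (i.e. the AV actually hit the host drive)."""
    return [{"path": d.path, "signature": d.signature,
             "inside_mount": within_mount(d.path, mount_root)}
            for d in parse_clamscan_log(log_text)]
```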