Hi, I was wondering how other places approach this -
How do you update your forensic analysis machines if they're not connected to the internet? By update I mean Windows updates, fixes/patches. Most other software I can update offline.
Our IT dept have said they can update Windows via a SCCM server whilst blocking the internet. However, I don't want a forced reboot to occur if I'm in the middle of a job after an update is applied.
Any thoughts would be appreciated!
Thanks
great question! and I'm also wondering what methods can be applied to solve this problem
Forced reboot is a thing of the past, really. You may have to close a pop-up telling you to restart now and again, but it won't interrupt jobs.
thanks Chris_Ed
You can download all Windows Updates manually.
If you know the Hotfix reference for the issue you are looking to patch (usually KB1234567 or a similar identifier) you can download it via the Microsoft support portal on an internet-connected PC and apply the update locally.
Question - why are you looking to apply updates? Is it to fix issues you are having, or just for best practice? At a former workplace we never bothered applying updates unless something wasn't working - if it isn't broken, it doesn't need fixing!
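Added example (editor's, not part of any post in this thread) of the hand-carry method just described: the examiner downloads the KB packages on an internet PC, carries them over, and installs them on the air-gapped box without allowing a reboot. The folder name, the manifest.csv format (FileName,SHA256, with the hash copied from the Microsoft Update Catalog listing at download time) and the registry key used to detect a pending reboot are assumptions for the example, not anything the thread specifies.

```powershell
# Added example, not from the thread. Installs hand-carried Windows updates on an
# air-gapped forensic workstation without rebooting, verifying each file first.
# Assumptions: the .msu files sit in C:\OfflineUpdates, and manifest.csv in the same
# folder lists FileName,SHA256 as copied from the Update Catalog on the internet PC.
# Run in an elevated PowerShell session.

$UpdateDir = 'C:\OfflineUpdates'
$Manifest  = Import-Csv (Join-Path $UpdateDir 'manifest.csv')

foreach ($entry in $Manifest) {
    $path = Join-Path $UpdateDir $entry.FileName
    if (-not (Test-Path $path)) { Write-Warning "Missing: $($entry.FileName)"; continue }

    # Integrity check: the file on the media must match what the Catalog showed.
    $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($actual -ne $entry.SHA256.ToUpper()) {
        Write-Warning "Hash mismatch for $($entry.FileName); skipping"
        continue
    }

    # /quiet: no prompts.  /norestart: install, but never reboot on its own.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
         -ArgumentList "`"$path`" /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0                          { "Installed:                 $($entry.FileName)" }
        3010                       { "Installed, reboot pending: $($entry.FileName)" }
        { $_ -eq 2359302 }         { "Already installed:         $($entry.FileName)" } # WU_S_ALREADY_INSTALLED (0x240006)
        { $_ -eq -2145124329 }     { "Not applicable:            $($entry.FileName)" } # WU_E_NOT_APPLICABLE (0x80240017)
        default                    { Write-Warning "wusa exit $($p.ExitCode) for $($entry.FileName)" }
    }
}

# Report, but do not act on, a pending reboot so the examiner picks the moment.
$cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
if (Test-Path $cbs) { 'Reboot pending: restart when the current case work is at a safe point.' }
```

Because the box never reaches Microsoft, the SHA-256 comparison is the only thing standing between the workstation and whatever was on the USB stick; keep the manifest on write-once media or sign it on the internet side if chain-of-custody rules require it.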
I think Unicron provided very helpful information.
I would also add that it is important to consider whether or not your forensic machines are used "on the go" or if you are working out of a lab. In the lab setting, updating machines, even if it's just Microsoft patches, should be a controlled practice. Usually it isn't even necessary because it is (ideally) a closed network or stand-alone. Patches and such would only be needed if problems arise.
On the go, for on site use or live capture/preview/acquisition, the updates may be helpful to make sure your machines are up to date when you connect to other networks and machines.
Also remember that patches and updates are done on top of the OS (obviously) and can slow things down quite a bit as they add up.
Good luck!
I'll echo Unicron on this one.
I used to be responsible for software maintenance on a lab of 30 plus computers, all air gapped from the internet.
The only time any OS update was done was to fix a specific problem, and the method was manual as Unicron described, so the lab machine was never connected to the internet.
Some useful points - Thank you all.
If you do need to get an off-network machine up-to-date with patches you may find this quite helpful
http://download.wsusoffline.net/
It's updated on a regular basis.
Hi all
This is a fairly easy one. If your IT department use SCCM, then they can just apply a policy that lets the end user choose when to reboot. The updates will install in the background.
It doesn't need to connect to the internet; you can have a server in your environment that connects to their master server.
As others have said, there is an argument that you can simply not bother. My feeling is that we all rely far too much on the air gap principle. Yes, it works, but it also holds us back.
From the sounds of it you have a reasonably mature IT dept. Managed correctly they can supply you with AV, updates, software deployment, capacity management and forecasting, the list goes on. All of these things are little issues that divert you, a forensic examiner, from examining stuff.
You do of course need to make sure they understand how your needs are different from that of other customers, but it should just be a matter of communication.
Regular patching just means that you avoid issues later down the line. As it won't affect your workflow, why wouldn't you do it?
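Added example (editor's, not part of the post above) of the "install in the background, let the user choose when to reboot" behaviour. It sets the standard Windows Update policy values (the same ones the WindowsUpdate.admx template writes) and shows the weak setting beside the corrected one. On an SCCM-managed client the restart is additionally controlled by the software update deployment's "suppress restart" option, which this script does not touch; the registry path and values are Microsoft's documented ones, the rest is assumption.

```powershell
# Added example, not from the thread: let Windows Update download and install in the
# background but never restart the machine while an examiner is signed in.
# Run in an elevated PowerShell session on the workstation (or push the same values via GPO).

$AU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Test-Path $AU)) { New-Item -Path $AU -Force | Out-Null }

# Weak configuration (a generic corporate baseline often ships this):
#   AUOptions = 4, AlwaysAutoRebootAtScheduledTime = 1
#   -> installs on schedule and reboots at the scheduled time whether or not anyone is logged on.
# Corrected configuration for a forensic workstation:
$desired = @{
    AUOptions                       = 4   # auto download and install on the schedule below
    ScheduledInstallDay             = 0   # 0 = every day
    ScheduledInstallTime            = 3   # 03:00 local time
    NoAutoRebootWithLoggedOnUsers   = 1   # never restart while someone is signed in
    AlwaysAutoRebootAtScheduledTime = 0   # no unattended restart at the scheduled time
}
foreach ($name in $desired.Keys) {
    Set-ItemProperty -Path $AU -Name $name -Value $desired[$name] -Type DWord
}

# Read everything back and flag anything that would still permit an unattended restart.
$cfg = Get-ItemProperty -Path $AU
foreach ($name in $desired.Keys) {
    $state = if ($cfg.$name -eq $desired[$name]) { 'ok' } else { 'MISMATCH' }
    '{0,-34} = {1}  {2}' -f $name, $cfg.$name, $state
}
gpupdate /target:computer /force | Out-Null   # apply now rather than at the next policy refresh
```

The read-back loop matters more than the writes: a domain GPO or the SCCM client can overwrite these values later, so this is also the check to run after IT has "applied a policy" to confirm the reboot really is in the examiner's hands.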
another way is to use WSUS. You have one standalone server facing the internet to download the updates as per the policies you set. You can then manually copy the updates and catalogue to your internal WSUS server and use it to manage your workstations.
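Added example (editor's, not part of the post above) of the disconnected-WSUS transfer just described, using the wsusutil.exe that ships with the WSUS role: export the metadata and mirror the content store on the internet-facing server, carry both over, verify, then import on the lab server. The content path, transfer path and hash-manifest name are assumptions for the example; the requirement that both servers run the same WSUS version is Microsoft's.

```powershell
# Added example, not from the thread: move a WSUS catalogue across an air gap.
# Run on the internet-facing WSUS with -Mode Export, carry the transfer folder over on
# removable media, then run on the lab WSUS with -Mode Import.
# Assumptions: WSUS content is in D:\WSUS\WsusContent on both servers, the media mounts
# as E:\, and both servers run the same WSUS version (wsusutil import refuses otherwise).
# Run in an elevated PowerShell session.
param(
    [Parameter(Mandatory)][ValidateSet('Export','Import')] [string] $Mode,
    [string] $Content  = 'D:\WSUS\WsusContent',
    [string] $Transfer = 'E:\WsusTransfer'
)
$WsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
$Package  = Join-Path $Transfer 'export.xml.gz'
$HashFile = Join-Path $Transfer 'sha256.csv'

switch ($Mode) {
  'Export' {
    New-Item -ItemType Directory -Path $Transfer -Force | Out-Null
    # 1. Update metadata.
    & $WsusUtil export $Package (Join-Path $Transfer 'export.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed ($LASTEXITCODE)" }
    # 2. Update binaries: mirror the content store with its directory layout intact.
    robocopy $Content (Join-Path $Transfer 'WsusContent') /MIR /R:2 /W:5 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE)" }
    # 3. Hash manifest so the receiving side can prove the media was not altered in transit.
    Get-ChildItem $Transfer -Recurse -File | Where-Object Name -ne 'sha256.csv' |
      Get-FileHash -Algorithm SHA256 |
      Select-Object @{n='Path';e={ $_.Path.Substring($Transfer.Length + 1) }}, Hash |
      Export-Csv $HashFile -NoTypeInformation
  }
  'Import' {
    # 1. Verify every file against the manifest before anything touches the server.
    $bad = Import-Csv $HashFile | Where-Object {
      (Get-FileHash (Join-Path $Transfer $_.Path) -Algorithm SHA256).Hash -ne $_.Hash }
    if ($bad) {
      $bad | ForEach-Object { Write-Warning "Tampered or corrupt: $($_.Path)" }
      throw 'Hash check failed; nothing imported'
    }
    # 2. Content first, then metadata, so no update is offered before its binaries exist.
    robocopy (Join-Path $Transfer 'WsusContent') $Content /E /R:2 /W:5 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE)" }
    & $WsusUtil import $Package (Join-Path $Transfer 'import.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed ($LASTEXITCODE)" }
    'Import complete; approve updates for the lab workstations from the WSUS console as usual.'
  }
}
```

The manifest step is the part people skip: the lab WSUS will happily serve whatever is in its content store, and the clients trust it as their update source, so the removable media is the supply chain and deserves the same integrity check you would give a disk image.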