Windows Updates on Forensic Machine  

amandamorris
(@amandamorris)
New Member

Hi, was wondering how other places approach this -

How do you update your forensic analysis machines if they're not connected to the internet? By update I mean Windows updates, fixes/patches. Most other software I can update offline.

Our IT dept have said they can update Windows via an SCCM server whilst blocking the internet. However, I don't want a forced reboot to occur if I'm in the middle of a job after an update is applied.

Any thoughts would be appreciated!

Thanks

Posted : 20/02/2014 5:06 pm
Georgefan
(@georgefan)
Junior Member

Hi, was wondering how other places approach this -

How do you update your forensic analysis machines if they're not connected to the internet? By update I mean Windows updates, fixes/patches. Most other software I can update offline.

Our IT dept have said they can update Windows via an SCCM server whilst blocking the internet. However, I don't want a forced reboot to occur if I'm in the middle of a job after an update is applied.

Any thoughts would be appreciated!

Thanks

Great question! I'm also wondering what methods can be applied to solve this problem.

Posted : 20/02/2014 6:28 pm
Chris_Ed
(@chris_ed)
Active Member

Forced reboot is a thing of the past, really. You may have to close a pop-up telling you to restart now and again, but it won't interrupt jobs.

Posted : 20/02/2014 6:58 pm
amandamorris
(@amandamorris)
New Member

Thanks, Chris_Ed.

Posted : 20/02/2014 9:05 pm
Unicron
(@unicron)
Junior Member

You can download all Windows Updates manually.

If you know the Hotfix reference for the issue you are looking to patch (usually KB1234567 or a similar identifier) you can download it via the Microsoft support portal on an internet-connected PC and apply the updates locally.

Question - why are you looking to apply updates? Is it to fix issues you are having, or just for best practice? At a former workplace we never bothered applying updates unless something wasn't working - if it isn't broken, it doesn't need fixing!

Posted : 20/02/2014 9:30 pm
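The manual route Unicron describes (download the KB on a connected PC, carry it across, apply locally) is where a practitioner wants two checks before anything runs on the air-gapped box: that the package really is the Microsoft-signed file and has not been altered in transit, and that the KB is not already installed. The script below is an added example, not code from the thread or from Microsoft; the staging folder `D:\Patches`, the log file name and the `Install-StagedHotfixes` / `Test-MicrosoftSignature` function names are assumptions. It uses the stock `wusa.exe` installer with `/norestart` so the reboot is left to the examiner.

```powershell
# Added example (not from the thread): stage manually downloaded .msu hotfixes on a
# removable drive, verify each is genuinely Microsoft-signed before it is applied on the
# air-gapped analysis box, skip ones already present, and install without a reboot.
# Assumptions: D:\Patches is a hypothetical staging path; KB numbers are read from the
# file names Microsoft uses for standalone packages (e.g. windows6.1-kb1234567-x64.msu).

function Test-MicrosoftSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the chain verifies to a trusted root AND the file is unmodified since
    # signing; the subject check rejects a validly signed package from someone else.
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -like 'CN=Microsoft*')
}

function Get-KbFromFileName {
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match '(?i)kb(\d{6,7})') { return "KB$($Matches[1])" }
    return $null
}

function Install-StagedHotfixes {
    param(
        [string]$StagingDir = 'D:\Patches',              # assumed location of the USB stick
        [string]$LogFile    = "$StagingDir\install.log"  # assumed log location
    )
    $installed = (Get-HotFix).HotFixID                   # what the box already has
    foreach ($msu in Get-ChildItem -Path $StagingDir -Filter *.msu) {
        $kb = Get-KbFromFileName $msu.Name
        if (-not $kb) {
            "$($msu.Name): no KB id in file name, skipped" | Tee-Object -FilePath $LogFile -Append
            continue
        }
        if ($installed -contains $kb) {
            "$kb already installed, skipped" | Tee-Object -FilePath $LogFile -Append
            continue
        }
        if (-not (Test-MicrosoftSignature $msu.FullName)) {
            "$kb signature check FAILED, not installed" | Tee-Object -FilePath $LogFile -Append
            continue
        }
        # /quiet /norestart: wusa installs the package and returns 3010 when a reboot is
        # pending, so the examiner chooses the reboot time rather than the updater.
        $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                -ArgumentList "`"$($msu.FullName)`" /quiet /norestart" -Wait -PassThru
        $msg = switch ($p.ExitCode) {
            0       { "$kb installed" }
            3010    { "$kb installed, reboot pending (deferred)" }
            default { "$kb failed with exit code $($p.ExitCode)" }
        }
        $msg | Tee-Object -FilePath $LogFile -Append
    }
}

Install-StagedHotfixes
```

Run it from an elevated PowerShell prompt on the analysis machine after copying the packages across. The log it writes is worth keeping with the lab's change records, since it states exactly which KBs were applied to the examination platform and when, which is the sort of detail that gets asked about later.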
pcstopper18
(@pcstopper18)
Member

I think Unicron provided very helpful information.

I would also add that it is important to consider whether or not your forensic machines are used "on the go" or if you are working out of a lab. In the lab setting, updating machines, even if it's just Microsoft patches, should be a controlled practice. Usually it isn't even necessary because it is (ideally) a closed network or stand-alone. Patches and such would only be needed if problems arise.

On the go, for on site use or live capture/preview/acquisition, the updates may be helpful to make sure your machines are up to date when you connect to other networks and machines.

Also remember that patches and updates are done on top of the OS (obviously) and can slow things down quite a bit as they add up.

Good luck!

Posted : 20/02/2014 11:17 pm
Adam10541
(@adam10541)
Senior Member

I'll echo Unicron on this one.

I used to be responsible for software maintenance on a lab of 30-plus computers, all air-gapped from the internet.

The only time any OS update was done was to fix a specific problem, and the method was manual as Unicron described, so the lab machine was never connected to the internet.

Posted : 21/02/2014 1:12 pm
amandamorris
(@amandamorris)
New Member

Some useful points - Thank you all.

Posted : 21/02/2014 3:09 pm
pragmatopian
(@pragmatopian)
Active Member

If you do need to get an off-network machine up to date with patches, you may find this quite helpful:

http://download.wsusoffline.net/

It's updated on a regular basis.

Posted : 21/02/2014 10:05 pm
Pedro281
(@pedro281)
Junior Member

Hi all

This is a fairly easy one. If your IT department use SCCM, then they can just apply a policy that lets the end user choose when to reboot. The updates will install in the background.

It doesn't need to connect to the internet; you can have a server in your environment that connects to their master server.

As others have said, there is an argument that you can simply not bother. My feeling is that we all rely far too much on the air gap principle. Yes, it works, but it also holds us back.

From the sounds of it you have a reasonably mature IT dept. Managed correctly they can supply you with AV, updates, software deployment, capacity management and forecasting, the list goes on. All of these things are little issues that divert you, a forensic examiner, from examining stuff.

You do of course need to make sure they understand how your needs are different from that of other customers, but it should just be a matter of communication.

Regular patching just means that you avoid issues later down the line. As it won't affect your workflow, why wouldn't you do it?

Another way is to use WSUS. You have one standalone server facing the internet to download the updates as per the policies you set. You can then manually copy the updates and catalogue to your internal WSUS server and use it to manage your workstations.

Posted : 25/02/2014 8:34 pm
amandamorris
(@amandamorris)
New Member

Thanks all. Have definitely learnt some useful info here. The moral of the story - everyone seems to do things slightly differently depending on the kind of forensic work they do. Cheers.

Posted : 25/02/2014 11:11 pm
Adam10541
(@adam10541)
Senior Member

Something to be aware of though is performance and software conflicts.

In my current role I only use a few pieces of software, so if an update causes a problem or conflict it's fairly easy and quick to troubleshoot and fix. In my previous role the analysis machines had numerous pieces of software installed, so applying all available updates (regardless of whether via internet, internal server or manual) could make life very difficult if a conflict was caused by one of the updates.

Hence, "if it ain't broke, don't fix it".

Many Windows updates are to address security flaws; if your machine is air-gapped then you are unlikely to be in danger from these flaws.

The last thing on earth I would ever do is let an IT manager near my analysis machine 😉

Posted : 26/02/2014 6:15 am
athulin
(@athulin)
Community Legend

… - if it isn't broken, it doesn't need fixing!

The presence of a security update is an indication that it is broken.

Some years ago, vulnerabilities in graphics libraries were discovered by the dozen. These libraries apparently checked the input files so badly that it was easy to create buffer overflows etc. to inject hostile code. And of course there were lots of people who did. And this kind of problem is still there, though not quite as prevalent.

If that kind of hostile file happens to be part of a case, and at some point or other is viewed by the analyst, … do you know what happens? Or exported as a file, and viewed in some other way? Does the forensic platform in use do its own testing, or does it rely on whatever basic graphics libraries are present in the platform? If it uses a third-party product (like this Inside Out from Oracle), the question still applies: what does this product do?

It seems rather foolhardy not to patch up this kind of vulnerability as soon as possible.

Vulnerabilities in network services, on the other hand, probably won't matter if the network is and remains well isolated and controlled.

Posted : 26/02/2014 7:47 pm
Adam10541
(@adam10541)
Senior Member

A valid point, although my 'ain't broke, don't fix it' was more referring to the computer and all its forensic software working, rather than flaws in third-party drivers etc.

With regards to unknowingly copying or accessing malicious files, that's where having a good AV comes into play. As part of an in-depth analysis we used to mount the image, then first run AV scans to identify any potentially malicious files. Obviously this is not foolproof, but with an air-gapped machine that has no network access there is very little damage that can be done should we access a virus.

Posted : 27/02/2014 12:27 pm
johnny
(@johnny)
New Member

Hi,

WSUS is the method we use - it's provided as part of Windows Server 2008 R2 and probably other server varieties.

Basically, we have a laptop running Server 2008 which connects to the Internet and downloads all applicable updates (based on what OS all your machines have and what MS products they run, e.g. SQL, Office). These updates are exported to a USB and then imported onto the air-gapped server, which distributes the updates to the forensic machines.

Our group policy is configured so as to allow a user to choose when they wish to reboot after update.

It seems to work well.

john

Posted : 27/02/2014 7:37 pm
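Pedro281's and johnny's posts describe the same two-part arrangement: an internet-facing WSUS server whose catalogue and content are carried on removable media to an air-gapped WSUS server, and a client policy that installs from the internal server but never forces a reboot on a logged-on user. The script below is an added example that is not from the thread or from Microsoft; it uses the shipped `WsusUtil.exe export`/`import` commands and the documented Windows Update policy registry values, while the media path `E:\wsus-transfer`, the content path `D:\WSUS\WsusContent`, the server name `wsus-lab.internal` and the function names are assumptions.

```powershell
# Added example (not from the thread): the two pieces of the offline WSUS approach.
# (1) Internet-facing WSUS server: export catalogue metadata + content store to media;
#     air-gapped WSUS server: import both.
# (2) Each analysis workstation: point Windows Update at the internal server and make sure
#     installs never reboot the machine while an examiner is logged on.
# Assumptions: E:\wsus-transfer is a hypothetical USB path; WsusContent is assumed to live
# at D:\WSUS\WsusContent (it is wherever WSUS setup put it); wsus-lab.internal is made up.

$WsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'

function Export-WsusToMedia {
    param(
        [string]$ContentDir = 'D:\WSUS\WsusContent',
        [string]$Media      = 'E:\wsus-transfer',
        # WSUS on Server 2012 and later writes export.xml.gz; WSUS 3.x (Server 2008 R2)
        # expects a .cab name here instead.
        [string]$Package    = 'export.xml.gz'
    )
    New-Item -ItemType Directory -Path $Media -Force | Out-Null
    # Approvals, classifications and the update catalogue go into one compressed package
    & $WsusUtil export (Join-Path $Media $Package) (Join-Path $Media 'export.log')
    # The update binaries are ordinary files: mirror the content store alongside it
    $log = Join-Path $Media 'robocopy-export.log'
    robocopy $ContentDir (Join-Path $Media 'WsusContent') /MIR /R:1 /W:1 /NP "/LOG:$log"
}

function Import-WsusFromMedia {
    param(
        [string]$ContentDir = 'D:\WSUS\WsusContent',
        [string]$Media      = 'E:\wsus-transfer',
        [string]$Package    = 'export.xml.gz'
    )
    # Copy content first so the imported metadata never points at files not yet present
    robocopy (Join-Path $Media 'WsusContent') $ContentDir /E /R:1 /W:1 /NP
    & $WsusUtil import (Join-Path $Media $Package) (Join-Path $Media 'import.log')
}

function Set-ForensicUpdatePolicy {
    # Same settings as the Group Policy johnny mentions, written directly to the policy
    # hive for a standalone box; e.g. -WsusUrl 'http://wsus-lab.internal:8530' (assumed name)
    param([Parameter(Mandatory)][string]$WsusUrl)
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    New-Item -Path $au -Force | Out-Null
    # Use the internal server for both downloading updates and reporting status
    Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusUrl
    Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusUrl
    Set-ItemProperty -Path $au -Name UseWUServer    -Value 1 -Type DWord
    # AUOptions 4 = download and schedule the install; NoAutoRebootWithLoggedOnUsers 1 =
    # after install, a logged-on user is prompted and may postpone; no forced restart.
    Set-ItemProperty -Path $au -Name AUOptions      -Value 4 -Type DWord
    Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord
}

# Usage (each from an elevated prompt on the machine in question):
#   Internet-facing WSUS server:  Export-WsusToMedia
#   Air-gapped WSUS server:       Import-WsusFromMedia
#   Each analysis workstation:    Set-ForensicUpdatePolicy -WsusUrl 'http://wsus-lab.internal:8530'
```

On a domain-joined lab the same three values live under Computer Configuration > Administrative Templates > Windows Components > Windows Update, where "No auto-restart with logged on users for scheduled automatic updates installations" is the setting that protects a running job. Check the result on a workstation with `Get-ItemProperty` on the `AU` key, and keep the export and import logs with the media so the lab can show which catalogue version each machine was patched from.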