Thanks all. Have definitely learnt some useful info here. The moral of the story: everyone seems to do things slightly differently depending on the kind of forensic work they do. Cheers.
Something to be aware of, though, is performance and software conflicts.
In my current role I only use a few pieces of software, so if an update causes a problem or conflict it's fairly easy and quick to troubleshoot and fix. In my previous role the analysis machines had numerous pieces of software installed, so applying all available updates (whether via the internet, an internal server or manually) could make life very difficult if a conflict was caused by one of the updates.
Hence, "if it ain't broke, don't fix it".
Many Windows updates are to address security flaws; if your machine is air-gapped then you are unlikely to be in danger from these flaws.
The last thing on earth I would ever do is let an IT manager near my analysis machine 😉
… - if it isn't broken, it doesn't need fixing!
The presence of a security update is an indication that it is broken.
Some years ago, vulnerabilities in graphics libraries were discovered by the dozen. These libraries apparently checked the input files so badly that it was easy to create buffer overflows etc. to inject hostile code. And of course there were lots of people who did. And this kind of problem is still there, though not quite as prevalent.
If that kind of hostile file happens to be part of a case, and at some point or other is viewed by the analyst, … do you know what happens? Or exported as a file, and viewed in some other way? Does the forensic platform in use do its own testing, or does it rely on whatever basic graphics libraries are present in the platform? If it uses a third-party product (like this Inside Out from Oracle), the question still applies: what does this product do?
It seems rather foolhardy not to patch up this kind of vulnerability as soon as possible.
Vulnerabilities in network services, on the other hand, probably won't matter if the network is and remains well isolated and controlled.
A valid point, although my "ain't broke, don't fix it" was more referring to the computer and all its forensic software working, rather than flaws in third-party drivers etc.
With regard to unknowingly copying or accessing malicious files, that's where having a good AV comes into play. As part of an in-depth analysis we used to mount the image, then first run AV scans to identify any potentially malicious files. Obviously this is not foolproof, but with an air-gapped machine that has no network access there is very little damage that can be done should we access a virus.
Hi,
WSUS is the method we use; it's provided as part of Windows Server 2008 R2 and probably other server varieties.
Basically, we have a laptop running Server 2008 which connects to the Internet and downloads all applicable updates (based on what OS all your machines have and what MS products they run, e.g. SQL, Office). These updates are exported to a USB drive and then imported onto the air-gapped server, which distributes the updates to the forensic machines.
Our group policy is configured so as to allow a user to choose when they wish to reboot after an update.
It seems to work well.
john
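The export/import round trip john describes, written out as an added PowerShell example (this is not john's own script, and the thread does not show one). The WSUSUtil.exe location and its export/import verbs are the documented ones; the content folder path, the USB drive letter, the air-gapped server name and port, and the choice of policy values are assumptions to adjust for your own setup. WSUSUtil must run on the WSUS server itself, and on WSUS 3.0 (Server 2008 R2) the metadata package is a .cab, whereas WSUS 4.0 and later use .xml.gz.

```powershell
# Added example, not from the original post. Paths, drive letters and the
# server name below are assumptions; the WSUSUtil verbs and the Windows Update
# policy registry values are the documented ones.

$WsusUtil   = "$env:ProgramFiles\Update Services\Tools\WSUSUtil.exe"
$ContentDir = "D:\WSUS\WSUSContent"     # assumed WSUS content folder
$Usb        = "E:\wsus-transfer"        # assumed removable drive
$Package    = "export.cab"              # WSUS 3.0; use export.xml.gz on WSUS 4.0+

# --- Step 1: run on the Internet-connected WSUS box (john's laptop) ----------
function Export-WsusToUsb {
    New-Item -ItemType Directory -Path $Usb -Force | Out-Null
    # Metadata (catalogue, approvals) goes into one package file...
    & $WsusUtil export (Join-Path $Usb $Package) (Join-Path $Usb "export.log")
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed, see export.log" }
    # ...while the update binaries are plain files under WSUSContent.
    # /MIR mirrors the tree; /XO skips files already copied on an earlier run.
    robocopy $ContentDir (Join-Path $Usb "WSUSContent") /MIR /XO /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures ($LASTEXITCODE)" }
}

# --- Step 2: run on the air-gapped WSUS server -------------------------------
function Import-WsusFromUsb {
    # Content first, so every update in the imported catalogue has its payload.
    robocopy (Join-Path $Usb "WSUSContent") $ContentDir /E /XO /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures ($LASTEXITCODE)" }
    & $WsusUtil import (Join-Path $Usb $Package) (Join-Path $Usb "import.log")
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed, see import.log" }
}

# --- Step 3: what the group policy sets on each forensic workstation ---------
# Expressed as the registry values the GPO writes, so a client can be checked
# (or configured by hand) without the GPO tooling. Server name is assumed.
function Set-ForensicClientUpdatePolicy {
    param([string]$WsusServer = "http://wsus-airgap:8530")   # assumed host/port
    $wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    $au = "$wu\AU"
    New-Item -Path $au -Force | Out-Null
    # Point the client at the internal WSUS server instead of Microsoft Update.
    Set-ItemProperty $wu WUServer       $WsusServer
    Set-ItemProperty $wu WUStatusServer $WsusServer
    Set-ItemProperty $au UseWUServer    1 -Type DWord
    # "Configure Automatic Updates": 4 = auto download and schedule the install
    # (daily at 03:00 here), so patches land without analyst interaction...
    Set-ItemProperty $au AUOptions            4 -Type DWord
    Set-ItemProperty $au ScheduledInstallDay  0 -Type DWord
    Set-ItemProperty $au ScheduledInstallTime 3 -Type DWord
    # ...but "No auto-restart with logged on users" leaves the reboot to the
    # analyst, which is the behaviour the post describes.
    Set-ItemProperty $au NoAutoRebootWithLoggedOnUsers 1 -Type DWord
}

# Verify a client: $true only if it is pointed at WSUS and cannot force a reboot.
function Test-ForensicClientUpdatePolicy {
    $au = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
    $p  = Get-ItemProperty $au -ErrorAction SilentlyContinue
    return [bool]($p -and $p.UseWUServer -eq 1 -and $p.NoAutoRebootWithLoggedOnUsers -eq 1)
}
```

Run `Export-WsusToUsb` on the connected machine, move the drive across, run `Import-WsusFromUsb` on the isolated server, then approve the updates in the WSUS console as usual. `Test-ForensicClientUpdatePolicy` is the check worth running on an analysis box before a long examination: it confirms the machine will never reboot out from under a logged-on analyst, whatever else the policy does.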
Better late than never. I have an Ethernet A/B switch on my machine with the PC connected to A and nothing on B, so that A is on and B is off. I leave it off, and when I need to run Windows Update I turn it on long enough to run.