What to do about viruses


Nov 14, 2006
#1
If you find a virus on a file should you delete it? What would that do to the hash? If you do delete the virus, what steps should be taken to document and make sure you don't tarnish your evidence?
 

Prickaerts

Administrator
Jan 2, 2006
#2
Hi Starting over,

Removing/deleting the virus would certainly change the hash of the file. One thing we always do when encountering a virus on an evidence disk is to try and ascertain what it is that virus actually does.

Then we look for digital evidence that might indicate if the virus actually went "active".

Regarding the hashing, you might have a look at a new tool written by Jesse Kornblum --> www.dfrws.org/2006/proceedings/12-Kornblum-pres.pdf

His tool creates and checks hashes on parts of files.

Cheers,

Chris
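Chris's point about hashing parts of files, illustrated with an added Python example (this is not Kornblum's tool and not code from this thread): it hashes a constructed sample file in fixed-size blocks, then shows that overwriting a few bytes in one block changes the whole-file hash but only one of the block hashes, so the untouched blocks can still be verified against the original image. The block size, the sample contents and the "cleaning" step are assumptions made for the demonstration.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed block size for this demonstration


def piecewise_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list[str]:
    """Return one SHA-256 hex digest per fixed-size block of data."""
    return [
        hashlib.sha256(data[i:i + block_size]).hexdigest()
        for i in range(0, len(data), block_size)
    ]


def whole_hash(data: bytes) -> str:
    """SHA-256 of the entire file, the hash an examiner would normally record."""
    return hashlib.sha256(data).hexdigest()


def changed_blocks(before: list[str], after: list[str]) -> list[int]:
    """Indices of blocks whose hash differs, or that exist on only one side."""
    n = max(len(before), len(after))
    return [i for i in range(n)
            if i >= len(before) or i >= len(after) or before[i] != after[i]]


def demo() -> dict:
    # Constructed sample "evidence file": five blocks of filler with a marker
    # string placed inside block 3 (standing in for the infected region).
    original = bytearray(b"A" * (BLOCK_SIZE * 5))
    marker = b"<<constructed-sample-marker>>"
    start = BLOCK_SIZE * 3 + 100
    original[start:start + len(marker)] = marker
    original = bytes(original)

    # "Cleaning" is modelled as overwriting the marker with zeros in place,
    # which leaves the file length unchanged but alters the bytes of block 3.
    cleaned = bytearray(original)
    cleaned[start:start + len(marker)] = b"\x00" * len(marker)
    cleaned = bytes(cleaned)

    return {
        "whole_changed": whole_hash(original) != whole_hash(cleaned),
        "blocks_changed": changed_blocks(piecewise_hashes(original),
                                         piecewise_hashes(cleaned)),
        "total_blocks": len(piecewise_hashes(original)),
    }
```

Run against a real image, the per-block digests recorded before any cleaning let you show which blocks were altered and prove the rest are unchanged, instead of the whole-file hash simply no longer matching.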
 

az_gcfa

New Member
Nov 30, 2006
#4
Never ever intentionally modify the evidence. You should be working on an exact copy of the evidence. Note in your case notes that you found the virus, attempt to determine the exact location of the virus (file slack, unallocated space, zip archive, jpeg, etc.). Some viruses and malware can infect your workstation. You need to obtain as much information as possible to identify and prevent any secondary infestation.
Ensure you document this fully. Don't devote your life to it - because this may have nothing to do with your case! However, you still need to protect yourself and others.

For example, you are working a case and must provide Discovery information. You provide counsel with the requested information and forget about the virus. (Not saying that anyone would -- just suppose) Counsel's equipment becomes infected. How valuable is your work and testimony now? That is just one of the hundreds of questions and problems that will now have to be resolved. Hopefully, you or the firm you work for has good insurance!
 
