
Mobile extractions infecting your investigative platform?

7 Posts
7 Users
0 Likes
309 Views
hcso1510
(@hcso1510)
Posts: 303
Reputable Member
Topic starter
 

I was recently asked whether or not you could obtain malware from a mobile extraction and then have it infect the computer you were using to view the data.

In a perfect world I would assume the best practice would be to only use computers for examinations that are not connected to the internet. I would also think that the computer should have the most up-to-date virus protection and that it should be run against any downloads prior to viewing.

The reason I am asking is that in this case I don't believe any of these best practices are being followed.

In general what are you folks doing AND does anyone know of cases involving malware obtained from a mobile extraction infecting a work station?

Many thanks!

 
Posted : 28/11/2016 11:57 pm
troyschnack
(@troyschnack)
Posts: 13
Active Member
 

The majority of malware on phones is OS-dependent, so malware on Android wouldn't infect a workstation running Windows. It is possible that a phone could be storing Windows malware just waiting to be shared to a computer system, but I'd say that's unlikely. Also keep in mind that many mobile forensic tools require that AV be turned off to allow mobile OS attacks to attempt root access.

I've never had a mobile device acquisition infect the workstation.

 
Posted : 29/11/2016 1:48 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Whenever possible, we use virtual machines for our examinations. So far we haven't had any virus/malware issues, but if it happens, we'll simply delete the VM and start over with a clean platform.

 
Posted : 29/11/2016 3:04 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Whenever possible, we use virtual machines for our examinations. So far we haven't had any virus/malware issues, but if it happens, we'll simply delete the VM and start over with a clean platform.

Do you ever have issues with dongle detection, out of interest?

 
Posted : 30/11/2016 12:40 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

I do note from time to time that my AV (Vipre) will block some items when I'm dumping a phone download for a client.

In some cases they appear to be genuine malware attachments to emails etc, but in most cases they are false positives.

I always suspected that perhaps some legitimate mobile apps are coded in such a way that they get flagged by computer AV, but I'm not really sure.

 
Posted : 30/11/2016 12:47 pm
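Added example, not part of the thread and not code from any of the tools mentioned: a small triage script that does on the isolated VM what troyschnack's and Adam10541's posts point at. It walks an extraction folder, flags files by their magic bytes regardless of extension (so a Windows PE e-mail attachment sitting in a phone dump is noticed even if it is named like an image), and records a SHA-256 for each hit for AV/lookup review before anyone double-clicks anything. The folder layout and sample files are constructed; nothing is executed, only read.

```python
import hashlib
import tempfile
from pathlib import Path

# Magic bytes checked regardless of extension: a Windows executable saved as
# an e-mail attachment in a phone dump does not need a .exe name to be one.
SIGNATURES = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF binary (Linux/Android native code)",
    b"dex\n": "Dalvik DEX (Android bytecode)",
    b"PK\x03\x04": "ZIP container (APK / JAR / Office document)",
    b"%PDF": "PDF document",
}

def classify(header: bytes):
    """Return the signature label for a file header, or None if unremarkable."""
    for magic, label in SIGNATURES.items():
        if header.startswith(magic):
            return label
    return None

def triage(root):
    """Walk an extraction folder; return flagged files with type and SHA-256.
    Files are only read, never executed or opened with their handler."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        sha = hashlib.sha256()
        with open(path, "rb") as f:
            first = f.read(65536)
            label = classify(first[:8])
            if label is None:
                continue            # not flagged, so no need to hash it
            sha.update(first)
            for chunk in iter(lambda: f.read(65536), b""):
                sha.update(chunk)
        findings.append({"path": path.relative_to(root).as_posix(),
                         "type": label, "sha256": sha.hexdigest()})
    return findings

def demo():
    """Constructed sample extraction: three files, two of them worth a look."""
    with tempfile.TemporaryDirectory() as tmp:
        mail = Path(tmp) / "mail" / "attachments"
        mail.mkdir(parents=True)
        # constructed: a PE header hiding behind an image extension
        (mail / "invoice.jpg").write_bytes(b"MZ" + b"\x90" * 100)
        (mail / "agenda.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (Path(tmp) / "notes.txt").write_text("plain text, nothing flagged")
        return triage(tmp)

if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['type']:40} {hit['path']}  sha256={hit['sha256'][:16]}...")
```

Hits go to the AV or a hash lookup first; the script itself never opens a file with its handler, which is the point of doing triage before viewing.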
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

In a perfect world I would assume the best practice would be to only use computers for examinations that are not connected to the internet.

… with a freshly installed OS on a previously wiped disk or just re-imaged from a pristine condition image (… in a perfect world).

jaclaz

 
Posted : 30/11/2016 3:43 pm
RonS
(@rons)
Posts: 358
Reputable Member
 

This is a very good question, which illustrates yet another advantage of a stand-alone dedicated extraction solution such as the Cellebrite UFED Touch that was designed to be protected.

 
Posted : 30/11/2016 6:56 pm