Hello
So I was doing this incident response and advanced forensics course from cybrary.it that states that for extracting evidence you should have a "clean usb" with a write blocker to avoid copying anything to the infected machine.
But I'm failing to understand how I will be able to copy the malicious executable from the infected machine to the usb drive if it has this write block?
The course also says you can have a "useful tools" folder, and then I read that the write blockers allow executing commands, so this means I would have to have some kind of copy command to extract the malicious file?
What I want is to have someone accessing the infected machine using this "clean usb" and extracting the malicious file.
Thanks!
Dear Daniela!
You should go a bit deeper and learn the right forensic ways )
By using a write blocker you prevent the infection of the pendrive. This is very useful when you try to create a RAM dump of an infected machine, so your pendrive content and the tools running from the pendrive won't be altered in any way.
You should never copy a malicious file to your devices. The good way is creating a binary image of the device data and analyzing the image content later on. The analysis should be done in a sandbox or in a virtual machine, so in case of any infection, your forensic equipment and software would remain safe.
I hope it helps…
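The workflow the reply describes (take a byte-for-byte image, record its hash, verify the copy, keep the tools folder unchanged, analyze elsewhere) as an added example in Python. This is not code from the course or from either poster. It assumes the image is written to a separate writable evidence volume rather than to the write-blocked tools drive, and every path, the "tools" folder name and the sample device contents below are constructed stand-ins, not real evidence.

```python
"""Forensic imaging helper (example code, not from the course or thread).

Streams a source (a block device path or a file standing in for one) into an
image file, hashes the bytes as they are read, writes a sidecar record, then
re-reads the image to confirm the copy matches. Also builds a hash manifest of
a tools folder so any alteration of the tools can be detected afterwards.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB pieces; value is an assumption


def sha256_file(path: str, chunk_size: int = CHUNK_SIZE) -> str:
    """SHA-256 of a file read in chunks (works for large images)."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_device(source: str, image_path: str, chunk_size: int = CHUNK_SIZE) -> dict:
    """Copy `source` byte-for-byte into `image_path`.

    The hash is computed from the bytes as they are read from the source, so
    the sidecar record describes the original device, not just the copy.
    """
    read_hash = hashlib.sha256()
    total = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            read_hash.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image reached the evidence volume
    record = {"source": source, "image": image_path,
              "bytes": total, "sha256": read_hash.hexdigest()}
    Path(image_path + ".json").write_text(json.dumps(record, indent=2))
    return record


def verify_image(image_path: str) -> bool:
    """Re-read the written image and compare it with the sidecar record."""
    record = json.loads(Path(image_path + ".json").read_text())
    return (os.path.getsize(image_path) == record["bytes"]
            and sha256_file(image_path) == record["sha256"])


def tool_manifest(tools_dir: str) -> dict:
    """Relative path -> SHA-256 for every file under the tools folder."""
    root = Path(tools_dir)
    return {p.relative_to(root).as_posix(): sha256_file(str(p))
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_changes(before: dict, after: dict) -> list:
    """Paths that were added, removed or modified between two manifests."""
    return sorted(k for k in set(before) | set(after)
                  if before.get(k) != after.get(k))


def demo() -> dict:
    """Run the whole workflow on constructed sample data in a temp directory."""
    with tempfile.TemporaryDirectory() as work_dir:
        work = Path(work_dir)
        device = work / "fake_device.bin"          # constructed stand-in device
        device.write_bytes(bytes(range(256)) * 4096)  # 1 MiB of pattern bytes
        evidence = work / "evidence"               # assumed writable evidence volume
        evidence.mkdir()
        record = image_device(str(device), str(evidence / "disk.img"))
        verified = verify_image(str(evidence / "disk.img"))

        tools = work / "tools"                     # constructed tools folder
        tools.mkdir()
        (tools / "hashcalc.txt").write_text("tool A")
        (tools / "dump.txt").write_text("tool B")
        before = tool_manifest(str(tools))
        after_clean = tool_manifest(str(tools))
        (tools / "dump.txt").write_text("tool B modified")  # simulated alteration
        after_tampered = tool_manifest(str(tools))

        return {"bytes": record["bytes"], "verified": verified,
                "unchanged": manifest_changes(before, after_clean),
                "changed": manifest_changes(before, after_tampered)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The sidecar `.json` record travels with the image so the hash can be re-checked at analysis time in the sandbox or virtual machine; the manifest comparison is what tells you whether anything on the tools folder changed during the collection.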
Thanks for the reply.
Well, my interest goes to the incident response part, so I'm not looking for deep forensics knowledge at the moment; as my first post said, I'm particularly looking for a way to extract the malicious file from an infected machine.
I still don't get how I would copy the image from the machine without infecting the usb.