USB Malware and WinFE

The recent release of USB malware code, which makes any USB device suspect of infection once it has been plugged into a machine you don't know is clean, creates a problem for bootable USB devices in forensic collection.  Some of the very scary claims made about the USB malware are (http://news.discovery.com/tech/gear-and-gadgets/warning-usb-malware-code-unleashed-141006.htm):

  • Alter files from thumb drives
  • Redirect Internet traffic
  • Tap and spy on USB-enabled smartphones
  • Hijack keyboards to type commands
  • Potentially inject malicious elements as files are being transferred


That is bad stuff for a forensic bootable USB device.  I've seen a few suggested solutions to the USB infection issue, but the fastest solution with WinFE is to burn it to a CD/DVD instead of making a bootable USB: a finalized disc is read-only, so nothing on a suspect machine can write back to it.  Problem solved.
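Burning to write-once optical media takes the reprogrammable USB controller out of the picture, but the disc is only as trustworthy as the ISO it was burned from. The following shell script is an added example, not code from the original post or from the WinFE/Mini-WinFE project: it checks the ISO against a known-good SHA-256 recorded when it was built, and after burning confirms that the finalized disc reads back identical to the ISO. The ISO path, the expected hash and the /dev/sr0 device path are assumptions to be replaced with your own.

```shell
#!/bin/sh
# Added example, not part of the original post or the WinFE project.
# Verifies a WinFE ISO against a known-good SHA-256 before burning, then checks
# that the burned disc matches the ISO byte for byte. The ISO path, expected
# hash and optical device (/dev/sr0) are assumptions; substitute your own.

# Hash stdin with SHA-256, using sha256sum (GNU) or shasum (macOS/BSD).
sha256_stream() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    else
        shasum -a 256 | awk '{print $1}'
    fi
}

# Hash a file by path.
sha256_of() {
    sha256_stream < "$1"
}

# Succeed (exit 0) only if the ISO hashes to the value recorded when it was built.
# Run this before burning so a tampered or corrupted ISO never reaches the disc.
verify_iso_hash() {
    iso="$1"; expected="$2"
    actual=$(sha256_of "$iso")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $iso matches expected SHA-256"
        return 0
    fi
    echo "MISMATCH: $iso hashed to $actual, expected $expected" >&2
    return 1
}

# Succeed only if the burned medium reproduces the ISO exactly. Optical drives
# report the track padded past the image length, so only the ISO's own byte
# count is read back from the device and compared.
verify_burn() {
    iso="$1"; device="$2"
    size=$(wc -c < "$iso" | tr -d ' ')
    iso_hash=$(sha256_of "$iso")
    disc_hash=$(head -c "$size" "$device" | sha256_stream)
    if [ "$iso_hash" = "$disc_hash" ]; then
        echo "OK: $device reproduces $iso ($size bytes)"
        return 0
    fi
    echo "MISMATCH: $device does not match $iso" >&2
    return 1
}

# Usage: sh verify_winfe.sh winfe.iso <expected-sha256> /dev/sr0
# The hash check runs before burning; the burn check runs after the disc is
# finalized and reloaded in the drive.
if [ "$#" -eq 3 ]; then
    verify_iso_hash "$1" "$2" && verify_burn "$1" "$3"
fi
```

Record the ISO's hash on the case notes at the same time you burn it; the burn check is then repeatable on any disc from the batch, which is what you want when several examiners share media built from one ISO.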

Building a WinFE is still very, very easy.  Using the Mini-WinFE build, I just timed creating a WinFE DVD at less than 6 minutes.  That was a few minutes with WinBuilder and a few minutes burning the ISO to DVD, while taking my time with the short process.  If you haven't yet built a WinFE, the process is almost completely automated: just point WinBuilder at your Windows 7/8 source and press go.  Less than 5 minutes later, you have a forensically sound, bootable ISO, CD, DVD or USB.

Granted, creating a WinFE CD/DVD in less than 10 minutes is not going to save you time compared to imaging a removed hard drive with a hardware imaging device.  But if you have LOTS of machines to image, booting the machines to be seized into WinFE will most likely be faster than removing hard drives and sharing hardware imaging devices.  And for those pesky drives that won't come out, WinFE may be a better solution than fighting with an ultralight, can't-find-the-screws-to-remove-the-darn-hard-drive machine.

Thursday, 25 May 2017