Question about disk images / BitCurator / and malware


K Smith

Feb 13, 2014, 9:48:45 AM2/13/14
to bitcurat...@googlegroups.com
In reading through the great information on the BitCurator wiki FAQ I was curious how creating a disk image and performing the scripts in BitCurator protects a computer from malware. Is it because the actions are performed within a VM? It seems like it would be great to know if a disk/medium has infected files before doing a lot more work with the disk.

What do the BitCurator team folks think?

Kari Smith


Matthew Kirschenbaum

Feb 13, 2014, 10:40:54 AM2/13/14
to bitcurat...@googlegroups.com
Hi Kari,

It's not the VM per se but rather the fact that nothing in/on (choose your preposition!) the disk image is actually executing, at least until such time as the image is mounted on a host system. Best, Matt




--
Matthew Kirschenbaum
Associate Professor of English
Associate Director, Maryland Institute for Technology in the Humanities (MITH)
University of Maryland
301-405-8505 or 301-314-7111 (fax)
http://mkirschenbaum.net and @mkirschenbaum on Twitter

Track Changes tumblr: http://trackchangesbook.tumblr.com/

Kam Woods

Feb 13, 2014, 12:20:26 PM2/13/14
to bitcurat...@googlegroups.com
BitCurator includes a number of tools to scan disk images before any actions are performed (even mounting them). TSK provides a script and configuration file to scan the contents of a disk image using fiwalk's plugin system, by firing off an instance of the ClamAV daemon (https://github.com/sleuthkit/sleuthkit/tree/master/tools/fiwalk/plugins). Unfortunately, that script is missing from the current distributed release (4.1.3), so it's not in 0.7.0. I'm about to go find out why.

BitCurator does also include ClamTK, which can be used to scan any mounted image or directory of files (you can start up ClamTK by simply typing its name in the Unity launcher).

Kam



K Smith

Feb 13, 2014, 1:23:54 PM2/13/14
to bitcurat...@googlegroups.com
Thanks Kam and Mark,
I did notice ClamAV in the list of included tools and wasn't sure how it fit into the other tasks that BitCurator runs. Since I'm trying out the feature to Export Files from the disk image into a folder, I was wondering if that's a point to virus scan, before moving the files out of the VM.
As I'm thinking through our larger digital curation workflow, I'm looking for tasks that don't need to be repeated as I move files and metadata through the human-tool chain.

Kari




Christie Peterson

Jun 27, 2014, 3:50:42 PM6/27/14
to bitcurat...@googlegroups.com
Hi Kam,

I was wondering if you could follow up on this with an update. It looks like from the BC documentation that this script was included in 0.9.12, correct? I was curious what you found out about why it was not in the distributed release of TSK.

I also wanted to make sure I understand the capacities of ClamTK and the TSK script. ClamTK can only scan a disk image if the image is mounted, but the TSK script can scan for viruses within a disk image without actually mounting it?

So, for example, if I had a floppy disk with a boot sector virus and I created a raw image of the disk, running ClamTK over the unmounted disk image file would not catch the virus, but running the TSK script over it would?

Thanks,

Christie Peterson

Kam Woods

Jun 27, 2014, 4:59:38 PM6/27/14
to bitcurat...@googlegroups.com
Hi Christie,

I have not followed up on this yet. I'll try and get back to you soon...

Kam


Christie Peterson

Jul 1, 2014, 6:31:57 PM7/1/14
to bitcurat...@googlegroups.com
Hi Kam,

I downloaded 0.9.13 and found it incorporated ficlam (even got it to work!), so I guess I've answered my own question at this point.

If you're looking for wishlist items to add to BitCurator, I've got a few related to this :)

Best,

Christie


Jess Whyte

Mar 23, 2016, 9:56:55 AM3/23/16
to BitCurator Users, christie....@gmail.com
Hi,

Is ficlam included in the latest version of BitCurator (v 1.6.0)? I feel a bit silly, but I can't find it/the clamconfig.txt file (tried running a locate search).

Also, on a related note, do others run a scan on both the image file and then also on its contents? Or is this something I would only need to do for, say, HFS disks (and other non-fiwalk-supported filesystem types)?

Thank you,

Jess
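A defender-side script for the two-stage approach Kam describes and Jess asks about: ClamAV is run over the raw image file as a whole, and then over the files that The Sleuth Kit extracts from it, so the host never mounts the image. This is an added example, not BitCurator's or TSK's own ficlam script; it assumes clamscan and tsk_recover are on PATH and that the image is a raw image of a filesystem TSK can parse.

```python
# Added example (not BitCurator's or TSK's ficlam script): scan a raw disk
# image as a whole, then its file contents extracted with tsk_recover, so the
# host never mounts the filesystem. Assumes clamscan and tsk_recover on PATH.
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Optional

def parse_clamscan(output: str) -> dict:
    """Map scanned path -> signature name for lines of the form
    '/some/file: Win.Test.EICAR_HDB-1 FOUND'. Lines ending in 'OK',
    blank lines and the SCAN SUMMARY footer are ignored."""
    hits = {}
    for line in output.splitlines():
        if not line.endswith(" FOUND"):
            continue
        path, sep, sig = line[: -len(" FOUND")].rpartition(": ")
        if sep:
            hits[path] = sig
    return hits

def clamscan(target: Path, base: Optional[Path] = None) -> dict:
    # -r recurse, -i print only infected files, --no-summary drops the footer.
    # Exit status 1 means "something was found"; 2 means clamscan itself failed.
    proc = subprocess.run(
        ["clamscan", "-r", "-i", "--no-summary", "--stdout", str(target)],
        capture_output=True, text=True)
    if proc.returncode == 2:
        raise RuntimeError(proc.stderr.strip() or proc.stdout.strip())
    hits = parse_clamscan(proc.stdout)
    if base is not None:  # report paths relative to the extraction directory
        hits = {str(Path(p).relative_to(base)): s for p, s in hits.items()}
    return hits

def scan_image(image: Path) -> dict:
    """Return {'image': hits on the raw bytes, 'contents': hits on files}."""
    results = {"image": clamscan(image)}
    with tempfile.TemporaryDirectory() as out:
        # tsk_recover -a exports the allocated files through TSK's own
        # filesystem parsers; an unsupported filesystem makes it exit non-zero.
        subprocess.run(["tsk_recover", "-a", str(image), out],
                       check=True, capture_output=True)
        results["contents"] = clamscan(Path(out), base=Path(out))
    return results

if __name__ == "__main__":
    for stage, hits in scan_image(Path(sys.argv[1])).items():
        print(f"{stage}: {len(hits)} detection(s)")
        for path, sig in hits.items():
            print(f"  {path}: {sig}")
```

Run it as `python scan_image.py floppy.dd`; a hit in the "image" stage but not in "contents" points at something outside the allocated files (boot sector, slack, unallocated space), which is exactly the case a per-file scan alone would miss.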