The Rosewill bridge I have came with its own PSU & can be attached w/o removing the drive, very nice.

I'm writing a PowerShell script to get file details, launch md5deep to calc the md5, and then store the results in a CSV file to have a DB for this type of testing. There is some degree of checksum databases available from the government sites, but they lack file details like path, date & version. The most common use for the government DB seems to be excluding known files from an image for forensics.

Foreign registry .dat's can easily be mounted on a test system, negating the need to test on a suspect box IMHO.

On 5/26/2010 4:34 AM, Thane Sherrington wrote:
At 07:25 PM 25/05/2010, Christopher Fisk wrote:

Yank drive: Plug in USB HDD converter (I have one that does SATA, IDE
and Laptop IDE size plug in one) and scan in a known clean machine.
That way you can have a known clean system doing the scan and won't
have to worry that a rootkit is hiding itself.

I do a variant of this myself, but then I do a secondary scan inside the
actual OS to deal with registry entries and so that programs like
Malwarebytes (MWB) will work more reliably (MWB requires the OS to be
live for best scanning, according to the writers.)

I've run into viruses recently that usurp winlogon in win.ini as well
as the explorer.exe shell in the registry.

Oh that happens all the time these days. I have that fix pretty much
automated now.

Hell, once recently even replaced the keyboard driver. Once a machine
is infected it is faster just to yank the drive and scan it externally
to a known good machine.

Have you tried using an MD5 hash on the files in the Windows folder and
subfolders and compared it to a known good hash to try to find
infections? I've been playing with that.

I never trust a virus scan run on a machine that is already infected.
I do run a Malware scan once I get the machine cleared of viruses on
another machine to finalize the registry portion of the scan.

You're absolutely right on this.

T
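As an added example (not code from anyone in this thread), here is a PowerShell version of the idea discussed above: record file details plus an MD5 per file into a CSV baseline built on a known-clean install, then compare a suspect drive mounted over USB against it. It assumes PowerShell 4.0 or newer and uses the built-in Get-FileHash in place of the md5deep call mentioned in the thread; the function names and the paths in the usage comment are placeholders.

```powershell
# Added example, not from the thread. Builds a CSV baseline of file details plus MD5
# for a folder tree, then flags files that are new, modified, unreadable or missing
# relative to that baseline. Assumes PowerShell 4.0+ (Get-FileHash stands in for md5deep).

function Get-FileHashRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string] $Algorithm = 'MD5'
    )
    $rootPath = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootPath -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = ''
            try {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm -ErrorAction Stop).Hash
            } catch {
                # Locked or unreadable file: keep the row with an empty hash instead of aborting the scan
            }
            [PSCustomObject]@{
                # Path relative to the scan root, so a drive mounted under another letter still lines up
                RelativePath = $_.FullName.Substring($rootPath.Length).TrimStart('\')
                Size         = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
                FileVersion  = $_.VersionInfo.FileVersion
                ProductName  = $_.VersionInfo.ProductName
                Algorithm    = $Algorithm
                Hash         = $hash
            }
        }
}

function Export-HashBaseline {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $CsvPath
    )
    Get-FileHashRecord -Root $Root |
        Export-Csv -LiteralPath $CsvPath -NoTypeInformation -Encoding UTF8
}

function Compare-HashBaseline {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $BaselineCsv
    )
    # Index the baseline by relative path for O(1) lookups
    $known = @{}
    foreach ($row in (Import-Csv -LiteralPath $BaselineCsv)) {
        $known[$row.RelativePath] = $row
    }
    $seen = @{}
    foreach ($cur in (Get-FileHashRecord -Root $Root)) {
        $seen[$cur.RelativePath] = $true
        $base = $known[$cur.RelativePath]
        if ($null -eq $base)                { $status = 'New' }
        elseif ($cur.Hash -eq '')           { $status = 'Unreadable' }
        elseif ($cur.Hash -eq $base.Hash)   { $status = 'Unchanged' }
        else                                { $status = 'Modified' }
        if ($status -ne 'Unchanged') {
            $baseHash = ''
            if ($base) { $baseHash = $base.Hash }
            [PSCustomObject]@{
                Status       = $status
                RelativePath = $cur.RelativePath
                BaselineHash = $baseHash
                CurrentHash  = $cur.Hash
                FileVersion  = $cur.FileVersion
                LastWriteUtc = $cur.LastWriteUtc
            }
        }
    }
    # Files in the baseline but absent from the scan are reported as well; a missing
    # system file is as worth a look as a changed one
    foreach ($path in $known.Keys) {
        if (-not $seen.ContainsKey($path)) {
            [PSCustomObject]@{
                Status       = 'Missing'
                RelativePath = $path
                BaselineHash = $known[$path].Hash
                CurrentHash  = ''
                FileVersion  = $known[$path].FileVersion
                LastWriteUtc = $known[$path].LastWriteUtc
            }
        }
    }
}

# Usage (paths are placeholders): build the baseline on a known-clean install of the same
# Windows version and patch level, then compare the suspect drive mounted via the USB bridge.
# Export-HashBaseline  -Root 'C:\Windows' -CsvPath 'C:\baselines\win-clean.csv'
# Compare-HashBaseline -Root 'E:\Windows' -BaselineCsv 'C:\baselines\win-clean.csv' |
#     Sort-Object Status, RelativePath | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the output: the baseline only matches if it was built from the same Windows version and patch level, since every update changes hashes of legitimate files, and an "Unchanged" result says nothing about the win.ini and registry entries mentioned earlier in the thread, which live outside the files being hashed.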

