Secure way of copying files to another machine

If I suspect that my machine (win 10) is pwn’d and want to copy just some important files/folders to an external hdd connected to another machine (mac), would doing an ssh and copying just the selected files be safe? Is there any chance of infection spreading to the new machine through ssh connection? If yes what is the best way of dealing with the situations like this?

I would pull the drive and mount it read only on a different machine to get the files. A USB to SATA adapter can be had for under $20 at Tanner Electronics.


Assume that any file may be infected.

Microsoft data files (Word, Excel, etc.) can contain malware in the form of scripts.

.PDF files can be infected.

Run a virus scan on the copied files before trying to open them.

Turn off the hiding of file name extensions in Windows. Some people think they are ugly, but it is very useful to be able to tell the difference between

  • picture.jpg

and

  • picture.jpg.exe

You could also use a live CD. You can scan your drive and copy files.

There is some danger in plugging a virus-infected drive into a clean PC. Normally it is okay, if the system is configured right to not run autorun and it has good virus software installed.

Or if it is running a different OS, i.e. a Win 10 drive in a Mac, or in a Linux box… but yeah, a live CD is a good idea too.

I have scanned all the drives with McAfee Total Protection (if you call it good AV software) and found a couple of viruses, which it deleted. I could be a bit paranoid, which is why somehow I doubt there could be more that didn’t get identified. I have heard these AVs are not good at scanning .pdf-based malware.

Pull the hard drive. Set up a Windows VM on a known clean machine and check the hard drive on the Windows VM. If it’s clean, copy the files, if it’s not, clean it first then copy the files.

Everyone has the right idea here, and my solution is to pull the drive, image it as an ISO, then deep-level format and reinstall the OS.

From there one can then carve out the files as needed from the ISO inside a virtual machine.

The added benefit here is lower chances of secondary infections and one has hard evidence for court.

Of course one should still scan the recovered files and one’s daily backup deltas, and consider them still infected afterwards.

But at least one can get the more valuable data that was not already in an automatic backup this way.


I take regular backups of important folders to my external HDD. The issue that I see with the ISO is that I have my laptop SSD encrypted. Can I read the encrypted SSD from a VM?

When you say clean, is it running an AV scan? I already did that. Now if I am expected to run the AV (McAfee Total Protection) again on the disks, I’d better keep the current OS?

That’s the key. Mount as read only and do a virus scan before copying things elsewhere.

3 questions

  1. Do I need to decrypt the disk?
  2. How to scan for virus/malware etc… from Linux (assuming you are referring to mount as read only in linux)?
  3. Given you want me to scan for virus, I already did that on all the disks, so it would be redundant to do all this exercise?

My number one concern is about any keylogger software running on my PC. Any idea how to scan for those?

  1. Yes.
  2. ClamAV.
  3. Your call.

I’d mount it via USB and Windows - just because I know my tools better there.

  1. Autorun must be off.

  2. Scan with multiple tools: Trend Micro House Call, McAfee Stinger, Kaspersky’s Rootkit Killer, Immunet.com’s protection (Powered by Cisco’s Advanced Malware Protection software - Sourcefire acquisition), Malwarebytes, and more.

  3. Pull off data to be kept to a CD image and burn to CD.

  4. Boot the computer containing the drive with a DBAN CD and zero out the whole hard drive.

  5. Reload the machine OS, drivers, and software.

  6. Rescan the CD with those tools again to see if newer data definitions catch any new threats… or upload each file slowly from the CD to virustotal.com. 🙂

Once you’re sure the data is clean, copy it down to the PC to be used again.


decrypt the disk

Depends on how it was encrypted. Usually cryptfs can handle most implementations, but if it’s something highly proprietary then it’s not likely to happen. Which software did you use to encrypt the drive?

Bitlocker for Win 10. Both internal SSD and External HDD are encrypted using it.

https://www.systutorials.com/docs/linux/man/1-dislocker-fuse/

Basically boot into a livecd, install dislocker then:

dislocker -V encrypted.bitlocker -f /path/to/usb/file.BEK -- /mnt/ntfs
mount -o loop /mnt/ntfs/dislocker-file /mnt/clear
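Putting the thread’s advice together (decrypt with dislocker, mount read-only, scan with ClamAV, refuse names like picture.jpg.exe before copying), here is an added shell example; it is not from any poster in this thread. The device path, .BEK file, mount points and the SCANNER override variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: recover selected files from a suspect
# BitLocker volume on a Linux live system. The volume is decrypted and
# mounted read-only, each file is scanned with ClamAV, and names that hide
# an executable behind a document extension are refused. Paths are assumptions.
set -eu

SCANNER=${SCANNER:-clamscan}   # assumption: override to stub the scanner

# Returns 0 when a name hides an executable behind another extension
# (picture.jpg.exe); plain picture.jpg or setup.exe return 1.
hides_executable() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$name" in
        *.*.exe|*.*.scr|*.*.com|*.*.bat|*.*.cmd|*.*.js|*.*.vbs|*.*.ps1) return 0 ;;
    esac
    return 1
}

# Decrypt with dislocker in read-only mode (-r) and mount the clear-text
# view read-only too, so nothing on the suspect disk can be modified.
mount_suspect_volume() {
    dev=$1 bek=$2
    mkdir -p /mnt/ntfs /mnt/clear
    dislocker -r -V "$dev" -f "$bek" -- /mnt/ntfs
    mount -o loop,ro /mnt/ntfs/dislocker-file /mnt/clear
}

# Copy one file into dest_dir only if its name is not a disguised executable
# and the scanner exits 0 (clamscan: 0 clean, 1 infected, 2 error; any
# non-zero result is treated as a rejection, i.e. fail closed).
recover_file() {
    src=$1 dest_dir=$2
    if hides_executable "$(basename "$src")"; then
        echo "REJECT double extension: $src" >&2
        return 1
    fi
    if ! "$SCANNER" --no-summary "$src" >/dev/null 2>&1; then
        echo "REJECT scanner flagged: $src" >&2
        return 1
    fi
    mkdir -p "$dest_dir"
    cp -p "$src" "$dest_dir"/
}

# Copy every path listed in $1 (one per line, relative to /mnt/clear) to $2,
# skipping rejected files instead of aborting the whole run.
recover_listed() {
    while IFS= read -r rel; do
        recover_file "/mnt/clear/$rel" "$2/$(dirname "$rel")" || true
    done < "$1"
}
```

Typical use on the live system: `mount_suspect_volume /dev/sda3 /path/to/usb/file.BEK` followed by `recover_listed wanted-files.txt /media/external/recovered`.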