Q&A Setup for Analyzing Potentially Infected Devices?

Stretch_

Level 1
Sep 25, 2021
15
38
What type of software and hardware would be recommended for a setup that is used to analyze potentially infected devices?

On a software level I am familiar with virtualization and imaging software that would likely be good to use in such an application. I am less familiar with what a good hardware recommendation would be for such an application.

In particular, preventing devices that are being analyzed from writing to the system they are connected to would be a priority. Beyond that, hardware-level issues such as BadUSB represent another threat that I am unsure how to avoid.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,272
42,725
There are many tools, for example:
  1. AV Rescue Disk (like Kaspersky Rescue Disk).
  2. Sysinternals tools (like Autoruns, Process Monitor, Sysmon).
  3. Wireshark.
Also, using Windows Defender Application Control (Device Guard) in Audit Mode can be very helpful:
https://posts.specterops.io/threat-...ntrol-device-guard-in-audit-mode-602b48cd1c11

For testing potentially infected devices like USB devices, it is recommended to use a special hardware environment or a separate testing computer.

Stretch_

Level 1
Sep 25, 2021
15
38
> There are many tools, for example:
>   1. AV Rescue Disk (like Kaspersky Rescue Disk).
>   2. Sysinternals tools (like Autoruns, Process Monitor, Sysmon).
>   3. Wireshark.
> Also using Windows Defender Application Control (Device Guard) in Audit Mode can be very helpful:
> https://posts.specterops.io/threat-...ntrol-device-guard-in-audit-mode-602b48cd1c11
>
> For testing potentially infected devices like USB devices, it is recommended to use a special hardware environment or a separate testing computer.
Nice suggestions.

Has anyone developed a robust solution for testing potentially infected USB devices? In particular, something hardware-based that could add write protection and help protect against hardware-level concerns such as BadUSB?
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,272
42,725
> Nice suggestions.
>
> Has anyone developed a robust solution to testing potentially infected USB devices? In particular, something hardware-based that could add write protection and help protect against hardware level concerns such as BadUSB?
I am not sure if you are looking at the problem from the right side. If someone performs a BadUSB attack on your computer, then the USB device will have been intentionally prepared for it. Here is an example of such an attack:
The write protection of a USB drive is not related to such attacks.

Typical USB drive infections are of another type. You can use a flash drive with a physical write-protect switch to prevent the flash drive from being infected when connecting it to an unsafe machine.
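An added illustration of the distinction drawn above (this is not code from anyone in the thread): a write-protect switch guards the drive's own contents, whereas a BadUSB-style device is a composite device whose descriptors advertise more than storage, typically a keyboard (HID) or a network adapter next to the mass-storage interface. One thing an analysis host can do before touching the device is enumerate its interface descriptors and reject anything that is not storage-only. The class/subclass/protocol codes below are the standard USB-IF values; the sample descriptors are constructed, not captured from real hardware; the sysfs reader assumes the Linux layout `/sys/bus/usb/devices/<dev>/<dev>:<cfg>.<iface>/bInterfaceClass`.

```python
"""Flag USB devices whose interface descriptors do not match a plain
storage device (BadUSB-style composites that also enumerate as a
keyboard or a network adapter).  Added example; sample descriptors
below are constructed, not read from real hardware."""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import Path

# USB-IF interface class codes (bInterfaceClass)
CLASS_CDC_CONTROL = 0x02
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
CLASS_CDC_DATA = 0x0A
CLASS_WIRELESS = 0xE0


@dataclass
class Interface:
    cls: int      # bInterfaceClass
    subcls: int   # bInterfaceSubClass
    proto: int    # bInterfaceProtocol


@dataclass
class Device:
    name: str     # label used only in findings (constructed)
    vid: int
    pid: int
    interfaces: list[Interface] = field(default_factory=list)


def classify(iface: Interface) -> str:
    """Human-readable label for one interface descriptor."""
    if iface.cls == CLASS_MASS_STORAGE:
        return "mass-storage"
    if iface.cls == CLASS_HID:
        # boot-interface subclass 1: protocol 1 = keyboard, 2 = mouse
        if iface.subcls == 1 and iface.proto == 1:
            return "hid-keyboard"
        if iface.subcls == 1 and iface.proto == 2:
            return "hid-mouse"
        return "hid-other"
    if iface.cls == CLASS_CDC_CONTROL and iface.subcls == 0x06:
        return "network-cdc-ecm"
    if iface.cls == CLASS_WIRELESS and iface.subcls == 1 and iface.proto == 3:
        return "network-rndis"
    if iface.cls in (CLASS_CDC_CONTROL, CLASS_CDC_DATA):
        return "cdc-serial-or-data"
    return f"class-0x{iface.cls:02x}"


def assess(dev: Device) -> list[str]:
    """Findings for a device that is expected to be storage-only.
    An empty list means the descriptors look like a plain drive."""
    labels = [classify(i) for i in dev.interfaces]
    findings: list[str] = []
    if "mass-storage" not in labels:
        findings.append("no mass-storage interface: not a storage device")
    for lab in labels:
        if lab.startswith("hid"):
            findings.append(f"{lab} interface on a storage device (keystroke injection capable)")
        elif lab.startswith("network"):
            findings.append(f"{lab} interface on a storage device (adds a network path to the host)")
        elif lab != "mass-storage":
            findings.append(f"unexpected {lab} interface")
    return findings


def interfaces_from_sysfs(dev_dir: Path) -> list[Interface]:
    """Read interface descriptors from a Linux sysfs USB device directory,
    e.g. /sys/bus/usb/devices/1-1 (interfaces live in 1-1:1.0, 1-1:1.1, ...)."""
    ifaces = []
    for sub in sorted(dev_dir.glob(f"{dev_dir.name}:*")):
        def hexattr(name: str) -> int:
            return int((sub / name).read_text().strip(), 16)
        ifaces.append(Interface(hexattr("bInterfaceClass"),
                                hexattr("bInterfaceSubClass"),
                                hexattr("bInterfaceProtocol")))
    return ifaces


def write_fake_sysfs(dev_dir: Path, ifaces: list[Interface]) -> None:
    """Build a sysfs-shaped directory for offline testing (constructed data)."""
    for n, i in enumerate(ifaces):
        d = dev_dir / f"{dev_dir.name}:1.{n}"
        d.mkdir(parents=True, exist_ok=True)
        (d / "bInterfaceClass").write_text(f"{i.cls:02x}\n")
        (d / "bInterfaceSubClass").write_text(f"{i.subcls:02x}\n")
        (d / "bInterfaceProtocol").write_text(f"{i.proto:02x}\n")


# Constructed sample descriptors (vendor/product IDs are placeholders).
SAMPLE_DEVICES = [
    Device("plain flash drive", 0x1234, 0x0001, [Interface(0x08, 0x06, 0x50)]),
    Device("storage+keyboard composite", 0x1234, 0x0002,
           [Interface(0x08, 0x06, 0x50), Interface(0x03, 0x01, 0x01)]),
    Device("storage+ethernet composite", 0x1234, 0x0003,
           [Interface(0x08, 0x06, 0x50), Interface(0x02, 0x06, 0x00), Interface(0x0A, 0x00, 0x00)]),
]


def report(devices: list[Device] = SAMPLE_DEVICES) -> dict[str, list[str]]:
    return {d.name: assess(d) for d in devices}


if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{'OK' if not findings else 'REJECT':6} {name}")
        for f in findings:
            print("       -", f)
```

The check is a pre-screen, not a guarantee: a device can present clean descriptors and re-enumerate later, so it belongs on the dedicated testing machine Andy Ful mentions, not in place of it.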