forensicate.cloud

Open Source Resources for Forensics in the Cloud

EC2 DFIR Workshop

Lab 12: Perform Virus Scans

GOAL:

Determine if there are any viruses in the file system or the files recovered from unallocated space.

SUMMARY OF STEPS:

  1. Scan the mounted evidence volume
  2. Scan the unallocated space
  3. Research any malware discovered by the scans

Step 1: Scan the mounted evidence volume

To scan the mounted evidence volume with ClamAV, run clamscan in the background under nohup so the scan keeps going even if your SSH session drops. The -i option reports only infected files, -r recurses into subdirectories, and --log writes the results to a file under /cases. Update the signature database with freshclam before the first scan so that recently added signatures are used:

nohup clamscan -i -r --log=/cases/clam-fs.log /mnt/linux_mount/ &


VIDEO: Lab 12 Step 1 - Scan the mounted evidence volume

Step 2: Scan the unallocated space

To scan the files recovered from unallocated space in /cases/recovered/, run the same command against that directory with its own log file so the two sets of findings stay separate:

nohup clamscan -i -r --log=/cases/clam-us.log /cases/recovered/ &


VIDEO: Lab 12 Step 2 - Scan the unallocated space

Step 3: Research any malware discovered by the scans

Run the jobs command to check whether the background scans are still running, and use tail -f on a log file to watch findings as they are written. Each infected file is logged as the file path, a colon, the signature name and the word FOUND; when a scan completes, a SCAN SUMMARY block with the infected-file count is appended to the log. For example:

tail -f /cases/clam-fs.log

Perform a web search for each signature name that ClamAV reports (the text between the colon and FOUND) to learn more about any known malware found, and record which files on the evidence volume or in the recovered data each signature was found in.
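The three steps above, as a small POSIX shell script added here as an example (it is not part of the workshop): it launches the two clamscan jobs from Steps 1 and 2 in the background, records their PIDs so progress can be checked from a later session, tells whether a log has reached its SCAN SUMMARY, and pulls the signature names and file paths out of the FOUND lines for the research in Step 3. It assumes clamscan is on PATH, signatures were already updated with freshclam, and /cases is writable. The sample log written by write_sample_log is constructed for the demo: apart from the EICAR test signature, the names and paths in it are made up.

```shell
#!/bin/sh
# Added example for Lab 12 (not part of the workshop): start the two
# ClamAV scans from Steps 1 and 2 in the background, tell when they have
# finished, and pull the FOUND lines out of the logs for Step 3.
# Assumptions (not from the page): clamscan is on PATH, signatures are
# already updated with freshclam, and /cases is writable. The sample log
# written by write_sample_log is constructed for the demo; apart from the
# EICAR test signature, its names and paths are made up.

EVIDENCE_MOUNT=/mnt/linux_mount
RECOVERED_DIR=/cases/recovered
FS_LOG=/cases/clam-fs.log
US_LOG=/cases/clam-us.log

# Steps 1 and 2: launch both scans detached from the terminal. Output goes
# only to the --log files, and the PIDs are kept so progress can be checked
# from a later shell session, where `jobs` would know nothing about them.
start_scans() {
    nohup clamscan -i -r --log="$FS_LOG" "$EVIDENCE_MOUNT" >/dev/null 2>&1 &
    echo $! > /cases/clam-fs.pid
    nohup clamscan -i -r --log="$US_LOG" "$RECOVERED_DIR" >/dev/null 2>&1 &
    echo $! > /cases/clam-us.pid
}

# Exit 0 while either recorded scan PID is still alive.
scans_running() {
    for pidfile in /cases/clam-fs.pid /cases/clam-us.pid; do
        [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null && return 0
    done
    return 1
}

# Exit 0 once clamscan has written its summary block to the log, which only
# happens when the scan completes; a log without it is still in progress or
# was cut short.
scan_finished() {
    grep -q 'SCAN SUMMARY' "$1"
}

# Step 3: infected files are logged as "<path>: <signature> FOUND".
# Print one "<signature><TAB><path>" line per hit. The signature is taken
# from the last ": " on the line because a path may itself contain ": ".
infected_files() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        i = match($0, /: [^ ]*$/)
        print substr($0, i + 2) "\t" substr($0, 1, i - 1)
    }' "$1"
}

# Distinct signature names to research, one per line.
unique_signatures() {
    infected_files "$1" | cut -f 1 | sort -u
}

# The "Infected files:" count from the scan summary (empty if not finished).
infected_count() {
    awk -F': ' '/^Infected files:/ { print $2 }' "$1"
}

# Constructed sample log in clamscan's format, used only for the demo.
write_sample_log() {
    cat > "$1" <<'EOF'
/mnt/linux_mount/tmp/.x/dropper: Unix.Malware.Example-0000000-0 FOUND
/mnt/linux_mount/home/ubuntu/eicar.com: Eicar-Test-Signature FOUND
/mnt/linux_mount/var/tmp/update.sh: Unix.Malware.Example-0000000-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8600000
Engine version: 0.103.8
Scanned directories: 1200
Scanned files: 34567
Infected files: 3
Data scanned: 1234.56 MB
Data read: 2000.00 MB (ratio 0.62:1)
Time: 600.123 sec (10 m 0 s)
EOF
}

# Demo on the constructed log; run with: CLAM_DEMO=1 sh clam-summary.sh
demo() {
    log=$(mktemp)
    write_sample_log "$log"
    scan_finished "$log" && echo "scan complete, $(infected_count "$log") infected files"
    echo "signatures to research:"
    unique_signatures "$log"
    echo "hits:"
    infected_files "$log"
    rm -f "$log"
}

if [ "${CLAM_DEMO:-0}" = 1 ]; then demo; fi
```

Source the file and call start_scans once for the real evidence; afterwards, from any session, scans_running and scan_finished /cases/clam-fs.log answer the "is it done yet" question that jobs cannot answer after you log out, and unique_signatures /cases/clam-fs.log gives the list of names to search for in Step 3. The PID files are a convenience for this script, not something clamscan creates itself.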