EC2 DFIR Workshop
Lab 12: Perform Virus Scans
GOAL:
Determine if there are any viruses in the file system or the files recovered from unallocated space.
SUMMARY OF STEPS:
- Scan the mounted evidence volume
- Scan the unallocated space
- Research any malware discovered by the scans
Step 1: Scan the mounted evidence volume
To scan the mounted evidence volume with ClamAV, use:
nohup clamscan -i -r --log=/cases/clam-fs.log /mnt/linux_mount/ &
VIDEO: Lab 12 Step 1 - Scan the mounted evidence volume
Step 2: Scan the unallocated space
To scan the files recovered from the unallocated space, use:
nohup clamscan -i -r --log=/cases/clam-us.log /cases/recovered/ &
VIDEO: Lab 12 Step 2 - Scan the unallocated space
Step 3: Research any malware discovered by the scans
Run the jobs command to check whether the background scans are still running, and use the tail command to watch the log for findings as they occur. For example:
tail -f /cases/clam-fs.log
Perform a web search to learn more about any known malware found.
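As an added example (not part of the lab), the POSIX shell helper below parses the ClamAV log files written by the --log option in Steps 1 and 2, lists each detection, and cross-checks the FOUND lines against the "Infected files" figure in the scan summary; the sample log contents and the second signature name are constructed.

```shell
#!/bin/sh
# Added example (not part of the lab): summarise ClamAV detections from the
# --log file written by the clamscan commands in Steps 1 and 2.
# Usage: clam_findings /cases/clam-fs.log

# Print one "path | signature" line per detection. clamscan writes detections
# as "<path>: <signature> FOUND"; the summary block and any "OK" lines are skipped.
clam_findings() {
    sed -n 's/^\(.*\): \(.*\) FOUND$/\1 | \2/p' "$1"
}

# Number of detections counted from FOUND lines.
clam_found_count() {
    clam_findings "$1" | wc -l | tr -d ' '
}

# "Infected files" figure from the scan summary, or "pending" if the scan has
# not finished yet (clamscan writes the summary block only at the end).
clam_summary_count() {
    n=$(sed -n 's/^Infected files: \([0-9]*\)$/\1/p' "$1")
    [ -n "$n" ] && echo "$n" || echo pending
}

# Constructed sample log in the shape clamscan -i --log produces (all values
# invented; "Sample.Signature-1" is a placeholder, not a real ClamAV signature).
write_sample_log() {
    cat > "$1" <<'EOF'
/mnt/linux_mount/tmp/eicar.com: Eicar-Test-Signature FOUND
/mnt/linux_mount/var/tmp/x: Sample.Signature-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8600000
Engine version: 0.103.2
Scanned directories: 1200
Scanned files: 45000
Infected files: 2
Data scanned: 512.00 MB
Time: 60.000 sec (1 m 0 s)
EOF
}
```

A mismatch between clam_found_count and clam_summary_count on a finished log is worth a look before researching the detections, since it usually means the log was appended to by more than one run.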