I wondered for your forensics PCs, or the PCs you use to do your investigation work. I assume you keep them “offline”, i.e. no internet access, wireless access, domain access.

If so – do you keep your OS up to date in terms of security updates? And what about AV and stuff? How are you doing this if they are offline? Is there a real need to keep them up to date on such PCs – if so – where's the risk in not doing it?

asked 11/21/2011 09:09

pma111

7 Answers:
Personally speaking, I try to keep one updated and one in a 'virgin' state. The updated one - I download the patches to a memory stick and then install them manually.


rapid-blue


I agree with rapid-blue on updating through a memory stick. To address the risk in not doing it, say someone plugs in a USB drive that is infected, with no AV or updates on the PC, you are more likely to get infected. Even if this does not result in a data loss because of no network access, it can result in down time for the PC, which is still a problem.

answered 2011-11-22 at 05:21:03

washburnma


I was wondering for stuff like AV and Windows patches - if a PC was originally on the network, but then was orphaned off to become an investigation machine - are there any licence issues? I'd imagine with AV you can only download updates if you have some sort of licence agreement. I don't know how that would work if you take it out of its "natural habitat" and make it an offline PC? I know in corporate environments you aren't getting updates direct from t'internet, but does the central server that pushes the updates out verify valid clients in terms of licences etc?

answered 2011-11-22 at 08:11:35

pma111


Licensing is vendor specific. So that is hard to answer.

Let's say you use AVG with Business licensing. They sell you a block of licenses, and how you use them is up to you. As long as the PC has a valid license key, it will accept updates as an offline PC.

A network managed AV such as GFI VIPRE will not really work when offline.

answered 2011-11-22 at 08:26:10

washburnma


What is the reasoning behind keeping one machine in a virgin state?

Where do I download MS patches in a USB-friendly format, and what sort of schedule should we download and patch on? Are they cumulative, or are we going to have to check daily for new ones?

answered 2011-11-22 at 08:32:34

pma111


I keep one PC in a 'virgin' state (and a ghost clone for an easy restore) more to see what will happen on an unpatched machine. Usually it gets used to show - look here, this is what happens when you DON'T patch! Then I end up restoring it from the backup. As I use Ghost with Bart PE on CD and a removable disk with the image, I can restore rapidly!

To get the patches I use  If you go to security and patches you can get all the updates here.  It is tedious to do the patches one by one.

The patched machine does need an antivirus. The corporate managed systems will sometimes have an 'offline' install that you can download patches and updates for. Like washburnma said - it depends on the vendor. I have been using a separate single-user Kaspersky licence bought for this task.

The risk without patches or AV - the machine will be infected or compromised so easily that you have no base to work from, and if it is your investigation workstation, it would become a liability.

You could orphan a domain PC - as yet I haven't had too many problems with building the PC, connecting on a separate internet link and doing Microsoft updates. This is when I have to recreate a safe PC quickly.

When I am running my own PC, I have taken periodic backups of a clean machine with each batch of updates installed. I check the PC and, if I am happy, I take a Ghost image as a base to work from.

You end up with quite a few Ghost images, but it has saved me a lot of time, although they are very hardware specific!

answered 2011-11-22 at 09:42:59

rapid-blue
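The memory-stick workflow rapid-blue and washburnma describe needs one check before anything is installed on the offline box: that what arrived is exactly what was downloaded on the connected side, and that nothing else (an autorun.inf, say) came along for the ride. This is an added example, not code from the thread or from any vendor; it assumes the patches sit in one folder on the stick, and demo() uses a constructed sample folder with a placeholder file name:

```python
"""Manifest check for patches carried on a memory stick to an offline forensic PC.
build_manifest() runs online and its output travels with the patches; verify_manifest()
runs offline and flags anything missing, modified, unexpected or suspect (autorun.inf)."""
import hashlib
import os
import tempfile

SUSPECT = {"autorun.inf"}  # never belongs on a patch stick; extend per local policy

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(stick_dir):
    """Map relative path -> SHA-256 for every file under stick_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(stick_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, stick_dir).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def verify_manifest(stick_dir, manifest):
    """Compare the stick as it is now with what the online side recorded."""
    current = build_manifest(stick_dir)
    report = {
        "missing": sorted(r for r in manifest if r not in current),
        "modified": sorted(r for r in manifest if r in current and current[r] != manifest[r]),
        "unexpected": sorted(r for r in current if r not in manifest),
        "suspect": sorted(r for r in current if os.path.basename(r).lower() in SUSPECT),
    }
    report["ok"] = not any(report.values())
    return report

def demo():
    """Constructed sample: verify a clean stick, then the same stick after tampering."""
    stick = tempfile.mkdtemp()
    patch = os.path.join(stick, "KB-placeholder.msu")  # placeholder name, not a real KB
    with open(patch, "wb") as f:
        f.write(b"constructed patch payload")
    manifest = build_manifest(stick)
    clean = verify_manifest(stick, manifest)
    with open(patch, "ab") as f:  # patch altered in transit
        f.write(b"!")
    with open(os.path.join(stick, "autorun.inf"), "w") as f:  # dropper left on the stick
        f.write("[autorun]\n")
    return clean, verify_manifest(stick, manifest)
```

Save the manifest on a second, read-only medium (or print its hash) rather than on the same stick, otherwise a tampered stick can simply carry a matching tampered manifest.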


Typically the forensic machine is the one with all your tools and the one with the updated patches to security software as well as the forensic software. They are isolated and properly licensed individually, as they are the official working clean machines dealing with your cloned image stored in the NAS etc. Tight licensing on them, as they may be tied down by hardware token for certain forensic software like EnCase. The findings will also be held in the NAS. Centralised management of those machines is desired, but typically, as they need to be isolated, it is more of a manual pull to keep them updated.

Having said that, test machines for boot-up tests and VM images to simulate malicious event chains are not as updated, but mostly updated to be close to the original environment for triggering off events, especially in malware analysis.

Importantly, high integrity and segregation is needed between the corporate LAN and the forensic LAN. Hence they are never really connected. Even if so, there will be a gateway and diode to ensure clean one-way data transfer. But secure by default: even device media need to be sanitised before use in the forensic machine. At best there is only dedicated licensed media for the lab. The gateway will be routed to authorised personnel for transfer if need be. Logs of all actions are kept and centrally audited if possible.

Overall, it really depends how secure your setup is, and one guidance is the sensitivity and clearance level for those critical data to be processed. It is definitely different as compared to a school lab which students have access to... Also, auditing and compliance requirements play a big factor.

answered 2011-11-22 at 10:33:25

breadtan



Last updated: 11/27/2011 08:49
