Backing up data without putting my PC at risk

Hello all,

TL;DR: Can I make data backups to my NAS without worrying about infecting my other machines?

Full question:
I recently started getting some side work doing break/fix work, mostly replacing old HDDs with SSDs. I have been using Macrium Reflect to create an image of a drive if I want to check for OS stability in a VM, and I also use the File and Folder backup option, which simply copies select directories.

After creating the disk image, Windows Defender immediately started yelling at me that there was a backdoor trojan on my system and wanted me to Quarantine it or remove it altogether. Unfortunately, Windows Defender could not remove the infection, so I resolved to restore the PC to an earlier point.

The main question is: How can I make data backups without putting my PC at risk? Is it possible? My main concern on this is that I use a local pc to connect drives and run the software, but the backups are stored on shares on a NAS that other PCs in my home access. Is there a safe solution to this?

My only thought was to create an airtight setup similar to what I have now, but with no connectivity to my home network. This isn’t really ideal as I want to access this data as conveniently as possible.

2 Likes

Yes, there certainly are ways to safely handle disk images and backups containing malware, but honestly that wouldn’t be my primary concern. Have you considered the possibility that the customer’s data might contain CSAM or other illegal files? If you’re storing those files on your NAS, you’re putting yourself at risk. Best-case scenario, your NAS gets seized and you might get the enclosure back without drives when the customer’s criminal case is disposed of in a year or two. More realistically, the whole unit goes to the incinerator. Consider using dedicated storage hardware for customer images and don’t commingle your data.

3 Likes

When I deal with data that doesn’t belong to me, I choose to boot from USB and then make an encrypted backup to my NAS. In my case I like Acronis True Image, but that is no longer available as pay-once-own-forever, so I’m stuck with the 2019 version.

You can do the same thing with CloneZilla or any live distro, most have the tools to create disk images (dd, Gnome Disks, etc.).

After I do the work, backup gets deleted and keys incinerated.

I test the stability on the machine in question, not connected to my network. If that is not an option, I create a VM, boot Acronis, do the restore, cut the network on the VM, make sure that the host BIOS is up to date, make sure the hypervisor is up to date, and only then boot the guest.

If necessary, any antivirus scans go the same way: boot Kaspersky Rescue Disk or ESET SysRescue Live and be done with it if the client insists. I always recommend going nuclear on its ass if any virus is detected.

1 Like

These are outstanding concerns that I had not taken into account yet. I did have a chilling thought AFTER taking the image about CSAM, at which point it was too late anyway. The best practice sounds like it would be to have a dedicated device; as you said. Are there any other concerns to consider? Any ways to mitigate risk when performing this kind of work?

1 Like

Doesn’t even have to be CSAM, here you can have naked pictures of your children - totally fine (to a point of course, not if they are 15), but if you have someone else’s you have some explaining to do.

2 Likes

Well, I have 0 plans to hold onto the data past the point of work anyway. Keeping the data around locally on NAS is really just a protection mechanism in case of drive failure, me doing something stupid/fat fingering the mouse, etc. I haven’t had the type of clientele that I have had to worry about YET, but hopefully business continues to grow and I don’t want this to be a concern.

Maybe I need a disclaimer for data? “I’m not responsible for what you have on here” kind of thing?

Absolutely, in writing. It may not hold up in court if it comes to that, so make encrypted backups and nuke the keys after you are done. And if you use a bootable backup solution, your chances of infection drop to almost 0.

As your business continues to grow, people will ask you to do more things, such as recover their SD card from a camera or Android phone. You can do that with TestDisk / PhotoRec, but your client will not think “oh, that will also recover my nude selfies that I deleted intentionally.” You have to point that out BEFORE handing them a USB with their recovered photos that also includes those nude selfies.

You don’t care to look through their photos, but they can’t be sure of that.

Not trying to scare you away but THINK LONG AND HARD ABOUT THE CONSEQUENCES!

2 Likes

Sorry, I probably should have clarified a little further. I really wasn’t trying to scare you or imply that you would be held criminally responsible if you discover illegal content on a customer’s PC, but rather that your NAS could be tied up and lost in an investigation when you report the crime. Obviously the customer’s PC will be seized, but the investigator may (and should) also ask if there are any additional backups. It doesn’t matter if you tell them you’ve used a FIPS 140-2 validated algorithm to encrypt the image; they’re still going to take your NAS as evidence if there is a copy of the data stored there.

Encrypting the images will prevent any forensic artifacts from being left in your storage, but will also prevent you from easily attaching a VHD to a VM and booting it for testing. Sure, you could nuke the encrypted VHD prior to calling the cops. But for the potential hassle, I really think buying a few high-capacity SATA SSDs is the easiest route. You can then slave them into your PC and boot the VHD directly from that drive. In a worst-case scenario where you need to report a crime, you only surrender that SSD to an investigation.

2 Likes

Maybe try sysinternals disk2vhd and then store the .vhd files on NAS?

1 Like

So I keep seeing people talking about “encrypting the images,” and I hate to sound like such a noob (cryptography is something I am still a novice in right now), but what does that look like in practice? Is there software that I run on an OS that encrypts it with a specific algorithm I choose? Is there encryption built into backup software like Macrium Reflect or others? How do you encrypt data for storage?

I am asking a lot with this one. If you know good sources of information to study from, I will also be delighted with that.

Acronis, the thing that I use, has a simple checkbox to encrypt the backup image using a passphrase. Possibly Macrium Reflect has it too. If you just copy/paste a folder, you could instead zip it with encryption. If you create an image/archive like this, you can relatively safely save it to any disk. I say relatively because Macrium, Acronis or anyone else could mess up their encryption implementation, you could choose a poor passphrase, and so on…

Other than this, there is also full disk encryption, for Linux systems typically LUKS, for Windows BitLocker, for MacOS FileVault… You should look into these too, they help protect your system when you are not watching, for example if your laptop gets stolen.

None of these solutions are perfect, but they will prevent most casual wannabe hackers from snooping through your stuff.

Fun fact: You can use Windows disk manager to create VHDX image, attach it to your system, initialize it, turn on BitLocker and you have yourself an encrypted container for your stuff. You’ll need Pro edition of Windows to create it, but you can use it even on Home versions after.

1 Like

First rule of forensics: your working machine (the one you make duplicates with) must be completely isolated from a network.

Hash files must match on both the original and the work copy to be admissible in court.

Let me put it this way, this is a case of cover your @$$. Convenience be damned here! Failure to CYA can easily turn into a legal case against you. Here is the risk of doing tech work for someone else.

If you’re asking for safe ways to back up an infected drive, first scan it with a good anti-virus. But know this: if the virus/malware signature is not recognized, it will not be detected.

DBAN worked wonders on IDE and EIDE drives but would flag SATA drives as bad. These drives you would wipe and re-partition multiple times.

SSD drives posed a problem due to write cycles. I haven’t tried DBAN on SSDs yet, if it could even detect them.

So I’ll repeat it again: a working machine for duplicating must never be connected to a network or NAS storage system.

2 Likes
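The workflow the replies above converge on (boot the work machine from a live USB, image the drive, keep the hashes of the original and the work copy matching, encrypt the image before it goes anywhere near shared storage, and destroy the key when the job is delivered) as one script. This is an added example and not something any participant in this thread posted; it assumes GNU coreutils and the OpenSSL command-line tool on the live system, and the device path, job names and the sample "customer drive" are constructed placeholders (on a real job `SRC` would be a block device such as `/dev/sdb`, which needs root to read).

```shell
#!/bin/sh
# Added example, not from the thread. Image a customer drive, prove the copy
# matches the original by hash, encrypt the image with a per-job key, and
# destroy the key afterwards. Assumes GNU coreutils + openssl on a live USB.
set -u

# image_drive SRC DST: byte-for-byte copy, then compare SHA-256 of source and
# copy. Returns 0 only if they match; writes DST.sha256 as a manifest so the
# copy can be re-verified later (sha256sum -c format: "<hash>  <file>").
# For a failing drive use ddrescue instead of dd; plain dd aborts on read errors.
image_drive() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=4M 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "hash mismatch: source $src_hash, copy $dst_hash" >&2
        return 1
    fi
    printf '%s  %s\n' "$dst_hash" "$(basename "$dst")" > "$dst.sha256"
}

# verify_manifest DST: re-check DST against DST.sha256 (e.g. before restoring
# it into a VM, or after copying it to other storage). Exit code only.
verify_manifest() {
    dst="$1"
    ( cd "$(dirname "$dst")" && sha256sum -c --status "$(basename "$dst").sha256" )
}

# encrypt_image IMG KEYFILE: generate a random 256-bit key (hex) for this job,
# encrypt IMG to IMG.enc with AES-256-CBC (PBKDF2-stretched), then remove the
# plaintext. shred only helps on spinning disks; on SSDs wear leveling defeats
# it, which is why destroying the key is what actually protects the data.
encrypt_image() {
    img="$1"; keyfile="$2"
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$keyfile" || return 1
    chmod 600 "$keyfile"
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$keyfile" \
        -in "$img" -out "$img.enc" || return 1
    shred -u "$img" 2>/dev/null || rm -f "$img"
}

# decrypt_image ENC KEYFILE OUT: recover the plaintext image for a restore test.
# Fails once the key file is gone, which is the intended end state of a job.
decrypt_image() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1" -out "$3"
}

# destroy_key KEYFILE: "keys incinerated" from the thread; after this the
# .enc file on the NAS is just noise.
destroy_key() {
    shred -u "$1" 2>/dev/null || rm -f "$1"
}

# Demo on a constructed 1 MiB stand-in for /dev/sdX (no real device touched).
WORK=$(mktemp -d)
SAMPLE="$WORK/customer-drive.img"
dd if=/dev/urandom of="$SAMPLE" bs=1024 count=1024 2>/dev/null
if image_drive "$SAMPLE" "$WORK/job001.img" && verify_manifest "$WORK/job001.img"; then
    echo "job001.img verified against source"
fi
if command -v openssl >/dev/null 2>&1; then
    encrypt_image "$WORK/job001.img" "$WORK/job001.key" && \
        echo "encrypted image ready for the NAS: $WORK/job001.img.enc"
fi
```

Copy only the `.enc` file and the `.sha256` manifest to the NAS; the key file stays on the isolated work machine for the life of the job and is the one thing `destroy_key` needs to remove at hand-over. Note that the manifest hashes the plaintext image, so verification is done after decrypting, not on the `.enc` file.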

So for anyone who finds this thread later, it seems the closest thing to a complete answer is…

  1. Separate work and personal data with separate hardware due to legal/custody/privacy concerns.
  2. Create backups in a pre-boot environment, use encryption.
  3. Set expectations with clients about privacy/expected results of data recovery.
  4. Use encryption.
  5. Delete backups as soon as work is delivered.
  6. Use encryption.
  7. ENCRYPTION! USE IT!

I think I will go ahead and create a separate network for my backups. Just stand up a router and switch to connect it all up with no WAN connectivity, just enough to get a PC, NAS, and a couple of VMs talking to each other.

2 Likes

Don’t. You fuck up the drive, and you don’t wipe it 100% due to wear leveling. Manufacturer secure erase is probably the best you can do. Or encrypt.

2 Likes

I know that! I’ve been doing forensic work for about 8 years now. Mostly I’m just letting the OP know that, to prevent any possible problems like infection or illegality issues, they should have a separate secured/isolated machine.

1 Like

I would just add:

  1. Talk to your client. Explain that their data is safe from prying eyes, let them know that there may be an embarrassing situation like in the photos example above. Sure some may give up, but everyone will feel more comfortable knowing that you are open about how you do things, and will be more inclined to trust you when you say you are not looking at their stuff. Right… that’s 3 already.
  2. ?
  3. Profit

Yes, you can take backups. There are several ways, like:

  1. Regularly back up your files. If a virus infects your operating system, it’s often necessary to completely wipe your computer and reinstall programs.
  2. Use an external hard drive.
  3. Store files in the cloud.
  4. Control access to your files.
  5. Encrypt your hard drive.

1 Like