
I am currently trying to review an e-mail sent to me that could be malicious, or could not. I would like to create a sandbox environment to review this kind of message (it's more than likely this will be more than a one-off activity), and want to know the safest / best way to create this.

I've read some other threads that suggest a VM environment with no network connectivity (How do I safely inspect a suspicious email attachment?), but I am unsure of how I would then get access to the e-mail in question without downloading it.

Any help much appreciated.

EDIT: After the responses below, I implemented the tools mentioned and followed the steps to good effect. I have however found a tool that seems to allow for sandboxing within a browser, allowing me to quickly review suspicious attachments within a safe environment. I run it within a disconnected VM. The tool is called Sandboxie (https://www.sandboxie.com/).

Chri3

1 Answer


Considering a browser download is a safe download, to my knowledge there is no problem in downloading a mail attachment, but opening it is.

Since it is coming via email, there aren't any Windows hooks attached to a mail attachment download that could lead to auto-initialization, unless you explicitly open the attachment.

So,

  1. Download the attachment. (Just don't open it.)
  2. Create a virtual environment using VirtualBox.
  3. Move your attachment to the virtual environment.
  4. Disconnect the virtual machine's network.
  5. Make sure to turn off any "integrations" in the VM, such as shared mouse, clipboard, files/folders, etc. Otherwise a bug in one of those sharing systems could give access to your machine from within the VM. (suggested by Moshe Katz)
  6. Enjoy playing with viruses.
rummykhan
  • I would say to do the download in the VM itself to be extra careful. – Moshe Katz May 23 '17 at 13:17
  • In step 4, also, make sure to turn off any "integrations" in the VM, such as shared mouse, clipboard, files/folders, etc. Otherwise a bug in one of those sharing systems could give access to your machine from within the VM. – Moshe Katz May 23 '17 at 13:18
  • Thank you all for the suggestions, @moshekatz how would I go about downloading within the VM if it's disconnected? Would it be viable to disable any integrations before downloading, download, then switch off networking? – Chri3 May 25 '17 at 13:26
  • @Chri3 Networking is not the same as the "Integrations", which are primarily: USB Port Sharing, Mouse Focus Detection, Keyboard Focus Detection, Folder Sharing, etc. I would disable all of those things I listed but keep networking connected, do the download, and then disconnect the network. – Moshe Katz May 25 '17 at 13:29
  • @MosheKatz Thanks for coming back so quickly, I appreciate the help :) – Chri3 May 25 '17 at 13:35
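Steps 4 and 5 of the answer, together with Moshe Katz's comment, amount to a checklist of VM settings that must be off before the attachment is opened. The script below is an added example (not from the answer or from VirtualBox itself) that verifies those settings from the machine-readable output of `VBoxManage showvminfo`; the key names it matches and the VM name "mail-sandbox" are assumptions, and the sample output is constructed.

```shell
# Added example, not from the original answer: check that a VirtualBox VM is
# isolated as steps 4 and 5 and Moshe Katz's comment require. Assumes the key
# names printed by `VBoxManage showvminfo <vm> --machinereadable`; adjust if
# your VirtualBox version reports them differently.
# check_isolation: read machine-readable VM info on stdin, print every setting
# that still exposes the host, return 0 if none were found and 1 otherwise.
check_isolation() {
    unsafe=0
    while IFS='=' read -r key value; do
        value=$(printf '%s' "$value" | tr -d '"')
        case "$key" in
            nic[0-9]*)
                # Every adapter must be detached so the guest has no network path.
                if [ "$value" != "none" ]; then
                    echo "UNSAFE: $key=$value (network adapter still attached)"
                    unsafe=1
                fi ;;
            clipboard|draganddrop)
                if [ "$value" != "disabled" ]; then
                    echo "UNSAFE: $key=$value (host/guest sharing enabled)"
                    unsafe=1
                fi ;;
            usb)
                if [ "$value" != "off" ]; then
                    echo "UNSAFE: $key=$value (USB passthrough enabled)"
                    unsafe=1
                fi ;;
            SharedFolderNameMachineMapping*)
                # Any mapped shared folder gives the guest a view of host files.
                echo "UNSAFE: shared folder '$value' is mapped into the guest"
                unsafe=1 ;;
        esac
    done
    return "$unsafe"
}

# Constructed sample of trimmed showvminfo output for a hypothetical VM named
# "mail-sandbox"; in real use replace the printf with
#   VBoxManage showvminfo "mail-sandbox" --machinereadable | check_isolation
SAMPLE='nic1="nat"
clipboard="bidirectional"
draganddrop="disabled"
usb="off"
SharedFolderNameMachineMapping1="Downloads"'
if printf '%s\n' "$SAMPLE" | check_isolation; then
    echo "VM is isolated; open the attachment only inside it"
else
    echo "Fix the settings listed above before opening the attachment"
fi
```

Run it after the download (step 1) and before moving to step 6; any UNSAFE line means the network or an integration is still bridging the guest to your host.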