Dealing with infected HDDs without getting infected

0

I'm doing some PC maintenance/repair for some clients, sometimes I have to deal with HDDs to recover lost data, or even make a backup. The problem is that most of them are infected with different malware types. Now, how do I deal with an HDD without getting my PC infected?

Because no Antivirus is 100% effective, I thought about:

1- Disabling any autorun

2- Using Sandboxie to explore the HDD (open it sandboxed)

3- If running a recovery software, run that software sandboxed

I even thought about running the HDD on a Linux machine, but there is no good antivirus for Linux, and the software I use for recovery is only available for Windows.

Now is that the right way to prevent infection?

mohamed87

Posted 2015-05-31T02:47:26.560

Reputation: 241

Question was closed 2015-06-02T14:07:49.513

1 You could always put the drive into a read-only state and disallow any executions from it (freeze it) – Jon – 2015-05-31T02:49:23.817

2 As long as you don't execute or copy anything from the drive, the infection is not likely to hop to another drive or system. I always disable autorun on all my PCs. Best bet is to have a stand-alone PC that is only used for disinfecting drives; keep a known clean image of the OS for your bench PC, so you can re-image it if it does get infected. I did PC disinfection for over 10 years and never had a virus hop over to my bench machine while scanning/cleaning drives. – Moab – 2015-05-31T02:53:42.453

1 Sandboxie isn't 100%; malware can still escape, there are known vulnerabilities. To say there is no good anti-virus software for Linux isn't true. Furthermore, you can scan the HDD using boot solutions of Windows programs before you do anything. – Ramhound – 2015-05-31T03:14:04.400

Answers

1

Most Linux LiveCD/LiveUSB disks will boot and not even mount a hard drive without you explicitly telling them to. Even after mounting, the live environment won't run any executables (where viruses exist) without you explicitly running them. Then, within that live environment, you can install ClamAV, mount the disk, and run a scan on the data.

From the live environment, you can also copy data from almost any kind of filesystem (some minor exceptions) to another system on the network or to an attached external drive, or whatnot.

Been there. Done that. Easy.

killermist

Posted 2015-05-31T02:47:26.560

Reputation: 1 886
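The procedure in this answer, written out as a script. This is an added example, not code from the answer above or from the ClamAV project; it assumes a Linux live system with util-linux (blkid, blockdev, mount), clamscan and rsync installed and run as root. The function names (mount_suspect, infected_paths, recover_disk and so on), the mount point /mnt/suspect and the sample clamscan lines are the example's own. It adds three things the answer leaves implicit: the block device is set read-only in the kernel before anything touches it, the mount carries ro,noexec,nosuid,nodev (plus noload on ext filesystems so the journal is never replayed), and files clamscan flags are turned into an rsync exclude list so they are never copied to the clean side.

```sh
#!/bin/sh
# Recover files from a suspect partition without executing or writing to it.
# Usage (as root on the live system):  sh recover.sh /dev/sdb1 /media/recovered

# Mount options per filesystem. ro: nothing is written, not even access times;
# noexec/nosuid/nodev: nothing on the disk can run or gain privileges even if
# someone double-clicks it in a file manager. Unknown types are refused.
mount_opts() {
    case "$1" in
        ext2|ext3|ext4) echo "ro,noexec,nosuid,nodev,noload" ;;  # noload: do not replay the journal
        ntfs|vfat|exfat) echo "ro,noexec,nosuid,nodev" ;;
        *) return 1 ;;
    esac
}

# Mark the block device read-only in the kernel before mounting, so even a tool
# that ignores the mount options (or a mistyped dd) cannot write to it.
freeze_device() {
    blockdev --setro "$1" && [ "$(blockdev --getro "$1")" = 1 ]
}

mount_suspect() {
    dev="$1"; mnt="$2"
    fstype=$(blkid -o value -s TYPE "$dev") || return 1
    opts=$(mount_opts "$fstype") || { echo "unsupported filesystem: $fstype" >&2; return 1; }
    freeze_device "$dev" || return 1
    mkdir -p "$mnt" && mount -t "$fstype" -o "$opts" "$dev" "$mnt"
}

# Convert clamscan's "<path>: <signature> FOUND" lines (read on stdin) into
# paths relative to the mount point, with a leading slash so rsync treats them
# as anchored at the transfer root. Lines for clean files are dropped.
infected_paths() {
    sed -n "s|^$1\(/.*\): .* FOUND\$|\1|p"
}

# Scan, then copy everything except what was flagged. clamscan exits 0 when
# clean, 1 when something was found, 2 on error; only an error aborts the copy.
scan_and_copy() {
    mnt="$1"; dest="$2"
    mkdir -p "$dest"
    clamscan -r --infected --no-summary "$mnt" > "$dest/clamscan.log"
    [ $? -ne 2 ] || { echo "clamscan failed" >&2; return 1; }
    infected_paths "$mnt" < "$dest/clamscan.log" > "$dest/excluded.txt"
    # -rt: recurse and keep mtimes; deliberately not -a, so symlinks, device
    # nodes and ACLs from the sick disk are not recreated on the clean side.
    rsync -rt --exclude-from="$dest/excluded.txt" "$mnt/" "$dest/files/"
}

recover_disk() {
    mount_suspect "$1" /mnt/suspect && scan_and_copy /mnt/suspect "$2"
    umount /mnt/suspect 2>/dev/null
}

# Constructed sample of clamscan --infected output (signature names made up),
# so the exclude-list logic can be exercised without a real disk.
SAMPLE_LOG='/mnt/suspect/Users/Bob/setup.exe: Win.Trojan.Agent-12345 FOUND
/mnt/suspect/Users/Bob/Documents/thesis.docx: OK
/mnt/suspect/autorun.inf: Win.Worm.Autorun-1 FOUND'

demo_excludes() {
    printf '%s\n' "$SAMPLE_LOG" | infected_paths /mnt/suspect
}

# Only act when given a block device and a destination, so sourcing this file
# to reuse the helpers has no side effects.
if [ $# -eq 2 ] && [ -b "$1" ]; then
    recover_disk "$1" "$2"
fi
```

The device is frozen with blockdev --setro rather than relying on ro alone because a later mount -o remount,rw, a recovery tool opening the raw device, or a journal replay on an ext filesystem all bypass the mount option; the kernel flag stops all of them. Run freshclam on the live system before scanning if it has network access, otherwise the signatures are whatever the live image shipped with.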

0

The best thing to do is have a separate physical system for this type of task, and either maintain a recovery environment on it or use boot CDs. If you install an OS on a hard drive in this system, make an image of it and restore from that image (or just reinstall the OS) if you think things are compromised - this is obviously much easier if you use virtualization software (a VM will be a far better "sandbox" than anything else.)

Or, use boot CDs, but it'd be best to do it on a separate system away from any hard drive containing personal data.

If all you are doing is recovering data from HDDs, you don't need a very powerful system to do it and can probably get by on an older desktop or laptop.

LawrenceC

Posted 2015-05-31T02:47:26.560

Reputation: 63 487

0

I have a Raspi 2 mounted with sticky tape on top of one of those slide-in HDD docking stations for exactly this. It uses a read-only filesystem and isn't connected to the network. Once a week I'll drop new virus definitions to it via a USB drive and then format the thing before I pull it.

Cost effective, but not the most scalable thing in the world.

Arthur Kay

Posted 2015-05-31T02:47:26.560

Reputation: 505