Safety of the owner of the device is paramount.
Before even beginning the engagement, it is important to consider the possible negative consequences for the device owner's safety. Firstly, we need to properly assess the risk the owner of the device is currently exposed to. Secondly, we need to determine whether the assistance we are going to provide could cause further exposure. Despite the best intentions, and the owner's likely desire to be reassured and to feel comfortable using their devices free of spyware, the activities we are about to perform could, for example, provoke retaliation or expedite a response on the attacker's part. We need to be prepared for such an eventuality: in some cases, it might even be more prudent not to continue with the engagement at all if it would be too risky.
In order to help you estimate the level of risk faced by the owner of the device, and to prepare an appropriate action plan, the following are some important questions you should try to answer in advance:
- Is it safe for the owner to bring the device to you? If the device is monitored, would any location tracking further jeopardize the owner?
- If you find an infection, you will almost always not want to let the owner continue using the device. Do you have a plan for a replacement? Attackers might notice that the victim has suddenly disappeared.
- If the device is replaced, would the attacker losing access to the victim cause further retaliation?
- Is the owner in immediate danger? If we wrongly determine that the device is clean, how could this negatively affect the owner?
Answering these questions will hopefully help you decide if and how to proceed with the quick forensics of the devices.
Should the device connect online?
If you decide to proceed with the inspection, you most likely also want to plan for the device to be completely disconnected from any WiFi or mobile Internet connection.
In the case of a laptop, ideally you should ask the owner to disable the WiFi before turning it off and bringing the device to you. Either way, make sure no connection is available before starting. In the case of a mobile phone, you might want to ask the owner to turn the device off and remove the SIM card before bringing it to you.
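A pre-flight check for the "make sure no connection is available" step on a Linux laptop, added here as an example and not part of the guide: it parses the output of `ip -o link`, `ip route show default` and `rfkill list` and lists anything that could still give the device a path to the Internet (an interface still UP, a default route, a WiFi or Bluetooth radio not blocked). The sample outputs embedded below are constructed; on the real device feed it the live command output instead.

```python
"""Pre-triage network isolation check (added example, not from the guide).
Parses Linux `ip -o link`, `ip route show default` and `rfkill list` output
and reports anything that still gives the device a way to reach the Internet."""
import re


def up_interfaces(ip_link: str) -> list:
    """Non-loopback interfaces whose link flags include UP (administratively enabled)."""
    names = []
    for line in ip_link.splitlines():
        m = re.match(r"\d+:\s+([^:@]+)[^<]*<([^>]*)>", line)
        if m and m.group(1) != "lo" and "UP" in m.group(2).split(","):
            names.append(m.group(1))
    return names


def has_default_route(ip_route: str) -> bool:
    """True if any default route exists, i.e. traffic can still leave the host."""
    return any(l.startswith("default") for l in ip_route.splitlines())


def unblocked_radios(rfkill: str) -> list:
    """Radio types (Wireless LAN, Bluetooth, ...) that are neither soft- nor hard-blocked."""
    radios = []
    for block in re.split(r"^(?=\d+: )", rfkill, flags=re.M):  # one block per radio
        m = re.match(r"\d+:\s+\S+:\s+(.+)", block)
        if m and "blocked: yes" not in block:
            radios.append(m.group(1).strip())
    return radios


def isolation_findings(ip_link: str, ip_route: str, rfkill: str) -> list:
    """Reasons the device is NOT yet isolated; an empty list means it is safe to start."""
    findings = [f"interface {i} is UP" for i in up_interfaces(ip_link)]
    if has_default_route(ip_route):
        findings.append("a default route is present")
    findings += [f"{r} radio is not blocked" for r in unblocked_radios(rfkill)]
    return findings


# Constructed sample: WiFi already soft-blocked, but the wired link is still up
# with a default route and Bluetooth is enabled, so the laptop is not isolated yet.
SAMPLE_IP_LINK = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN"""
SAMPLE_IP_ROUTE = "default via 192.168.1.1 dev enp0s25 proto dhcp metric 100"
SAMPLE_RFKILL = """0: phy0: Wireless LAN
    Soft blocked: yes
    Hard blocked: no
1: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no"""
```

Run the three commands on the device being examined and pass their output to `isolation_findings()`; only start the inspection when it returns an empty list.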
Keep your tools on an external USB drive. Limit transfer of files, and clean leftovers once you are done.
Bear in mind that, even with all these precautions, if the triage is mistakenly concluded with nothing found and the owner resumes using the device, it is still quite likely the attacker will notice that it was examined. A trojan might take screenshots of the desktop while you are operating, or even record audio from the microphone. If something is found, you do not want to let it send such data to the attacker.