Can a worm replicate from a mounted image?
Hello fellow nerds,
I’m a DFIR analyst and I need to perform a forensic analysis of a Windows SSD. The host is confirmed to be infected with malware, and based on my observations during the incident response, I suspect it may be a worm.
I’ll be working from an E01 image created during acquisition. My usual workflow is to mount the image inside a Windows Sandbox and perform triage with KAPE.
I’ll also need to reverse engineer the malware, but I’ve never analyzed a worm before. Is there any realistic risk that it could replicate itself within the sandbox when the image will be mounted ? I’d rather not have to rebuild my analysis environment.