Retrieving data from infected drive

Suppose I have a hard drive that's infected with serious malware (like a rootkit) and I need to retrieve some files off of it. Would it be safe to plug it into another PC as a secondary drive? After all, if it's not going to be the boot drive, the malware won't become active. Is that a correct assumption?
P.S. This is just for future reference. I currently do not need to access anything off of an infected drive.
Dave Howe (Software and Hardware Engineer) commented:
Rootkits can't infect machines by being mounted as a secondary drive *BUT* that doesn't mean the drive doesn't have something else nasty on it that could autorun if mounted on a Windows PC.

I usually recommend instead booting from a Linux live CD and copying to a freshly formatted USB stick, then disinfecting said stick on a machine with decent AV before looking at anything (or using viewers other than the standard ones; for example, using OpenOffice to read MS Office documents, which most Linux live CDs already come with).
Yes. It is a working-safe assumption.
Daniel Helgenberger commented:
If it is a well-coded rootkit or virus I would not say this is safe at all.

I suggest this procedure:

- Install a working virus scanner on your Windows OS.
- Boot your PC from any Linux live system.
- Make sure your local (Windows) drive is not mounted.
- Mount the infected drive and copy the files you need onto a USB stick.
- Wipe the partition table of the infected drive.
- Start your Windows again, plug in the stick and scan it.

IMHO chances are really slim your virus/rootkit is on this USB stick in the first place; if so it was in one of the files you copied.
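The procedure in the answer above, written out as an added shell example for a Linux live session. This script is not from the thread and not the responder's own; the device names (/dev/sda, /dev/sdb1, /dev/sdc1), the mount points under /mnt and the Users/john/Documents path are assumptions to be replaced after checking `lsblk`. The mount step is what keeps the suspect drive inert (read-only, nothing on it executable), the copy step leaves behind the file types that run on insertion or double-click, and the last step wipes the partition table as the answer suggests.

```shell
#!/bin/sh
# Added example, not from the thread above: the live-CD recovery procedure.
# Hypothetical devices (change to match your machine, check with lsblk):
#   HOST_DISK:    the disk holding the Windows install, must stay unmounted
#   SUSPECT:      the infected partition, mounted read-only and non-executable
#   SUSPECT_DISK: the whole infected disk, wiped at the end
#   STICK:        a freshly formatted USB stick that receives the copies
HOST_DISK=/dev/sda
SUSPECT=/dev/sdb1
SUSPECT_DISK=/dev/sdb
STICK=/dev/sdc1
WANTED=Users/john/Documents   # example path on the suspect partition

# Mount options for the suspect partition: read-only, and nothing on it may
# be executed, honour setuid, or act as a device node.
mount_opts() {
    printf '%s' 'ro,noexec,nosuid,nodev'
}

# True when no partition of the host disk appears in the mount table.
host_disk_unmounted() {
    ! mount | grep -q "^$1"
}

# Mount the suspect partition under $2 (needs root; never read-write).
mount_suspect() {
    mkdir -p "$2"
    mount -o "$(mount_opts)" "$1" "$2"
}

# Copy regular files from $1 to $2, keeping the tree, but leave behind the
# file types that run on insertion or double-click (autorun.inf, PE binaries,
# scripts, shortcuts). Strips any execute bit, writes a SHA-256 manifest to
# "$2.sha256" so the copies can be re-verified after the AV scan, and prints
# the number of files copied. This is a coarse filter, not a scan.
safe_copy() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    (cd "$src" && find . -type f \
        ! -iname 'autorun.inf' ! -iname '*.exe' ! -iname '*.dll' \
        ! -iname '*.scr' ! -iname '*.com' ! -iname '*.bat' ! -iname '*.cmd' \
        ! -iname '*.vbs' ! -iname '*.js' ! -iname '*.lnk' -print) |
    while IFS= read -r f; do
        mkdir -p "$dst/$(dirname "$f")"
        cp "$src/$f" "$dst/$f"
        chmod 0600 "$dst/$f"
    done
    (cd "$dst" && find . -type f -exec sha256sum {} + | sort -k 2) > "$dst.sha256"
    find "$dst" -type f | wc -l | tr -d ' '
}

# Destroy every filesystem and partition-table signature on the suspect disk
# so it can neither boot nor be auto-mounted again. Irreversible.
wipe_partition_table() {
    umount "$2" 2>/dev/null
    wipefs -a "$1"
}

main() {
    host_disk_unmounted "$HOST_DISK" || { echo "unmount $HOST_DISK first" >&2; exit 1; }
    mount_suspect "$SUSPECT" /mnt/suspect
    mkdir -p /mnt/stick && mount "$STICK" /mnt/stick
    n=$(safe_copy "/mnt/suspect/$WANTED" /mnt/stick/recovered)
    echo "copied $n files; manifest in /mnt/stick/recovered.sha256"
    umount /mnt/stick
    wipe_partition_table "$SUSPECT_DISK" /mnt/suspect
}

# Only touch real devices when invoked as: sh recover.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root from the live session after editing the device variables. The extension list in `safe_copy` only removes the obvious carriers; documents with scripting (Office, PDF) still come across and are exactly what the stick is scanned for afterwards, and the manifest lets you confirm the scanner did not silently alter them. `wipefs -a` cannot be undone, so run it last and only once the copies are confirmed.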

Of course it's inactive no matter how good it is coded. The only possible way to become infected now is to activate autorun-on-connect, but that is off by default.
Dave Howe (Software and Hardware Engineer) commented:
Or by opening an infected document that has scripting capabilities (such as PDF).