Full Disclosure mailing list archives
Re: Imaging Operating Systems
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 28 May 2004 02:09:04 +1200
Michael Schaefer <mbs () mistrealm com> wrote:
We are building a Windows test system, to try out tool bars, spyware, malware and trojans on. Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly. I keep hearing suggestions about having a "clean image" to transfer onto the computer. Can anyone send some details?
The most common approaches to this are the use of virtual machines (VMWare, Virtual PC, etc) and drive image backups (Ghost, etc). There are pros and cons to each and common pitfalls and issues to consider carefully when setting this all up...

Depending on the Windows OS version(s) you wish to use and the number of "identical" machines you may want to run at once, using imaging software and multiple PCs will likely run into issues with software activation because although you may use machines with "identical" hardware configurations, the activation system will still detect the differences (e.g. IDE drive serial numbers) and complain, may stop running after the grace period, etc. With emulation, multiple virtual machines using the same image should actually seem to be the same to the activation system and thus avoid these kinds of problems (at least, that is, until an upgrade to the VM product also "upgrades" the emulated hardware...).

Of course, virtualization has a performance penalty, so unless you have reasonably hefty machines on which to run your test VMs, you may find it all a bit clunky. Virtualization is also detectable (much like running the code under a debugger is) and some of the stuff you may want to look at is now detecting at least VMWare and acting differently if it detects it is running under VMWare.
Is there an official Microsoft way to do this?
Offhand I don't recall any MS drive imaging backup software, but MS recently (in the last year?) bought Connectix (makers of Virtual PC) so if the pros and cons of both approaches do not prevent you considering virtual machine technology, I guess Virtual PC is the "official" MS way for doing this stuff. (From a very recent demonstration I saw at a conference, I'd say it is a fair bet that PSS analysts use Virtual PC for a lot of their diagnosis of customer problems involving spyware, adware and other suspect-ware.)
Is some sort of over the network OS installation script in order here?
This is another option I did not specifically consider above as it will almost always (especially with Windows!) result in slower "re-imaging" times than copying "clean" VM image files or restoring a compressed image backup (even over the network). Further, it does not give you "the same disk image" as the starting point for your next analysis or for starting over if you scr*w something up. PCs "re-imaged" this way should be functionally equivalent, but the actual location of stuff on disk and some of the starting config values and so on will be subtly different. In fact, the latter may even be advisable as two machines re-imaged from the same image backup will have certain registry values the same which would normally not happen. This approach also side-steps the "activation dance" (for OSes affected by such) that true imaging approaches can suffer. Regardless of which way you decide to go, carefully consider bandwidth and image/install directory storage issues and network connectivity.
Are there other vendors that do a better job?
Than MS? Do you really have to ask?? 8-) (Actually, I've not done comparative tests of VMWare -- which I use -- against Virtual PC and the latter was originally not developed by MS...)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html