Re: [Full-Disclosure] Imaging Operating Systems

From: Nick FitzGerald
Date: 05/27/04

    To: Full-Disclosure
    Date: Fri, 28 May 2004 02:09:04 +1200

    Michael Schaefer wrote:

    > We are building a Windows test system, to try out toolbars, spyware,
    > malware and trojans on.
    > Once we learn what we need to know, we obviously want to get rid of the
    > junk quickly and cleanly.
    > I keep hearing suggestions about having a "clean image" to transfer onto
    > the computer.
    > Can anyone send some details?

    The most common approaches to this are the use of virtual machines
    (VMWare, Virtual PC, etc) and drive image backups (Ghost, etc). There
    are pros and cons to each and common pitfalls and issues to consider
    carefully when setting this all up...

    Depending on the Windows OS version(s) you wish to use and the number
    of "identical" machines you may want to run at once, using imaging
    software and multiple PCs will likely run into issues with software
    activation because although you may use machines with "identical"
    hardware configurations, the activation system will still detect the
    differences (e.g. IDE drive serial numbers) and complain, may stop
    running after the grace period, etc. With emulation, multiple virtual
    machines using the same image should actually seem to be the same to
    the activation system and thus avoid these kinds of problems (at least,
    that is, until an upgrade to the VM product also "upgrades" the
    emulated hardware...).

    Of course, virtualization has a performance penalty, so unless you have
    reasonably hefty machines on which to run your test VMs, you may find
    it all a bit clunky. Virtualization is also detectable (much like
    running the code under a debugger is) and some of the stuff you may
    want to look at is now detecting at least VMWare and acting differently
    if it detects it is running under VMWare.

    > Is there an official Microsoft way to do this?

    Offhand I don't recall any MS drive imaging backup software, but MS
    recently (in the last year?) bought Connectix (makers of Virtual PC) so
    if the pros and cons of both approaches do not prevent you considering
    virtual machine technology, I guess Virtual PC is the "official" MS way
    for doing this stuff. (From a very recent demonstration I saw at a
    conference, I'd say it is a fair bet that PSS analysts use Virtual PC
    for a lot of their diagnosis of customer problems involving spyware,
    adware and other suspect-ware.)

    > Is some sort of over the network OS installation script in order here?

    This is another option I did not specifically consider above as it will
    almost always (especially with Windows!) result in slower "re-imaging"
    times than copying "clean" VM image files or restoring a compressed
    image backup (even over the network). Further, it does not give you
    "the same disk image" as the starting point for your next analysis or
    for starting over if you scr*w something up. PCs "re-imaged" this way
    should be functionally equivalent, but the actual location of stuff on
    disk and some of the starting config values and so on will be subtly
    different. In fact, the latter may even be advisable as two machines
    re-imaged from the same image backup will have certain registry values the
    same which would normally not happen. This approach also side-steps
    the "activation dance" (for OSes affected by such) that true imaging
    approaches can suffer.

    Regardless of which way you decide to go, carefully consider bandwidth
    and image/install directory storage issues and network connectivity.

    > Are there other vendors that do a better job?

    Than MS? Do you really have to ask?? 8-)

    (Actually, I've not done comparative tests of VMWare -- which I use --
    against Virtual PC and the latter was originally not developed by

    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    Full-Disclosure - We believe in it.
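
As an added example that is not part of this thread or either poster's text: a POSIX shell sketch of the "clean image" workflow described above for the file-copy case, where the test box is a VM whose disk is kept as an ordinary file. It keeps one never-exposed baseline plus its SHA-256, refuses to restore from a baseline that no longer matches that digest, and optionally moves the dirty disk aside so the run can still be examined before the next one starts. The golden_* function names, the base.img/base.sha256 layout and every path are assumptions made here, not anything from the thread or from VMware/Virtual PC/Ghost.

```shell
#!/bin/sh
# Added example (not from the Full-Disclosure thread): a minimal "golden image"
# workflow for a malware test VM that is rebuilt by copying a clean disk file.
# Assumptions: the VM disk is a plain file (e.g. a .vmdk/.vhd), the lab host is
# POSIX, and a SHA-256 tool is present. Paths and function names are placeholders.

set -u

# Pick whichever SHA-256 tool the host has; print only the hex digest.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# golden_register <golden_dir> <clean_disk_file>
# Copies the freshly built, never-exposed disk into the golden store and records
# its digest so that later restores can detect a tampered or corrupted baseline.
golden_register() {
    gdir=$1; src=$2
    mkdir -p "$gdir" || return 1
    cp "$src" "$gdir/base.img" || return 1
    _sha256 "$gdir/base.img" > "$gdir/base.sha256" || return 1
    chmod 0444 "$gdir/base.img" "$gdir/base.sha256"
    printf 'registered %s (%s)\n' "$gdir/base.img" "$(cat "$gdir/base.sha256")"
}

# golden_verify <golden_dir>  -> 0 if the digest matches the manifest, 1 otherwise
golden_verify() {
    gdir=$1
    [ -f "$gdir/base.img" ] && [ -f "$gdir/base.sha256" ] || return 1
    [ "$(_sha256 "$gdir/base.img")" = "$(cat "$gdir/base.sha256")" ]
}

# golden_restore <golden_dir> <working_disk_file> [quarantine_dir]
# Refuses to restore from a baseline that fails verification; optionally moves
# the dirty working disk aside (timestamped) so the run can still be examined.
golden_restore() {
    gdir=$1; work=$2; quar=${3:-}
    if ! golden_verify "$gdir"; then
        echo "refusing restore: golden image missing or digest mismatch" >&2
        return 1
    fi
    if [ -n "$quar" ] && [ -f "$work" ]; then
        mkdir -p "$quar" || return 1
        mv "$work" "$quar/dirty-$(date +%Y%m%d%H%M%S).img" || return 1
    fi
    cp "$gdir/base.img" "$work" || return 1
    chmod 0644 "$work"
    echo "restored $work from $gdir/base.img"
}

# Typical use on the lab host (placeholder paths):
#   golden_register /lab/golden /lab/build/win-clean.vmdk
#   golden_restore  /lab/golden /lab/vm/win-test.vmdk /lab/quarantine
```

The digest check is the part worth keeping even if the copy mechanism changes: a baseline that sits on a shared lab host is itself a target for the samples being run, and restoring from a silently modified image would make every later test start from an unknown state. The quarantine step covers the point made in the thread that the pre-restore disk, not only the clean one, is often what the next round of analysis needs.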
