Re: [Full-Disclosure] Imaging Operating Systems

From: Nick FitzGerald
Date: 05/27/04

    To: Full-Disclosure
    Date: Fri, 28 May 2004 02:09:04 +1200

    Michael Schaefer wrote:

    > We are building a Windows test system, to try out tool bars, spyware,
    > malware and trojans on.
    > Once we learn what we need to know, we obviously want to get rid of the
    > junk quickly and cleanly.
    > I keep hearing suggestions about having a "clean image" to transfer onto
    > the computer.
    > Can anyone send some details?

    The most common approaches to this are the use of virtual machines
    (VMWare, Virtual PC, etc) and drive image backups (Ghost, etc). There
    are pros and cons to each and common pitfalls and issues to consider
    carefully when setting this all up...

    Depending on the Windows OS version(s) you wish to use and the number
    of "identical" machines you may want to run at once, using imaging
    software and multiple PCs will likely run into issues with software
    activation because although you may use machines with "identical"
    hardware configurations, the activation system will still detect the
    differences (e.g. IDE drive serial numbers) and complain, may stop
    running after the grace period, etc. With emulation, multiple virtual
    machines using the same image should actually seem to be the same to
    the activation system and thus avoid these kinds of problems (at least,
    that is, until an upgrade to the VM product also "upgrades" the
    emulated hardware...).

    Of course, virtualization has a performance penalty, so unless you have
    reasonably hefty machines on which to run your test VMs, you may find
    it all a bit clunky. Virtualization is also detectable (much like
    running the code under a debugger is) and some of the stuff you may
    want to look at is now detecting at least VMWare and acting differently
    if it detects it is running under VMWare.

    > Is there an official Microsoft way to do this?

    Offhand I don't recall any MS drive imaging backup software, but MS
    recently (in the last year?) bought Connectix (makers of Virtual PC) so
    if the pros and cons of both approaches do not prevent you considering
    virtual machine technology, I guess Virtual PC is the "official" MS way
    for doing this stuff. (From a very recent demonstration I saw at a
    conference, I'd say it is a fair bet that PSS analysts use Virtual PC
    for a lot of their diagnosis of customer problems involving spyware,
    adware and other suspect-ware.)

    > Is some sort of over the network OS installation script in order here?

    This is another option I did not specifically consider above as it will
    almost always (especially with Windows!) result in slower "re-imaging"
    times than copying "clean" VM image files or restoring a compressed
    image backup (even over the network). Further, it does not give you
    "the same disk image" as the starting point for your next analysis or
    for starting over if you scr*w something up. PCs "re-imaged" this way
    should be functionally equivalent, but the actual location of stuff on
    disk and some of the starting config values and so on will be subtly
    different. In fact, the latter may even be advisable as two machines
    re-imaged from the same image backup will have certain registry values
    the same which would normally not happen. This approach also side-steps
    the "activation dance" (for OSes affected by such) that true imaging
    approaches can suffer.

    Regardless of which way you decide to go, carefully consider bandwidth
    and image/install directory storage issues and network connectivity.

    > Are there other vendors that do a better job?

    Than MS? Do you really have to ask?? 8-)

    (Actually, I've not done comparative tests of VMWare -- which I use --
    against Virtual PC and the latter was originally not developed by

    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    Full-Disclosure - We believe in it.
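As an added example (not from Nick's post or any vendor tool), a POSIX shell restore step for the "copy the clean VM image files" approach described above: it records a SHA-256 baseline of the golden image when the clean system is built and refuses to re-image if the golden copy has drifted, which catches the case where a VM was accidentally booted from the master file during an earlier run. File paths and the single-file image layout are assumptions.

```shell
#!/bin/sh
# Added example: keep a read-only golden VM disk image, verify it against a
# recorded SHA-256 before every run, then copy it over the working image the
# VM actually boots. Paths and the one-file-per-image layout are assumptions;
# requires sha256sum (GNU coreutils).

# Record the baseline hash once, immediately after the clean image is built.
record_baseline() {
    golden="$1"; baseline="$2"
    sha256sum "$golden" | awk '{print $1}' > "$baseline"
}

# Compare the golden image against the stored baseline; non-zero on mismatch.
verify_golden() {
    golden="$1"; baseline="$2"
    expected=$(cat "$baseline")
    actual=$(sha256sum "$golden" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Replace the working image with a fresh copy of the verified golden image.
# Everything the previous analysis run left behind is discarded wholesale;
# if the golden copy no longer matches, the old working image is left alone.
restore_clean_image() {
    golden="$1"; baseline="$2"; working="$3"
    if ! verify_golden "$golden" "$baseline"; then
        echo "golden image $golden does not match baseline; refusing" >&2
        return 1
    fi
    rm -f "$working"
    cp "$golden" "$working"
    chmod u+w "$working"
}
```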

