Re: [Full-Disclosure] Imaging Operating Systems
From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
To: Full-Disclosure <firstname.lastname@example.org> Date: Fri, 28 May 2004 02:09:04 +1200
Michael Schaefer <email@example.com> wrote:
> We are building a Windows test system, to try out tool bars, spy ware,
> malware and trojans on.
> Once we learn what we need to know, we obviously want to get rid of the
> junk quickly and cleanly.
> I keep hearing suggestions about having a "clean image" to transfer onto
> the computer.
> Can anyone send some details?
The most common approaches to this are the use of virtual machines
(VMWare, Virtual PC, etc) and drive image backups (Ghost, etc). There
are pros and cons to each and common pitfalls and issues to consider
carefully when setting this all up...
Depending on the Windows OS version(s) you wish to use and the number
of "identical" machines you may want to run at once, using imaging
software and multiple PCs will likely run into issues with software
activation because although you may use machines with "identical"
hardware configurations, the activation system will still detect the
differences (e.g. IDE drive serial numbers) and complain, may stop
running after the grace period, etc. With emulation, multiple virtual
machines using the same image should actually seem to be the same to
the activation system and thus avoid these kinds of problems (at least,
that is, until an upgrade to the VM product also "upgrades" the
Of course, virtualization has a performance penalty, so unless you have
reasonably hefty machines on which to run your test VMs, you may find
it all a bit clunky. Virtualization is also detectable (much like
running the code under a debugger is) and some of the stuff you may
want to look at is now detecting at least VMWare and acting differently
if it detects it is running under VMWare.
> Is there an official Microsoft way to do this?
Offhand I don't recall any MS drive imaging backup software, but MS
recently (in the last year?) bought Connectix (makers of Virtual PC) so
if the pros and cons of both approaches do not prevent you considering
virtual machine technology, I guess Virtual PC is the "official" MS way
for doing this stuff. (From a very recent demonstration I saw at a
conference, I'd say it is a fair bet that PSS analysts use Virtual PC
for a lot of their diagnosis of customer problems involving spyware,
adware and other suspect-ware.)
> Is some sort of over the network OS installation script in order here?
This is another option I did not specifically consider above as it will
almost always (especially with Windows!) result in slower "re-imaging"
times than copying "clean" VM image files or restoring a compressed
image backup (even over the network. Further, it does not give you
"the same disk image" as the starting point for your next analysis or
for starting over if you scr*w something up. PCs "re-imaged" this way
should be functionally equivalent, but the actual location of stuff on
disk and some of the starting config values and so on will be subtly
different. In fact, the latter may even be advisable as two machine re-
imaged from the same image backup will have certain registry values the
same which would normally not happen. This approach also side-steps
the "activation dance" (for OSes affected by such) that true imaging
approaches can suffer.
Regardless of which way you decide to go, carefully consider bandwidth
and image/install directory storage issues and network connectivity.
> Are there other vendors that do a better job?
Than MS? Do you really have to ask?? 8-)
(Actually, I've not done comparative tests of VMWare -- which I use --
against Virtual PC and the latter was originally not developed by
-- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html