Re: [Full-Disclosure] Imaging Operating Systems
Greetings!

On Thu, 27 May 2004 19:27:09 +0200 Maarten [EMAIL PROTECTED] wrote:

> Mmmm... answered my own question with a bit of googling, sorry... But it may be helpful or useful in this thread too, so here goes:
>
> [...]
>
> Surely not comparable to Ghost, but with no extra effort or cost...

Ghost won't work (IIRC) on unknown OS types as it only copies used data blocks. Netcat does a binary copy and does not care what OS or data... see http://wyae.de/docs/img_dd.php

Bye

Volker Tanger
ITK Security

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Imaging Operating Systems
> Ghost won't work (IIRC) on unknown OS types as it only copies used data blocks. Netcat does a binary copy and does not care what OS or data...

Not sure about newer versions of Ghost, but I know some older versions will copy unknown partition types just fine; it merely does a bitwise copy of the partition/drive, including empty space. The downside being that the disk geometry of the target disk must be identical, since the copied partition/disk cannot be adjusted due to Ghost being unaware of its internal structure.
Re: [Full-Disclosure] Imaging Operating Systems
Volker Tanger [EMAIL PROTECTED] wrote:

> Ghost won't work (IIRC) on unknown OS types as it only copies used data blocks. Netcat does a binary copy and does not care what OS or data...

That just might be a limitation if you are GUI-bound, but I'm sure there are (or, at least, were on the most recent version of Ghost I've looked at and used, which may not be quite the newest) switches for commandline use for creating raw image backups.

Regards,

Nick FitzGerald
Re: [Full-Disclosure] Imaging Operating Systems
On Fri, 2004-05-28 at 10:14, Curt Purdy wrote:

> You are right about vmWare. It is THE most useful tool for lab work I've found. When you are through trashing a virtual OS, just delete it and copy over the original folder that you initially backed up and you're good to go again.

Why so complicated? Just configure the vmWare virtual disk as undoable and discard the changes when you're done trashing the OS. Instant reset to where you started. :)

Regards,
Frank
Re: [Full-Disclosure] Imaging Operating Systems
Microsoft is currently offering VirtualPC (formerly Connectix, similar to VMWare) and they have a beta programme for their upcoming Virtual Server (server-oriented VirtualPC). Also, for servers, they have Advanced Deployment Services.

Ondra

On Wed, May 26, 2004 at 03:53:03PM -0500, Shawn Cox wrote:
> Norton/Symantec Ghost
> PowerQuest Drive Image (I think Norton gobbled this one up)
> Or for the truly crafty vmWare.
>
> --S
>
> ----- Original Message -----
> From: Michael Schaefer [EMAIL PROTECTED]
> To: Full-Disclosure [EMAIL PROTECTED]
> Sent: Wednesday, May 26, 2004 1:55 PM
> Subject: [Full-Disclosure] Imaging Operating Systems
>
> > Hi all
> >
> > We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
> >
> > Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
> >
> > I keep hearing suggestions about having a clean image to transfer onto the computer.
> >
> > Can anyone send some details?
> >
> > Is there an official Microsoft way to do this?
> >
> > Is some sort of over the network OS installation script in order here?
> >
> > Are there other vendors that do a better job?
> >
> > Thanks

--
Ondrej Krajicek (-KO
Institute of Computer Science, Masaryk University Brno, CR
http://isildur.ics.muni.cz/~ondra [EMAIL PROTECTED]
Re: [Full-Disclosure] Imaging Operating Systems
Michael Schaefer [EMAIL PROTECTED] wrote:

> We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
>
> Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
>
> I keep hearing suggestions about having a clean image to transfer onto the computer.
>
> Can anyone send some details?

The most common approaches to this are the use of virtual machines (VMWare, Virtual PC, etc) and drive image backups (Ghost, etc). There are pros and cons to each and common pitfalls and issues to consider carefully when setting this all up...

Depending on the Windows OS version(s) you wish to use and the number of identical machines you may want to run at once, using imaging software and multiple PCs will likely run into issues with software activation because although you may use machines with identical hardware configurations, the activation system will still detect the differences (e.g. IDE drive serial numbers) and complain, may stop running after the grace period, etc. With emulation, multiple virtual machines using the same image should actually seem to be the same to the activation system and thus avoid these kinds of problems (at least, that is, until an upgrade to the VM product also upgrades the emulated hardware...).

Of course, virtualization has a performance penalty, so unless you have reasonably hefty machines on which to run your test VMs, you may find it all a bit clunky. Virtualization is also detectable (much like running the code under a debugger is) and some of the stuff you may want to look at is now detecting at least VMWare and acting differently if it detects it is running under VMWare.

> Is there an official Microsoft way to do this?

Offhand I don't recall any MS drive imaging backup software, but MS recently (in the last year?) bought Connectix (makers of Virtual PC) so if the pros and cons of both approaches do not prevent you considering virtual machine technology, I guess Virtual PC is the official MS way for doing this stuff. (From a very recent demonstration I saw at a conference, I'd say it is a fair bet that PSS analysts use Virtual PC for a lot of their diagnosis of customer problems involving spyware, adware and other suspect-ware.)

> Is some sort of over the network OS installation script in order here?

This is another option I did not specifically consider above as it will almost always (especially with Windows!) result in slower re-imaging times than copying clean VM image files or restoring a compressed image backup (even over the network). Further, it does not give you the same disk image as the starting point for your next analysis or for starting over if you scr*w something up. PCs re-imaged this way should be functionally equivalent, but the actual location of stuff on disk and some of the starting config values and so on will be subtly different. In fact, the latter may even be advisable as two machines re-imaged from the same image backup will have certain registry values the same which would normally not happen. This approach also side-steps the activation dance (for OSes affected by such) that true imaging approaches can suffer.

Regardless of which way you decide to go, carefully consider bandwidth and image/install directory storage issues and network connectivity.

> Are there other vendors that do a better job?

Than MS? Do you really have to ask?? 8-)

(Actually, I've not done comparative tests of VMWare -- which I use -- against Virtual PC and the latter was originally not developed by MS...)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
RE: [Full-Disclosure] Imaging Operating Systems
VMWare is a great way to go. You get a quarantined guest OS that you can restore by simply replacing a file. You can also take a snapshot of the OS and then just revert to that snapshot anytime you like. You can also set up a private LAN that is isolated to your test computer for multiple guest OSes - lets you watch how the applications want to communicate.

- Baseline system
- Snapshot
- Do Bad Thing
- Rebaseline
- Revert to snapshot and Compare baselines
- Repeat as needed

- Tom Chmielarski

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Riden
Sent: Wednesday, May 26, 2004 4:24 PM
To: [EMAIL PROTECTED]
Cc: Full-Disclosure
Subject: Re: [Full-Disclosure] Imaging Operating Systems

> Michael Schaefer [EMAIL PROTECTED] writes:
>
> > Hi all
> >
> > We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
> >
> > Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
> >
> > I keep hearing suggestions about having a clean image to transfer onto the computer.
> >
> > Can anyone send some details?
>
> Ghost or Altiris can do this for you.
>
> --
> James Riden / [EMAIL PROTECTED] / Systems Security Engineer
> Information Technology Services, Massey University, NZ.
> GPG public key available at: http://www.massey.ac.nz/~jriden/
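As an added example (not part of Tom's post, and not code from VMWare or any tool named in this thread), here is the baseline / rebaseline / compare step of that loop done from outside the guest with only find, sha256sum, sed and awk, as found on a Knoppix CD. It assumes the guest's disk is mounted read-only at a directory you pass in (Ondra notes below that Knoppix can mount NTFS that way); the function and file names are mine.

```shell
#!/bin/sh
# Added example: file-level baseline of a guest disk mounted read-only on
# the analysis host, and a diff of two such baselines. Assumed usage:
#   take_baseline /mnt/guest /root/before.txt     (clean snapshot)
#   ... run the sample inside the guest, shut it down, remount ...
#   take_baseline /mnt/guest /root/after.txt
#   compare_baselines /root/before.txt /root/after.txt

# take_baseline DIR OUT: one line per regular file under DIR, in the form
# "sha256hex  ./relative/path", sorted by path so two baselines of the
# same tree are directly comparable. Paths are relative to DIR so the
# mount point does not matter.
take_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) \
        | LC_ALL=C sort -k 2 > "$2"
}

# compare_baselines OLD NEW: prints "+ path" for files that appeared,
# "- path" for files that vanished and "~ path" for files whose content
# changed. Each line is tagged O/N before awk sees it, so the same file
# may be given twice and an empty baseline is handled; the path starts at
# column 69 (tag + space + 64 hex chars + two spaces), which keeps paths
# containing spaces intact.
compare_baselines() {
    { sed 's/^/O /' "$1"; sed 's/^/N /' "$2"; } | awk '
        $1 == "O" { old[substr($0, 69)] = $2; next }
                  { new[substr($0, 69)] = $2 }
        END {
            for (p in new) if (!(p in old)) print "+ " p
            for (p in old) if (!(p in new)) print "- " p
            for (p in old) if ((p in new) && old[p] != new[p]) print "~ " p
        }' | LC_ALL=C sort
}
```

Registry changes show up only as a modified hive file; content changes that keep the same bytes in place (timestamps, permissions) are not recorded, so treat this as a first pass, not a forensic record.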
Re: [Full-Disclosure] Imaging Operating Systems
On Thursday 27 May 2004 16:09, Nick FitzGerald wrote:
> Michael Schaefer [EMAIL PROTECTED] wrote:
>
> > We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
> >
> > Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
> >
> > I keep hearing suggestions about having a clean image to transfer onto the computer.
> >
> > Can anyone send some details?
>
> The most common approaches to this are the use of virtual machines (VMWare, Virtual PC, etc) and drive image backups (Ghost, etc). There are pros and cons to each and common pitfalls and issues to consider carefully when setting this all up...

This is an interesting thread... But out of curiosity, is it also possible to do backup / restores using readily available linux tools? I'd like to be able to do something like running dd over a network connection, or tar, or whatever other tool. In that case, a bootable CD is all you need. But I'm unsure how to do that...

Maarten

--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
Re: [Full-Disclosure] Imaging Operating Systems
On Thursday 27 May 2004 18:30, Kevin Connolly wrote:
> Maarten wrote:
> > This is an interesting thread... But out of curiosity, is it also possible to do backup / restores using readily available linux tools? I'd like to be able to do something like running dd over a network connection, or tar, or whatever other tool. In that case, a bootable CD is all you need. But I'm unsure how to do that...
> >
> > Maarten
>
> one suggestion: make the PC dual boot: Windows and Linux with the Linux partition larger.

Yes, I know. I did that at the time when I still needed dual-boot. No, what I want is more generic (and it is slightly offtopic since it is not specifically meant to try out malware). Suppose I visit a friend who has a botched system, and I carry with me my linux laptop and a knoppix CD. Now if there would be a way to backup his entire HDD with just the tools on the CD (and the laptop as receiving host) that would be fantastic. I was thinking of something like using {tar | dd | cpio} and netcat but I'm unsure if it can be done, much less how to proceed.

> boot Linux and dd the raw Windows partition to a Linux file
> boot Windows and play with malware
> boot Linux and dd the file back out to the Windows partition
> rinse and repeat...

This works just fine for one or two drawbacks: You need to plan this in advance, and malicious code that randomly overwrites disks will kill linux + imagefile then, too.

Maarten

--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
Re: [Full-Disclosure] Imaging Operating Systems
Maarten wrote:
> This is an interesting thread... But out of curiosity, is it also possible to do backup / restores using readily available linux tools? I'd like to be able to do something like running dd over a network connection, or tar, or whatever other tool. In that case, a bootable CD is all you need. But I'm unsure how to do that...
>
> Maarten

one suggestion: make the PC dual boot: Windows and Linux with the Linux partition larger.

boot Linux and dd the raw Windows partition to a Linux file
boot Windows and play with malware
boot Linux and dd the file back out to the Windows partition
rinse and repeat...

I used this method some years back with Win95 and FreeBSD but I had a very small Win95 partition.

See also: www.feyrer.de/g4u/ (Ghost for Unix)
Re: [Full-Disclosure] Imaging Operating Systems
> This is an interesting thread... But out of curiosity, is it also possible to do backup / restores using readily available linux tools? I'd like to be able to do something like running dd over a network connection, or tar, or whatever other tool. In that case, a bootable CD is all you need. But I'm unsure how to do that...

Knoppix + tar + bzip2 + netcat, but beware... it is REALLY FAST :). On slower lines (up to 100Mbit/s incl.), the line will be the bottleneck (98% avg. usage), on faster ones (we tested on 1Gbit/s fiber optics ethernet and 2GBit/s Fiber Channel) the ATA disks used on the client were the limiting factor :).

on client/source:

    $ tar c / | bzip2 -9 | nc server port

on server:

    $ nc -l port | bunzip2 | tar x

Please note, that netcat has also UDP option. Using it this way leads to having lots of fun... ;-)

Netcat is also available on Windows under CygWin. With Knoppix able to mount NTFS read-only, this has some interesting-to-explore implications... :).

Have a nice day...

Ondra

--
Ondrej Krajicek (-KO
Institute of Computer Science, Masaryk University Brno, CR
http://isildur.ics.muni.cz/~ondra [EMAIL PROTECTED]
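As an added example (not from Ondra's post or from any tool in the thread), the same pipeline applied to a raw partition with dd instead of tar, which is what Maarten asked for, plus the two checks a practitioner wants before trusting such an image: that what the receiver holds hashes the same as the source device, and that the image fits the target before it is written back (the same geometry constraint noted earlier for Ghost on unknown partition types). It assumes the "nc -l port" listener form used above, dd and sha256sum from coreutils, bzip2 with a gzip fallback, and that the source box is booted from a live CD so the partition is not mounted; host names, ports and file names are placeholders.

```shell
#!/bin/sh
# Added example: raw partition imaging over netcat with integrity and
# size checks. Assumed usage (names are placeholders):
#   receiver (laptop):  image_recv 9000 friend-hda1.img.bz2
#   sender (live CD):   image_send /dev/hda1 192.168.0.2 9000
#   then compare:       image_hash_device /dev/hda1     (on the sender)
#                       image_hash_file friend-hda1.img.bz2  (on the receiver)
#   restore later:      image_fits IMG /dev/hda1 && image_restore IMG /dev/hda1

# bzip2 as in the thread; fall back to gzip on a CD that lacks it.
if command -v bzip2 >/dev/null 2>&1; then
    ZIP='bzip2 -9'; UNZIP='bzip2 -dc'
else
    ZIP='gzip -9';  UNZIP='gzip -dc'
fi

# image_stream DEV: the raw bytes of DEV, compressed, on stdout.
image_stream() {
    dd if="$1" bs=1M 2>/dev/null | $ZIP
}

image_send()    { image_stream "$1" | nc "$2" "$3"; }   # push over the wire
image_to_file() { image_stream "$1" > "$2"; }           # or keep it local
image_recv()    { nc -l "$1" > "$2"; }                  # listener side

# image_hash_device DEV / image_hash_file IMG: the same SHA-256 on both
# ends shows the image is a faithful copy. A mismatch means bytes were
# lost or reordered in transit, which is exactly what netcat's UDP mode
# will do to you on a busy link.
image_hash_device() { dd if="$1" bs=1M 2>/dev/null | sha256sum | cut -d' ' -f1; }
image_hash_file()   { $UNZIP < "$1" | sha256sum | cut -d' ' -f1; }

# device_size DEV: size in bytes of a block device or of a regular file
# (the latter lets the functions be tried on a file before a real disk).
device_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# image_fits IMG DEV: a raw image can only be restored onto a target at
# least as large as the source; returns non-zero if it would be truncated.
image_fits() {
    img=$($UNZIP < "$1" | wc -c | tr -d ' ')
    [ "$img" -le "$(device_size "$2")" ]
}

# image_restore IMG DEV: write the image back; run image_fits first.
image_restore() { $UNZIP < "$1" | dd of="$2" bs=1M 2>/dev/null; }
```

Because the image lands on the receiving laptop rather than on a second partition of the same disk, a sample that scribbles over the whole drive cannot take the backup with it, which was the drawback Maarten raised with the dual-boot approach.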
RE: [Full-Disclosure] Imaging Operating Systems
BTW, beware setting double boot with a Linux 2.6 kernel and Windows just now. Apparently there is some bug in the way windows computes geometry and adding Linux 2.6 has hosed some folks' ability to boot Windows. Supposedly if you can force the BIOS to use LBN mode this gets around the problem. This was reported for Fedora, but sounds like a more generic issue. I have recovered systems by booting CDs with Linux though. That worked rather well.

The Fedora release 2 of 2-3 days ago has been reported still to have this disk geometry problem. Doesn't affect all systems, but apparently even if you create partitions in Windows (or maybe an old Linux off CD) the partition table gets written somehow.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Maarten
Sent: Thursday, May 27, 2004 12:59 PM
To: Full-Disclosure
Subject: Re: [Full-Disclosure] Imaging Operating Systems

> On Thursday 27 May 2004 18:30, Kevin Connolly wrote:
> > Maarten wrote:
> > > This is an interesting thread... But out of curiosity, is it also possible to do backup / restores using readily available linux tools? I'd like to be able to do something like running dd over a network connection, or tar, or whatever other tool. In that case, a bootable CD is all you need. But I'm unsure how to do that...
> > >
> > > Maarten
> >
> > one suggestion: make the PC dual boot: Windows and Linux with the Linux partition larger.
>
> Yes, I know. I did that at the time when I still needed dual-boot. No, what I want is more generic (and it is slightly offtopic since it is not specifically meant to try out malware). Suppose I visit a friend who has a botched system, and I carry with me my linux laptop and a knoppix CD. Now if there would be a way to backup his entire HDD with just the tools on the CD (and the laptop as receiving host) that would be fantastic. I was thinking of something like using {tar | dd | cpio} and netcat but I'm unsure if it can be done, much less how to proceed.
>
> > boot Linux and dd the raw Windows partition to a Linux file
> > boot Windows and play with malware
> > boot Linux and dd the file back out to the Windows partition
> > rinse and repeat...
>
> This works just fine for one or two drawbacks: You need to plan this in advance, and malicious code that randomly overwrites disks will kill linux + imagefile then, too.
>
> Maarten
>
> --
> Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
RE: [Full-Disclosure] Imaging Operating Systems
While not specifically designed for backups, you could use the Helix cd (http://www.e-fense.com/helix/), which has netcat and dd, which make a great combination for grabbing the contents of a file (or partition, or drive) and dumping them across the network to another computer. Since Helix is Knoppix-based, this might do what I think you're looking for.

Jon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Maarten
Sent: Thursday, May 27, 2004 11:59 AM
To: Full-Disclosure
Subject: Re: [Full-Disclosure] Imaging Operating Systems

> On Thursday 27 May 2004 18:30, Kevin Connolly wrote:
> > Maarten wrote:
> > > This is an interesting thread... But out of curiosity, is it also possible to do backup / restores using readily available linux tools? I'd like to be able to do something like running dd over a network connection, or tar, or whatever other tool. In that case, a bootable CD is all you need. But I'm unsure how to do that...
> > >
> > > Maarten
> >
> > one suggestion: make the PC dual boot: Windows and Linux with the Linux partition larger.
>
> Yes, I know. I did that at the time when I still needed dual-boot. No, what I want is more generic (and it is slightly offtopic since it is not specifically meant to try out malware). Suppose I visit a friend who has a botched system, and I carry with me my linux laptop and a knoppix CD. Now if there would be a way to backup his entire HDD with just the tools on the CD (and the laptop as receiving host) that would be fantastic. I was thinking of something like using {tar | dd | cpio} and netcat but I'm unsure if it can be done, much less how to proceed.
>
> > boot Linux and dd the raw Windows partition to a Linux file
> > boot Windows and play with malware
> > boot Linux and dd the file back out to the Windows partition
> > rinse and repeat...
>
> This works just fine for one or two drawbacks: You need to plan this in advance, and malicious code that randomly overwrites disks will kill linux + imagefile then, too.
>
> Maarten
>
> --
> Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
Re: [Full-Disclosure] Imaging Operating Systems
In a large telemarketing company I used to I.T. for, we ran across Deep Freeze. (http://www.faronics.com/) This product allowed pretty much any changes to be made to the machine including customizations, deletions, and propagation of virus / worms, without harm to the machine. In fact all it took was a simple reboot to clear what changes had been made, and have the machine back to its frozen state. Simple, Effective.

* 100% complete recovery on every restart
* Full access to all computer functions
* Guaranteed compatibility with all applications
* Single install for Windows 95, 98 ME, 2000, XP
* Operates in any user mode, including Administrator
* Protects more than one physical hard disk
* Password protected and completely secure
* Supports multiple hard drives partitions
* SCSI, ATA IDE hard drive support
* Fully compatible with daylight savings time
* FAT, FAT32, NTFS, basic and dynamic disks
* Deploy on multiple workstations as part of a master image
* Protects CMOS
* Protects master boot record
* Supports multi-boot environments
* Select specific partitions to be thawed
* Set the number of thawed restarts with boot control
* Uses only 2MB of Disk Space
* Silent install for rapid network deployment
* Fully Compatible with Fast User Switching

I hope this is what you are looking for.

Robert

Shawn Cox wrote:
> Norton/Symantec Ghost
> PowerQuest Drive Image (I think Norton gobbled this one up)
> Or for the truly crafty vmWare.
>
> --S
>
> ----- Original Message -----
> From: Michael Schaefer [EMAIL PROTECTED]
> To: Full-Disclosure [EMAIL PROTECTED]
> Sent: Wednesday, May 26, 2004 1:55 PM
> Subject: [Full-Disclosure] Imaging Operating Systems
>
> > Hi all
> >
> > We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
> >
> > Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
> >
> > I keep hearing suggestions about having a clean image to transfer onto the computer.
> >
> > Can anyone send some details?
> >
> > Is there an official Microsoft way to do this?
> >
> > Is some sort of over the network OS installation script in order here?
> >
> > Are there other vendors that do a better job?
> >
> > Thanks
RE: [Full-Disclosure] Imaging Operating Systems
Hi Michael,

there are a number of ways to create testing environments with clean images. I have built a few corporate test labs and would be happy to help you build one. Microsoft's sysprep used to be the only working way to reproduce clean automated installs (and the only supported). Lately I have been using Altiris and Ghost and then storing the images on a network share. With Altiris, you can use a web page to restore the images. Both products will change the sid, computer name, network settings and run 3rd party applications after the restore.

-Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Schaefer
Sent: Wednesday, May 26, 2004 11:55 AM
To: Full-Disclosure
Subject: [Full-Disclosure] Imaging Operating Systems

> Hi all
>
> We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
>
> Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
>
> I keep hearing suggestions about having a clean image to transfer onto the computer.
>
> Can anyone send some details?
>
> Is there an official Microsoft way to do this?
>
> Is some sort of over the network OS installation script in order here?
>
> Are there other vendors that do a better job?
>
> Thanks
Re: [Full-Disclosure] Imaging Operating Systems
Norton/Symantec Ghost
PowerQuest Drive Image (I think Norton gobbled this one up)
Or for the truly crafty vmWare.

--S

----- Original Message -----
From: Michael Schaefer [EMAIL PROTECTED]
To: Full-Disclosure [EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 1:55 PM
Subject: [Full-Disclosure] Imaging Operating Systems

> Hi all
>
> We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
>
> Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
>
> I keep hearing suggestions about having a clean image to transfer onto the computer.
>
> Can anyone send some details?
>
> Is there an official Microsoft way to do this?
>
> Is some sort of over the network OS installation script in order here?
>
> Are there other vendors that do a better job?
>
> Thanks
Re: [Full-Disclosure] Imaging Operating Systems
Michael Schaefer [EMAIL PROTECTED] writes:

> Hi all
>
> We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
>
> Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
>
> I keep hearing suggestions about having a clean image to transfer onto the computer.
>
> Can anyone send some details?

Ghost or Altiris can do this for you.

--
James Riden / [EMAIL PROTECTED] / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
Re: [Full-Disclosure] Imaging Operating Systems
--- Shawn Cox [EMAIL PROTECTED] wrote:
> Norton/Symantec Ghost
> PowerQuest Drive Image (I think Norton gobbled this one up)
> Or for the truly crafty vmWare.

Yeah. And do remember that though VMware is the platform of choice for many testlabs, malware can change its behaviour when it detects that it is being run in a VMware virtual machine. For example, see this short but interesting article about how to detect a Virtual OS from a VXers point of view - http://29a.host.sk/29a-7/Articles/29A-7.011

I personally have not come across any malware which changes its behaviour when it detects VMWare, but, since it's relatively trivial, it may become standard practice in the near future.

--
S.G.Masood

--
Fools ignore complexity; pragmatists suffer it; experts avoid it; geniuses remove it.

> --S
>
> ----- Original Message -----
> From: Michael Schaefer [EMAIL PROTECTED]
> To: Full-Disclosure [EMAIL PROTECTED]
> Sent: Wednesday, May 26, 2004 1:55 PM
> Subject: [Full-Disclosure] Imaging Operating Systems
>
> > Hi all
> >
> > We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
> >
> > Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
> >
> > I keep hearing suggestions about having a clean image to transfer onto the computer.
> >
> > Can anyone send some details?
> >
> > Is there an official Microsoft way to do this?
> >
> > Is some sort of over the network OS installation script in order here?
> >
> > Are there other vendors that do a better job?
> >
> > Thanks
RE: [Full-Disclosure] Imaging Operating Systems
Any reason not to just use Ghost? Also, some people use VMWARE, and make a clean VMWARE image, copy it, load the suspicious stuff, and then delete it afterwards. If you have your virtual network interfaces disabled, it may be a fairly safe sandbox to work in.

Mark Lachniet

-----Original Message-----
From: Michael Schaefer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 2:55 PM
To: Full-Disclosure
Subject: [Full-Disclosure] Imaging Operating Systems

> Hi all
>
> We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
>
> Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
>
> I keep hearing suggestions about having a clean image to transfer onto the computer.
>
> Can anyone send some details?
>
> Is there an official Microsoft way to do this?
>
> Is some sort of over the network OS installation script in order here?
>
> Are there other vendors that do a better job?
>
> Thanks
RE: [Full-Disclosure] Imaging Operating Systems
Build the system out from a blank drive. Make sure it's totally 100% disconnected from any internet source. Install your Service Packs and hotfixes from a trusted CD. Trusted meaning - one that you know isn't infected with anything. Afterward - pick up on the advice of the other peeps and either Ghost or just image the drive.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:full-disclosure-[EMAIL PROTECTED] On Behalf Of James Riden
> Sent: Wednesday, May 26, 2004 5:24 PM
> To: [EMAIL PROTECTED]
> Cc: Full-Disclosure
> Subject: Re: [Full-Disclosure] Imaging Operating Systems
>
> Michael Schaefer [EMAIL PROTECTED] writes:
>
> > Hi all
> >
> > We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
> >
> > Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
> >
> > I keep hearing suggestions about having a clean image to transfer onto the computer.
> >
> > Can anyone send some details?
>
> Ghost or Altiris can do this for you.
>
> --
> James Riden / [EMAIL PROTECTED] / Systems Security Engineer
> Information Technology Services, Massey University, NZ.
> GPG public key available at: http://www.massey.ac.nz/~jriden/
Re: [Full-Disclosure] Imaging Operating Systems
How about using VMWARE, building your windows system in a virtual machine, then using the snapshot to snapshot your initial clean system, then you can install the malware etc and test, while you want the clean system, just revert it to the clean system.

-vertex

On Wed, May 26, 2004 at 02:55:17PM -0400, Michael Schaefer wrote:
> Hi all
>
> We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
>
> Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
>
> I keep hearing suggestions about having a clean image to transfer onto the computer.
>
> Can anyone send some details?
>
> Is there an official Microsoft way to do this?
>
> Is some sort of over the network OS installation script in order here?
>
> Are there other vendors that do a better job?
>
> Thanks

--
Security News Portal
http://www.securitytrap.com
Security by full disclosure
RE: [Full-Disclosure] Imaging Operating Systems
I agree with Shawn: VMWare is the weapon of choice for this. I have a couple boxes setup in my lab w/ VMWare and have several OS's on there. I just crashed on today messing with windows permission and just reverted to a saved copy in a matter of minutes. In fact- I'm testing a VMWare right now- I setup syslog client ( sabernet.net ) on it and have it going to a freeBSD box ( syslog )- I'm tailing /var/log/messages with swatch looking for logon failures/ success and emailing that to me.

My 2 marks worth :)

JP

-----Original Message-----
From: James Riden [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 4:24 PM
To: [EMAIL PROTECTED]
Cc: Full-Disclosure
Subject: Re: [Full-Disclosure] Imaging Operating Systems

> Michael Schaefer [EMAIL PROTECTED] writes:
>
> > Hi all
> >
> > We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
> >
> > Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
> >
> > I keep hearing suggestions about having a clean image to transfer onto the computer.
> >
> > Can anyone send some details?
>
> Ghost or Altiris can do this for you.
>
> --
> James Riden / [EMAIL PROTECTED] / Systems Security Engineer
> Information Technology Services, Massey University, NZ.
> GPG public key available at: http://www.massey.ac.nz/~jriden/
Re: [Full-Disclosure] Imaging Operating Systems
On 26 May 2004, at 19:55, Michael Schaefer wrote:

> I keep hearing suggestions about having a clean image to transfer onto the computer.
> Is there an official Microsoft way to do this?

Two methods:

1) Unattended Install (link is for a CD-based version, we do it from a network install server)
   http://www.pureperformance.com/js/showtip.asp?id=136

2) Install the machine, ghost it with Symantec Ghost, install spyware, trojans etc., and then when you've finished, write over it with a clean Ghost image again.
   http://www.symantec.com/ghost/

> Is some sort of over the network OS installation script in order here?

We have a complete unattended installation setup for Windows 2000/XP that will install every piece of standard software, based on some info in our central db about the machine. Walk up to the machine, PXE boot it, hit yes a couple of times and then walk away for an hour. Come back and you have a complete system.

We have something like 17000 machines. You probably don't.

> Are there other vendors that do a better job?

For a single machine, Ghost is easier (or for multiple identical machines you can use Ghost multicast). For a wide variety of hardware and installs, the network installation method is better.

--
Sam [EMAIL PROTECTED]
RE: [Full-Disclosure] Imaging Operating Systems
I believe all of PowerQuest was acquired by Symantec. Perhaps look at Symantec V2i Protector, which does an amazing job of administrating and creating images and restoring them. It is more server based, but it would make a very nice tool for a lab environment if you could afford the expense.

As an alternative there is a product called Acronis True Image, which looks almost like a copy of V2i Protector. The cost for this is a measly US$69 or something. It allows full and incremental image creation, live image creation whilst within Windows, boots off a CD, etc. etc. It has replaced Ghost in my arsenal for simple imaging tasks. I don't think it will be around for long as I am sure they are stepping on Symantec's toes :)

Suffice to say VMware still rocks for testing as well.

Cheers
Zach

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Shawn Cox
Sent: Thursday, 27 May 2004 6:53 AM
To: [EMAIL PROTECTED]; Full-Disclosure
Subject: Re: [Full-Disclosure] Imaging Operating Systems

Norton/Symantec Ghost
PowerQuest Drive Image (I think Norton gobbled this one up)
Or for the truly crafty, vmWare.

--S

----- Original Message -----
From: Michael Schaefer [EMAIL PROTECTED]
To: Full-Disclosure [EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 1:55 PM
Subject: [Full-Disclosure] Imaging Operating Systems

> Hi all
>
> We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
> Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
>
> I keep hearing suggestions about having a clean image to transfer onto the computer.
> Can anyone send some details?
>
> Is there an official Microsoft way to do this?
> Is some sort of over the network OS installation script in order here?
> Are there other vendors that do a better job?
>
> Thanks
Re: [Full-Disclosure] Imaging Operating Systems
There are also some open source alternatives: mondo/mindi, udpcast.

I use a modified version of udpcast put on a Knoppix disk to do big network installs. We keep a small 6 GB image on an image server and then the Knoppix disk will transfer the image and resize the partitions based upon the size of the hard drive. Works great, broadcasts over the network so we can do a lot of machines at the same time, and it only takes about 20 minutes.

Chris Locke
http://stageofbattle.org

On Wed, 2004-05-26 at 15:53, Shawn Cox wrote:
> Norton/Symantec Ghost
> PowerQuest Drive Image (I think Norton gobbled this one up)
> Or for the truly crafty, vmWare.
>
> --S
>
> ----- Original Message -----
> From: Michael Schaefer [EMAIL PROTECTED]
> To: Full-Disclosure [EMAIL PROTECTED]
> Sent: Wednesday, May 26, 2004 1:55 PM
> Subject: [Full-Disclosure] Imaging Operating Systems
>
> > Hi all
> >
> > We are building a Windows test system, to try out tool bars, spy ware, malware and trojans on.
> > Once we learn what we need to know, we obviously want to get rid of the junk quickly and cleanly.
> >
> > I keep hearing suggestions about having a clean image to transfer onto the computer.
> > Can anyone send some details?
> >
> > Is there an official Microsoft way to do this?
> > Is some sort of over the network OS installation script in order here?
> > Are there other vendors that do a better job?
> >
> > Thanks
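The "take a clean image, trash the box, write the clean image back" loop that Sam's Ghost recipe and Chris's udpcast image server both rely on, as an added example that is not code from the thread, from Ghost, udpcast or any other tool named in it. It uses only dd and a SHA-256 tool, and adds the check the thread leaves implicit: hash the image at capture time and refuse to restore anything that no longer matches, so a lab box is only ever rebuilt from the image you actually took. The DEVICE and IMAGE arguments are placeholders (a real run would use something like /dev/sda and a path on the image server, both assumptions); demo_roundtrip drives the same functions with ordinary files so it needs neither root nor a spare disk.

```shell
#!/bin/sh
# Added example, not code from the thread, Ghost, udpcast or any other tool
# named in it. A raw "clean image" round-trip with dd plus SHA-256, so the
# restore step only ever writes back the image that was actually captured.
# DEVICE/IMAGE arguments are placeholders (e.g. /dev/sda and /srv/images/clean.img,
# both assumed); demo_roundtrip runs everything on plain files as a stand-in.
set -u

# hash_file FILE: SHA-256 hex digest, with GNU coreutils or BSD/perl shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f1
    else
        shasum -a 256 "$1" | cut -d ' ' -f1
    fi
}

# capture_image DEVICE IMAGE: bit-for-bit copy (used and unused blocks alike,
# the same thing Ghost raw mode or dd over netcat gives you), then record the
# image hash beside it. Forensic captures often add conv=noerror,sync to ride
# over bad sectors; that zero-pads unreadable blocks, so the image hash would
# then no longer equal a hash of the source device.
capture_image() {
    dd if="$1" of="$2" bs=4096 2>/dev/null || return 1
    hash_file "$2" > "$2.sha256"
}

# verify_image IMAGE: 0 if IMAGE still matches the hash recorded at capture time.
verify_image() {
    [ -f "$1.sha256" ] || return 1
    [ "$(hash_file "$1")" = "$(cat "$1.sha256")" ]
}

# restore_image IMAGE DEVICE: refuse a tampered or bit-rotted image, write the
# image back, then confirm DEVICE hashes identically (a short write or a
# differently sized target shows up here rather than at next boot).
restore_image() {
    verify_image "$1" || { echo "refusing to restore: $1 fails verification" >&2; return 1; }
    dd if="$1" of="$2" bs=4096 2>/dev/null || return 1
    [ "$(hash_file "$2")" = "$(cat "$1.sha256")" ]
}

# demo_roundtrip: exercise the three functions on a 1 MiB file standing in for
# a disk. Prints "ok" and returns 0 when capture, tamper detection and restore
# all behave; returns 1 otherwise.
demo_roundtrip() {
    d=$(mktemp -d) || return 1
    yes 'clean lab image' | head -c 1048576 > "$d/disk"    # constructed "disk"
    capture_image "$d/disk" "$d/clean.img"           || { rm -rf "$d"; return 1; }
    verify_image "$d/clean.img"                      || { rm -rf "$d"; return 1; }
    # A copy with its first byte changed must fail verification and be refused.
    cp "$d/clean.img" "$d/bad.img"; cp "$d/clean.img.sha256" "$d/bad.img.sha256"
    printf 'X' | dd of="$d/bad.img" bs=1 count=1 conv=notrunc 2>/dev/null
    verify_image "$d/bad.img"                        && { rm -rf "$d"; return 1; }
    restore_image "$d/bad.img" "$d/disk" 2>/dev/null && { rm -rf "$d"; return 1; }
    # Trash the "disk" (the malware run), then bring the clean image back.
    head -c 1048576 /dev/zero > "$d/disk"
    restore_image "$d/clean.img" "$d/disk"           || { rm -rf "$d"; return 1; }
    cmp -s "$d/disk" "$d/clean.img"                  || { rm -rf "$d"; return 1; }
    rm -rf "$d"
    echo ok
}
```

Calling demo_roundtrip prints "ok". The hash sidecar is the piece worth keeping even if you image with Ghost or udpcast instead of dd: an image sitting on a shared image server is exactly the kind of file a piece of malware escaping the lab would love to modify, and verifying before every restore costs one read of the image.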