Grand Stream Dreams blog

...soaring up...chasing dreams...what would I do if I caught one...

IT Phone Home: PC Auditing to Go

This will be a slam-down post. As in, I’m slamming down in the pan, frying it up and tossing it on the plate.  Got a busy schedule this weekend, time is a luxury, and I’m a short-order cook.

At work we’ve had an anomaly crop up.  A number of our newest systems have been found to be strangely missing system RAM.   Down to 1 GB from 2 GB according to the factory specs and build information based on system number.

I’m no PI but a roundup of the particulars leads us to a single conclusion.  Unfortunately, because our installation process does not actually involve base-lining every system we install (I know, I know…) I can’t say with 100% certainty that the system put on the desk definitely had all the RAM ordered when it was placed on the desk.  So loss could have occurred anywhere from the factory, through the delivery chain, to the install, to post-install period.

So (being the bright folks we are) we got together and figured out that we needed to document what each and every system we install contained when we touched it and walked away from it. And it needed to be done by the installer.  That way we could be certain what every system had when we put it on the desk, and if something came up missing, what it was and that it happened after the installation.  It would be golden if we could also extract serial numbers of RAM DIMMs, chassis, hard-drives, and other elements without cracking the case open.

Now I can’t speak for all shops, but our install techs are very busy and time is of the essence.  Opening every case and inventorying all the key components could really slow down the process of deploying to staff.

We needed a fast way to make like a panda and eat, shoot and leaf.

The Solution

After a lot of research, we appear to have settled on the retired AIDA32 project software.  A bit more testing and validation is required but we are feeling pretty good with this first-round draft pick for the team.

There are two versions, AIDA32 - 3.93 and AIDA32 - 3.94.2.  The biggest difference between them is that the second one supports a server mode that when configured will accept Audit auto-sends from systems when AIDA32 has been set up to run in “client-mode”.  The second one also seems to have slightly better hardware support.

We like this one because it is highly customizable to the degree of specific hardware and Operating System components that can be selected or excluded for reporting.  After much work I configured a custom report that will provide us with a system summary, user account information, motherboard identifiers, system chassis type, RAM DIMM size, counts, and serial numbers, hard drive SMART information, hard drive model and serial number, label of hard drive, workgroup information,  AV information, monitor type and serial number, and network IP configuration info.

That lets us know exactly how the installer configured the system, who it was configured for, where it was configured, and what all was specifically on the system when it was deployed.

Now, to make things even more fun, I’ve been able to package it all up in a single folder that each technician can carry and run from their USB stick.

Then I used its batch-file, command-line, custom reporting, and email actions support to allow them to click a single batch file.  That file runs a system audit based on my parameters, packs it up in a text-file, attaches it to an email message and sends it to three of us.  All in the space of about a minute.

So the tech can click it, allow it, and forget it.  We get our reports and audit documentation and the techs suffer through negligible time-loss.

One of the bonus finds was this AIDA32 User Guide (zip) which has great details on configuring the tool as well as all the command-line parameter support.

Bonus Trick

I wanted the batch-file process to be almost seamless, and I found this great tip on how to (kinda) run a batch-file to launch in a minimized/hidden CMD window.

It was a clever trick and some background on what exactly it does can be found in this chock-full-o-nuts post: Antimail : Script recipe of the week: how to copy an opened file.

Between this trick and some AIDA32 command-line fu, it looks to be a perfect match with system auditing information capture at time of installation and a 1-minute drill to the goalposts.

First Runners Up

Here are more free “system auditing” tools that I was familiar with and considered.

However they either provided too much information, or not enough control over the information in the report.  Plus they didn’t have a way to auto-transmit the data, so collection was a bit more involved and technician-dependent.

Belarc Advisor - Free Personal PC Audit – This was the first PC Audit software I ever used at home, years ago.  It still is great but isn’t free for business usage.

SIW | System Information for Windows by Gabriel Topala – Great information. Beautiful GUI. High degree of information provided.  Reporting is good and can be run in batch-modes. Wonderfully versatile but not free for business usage and I couldn’t quite get the granularity of reporting I wanted.

SIV - System Information Viewer – free and provides an insane amount of detailed hardware information. Simply insane in the membrane. A beautiful product that makes the hardware geeks cry.  However it was too much info for our needs.

System Spec- Portable System Information Utility – Really, really nice portable product to audit your system.  Beautiful reports and easy to use.  Completely free.  Probably would have been my choice but didn’t quite allow me the reporting item selection flexibility I was looking for.  It was so close to being perfect it hurt.  Highly recommended, particularly for mom-n-pop system builders and home users.

WinAudit v2.27 - Free Computer Audit Software – Fast fully free (commercial/personal usage) and portable tool that provides nice reports.  I can’t complain much about it.  It does a great job and has a variety of options for outputting reports and getting them to where they need to go.  Email is supported.  I had to pass because I couldn’t quite get the selection of report item includes/excludes nailed down perfectly for my purposes.  Really worth looking into for home users.

Windows System Information Utility by HeidiR -(Download.com) – I’m offering this link as it seems to contain more information on the product than the developer’s own website page.  Pick either one for your download.  I liked this one as well.

Network inventory software - Free PC Audit – Free, small, and single exe file portable app.  Sure you can keep the help file and read-me if you want as well.  System scan is a bit slower than some of the other tools.  Reporting is pretty detailed.  You can export the report and

There are some other free and many, many commercial/enterprise system auditing applications out there, but if you are looking for a small, flexible, and portable tool to quickly scan and audit systems either at deployment or post deployment, there is a good chance at least one of these tools will fit your need perfectly.

Cheers.

--Claus


Windows FE “Live CD” Posts Followup

To get up to speed, please make yourself familiar with these two previous GSD posts:

The first one highlights a Win PE version build that offers forensic folks an alternative to the many Linux forensics “LiveCD” builds.  It contains background information as well as a link for instructions on building.

The second post was an amateur’s attempt to investigate claims that the Win FE disk isn’t, in fact, forensically sound.  I couldn’t find any actual documentation or commentary on the Web that examined this claim at all, so I set about doing my own experiment.  My admittedly limited testing found that booting a particular non-Windows system installation with Win FE did not change the drive hash.

It also allowed me an opportunity (fun excuse) to explore and detail the specific storage-mounting controls as found in the registry which prevented writing to the examined storage volumes.

Feedback from the Forensic Pros

Since then I have received a number of comments from the real forensics pros that have provided additional clarification and explanation about what is going on, along with gentle suggestions for improved validation methods.

I appreciate them deeply as my intention is to understand and document accurately what is going on with the Windows FE build in particular and Windows PE systems in general.

In the interest of sharing this great information, and to accept their honorably offered criticisms (in the sense of the act or art of analyzing and evaluating…) of my Win FE posts, I felt it was my duty to highlight them specifically in this followup post starting with Troy Larson a senior forensics investigator in Microsoft’s IT Security group who left this first of two comments.

Thanks for the write up. I am the creator of Windows FE, and I very much appreciate your testing and write up.

I have tried to document instances where Windows FE might write to disk, as well as why. Basically, Windows FE will write a disk signature to any disk that does not already have a disk signature--that is, generally, non-Windows disks (disks that have not been attached to Windows systems). Windows disks have disk signatures, so that is why you don't see a write activity.

Troy also kindly left this more detailed comment:

… ForensicSoft is quite correct. In fact, I believe I have shared more than a few emails with a person at ForensicSoft. However, I don't consider the issue as fatal to the forensic soundness of Windows FE, but then I take the position that it's how tools are used and not the tool itself that makes for forensic soundness. Windows FE can be used in a forensically sound manner.

Windows FE will write a disk signature to a non-Windows disk. Windows FE writes a disk signature to any disk that doesn't have a disk signature. This is a well documented behavior of Windows, and, as such, is predictable. As predictable, the behavior can be expected and explained by the forensic investigator. Thus, one could use Windows FE on non-Windows disk, and have forensically sound findings--as long as the four bytes at the disk signature location are not at issue. I have seen nothing that indicates that Windows FE writes to any partitioned space--Windows or non-Windows.

I have a great deal of respect for the people at ForensicSoft. I appreciate that they have taken the time to advise the forensic community of a potential issue in Windows FE. Windows FE is a tool that came out of Microsoft's forensics team. It is not a product. As you note, it is a customization of Windows PE v.2.1.

So Troy provides an explanation from his considerable testing work for cases where the disk hash has been observed to change with use of the Windows FE disk.

This is in line with the information suggested previously by forensics specialist DC1743 over at his Forensics from the sausage factory: Windows FE saves the day with a Dell Inspiron 530 post:

Windows FE may write a disk signature to a partitioned disk, if the disk does not already have a signature. The disk signature starts at 0x01B8. The partitioned space—volumes—are not written to.

The read-only switch in Diskpart also writes a byte to the hard drive that makes that hard drive read-only to Windows.

For these reasons the whole device hashing approach may result in differing hash values - however this behavior does not necessarily make the use of Windows FE forensically unsound.

DC1743 also posted a follow-up comment on one of my Windows FE posts:

In respect to the non windows testing I was not sure exactly what was going on with the conv=noerror option. Are you saying that the drive you were testing had read errors?

I guess you may not have access to a hardware write blocker, but if you did, hashing the disk with the installed linux OS whilst connected to one may have given you a better base line. As things stand we are trying to validate one form of software write blocking by using another form of software write blocking in our testing. I appreciate that the methodology may still be sound but it gives the critics more to aim at.

TinyApps Blog author and kind friend Miles offered his knowledgeable perspective as well saying

I would recommend using a hardware write-blocker, especially in forensic cases. I use WiebeTech's Forensic ComboDock:

http://www.wiebetech.com/products/ForensicComboDock.php

I haven't trusted software-only solutions ever since being unpleasantly surprised by disk changes Winternals Administrator's Pak (a Windows-based bootable rescue CD) made to a system without warning.

Lessons Learned

Number One

It seems clear that Windows PE / FE disks will, under particular circumstances, assign (write) a disk signature to a storage device if none is found.  That is the case when non-Windows OS systems are installed on the storage device.

That said, I still have the feeling that more work needs to be done to define and/or provide examples of when those particular circumstances do occur.  For instance, after the above comments were made, I went back to my original test-bed system and after booting it with the Win FE disk, verified that no Windows disk signature was present or assigned despite repeated accessing of the disk from the Win FE disk.  It never showed up.  That would be in line with my hashing matches observed.

Now in this case, my actions were only related to accessing and “off-line” viewing of the disk/contents.  I could see where if Win FE was used to capture an image, then write the image to a sanitized device, Win FE might indeed need to apply a disk signature to the cloned storage device in order to mount it in read/write mode as it put the image on the disk.  Maybe that is where the hashing difference comes in that is being talked about?  Not on the original “suspect” disk being viewed, but when “put” on the duplicate disk.  Maybe not?  I’m still unclear and hope this can be better explained.
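As an added illustration (not code from this post or from the Windows FE project), the following Python compares a pre-boot and post-boot image, localizes every differing byte, and reports whether the only change is the 4-byte disk signature at 0x01B8 that Troy and DC1743 describe. The sample images are constructed in memory, and the “masked” hash that zeroes the signature field is my own convenience for explaining a mismatch, not a documented forensic procedure; the exclusion must be recorded alongside the hash.

```python
import hashlib
from typing import Dict, List, Tuple

DISK_SIGNATURE_OFFSET = 0x01B8  # MBR disk signature offset, as given in DC1743's comment
DISK_SIGNATURE_LEN = 4          # "the four bytes at the disk signature location" (Troy Larson)
SECTOR = 512


def _add_range(ranges: List[Tuple[int, int]], start: int, end: int) -> None:
    """Append a half-open [start, end) range, merging with the previous one if contiguous."""
    if ranges and ranges[-1][1] == start:
        ranges[-1] = (ranges[-1][0], end)
    else:
        ranges.append((start, end))


def diff_ranges(before: bytes, after: bytes) -> List[Tuple[int, int]]:
    """Return the byte ranges where two equally sized disk images differ.

    Sectors are compared wholesale first (cheap), and only sectors that differ
    are walked byte by byte, so a large image with few changes stays fast.
    """
    if len(before) != len(after):
        raise ValueError("images differ in length; compare like-for-like captures")
    ranges: List[Tuple[int, int]] = []
    for off in range(0, len(before), SECTOR):
        a, b = before[off:off + SECTOR], after[off:off + SECTOR]
        if a == b:
            continue
        start = None
        for i, (x, y) in enumerate(zip(a, b)):
            if x != y and start is None:
                start = off + i
            elif x == y and start is not None:
                _add_range(ranges, start, off + i)
                start = None
        if start is not None:
            _add_range(ranges, start, off + len(a))
    return ranges


def only_disk_signature_changed(ranges: List[Tuple[int, int]]) -> bool:
    """True when every differing byte lies inside the 4-byte disk signature field."""
    sig_end = DISK_SIGNATURE_OFFSET + DISK_SIGNATURE_LEN
    return bool(ranges) and all(s >= DISK_SIGNATURE_OFFSET and e <= sig_end for s, e in ranges)


def masked_md5(image: bytes) -> str:
    """MD5 over the image with the disk-signature field zeroed (my own convention).

    A signature written to a previously unsigned disk leaves this hash unchanged;
    any other write still changes it. Record the masked range next to the hash
    so the exclusion is itself auditable.
    """
    sig_end = DISK_SIGNATURE_OFFSET + DISK_SIGNATURE_LEN
    h = hashlib.md5()
    h.update(image[:DISK_SIGNATURE_OFFSET])
    h.update(b"\x00" * DISK_SIGNATURE_LEN)
    h.update(image[sig_end:])
    return h.hexdigest()


def analyze(before: bytes, after: bytes) -> Dict[str, object]:
    """Compare a pre-boot and post-boot image and explain any whole-disk hash mismatch."""
    ranges = diff_ranges(before, after)
    return {
        "md5_before": hashlib.md5(before).hexdigest(),
        "md5_after": hashlib.md5(after).hexdigest(),
        "masked_md5_match": masked_md5(before) == masked_md5(after),
        "changed": ranges,
        "signature_only": only_disk_signature_changed(ranges),
    }


def build_sample_images() -> Tuple[bytes, bytes, bytes]:
    """Constructed 8-sector MBR-style images; these are not real captures.

    `before` models a non-Windows disk: zeroed signature field, 0x55AA boot
    marker, and deterministic filler in the partitioned area (sectors 1..7).
    """
    before = bytearray(8 * SECTOR)
    before[0x1FE:0x200] = b"\x55\xAA"
    for s in range(1, 8):
        before[s * SECTOR:(s + 1) * SECTOR] = bytes((s * 31 + i) & 0xFF for i in range(SECTOR))
    # Case 1: only a disk signature was assigned (the predictable Windows behaviour).
    signed = bytearray(before)
    signed[DISK_SIGNATURE_OFFSET:DISK_SIGNATURE_OFFSET + DISK_SIGNATURE_LEN] = b"\x12\x34\x56\x78"
    # Case 2: signature assigned AND one byte inside a partition (sector 3) was altered.
    tampered = bytearray(signed)
    tampered[3 * SECTOR + 100] ^= 0xFF
    return bytes(before), bytes(signed), bytes(tampered)


if __name__ == "__main__":
    before, signed, tampered = build_sample_images()
    for label, img in (("signature only", signed), ("partition write", tampered)):
        r = analyze(before, img)
        print(label, "changed:", [(hex(s), hex(e)) for s, e in r["changed"]],
              "signature_only:", r["signature_only"], "masked match:", r["masked_md5_match"])
```

For real captures, read both dd images from disk in sector-aligned chunks instead of holding them in memory; the comparison logic is unchanged.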

Here are some more great links about Windows disk signatures with XP and Vista systems for background information:

Number Two

It is clear to me that probably the only “professionally forensically sound manner” that exists in ensuring that a hard-disk drive (or other storage media) is not corrupted or changed when accessing it by an examiner is to use a physical write-block device attached to said device.

While software-based “write-protected” boot disks have their place, they still take a second-chair to the purpose-specific hardware-based write-blockers.

To respond to a few of the comments, no, I do not have access to a write-block device.  I’m hoping to include one in the supply and material budget for next year along with an updated SATA-drive supported disk-duplicator.  Our slot/bay-based ATA-drive duplicator is gathering dust as most all of our new systems are SATA hardware now.  Use of one in my tests would certainly have provided a greater measure of reliability with testing and results.

Number Three

DC1743’s comment also pointed out another “issue” with my methodology that I hadn’t even considered: did the hard-drive of my test system have sector errors?  I’m not sure, but based on my limited understanding of the different results I saw from the dd MD5 hashing of the drive with and without use of the “conv=noerror” option it appears that could be the case.

Curiously, and not noted in the test, was the fact that I tried local installation of Helix, RAPTOR, and DEFT forensic Linux builds on the test system’s hard drive. All three balked during the drive preparation process, despite my successful manual creation of the ext3 and swap partitions in their installers.  Only the CAINE Live CD allowed me to install itself locally with no issues or complaints.   Maybe it is more fault-tolerant somehow.  So something indeed may be going on with that particular hard-drive.  Windows has never complained about accepting an installation.  I’ve added a hard-disk deep sector scan test to my “to-do” list for the coming week, just out of curiosity….and because I hate loose ends!

This highlights the importance of pre-checking and thoroughly testing the storage media that will receive a captured image, certifying that it is free of errors and problems.  It probably is part of the normal forensics procedure to understand if the “evidence” drive also contains any physical surface errors.  Certainly both of these things could, in theory, lead to differences between image hashing which must be accounted for.

The forensic professionals know this already but for sysadmins and the curious this is probably one key part that isn’t nearly as “sexy” as image capture and content analysis itself.  It must however be kept in mind.

I also found that the NIST IT Lab Computer Forensics Tool Testing Program has issued a January 2009 draft paper on Forensic Media Preparation.  While no results are present, it does provide an introduction to one stage of this, drive sanitization, but doesn’t seem to comment regarding verification of drive health and sector errors in particular.  That particular PDF contains some additional links to other papers on media preparation and sanitization that might be worth looking into.

Maybe it isn’t as practical an issue as it seems, but to my unlearned perspective I’m thinking it is something that is addressed at some point in forensic media preparation and usage.

Closing Comments

I still really like the idea of what Windows FE disk builds bring to the table.

Aside from their use to forensic investigators, they could also be deployed by system administrators in mission-critical responses where undisturbed capture of information/data off a target disk must be done delicately and in place without risk of over-writing said information, servers for example.  I can think of a number of cases where this application would be perfect for a Win FE disk and where removal of the target drive or use of a physical write-blocker would be impractical. And “forensic soundness” would be a non-issue.

I’ve learned very early on in IT, that one can never have enough tools, utilities, or options when serving and supporting systems.  Familiarity with the tools and how they work brings more options in responding to particular events and scenarios.

That gets back, full-circle, to the idea that everyone, sysadmins and forensic examiners alike, need to fully understand and validate just what the tools they depend on are doing.  Only in this manner can they successfully defend positions on observations made and actions performed with those same tools.

Most of my Win PE building disks will still be set to allow read/write access to attached storage devices, but now I am well versed in the options that my (now also always present) Win FE disk offers me, and how to make Win FE disks in particular.

Special words of thanks to the friends and professionals who have taken the time to elaborate and expand on my questions and Win FE posts.  You have my gratitude and respect.

--Claus V.

Blocking IE 8 "InPrivate" Mode – Updated

It’s been a while since my post Blocking IE 8 "InPrivate" Mode.

In that post I looked at how IE8’s “InPrivate” web-browsing mode could be blocked or disabled.

It could be done either via Active Directory policy, or via a registry key.

The registry key technique should work fine for both home and business users interested in it.

I had tested it with a beta version of IE8 in XP, and surmised it should work on Vista, but never got around to validating.

Then I got the following comment the other week on that post:

Hi Claus, we use Vista Home Premium 32 bit and I cannot locate group policy. If I want to disable InPrivate browsing, can I do that by editing the Windows Registry alone?

Yes.  This registry key “fix” does successfully work on Windows Vista as well as Windows 7 just fine to prevent access (block) InPrivate mode in Internet Explorer 8.

"InPrivate" Enabled

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000001

"InPrivate" Disabled

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000000

In case it isn't clear, I exported the "Computer Configuration" registry key as shown above to indicate the specific key and value needed.

Note that on most home systems the Registry key I mentioned might not exist. So here is the quick and (fairly) safe way to do it.

Right-click on your desktop and select "New"..."Text Document".

You should see one appear on your desktop.

Rename it to something like "IE8SafeMode.reg"  (Note I changed the file extension from .txt to .reg)

Save the change and tell Windows you know you changed the file extension name. OK.

Right-click on the file you just made and select "Edit".

It should open in notepad.

Copy the following text (all three lines) and paste it into that Notepad file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000000

Save the file and then close it.

When you double-click the file it will ask you if you want to add those changes into the Registry. Select Yes.

Then reopen IE8 and you should now have InPrivate mode disabled.

To enable it again, just re-modify your file so the last number on the last line is a "1" and not a "0".

Save the file and run it and say "Yes" to add the info to the registry again.

If this doesn't work, then it is likely your account doesn't have sufficient administrator level permissions to make those changes...

As always, making changes in the Windows Registry carries risks, up to and including nuking your system. However these steps do work on my system fine. Proceed at your own discretion.

Note that InPrivate browsing is disabled by default on systems where Windows One-Care or Windows Family One-Care has been installed, or if “Parental Controls” settings have been applied to the account.  In those cases, use of the registry keys to “enable” blocked InPrivate mode will be ignored and InPrivate mode cannot be enabled.  Conversely, parents wanting to harden the blocking of this mode in IE8 may want to look into those products.

--Claus V.

A “Suddenly it’s Sunday” Linkfest

Been a chill weekend.

Lavie has been lovingly concerned that I’ve been burning the candle at both ends at work this past week.  She’s pretty correct on that front.

So this weekend I was told in no uncertain terms that I had better relax.  So, uncharacteristically, Saturday found me in my jammies all day long, and mostly in bed; cranking out the past two blog posts and Jonesing on Turner Classic Movies.

Sweet.

Today I paid the price a bit having more catch-up work on the regular household chores, but even Alvis said she hadn’t seen me acting so embarrassing for a long time. (That’s a good thing for me, a bad thing for her.)

So as the girls close out the night (and Spring break) with a round of Jeff Dunham on Comedy Central (they haven’t stopped laughing yet)…I’ve got one more post of assorted links culled from the past two weeks.

Enjoy:

  • Springboard Series Virtual Roundtable: Windows 7 - To the Beta and Beyond – Microsoft hosts a Q&A session with a number of their pros, including Mark Russinovich.  If you don’t have time to spare, read this abbreviated transcript that covers all the major points of the Windows 7 discourse.

  • Engineering Windows 7 : Designing Aero Snap – I found this Microsoft post fascinating as it showed the degree of research and design in conceptualizing and working to delivery of this feature.  Neat stuff and really hard to ‘get right’.

  • Network Monitor 3.3 Beta Available – New version (beta) has been released of Microsoft’s network capture and monitoring tool. Jump the link to get the details on the improvements. While it isn’t near the top of my network capture tool list, I still keep it installed in case I need a “second opinion” on captures.

  • NetworkMiner follow up « SANS Computer Forensics, Investigation, and Response – I do like NetworkMiner for capture analysis and this post highlights an odd (but logical) issue; that sometimes network captures could be filtered by your A/V product and provide an incomplete picture of what is going on.  It’s good to know your tools and what to expect them to provide. This way you can spot when something deviates and needs to be examined more closely.

  • 4sysops - Windows 7 multiple active firewall profiles – Michael drops a great find: Windows 7 firewall brings more granularity to rules.  Specifically he has found that you can assign a different firewall rule to each NIC device on a system.

  • A sneak peek at the Windows 7 Release Candidate | Ed Bott’s Windows Expertise – More Windows 7 feature and screen-shot p0rn.

  • Windows 7 to officially support logon UI background customization - Within Windows – Finally, (almost) native support for changing the Logon background graphics.  Yes you can already do this with Vista and XP but you have to go on the down-low to pull it off.  Windows 7 looks to be much easier to do this.  Prepare for corporate logos on Windows 7 business deployments!

  • Sysinternals Site Discussion : Updates: Process Monitor v2.04, TCPView v2.54, VMMap v1.02, Testlimit v5.01, and Notmyfault – Updates, get ur updates! My picks below:

      Process Monitor v2.04: This update shows file mapping operations in basic mode, adds more translations of error numbers to text, fixes a bug that limited support for more boot log files larger than 4GB, and displays version numbers using the same formatting as Windows.

      TCPView v2.54: Fixes bugs that prevented the display of IPv6 TCP endpoints and the correct display of IPv6 UDP endpoints

      VMMap v1.02: Now shows all image subsections, even if they reside within the same allocation region. It also fixes a bug in image name sorting and makes the UAC elevation smoother on 64-bit Windows.

  • I don’t know what I would do without Nir Sofer and his wonderfully targeted utilities.  He has been hard at work updating oldies-n-goodies, as well has delivered a new tool that has now created a load of reorganizing work on my business system.

  • NirBlog: Utilities updates for this week

    • RegDllView, InstalledCodec, IECacheView: Added 'Explorer Copy' option - Allows you to copy the selected files and then paste them into a folder in Explorer.
    • FileTypesMan: Added support for creating and deleting file extensions.
    • WirelessKeyView: New and safer method to extract the wireless keys of the local machine. Starting from this version, WirelessKeyView uses a new method that extracts the wireless keys without any code injection. Fixed bug - In Vista, if WPA-PSK key contained 32 characters, the key was not displayed in Ascii form.

  • NirBlog: Latest utilities updates in NirSoft

    • AlternateStreamView and ResourcesExtract: Added support for choosing SubFolders depth in scanning.
    • SearchMyFiles:
      • Fixed bug: Base folder combo-box limited the number of characters that you could type.
      • Added option to save/load all search option to .cfg file.
      • Added 'Explorer Copy' option - Allows you to copy the selected files and then paste them inside a folder of Windows Explorer.
      • Added 'Open With' option.
      • Added option to choose the subfolders depth to scan.

  • NirBlog: Extracting multiple attachments from Outlook with OutlookAttachView

    • OutlookAttachView utility can help you do that. It displays the list of attached files in your Outlook's mailbox, and allows you to easily select all attachments that you need, and then extract them into a folder that you choose.  A fast update brought with it a bug fix “that caused OutlookAttachView to fail on scanning sub-folders under main Outlook folders.
      Also added 'Folder Path' column that displays the full path of the folder (For example: Personal Folders\Inbox\Bug Reports).”

When I ran the last tool, Outlook Attach View against my Outlook PST file, it found over 6,000 attachments embedded in there.  Despite my efforts over the past two years to strip out all attachments and file them in “real” system folders, there obviously were lots that pre-dated that period.  It works fantastically. Nir has outdone himself with this one!  In addition, Nir has fixed some key bugs in his Outlook .NK2 viewer to now properly handle some unusual field populations.

  • Mark Minasi’s Newsletter #76:  Solving Windows "driver is not signed" problems – Mark outlines how to “sign your own drivers” for Windows 64-bit OS systems.

  • FizzBin - The Technical Support Secret Handshake - Scott Hanselman’s Computer Zen – Scott ponders a “secret codeword” that lets on-line tech support staff know you are a member of the professional IT geek society and can dispense with the “noobie” level of conversation.  The comments are almost better than the post.  Just last week we had a tanked wireless card.  We had troubleshooted it on the user’s system, on a “clean” test-bed system, and then finally repeated on both systems (successfully) with a “known-good-device” that worked perfectly on both systems.  The trouble followed the card.  When we finally got to the company’s tech-support, they wanted to follow the flowchart all over again from square one.  We wasted almost an hour patiently re-working our days of efforts.  Eventually he decided the card must be bad and then authorized a RMA.  Sheesh.

  • On my XP systems I swear by the file-copy performance Supercopier brings.  It lets me jockey files all over the place with speed much higher than Windows offers natively.  However it doesn’t seem to work on my Vista systems.  So I have been playing with TeraCopy and FastCopy. While neither one seems to offer the integration I get from Supercopier in XP systems, they both seem moderately better than Vista’s file-movement native speeds.  Anybody have any other recommendations for a replacement high-speed file copy/move tool on Vista?

  • 300447 Computer Forensics Workshop - Media Preparation And Copying ... (PDF) – Great lecture presentation from a Down Under Aussie Derek Bem on computer forensics.  I found this while digging up tips on using dd for an earlier post.  It’s great stuff and provides a very good overview of tools and techniques specifically in dealing with media.  Download and file this gem away after reading it carefully. Plan to spend some time poking around the Computer Forensics page for the University of Western Sydney that hosts this material. Of particular note are the Interesting Links page and the Online Materials.  Both are chock full of wonderful material.  I so wish my university had offered a degree plan like the one offered there.  Oh how things could have been different…   See also: Lecture 01-Computer-Forensics 30047 notes.  Additional lecture notes can be found here.

  • Forensic Investigation, Analysis, Documentation, and Law – (PDF) - Great SANS paper that covers more ground in the forensics field.  Again, probably nothing that forensics specialists don’t already know, but good stuff for sysadmins who need to interface with them.

  • Microsoft PowerPoint - DD in Windows Forensic - (PowerPoint) – Another good source of material I found while working on my “dd” usage.  Download this one and tuck it away! I also found more useful material on this firewall forensics.pdf page.

This should keep you busy for a bit!

Cheers!

Claus V.

Windows FE: Forensically Sound?

Do mine ears hear a challenge?

Windows FE has been gaining a bit of attention lately across the forensic blog-o-sphere.

My primary interest in Windows PE, as well as a secondary interest in Windows forensics (as applied to sysadmin tasks), got me digging for more details on this rare object.

Eventually I pulled out enough information to make the following GSD post:

Turns out it has become popular in its own right and has been cross-linked at a number of other blogs.

As I have been reading these other posts with enjoyment, I’ve noticed the following comment made on many of them, including on my own post.

Windows FE is not a "forensically sound" Windows boot disk. You can prove this by booting any non-Windows system with Windows FE and take a hash of the drive(s) before and after booting with Windows FE.

At the time I didn’t have the opportunity to test this statement out, or research what was going on that made Windows FE builds not able to write to the booted system’s physical storage devices.

My response to the comment was open and respectful:

@ ForensicSoft - No, I was not aware of the claim that Windows FE still modifies the system even when "read-blocked" with the required registry tweaks.

Is this only for "non-Windows" system off-line booting or does it apply also to Windows system off-line booting?

I haven't had the time to build my own Win FE boot disk, but it's on my considerable "to-do" list.

I'll have to take your advice and run a hash test as you suggest.

Thank you for sharing.

Forensics specialist DC1743, over at his Forensics from the sausage factory post Windows FE saves the day with a Dell Inspiron 530, made a much more focused response:

It is easy to take issue with sweeping statements.

Windows FE may write a disk signature to a partitioned disk, if the disk does not already have a signature. The disk signature starts at 0x01B8. The partitioned space—volumes—are not written to.

The read-only switch in Diskpart also writes a byte to the hard drive that makes that hard drive read-only to Windows.

For these reasons the whole device hashing approach may result in differing hash values - however this behavior does not necessarily make the use of Windows FE forensically unsound.

Finally, John Sawyer posted a followup article to an earlier Windows FE post, also expressing some openness to the idea that maybe Windows FE might not be as forensically sound as claimed:

Tool Validation: Trust, But Verify - Evil Bytes Blog - Dark Reading

I received a lot of great feedback after my Friday post about WinFE, the bootable Windows Forensic Environment. The biggest question was whether it really is treating the drive as read-only. In my closing, I said I'd do more testing than just building the CD and making sure it booted up in my virtual machine environment. As security professionals and forensic investigators, don't you all validate your tools before using them?

By this time I was in enough doubt about whether Windows FE (when properly built) really left the physical drive it was used on unchanged that I actually posted a comment about that doubt on a fresh Windows FE blog post by Liquidmatrix Security Digest: Shattered Dreams… and a welcome community.

As soon as I hit “Comment” I knew I had to stop and validate, or risk the error of spreading false information if not borne out.

So I decided to do an admittedly limited pair of tests to see if I could validate the original claims.

The Claim and Test Methodology

The claim itself against Windows FE easily defines the tested goal:

Windows FE is not a "forensically sound" Windows boot disk. You can prove this by booting any non-Windows system with Windows FE and take a hash of the drive(s) before and after booting with Windows FE.

So here were my goals:

  1. Build my very own Windows FE “forensic environment” boot disk based on Win PE 2.0.
  2. Prep a target Windows system to be used as the focus of my “incident” test.
  3. Use a forensic (non-Windows based) LiveBoot CD to “off-line” boot the target system and obtain an MD5 hash of the physical hard-disk.
  4. Use the Windows FE boot disk to “off-line” boot the target system and obtain an MD5 hash of the physical hard-disk.
  5. Reuse the same boot-disk in Step 3 to re-hash the target system one more time (to see if the Win FE boot changed the drive).
  6. Compare results.
  7. Sanitize (zero-out all sectors) of the target physical system used in Step 2.
  8. Install a “non-Windows” operating system on the target system’s physical drive.
  9. Use a forensic (non-Windows based) LiveBoot CD to “off-line” boot the target system and obtain an MD5 hash of the physical hard-disk.
  10. Use the Windows FE boot disk to “off-line” boot the target system and obtain an MD5 hash of the physical hard-disk.
  11. Reuse the same boot-disk in Step 3 to re-hash the target system one more time (to see if the Win FE boot changed the drive).
  12. Compare results.

If at the end of steps 6 or 12 I find that a different MD5 hash has been generated, then Windows FE fails and the claim that “booting any non-Windows system with Windows FE” changes the drive is correct.

If they pass, then, to the extent of these particular tests, the statement is false.

The Test: Step 1

Following exactly the information on building a Windows FE disk that I found and posted in my previous Windows FE post, in no time flat I had quickly and easily prepared and burned my Windows FE disk.  Note: my version was built on the Vista SP1 WAIK version.  Use of a different version may provide different test results.

In preparing the disk, I also included George M Garner Jr.’s Forensic Acquisition Utilities, as I would need a tool on there (dd.exe) to calculate the MD5 hash once booted into Windows FE.

As a fairly experienced Win PE builder, I found this simple to build, including making the two registry changes needed (as claimed) to prevent write-back access to the physical drives of the booted system.

5. In regedit, go to the HKEY_LOCAL_MACHINE\winfesystem\ControlSet001\Services\MountMgr key, and if the NoAutoMount dword does not exist, create a dword named "NoAutoMount" with a setting of 1. If the key already exists, change the setting to 1 if it is any other value.

6. Next, go to HKEY_LOCAL_MACHINE\winfesystem\ControlSet001\Services\partmgr\Parameters and change the SanPolicy setting to 3. (If the Parameters key does not exist, create it.) At this point, the registry in the mounted .wim file is set to boot and operate without mounting volumes or modifying media.

The rest is just standard Win PE building stuff.  More on why those two registry tweaks are so critical later…

Disk in hand I was ready for the next steps.

Target System Prep: Windows OS

I selected a standard Dell Optiplex 745 business-class system that has dual cores, 1 GB RAM, and a single SATA 80 GB drive.

I booted the system with one of my many Win PE boot disks.

I then ran DISKPART, selected DISK 0, and ran the CLEAN ALL command which, as documented, zeros out all the sectors of the focus drive.

For good measure, I then used one of my many sector viewers to inspect the disk to verify there was nothing left and it was zeroed out.

I then used DISKPART to create a primary partition, set it active, assign a drive letter and format it under NTFS.

I then applied a standard machine XP Professional image using ImageX, booted the system when done, completed the sysprep process and got it in a “usable” state.

I shut the system down.

Ready for Windows OS system hashing! 

I next needed to take an MD5 hash of the Windows system using a non-Windows FE boot disk.

There are lots of great and freely available Linux forensic-focused boot CDs to use for this task. In the end I chose to play with DEFT (Digital Evidence & Forensic Toolkit), which is a Xubuntu Linux-based computer forensics live CD.  The more I use it the more I find stuff to like.  I used the DEFT version 4 beta build for my tests.

Using a CD-tray needle, I opened the CD tray door and placed the DEFT boot CD in it (to avoid any possibility of accidentally getting the Windows OS loaded) and booted the system.

Once booted and the DEFT-GUI loaded, I used their Dhash GUI tool to generate an MD5 hash of the physical hard drive, reported by DEFT as sda.  (Dhash reference links: Dhash - DEFT wiki, Dhash - DEFT Linux, and Dhash 1.1 DEFT Linux)

I captured the following MD5 hash:

4e3efe13706b83007770035d0829589e

I shut the system down, inserted the Windows FE disk and rebooted the system.

Once up on the CMD window, I used DISKPART to verify I could see the physical drive (I could) and then browsed into the Win FE disk’s \WinFE folder I created and put the FAU tools into.

I used the dd.exe tool with the following command: (Note: both George M Garner Jr.’s FAU documentation as well as these dd.exe tips from Alexander Geschonneck helped me.)

dd.exe -v if=\\.\PhysicalDrive0 of=NUL --cryptsum MD5

When completed it outputted the following MD5 hash:

4e3efe13706b83007770035d0829589e

I then shut down the system and again rebooted with DEFT LiveCD and used Dhash to rehash the drive one more time to verify Win FE hadn’t changed/modified the physical drive.

4e3efe13706b83007770035d0829589e

It had not.

Test Observation #1

Based on this test, it appeared clear to me that when properly built, a Windows FE boot disk did not modify the physical hard-drive contents of a Windows-based OS system on that drive.

So far so good, but that isn’t being challenged in the comments.

Recall, the comment poster claimed that the non-forensics issue is found “…by booting any non-Windows system with Windows FE…” (emphasis mine).

On to test challenge stage 2.

Target System Prep: Non-Windows OS

Using the same test system Windows was loaded onto, I booted the system with one of my many Win PE boot disks.

I then ran DISKPART, selected DISK 0, and ran the CLEAN ALL command which, as documented, zeros out all the sectors of the focus drive.

For good measure, I then used one of my many sector viewers to inspect the disk to verify there was nothing left and it was fully zeroed out.

This time I needed to install a non-Windows system on the drive.  For this I chose the Linux-based forensic CAINE Live CD.  I’m also finding a lot to like in this forensics distro as well.

It has an option to do a local install, which I selected.  During the setup process I created an ext3 partition as well as a swap partition.

When done I booted into the system proper, off the hard-disk, mucked around a bit to generate hard-drive changes, and then shut the system down.

Ready for non-Windows OS system hashing! 

I next needed to take an MD5 hash of the CAINE non-Windows (Linux) system using a non-Windows FE boot disk.

I again used the same DEFT live CD.

Using a CD-tray needle, I opened the CD tray door and placed the DEFT boot CD in it (to avoid any possibility of accidentally getting the CAINE system loaded) and booted the system.

Once booted and the DEFT-GUI loaded, I used their Dhash GUI tool to generate an MD5 hash of the physical hard drive, reported by DEFT as sda.

I captured the following MD5 hash:

71649687fa1f7b64462da2d6ac6c7bee

I shut the system down, inserted the Windows FE disk and rebooted the system.

Once up on the CMD window, I used DISKPART to verify I could see the physical drive (I could) and then browsed into the Win FE disk’s \WinFE folder I created and put the FAU tools into.

I quickly used the dd.exe tool with the following command:

dd.exe -v if=\\.\PhysicalDrive0 of=NUL --cryptsum MD5

When completed it outputted the following MD5 hash:

99de7237675a4f61ee529e3d74173391

Oh my gosh!

The Windows FE disk did appear to now issue a different hash on the drive by booting a non-Windows OS with it.

Could it be true after all?

A Pregnant Pause of Silence and Study

I then shut down the system and again carefully rebooted with DEFT LiveCD and used Dhash to rehash the drive one more time to verify Win FE had indeed changed/modified the physical drive.

71649687fa1f7b64462da2d6ac6c7bee

Amazingly, that was the same MD5 that I captured from DEFT pre-Windows FE boot.

I shouldn’t have gotten that if Windows FE had changed the disk.

Something was up.

I shut down and rebooted again with Windows FE.

I paid closer attention this time as I re-ran the dd.exe MD5 hash.

dd.exe -v if=\\.\PhysicalDrive0 of=NUL --cryptsum MD5

This time, I noted that before it started the hashing, it was waiting for a response from me on whether I wanted (Y/N) to apply the “conv=noerror” parameter first.

I have to confess I didn’t notice that before.

I referred back to George M Garner Jr.’s Forensic Acquisition Utilities documentation page and specifically the part about dd.exe as follows below under “Specific Remarks #7”:

The default block size for DD is 1 MiB.  The handling of “bad blocks” (“conv=noerror”) is new.  Traditional versions of DD skip “bad blocks” in increments equal to the block size.  If the block size is larger than the sector size of the device, data will be lost.  The alternative is to set the block size equal to the device sector size.  But that is usually quite slow.  The new version of DD uses the specified block size until a “bad sector” is encountered, at which point the block size drops back to a value equal to the device sector size.  The larger block size is resumed once the “bad block” is passed, until the next “bad block” is encountered.

Ah!

The first time on the non-Windows OS test in Win FE I now recall answering “N” and thus got the hash 99de7237675a4f61ee529e3d74173391.

This time I answered “Y” to use the “conv=noerror” option.

I captured the following MD5 hash:

71649687fa1f7b64462da2d6ac6c7bee

Same as the original pre-Windows FE boot hash obtained using DEFT.

For good measure I then shut down Windows FE, and rebooted with the DEFT LiveCD one more time and Dhashed sda one more time.

And I captured the following MD5 hash:

71649687fa1f7b64462da2d6ac6c7bee
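The block-size fallback that Garner’s remark #7 describes, and why a hash taken after answering “N” to conv=noerror can differ from the DEFT one, as an added simulation that is not FAU’s code and not part of the original post: a constructed in-memory “drive” with one unreadable sector is hashed three ways and compared with a sector-accurate reference. Assumed: sizes scaled down (4 KiB blocks instead of 1 MiB) and the zero-fill (conv=noerror,sync) convention for sectors that cannot be read.

```python
import hashlib

# Constructed sizes: real disks use 512-byte sectors; FAU dd's default block is
# 1 MiB, scaled down to 4 KiB here so the example stays small.
SECTOR = 512
BLOCK = 4096


class FakeDevice:
    """Constructed stand-in for a physical drive (think PhysicalDrive0): an
    in-memory image plus the set of sector numbers that fail to read."""

    def __init__(self, image: bytes, bad_sectors):
        self.image = image
        self.bad = set(bad_sectors)

    def read(self, offset: int, length: int) -> bytes:
        # Like a disk controller, a multi-sector read fails if any sector in it is bad.
        first = offset // SECTOR
        last = (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError("read error in sectors %d-%d" % (first, last))
        return self.image[offset:offset + length]


def dd_stop_on_error(dev, size, bs=BLOCK):
    """Answering 'N' to conv=noerror: dd aborts at the first failed read, so the
    digest covers only the bytes read before the error. Returns (md5, bytes_hashed)."""
    h = hashlib.md5()
    off = 0
    while off < size:
        n = min(bs, size - off)
        try:
            h.update(dev.read(off, n))
        except OSError:
            break
        off += n
    return h.hexdigest(), off


def dd_noerror_block_skip(dev, size, bs=BLOCK):
    """Traditional conv=noerror,sync: a failed block is zero-filled as a whole, so
    the good sectors inside it are lost with the bad one. Returns (md5, bytes_lost)."""
    h = hashlib.md5()
    lost = 0
    off = 0
    while off < size:
        n = min(bs, size - off)
        try:
            h.update(dev.read(off, n))
        except OSError:
            h.update(bytes(n))
            lost += n
        off += n
    return h.hexdigest(), lost


def dd_noerror_sector_fallback(dev, size, bs=BLOCK):
    """The behaviour Garner's remark describes: read in large blocks; when a block
    fails, drop to sector-sized reads so only the bad sectors are zero-filled
    (assumed ,sync convention), then resume large blocks. Returns (md5, bytes_lost)."""
    h = hashlib.md5()
    lost = 0
    off = 0
    while off < size:
        n = min(bs, size - off)
        try:
            h.update(dev.read(off, n))
        except OSError:
            end = off + n
            while off < end:
                m = min(SECTOR, end - off)
                try:
                    h.update(dev.read(off, m))
                except OSError:
                    h.update(bytes(m))
                    lost += m
                off += m
            continue
        off += n
    return h.hexdigest(), lost


def reference_md5(image, bad_sectors):
    """What a sector-accurate imager should produce: every readable byte, bad sectors zeroed."""
    buf = bytearray(image)
    for s in bad_sectors:
        buf[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)
    return hashlib.md5(buf).hexdigest()


# Constructed 16 KiB "drive" (32 sectors) with one unreadable sector in the second block.
IMAGE = bytes(range(256)) * 64
BAD = {13}
DEVICE = FakeDevice(IMAGE, BAD)


def run_comparison():
    size = len(IMAGE)
    return {
        "reference": reference_md5(IMAGE, BAD),
        "stop_on_error": dd_stop_on_error(DEVICE, size),
        "block_skip": dd_noerror_block_skip(DEVICE, size),
        "sector_fallback": dd_noerror_sector_fallback(DEVICE, size),
    }


if __name__ == "__main__":
    for name, value in run_comparison().items():
        print(name, value)
```

Only the sector-fallback pass reproduces the reference digest; the other two differ, which is the kind of mismatch that can look like a write-blocking failure when it is really an acquisition-side difference.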

Windows FE Experiment Conclusions

Based on my specific system and configuration testing validation, I can comfortably make the following statements:

  1. When properly booted and used, the DEFT forensic LiveCD does not appear to modify or change the physical hard-drive of a Windows-based OS.
  2. When properly created, booted, and used, a Windows FE (PE 2.0 Vista SP1 base) forensics LiveCD does not appear to modify or change the physical hard-drive of a Windows-based OS.
  3. When properly created, booted, and used, a Windows FE (PE 2.0 Vista SP1 base) forensics LiveCD does not appear to modify or change the physical hard-drive of a Linux-based non-Windows OS.
  4. When properly booted and used, the DEFT forensic LiveCD does not appear to modify or change the physical hard-drive of a Linux-based non-Windows OS.

Granted, this was one series of tests, on one particular hardware system configuration, using XP Professional and Linux OSes.  Other non-Windows OSes and/or hardware configurations might produce different results.

But it looked good for me.

While I am not a forensics investigator, just a sysadmin in the trenches, Windows FE seems to sufficiently answer my questions on whether or not it can off-line boot a system without making changes to the storage media (hard-drive) of the system.  It can.

Forensics examiners and investigators who give legal testimony when using Windows FE could and should perform similar independent testing to validate their particular system/OS combinations first.

The Rest of the Story.

All this was a lot of geeky fun for me.

I haven’t used the commercial forensics tool in question noted in the comments as being “..the only forensically sound write-blocked Windows boot disk in existence.”

It might indeed be a great and fantastic product.  I haven’t used it so I can’t say, particularly for real forensics usage.  I can understand why they would be proud of their product and all the efforts they have put into development.  I can’t blame them for wanting to share their pride with others, and differentiate it from other forensics products.

But like forensics specialist DC1743 said, the comment claim was a pretty sweeping one.  And it didn’t hold true in my test.

The commenter issued a challenge to test their statement for accuracy.  I did, and found it a bit wanting after test validation.

As I mentioned before, John Sawyer hit it on the head when he reminded all forensics experts (and lowly sysadmins as well) that we all have a duty to test the tools we use. Tool Validation: Trust, But Verify - Evil Bytes Blog - Dark Reading

Fortunately for all of us, there are a lot of fantastic forensic tools out there to pick from, commercial ones and non-commercial ones alike.  Each has its own set of strengths and weaknesses.

The Two Keys of Windows FE

This whole exercise wasn’t enough, however.

I wanted to see if I could find a bit more information on the particular (and only) registry keys that were modified in building the Windows FE disk and what differentiated them from a regular Windows PE disk.

Turns out there just isn’t a lot of public documentation on these keys, but I did find some juicy bits anyway.

(Note: SAN stands for “storage area network” in these cases.)

HKEY_LOCAL_MACHINE\winfesystem\ControlSet001\Services\MountMgr key, and if the NoAutoMount dword does not exist, create a dword named "NoAutoMount" with a setting of 1

By default, this control setting tells the storage mount manager (when booting a system) to add and automount storage disks to the system. From the second link noted above:

The SAN policy determines whether a newly discovered disk is brought online or remains offline, and whether it is made read/write or remains read-only. When a disk is offline, the disk layout can be read, but no volume devices are surfaced through Plug and Play (PnP). This means that no file system can be mounted on the disk. When a disk is online, one or more volume devices are installed for the disk.

This enumeration supersedes the NoAutoMount registry key, which can be found under the following registry path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Mountmgr\NoAutoMount

The value of this key is a REG_DWORD value that is set to 0x00000000 to enable the Windows automount feature or a nonzero value to disable it. If the automount feature is enabled, Windows automatically mounts the file system for a new basic volume when it is added to the system and then assigns a drive letter to the volume. In system area network configurations, disabling automount prevents Windows from automatically mounting or assigning drive letters to any new basic volumes that are added to the system.

…and as described in “normal language” as provided by David Shen –MSFT in the third link above:

We can verify the status of Automatic mounting of new volumes by looking at the value of the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MountMgr\NoAutoMount

If the value is set to 1: This indicates that Automatic mounting of new volumes is Disabled.

If the value is set to 0: This indicates that Automatic mounting of new volumes is Enabled.

Now for the second key.

HKEY_LOCAL_MACHINE\winfesystem\ControlSet001\Services\partmgr\Parameters and change the SanPolicy setting to 3

This key appears to control how the Windows system processes the partition manager configuration when loading the system and any SAN (storage area network) devices it finds while booting.

From the first link:

  1. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PartMgr

  2. In the details pane, examine the value of the Start registry entry. To start PartMgr when the computer starts, this value must be 0x00000000.
  3. Exit all programs, and then restart the computer.
Note: The following table lists the service startup types that are available in Windows.

Startup type    Hexadecimal value
Boot            0x00000000
System          0x00000001
Automatic       0x00000002
Manual          0x00000003
Disabled        0x00000004

Typically, device drivers are set to use a startup type of Boot or System. Typical Windows services are set to use a startup type of Automatic or Manual.

And from the second link:

The functionality of Storage Area Network (SAN) enables a server to mount disks and other storage devices automatically from other computers.

By configuring the SAN policy on a Windows image, you can control whether or not disks are automatically mounted, which disks can be mounted, and you can disable automatically mounting disks.

Configure the SAN policy on Windows PE

For Windows PE images that are available in the Windows OPK and the Windows AIK, the default SAN policy is to mount available disks automatically. This might reduce the performance of Windows PE if there are many available disks in the SAN environment.

SAN policy number    Description
1                    Mounts all available storage devices. This is the default value.
2                    Mounts all storage devices except those on a shared bus.
3                    Does not mount storage devices.

This is getting deeper than the typical Windows OS sysadmin waters I swim in, so I’m open to hard-core Windows OS registry pros to correct me or provide additional supportive explanation on what’s going on here.

But basically, it seems based on these links, that by making the registry changes specified when building the Windows FE disk, it prevents the automounting of attached storage media (disks) to a system during the Windows (PE/FE) boot process, and forces any mounting that needs to occur to be done manually (by the system operator).

If this is correct, and these two Windows Registry keys are set correctly, then it seems that in most cases, the Windows PE (FE) OS boot shouldn’t care what OS is loaded on the system and the drives remain unmounted and unattached from the Win PE (FE) boot OS system.

You can see them and browse them, but they remain “unmounted” devices and not accessible unless manually attached and mounted to the Win PE (FE) system using DISKPART.

Or so it seems.

Whew.

Who knew testing and validation could be so educational and fun!

Cheers and best regards to all computer forensics developers and expert examiners alike!  My late grandfather (retired F.B.I. Special Agent) would be proud of your collective efforts.

I know I sure am.

--Claus V.

GSD How To: Dual Boot Windows 7 on Vista via VHD file

I love and depend on virtual machines to test software and system configurations.

In most cases, it is sufficient for my testing purposes.

One drawback of this is that it isn’t a “true” test of the operating system’s performance since the hardware used is being virtualized via software.

There are lots of guides around the net as well as utilities that can assist you in configuring a system to “multi-boot” different OS versions off the hardware, but these can be a bit challenging to set up for average folks.

Recently, while I’ve been playing with Windows 7 Beta in Virtual PC 2007 sessions, I’ve been itching a bit more to try the performance on real hardware, but I haven’t wanted to commit to wiping one of my systems entirely clean first.  Nor did I want to fuss with a pure Vista/W7 “dual-boot” configuration as they traditionally are done.

Instead, I knew that Windows 7 brings with it an exciting new feature, that is perfect for this particular case; it supports booting a system from a VHD file.

However, I’ve got a slight issue.  Windows 7 uses updated bootloader files to make that happen.  Windows Vista uses similar files, but those versions don’t support VHD booting.

I don’t want to install Windows 7 to be able to boot a VHD of Windows 7; that kind of defeats the intended purpose for me.  Most all the guides on doing this only describe how to pull it off that way. No, what I want to do is to keep my local Vista install intact, and somehow boot into a VHD of Windows 7…thus running it “live” on the real system hardware instead of on virtualized hardware.

Can it be done?

Yep.

I’ve had to pick at a number of posts to spin this thing together.  Credits for source material in all their fantastic goodness at the post end but up front, prime props and hat tips go to Aviraj Ajgekar and Adrian Kingsley-Hughes. I’ve copied some of their steps because they were so good, I had little to add.

You will need a couple of things first:

Ensure you have a copy of a Windows 7 beta setup DVD handy. You can use the ISO file itself to get started however you will need the burned DVD at some point.

I also found it helpful to use my WinPE 3.0 custom boot disk.  This is optional, but could be handy.

And you will need a Vista-installed system.

Warning: proceed at your own risk. You might tank your Vista system if this is not performed correctly.  I recommend practicing on a Virtual PC VHD with a Vista install first a few times.  What has worked fine for me on my system might be an issue for you. The screen shots included in this post were obtained from a walkthrough of these steps as performed in a Virtual PC session with the free Microsoft Vista IE App Compat VHD as the primary OS.

Step One: Extract the key Windows 7 system boot files.

We need two key files from a Windows 7 system to get things started on our Vista system.

They are the BootMgr file located on the root of the Windows 7 system as well as the BCDEdit.exe file from the Windows 7 Windows\System32 folder.

There are a couple methods you can use to get them:

  • from an already installed Windows 7 system,
  • from a virtual Windows 7 installed system,
  • extract them from the Windows 7 DVD/ISO.

The first one is easy, assuming you are running as an “administrator” and have enabled the ability to show hidden and system files, you could just copy them to a USB stick.

The second method is a bit more tricky.  Virtual PC does not support USB devices, so you will have to change the settings to allow it to mount a local “real” system folder, then copy them into there so you can off-load them to a USB stick.

For both of these options you basically can follow the following steps:

From the Windows 7 desktop, open an elevated command prompt with Administrator Privileges and type the following commands.

C:\windows\system32>xcopy /h /y bcdedit.exe f:\   

(Note: In this case, F: is the external USB stick.  /H - Copies hidden and system files.  /Y  suppresses prompting to confirm you want to overwrite an existing destination file.)

C:\>cd\

C:\>xcopy /h /y bootmgr f:\

If you can’t find the second file, even as an elevated admin, you will have to use a Vista or Windows 7 boot DVD to boot the system and then do a Shift-F10 to get a sufficiently elevated command prompt to access it.

The third option is involved, but I found it easy as well.  On your Vista system, use an application that allows you to mount the Windows 7 beta setup DVD ISO as a drive letter.  I used SlySoft Virtual CloneDrive as it is a free and stable tool.

Once the ISO is mounted, you will find the bootmgr file on the root of the drive. Copy it to your USB drive and you should be able to do so using a file manager that has been set to show hidden/system files.

Then using ImageX, go into the mounted ISO directory structure and mount the \sources\install.wim file. 

Once mounted, browse into the folder you set as your mounting folder and look in the Windows\System32 folder for the BCDEdit.exe file.  Copy it to your USB drive.

Then go back and dismount both the WIM file and the ISO file in turn.

Got em both?  Good.

Step Two: Back up the original Vista boot file versions

Now it gets a bit scary.

First you want to make backup copies of the Vista versions on your Vista system:

Boot your Vista system and once on your desktop, open an elevated command prompt with Administrator Privileges and type the following commands.

C:\windows\system32>cd\

C:\>xcopy /y /h bootmgr bootmgr.sav

Press F when prompted (F tells xcopy the destination name is a file, not a directory).

C:\>cd Windows\System32

C:\windows\system32>xcopy /y /h bcdedit.exe bcdedit.sav

Press F when prompted (F tells xcopy the destination name is a file, not a directory).

Step Three: Replace the original Vista boot file versions with Windows 7 versions

Now it gets a bit scary.

We must replace the Vista versions of BootMgr and BCDEdit.exe, which do not support booting from a VHD source, with the Windows 7 versions we copied earlier, which do.

You may use a WinPE 3.0 boot disk or your Windows 7 boot DVD and boot into the Windows Recovery Environment.  This is important, as WinPE 2.0 and the Vista setup DVD don’t have the updated Windows 7 version of DiskPart that we will need.

Insert the USB drive you have copied the Windows 7 versioned files onto into the system as well.

If you use a standard WinPE 3.0 disk, you should be greeted with the CMD window.

If you are using a Windows 7 setup disk then boot the system from the chosen disc. Once the Windows installer is up and running, choose your language and once you’re on the Install now screen, press SHIFT+F10 to bring up a Command Prompt.

Open the Elevated Command Prompt and type the following commands.

C:\>attrib bootmgr -s -h -r

(Note:  in this case C: is the local Windows Vista OS partition, and the attrib command with -s -h -r clears the System, Hidden and Read-only attributes of our target file so that it can be overwritten.)

C:\>e: 

(Note:  in this case E: is our USB stick.  You might need to check to make sure what your USB stick is showing up as.  Note as well that depending on where you copied it onto the USB stick, you might have to add additional file directory information.  The examples below assume both Windows 7 files were copied to the root of the USB stick.)

E:\>xcopy /y /h bootmgr c:\bootmgr

E:\>xcopy /y /h bcdedit.exe c:\windows\system32

image

(Note: in the above screen-shot I took, I made a slight change in the instructions above and had pre-copied the Win7 boot files to a C:\win7 folder on my Vista system.  That’s why those commands vary slightly from the ones provided above.  Adjust accordingly.)

Step Four: Create the VHD file we will be installing Windows 7 into

We are committed now!

Note: Adjust the MAXIMUM value as needed but note, you better have enough free space on your local hard drive to support it!  I would recommend somewhere between 15000 and 25000 to create an (approximately) 15 GB to 20 GB VHD partition to install Windows 7 into.  Choose your VHD location wisely.  I put mine on the local system hard-drive root.

We should still be in the Windows 7 CMD prompt box so type the following commands.

DISKPART

CREATE VDISK FILE = "c:\win7.vhd" MAXIMUM = 20000

SELECT VDISK FILE = "c:\win7.vhd"

ATTACH VDISK

CREATE PARTITION PRIMARY

ASSIGN LETTER = G

FORMAT QUICK LABEL = Windows7

EXIT

This just created the VHD file, with a primary partition, into which we will next install Windows 7.

image

(Note:  In the above example I first tried to assign drive letter = X, but that would not work as X was already assigned as the RAM disk used by the Windows 7 Setup DVD boot.  That’s why I switched to “G” instead!)

Step Five: Install Windows 7 into the VHD file

Type Exit again to get out of the command prompt and return to the Windows 7 installer Wizard.

Continue with the installation steps as normal and when prompted, choose “Custom install” so we can tell it where to place it.

When prompted by the “Where do you want to install Windows” screen, if all is well, you should now find a Disk1 reporting in as Windows7 with free space equal to approximately what you selected for the MAXIMUM amount in the preceding step.

Select that one and continue on.

image

You may see a warning of sorts about Windows7 not being able to be installed to (or boot from) that disk.  Just ignore it and after selection, hit “next” and continue with the installation process.

Step Six: Boot Windows Vista or Windows 7

After you reboot, you should see the Windows Boot Manager prompt you to select Windows Vista or Windows 7 to boot into.

image

Select Windows 7 to boot into your Windows 7 VHD and run off the real hardware.

Select Windows Vista to boot into your original Windows Vista installation.

Cool!

image

Note in the above screen shot, the “primary” hard-disk shows up as drive letter D: with all the files\folders accessible while the Windows 7 VHD file “win7.vhd” becomes the “new” drive C:.

Remediation

I haven’t had to “roll back” to Vista only, but basically you will use the techniques listed here to restore the backup copies of the original Vista boot files you made (you did follow that step, right?) over the Windows 7 versions, after rebooting the system with the Windows 7 DVD again.  You shouldn’t have to reuse diskpart to detach the VHD.

Note also that even though you put the bootmgr and bcdedit.exe files back to the original Vista versions, a reboot will still show Windows7 listed alongside the original Vista install.

To remove that, you will also have to run a bcdedit.exe command (from the Shift-F10 elevated command prompt of either a Vista Setup DVD, a Windows 7 Setup DVD, or a Win PE 2.0/3.0 boot disk).

This is what I did on mine, but you need to be careful it is accurate for yours.

Run bcdedit.exe first to list the entries in the boot configuration data store and figure out which identifier the Windows7 entry is reporting as.  In my case it was {default}.

So to remove Windows7 from the boot configuration data store list I issued the following command:

bcdedit /delete {default}

Rerunning the bcdedit command showed all was back to normal and the Vista boot entry had been updated as the default (and only) OS boot choice again.

A reboot and all was restored to the normal Vista only booting.

Then once you are up and running Vista alone again, delete (if desired) the Windows 7 VHD file you created if you feel you no longer need it.
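A safer way to do that deletion, as an added example that is not from the original post: instead of trusting the {default} alias, list the OS loader entries verbosely, find the one labelled Windows 7, confirm it boots from a .vhd file, and delete it by GUID. It assumes PowerShell 3.0 or later in an elevated session on the booted system, and that the entry’s description is the “Windows 7” label the boot menu shows (override with -Description if yours differs).

```powershell
# Added example (not from the original post): delete the Windows 7 VHD boot
# entry by its GUID instead of the {default} alias, so a misidentified entry
# is never removed. Assumes PowerShell 3.0+ in an elevated session on the
# booted system (bcdedit needs admin rights) and that the entry's description
# is the "Windows 7" label the boot menu shows; adjust -Description otherwise.
function Remove-VhdBootEntry {
    param(
        [string]$Description = 'Windows 7',
        [switch]$Delete            # without -Delete the function only reports
    )

    # /v prints every identifier as a GUID, so the {default}/{current} aliases
    # cannot hide which entry is which; osloader restricts output to OS entries.
    $entries = @()
    $current = $null
    foreach ($line in (& bcdedit /enum osloader /v)) {
        if ($line -match '^identifier\s+(\{[0-9a-fA-F-]+\})') {
            $current = [pscustomobject]@{ Id = $matches[1]; Description = ''; Device = '' }
            $entries += $current
        }
        elseif ($current -and $line -match '^description\s+(.+)$') {
            $current.Description = $matches[1].Trim()
        }
        elseif ($current -and $line -match '^device\s+(.+)$') {
            $current.Device = $matches[1].Trim()
        }
    }

    $targets = @($entries | Where-Object { $_.Description -eq $Description })
    if ($targets.Count -ne 1) {
        Write-Warning ("Expected exactly one '{0}' entry, found {1}; nothing deleted." -f $Description, $targets.Count)
        $entries | Format-Table Id, Description, Device -AutoSize | Out-Host
        return
    }

    $target = $targets[0]
    # Extra guard: the entry built in this post boots from win7.vhd, so its
    # device line should name a .vhd file. Refuse to touch a physical partition.
    if ($target.Device -notmatch '(?i)\.vhd') {
        Write-Warning "Entry $($target.Id) ('$($target.Description)') boots from '$($target.Device)', not a VHD; refusing to delete."
        return
    }

    Write-Host ("Target: {0}  {1}  {2}" -f $target.Id, $target.Description, $target.Device)
    if (-not $Delete) {
        Write-Host 'Dry run only; re-run with -Delete to remove the entry.'
        return
    }
    & bcdedit /delete $target.Id
    if ($LASTEXITCODE -ne 0) { Write-Warning "bcdedit /delete failed with exit code $LASTEXITCODE" }
    else { & bcdedit /enum osloader }   # show the remaining entries, as the post does
}

Remove-VhdBootEntry            # report only
# Remove-VhdBootEntry -Delete  # actually remove the entry
```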

For more tips on the Vista/Windows 7 boot configuration management tool BCDEDIT (as well as an incredible GUI alternative, EasyBCD) see these links:

Additional Reading and Credits

I found the following posts very informative about both the VHD booting support feature of Windows 7 as well as how to apply this to a Vista installed system.  I recommend reading and understanding them first before you set off to follow this post.

They also contain great screen-shots of much of this process, as well as a few variants of the technique I outlined here.  You might find things more clear after reviewing them as homework before live-fire application of this hack.

And once again, I strongly encourage you to try this out on a Vista VHD file in Virtual PC first, to make sure you can follow and successfully pull off these steps.  It’s easy to practice until you are sure of yourself before taking on your “real” Vista installation.

Now get out there and have some fun, and see the difference in system performance between Vista and Windows 7 on your real desktop or laptop system!

Cheers.

--Claus V.

Custom WinPE Building: Post-Script and PE 3.0

I hope everyone enjoyed and found something of interest in the custom PE boot-disk building series I posted recently.

The purpose of that project was to build a Win PE 2.0 based boot-disk, that has a great VistaPE GUI interface (instead of the standard CLI shell) and the PGP WDE drivers injected so I could “liveCD-boot” a PGP WDE system (assuming we have the user’s passphrase).  And it had to handle the Dell GX 7xx series USB keyboard drivers.

However, there were a few extra links and tips that didn’t directly pertain to my focus and I decided to leave out.  You might want to be aware of them so I’m sharing them now.

This thread has a tip in it offered by “ctmag” that claims that, when followed, it resolves the USB keyboard pickup issue in VistaPE builds.

add the following lines at the end of the [Process] section of 04-additional.script


DirCopy,"%BootSRC%\Windows\inf","%TargetDir%\Windows"
DirCopy,"%BootSRC%\Windows\system32\drivers","%TargetDir%\Windows\system32"
DirCopy,"%BootSRC%\Windows\system32\driverstore","%TargetDir%\Windows\system32"
FileDelete,"%TargetDir%\Windows\inf\*.pnf"
DirDelete,"%TargetDir%\Windows\inf\BITS"
DirDelete,"%TargetDir%\Windows\inf\RemoteAccess"

it will need some more space on the disc and also in RAM, but it fixes the USB Mouse/Keyboard issue and it also fixes a bug where when you booted from a USB drive the USB drive was not visible (only the X drive was visible..)

Because I was able to get my USB keyboard issues going with my custom method, and had to do the extra work for PGP driver injection, I never went back to try this out.  If you aren’t messing with PGP drivers and only doing VistaPE building, it might be a faster fix.

Another thing I didn’t do (but aggravates others) is to take out the “Press a key to boot from CD” prompt with the PE boot disk.  I leave it in, as from time to time a technician will leave a boot disk behind in a user’s system and leave the site.  Next time the user boots (if this is removed) they end up on a WinPE or Linux desktop and it confuses the fire out of them.  This check allows the system to continue booting to the main OS if a key isn’t pressed.

However, if it annoys you and you want to just boot directly from the CD to the WinPE environment, then do this:

if you don't want to be prompted to boot from the WinPE 2.0 CD or DVD, delete the bootfix.bin file from the \ISO\boot folder before creating your WinPE 2.0 CD/DVD.

Easy enough.

This new VPELDR file seeks to get around some of the hardware detection and pickup issues the “stock” VPELDR has.  With the exception of the USB keyboard, I’ve not had any issues so I haven’t tried it.  Swapping out the stock for the new one seems to cause other potential issues.  However, if you have a driver that is giving you the blues in WinBuilder/VistaPE building, you might want to try it. Note, VistaPE/WinBuilder 12 will have some new tricks that will surpass this interim tweak, so if things are good-enough, just make a note and leave it alone for now.

Yes.  If you haven’t figured it out by now, WinPE 3.0 is based on the Windows 7 WAIK.  Just like WinPE 2.0 was/is based on the Vista WAIK.

So what I did (being the curious dude I am) was to re-follow all the steps in my custom WinPE building project, even down to the PGP WDE driver injections.

Only this time I used the WIM source file from the Win7 WAIK kit instead.

Everything went smoothly.  No errors at all.

When I was done, I created my Custom WinPE 3.0, PGP WDE injected driver and VistaPE enhanced ISO file.

Worked absolutely-fricken-perfect!

So now instead of a Vista SP1-based WinPE 2.0 custom boot disk tool, I’m now using a Windows 7 (beta)-based WinPE 3.0 custom boot disk tool.

Wicked cool!

How I got the key guts needed for the Windows 7 WAIK PE 3.0 building work and am using them on my XP/Vista systems under the Windows Vista RC1 WAIK install…well it’s not rocket-science, but it will have to remain a post for another day.

Cheers!

--Claus V.

GSD’s Weekly Briefs…the clean ones


cc photo credit Augapfel on flickr

This “Spring Forward” time change is going to eat my lunch tomorrow morning.

OK kiddos.  Here you go.  The GSD Link Briefs of the Week.

Light on comments.  Maybe that will keep em from riding up too much in the tender places…

All must reads for folks doing incident response due to suspected malware.  Lots of great tips and techniques to use.  Each case is different, but having an organized response plan makes these things easier to take apart.

  • Microsoft Malware Protection Center : FakeXPA – The Journey Continues – As noted by Harlan this baddie is pretty interesting.  The Microsoft team picks it apart pretty well with technical information.

  • Ask the Performance Team : Netbooks and Windows 7 – I’ve heard that a PC maker is suing Intel over the “netbook” term as trademarked.  But it does look like W7 design bodes well for good performance even in the hardware challenged arena of netbooks and micro-laptops.  That’s a good thing for older system performance as well.  I like Vista and it seems to run OK on our laptops, but I’m really feeling performance could be much snappier still.  I might get bold and try to dual-boot it with a VHD boot of Windows 7 so I can really get a sense of the true hardware performance it could offer.

  • Ask the Performance Team : The Case of the Unsigned Printer Drivers and .NET 3.5 Service Pack 1 – Not quite as good as a Mark Russinovich special, but still good troubleshooting information.

  • 4sysops - Windows 7’s Problem Steps Recorder – Good peek into this helpful tool for remote troubleshooters.

  • 4sysops - Windows 7 new manageability features – Michael’s got a nice rundown of some more advanced features of W7 that system administrators may be curious to know.

  • NK2View - (freeware) – Nirsoft utility update - View/Delete/Edit Outlook .NK2 AutoComplete Information.  New version supports backup/restore of the file itself.  Something previously not quite possible.

  • Panda USB and AutoRun Vaccine - (freeware) - Panda Research Blog provides a two-stage tool.  Stage one locks down your entire system from auto-run exploit.  Stage two renders any USB drive that the tool is applied to “inoculated” against infection by an auto-play vectoring malware infection.  Read carefully before applying.  Some could be “permanent” (at least without reformatting the removable device).  See also these related AutoRun security posts: Grand Stream Dreams: USB Security: AutoRunGuard, Encryption ..., Microsoft Security Advisory (967940): Update for Windows Autorun (fixes the not-quite working completely patch), as well as AutoRun Eater - (freeware) – This neat security utility provides a different take.  It runs in the system tray full-time and monitors execution of autorun files when devices are inserted or executed.  Upon discovery it first performs an analysis. If a suspicious pattern is found, it blocks execution, tosses up a dialog window, and presents the suspicious code.  Then it allows the user to block or ignore execution.  Amazingly clever.  Certainly not a cure-all, but it might very well provide a first and easy to use line of defense for non-technical users as well as experienced system administrators who don’t want to use some of the tougher/lock-down methods against blocking all autorun executions.

  • Quickpost: /JBIG2Decode Trigger Trio « Didier Stevens blog, and Sûnnet Beskerming - An Interesting Result for JBIG2 PDF Vulnerability, followed up by Inside Exploited PDF from the Threat Researcher’s blog.  These are primarily discussing the latest Adobe Reader vulnerability - This has been simmering for a while but security researcher Didier Stevens (who specializes in PDF formats) found something very serious.  Quoting from Didier’s first link: "Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability. Just like it would when you would explicitly open the document. In fact, we could say that the document is opened implicitly, because of your actions with Windows Explorer."  That could be a biggie considering the pervasiveness of PDF documents.  Malicious PDFs as an attack vector have been around for a long time, as readers of Didier's blog know. However this one seems to be particularly potent as the mal-crafted file doesn't need to even be launched.  Furthermore, many have moved to the great (and free) Adobe Reader alternative Foxit Reader. However, if Adobe Reader is installed on the system also, the vulnerability still actively exists. You currently appear to have to entirely uninstall the Adobe Reader from your system...

I'm not suggesting folks should run out and do that...but at least for now, keep a close eye out on these developments as many AV vendors still are not detecting this new threat. Hopefully Adobe will be responding with a fix soon.

Didier suggests using Nir Sofer’s freeware Shell Extension manager to disable this feature for now.  Or you could also use Sysinternals Autoruns to display and disable this handler. For this PDF handler, look in the tab “Explorer” under the following section:

“HKLM\Software\Classes\Folder\Shellex\ColumnHandlers”.

Search for the PDF Shell Extension and disable it.

Finally, you might want to take a look at the advice in the Do you use Adobe Reader? post also at the awesomely good Threat Researcher blog.  Good stuff to know for Adobe Reader fans.  I’ve walked away impressed enough to add this blog to my RSS feed list.

  • PortableApps.com Platform 1.5 Released - (freeware) – New app launcher build from the first-place I go to find portable tools that work flawlessly on my Windows USB stick.  Many new features and tweaks.  Check it out.

  • FreeCommander - (freeware) – The very best-est (IMHO) freeware multi-paned file manager there is, hands down.  Period.  No more discussion.  The only file manager I use at work and home on my personal systems.  Anyway, new version release came out for some enhancements, feature adds, and stability fixes.  2009.02.  You can get it in an installer based setup file, or if you know where to look, portable versions are available as well.  Scroll that page to the very bottom to find the simple zip file versions.

  • Mozilla rethinks the behavior of new browser tabs – download squad – You think?  What with the new Safari 4 beta favorites page, Chrome’s favorites page, Opera’s favorites page, all these multipage pages make Firefox look a bit late to the party.  So Mozilla thinks it needs to join the bloat-creep by doing one as well.  See next link…

  • New Tab Page: Proposed design principles and prototype – Mozilla Labs.  Bloat-creep/feature-creep.  I’m wondering if it isn’t all the same thing…

  • NewTabURL :: Firefox Add-ons – This is my response.  I use this Add-on and love it.  It is perfect for customizing new-tab content launching.  While I do feel Mozilla should provide just a bit more default customization options to new tab handling, too much is a bad thing.  NewTabURL allows you to set new tabs to open to your home page, blank page, or current page; it also allows you to specify your own default URL to open up to. Want to go even more custom? Create your own HTML page, image or other stuff and point to it instead! For example I can use the format file:///%drive-letter%:/filename.whatever and open that in blank tabs. On my system, I have it set to use the following link: http://bighugelabs.com/flickr/random.php . I have coupled that with some editing (redaction) of page elements with the Remove It Permanently :: Firefox Add-on and now each time I open up a blank page, I am gifted with a random selection of images from flickr.  Of course….that is on my home machine only.  I end up getting some NSFW images from time to time that I couldn’t tolerate at work.  So for there I have to go with something a bit different.  Finally, NewTabURL can be set to open up a URL if it finds one in the clipboard contents. Very handy when you find a non-hyperlinked address browsing and copy it. Instead of manually opening a blank tab, pasting it into the address bar and launching it, this extension can handle it automagically!

  • Next Firefox version bumped to 3.5, another beta to come - Mozilla Links.  OK.  Get a move on.  I’m still waiting for the next 3.1 beta release 3 to come out.  I tried the nightly version in a testing package I use, but it didn’t render the NewsFox RSS feed reader extension I use very nicely.  So I’m sticking with the stable 3.1 beta 2 release still for now.
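To find out which handler under that ColumnHandlers key is the PDF shell extension before disabling it with Autoruns or Shell Extension Manager, here is an added example (not from the original post or from Didier) that inventories the registered column handlers and resolves each CLSID to the DLL implementing it. It assumes PowerShell 3.0 or later; the “pdf|acro” pattern it uses to flag the Adobe handler is a heuristic chosen for this example.

```powershell
# Added example (not from the original post): inventory the Explorer column
# handlers registered under the key the post names, resolving each CLSID to the
# DLL that implements it, so the PDF shell extension can be identified before
# it is disabled with Autoruns or Shell Extension Manager. Assumes PowerShell
# 3.0+; the flag pattern is a heuristic chosen for this example.
function Get-ColumnHandlerInventory {
    param(
        [string]$HandlersKey = 'HKLM:\Software\Classes\Folder\Shellex\ColumnHandlers',
        [string]$FlagPattern = '(?i)pdf|acro'
    )
    if (-not (Test-Path $HandlersKey)) { return @() }

    foreach ($sub in Get-ChildItem $HandlersKey) {
        $clsid    = $sub.PSChildName       # each subkey is named by the handler's CLSID
        $clsidKey = "HKLM:\Software\Classes\CLSID\$clsid"
        $name = $null; $dll = $null
        if (Test-Path $clsidKey) {
            # The CLSID key's default value is the handler's friendly name;
            # InProcServer32's default value is the implementing DLL.
            $name   = (Get-ItemProperty -Path $clsidKey).'(default)'
            $srvKey = Join-Path $clsidKey 'InProcServer32'
            if (Test-Path $srvKey) { $dll = (Get-ItemProperty -Path $srvKey).'(default)' }
        }
        [pscustomobject]@{
            CLSID   = $clsid
            Name    = $name
            DLL     = $dll
            # Heuristic: the Adobe handler shows "pdf" or "acro" in its name or path.
            Flagged = [bool]("$name $dll" -match $FlagPattern)
            # A handler whose CLSID resolves to no DLL is worth a second look:
            # Explorer should not be loading something that cannot be accounted for.
            Orphan  = (-not (Test-Path $clsidKey)) -or (-not $dll)
        }
    }
}

Get-ColumnHandlerInventory | Format-Table CLSID, Name, DLL, Flagged, Orphan -AutoSize
```

Run it from a 64-bit PowerShell on 64-bit Windows so you see the same registry view that the 64-bit Explorer uses.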

I had hoped to get through a number of additional posts this weekend, but it was too sunny, Alvis was at her Grandparent’s house, and the chores and quality time spent with Lavie were just too important to pass up camped out on the laptop all weekend long.  Had some Apple Safari issues as well as a rogue VIPRE definitions update that locked up our desktop system until resolved.  Those took an unexpected amount of time.

Lavie and I even managed to escape on a “date-night” Saturday.  Sure it was just down to the local Chick-Fil-A, but we did score a bar-height table complete with fresh flowers and a view over the sparkling and romantic lights of the local Lowe’s store in the strip center.

Romance is where you make it happen for yourselves kids….

Cheers!

--Claus V.

WIM tool enhancements and Fiddling with VHD’s

Lighter posting this weekend.  I’m cleaning up the back yard for Spring and other assorted house-cleaning chores I’ve been putting off for a while.

Michael Pietroforte’s awesome 4sysops blog is one of the best sysadmin sites around; I just can’t wait to see each new post from him.

Michael’s skill is taking those tools and utilities that many might pass over and not only drawing our attention to them, but identifying those elements that show their usefulness.

I know few others who actually will crawl through the pages of a MS beta release help file looking for leads and hints of newer and greater features.

So with respect to Michael, most all of these links come from his site.  Give him the props.

I’m drawing attention to them as a heavy ImageX, WIM, VHD user.  If these aren’t your things, then there is little to get excited about here.

New Developments in Microsoft Imaging

ImageX for Windows 7 - new features – 4sysops blog – Windows 7 (specifically the Windows 7 WAIK) will introduce a new and improved version of Microsoft’s image capture, application, and management tool ImageX. 

It is currently available in a beta stage in the WAIK Windows 7 Beta download.  Michael points out two primary observations of the new ImageX tool. 

First it supports mounting multiple WIM files at the same time for management work.  Like Michael I was a bit confused because I have already been doing this in the Vista/SP1 WAIK ImageX tool. 

Secondly, it does appear that mounting/dismounting WIM files with the new ImageX file takes much longer to execute.  I suppose the new ImageX tool brings additional service to the WIM file that was not present in the original versions. 

For now I am keeping the new and old version side-by-side with slightly modded file names.  For quick mounting and file exploring/extracting, I use the original.  For production WIM changes, I’m using the newer version.  For comparison, the Vista SP1 WAIK ImageX.exe file is 373 kB; the Windows 7 Beta WAIK ImageX.exe file is 463 kB in size.

ImageX for Windows 7 - new command-line options – 4sysops blog – Michael then follows up with a post outlining the new/improved ImageX commands and possible usages.

  • imagex /cleanup – deletes abandoned resources in the WIM
  • imagex /commit {/append image name} – This tweak now allows you to save changes to a mounted WIM without having to unmount it as was previously required.
  • imagex /command_line option /logfile – Now you can create a logfile of all activity done in an ImageX session.  Great for troubleshooting WIM maintenance issues.
  • imagex /command_line option /temp – Michael supposes that this lets you manually specify a custom location on the “host” system where ImageX uses for temp location need in mounted WIM servicing.
  • imagex /cleanup – This one is a bit murky.  Looks like it cleans up the host system’s association of mounted WIM’s that were not cleanly unmounted (say unexpected system reboot).

What I did was to install the Windows 7 beta WAIK in a virtual system, then I extracted the program folder that was created back out to my Host system.  This allows me to not only read the help file to my heart’s content, but also gave me access to both the new W7 PE 3.0 WIM files and the new ImageX file version as well.

I also found that I could also manually build a working folder/contents for the W7 WAIK PE 3.0 structure with all the W7 WAIK PE 3.0 files and then still use the Vista SP1 WAIK command line tools to build PE 3.0 boot disks just fine.  I’ve not attempted to try installing multiple versions of the WAIK on a single system so since this seems to work, I’m enjoying the very best of both Win PE 2.0 and Win PE 3.0 (beta) building now!

FREE: GImageX - a GUI for ImageX – 4sysops blog – Based on these posts, I advised Michael that he might want to check out the ImageX GUI (GImageX) utility that makes intense work with ImageX much more user friendly and intuitive.  He did and this is his review.

DISM - WIM image configuration for Windows 7 and Vista – 4sysops blog – All my work is with ImageX so I hadn’t heard of DISM before.  Turns out it is new to the Windows 7 WAIK.  DISM stands for “Deployment Image Servicing and Management”.  From Michael’s post:

DISM replaces the Package Manager (pkgmgr.exe), PEimg and Intlcfg in the Vista WAIK. Package Manager is a command-line tool that allows you to install and configure OS updates, packages and drivers on an offline OS image. PEimg is for creating and modifying Windows PE 2.0 images offline and Intlcfg is used to change the language and locale, fonts and input settings on a Windows image.

You can install the Windows 7 WAIK, including DISM, on Vista SP1. <snip> DISM works only with Vista SP1, Server 2008, Windows 7, and Server 2008 R2.

...it seems to me that none of the so-called management tasks works with Vista images. Management tasks are used to gather information about images. For instance, you can use DISM to enumerate all drivers or hotfixes that are available in a Windows 7 image, but this wouldn’t work with a Vista SP1 image.

<snip>

DISM and imageX have in common that you can mount WIM images with both tools. Once you have mounted an image with imageX, you can use other WAIK tools, or simply Windows Explorer, to manipulate the image. DISM, on the other hand, not only allows you to mount an image; you also can use it to apply changes. Therefore, for Windows 7, DISM is the appropriate tool to configure OS images. The main purpose of imageX is to capture and deploy images, features that DISM lacks.

For more information see Michael’s examples of DISM commands.

Playing with Virtual Hard Drives

Windows 7 DISM - how to mount, manage, and service WIM images – 4sysops blog – Michael picks up where he left off on the previous post and now dives into examples of DISM commands to work with WIM files.  From my perspective, it looks like it will be a useful tool in getting additional information on WIM files and internal structures.  Michael also shares how it can be used to service the host OS.  I think we will be seeing more about this tool as Windows 7 matures in the sysadmin world.

Mount, attach and create VHD files in Windows Vista and Windows 7 – 4sysops blog – Turns out that Windows 7’s (and Vista) built-in backup tools operate by creating VHD format files.  Mounting them in VPC 2007 is pretty easy, but doing it without that tool so you can explore or extract a few files is a pain. 

Windows 7 allows you to mount a VHD file using the Computer Management console.  You can also use (my favorite friend) DISKPART to attach a VHD file and mount it to the system.  How cool is that?!!

You can also mount a VHD file in scripts using diskpart: Create a text file with this content:

SELECT VDISK FILE="file path and name of the vhd file"
ATTACH VDISK

To attach the VHD image in a script, you have to use “diskpart -s text file name”

Michael didn’t specify but I suspect there is likely a new DiskPart version in Windows 7 as well.  I’m going to have to go back and extract that one from my W7 install and do a comparison.

This might be of worthy note for sysadmins to explore as an “evidence source” if backups were turned on in Vista or Windows 7 and you are trying to find out the source of malware or other bad system (or user) behavior.

FREE: WIM2VHD - Convert a WIM image to a VHD image – 4sysops blog – Neat tool, but limited to Windows 7 and Server 2008 R2 WIM files.  Vista/XP WIMS not supported.  Basically the tool/process allows you to take a sysprepped WIM file you captured with ImageX, then convert it to a VHD file, for testing in a supported virtual environment before physical deployments.  I really could use this tool for my imaging and system deployment work.  But we aren’t quite up to W7 OS just yet.  Eventually….

FREE: VMware DiskMount GUI - Mount VMDK files – 4sysops blog – I don’t (currently) use VMWare as a virtualization source, instead using VirtualPC 2007 as well as Virtual Box. However, this tool would allow you to mount a VMDK file disk to your host system.  Good to know.

FREE: Vmdk2Vhd - Convert VMware VMDK to Hyper-V VHD – 4sysops blog –  Good tips and information if you get a hold of a VMDK file and need to move it into VHD format.

Enlarge a VHD – 4sysops blog – Making a VHD file larger can be done but isn’t very intuitive.  Michael has done his homework and shows us how to use this tool to expand an existing VHD file to a larger size.  Kinda like upgrading a 100 GB drive to 250 GB by adding more platters; but virtually.  Michael points out that this isn’t enough; you then have to “extend” the partition size so the system can use this added space.  Diskpart to the rescue!

The Deployment Guys : Deploying Win 7 to Boot From VHD with MDT 2010 – Configuring a system to multi-boot different OS’s is the realm of hard core system hackers and OS addicts.  It is cool and there are many good utilities that can help noobies out there do this.  Windows 7 has a new ability to actually boot alternative OS systems from VHD’s to the physical hardware of the system.  This is pretty cool.  The Deployment Guys show how to make it happen.

Related Bonus

Windows 7 Boot from VHD | TechNet Edge

This is good for a multi-boot environment where you want to run multiple operating systems on the same machine without losing performance. This is possible by VHD booting. As every VHD is like a hard disk with a primary partition, you can create multiple VHDs with operating systems installed onto them.

I have prepared a 3-part series on Boot from VHD

Part 1 Create/Mount VHD files in Windows 7
Part 2 Boot from VHD in Windows 7
Part 3 Boot from VHD in Windows Vista

Digital Forensic SIFT’ing: How to perform a read-only mount of filesystem evidence - SANS Computer Forensics, Investigation, and Response – Since we were on an image and mounting kick, thought some might find this post technically interesting as well.

Cheers.

--Claus V.

Last Gasp Linkpost: Security/Forensics, Microsoft, and Freeware Utilities Galore

Last major collection of links.

Alvis has a TAKS test tomorrow so we are going retro and watching some Azumanga Daioh anime DVD’s to melt our brain cells before heading off to an early bedtime.

I’ll try to section it up a bit.

Lots of neat finds and worthy candidates for your attention.  Don’t be stingy with your time!

Security and Forensics

CAINE Live CD spotted via Security Database Tools Watch.  Another new and promising forensics bootCD based on Linux. Appears to have a Windows auto-run utility side as well.  Looks intriguing and I will be downloading it this week to take a spin.  Does get a few votes down due to the “CSI” theme graphics.  Poking around on the website home page did get my interest and curiosity stirred up quite a bit.

CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface. The main design objectives that CAINE aims to guarantee are the following:

- an interoperable environment that supports the digital investigator during the four phases of the digital investigation
- a user friendly graphical interface
- a semi-automated compilation of the final report

Main features:
- WinTaylor, forensic frontend for Windows environment
- Html page IE-compatible to run the forensic tools in Windows
- Ntfs-3g updated to 2009.1.1 (resolves an ntfs-3g bug)
- New boot option: text mode.
- Ubuntu 8.04 packages updated
- Firefox 3.0.6
- Gtkhash, frontend for hashing files
- New reporting features: investigators and case name added
- Multi-language report: Italian, English, German, French and Portuguese
- Firefox starts with the list of tools and a brief utilization manual

WinTaylor is the new forensic interface built for Windows and included in CAINE Live CD. It is written in Visual Basic 6 to maximize compatibility with older Windows systems, and provides an internal set of well-known forensic programs.

Features

- Report creation tool, that saves in a plain and portable text file the list of used programs with time-stamps.
- Tabbed structure that gives a logical schema to the investigation process.
- Command-line tools that print their output inside WinTaylor.
- Updated Sysinternals tools
- Versatile hashing tool
- Snapshot tool

RAPTOR - Forensic Acquisition Simplified – Just uncovered this LiveCD tool for both Intel and PowerPC flavored systems. Details are thin but I’ve read a number of positive.  Adding to my growing download list.

Raptor is a modified Live Linux CD used to forensically image digital media.  Two versions of Raptor exist.  One for Intel based computers and the other for the older Macintosh PowerPC architecture.  Raptor allows the user to mount, image, hash, format and sterilize digital media in a forensically sound manner.  Raptor can image to FAT32, NTFS, HFS+ and EXT3 file systems as either a .E01, DD (raw image), .dmg (Macintosh disk image file) format or even physical device (clone).  Raptor also allows for two forensic images to be created simultaneously.  Best of all . . . no need to access the command-line or know complicated Linux commands or switches.

Related GSD Posts: Helix3: Thanks for the memories… which provides some other alternative LiveCD based forensics type tools as well as this GSD Windows FE post to roll your own.

WinFE: Windows Bootable Forensic CD - Evil Bytes Blog - Dark Reading – Found a blog write-up that linked back to my Windows FE post. I’ve seen that post get linked up in a couple of forensics forums as well recently.  It’s pretty cool considering the work it took me to track that information down.

L0phtCrack 6 – Coming soon!  This seminal password cracking tool has been reborn like a phoenix from the ashes of Symantec.  The security world waits with bated breath!  Wish I could be there at the release party.  Sample love-fest post: L0phtCrack 6 Release At SOURCE Boston : Liquidmatrix Security Digest.

Ophcrack – One of the Windows password crackers currently sitting pretty due to the hiatus of L0phtCrack from the scene.  I’ve used it a few times and it worked as promised.  Related: LCP, SID&User, John the Ripper, and Cain & Abel.

Windows Incident Response: Looking for "Bad Stuff", pt II – Harlan offers a thoughtful post continuing the theme of tools AND techniques matter when tracing down suspicious files and activities on a system.  There are no cure-alls. It takes skill, experience and flexibility in using all of those coupled with appropriate tools to carve up a system and identify the malignancies.  Well recommended reading. 

Did Mandiant’s Audit Viewer find something in Conficker? – Security Ripcord Blog – Don hammers home Harlan’s point in this great post showing how not just familiarity with the target malware, but the tools at hand and a good eye appears to have captured some new behavioral data on the Conficker malware.  Good read and malware analysis writeup.

Windows {Microsoft}

VMMap – Brand spanking new Microsoft Sysinternals tool that is way neater than one might think.  Besides mapping running process memory in detail, it also allows capture and reloading of that captured data for later analysis.  Probably not useful for forensics guys and gals who already have an extensive arsenal of tools for that, but for malware hunters and investigators, it might be a really great and (relatively) easy to use tool to dig deeper into suspicious processes found running on a system.

VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map. Powerful filtering and refresh capabilities allow you to identify the sources of process memory usage and the memory cost of application features.

Besides flexible views for analyzing live processes, VMMap supports the export of data in multiple forms, including a native format that preserves all the information so that you can load it back in.

Ask the Performance Team : Windows 7, Zune and the Case of the Mysterious Debugger – Ask the Performance Team blog.  Mark Russinovich might have some competition.  Wonderful takedown of a Zune software issue.  Great techniques.

Some Changes Since Beta for the RC – Engineering Windows blog – Way too detailed for me to list all here, it is a deep listing of all the major changes made to Windows 7 since the Beta release.  Almost all of them sound like pretty solid moves based on customer feedback.  While most people focus on the big things, I keep finding the small things in Vista still causing me the biggest headaches. Particularly when I continue to switch between XP Pro on my work system, XP Home on our desktop unit, and Vista Premium on our laptop which is slowly taking over as my primary computing and blogging platform at home (uggg!  Must…have…my…dual…monitors…back!)

Microsoft fixes AutoRun disable option – The H Security – Almost unnoticed by all but a few autorun-fixated security folks, Microsoft has re-issued its earlier fix so that the NoDriveTypeAutoRun registry value actually disables AutoRun for the drive types you select (0xFF to cover all of them) the way the documentation always said it did. See all these for more information:

New or Improved Software

Important Flash Player Updates Released - Firefox Extension Guru’s Blog – Gentle and timely reminder that Adobe Flash has been updated.  Get the new version at the Adobe Flash Page.  On my Vista system I just had to browse to it in Firefox, download and install.  In IE I had to browse to the link, install it via a series of ActiveX prompts. Then I went to the Vista Programs item in Control Panel and uninstalled the older versions (one each for Firefox and IE).  No reboot needed. Guru’s tips work well also

chml and regil: tools to control Windows Integrity Levels – Mark Minasi – Mark has updated his chml tool and released a new registry counterpart called regil.  I’m going to oversimplify, but just like user accounts have permissions, processes, files, folders, and registry items in Windows (Vista and 7) also carry integrity levels (Low, Medium, High, System).  A process cannot write to an object labeled with a higher integrity level than its own, but it can read and write objects at its own level and below. The link explains this more clearly.  Anyway, Microsoft’s built-in icacls can set a file’s integrity level, but it wasn’t enough for Mark.  He coded up a more powerful version called chml.exe some time ago and now has a registry-side counterpart called regil.exe.  He offers both free.  Both are command-line tools. Not a regular tool, but might be useful for folks dealing with nasty file-rights-changing malware.  At first blush it seems like a fairly impractical tool, but as a system administrator it’s like bringing a pump-action shotgun to a barroom fight: it gets everyone’s attention and can do a lot of damage to shut the party down fast.

USBDeview  v1.35 - (freeware) – NirSoft - “USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used. For each USB device, extended information is displayed: Device name/description, device type, serial number (for mass storage devices), the date/time that device was added, VendorID, ProductID, and more...  USBDeview also allows you to uninstall USB devices that you previously used, and disconnect USB devices that are currently connected to your computer.” But what makes this version update SO COOL is that it now adds ‘Vendor Name’ and ‘Product Name’ columns and fills them in automatically.  To enable them, separately download the public USB IDs file (usb.ids) and save it in the same folder as the program.  Easy as that.  Try it.  It is way cool.  More details on this NirBlog post.
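The Vendor Name/Product Name lookup USBDeview does is just a parse of that usb.ids file, so here is a small parser for it, added here as an example and not NirSoft’s code.  It assumes the public usb.ids layout (a vendor line is four hex digits, two spaces, then the name; its products follow on tab-indented lines; the class and language sections further down are not vendors) and uses a constructed excerpt rather than the real file:

```python
"""Parse the usb.ids vendor/product database and resolve VID:PID pairs.

Added example, not part of the original post or of NirSoft's USBDeview.
Format assumed (public usb.ids): 'vvvv  Vendor Name', products on lines
indented with one tab as 'pppp  Product Name', '#' comments, and non-vendor
sections (device classes etc.) that start with letters rather than hex.
The sample text below is a constructed excerpt, not the real database.
"""
from __future__ import annotations
from typing import Dict, Tuple

SAMPLE_USB_IDS = """\
# constructed excerpt in usb.ids format (not the real database)
0781  SanDisk Corp.
\t5567  Cruzer Blade
\t5571  Cruzer Fit
046d  Logitech, Inc.
\tc52b  Unifying Receiver

# List of known device classes, subclasses and protocols (not vendors)
C 00  (Defined at Interface level)
\t01  Audio
"""

HEX = set("0123456789abcdefABCDEF")


def parse_usb_ids(text: str) -> Dict[str, Tuple[str, Dict[str, str]]]:
    """Return {vid: (vendor_name, {pid: product_name})} from the vendor section."""
    db: Dict[str, Tuple[str, Dict[str, str]]] = {}
    current = None  # VID whose product lines we are inside, or None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith("\t\t"):
            continue  # interface lines nested under a product; not needed here
        if raw.startswith("\t"):
            if current is None:
                continue  # tab-indented entry in a class/language section
            pid, _, name = raw.strip().partition("  ")
            db[current][1][pid.lower()] = name.strip()
            continue
        ident, _, name = raw.partition("  ")
        if len(ident) == 4 and all(c in HEX for c in ident):
            current = ident.lower()
            db[current] = (name.strip(), {})
        else:
            current = None  # left the vendor section (e.g. 'C 00  ...')
    return db


def lookup(db: Dict[str, Tuple[str, Dict[str, str]]], vid: str, pid: str) -> Tuple[str, str]:
    """Resolve a VID/PID pair; unknown IDs come back as the raw hex so they stay visible."""
    vid, pid = vid.lower(), pid.lower()
    vendor, products = db.get(vid, (f"Unknown vendor {vid}", {}))
    return vendor, products.get(pid, f"Unknown product {pid}")


USB_DB = parse_usb_ids(SAMPLE_USB_IDS)

if __name__ == "__main__":
    for vid, pid in [("0781", "5567"), ("046D", "C52B"), ("0781", "ffff")]:
        print(vid, pid, *lookup(USB_DB, vid, pid))
```

Feed it the real usb.ids and you get the same two columns USBDeview adds; an unknown pair is returned as its raw hex rather than silently dropped, which is what you want when an odd device turns up in an investigation.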

SearchMyFiles - (freeware) – New program release. This is an alternative file/folder search program and is way powerful.  Not only can you search by folders/subfolders/drives, but you can also filter the search based on file attributes, file times, file size, or a range thereof.  If you have to jockey around files and root for them, this seems like a great complement.  More info on the product link and this NirBlog post.

Everything Search Engine - (freeware) – an alternative system file indexer and searcher.  It reminds me a bit of Windows Search 4.0 but it only indexes files and folders and doesn’t search within them for results (like a particular word in a Doc file or inside your Outlook PST).  In that regard it is a bit weaker.  On the other hand it will provide a list of “everything” searched for then you can filter down from there. Worthy alternatives (also freeware) are Locate32, Agent Ransack, and DK Finder. Search away my friends!

SoftPerfect Network Scanner v.3.9.190 - (freeware) – Great and very powerful single exe network scanner. Regularly updated this release contains a number of feature and bug fixes.  Highly recommended.

USB Image Tool - (freeware) – Dead-useful tool to create/restore images of USB flash drives. It also provides USB device info.  Makes quick-swapping setups and file/folder builds of USB drives a piece of cake.  Alex is working hard at updating this tool. Check back often for newer versions. 

DiskXS - (freeware) – Tool that allows creation/restoration of floppy disk images.  We still use a few specialized floppy boot disks and this tool allows me to take images of them to keep on a CD along with this tool.  When technicians need to deploy one, they just find a Windows system, pop the disk in, run the application, and with a single floppy, write the image they need to it.  Added coolness with this app is the ability to extract files from floppy image files, delete files in images, view files in images, and import/export the bootsector and boot code from floppies.  In the past I used (and still also recommend) the freeware floppy imaging tool FlopImager.  The features and recent developments in this one are making me reconsider.

Recuva - v1.24.399 – (freeware) – This great file-recovery program got an update last week.  iPod support has been added to the wizard,  improved virtual machine support, and some other miscellaneous fixes and tweaks.

CCleaner – v2.17.853 - (freeware) – This build now adds wiping of free disk space, mods to the progress bar, improved Apple Safari history cleaning, speeding up the uninstaller tool, and misc. tweaks and bug fixes.  Other recent version bumps addressed Firefox and Chrome cleaning, and GUI interface improvements.  You really need to check often to see what new enhancements are making their way into both of these great Piriform applications. Add the Piriform – Blog RSS feed to your reader and you will be able to keep on top of things easily.

Looking forward

I certainly haven’t yet reached the bottom of Claus’s link barrel and have several more posting subjects waiting in the wings, but I think it is the end of this extended weekend’s posting blitz.

Coming soon at GSD, Win PE 3.0 boot disk building goodness, more VistaPE tricks and goodies, a bazillion links on ImageX, DISM, and virtual VHD file mounting and manipulations.

Stay tuned…

--Claus V.

File and Registry Change Watchers

Another quick post.

Inspired by Raymond.cc’s blog post Tracking Registry and Files Changes When Installing Software in Windows I figured I needed to list some of his new finds and some of my old-standbys.  I refer readers and the curious to that post for more in-depth reviews and details of some of these programs.

These tools are very useful when monitoring a system’s registry and file structure for changes created by captured malware droppers and/or legitimate installer programs.

RegShot 2.0 (translated version) - (freeware) – Take a system “snapshot” run the installer, then take a followup “snapshot” and let it compare the results.

SpyMe Tools - Monitor Registry & File System Changes - (freeware) – Supports both real-time monitoring of system changes as well as capture dump comparisons.  I like this one as it provides a directory view of changed files.

SystemSherlock Lite - (freeware) – CLI based tool.  Run a dump. Run another dump. Compare the dumps.  Lots more CLI goodness but that’s the basics.  See also the SystemSherlock GUI developed by Martin Zugec for all you CLI-averse freaks.

WhatChanged v1.06 - (freeware) – scroll to the bottom of the page to find it.  Same concept.  Take a snapshot, do your business, take another snapshot and compare.
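The snapshot-and-compare idea behind RegShot, SystemSherlock and WhatChanged in a few lines of Python, added here as an example and not code from any of those tools.  It covers the file-system side only so it runs on any OS (the registry side would need the Windows winreg module); the directory contents are constructed in a temp dir, and files are hashed so that a file rewritten at the same size still shows up as modified:

```python
"""Snapshot-and-compare of a directory tree, the RegShot/WhatChanged idea in code.

Added example, not code from any of the tools listed in the post. File-system
half only; every regular file is recorded as (size, SHA-256) so an in-place
rewrite with an unchanged size is still reported. The demo directory and the
"installer" activity in demo() are constructed, not a real install.
"""
from __future__ import annotations
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]  # relative path -> (size, sha256 hex)


def snapshot(root: str) -> Snapshot:
    """Walk root and record size + SHA-256 of every regular file (symlinks skipped)."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), digest.hexdigest())
    return snap


def compare(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Classify paths as added / removed / modified; sorted so reports are stable."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed run: snapshot, 'install' something, snapshot again, diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        with open(os.path.join(root, "system32", "old.dll"), "wb") as f:
            f.write(b"v1")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"hello")
        before = snapshot(root)
        # the "installer": drops a DLL, rewrites a file at the same size, deletes one
        with open(os.path.join(root, "system32", "dropped.dll"), "wb") as f:
            f.write(b"MZ...")
        with open(os.path.join(root, "system32", "old.dll"), "wb") as f:
            f.write(b"v2")
        os.remove(os.path.join(root, "readme.txt"))
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Point `snapshot()` at the folders you actually care about (system32, the user profile, Program Files) rather than a whole drive, or the noise from prefetch, logs and temp files will bury the installer’s writes just as it does in the GUI tools.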

InstallWatch Pro v2.5c - (freeware) – long time favorite of portable software fans, I’ve used this many times in the past to look for any special files written to system32 folder(s) that I need to copy when making a “portable” version.  Not updated for a while.

SourceForge.net: reg-runner - (freeware) – Reg-runner watches a system for registry changes made by a program.  Provides additional tools and helps for searching out just what they are.  Neat little project.

Change Analysis Diagnostic tool for Windows XP – Microsoft tool.

The Change Analysis Diagnostic tool scans the computer and displays recent changes to the following areas:

  • Software programs: The software programs that are listed in the Add or Remove Programs item in Control Panel.
  • Operating system components: Hotfixes and downloads from Windows Update.
  • Browser Helper Objects (BHOs): COM components that Internet Explorer loads when it starts. BHOs can intercept browser events, access Internet Explorer controls, create windows, and install add-ins that monitor messages and actions.
  • Drivers: Kernel-mode device drivers and file system drivers.
  • ActiveX controls: COM controls that have been downloaded by Internet Explorer or that are used in some Web pages.
  • Other Auto-Start Extensibility Points (ASEPs): ASEPs let programs start without action from the user. An ASEP may accept one or more ASEP hooks, each of which is associated with a program.

The tool also displays changes to loaded applications and startup objects.
The Change Analysis Diagnostic tool queries the System Restore data for the number of days that the user selects. The tool finds the changes to the registry and to the file system that are relevant to these categories. Then, the tool presents the changes together with contextual information. Finally, the tool lists the changes in an XML file that can be sent to a support professional.

RegFromApp - (freeware) – Nice NirSoft application so you know it’s good!  Fire it up, run it, select a process to monitor, halt when done, view the report.  Great way to capture/log live changes to the registry.  Lots more features.  Quick and easy to use.

Process Monitor - (freeware) – Microsoft Sysinternals tool that captures every registry and file system call while it runs.  Launch it before things get started, then stop the capture when the dust has settled.  You will need some skill at building filters (Process Name is the installer, Operation is one of the write-type calls, Result is SUCCESS) to hide all the unrelated system activity during your monitoring period, but with a bit of work you can drill down to the installer process, export the events, and start analyzing the data.
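A way to do that filtering offline over a Procmon CSV export, added here as an example and not a Sysinternals script.  It assumes the default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail), a hand-picked set of write-type operations, and a few auto-start locations worth flagging; the log lines are constructed, not a real capture:

```python
"""Filter a Process Monitor CSV export down to the writes an installer made.

Added example; not a Sysinternals tool or script. Assumes Procmon's default
CSV export columns (Time of Day, Process Name, PID, Operation, Path, Result,
Detail). WRITE_OPS and ASEP_PATTERNS are choices made for this demo, not an
official list. The sample log lines are constructed.
"""
from __future__ import annotations
import csv
import io
import re
from typing import List, Tuple

SAMPLE_PMC_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","setup.exe","4120","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\\Program Files\\Acme\\upd.exe"
"10:01:02.0002","setup.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ, Length: 34, Data: Windows XP"
"10:01:02.0003","setup.exe","4120","WriteFile","C:\\WINDOWS\\system32\\acmehook.dll","SUCCESS","Offset: 0, Length: 8192"
"10:01:02.0004","svchost.exe","1040","WriteFile","C:\\WINDOWS\\system32\\config\\SecEvent.Evt","SUCCESS","Offset: 65536, Length: 512"
"10:01:02.0005","setup.exe","4120","RegSetValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\AcmeSvc\\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 52, Data: C:\\Program Files\\Acme\\svc.exe"
"10:01:02.0006","setup.exe","4120","WriteFile","C:\\WINDOWS\\Temp\\x.log","ACCESS DENIED","Offset: 0, Length: 10"
"""

# Operations that change the registry or file system (demo selection)
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey",
             "WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile"}

# Auto-start extensibility points worth a second look (small subset, for the demo)
ASEP_PATTERNS = [
    re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I),
    re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I),
    re.compile(r"\\Winlogon\\(Shell|Userinit)$", re.I),
]


def installer_writes(csv_text: str, process: str) -> List[Tuple[str, str, bool]]:
    """Return (operation, path, is_asep) for successful write-type ops by `process`."""
    hits: List[Tuple[str, str, bool]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"] not in WRITE_OPS or row["Result"] != "SUCCESS":
            continue  # reads, and writes that failed, did not change the system
        path = row["Path"]
        is_asep = any(p.search(path) for p in ASEP_PATTERNS)
        hits.append((row["Operation"], path, is_asep))
    return hits


if __name__ == "__main__":
    for op, path, asep in installer_writes(SAMPLE_PMC_CSV, "setup.exe"):
        print(("ASEP  " if asep else "      ") + f"{op:12s} {path}")
```

Filtering on Process Name alone misses child processes the installer spawns (msiexec.exe, a dropped helper); Procmon’s tree view or the Parent PID column (add it under Options) is the way to pull those in.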

WinPatrol 2008 Free and WinPatrolToGo Portable Edition both seem to help in the monitoring/alerting/logging of changes made to the file system and registry, though they may be a bit more limited in features than some of the other task-specific tools noted here.  Also, as cdman83 has pointed out in this post, the mechanisms used mean some changes take a while to be picked up and registered with the program.

--Claus V.

System Stress Testing Suites

Quick post. Just the facts ma’am.

Before deploying a new system (for server usage) it is always good advice to stress-test it, so that any hardware component that is going to fail does so before it enters production service rather than after.

To that end there are a few utilities I use to do that and some neat new ones I just discovered last week.

Bart’s Stuff Test 5 – (freeware) -- Great application that does long-term heavy stress testing of storage devices.

Memtest86 - (freeware) – Freshly updated (v3.5 released Jan 09) allows for off-line booting of a system and memory checking of installed RAM. Create your boot media as either a CD, floppy, or USB boot device.  Nice and easy to use.

Memtest86+ - (freeware) – The other bootable memory tester system.  Also recently updated (Dec 08).  Available in a boot cd ISO, a boot floppy file, or a pre-compiled EXE file to run from DOS.

Inquisitor – New find:

Inquisitor is an open-source hardware testing and certification system, suitable for both enterprise and home use, customizable, modular and available in both serverless Live CD/DVD format and server-controlled network boot production system.

It can analyse and test your hardware from top to the bottom and assure that it won’t fail easily under the production stress.

Download as a LiveCD ISO file.  The screenshots make it seem not very sexy, but for stress testing, it appears to have the muscle needed to fully beat up a system and tenderize it before deployment.

See also Inquisitor (hardware testing software) - Wikipedia, the free encyclopedia

Phoronix Test Suite - Linux Testing & Benchmarking Platform - (freeware) – This IS sexy.

The Phoronix Test Suite is the most comprehensive testing and benchmarking platform available for the Linux operating system. This software is designed to effectively carry out both qualitative and quantitative benchmarks in a clean, reproducible, and easy-to-use manner. This software is based upon the extensive Linux benchmarking work and internal tools developed by Phoronix.com since 2004 along with input from leading tier-one computer hardware vendors. This software is open-source and licensed under the GNU GPLv3. The Phoronix Test Suite consists of a lightweight processing core (pts-core) with each benchmark consisting of an XML-based profile with related resource scripts. The process from the benchmark installation, to the actual benchmarking, to the parsing of important hardware and software components is heavily automated and completely repeatable, asking users only for confirmation of actions.

  • 80+ Test Profiles
  • 30+ Test Suites
  • Extensible (XML-based) Testing Architecture
  • Automated Test Installation
  • Dependency Management Support
  • Module-based Plug-In Architecture
  • Integrated Results Viewer
  • PNG, JPG, Adobe SWF, SVG Graph Rendering Support
  • Autonomous Batch Mode Supported
  • Global Database For Result Uploads, Benchmark Comparisons
  • HTML Documentation Covering Test Profiles, Module Framework
  • Installed Software, Hardware Detection
  • System Monitoring Support
  • Runs On Linux, OpenSolaris, Mac OS X, & FreeBSD Operating Systems

The only drawback is that the application package needs to be installed under a Linux system, something server builders or Windows OS users wouldn’t find terribly useful or easy to do.  Although I imagine that folks who would be using this in the first place wouldn’t have any issue installing a Linux build locally on a system, adding this package and running the tests, then wiping the drive clean before the final OS installation and deployment.

However, after a bit of digging I did find this.

Phoronix Test Suite LiveCD – Still a work in progress and may not match the current release version of Phoronix proper.  Should allow the curious to experiment with the features safely before deciding if they want to go to the full local installed package.

FYI,

--Claus V.

Partition and Disk Management: Part V – HDD Sector Spying

So much material, so little time.

In many of these prior posts, I alluded to or specifically mentioned the actual data (or lack thereof) on the drives.

All these posts have been born out of a recent round of conversations and events in system image work and system drive preparations.

This post builds on all of those posts and hopefully ties things up a bit.

Why play Peeping Tom?

What I would like to do is present a number of freeware (most all at least) utilities that allow one to view hard disk drive or flash “drive” media at the sector level.

Why?  Well a number of reasons come to mind, though certainly not all inclusive:

  1. As I mentioned before, Heartland’s grief apparently began with a sophisticated trojan that hid (in part) in unallocated space on servers.
  2. Some software could be used in an attempt to hide data from prying eyes (or law enforcement) by placing data in sections of a disk not normally accessible under the OS.
  3. Data from a prior owner may be present in that space and create headaches for a new owner.
  4. Confidential data remnants could be present (related to #3 above).
  5. Efficacy of “secure-wipe”, data-destruction software, or products that “sanitize” or “zero-out” drives or files can be tested and measured.
  6. File recovery and capture from a boot-damaged OS.
  7. It’s cool to do.
  8. Verification of whole-disk-encryption software.

Though this post is based on a combination of those things, primarily it comes from a combination of reasons #5 and #8 above.

Encrypting and Wiping

Last week l33t network analyst Mr. No was working on a field project.  Part of that assignment meant shuffling a number of desktop systems from their previous owners to new ones.

Our policy is to do (at least) a one-pass secure wipe of the system prior to redeployment to a new user.

(A Probie asked me why we had this policy and I explained that it ensured that anything found on the drive after issuance had to be answered for by the assigned owner.  It helps to baseline a system and discourage (but not prevent) claims, say after a forensics review, that any non-approved data on the drive was a carryover and not theirs.  Yes, malware or other hacks or methods could get data onto someone’s PC without the owner’s knowledge, but this at least sets a standard. It also prevents carryover of any “inherited” system issues that could occur because of a previous owner’s use of the system.  We just like giving everyone a fresh start.)

Mr. No was using a particular commercial application to secure-wipe the systems (3-pass if I recall) and though they were new and fast systems, it was still taking over an hour to pre-prep the drive before he could apply the image and finish the deployment process.  What should have been a one-hour or less process was actually taking close to two hours.

Compounding this, the drives were whole disk encrypted, and there was some confusion by the probies that they had to decrypt the drive entirely, before secure erasing the disk, then formatting and reimaging it.  (Sheesh, the whole drive-decrypt process alone can take anywhere from four to eight hours!)

Mr. No understood that was pretty lame, but did feel that a whole-disk wipe was still required.  He referred to some yet-to-be-produced post explaining (as I understood his concerns) that our particular whole-disk encryption solution was only a boot-overlay protection: that it served only as an overlay to the boot process to prevent unauthorized access to the OS boot loader, and if you could bypass that, then the data on the drive was free and clear like normal.  That’s why a full disk wipe was still required.

That didn’t make any sense to me based on my understanding of the product in question.  I felt that, based on what I had read, the entire physical drive (under our policy settings) was encrypted, that the encryption loader was located at the “front end” of the drive, that the rest of the drive contents would be fully encrypted and appear as “random garbage”, and that to effectively “secure-wipe” the drive, one only needed to zero-out the “front end” of the drive with about a minute’s secure-wipe run.  That would destroy all the data needed to potentially reload/decrypt the drive, and thus render all the remaining sector patterns as “randomized” patterns.

We discussed this for a while and in the end, the proof was in the pudding.  I had to off-line boot two systems—one WDE and one not—and take a tour of them at the sector level.

What I found was indeed, that on a non-encrypted system, there was a lot of data that was in a “clear-text” format that I could see across the drive. If I used one of many file recovery programs I could probably recover all the data.

On the encrypted system, I could indeed view a lot of data from the whole-disk encryption pre-boot loader configuration files at the beginning, but after that, the rest of the drive sectors were filled with what appeared to be random garbage noise.  No file recovery program would be able to extract anything from that mess.

So, based on previous posts and these “clinical studies”, a full single-pass sector overwrite should be sufficient to sanitize a drive, and if the system is whole-disk encrypted (at least with our deployed product), a single-pass overwrite of the front hundred or so sectors, where the pre-boot loader and the key material it protects live, should also be sufficient.  One caveat before adopting that shortcut with another product: it only holds if the product keeps no backup copy of its key header elsewhere on the disk (some do), so check the vendor documentation, or the sectors themselves, before trusting a front-end-only wipe.  What was taking hours to “wipe” now takes just a few minutes.
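What that sector-level tour looks like as code, added here as an example and not from any tool in the list below.  It parses sector 0 the way a ZeroView-style first look does (boot signature and partition table), then labels every sector as zeroed, low-entropy (cleartext or structured data) or high-entropy (encrypted or random), which is the difference between the two systems above and also the check for reasons #5 and #8 in the list.  The image is constructed in a temp file; the 7.0 bits/byte threshold is a rule of thumb picked for this demo:

```python
"""Sector-level look at a disk image: parse sector 0 and classify the rest.

Added example, not code from any tool listed in the post. It reads an image (or
a raw device opened read-only) in 512-byte sectors, checks the 0x55AA MBR
signature and lists the partition table, then labels every sector as zero,
low-entropy (plaintext / structured data) or high-entropy (encrypted or random).
The image is constructed; HIGH_ENTROPY_BITS is a rule-of-thumb threshold.
"""
from __future__ import annotations
import math
import os
import struct
import tempfile
from collections import Counter
from typing import Dict

SECTOR = 512
HIGH_ENTROPY_BITS = 7.0  # of a maximum 8.0 bits/byte; 512 random bytes score ~7.6


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for all-identical bytes, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_mbr(sector0: bytes) -> Dict[str, object]:
    """Boot signature plus the four 16-byte partition entries at offset 446."""
    sig_ok = sector0[510:512] == b"\x55\xaa"
    parts = []
    for i in range(4):
        boot, _chs1, ptype, _chs2, lba, count = struct.unpack_from(
            "<B3sB3sII", sector0, 446 + 16 * i)
        if ptype != 0:  # type 0 = unused slot
            parts.append({"index": i, "bootable": boot == 0x80,
                          "type": ptype, "start_lba": lba, "sectors": count})
    return {"signature_ok": sig_ok, "partitions": parts}


def classify_sector(data: bytes) -> str:
    if not any(data):
        return "zero"
    return "high-entropy" if shannon_entropy(data) >= HIGH_ENTROPY_BITS else "low-entropy"


def scan_image(path: str) -> Dict[str, object]:
    """Read the target sector by sector; returns MBR info plus per-class counts."""
    counts: Counter = Counter()
    mbr = None
    with open(path, "rb") as fh:  # read-only: never open a live disk for writing here
        while True:
            block = fh.read(SECTOR)
            if not block:
                break
            if mbr is None:
                mbr = parse_mbr(block.ljust(SECTOR, b"\0"))
            counts[classify_sector(block)] += 1
    return {"mbr": mbr, "sectors": dict(counts), "total": sum(counts.values())}


def build_demo_image(path: str) -> None:
    """Constructed image: MBR, two plaintext sectors, three random, two zeroed."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\x3c\x90"  # typical jump at the start of boot code
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 1, 7)
    mbr[510:512] = b"\x55\xaa"
    text = (b"Confidential: payroll export for Q1\r\n" * 20)[:SECTOR]
    with open(path, "wb") as fh:
        fh.write(bytes(mbr))
        fh.write(text)                    # low-entropy: what an unencrypted drive shows
        fh.write(text)
        fh.write(os.urandom(SECTOR * 3))  # high-entropy: what a WDE drive shows past the loader
        fh.write(bytes(SECTOR * 2))       # zero: what a wiped region shows


def demo() -> Dict[str, object]:
    """Build the constructed image in a temp file, scan it, clean up."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    build_demo_image(path)
    try:
        return scan_image(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    result = demo()
    print("MBR:", result["mbr"])
    print("sectors by class:", result["sectors"])
```

High entropy alone does not prove encryption: compressed archives, JPEGs and video score just as high, so on a real drive look at where the high-entropy run starts (immediately after the pre-boot loader, with no partition table or file system structures anywhere) rather than at the count alone.  Larger windows (4 KiB or more) give steadier entropy numbers than a single 512-byte sector, and the live device must be opened read-only, as the code does.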

Sector-viewing tools

I already had two “portable” freeware tools that allowed me to view the sector data on hard-drives but I wanted to be sure I wasn’t missing out on any new ones that might be fuller featured or more portable to run off a USB stick from a WinPE booted OS.

My faves were still there, and there were a lot more guests to invite to my party.

So this list is dedicated to all the hard-drive jockeys out there, be you sysadmins, forensics gurus, or just curious.

As usual, a few words of caution are in order:

Some tools do not offer to mount the media in “read-only” mode.  Therefore if you aren’t careful you do run the risk of directly changing file data at the drive-sector level.  That could cause strange or systemic issues leading to corrupted files, data, or a non-booting system.

M’kay?

The list is not necessarily presented in any particular order, but I will try to list the ones I’m most likely to use first.

HxD - (freeware) - mh-nexus’s application was a new-to-me find and quickly made it to the top of my go-to list.  Not only is it fast, it allows mounting of entire disks and system processes running in memory into the viewer.  When you mount a disk to view, it defaults to open as “read-only” (bypassable) to ensure no accidental overwriting occurs as you inspect them. Copy, export, compare, search, view, analyze, and many more functions are supported.  It works great under WinPE 2.0 and 3.0 boot disks.  Total size is just under 2 MB.  For fast and focused sector viewing, this is a shining star. Download in either a full-installer or “portable” file configuration.

Frhed - Free hex editor - (freeware) – I linked to the new project page, but the original frhed Homepage also has some useful information.  Super-tiny, the entire application folder weighs in at just 447 kB in total.  It allows opening drives (only in a read-only mode) as well as files in both read-only (enabled by default) or read/write mode.  For quick, fast, and portable viewing of sector data, it’s a great pick.  For those programming pros who need to do file manipulations at the sector level, it has enough of the basics to make it a worthy backup tool.

Roadkil's Sector Editor - (freeware) – Super-tiny (92 kB) and portable, this is probably the best “all-in-one” sector viewing application out there from a size and portability perspective.  It does seem to mount the drive in “read/write” mode, but does have an “undo changes” feature.  You can search, print, save and copy sector information, as well as change it.  The navigation controls are pretty sparse.  Jump to a particular sector or use the forward/back buttons to scroll.

Disk Investigator - (freeware) – I still like this application a lot, but one drawback is that while it is portable on running XP/Vista systems (say via USB stick) it does not work under WinPE and is grouchy under Vista.  Several things still lead me to keep it handy.  First it is very small (383 kB) for the whole folder contents.  It allows either a disk-based sector view or a file/directory based browsing view for file/sector location.  It has an “undelete” function as well as the ability to search sectors for text strings. For use on XP systems, it is worth looking into.

Tiny Hexer - (freeware) - mirkes.de’s website is sparse and most users would probably pass it up. However, a look at some screenshots convinced me I had better download it and take it for a spin.  I wasn’t disappointed.  Turns out “Tiny” is a bit of an exaggeration.  The program is portable but definitely not tiny either in program size nor features!   Unpacked, the program folder weighs in at 7.29 MB.  Open a drive or image file. By default it is not read-only, but it can be selected so easily.  You can open a running process in memory and view its hex information as well as files proper. Read, write, copy, paste, and print options are all supported. Character translations are many as well as advanced scripts, ADS management, structure viewing, comparisons, and bookmarking.  It reminds me a bit of HxD in the layout, but it seems much fuller featured.

NT Disk Viewer - (freeware) – Low on my list due to the funky GUI interface and what could be some character translation issues, it nevertheless performs well and at a single-file size of 273 kB isn’t a large house-guest.  It works well on WinPE boot disks.  I would probably only use it if I needed to take a first-pass look at a system and didn’t have any of my other tools at hand.

Not Free but Recommended

These are big-guns.  Generally they are much more full-featured for professional usage by programmers and application hackers.

I provide them as they were recommended by folks whose opinions I trust, or they might be worth looking at for heavy lifting.  They might be “portable” but I really can’t say.

WinHex - (free to try) – Positioned clearly as a forensics-grade examination tool, this is one of two recommended to me by forensics guru Harlan Carvey.  It really did knock my socks off.  While the previously mentioned freeware applications are great for system administration work, review and exploration of drives and USB media, and general sector review, if you are interested in forensics class work, this seems to be probably the best of the best.  No installation was required. I downloaded the offered zip file, unpacked, and was on my way running the winhex.exe file.  Upon launch I first had to note if I wanted to enable “write protection by default” (awesome) as well as select a “computer forensics interface” (allows creation of case-file and notes) as well as a “reduced user interface” mode if the forensics interface was enabled.  I’m not nearly sophisticated in my knowledge to go through all the amazing details and items this tool provides.  Needless to say it is incredible and will likely require lots of reading of the User manual (PDF) and time spent to familiarize oneself with the things possible.  Must be checked out by forensics pros and sysadmins alike! Highly recommended for a reason! I haven’t tried running under WinPE environment and the application folder size is a very light 2.57 MB for such a full-featured program.

Hex Workshop - (free to try) – Multi-paned application that not only provides direct disk-based sector viewing, copying, and searching, but a whole lot more.  By default drives can be opened and viewed, but are not done so in read-only mode.  Like other programs noted here, it is easy to select to do so just before you open up the disk.

Free Hex Editor Neo - (free to try/limited features) – I like the GUI interface which is kinda “roundy”. It allows mounting of disks and also processes running in memory.  These are opened in “read-only” mode by default which is nice.  However, you have to register/buy the product to unlock those features.  As such I really couldn’t test the advanced features it offers in comparison to many features I am interested in and that are already available in the free ones listed here.

UltraEdit - (free to try – trial time-limited) – Another app recommended by forensics expert Harlan Carvey.  I spent a short amount of time with it and it indeed has a lot of features. Unfortunately I couldn’t quickly find any way to actually use it mount a drive and view the sectors themselves.  That may be a feature but I couldn’t work it out quickly enough.

Related Hex Editor (or not) programs

These are programs I use or uncovered that are related to sector-based drive viewing or manipulation, but not necessarily in the same class as those previously mentioned.

Hex Editor XVI32 - (freeware) – Awesome and dangerous tool to open files on a hex-level and modify them.  Useful for viewing file hex code in a small and fast program, but very easy to make unintended changes.  Not for cowards.

Victoria - (freeware) – OK. Unless you are a hard-drive professional or system administrator, I’d advise you to quickly move on.  If you are one of the elite few, this is a wicked-cool application that will allow you to view raw sector information on drives. It also does almost a bazillion other hard drive configuration tweaks, changes, tests and stuff.  Not for amateurs.  Not something you are just going to download, unpack, run and use out of the box.  Heavy duty but really, really neat tool for spindle-heads.  Before considering downloading, read this Victoria For Windows Detailed English Manual first before making sure this is what you really want to play with.  I bet you do anyway!

HDDGURU: MHDD - (freeware) – Yes it is DOS GUI based.  Yes it doesn’t seem to have been updated recently.  Yes there probably are many other tools worth looking into.  Yes it might be handy to keep around just in case all else fails. MHDD documentation.

ZeroView - (freeware) – Scroll just past midway down the page to find this tool.  “Ever worry that the system you are seizing uses whole disk encryption? Use ZeroView freeware to find out. Burn ZeroView to a CD then pop it into the CD drive of the suspect machine and it will load into memory only and display the contents of Sector 0 allowing you to determine if whole disk encryption is employed on the suspect system. Once you know, then you can take the appropriate steps to capture and preserve the data you need.”  It’s a single GUI-based tool to explore sector 0 to see if it contains any whole-disk encryption clues.

Dimio's HDHacker -  (freeware) - “HDHacker is a stand-alone micro-utility that saves, visualizes, and restores the MBR (from a physical drive), the BootSector (from a logical drive) or any specified sector from any disk (even removable disks).”  Won’t let you view the entire drive’s sectors but if you are just interested in viewing or backing up the MBR, this is the tool for you.  20 KB big.

Boot Sector Explorer – DiamondCS - (freeware) – like HDHacker, this GUI-based tool “…allows you to quickly and easily read and write to both the boot sectors of your logical drives such as C:, D: etc. and the Master Boot Records (MBRs) of physical drives such as PhysicalDrive0. It can even examine drives that aren't hard drives, including CD-ROMs, DVDs, USB sticks and more.”

HexDump - (freeware) – CLI tool that dumps the hex/text from a passed filename.

BinText - (freeware) – Foundstone tool that allows you to load a file into the application, then examine it for strings.  I use this one to quickly look at suspicious malware-related files to see if any easy clues can be gleaned.

Cygnus Hex Editor - (freeware) – Strictly a file hex editor/viewer.  Not for disk-sector viewing However it is just 436 kB in a single executable.  Figured it was worth mentioning.  Nice GUI.

Sector Inspector (SecInspect.exe) – Microsoft command-line utility.  Could provide some useful information in file and system inspection.  See these related posts from forensics gurus for recipe ideas: Interesting Tool – SecInspect (Windows Incident Response blog) and Forensic Incident Response: Sector Inspector (from HogFly’s blog).

Pocket Hard-Drive Utilities – Grand Stream Dreams post roundup of various other hard-drive tools not related to sector viewing but neat to know anyway.

Whew!

Hope folks find this roundup useful!

My USB stick is much fuller from the work.

Cheers!

--Claus V.

Partition and Disk Management: Part IV – Secure Wiping

Previously posted in this series:

It doesn’t seem that long ago that I was making this post:

In that post I outlined how we were doing a systems refresh across our area and we were formatting, then fdisking the recovered drives.

Degaussing FAIL

Then we would apply a big portable A/C plug-in “degaussing” unit to the sides of the systems to “wipe” the drive data.

Only I got curious after a while and decided to off-line boot the system and peer at the sectors to see what a degaussed drive looked like.

Turns out it looked just like a standard Windows drive that had been reformatted and fdisked.  Which is to say I could see all the data right there untouched and recoverable.

Hogfly made a similar observation: Forensic Incident Response: Tales from the field - the degausser

I’m sure that with a big and powerful enough degausser one could “secure wipe” a drive: the field has to exceed the coercivity of the platters, and modern high-density drives need far stronger fields than older media did.  But that seems pretty impractical for most IT shops using modern drives, and as I saw, a unit that isn’t rated for the media leaves the data fully intact while everyone believes it is gone.

I still laugh when I overhear end user managers (and some IT staff) fussing at end users because they stuck a refrigerator magnet on the side of a case, and how it could destroy the user’s data and is a big no-no. Unless it was a Wondermark-grade fridge magnet, perhaps…I doubt there is any issue.

How many wipes does it take to get to the center of a….securely wiped disk?

We now use a number of DoD class (3-pass or greater) wipe software tools to truly scrub the data off our drives before we trash them or return systems that have expired leases.

As a recent series of posts in the security world have stated, a full and complete single-pass overwrite of drive data appears to be sufficient to prevent recovery…as long as all the sectors are overwritten.  The pattern could be zeros, an alternating pattern, or random data; it doesn’t much matter so long as every sector gets overwritten.  One pass now appears, for all practical purposes, wholly sufficient to prevent recovery.  The catch is in “all sectors”: a software overwrite can only reach the sectors the drive presents to the operating system, so space hidden behind a Host Protected Area or Device Configuration Overlay (see the HDAT2 notes in Part II) and sectors the drive’s firmware has already remapped as bad are not touched.  Those need a drive-level erase or physical destruction.

For treatment on this subject consider these recent posts in the field by Dr. Craig Wright at the SANS Computer Forensics, Investigation, and Response Blog

If this is sufficient and your company policy supports it, there are a few very simple command-line tools at your disposal that can assist you with quick, at-hand secure wiping of systems before releasing them.

As most GSD readers know, I prefer using a Win PE boot disk to off-line boot our Windows systems for service and system processing.

If you also use them, there are two tools right at hand to assist you with secure drive wiping, as well as a third you can freely download and use as well if you put it on your Win PE disk during building.

Yes, there are lots and lots of great tools and utilities (Win and Linux) that can securely wipe a drive. These are some that are dead-simple and do the job.  The list is not all-inclusive, but these should serve most advanced users looking to do down-and-dirty disk prepping.

Word of warning…improper or accidental use of any of these tools on your (or your buddy’s) system could accidentally or purposefully render some, most, or all of the data irrevocably unrecoverable.  Be sure you understand them and “practice” on a safe and otherwise useless drive/system before using them in live-fire situations.

M’kay?

Cipher.exe

I wasn’t aware of this tool that is on all XP/Vista systems in the Windows/System32 folder until just this weekend as I was working on a post about sector-viewers.

Cipher.exe does a lot of things, but in this application it can secure-wipe the unallocated free space on a volume from the command line.  It does that by filling the free space with temporary files in three passes (all 0x00, then all 0xFF, then random data) and deleting them.  Be clear, this doesn’t secure-wipe the entire drive: allocated file space remains untouched (hopefully!), and so does the slack at the end of each allocated cluster, because the file system never hands those clusters out as free.  It is a free-space scrubber, not a drive wiper.

How To Use Cipher.exe to Overwrite Deleted Data in Windows – Microsoft Help and Support Article ID: 315672.

Administrators can use Cipher.exe to encrypt and decrypt data on drives that use the NTFS file system and to view the encryption status of files and folders from a command prompt. An updated version of the Cipher tool has been released for Windows 2000, and is included with Windows XP. The updated version adds another security option. This new option is the ability to overwrite data that you have deleted so that it cannot be recovered and accessed.

When you delete files or folders, the data is not initially removed from the hard disk. Instead, the space on the disk that was occupied by the deleted data is "deallocated." After it is deallocated, the space is available for use when new data is written to the disk. Until the space is overwritten, it is possible to recover the deleted data by using a low-level disk editor or data-recovery software.

The Cipher.exe utility that is included with Windows XP provides the ability to overwrite deleted data.

How to Use the Cipher Security Tool to Overwrite Deleted Data

To overwrite deleted data on a volume by using Cipher.exe, use the /w switch with the cipher command. Use the following steps:
  1. Quit all programs.
  2. Click Start, click Run, type cmd, and then press ENTER.
  3. Type cipher /w:driveletter:\foldername, and then press ENTER. Specify the drive and the folder that identifies the volume that contains the deleted data that you want to overwrite. Data that is not allocated to files or folders will be overwritten. This permanently removes the data. This can take a long time if you are overwriting a large space.
    Note With mount points in Windows 2000, you can mount a volume on any empty folder on an NTFS volume. When you do this, the mounted volume does not have a drive letter of its own. The only way to address that volume is by using the path where you created the mount point. Therefore, the /w switch requests a path of a folder, and from that, it determines the associated volume to wipe. Because of the way the file system works, the whole volume must be wiped. A file can be written anywhere on the volume at any time. A folder does not address a specific physical location on disk but is a logical container for file entries in the volume's table of contents (MFT or FAT). To make sure that there is no leftover data in unallocated space, all unallocated space on the volume must be wiped.

Appendix A: Using Cipher.exe to Wipe a Used Hard Disk Clean – Microsoft TechNet technical details about this tool and command line argument.  Must read before using.

Cipher.exe Security Tool for the Encrypting File System – Microsoft Help and Support Article ID: 298009

Wipe your Deleted Data Away: Using cipher.exe – WindowsSecurity article with screenshots.

Use cipher.exe for command line encryption – TechRepublic article with all kinds of details and screenshots.  The section about overwriting data is at the very bottom of the post.

Now I know some folks aren’t CLI enthusiasts.  Luckily I found a free, simple, and tiny GUI interface that might help.

Cipher GUI - Fileforum

Why even worry about zeroing out unallocated drive space on a drive you are keeping?  It removes the remnants of deleted files that malware or a snoop with a recovery tool could dig out of free space.  It also helps in an emergency: if the mission-critical drive is both defragmented regularly and wiped of free space, the files that remain are contiguous and surrounded by zeros, which (generally) makes it easier for file recovery programs to find whole and complete files after an accidental deletion.
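To make concrete what cipher /w is actually doing, here is an added example of my own (Python; not Microsoft’s code and not from the original post) that reproduces the mechanism: it fills a volume’s free space with a temporary file in three passes (0x00, 0xFF, random), syncs each pass to disk and deletes the file.  The limit_bytes parameter and the file naming are my own additions so it can be exercised on a scratch folder without filling a disk; with no limit it runs until the volume reports full, so point it at a scratch volume only.

```python
"""Free-space scrub in the style of cipher /w (example code, not Microsoft's).

Each pass creates one temporary file in the target directory and appends
blocks until the file system reports ENOSPC (or an optional byte limit is
reached), forces the data to disk and deletes the file.  Because the file
system only hands out clusters that are currently free, this reaches exactly
the unallocated space and nothing else: allocated clusters, the slack at the
end of them and anything still resident in the MFT are untouched.
"""
import errno
import os
import uuid
from typing import Callable, List, Optional

BLOCK = 1024 * 1024  # 1 MiB per write call

# The three patterns cipher /w uses: all zeros, all ones, then random data.
PASSES: List[Callable[[int], bytes]] = [
    lambda n: b"\x00" * n,
    lambda n: b"\xff" * n,
    lambda n: os.urandom(n),
]


def _one_pass(directory: str, pattern: Callable[[int], bytes],
              limit_bytes: Optional[int]) -> int:
    """Write `pattern` into free space under `directory`; return bytes written."""
    # Random temp name so two runs (or a leftover from a crash) never collide.
    path = os.path.join(directory, "scrub-" + uuid.uuid4().hex + ".tmp")
    written = 0
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        while limit_bytes is None or written < limit_bytes:
            n = BLOCK if limit_bytes is None else min(BLOCK, limit_bytes - written)
            try:
                written += os.write(fd, pattern(n))
            except OSError as exc:
                if exc.errno == errno.ENOSPC:  # volume is full: this pass is complete
                    break
                raise
        os.fsync(fd)  # make sure the pattern reached the media, not just the cache
    finally:
        os.close(fd)
        os.remove(path)  # clusters return to the free pool, now overwritten
    return written


def scrub_free_space(directory: str, limit_bytes: Optional[int] = None) -> List[int]:
    """Run all three passes; return the byte count written by each pass."""
    return [_one_pass(directory, p, limit_bytes) for p in PASSES]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    # Only point this at a scratch volume; with no limit it fills the disk.
    for i, n in enumerate(scrub_free_space(target), 1):
        print(f"pass {i}: {n / 2**20:.1f} MiB overwritten")
```

Each pass is a separate fill-and-delete so the same free clusters get all three patterns; deleting between passes is what makes the space free again for the next one.  The random pass is the slow one on a large volume, which is also why cipher /w takes as long as it does.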

Diskpart.exe and the “clean all” command

Use of the DiskPart tool and the “clean all” command wipes the entire drive with a single pass of zeros (unless interrupted by powering off the system before it completes, in which case only part of the drive has been zeroed and you must start over).

DiskPart Command-Line Options – Microsoft TechNet article

clean

Removes any and all partition or volume formatting from the disk with focus. On master boot record (MBR) disks, only the MBR partitioning information and hidden sector information are overwritten. On GUID partition table (GPT) disks, the GPT partitioning information, including the Protective MBR, is overwritten; there is no hidden sector information.

clean [all]

Specifies that each and every sector on the disk is zeroed, which completely deletes all data contained on the disk.

So to securely wipe (zero out) a drive, boot the system with a Win PE boot disk and run the following commands.  This assumes the drive to be wiped is disk 0; run “list disk” first and check the sizes, because under Win PE your boot USB stick is enumerated as a disk too and the numbering is not always what you expect.  Change the disk number accordingly:

  1. Diskpart
  2. select disk 0
  3. clean all
  4. exit

Note the time that passes between steps 3 and 4 is dependent on many factors including the hardware of the system, drive speed, and your patience level.

Be patient and let it run.  Eventually it will return to the diskpart prompt and you can exit out.

In my tests of a hard-drive and this process, followed by a sector-level pre/post reviews of the drive, the drive was indeed fully zeroed out and no information was found on any sectors across the entire drive.
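The pre/post sector review above can be automated.  The following is an added example of my own (Python; not part of the original post or any Microsoft tool) that reads a raw disk or a dd image from start to finish and counts the sectors that still hold anything other than zeros, reporting the first few LBAs so you can pull them up in a sector viewer.  It also notes whether sector 0 still carries the 0x55AA boot signature.  The device paths in the comments (\\.\PhysicalDrive0, /dev/sdb) are illustrative; point it at the disk you actually wiped, from an elevated prompt.

```python
"""Verify that a drive or image is really zero-filled (example code, not from the original post).

Reads the device in large chunks and reports how many sectors still hold
non-zero bytes and where the first few of them are.  `clean` alone zeroes
only the partitioning sectors, so after a plain `clean` most of the disk
still reports non-zero; after `clean all` nothing should.
"""
import sys
from typing import BinaryIO, List, NamedTuple

SECTOR = 512
CHUNK = 4 * 1024 * 1024  # 4 MiB per read; keep it a multiple of SECTOR for raw devices


class ScanResult(NamedTuple):
    total_sectors: int
    nonzero_sectors: int
    first_nonzero_lbas: List[int]
    mbr_signature_present: bool  # 0x55AA at offset 510: a partition table is still there

    @property
    def is_clean(self) -> bool:
        return self.nonzero_sectors == 0


def scan_zero(fp: BinaryIO, sector_size: int = SECTOR, chunk: int = CHUNK,
              max_report: int = 10) -> ScanResult:
    """Walk the whole stream; a read error (bad sector) propagates rather than passing silently."""
    total = 0
    nonzero = 0
    first: List[int] = []
    has_sig = False
    while True:
        buf = fp.read(chunk)
        if not buf:
            break
        if total == 0 and len(buf) >= 512:
            has_sig = buf[510:512] == b"\x55\xaa"
        nsect = (len(buf) + sector_size - 1) // sector_size  # last sector of an image may be short
        if buf.count(0) == len(buf):  # fast path: the whole chunk is zero
            total += nsect
            continue
        for i in range(nsect):
            if any(buf[i * sector_size:(i + 1) * sector_size]):
                nonzero += 1
                if len(first) < max_report:
                    first.append(total + i)
        total += nsect
    return ScanResult(total, nonzero, first, has_sig)


def scan_path(path: str) -> ScanResult:
    """Open a raw device (e.g. \\\\.\\PhysicalDrive0 from an elevated WinPE prompt,
    or /dev/sdb on Linux) or a dd image file, unbuffered, and scan it."""
    with open(path, "rb", buffering=0) as fp:
        return scan_zero(fp)


if __name__ == "__main__":
    r = scan_path(sys.argv[1])
    verdict = "CLEAN" if r.is_clean else "NOT CLEAN"
    print(f"{verdict}: {r.nonzero_sectors} of {r.total_sectors} sectors non-zero")
    if r.first_nonzero_lbas:
        print("first non-zero LBAs:", r.first_nonzero_lbas)
    if r.mbr_signature_present:
        print("sector 0 still carries a 0x55AA boot signature")
```

A run that dies with an OSError part-way through is a read error on the media, not a clean drive; treat that disk as unverified.  Like the wipe itself, this only sees the sectors the drive exposes, so it says nothing about HPA/DCO-hidden space.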

Again it is CLI based and may scare some folks off.

Luckily Claus has done all the digging and found two GUI based tools that might just be the cat’s meow!

Diskpartitioner V1.2 - The CD Forum – As best I could tell, this was the ending link of the original WinPE 1.0 supported DiskPart GUI tool discussion.  There are a few more in the CD Forum posts.

PE Part - The CD Forum – This seems to be the latest forum thread for a newer version that works for WinPE 2.0.  I tested this one on my running Vista system and it seemed to work pretty well.  I still prefer the CLI myself but it seems to do the job.  Haven’t tried it yet under Win PE 2.0 itself or Win PE 3.0.

PE Part - The CD Forum – Link to post #28 which still has a live-link to the XP/Vista compatible DiskPartitioner GUI application zip-file download link.  It calls the diskpart.exe file from the %systemdrive%\Windows\System32 folder automatically.

It’s pretty cool and a neat effort to make a CLI-based tool more approachable for the masses.  I’m going to spend more time with it in the coming weeks.

wipe.exe

This one isn’t a native Windows tool.  So you will need to download it and place it in your PE building structure prior to making a Win PE boot disk.  Or else copy it to a USB bootable WinPE boot stick and run it off there.

It is included as part of the Forensic Acquisition Utilities package offered by George M. Garner Jr.

According to page notes it is “…an original utility to sterilize media prior to forensic duplication.”

I have not used it on a real test system yet, so I can’t yet say how well it performs in comparison to diskpart.exe’s “clean all” command.

The idea here is that to ensure no cross-contamination of data, the forensics examiner should first wipe the drive onto which the captured duplicate image of the evidential drive will be restored.  A sterilized target carries no residue from earlier cases, so once the image is restored its hash can be expected to match the evidential drive’s (and if the target is larger, the trailing sectors are known zeros rather than stale data).  Anything found on the duplicate then came from the evidential drive and was not already sitting on the drive used for examination work.

I’m not quite sure what output it provides (zeroed, 1/0’ed, or random-patterned), how many passes it makes, or other details.  I would imagine it would zero out all sectors.

I’ll update after I have played with it a bit.

--Claus V.

Partition and Disk Management: Part III – Pesky Dell Partitions

Previously posted here at Grand Stream Dreams:

In “Part I – Dancing with Diskpart” I was working with some Dell systems and in using GParted noted some strange things with the drives that I hadn’t picked up before in using the CLI DiskPart tool.

Note: these were captured pre “clean all” which would have removed the MBR information as well as zeroed out the drives.

I captured a few screenshots for posterity from two different systems.

First there was this dual-partitioned system.

gparted

And on this other example system…

gparted3

Notice in both that “unallocated” 7.84 MiB space at the front?

Yeah, I did as well.

I also had a third laptop system from Dell that also contained that same leader section of unallocated space, the primary partition space, then an additional trailing section of unallocated space about 1 MiB in size.

What I want to see on our desktop and laptop systems is this before I create a single partition on the drive.

gparted2

Dangerous Space

There are a number of reasons why I don’t like unallocated space.  First and foremost it could be a potential hiding place for sophisticated baddies or data.

While the fallout from the Heartland payment-processor breach is still being reviewed and understood, these are great posts to familiarize yourself with the danger of unallocated space on a system.

It’s a sophisticated threat, but one that system administrators (and forensics folks) need to be aware of.  If space is unallocated on a system, stuff can be hidden there, and neither the file system nor any tool that trusts it will show it to you.  You need to identify it, assess it, and if not required, remove it.  It’s not the most common hiding-hole, but old-school tricks are becoming popular again.

Also, we are paying for use of the whole drive, and while it is tiny, that space can’t be used by the user/system.  Every bit counts!

Finally, it could conceivably throw disk partitioning activity out of whack a bit.  So having it all allocated is a good thing.

If someone brings me a (non-whole-disk encrypted) system and I find such unallocated space sitting around, I have a number of techniques to use.

If it is a new system with fast hardware, I will just use GParted to merge the space into the existing partition. Easy and fairly fast.

If it is an older system with slow hardware, I will take an ImageX image of the partition(s) and dump the WIM file to a USB disk.  Then I will do a full DiskPart series of commands to blow out the entire drive settings and re-create a single (or two) partition using all the space on the drive.  Then after formatting, I will restore the image WIM back to the system.

But what about that “unallocated space” on those Dells?

Yes, what about them.

Dell seems to prep its drives with one or both of these spaces.  These really aren’t “unallocated” but specially allocated by Dell for system recovery and diagnostic tool partitions, not normally accessible except from the BIOS.

Here are some posts that might help clear things up with this.

Inside the Dell PC Restore Partition - Dan Goodell’s awesomely detailed exploration and exposition of all things Dell partitions.  Turns out there could be up to three separate and distinct Dell specialized partitions you might encounter.  The first is the Dell Utility partition which contains diagnostic tools accessible from BIOS.  The second could be the “Dell PC Restore by Symantec" utility--colloquially referred to as DSR ("Dell System Restore")” partition.  The third might be the Dell MediaDirect Partition which allows some Dell notebooks to boot for some media-enjoyment routines without needing to bring up the full XP OS system.  Dan has all the information needed to understand and work with all things Dell partition.  It is THE resource on this area.
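To see what GParted is drawing without booting a live CD, here is an added example of my own (Python; not from Dan Goodell’s page or the original post) that parses the four MBR partition entries out of sector 0 and computes the unallocated runs between them and at the end of the disk.  It recognises type 0xDE, the Dell Utility partition, by name; the sample layout it carries is constructed to resemble the Dell systems above (a small utility partition, a 7.84 MiB cylinder-sized hole, an NTFS partition and a 1 MiB tail) and is not data from a real machine.  To run it against a live disk you pass the device path and the disk’s total sector count (fdisk -l prints it).

```python
"""Read the MBR partition table and report unallocated gaps (example code, not from the original post).

Parse the four 16-byte entries at offset 446 of sector 0, sort them by
starting LBA and compute the sectors that no primary or extended partition
claims.  Partition type 0xDE is the Dell Utility partition; other types are
named where known and otherwise printed in hex.
"""
import struct
import sys
from typing import List, NamedTuple, Tuple

SECTOR = 512
PART_TYPES = {
    0x00: "empty",
    0x05: "Extended (CHS)",
    0x07: "NTFS/HPFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0xDE: "Dell Utility (diagnostics)",
    0xEE: "GPT protective MBR",
}


class Entry(NamedTuple):
    slot: int          # table slot 1..4
    bootable: bool     # 0x80 in the status byte
    type_id: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sectors - 1

    def type_name(self) -> str:
        return PART_TYPES.get(self.type_id, f"unknown (0x{self.type_id:02X})")


def parse_mbr(sector0: bytes) -> List[Entry]:
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: blank, wiped or non-MBR disk")
    entries = []
    for slot in range(4):
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), start LBA, sector count
        status, type_id, start, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * slot)
        if type_id == 0 and count == 0:
            continue
        entries.append(Entry(slot + 1, bool(status & 0x80), type_id, start, count))
    return entries


def find_gaps(entries: List[Entry], disk_sectors: int, min_sectors: int = 1) -> List[Tuple[int, int]]:
    """Return (start_lba, length) of unallocated runs from sector 1 to the end of the disk.

    Only the MBR-level table is consulted: logical drives inside an extended
    partition are not walked, so the extended container counts as allocated.
    """
    gaps = []
    cursor = 1  # sector 0 is the MBR itself
    for e in sorted(entries, key=lambda p: p.start_lba):
        if e.start_lba > cursor:
            gaps.append((cursor, e.start_lba - cursor))
        cursor = max(cursor, e.end_lba + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - cursor))
    return [g for g in gaps if g[1] >= min_sectors]


def mib(sectors: int) -> float:
    return sectors * SECTOR / 2**20


# Constructed sample, not a real Dell image: a ~31 MiB type-0xDE utility partition at
# LBA 63, a cylinder-sized hole (16065 sectors = 7.84 MiB), an NTFS system partition,
# and a 1 MiB tail left unallocated on an 80 GB disk.
SAMPLE_DISK_SECTORS = 156_301_488
SAMPLE_LAYOUT = [
    (False, 0xDE, 63, 64_260),
    (True, 0x07, 80_388, 156_219_052),
]


def build_mbr(layout) -> bytes:
    """Assemble a sector 0 from (bootable, type, start_lba, sectors) tuples."""
    sector = bytearray(SECTOR)
    for i, (boot, type_id, start, count) in enumerate(layout):
        # CHS fields carry the 0xFEFFFF "use LBA" marker
        struct.pack_into("<B3sB3sII", sector, 446 + 16 * i,
                         0x80 if boot else 0x00, b"\xfe\xff\xff", type_id, b"\xfe\xff\xff", start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def report(sector0: bytes, disk_sectors: int) -> List[str]:
    lines = []
    entries = parse_mbr(sector0)
    for e in entries:
        flag = "*" if e.bootable else " "
        lines.append(f"{flag} slot {e.slot}: {e.type_name():28s} LBA {e.start_lba:>12d}  {mib(e.sectors):10.2f} MiB")
    # Runs under 2048 sectors (1 MiB) are alignment slack.  The classic 62 sectors after the
    # MBR fall under that threshold but are still writable space that boot managers and
    # bootkits use, so keep them in mind when you go looking for hiding places.
    for start, length in find_gaps(entries, disk_sectors, min_sectors=2048):
        lines.append(f"  unallocated:                         LBA {start:>12d}  {mib(length):10.2f} MiB")
    return lines


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. mbrgaps.py /dev/sda 156301488   (total sector count as printed by fdisk -l)
        with open(sys.argv[1], "rb", buffering=0) as fp:
            s0, n = fp.read(SECTOR), int(sys.argv[2])
    else:
        s0, n = build_mbr(SAMPLE_LAYOUT), SAMPLE_DISK_SECTORS
    print("\n".join(report(s0, n)))
```

Run with no arguments it prints the constructed sample, which reproduces the picture from the screenshots: a leading gap of 7.84 MiB between the utility partition and the Windows partition, and a 1 MiB tail.  A type byte you do not recognise, or a gap large enough to hold something, is exactly what you then open in a sector viewer.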

Delete and Remove to Unlock EISA Hidden Recovery or Diagnostic Partition in Vista - My Digital Life. Being a DiskPart guy, this was good information to know:

  1. Open a command prompt as administrator.
  2. Run Diskpart application by typing Diskpart in the command prompt.
  3. In the “Diskpart” prompt, enter rescan command and press Enter key to re-scan all partitions, volumes and drives available.
  4. Then type in list disk and press Enter key to show all hard disk drives available.
  5. Select the disk that contains the partition you want to remove. Normally, with just 1 hard disk, it will be disk 0. So the command will be:

    select disk 0

    Finish by Enter key.

  6. Type list partition and press Enter key to show all partitions on the selected disk.
  7. Select the partition that wanted to be deleted by using the following command, followed by Enter key:

    select partition x

    where x is the number of the EISA-based recovery partition to be removed and its space unlocked. Be careful with this partition number, as the wrong number may wipe your data.

  8. Finally, type in delete partition override and press Enter key.

Once the partition has been deleted, exit from Diskpart, and now users can use the much familiar and much easier Disk Management tool in Windows (diskmgmt.msc) to manipulate the freed unallocated partition. Users can create a new volume (partition) with this space, or simply merge it to existing partition by extending the size of the existing partition.

Sometimes you will have to use the “override” argument when you delete a partition so it doesn’t error out: without it, DiskPart refuses to delete protected partition types such as OEM/EISA and recovery partitions, and “override” tells it to delete the selected partition regardless of its type.

Partitioning problems - [H]ard|Forum – More DiskPart tips and helps.

Guide: How to Delete Hidden Recovery Partition on Vista - Notebook Forums and Laptop Discussion – Picks up and expands the tip offered by “My Digital Life” noted above  Forum threads are usually informative and this one really is.

How to delete Dell Service Partition - UBCD4Win Forums – and HAL: "ACPI Uniprocessor PC" vs. "Advanced Configuration and Power Interface PC"? - arsTechnica Forum.  Users came to realize they needed to update the boot.ini file after removing a Dell Service Partition, because boot.ini refers to the Windows partition by its ordinal (the partition(n) field of the ARC path) and deleting a partition that sits ahead of it shifts that number.  Be aware of this.

Dell Utility Partition Restoration – Great Grand Stream Dreams post (IMHO) that explains how to rebuild the Dell Utility Partition if you regret dumping it (not for the faint of heart), as well as just using a Dell Diagnostics boot CD to accomplish the same thing (much better IMHO).

Removing Dell partition - NotebookForums.com – After all this, I come to find out that some Dell systems have a file under the directory Dell\Utilities\DSR on some hard drives called DSRIRRemv2.exe.  Double click on this and then click the OK button to remove the Dell PC Restore partition.  However, despite looking on all our Dell systems, CD’s, and the Googles, I have been unable to find and obtain a copy of this file (or DSR folder) to test and find if it is fast or effective.

Important Considerations

A few things to keep in mind before you start whacking away these Dell partitions.

  1. If you are a PC system noobie or average home user, you probably don’t want to mess with them.  They don’t take up that much drive space and may contain critical files needed to restore your system to an operational state if it hard-crashes and you have to OEM system-restore it.  If key files there are gone and you don’t have your OEM system restore disks, you are out of luck.

  2. Advanced or pc-building enthusiasts are probably sophisticated and knowledgeable enough to strike out on their own and dump these “unallocated” spaces.  Be careful and know what you are doing.

  3. Many other OEM laptop and system builders also seem to use similar partitions and structures as Dell does.  You might want to take a look to see what is there.

  4. As a system administrator, we have a lot more tools, resources, and knowledge at our disposal and having these spaces actually presents more of a problem and issue with security and service of systems than it provides benefit for system recovery and diagnostics.  We want them cleared and gone.  That is probably not a very common scenario for most users.

You have been warned.

Bonus Tip: Taking and Saving a Screenshot in GParted

I’m a screenshot pro.

I’m also pretty good about mounting portable drives in Linux and copying files back and forth.

For some reason this was giving me fits to get those GParted screenshots over to my USB stick.

GPARTED DOCUMENTATION - SAVE_DETAILS – One method

and

GParted forum / Gparted GUI disappears – from “cmdr”:

1. Run "GPartedLive CD"
2. Take screenshot of "GParted" window
3. Start "Terminal" (by Desktop icon)
4. Attach USB stick, wait until the LED has flickered.
5. Type (first parameter is a lowercase L)

fdisk -l

6. Note device name of logical USB drive, e. g. /dev/sda1
7. Type (replace "sda1" with your USB stick's device name !) and confirm one line after the other.

    mkdir /mnt/usb
    mount /dev/sda1 /mnt/usb
    mkdir /mnt/usb/gpdebug
    cp /root/gparted.jpeg /mnt/usb/gpdebug/shot1.jpeg

8. Repeat last line as often as you need, giving the target file (shot1.jpeg) a different name, if you want to take more than one screenshot.
9. Unmounting is not necessary, if you shut down "GParted" afterwards (nothing stays from your session).

Only in my case, every time I tried the copy action it failed, even though the USB stick was seen and I could browse the folder structure just fine.

Turns out my USB stick was NTFS formatted and GParted couldn’t natively mount and write to that disk format using the regular commands.

In my case, I had to just switch over to a FAT32 formatted USB stick and I could copy to my heart’s content.

I doubt most folks use NTFS on their primary USB drives but I need to due to the size of files that I work with, particularly with imaging, as well as it improves copy performance a bit under WinPE boot work.

Cheers.

--Claus V.

Partition and Disk Management: Part II – Free and Useful Tools

In my previous post Partition and Disk Management: Part I – Dancing with Diskpart, I mentioned that I prefer to use Microsoft’s DiskPart Command-Line Options as my primary tool.

I do this for a number of reasons,

  • As I use WinPE 2.0 boot disks for primary system maintenance it is always at hand,
  • Our desktop/laptop systems are almost exclusively a single logical partition on a single system drive,
  • It’s fast and flexible for a variety of disk-prepping needs I have, and
  • because it is CLI, I look a lot smarter in front of customers than I really am.

Seriously, like I found out in the last post, sometimes when you get stuck in working with drives, volumes, formatting, and general partitioning, having an alternative tool or two is great in a pinch.

It’s even better when they are all free.

Power Reserves

When DiskPart just can’t deliver, or if I need to go to a backup plan, these are the partitioning tools I reach for first.

GParted (Linux LiveCD) 

From the project page: “GParted is an industrial-strength package for creating, destroying, resizing, moving, checking and copying partitions, and the file systems on them. This is useful for creating space for new operating systems, reorganizing disk usage, copying data residing on hard disks and mirroring one partition with another (disk imaging). See Features, before using it.”

I extolled its virtues in a previous GSD post Drive Prep Made Simple: GParted.

It has a very simple purpose, a simple interface, nice GUI support, and is very powerful for almost all disk-servicing jobs out there.

Take a look at these helpful how-to’s for more of its features.

Probably coming in at 2nd place for easy Linux partitioning solutions is

PartedMagic (Linux LiveCD),

Parted Magic is a Linux LiveCD/USB/PXE with its elemental purpose being to partition hard drives.

Optimized at approximately 30MB, the Parted Magic OS employs core programs of GParted and Parted to handle partitioning tasks with ease, while featuring other useful programs (e.g. Partition Image, TestDisk, fdisk, sfdisk, dd, ddrescue, etc.) and an excellent set of documentation to benefit the user. An extensive collection of filesystem tools are also included, as Parted Magic supports the following: aufs, ext2, ext3, ext4, fat16, fat32, hfs, hfs+, jfs, linux-swap, ntfs, ocfs2, reiserfs, reiser4, xfs, and zfs.

It’s juiced up with a number of additional applications and utilities that might make it a more convenient package than GParted alone, although GParted’s single-purpose simplicity is exactly what attracts me to it.

Best of the Rest

Since I never know when and why a partitioning failure may occur, I always like to have additional options in my system administrator’s toolbox.  While I don’t use any of these regularly, they bring a lot of knuckle to a good hard-disk management rumble.

TestDisk – CGSecurity 

TestDisk is a powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy.  TestDisk can

  • Fix partition table, recover deleted partition
  • Recover FAT32 boot sector from its backup
  • Rebuild FAT12/FAT16/FAT32 boot sector
  • Fix FAT tables
  • Rebuild NTFS boot sector
  • Recover NTFS boot sector from its backup
  • Fix MFT using MFT mirror
  • Locate ext2/ext3 Backup SuperBlock
  • Undelete files from FAT, NTFS and ext2 filesystem
  • Copy files from deleted FAT, NTFS and ext2/ext3 partitions.

HDAT2/CBL Hard Disk Repair Utility

This is a pretty advanced tool with a ream of bells and whistles.  I keep secretly waiting for a massive HDD failure on a system to occur so I can really put this utility through the paces.  Particularly with Host Protected Areas (HPA’s) and security overlay features of the drives themselves.

HDAT2 is a program for testing and diagnosing ATA/ATAPI/SATA, SSD and SCSI/USB devices.

It will not execute in a DOS session under Windows. You should make a DOS boot floppy disk or CD-ROM, boot your system from it, and execute this program from that floppy disk or CD-ROM.

HDAT2 program has 2 levels:

  • Drive level testing

    - main function is testing and repair (to regenerate) bad sectors for detected devices
    - you get a lot of information about detected devices

  • File level testing

    - read/find/check items (MBR, boot, directories, etc.) of file system FAT12/16/32
    - check/remove (regenerates) bad sectors records, flags in FAT table


Features:
  • fully implemented commands: SET MAX, SET SECURITY, Device Configuration Overlay
  • device access with interrupt 13h, direct via ATA ports, with ASPI drivers
  • detects ATA/ATAPI/SATA devices with on-board and add-on controllers
  • detects USB devices via USB ASPI driver only
  • detects SCSI hard drives via INT13h or ASPI drivers
  • other SCSI devices are detected via ASPI drivers only (must be loaded before);
    with ASPI drivers you will get more information about SCSI devices
  • test and repair device for bad sectors
  • many different test-functions for hard drives
  • resize hard drives which supports SET MAX ADDRESS/EXT
    (supports 28/48-bits LBA addressing modes)
  • drive lock detection via security feature (Security Menu)
  • S.M.A.R.T. functions for ATA/SATA and SCSI drives only
  • information about devices (ATA/ATAPI, INT13h, ASPI)
  • sector viewer for devices (also for USB, ZIP, CD-data discs)
  • to access ATA/SATA CD-ROM drive you don't need any driver or MSCDEX
  • enable/disable some features for direct-access devices
  • Device Configuration Overlay (DCO) feature set
    (you can restore a full capacity or allow/disallow some feature sets of hard drive)

Partition Find and Mount – A neat and sweet GUI tool that allows you to scan drives for lost partitions.  Once you find them, you can then mount them to view/recover the contents.  What is also very cool is that it creates both binary drive images and volume images, and can also mount images as a “virtual drive.” Great options for data-recovery specialists as well as forensics types.

Cute Partition Manager

Partition Manager is an advanced hard disk partition management utility. Using Partition Manager, you can easily add, edit, delete and manage the partitions in your computer. Most of the hard disks have plenty of space and can store plenty of data and easily accommodate more than one operating system. In order to efficiently store large amount of data or install multiple operating systems, you need to partition your hard disk with a partition management utility like Partition Manager.

EASEUS Partition Manager Home Edition.  Latest version now also contains wizards for disk copying and volume/partition copying.  The only “drawback” is that the free version doesn’t seem to support off-line booting and operation of the system hard-drive(s).  Therefore you seem to have to install it on your live Windows system, and perform the disk operation changes.  To some disk-busters, this can be a bit risky.  Be sure you read the manual and understand it, then follow the guide carefully to avoid data loss.

As Partition Magic alternative, EASEUS Partition Master Home Edition is a FREE disk partitioning utility that offers a powerful range of functions such as resizing partitions, formatting partitions, copying partitions, creating new partitions, deleting partitions, hiding partitions, changing drive letters, setting active partitions, and a handful other functions.

Ranish Partition Manager

…is a boot manager and hard disk partitioning tool. It gives users a high level of control for running multiple operating systems, such as Linux, FreeDOS, FreeBSD, and Windows 98/2k/XP on a single disk. It can create, format, copy, move, and resize up to 32 primary and extended partitions. It has a command line interface similar to gdisk and a simulation mode that works with large files instead of messing with the real disks.

Partition Logic

Partition Logic is a free hard disk partitioning and data management tool.  It can create, delete, erase, format, defragment, resize, copy, and move partitions and modify their attributes.  It can copy entire hard disks from one to another.

Partition Logic is free software, available under the terms of the GNU General Public License.  It is based on the Visopsys operating system.  It boots from a CD or floppy disk and runs as a standalone system, independent of your regular operating system.

Partition Logic is intended to become a free alternative to such commercial programs as Partition Magic, Drive Image, and Norton Ghost.

Terabyte's BootIt Next Generation (NG) (not free but too good not to be included)

BootIt NG is a partition and multi-boot manager with a powerful and simple-to-use set of tools for partitioning, imaging, and multi-booting your computer. It combines the features of several standalone products costing hundreds of dollars more.

Take a look at the product page and see all the tricks it can handle.  Well worth considering.

Trinity Rescue Kit (Linux LiveCD) because one can never ever have too many specialty Linux boot disks at hand…

Ultimate Boot CD (UBCD) – So many tools and utilities…so few disks to use it on….

Partition Resizer – Hasn’t been updated for quite along time, but might be useful for folks with older and simpler systems who don’t need all the bells and whistles.  I felt compelled to share it anyway.

Roadkil's Boot Builder – Small and tiny application.

Boot builder allows you to create your own custom boot sector from scratch. This utility allows you to recreate or restore boot sectors lost due to virus or other damage to a drive. Boot sectors can be imported/exported to a disk or created from a template. This program supports FAT and NTFS boot sector types.

Dimio's HDHacker – Another classic tiny application dead useful in a pinch.

a stand-alone micro-utility that saves, visualizes, and restores the MBR (from a physical drive), the BootSector (from a logical drive) or any specified sector from any disk (even removable disks).

HDHacker can be used, for example, to save and restore a particular boot manager (such as LILO, for example) before a new Windows setup (which, obviously, overwrites it).

An MBR and BootSector backup can also be useful for simple precautionary purposes too, since sometimes viruses or another OS setup (like Linux) could overwrite and/or alter the MBR/Boot Sectors, making it impossible to start up the previous OS and/or access data stored on the disk. HDHacker can provide "insurance" against all these types of loss.

Be aware that, depending on what volume/partition manipulations you do, you might render an otherwise working system non-bootable.

A common issue is that the boot.ini file is no longer valid as it points the boot loader to a (now) incorrect partition reference.

For additional NTFS and partition homework reading:

--Claus V.

Partition and Disk Management: Part I – Dancing with Diskpart

Sometimes I find myself on a technical issue and end up puzzling it out.

The aftermath finds me overwhelmed with linkage.  Sometimes due to the interrelatedness of the issues, I struggle a bit to get it all organized in a logical manner.

I’m having to “punt” this time and do another multi-part post.

This isn’t intended to be an end-all post series regarding Windows hard disk partitioning, but the deeper I become involved at work with disk-image deployments, whole-disk encryption, and secure data-wiping, the more I seem to come back to partition and disk-management.

In the Beginning…

As part of the workplace response to Hurricane Ike smashing into our region some time ago, our disaster response was to obtain and deploy a large number of laptops for mobile data-processing support.

When their need had passed, the laptops were returned and needed to be secure wiped, repartitioned, imaged, and returned to their original owners.

That should have been a fairly easy process.  The only “complication” was that I had to deal with mass-quantities of them.

So to save time, I used my custom Win PE 2.0 boot USB stick, fired up DiskPart.exe (part of the Win2K/XP/Vista System32 components) and planned on following my usual routine:

        1. Diskpart
        2. select disk 0
        3. clean all
        4. create partition primary
        5. select partition 1
        6. active
        7. assign letter = C
        8. exit

Followed up by a final

format C: /fs:ntfs /q /y

And then an ImageX session dumping a sysprepped WIM image on them.

Only this time when I got to step 6 I got the following error:

DISKPART> assign letter = c

DiskPart has encountered an error: The directory is not empty.
See the System Event Log for more information.

I kept going back and forth: deleting the partition, re-cleaning the disk, recreating the partitions, but got nowhere.  That same crazy error.  I was completely stumped, as no data should be on the disk/partition.

As far as I knew, that “clean all” command should have zeroed out the disk.

Granted, in the past I normally did only a “clean” command and not a “clean all”, but I wanted to zero out these drives as they were leaving our purview and I wanted to be sure any confidential customer data was scrubbed and irrecoverable.

I really like using DiskPart for these tasks, even though it is CLI, since it is fast and always at hand as part of the WinPE system files.

I had a quick turnaround required on these systems so I just pulled my GParted boot CD, booted each system, made some notes and observations, then used it to successfully recreate my NTFS partitions and move on to the imaging phase.  GParted made it a piece of cake and seemed not to care at all about the issues I was having in DiskPart with rebuilding the partition information and formatting them in NTFS.

I set the issue aside figuring it must be something strange with Dell system drives and the “clean all” command.

Months later….

Time allowed me last week to go back and try to study this issue some more due to concerns I had noted on the Dell drives related to the GParted work.  More on that in Part II.

I was servicing another laptop and going through the wipe, re-partition, and re-image process when I ran into the error yet again.

This time I had more time (and patience) to try to understand what was going wrong.

Let’s pick up after I had cleaned the sole system hard-drive (Disk 0) following steps 1-3 listed previously.  Note: Disk 1 is my bootable WinPE 2.0 boot USB flash drive, and Disk 2 is a USB portable hard-drive that contains my various system images.  Disk 0 was already selected and the focus (as noted by the asterisk in DISKPART output).

DISKPART> list disk

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
* Disk 0    Online        56 GB    56 GB
  Disk 1    Online      7872 MB      0 B
  Disk 2    Online       298 GB      0 B

DISKPART> create partition primary

DiskPart succeeded in creating the specified partition.

DISKPART> active

DiskPart marked the current partition as active.

DISKPART> assign letter = c

DiskPart has encountered an error: The directory is not empty.
See the System Event Log for more information.

DISKPART> select disk 0

Disk 0 is now the selected disk.

DISKPART> select volume 1

Volume 1 is the selected volume.

DISKPART> detail partition

Partition 1
Type  : 06
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1                      RAW    Partition     56 GB  Healthy

DISKPART> select volume

Volume 1 is the selected volume.

DISKPART> detail volume

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
* Disk 0    Online        56 GB      0 B

Read-only              : No
Hidden                 : No
No Default Drive Letter: No
Shadow Copy            : No
Dismounted             : No
BitLocker Encrypted    : No

Volume Capacity        :   56 GB
Volume Free Space      :   56 GB

DISKPART> delete volume

DiskPart successfully deleted the volume.

DISKPART> list disk

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
* Disk 0    Online        56 GB    56 GB
  Disk 1    Online      7872 MB      0 B
  Disk 2    Online       298 GB      0 B

DISKPART> list partition

There are no partitions on this disk to show.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     D                       DVD-ROM         0 B  No Media
  Volume 2     C   USBBOOTSTICK   NTFS   Removable   7872 MB  Healthy
  Volume 3     E   MYIMAGESUSB  NTFS   Partition    298 GB  Healthy

DISKPART> list disk

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
* Disk 0    Online        56 GB    56 GB
  Disk 1    Online      7872 MB      0 B
  Disk 2    Online       298 GB      0 B

(At this point I realized what was happening, why the error was happening, and took a very simple action.)

DISKPART> rescan

Please wait while DiskPart scans your configuration...

DiskPart has finished scanning your configuration.

DISKPART> list disk

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online        56 GB    56 GB
  Disk 2    Online       298 GB      0 B

DISKPART> select disk 0

Disk 0 is now the selected disk.

DISKPART> create partition primary

DiskPart succeeded in creating the specified partition.

DISKPART> active

DiskPart marked the current partition as active.

DISKPART> assign letter = c

DiskPart successfully assigned the drive letter or mount point.

DISKPART> exit

Leaving DiskPart...

X:\windows\system32>format c: /fs:ntfs /v:system /q /y

The type of the file system is RAW.
The new file system is NTFS.
QuickFormatting 57229M
Creating file system structures.
Format complete.
  58602492 KB total disk space.
  58534964 KB are available.

Mission Accomplished!

The Solution?

I’m embarrassed to confess, but I wasn’t keeping track of my letters.

See, when I made the decision to boot the system from a bootable USB drive, a RAM disk was created "drive X” from which the WinPE system runs.

It also configured the system to recognize the hosting USB drive as drive letter (volume) “C”, the portable USB hard-drive containing my images as drive letter (volume) “E”, and the system’s internal DVD-ROM drive letter (volume) as “D”.

Note another important lesson in working with DiskPart: when you “list volume” it will output all the volumes that it picks up across found disks, but it will not tell you which volume is associated with which disk.  In the output I captured you can see that.  Even though Disk 0 was my focus, when I ran the command, it listed all volumes.  I’m not sure of a good way to work around that except that in my case, all my disks were of different sizes and thus I “knew” which one went with which drive.

By puzzling on that I realized that drive C: was already claimed.  Since I was working on the RAM disk “X” I didn’t have a need (or so I thought) to care about what the other drive letters were.

I could create a primary partition on the system Disk 0 and even set it to “active” all I wanted; however, since I already had a volume holding letter “C”, DiskPart wouldn’t let me assign it, reporting that the (C) directory wasn’t empty and confusing the fire out of me with that cryptic message, even though my focus disk was Disk 0.

Since I knew that the WinPE OS was running in memory off the RAM disk, my solution was to just yank the USB flash drive out of the system, rescan for drives (so the “C” would show dropped and available for assignment), then set the drive letter for Disk 0 to “C”.

Problem solved.

A simple format command and I was good to go with the image application.

Had I not previously been in a hurry using my USB drive to boot the systems, and used a WinPE boot CD instead, I might not have had this issue.  I need to go back and test that out.

Regardless, lesson learned here was to keep track of your drive/volume letters at all times when working with DiskPart.
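As an added illustration (not code from the post), here is a small Python pre-flight check for that lesson: it parses the captured “list volume” output shown above and refuses the “assign letter” step of the wipe routine when the requested letter is already held by another volume, which is the collision behind the “directory is not empty” error. The sample output is the one captured in the post; the function names are my own.

```python
import re
import string

# Constructed sample: the "list volume" output captured in the post while WinPE was
# booted from the USB stick (the stick itself holds letter C at this point).
LIST_VOLUME_BEFORE_RESCAN = """\
DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     D                       DVD-ROM         0 B  No Media
  Volume 2     C   USBBOOTSTICK   NTFS   Removable   7872 MB  Healthy
  Volume 3     E   MYIMAGESUSB  NTFS   Partition    298 GB  Healthy
"""

def used_letters(list_volume_output):
    """Map drive letter -> volume number for every lettered volume in the output.

    DiskPart pads the leading columns to fixed widths, so the Ltr column is located
    from the header line instead of splitting on whitespace: labels may contain
    spaces, and a volume without a letter simply leaves the column blank.
    """
    lines = list_volume_output.splitlines()
    header = next(l for l in lines if "Volume ###" in l and "Ltr" in l)
    ltr_start = header.index("Ltr")
    ltr_end = ltr_start + len("Ltr")
    letters = {}
    for line in lines:
        # Data rows look like "  Volume 2 ..." or "* Volume 1 ..." (focused volume).
        m = re.match(r"^\s*\*?\s*Volume\s+(\d+)\s", line)
        if not m:
            continue
        letter = line[ltr_start:ltr_end].strip().upper()
        if len(letter) == 1 and letter in string.ascii_uppercase:
            letters[letter] = int(m.group(1))
    return letters

def check_assign(list_volume_output, wanted):
    """Pre-flight for 'assign letter=<wanted>': (ok, message).

    Run 'list volume' first, feed its output here, and only issue the assign when
    ok is True; otherwise free the letter (or pick another) and 'rescan'.
    """
    wanted = wanted.upper()
    taken = used_letters(list_volume_output)
    if wanted in taken:
        return False, "letter %s is already held by Volume %d" % (wanted, taken[wanted])
    return True, "letter %s is free" % wanted
```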

Now, on to those notes I had taken regarding the Dell drives…I still had unfinished business with them…

--Claus V.