All,
Vista is here, and I'm seeing questions about it left and right. I've
got a copy of Vista Ultimate and I'm looking to upgrade my VMWare
Workstation 5.5.2 to 6.x when it's available, because I have some of
the same questions and would like to answer them, at least for myself.
However, I got to thinking…my personal system at home is a Dell
D820, and I use it for everything…writing, coding, etc. I'm told by
folks who know that Vista on a D820 with at least 2GB of RAM r0xx0rs!
Does anyone have input, thoughts, ideas, etc., on how I could go about
getting a separate platform for Vista, aside from a VMWare session,
for doing full-out forensic testing? I'm talking extracting the
contents of physical memory, imaging (both live and post-mortem),
testing of various scenarios, etc.?
I'm asking this because I can't afford to purchase another system, and
I would like to provide tools, processes, methodologies, etc., to the
community, so my thought is to see if the community can come together
to provide the necessary testing platform.
This idea comes from something I ran into as soon as I started
presenting material on tracking USB devices across Windows systems.
Hearing what I found, some folks started to ask "what about this
device", or "what about that device"…iPods, Firewire, etc. Folks, I
can't afford to run down to the store, buy all this stuff, and then
provide the fruits of my research for free to everyone…particularly
when someone's going to come back yet again, asking for other things.
I offered to do the research if someone was willing to loan me the
equipment (I'd return it afterward), but I got no takers.
I can do testing on my own systems and VMWare platform, no problem.
However, there's going to be an upper limit to what can be done, and
people are going to be asking "yeah, okay, but what happens if it's
*not* in VMWare…??" So, in an effort to keep this sort of thing
going, I thought I'd reach out to at least this part of the community
and see if we can come together and accomplish something as a community.
Thanks,
Harlan
I'd be interested in participating.
Let's spec out a machine and see what direction we need to go in.
Harlan,
Which edition of Vista do you want to test? At last count I saw that there were five of them.
We tried Vista Home Premium as a forensic platform but it didn't work out for us. Acquisition through EnCase on Vista Home Premium did not see the physical disk, only the logical one, so forensic imaging using that version was out.
Is it hardware, OS or both you are needing? We could provide both to a certain degree. One of our guys will be in London in May. Is that where you are at?
Nate
All,
Thanks for your posts.
I have a copy of Vista Ultimate via my own personal involvement in the beta program (i.e., separate from the MSDN subscription I have via my employer).
Robert Hensing told me that a Dell D820 w/ 2GB RAM smokes Vista!
For me to do the research, all I need is the hardware…I have all of the software that I would need at this point, at least to get started (i.e., VMWare, ProDiscover, etc., etc.).
Thanks,
Harlan
Yeah, I know, but we're talking Vista here, and not just Vista…Ultimate.
All I'm trying to do is answer the questions everyone has and will have about Vista when it comes to forensics. You'd think that if everyone who's looking for free info and tools would just contribute like $0.10, we'd pretty soon have enough to buy a couple of these systems…the Dell Refurbished shelf has some great values.
Harlan
> You don't need to run Aero just to do some memory dumps.
No, you don't…but what happens when someone asks if there are any artifacts from the use of Aero? Remember, the shell actually handles a lot of "logging" (after a fashion) via the UserAssist key, etc. Aero is new, and I'm sure folks are going to be asking about artifacts associated with it.
> How much do they go for on the refurb site?
I bought my current D820 off the refurbished site for $2k last year, and it has 4GB of RAM.
Going to the site, and searching on just D820s with 2GB RAM, I'm finding prices ranging from around $1K to just under $1700.
Keep in mind that things that will need to be tested include BitLocker, ReadyBoost, etc.
Harlan
Half would still leave half to be covered.
The reason that there is a lot of research that never makes it into public view is because someone pays for it and owns it. I've done network exploitation research before, and all of that was ultimately owned by the client who paid for it.
What I still don't understand is the number of people in this field who do this work but don't do any original research of their own, or if they do, they don't publish any of it. I look at the USB device stuff I published…Cory and I did all of that research on our own, and it's pretty hot, even today! I see it brought up on the EnCase user forums all the time.
We published that research and have provided it for free.
I have written tools for parsing Windows 2000 RAM dumps and provided them for free to the entire community. I not only did all of the research and coding, but I purchased a product that would allow me to create standalone executables of the Perl scripts so that an even wider range of analysts had access to the tools and functionality. I've provided all of this for free, even though it has cost me money from my own pocket to do so.
Even with my new book available, I'm still getting requests for the code I've written, and those requests include the compiled executables…and I am providing them, for free.
So now I'm getting questions like, "what research have you done into Vista?" and "do your tools work on Vista images?" With all of the folks who are interested in getting credible, researched information for free, there seem to be a lot of folks also expecting me to continue forking out my own money just to get the basic materials required. I just thought that if all of those folks who want this information for free were to put in like $5 or so, surely there'd be enough to purchase a couple of systems (not that I'm asking for that…)…
Guess maybe I was wrong, guys. Sorry.
Harlan
Harlan,
Perhaps this is a matter of presentation.
What precisely are you asking for?
I've been doing a reasonable amount of Vista research already - I've covered a number of things on my blog. Currently I'm looking at tagging and saved searches, and I'm ready to post about tags. I haven't tested your tools - I don't have the DVD from the new book yet.
I can give you remote access (a box just for you in fact - with admin rights) to a Vista box running Business or Enterprise or whatever license you want - 3GHz, 1GB RAM, but I can't give it to you even though I know it wouldn't be a waste of resources.
> What precisely are you asking for?
A suitable system for testing Vista Ultimate (IR and CF research) in a manner that will be pertinent to what we're going to see in the real world.
"Robert Hensing told me that a Dell D820 w/ 2GB RAM smokes Vista!"
"…searching on just D820s with 2GB RAM"
As I have already stated, I have Vista Ultimate, and VMWare, but I'm waiting for the upgrade.
Unfortunately, I can't give what I don't have and I've offered what I do have. I can donate a few bucks, but I and others have certainly supported your work by buying your books. If this method of obtaining a system doesn't work for you, perhaps a grant or going after vendors for help would be the next best thing?