
SANS ISC InfoSec Handlers Diary Blog



Wipe, rinse and repeat

Published: 2011-03-18
Last Updated: 2011-03-18 13:43:13 UTC
by Chris Mohan (Version: 1)

Most of us have faced a time when a machine gets compromised with malware. In some cases cleaning the infected computer is too time consuming or too difficult, so the easy option is to wipe the machine and rebuild it.

Just before the forensic community (or some of my fellow handlers) lynch me for making this over-generalised, evidence-eliminating statement, allow me to elaborate.

“Nuke it from orbit”*

The format and rebuild statement normally comes from the following groups:

  • Management
  • Overworked IT staff
  • The owner who’s just spent the last hour on search engines on how to fix their “slow” (utterly infected) PC
  • The security team

The first three can be grouped as those that are not interested in analysing, understanding or knowing what happened on the particular machine. They just want their machine(s) back to normal ASAP so they can go about their business.

The security team, in contrast, have made this call as part of a calculated decision, after collecting the evidence they need to get the business running safely again.

The decision to rebuild is considerably easier for those with a standard operating environment (SOE) or managed operating environment (MOE). This allows for a rapid deployment of a fully functional operating system with all the previous applications. This is a thing of beauty, bringing tears of joy to the most hardened PC tech, as it’s a fast, reliable and easy complete redeployment with a simple press of a few buttons. The assumption is - and I want to be very clear on this - that any user data is safely saved elsewhere, not on the PC about to be formatted and rebuilt.

The problem child

So what happens when you are confronted with a machine that needs to be wiped and re-built but no-one has a clue what’s on it and if it’s ever been backed up?

I like to call this the friend/family pc scenario or the forgotten machine, out back, that runs the company disaster-in-waiting issue.

Before even thinking about nuking this type of PC, there are normally two distinct areas to be worried about on these systems: data and applications.

For the very wise or very paranoid amongst us, a full image of the troublesome system is the way to go. This provides a working image of the machine to refer back to quickly and avoids a great deal of painful conversations along the lines of “but you never mentioned that”. Tools such as Sysinternals' Disk2vhd [1] make a complete online virtual image of the problem system. For those that run other virtualisation software it’s pretty easy to convert the Disk2vhd's .vhd file to other formats using your favourite virtualisation technology.

Close encounters

You have a backup, whether it is a virtual image, a standard backup or a copy of the PC's entire contents on an external drive; the next step is to know what you’re getting into.

An audit of all the known software on the machine, with first a verbal interrogation of the owner followed by a physical examination of the machine, provides a solid picture of what needs to be on the clean system. This is where recording your findings, conversations with the owner and the processes used to rebuild the machine can help in the future, should this happen again.

Dude, where’s my data?

Losing data doesn’t sound too bad until that data is someone’s child’s first steps or the company payroll. Here is a suggested list of files and folders to be sure you have:

  • Browser favourites and configuration files
  • Microsoft Office configuration
  • Email folders (.pst files and the like)
  • The entire My Documents folders
  • Game files
  • User profiles
  • Files and folders saved in weird locations only known to the owner or application

To alleviate some of the pain of manually hunting for these files, Microsoft offers a number of tools to export data off the machine, and these are well worth reviewing:

  • Office Save My Settings Wizard [2]
  • File and Settings Transfer Wizard [3]
  • User State Migration Tool [4]
  • Windows Easy Transfer [5]
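
One way to confirm that the user data listed above actually made it into the backup before the wipe, as an added example that is not part of the original diary: hash every matching file on the source and compare it with the copy. The extension list, function names and the sample tree are assumptions made up for illustration.

```python
import hashlib
import os
import tempfile

# Assumed extension list for illustration; extend it for the machine at hand.
USER_DATA_EXTS = {".pst", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".sav"}

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte .pst does not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root, exts=USER_DATA_EXTS):
    """Map relative path -> SHA-256 for every matching file under root."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in exts:
                full = os.path.join(folder, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest

def verify_backup(source_root, backup_root, exts=USER_DATA_EXTS):
    """Return (missing, mismatched); both lists empty means the copy is complete."""
    source = build_manifest(source_root, exts)
    backup = build_manifest(backup_root, exts)
    missing = sorted(p for p in source if p not in backup)
    mismatched = sorted(p for p in source if p in backup and source[p] != backup[p])
    return missing, mismatched

def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)

def demo():  # constructed sample tree: one file intact, one truncated, one forgotten
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = os.path.join(tmp, "src"), os.path.join(tmp, "bak")
        _write(src, "Users/amy/Documents/payroll.xlsx", b"payroll-2011")
        _write(bak, "Users/amy/Documents/payroll.xlsx", b"payroll-2011")
        _write(src, "Users/amy/mail/archive.pst", b"mailbox" * 100)
        _write(bak, "Users/amy/mail/archive.pst", b"mailbox" * 50)   # truncated copy
        _write(src, "OldApp/data/first_steps.jpg", b"\xff\xd8jpeg")  # never copied
        return verify_backup(src, bak)
```

Point `verify_backup` at the root of the suspect drive and at the root of the backup copy; anything in either returned list needs to be recopied before the machine is formatted.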

Game over man, game over


Applications are just as important for any system, so ensuring you can get copies of the installation media and the license keys for software, including the original operating system, is a must.

For lost license keys, software such as The Magical Jelly Bean Keyfinder [6] can get back most standard product keys.

For those applications for which the original installation media no longer exists and the vendor can’t supply a replacement copy, this may be an opportunity to upgrade or migrate to a new application.

As a final note, be aware that there may be wacky hardware installed and the drivers for ancient ISDN/video/sound/modem/and so on cards were last seen back in the 90’s. The very best of luck with that.


As always, if you have any better suggestions, insights or tips please feel free to comment.


[1] http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx
[2] http://support.microsoft.com/kb/312978
[3] http://support.microsoft.com/kb/293118
[4] http://technet.microsoft.com/en-us/library/dd560801(WS.10).aspx
[5] http://windows.microsoft.com/en-US/windows7/products/features/windows-easy-transfer
[6] http://www.magicaljellybean.com/keyfinder

*This frequently used phrase is taken from the movie Aliens and the actual quote from the character Ripley is: "I say we take off and nuke the entire site from orbit. It’s the only way to be sure."

Who knew James Cameron was really making a movie about the folly of poor incident response? Ripley is the lead incident handler dealing with this infection outbreak and she’s decided that Step 4 of the incident handling process [7], eradication, is the only real way forward. The business owner, Burke, disagrees; he later discovers he should have really taken Ripley’s expert advice to save himself from what is certainly a very painful way to go.

[7] http://www.giac.org/resources/whitepaper/network/17.php


Chris Mohan --- Internet Storm Center Handler on Duty
