Re: Windows HD image for forensics testing

From: Simson L. Garfinkel (simsongat_private)
Date: Mon Jul 14 2003 - 17:11:47 PDT


    > The people that I know with Windows honeypots aren't sure if it is legal 
    > to post the images.  It likely violates the Microsoft license since 
    > you are basically distributing a free copy of Windows.
    
    Well, there is a way around this problem.
    
    1. Write a program that extracts the Windows DLLs, EXEs, etc., to 
    "distfile1" from an existing Windows system.
    2. Write a program that takes the Windows Honeypot image and removes 
    everything that is in "distfile1".  Call this "distfile2".
    3. Distribute "distfile2" and a program that takes "distfile1" and 
    produces the honeypot image.
    
    This isn't a novel idea. Think of distfile2 as a patchfile and program 
    #3 as "patch".
    
    
    >
    > brian
    >
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management and 
    > tracking system please see: http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 15 2003 - 11:45:50 PDT
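
The three-step scheme from the message above, sketched at disk-block granularity as an added example that is not part of the original post. The function names, the 4096-byte cluster size, and the in-memory sample data are all assumptions made for illustration.

```python
import hashlib

BLOCK = 4096  # assumed cluster size; file data in the image is cluster-aligned

def _blocks(data):
    for off in range(0, len(data), BLOCK):
        yield data[off:off + BLOCK]

def _digest(block):
    return hashlib.sha256(block).hexdigest()

def build_distfile1(stock_files):
    """Step 1: index every block of the stock system files by its hash."""
    return {_digest(b): b for f in stock_files for b in _blocks(f)}

def build_distfile2(image, distfile1):
    """Step 2: swap each block that exists in distfile1 for a hash reference."""
    blocks = []
    for b in _blocks(image):
        d = _digest(b)
        blocks.append(("ref", d) if d in distfile1 else ("raw", b))
    # The whole-image hash lets the recipient verify the reconstruction.
    return {"sha256": hashlib.sha256(image).hexdigest(), "blocks": blocks}

def rebuild_image(distfile2, distfile1):
    """Step 3: recombine distfile2 with the recipient's own distfile1."""
    out = bytearray()
    for kind, val in distfile2["blocks"]:
        if kind == "raw":
            out += val
        elif val in distfile1:
            out += distfile1[val]
        else:
            raise KeyError(f"recipient's system lacks block {val[:12]}")
    if hashlib.sha256(out).hexdigest() != distfile2["sha256"]:
        raise ValueError("rebuilt image does not match the original hash")
    return bytes(out)

# Constructed sample data: two "stock" files and an image that embeds them
# next to one block of content unique to the honeypot.
STOCK = [b"MZ" + b"A" * 8190, b"MZ" + b"B" * 4094]
IMAGE = (b"\x00" * BLOCK + STOCK[0]
         + b"intruder toolkit".ljust(BLOCK, b"\x00") + STOCK[1])

if __name__ == "__main__":
    d1 = build_distfile1(STOCK)
    d2 = build_distfile2(IMAGE, d1)
    print([kind for kind, _ in d2["blocks"]])
    print(rebuild_image(d2, d1) == IMAGE)
```

If the recipient's system files differ from those the image was built on, the referenced blocks are absent and `rebuild_image` raises instead of returning a silently wrong image.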