Thursday, September 29, 2005

My New PowerBook and MS Virtual PC vs Snapshots

I decided to take the plunge and get a new 12" Apple PowerBook when I had the opportunity to choose what to buy after starting my new job. Sarah used to have an iBook when she was teaching, and it was definitely fun to play with to see what kind of Unix-fu I could perform on it. Add in my desire to learn more about forensics and incident response for Macs and I couldn't resist the urge. It took almost a week to start feeling productive and efficient with it.

Where am I going with this? Well, I love playing with malware and testing incident response techniques on virtual machines. My first love is VMware, but there is no Mac version, so I am forced to use MS Virtual PC. Unfortunately, it doesn't do snapshots like VMware...BUMMER! I'm not really a fan of undo disks, but it may be what I am forced to do. One idea was to use a tool like Deep Freeze or ShadowUser to lock the system so that any changes were undone with a reboot, which is a bit like a costly version of undo disks. I am going to test each method and see which is the easiest and most efficient. Until I decide, I will be making duplicates of my VPC files, working on the dupe and deleting it after my test.
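The duplicate-and-discard routine described above is easy to get wrong by hand (analysing the original by mistake, or never noticing that the pristine image drifted). Below is an added example, not code from the post, that scripts it: fingerprint the pristine VM directory, work only on a fresh copy, confirm afterwards that the pristine copy is byte-for-byte unchanged, then throw the copy away. The directory layout, the `disk.vhd` and `vm.vmc` file names and the `run_demo` sample are constructed for the demonstration; it uses whichever of `sha256sum` (Linux) or `shasum` (macOS) is present.

```shell
#!/bin/sh
# Duplicate-and-discard workflow for a Virtual PC style image directory.
# Added example; all paths and file names below are constructed, not from the post.
set -eu

# SHA-256 of stdin: sha256sum on Linux, shasum on macOS. Prints only the digest.
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# Fingerprint a whole directory: hash every file in a stable order, then hash that listing.
hash_tree() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s  %s\n' "$(sha256 < "$f")" "$f"
    done ) | sha256
}

# Make a fresh working copy of the pristine image; the sample only ever touches the copy.
make_work_copy() {
  gold=$1 work=$2
  rm -rf "$work"
  cp -R "$gold" "$work"
}

# Succeeds only if the pristine image still matches the fingerprint taken before analysis.
verify_gold() {
  [ "$(hash_tree "$1")" = "$2" ]
}

# Throw the working copy away once the test is done.
discard_work_copy() {
  rm -rf "$1"
}

# Demonstration on a constructed sample "image" (plain text files, not a real .vhd).
run_demo() {
  lab=$(mktemp -d)
  mkdir -p "$lab/gold"
  printf 'pristine disk image\n' > "$lab/gold/disk.vhd"
  printf 'vm config\n' > "$lab/gold/vm.vmc"
  baseline=$(hash_tree "$lab/gold")

  make_work_copy "$lab/gold" "$lab/work"
  # Stand-in for the sample modifying the disk during analysis.
  printf 'modified by sample\n' >> "$lab/work/disk.vhd"

  if verify_gold "$lab/gold" "$baseline"; then result=unchanged; else result=TAMPERED; fi
  discard_work_copy "$lab/work"
  rm -rf "$lab"
  echo "$result"
}

run_demo   # prints "unchanged": the copy was altered, the pristine image was not
```

The baseline fingerprint is taken before the copy is made and checked after the copy is discarded, so if an analysis tool (or the analyst) ever wrote into the pristine directory, the next run reports TAMPERED instead of silently starting from a dirty baseline.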

ADDENDUM: I have settled on Undo Disks. The additional software adds a level of unneeded complexity and that is something I definitely don't desire when doing malware analysis. One feature I found during testing is the ability to carry forward changes during reboots when using Undo Disks. Sometimes it is necessary to reboot during analysis to see how malware will react...nice feature! One thing I did not check was how this affects booting up with Helix and dd'ing the hard drive. That is one more test to check. :-)
