Sunday, March 09, 2008

what is outside-the-box analysis?

outside-the-box analysis refers to the practice of examining a suspect system from the outside using a trusted external environment while the suspect system's OS (and everything else installed on it) is inactive...

the primary benefit of this practice is that any malware on the suspect system will be unable to actively hide (using stealth) or actively defend itself against the tools used to perform the analysis, because the malware won't be running in the first place... it is a long held axiom that you cannot trust a suspect system to accurately report its own integrity, because any active malware can force the system to lie or can even attack the software asking the questions... operating in an environment where this can't happen gives you an advantage over such malware...

in common practice there are two main ways of providing a trusted external environment in which to examine a suspect machine... the first is to use a second physical computer to which you connect the suspect machine's hard disk as a so-called 'slave' drive... this is a relatively straightforward method that most people are able to do, assuming they have a second machine available and can be talked through taking the hard disk out of the suspect machine and putting it in the second machine...

the second method is to boot the suspect system from an operating system on a known-clean removable medium like a floppy disk, CD, or USB flash drive... LiveCDs are a familiar concept to linux users, and old-timers will probably remember using known-clean bootable floppies on their old DOS machines... for windows there is something similar called a pre-installation environment that provides much the same kind of functionality, but microsoft has been slow in recognizing the need to put that functionality in the hands of users, which led to the development of the BartPE disk (which has been mentioned many times on this blog before, both by myself and recently in a comment by vesselin, but is discussed even more by chris quirke in relation to the utility of a maintenance OS)...
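as an added illustration (my own, not something from the original post) of what you actually do once the suspect disk is slaved into the trusted machine or the machine has been booted from a clean medium: mount the suspect volume read-only, hash the files in the directories you care about, and compare them against a baseline manifest taken from a known-clean install... the mount point, the baseline and the directory names below are assumptions for the example...

```python
import hashlib
import os

# hypothetical mount point: the suspect drive slaved into the trusted machine
# (or the local disk as seen from a LiveCD/BartPE boot), mounted read-only so
# nothing on it is executed or altered during the examination
SUSPECT_MOUNT = "/mnt/suspect"


def sha256_of(path, chunk_size=1 << 20):
    """hash a file in chunks so large binaries don't need to fit in memory"""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(mount_point, subdirs):
    """walk selected directories under the offline mount and hash every regular
    file; paths are reported relative to the mount so they line up with a
    baseline manifest that was built on a different machine"""
    hashes = {}
    for subdir in subdirs:
        root = os.path.join(mount_point, subdir)
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue  # symlinks and device nodes are not hashed
                hashes[os.path.relpath(full, mount_point)] = sha256_of(full)
    return hashes


def compare_to_baseline(observed, baseline):
    """split the offline view into files the clean baseline knows nothing about
    (added), files whose content differs (changed) and files that are gone
    (missing); since the suspect OS is not running, nothing can hide these"""
    added = sorted(p for p in observed if p not in baseline)
    changed = sorted(p for p in observed if p in baseline and observed[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in observed)
    return {"added": added, "changed": changed, "missing": missing}


if __name__ == "__main__":
    # a real baseline would be loaded from a manifest built on a known-clean install
    baseline = {}
    report = compare_to_baseline(hash_tree(SUSPECT_MOUNT, ["Windows/System32"]), baseline)
    for category, paths in report.items():
        print(category, len(paths))
```

anything in the 'added' or 'changed' lists is where the manual examination starts; the point is that the list came from a system that was never given the chance to lie about itself...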
