Post ILookIX Install – Mandatory Setup Changes
Step 1. Install – Update for .NET Framework 3.5 SP1
Select your OS from http://support.microsoft.com/kb/959209 and install the update for .NET Framework 3.5 SP1 if it is not already installed. (This is an update to SP1; it is not a new service pack.) You can find your currently installed .NET Framework version by checking [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\<version>].
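The following is an added example, not part of the Perlustro guide, that reads the .NET 3.5 install flag, version string and service-pack level from the NDP key the step above points to (the Install, Version and SP values exist under NDP\v3.5 on a 3.5 SP1 install):

```powershell
# Added example (not from the Perlustro guide): report the installed .NET 3.5
# build and service-pack level from the registry key the guide names.
function Get-DotNet35Status {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Installed = $false; Version = $null; SP = $null }
    }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Installed = ($p.Install -eq 1)
        Version   = $p.Version   # e.g. "3.5.30729.x"; compare with the KB959209 page for your OS
        SP        = $p.SP        # 1 = Service Pack 1 present
    }
}

$status = Get-DotNet35Status
$status | Format-List
if (-not $status.Installed) {
    Write-Warning '.NET Framework 3.5 is not installed'
} elseif ($status.SP -lt 1) {
    Write-Warning '.NET Framework 3.5 is installed without SP1; install SP1 and then the KB959209 update'
}
```

The script only reads the registry and can be run as any user; compare the Version string it prints with the build listed on the KB959209 page for your operating system to confirm the update itself has been applied.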
Step 2. User Permissions and Login
Before you begin the post install changes, make sure you are logged in as an administrative level user with an account that has a password assigned to it. A password is mandatory.
If you have not done so, at the root of the boot drive, reset the permissions to FULL CONTROL for the entire root folder system and all subfolders and files for the current user. This presumes the current user is in the Administrators group but is not the account named “Administrator”. Failure to follow this step will cause a total failure of the supporting SQL Server framework.
Step 3. Disable Indexing (BEGIN WIN 7 CHANGES)
Disable indexing on the system itself, not just on individual drives. The service is named “Windows Search” in the Services list under Computer Management (on Vista as well). If you disable the service and it returns later because of a service pack update, remove the service with SC.exe using its service name.
Disable the service in Computer Management (Control Panel). Issue a stop, then make sure the startup type of the indexing service is set to DISABLED.
[Screenshot: Vista with the Indexing Service turned off.] Indexing Service and Windows Search can BOTH be installed and running, so check that neither remains running.
Why? Among other reasons of equal merit, there is the fact that if you allow the OS index engine to extract metadata from investigated files that are accessible to the OS, it will contaminate the forensics platform’s own local index files with data from the evidence. Until ILookIX, detailed examination of those index files did not exist in computer forensics at the file system level. The file-level view is a radically more revealing analysis than one that uses the Windows APIs to access the indexes.
Step 4. STOP Automatic Updates in Windows and STOP any Wireless or network connections that depend on Win updates
This section is CRITICAL for users who have the Analysis Pack option in ILookIX.
In particular, if you have Wi-Fi connections you must disable Windows Automatic Updates. You can find these services in Msinfo32, where the service names look like these:
Automatic Updates wuauserv Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Wireless Configuration WZCSVC Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
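Steps 3 and 4 both come down to stopping a service, setting its startup type to Disabled and then confirming that it really stayed down. The following added example (not the guide's own code) does that for the services the two steps name: WSearch (Windows Search), cisvc (the legacy Indexing Service), wuauserv (Automatic Updates) and WZCSVC (Wireless Zero Configuration on XP). Wlansvc, the WLAN AutoConfig service that replaces WZCSVC on Vista and 7, is added here as an assumption about which wireless service applies on those versions. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the Perlustro guide. Stops and disables the
# indexing, update and wireless services from Steps 3 and 4, then re-reads
# the real state instead of trusting the calls. Service names:
#   WSearch  - Windows Search          cisvc   - legacy Indexing Service
#   wuauserv - Automatic Updates       WZCSVC  - XP Wireless Zero Config
#   Wlansvc  - WLAN AutoConfig (Vista/7 successor of WZCSVC; assumed relevant)
$services = 'WSearch', 'cisvc', 'wuauserv', 'WZCSVC', 'Wlansvc'

function Disable-ServiceAndVerify {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Not installed on this machine (e.g. WZCSVC on Windows 7): nothing to do
        return [pscustomobject]@{ Name = $Name; Present = $false; Status = $null; StartMode = $null }
    }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled

    # Verify from a fresh query; Win32_Service exposes StartMode on PowerShell 2.0
    $svc = Get-Service -Name $Name
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    [pscustomobject]@{ Name = $Name; Present = $true; Status = $svc.Status; StartMode = $wmi.StartMode }
}

$results = $services | ForEach-Object { Disable-ServiceAndVerify -Name $_ }
$results | Format-Table -AutoSize

# Flag anything that is still running or not set to Disabled. The guide's fallback
# for a service that a service pack keeps bringing back is "sc.exe delete <name>".
$results |
    Where-Object { $_.Present -and ($_.Status -ne 'Stopped' -or $_.StartMode -ne 'Disabled') } |
    ForEach-Object { Write-Warning "$($_.Name) is still $($_.Status) / $($_.StartMode)" }
```

Keep the table it prints with the examination notes; it records which services were present and in what state they were left, which is the same information the guide asks you to keep from msinfo32.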
Step 5. Reset network TCPIP parameters
This section is CRITICAL for users who have the Analysis Pack option in ILookIX.
On Windows Vista or Windows 7, you must disable the Vista TCP/IP parameters that cause TCP session packets to be compressed. Running the following commands at a command prompt reverses that setting. Run the bracketed commands below only as Admin.
Note: The ILookIX anti-virus option will NOT function on Windows Vista or 7 unless this change is made!
Capture the screen to Notepad (mark, select, copy, then paste into Notepad).
Now, back at the command prompt, execute these four commands:
Now run it again:
The output should again be captured to Notepad and kept for future reference, or to undo the above commands.
Step 6. Disable Hibernation
Stop hibernation in Vista. ALL Vista installs include the ability to hibernate. There is no Windows GUI application to disable it directly. It must be disabled from an ADMIN-elevated terminal window by typing the following command:
C:\> POWERCFG -H OFF
Step 7. Set Power to no savings
In the BIOS, cancel all power saving features for video, CPU power-down and the like. Any power management setting that is already set never to power down on a time interval can be left in place.
Power saving can be a serious CPU drain that you will never be aware of once you are booted into Windows.
[Screenshot: Vista Power Settings screen.] If the BIOS does not provide power savings settings for you to turn off, make certain the current power settings in Control Panel do not allow time-based slowdowns of the CPU, the hard drives or the monitor. A monitor shutdown issues interrupt calls to the CPU, which in turn stall some threads in SQL Server while it is running, not just while ILookIX is running.
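Steps 6 and 7 can be applied and checked from one elevated prompt. The following added example (not the guide's own code) runs the guide's POWERCFG -H OFF, sets the monitor, disk, standby and hibernate timeouts of the active power plan to 0 (never) on both AC and battery, and then verifies hibernation is off by reading the HibernateEnabled value under HKLM\SYSTEM\CurrentControlSet\Control\Power and checking whether hiberfil.sys still exists. BIOS-level settings cannot be read this way and still have to be checked by hand.

```powershell
# Added example, not part of the Perlustro guide. Applies Step 6 (hibernation off)
# and the Control Panel half of Step 7 (no time-based power-down), then verifies.
function Disable-HibernationAndTimeouts {
    & powercfg.exe -h off

    # powercfg -change <setting> <minutes>; 0 means "never" for every alias below
    $timeouts = 'monitor-timeout-ac', 'monitor-timeout-dc',
                'disk-timeout-ac',    'disk-timeout-dc',
                'standby-timeout-ac', 'standby-timeout-dc',
                'hibernate-timeout-ac', 'hibernate-timeout-dc'
    foreach ($setting in $timeouts) {
        & powercfg.exe -change $setting 0
    }
}

function Test-PowerSettings {
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    # File.Exists sees hidden/system files, which hiberfil.sys is
    $hiberfil = [System.IO.File]::Exists("$env:SystemDrive\hiberfil.sys")
    [pscustomobject]@{
        HibernateEnabled = $power.HibernateEnabled   # expect 0 after powercfg -h off
        HiberfilPresent  = $hiberfil                 # expect False
        ActiveScheme     = (& powercfg.exe -getactivescheme)
    }
}

Disable-HibernationAndTimeouts
$check = Test-PowerSettings
$check | Format-List
if ($check.HibernateEnabled -ne 0 -or $check.HiberfilPresent) {
    Write-Warning 'Hibernation is still enabled; re-run from an elevated prompt'
}
```

Run `powercfg -query` afterwards if you want the full plan dumped to a file for the examination record alongside the screenshots the guide asks for.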
Step 8. Disable Recycle Bin
Disable the Recycle Bin in the registry or on the desktop. There is little benefit to Recycle Bin usage on any drive used for forensics generally. If the CPOINT and main Windows SET TEMP locations are subject to the Recycle Bin, it will severely hamper ILookIX operations. It will also cause data infiltration on the forensics machine.
Right-click the Recycle Bin on the desktop and turn it off per drive if necessary; otherwise, manage it for all drives by setting them NOT to use the Recycle Bin.
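The registry route the step mentions is the Explorer policy value NoRecycleFiles, which makes deleted files bypass the Recycle Bin for the current user on every drive. The following added example (not the guide's own code) sets that policy, verifies it, and counts what is currently sitting in the bin through the Shell.Application COM object so that a non-empty bin on an examination box gets noticed. Explorer applies the policy after it restarts or the user logs on again.

```powershell
# Added example, not part of the Perlustro guide. Enforces "do not move deleted
# files to the Recycle Bin" for the current user via the Explorer policy value,
# then verifies and reports anything still parked in any volume's bin.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-NoRecycleBin {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name NoRecycleFiles -Value 1 -Type DWord
}

function Test-NoRecycleBin {
    $v = (Get-ItemProperty -Path $policyKey -Name NoRecycleFiles -ErrorAction SilentlyContinue).NoRecycleFiles
    return ($v -eq 1)
}

function Get-RecycleBinItemCount {
    # 0x0A is CSIDL_BITBUCKET, the virtual folder that merges every drive's bin
    $shell = New-Object -ComObject Shell.Application
    $bin = $shell.NameSpace(0x0A)
    return $bin.Items().Count
}

Set-NoRecycleBin
if (-not (Test-NoRecycleBin)) { Write-Warning 'NoRecycleFiles policy was not written' }
$count = Get-RecycleBinItemCount
if ($count -gt 0) { Write-Warning "$count item(s) still in the Recycle Bin; empty it before processing evidence" }
```

The policy is per user, so apply it for every account that will run ILookIX; the desktop setting the guide describes (per-drive "Don't move files to the Recycle Bin") is the equivalent for the interactive user and can be used instead.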
Step 9. If you run Illicit Image Detection as an Option – You may have to remove other applications which interfere with graphics GDI processing.
Application software that diverts Windows file associations away from the Windows GDI default may cause stoppages in processing illicit images. Usually these applications are CD-ROM writing software. This can also be caused by other GPL-based graphics packages. Applications that use device drivers to attach to removable media are also potential issues.
Step 10. STOP Windows Firewall directly and stop any other 3rd-party firewall.
Turn off Windows Firewall in Control Panel and disable any other firewall software installed.
This is mandatory for using the ILookIX virus detection option. A running firewall will also hamper performance on Win 7 and Vista.
We must presume here that, as a forensics processing machine, the system has no full active network connectivity and a firewall is therefore not needed. An exception is if the system is virtualized or local port access is used for a specific investigative process. Windows Firewall or another firewall can easily be turned back on when connecting to the internet, and it is advisable to use one during any net-connected session regardless. But the simple fact remains that the forensic examination of machines with unknown harmful content needlessly endangers all internet users if the investigation machine itself is connected during such an examination.
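Because the step expects the firewall to be off only for the offline examination and back on for any connected session, it helps to have one routine that switches all profiles and records the resulting state each time. The following added example (not the guide's own code) does that with netsh advfirewall, which is present on Vista and 7; it parses the profile state lines from the netsh output so that the script can confirm the switch took effect rather than assuming it did. Third-party firewalls have their own controls and are not covered.

```powershell
# Added example, not part of the Perlustro guide. Turns Windows Firewall off for
# all profiles (Step 10) or back on before network use, and verifies the result
# by parsing "netsh advfirewall show allprofiles state".
function Get-FirewallState {
    $out = & netsh.exe advfirewall show allprofiles state
    $state = @{}
    $profile = $null
    foreach ($line in $out) {
        # Section headers look like "Domain Profile Settings:"; the state line
        # inside each section looks like "State                 ON"
        if ($line -match '^(\w+) Profile Settings:') { $profile = $Matches[1] }
        elseif ($profile -and $line -match '^State\s+(ON|OFF)') { $state[$profile] = $Matches[1] }
    }
    return $state
}

function Set-FirewallAllProfiles {
    param([ValidateSet('on', 'off')][string]$State)
    & netsh.exe advfirewall set allprofiles state $State | Out-Null
    $after = Get-FirewallState
    foreach ($p in $after.Keys) {
        if ($after[$p] -ne $State.ToUpper()) { Write-Warning "$p profile is still $($after[$p])" }
    }
    # Keep a dated record of every change for the examination notes
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    "$stamp firewall set $State : " + (($after.Keys | ForEach-Object { "$_=$($after[$_])" }) -join ' ') |
        Out-File -FilePath "$env:USERPROFILE\firewall-state.log" -Append
    return $after
}

# Offline examination: Set-FirewallAllProfiles -State off
# Before connecting:   Set-FirewallAllProfiles -State on
Get-FirewallState | Format-Table -AutoSize
```

Run it from an elevated prompt; netsh refuses the `set` without administrative rights, and the verification pass would then report the profiles unchanged.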
Step 11. RESET IE Settings from default
Reset the Windows Internet Explorer (not other browsers) security level to Medium, reduced from the default of “Medium-high”. [Screenshot: Internet Explorer security level set to Medium.]
Step 12. Using an Admin command prompt, paste this registry change into the cmd window – it will run at that time:
rem Register DLLs that come with Perlustro ILookIX but which may not otherwise register on install
rem on a Windows 64-bit installation of any version
set TARGET_DLL1="C:\Program Files (x86)\Perlustro\ILookIX\dsofile.dll"
set TARGET_DLL2="C:\Program Files (x86)\Perlustro\ILookIX\dten600.dll"
rem Register each DLL silently; regsvr32 reports a non-zero exit code on failure
regsvr32 /s %TARGET_DLL1%
regsvr32 /s %TARGET_DLL2%
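A silent regsvr32 gives no visible feedback, so it is worth confirming the registration actually landed. The following added example (not the guide's own code) registers the two DLLs named in the step and then verifies each by searching the CLSID hives for an InprocServer32 entry that points at the file; on 64-bit Windows a 32-bit COM server is recorded under Wow6432Node, so both views are searched. The paths are the ones the guide gives and must be adjusted if ILookIX is installed elsewhere.

```powershell
# Added example, not part of the Perlustro guide. Registers the ILookIX DLLs
# from Step 12 and verifies the COM registration in the registry. Elevated prompt.
$dlls = @(
    'C:\Program Files (x86)\Perlustro\ILookIX\dsofile.dll',
    'C:\Program Files (x86)\Perlustro\ILookIX\dten600.dll'
)

function Test-ComServerRegistered {
    param([string]$Path)
    # 64-bit and 32-bit CLSID views; InprocServer32's default value is the server path
    $roots = 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    foreach ($root in $roots) {
        $hit = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue } |
            Where-Object { $_.'(default)' -ieq $Path } |
            Select-Object -First 1
        if ($hit) { return $true }
    }
    return $false
}

function Register-DllAndVerify {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Dll = $Path; Exists = $false; ExitCode = $null; Registered = $false }
    }
    # /s = silent; the exit code is the only direct feedback regsvr32 gives
    $proc = Start-Process -FilePath regsvr32.exe -ArgumentList '/s', "`"$Path`"" -Wait -PassThru
    [pscustomobject]@{
        Dll        = $Path
        Exists     = $true
        ExitCode   = $proc.ExitCode
        Registered = Test-ComServerRegistered -Path $Path
    }
}

$report = $dlls | ForEach-Object { Register-DllAndVerify -Path $_ }
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Registered } |
    ForEach-Object { Write-Warning "$($_.Dll) is not registered (exit code $($_.ExitCode))" }
```

Walking HKCR\CLSID takes a few seconds on a full install; a missing file or a non-zero exit code with Registered = False usually means the prompt was not elevated or the install path differs from the guide's.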
Additional Performance changes
Please review Changes To Impact Performance.