Post ILooKIX Install – Mandatory Setup Changes


03/15/10

Step 1.  Install the Update for .NET Framework 3.5 SP1

Select your OS at http://support.microsoft.com/kb/959209 and install the update for .NET Framework 3.5 SP1 if it is not already installed. (This is an update to SP1; it is not a new service pack.) You can find the currently installed .NET Framework version by checking [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\<version>].

Step 2. User Permissions and Login

Before you begin the post-install changes, make sure you are logged in as an administrator-level user whose account has a password assigned. A password is mandatory.

If you have not done so already, at the root of the boot drive reset the permissions to FULL CONTROL for the current user on the entire root folder and all subfolders and files. This presumes the current user is in the Administrators group but is not the account named “Administrator”. Failure to follow this step will cause a total failure of the supporting SQL Server framework.

Step 3.  Disable Indexing  (BEGIN WIN 7 CHANGES)

Disable indexing on the system itself, not just on individual drives. On Vista the service is listed as “Windows Search” under Services in Computer Management. If you disable the service and it returns later because of a service pack update, remove the service with SC.exe using its service name.

Disable the service in Computer Management (under Control Panel). Stop it, then make sure the startup type of the indexing service is set to DISABLED.

Below is an example of Vista with the Indexing Service switched off. Indexing Service and Windows Search can BOTH be installed and running, so check that neither remains running.

[Screenshot: Vista Services list with the Indexing Service stopped and disabled]

Why? Among other reasons of equal merit, there is the fact that if you allow the OS index engine to extract metadata from investigated files that are accessible to the OS, it will inevitably contaminate the forensics platform’s own local index files. Until ILookIX, detailed examination of those index files at the file-system level did not exist in computer forensics. The file-level view is a radically more revealing analysis than one that uses Windows APIs to access the indexes.

Step 4.  STOP Automatic Updates in Windows and STOP any Wireless or network connections that depend on Win updates

This section is CRITICAL for users who have the Analysis Pack option in ILookIX.

In particular, if you have WiFi connections you must disable Windows Automatic Updates. You can find these services in an Msinfo32 report, where the entries look similar to these:

Display Name            Name       State     Start Mode   Service Type    Path
Automatic Updates       wuauserv   Running   Auto         Share Process   c:\windows\system32\svchost.exe -k netsvcs
Wireless Configuration  WZCSVC     Running   Auto         Share Process   c:\windows\system32\svchost.exe -k netsvcs
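As an added example that is not part of the original ILookIX instructions, the following PowerShell script carries out Steps 3 and 4 together: it stops each service, sets its startup type to Disabled, and then re-reads the state from WMI so that a service which is stopped but still set to Automatic (the case that comes back after a service pack) is reported. The short names WSearch, cisvc, wuauserv, WZCSVC and WlanSvc are assumed to be the service names for Windows Search, the legacy Indexing Service, Automatic Updates, Wireless Zero Configuration and its Vista/7 replacement WLAN AutoConfig. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the ILookIX documentation: stop and disable the
# services named in Steps 3 and 4, then report their state so that nothing is
# left running or set to start again at the next boot.
#
# Assumed service names (the Name column in services.msc / msinfo32):
#   WSearch  = "Windows Search" (Vista/7)
#   cisvc    = legacy "Indexing Service", where still installed
#   wuauserv = "Automatic Updates" / "Windows Update"
#   WZCSVC   = "Wireless Zero Configuration" (the name shown in the guide)
#   WlanSvc  = "WLAN AutoConfig", the Vista/7 equivalent of WZCSVC

$targets = @('WSearch', 'cisvc', 'wuauserv', 'WZCSVC', 'WlanSvc')

function Disable-TargetService {
    param([string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        Write-Host ("{0,-9} not installed, nothing to do" -f $Name)
        return
    }
    if ($svc.Status -ne 'Stopped') {
        # -Force also stops services that depend on this one
        Stop-Service -Name $Name -Force -ErrorAction Stop
    }
    # Stopping is not enough: an Automatic start type brings the service
    # back at the next boot, which is the behaviour Step 3 warns about.
    Set-Service -Name $Name -StartupType Disabled
}

foreach ($name in $targets) {
    Disable-TargetService -Name $name
}

# Verification pass. Win32_Service exposes both the live State and the
# configured StartMode, so one query shows whether either is still wrong.
$filter = ($targets | ForEach-Object { "Name='$_'" }) -join ' OR '
$report = Get-WmiObject -Class Win32_Service -Filter $filter |
    Select-Object Name, State, StartMode

$report | Format-Table -AutoSize

$stillActive = $report | Where-Object { $_.State -ne 'Stopped' -or $_.StartMode -ne 'Disabled' }
if ($stillActive) {
    Write-Warning ('Still running or still enabled: ' + (($stillActive | ForEach-Object { $_.Name }) -join ', '))
} else {
    Write-Host 'All listed services are stopped and set to Disabled.'
}
```

Services that are not installed on the machine are reported and skipped. Removing a service with SC.exe, as Step 3 suggests for a service that keeps returning, is deliberately left out of the script; the final report shows whether that is needed.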

Step 5.  Reset network TCPIP parameters

This section is CRITICAL for users who have the Analysis Pack option in ILookIX.

On Windows Vista or 7 you must disable the TCP/IP parameters that cause TCP session packets to be compressed. The following commands, run at a command prompt, reverse that setting. Run them only as Admin.

Note: The ILookIX anti-virus option will NOT function on Windows Vista or 7 unless this change is made !!

netsh interface tcp show global

Capture the output to Notepad (mark and select the text in the command window, copy it, and paste it into Notepad).

Now, back at the command prompt, execute these four commands (five on Windows 7):

netsh interface tcp set global autotuning=disabled
netsh interface tcp set global chimney=disabled
netsh interface tcp set global congestionprovider=none
netsh interface tcp set global rss=disabled
netsh interface tcp set global netdma=disabled        (Windows 7 only: add this line)

Now run the show command again:

netsh interface tcp show global

The output should again be captured to Notepad and maintained for future reference, or to undo the above commands.
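The same Step 5 procedure as an added PowerShell example (not code from the ILookIX documentation) that replaces the mark-and-paste into Notepad with timestamped files, so the before-state is kept for reference and for undoing the change later. It assumes an elevated PowerShell prompt on Vista or 7; the folder C:\ILookIX-setup is an assumed location.

```powershell
# Added example, not part of the ILookIX documentation: the Step 5 procedure
# with the "capture to Notepad" replaced by timestamped files, so the
# before-state is kept for reference and for undoing the change later.
# Assumes an elevated PowerShell prompt on Vista/7. C:\ILookIX-setup is an
# assumed output folder; change it to suit.

$logDir = 'C:\ILookIX-setup'
if (-not (Test-Path -Path $logDir)) {
    New-Item -ItemType Directory -Path $logDir | Out-Null
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

function Save-TcpGlobalState {
    param([string]$Label)
    $file = Join-Path -Path $logDir -ChildPath ("netsh-tcp-global-{0}-{1}.txt" -f $Label, $stamp)
    & netsh interface tcp show global | Out-File -FilePath $file -Encoding ASCII
    # Write-Host rather than Write-Output, so the function returns only $file
    Write-Host "Saved $Label state to $file"
    return $file
}

$before = Save-TcpGlobalState -Label 'before'

# The four settings from the guide; netdma is added only on Windows 7,
# which reports kernel version 6.1, exactly as the guide instructs.
$settings = @('autotuning=disabled', 'chimney=disabled', 'congestionprovider=none', 'rss=disabled')
if ([Environment]::OSVersion.Version -ge [Version]'6.1') {
    $settings += 'netdma=disabled'
}

foreach ($setting in $settings) {
    # 2>&1 folds any netsh error text into $result so that a failing line
    # is recorded next to the setting it belongs to instead of vanishing.
    $result = & netsh interface tcp set global $setting 2>&1
    Write-Host ("set global {0}: {1}" -f $setting, (($result | Out-String).Trim()))
}

$after = Save-TcpGlobalState -Label 'after'

# Show only the lines that changed between the two captures.
Compare-Object -ReferenceObject (Get-Content $before) -DifferenceObject (Get-Content $after) |
    Format-Table -AutoSize
```

To undo the change later, read the “before” file and issue the corresponding set global commands with the original values (for example autotuning=normal where the capture shows normal). The script does not parse the netsh output, so the rollback stays a manual step that you check against the saved file.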

Step 6.  Disable Hibernation

Stop hibernation in Vista. ALL Vista installs include the ability to hibernate, and there is no Windows GUI application to disable it directly. It must be disabled from an ADMIN-elevated command window by typing the following command:

C:\> POWERCFG -H OFF

Step 7.  Set Power to no savings

In the BIOS, cancel all power-saving features (video, CPU power-down, etc.). Any power-management settings you find that do not power components down on a time interval can be left in place.

Power management can be a serious CPU drain that you will never be aware of once you are booted into Windows.

Below is an example Vista Power Settings screen. If the BIOS does not provide power-saving settings for you to turn off, make certain the current Control Panel power settings do not allow timed slowdowns of the CPU, the hard drives, or the monitor. A monitor shutdown generates interrupt calls to the CPU, which in turn stall some SQL Server threads whenever SQL Server is running, not just while ILookIX is running.

[Screenshot: Vista Power Options with the monitor, hard disk and sleep timers set to Never]
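Steps 6 and 7 together as an added PowerShell example, not part of the original page: it turns hibernation off, sets the monitor, disk, standby and hibernate timeouts of the active power plan to zero (never) for both AC and battery, and then verifies the hibernation change. Assumptions: an elevated PowerShell prompt on Vista or 7, the powercfg -change settings as listed by powercfg /? on those versions, and the registry value HibernateEnabled under HKLM\SYSTEM\CurrentControlSet\Control\Power as the indicator that the change took effect. BIOS settings, which Step 7 puts first, cannot be changed from Windows and are not covered.

```powershell
# Added example, not part of the ILookIX documentation: Step 6 (hibernation
# off) and the Windows side of Step 7 (no timed slowdowns on the active power
# plan), with a verification afterwards. Assumes an elevated PowerShell
# prompt on Vista/7 and the powercfg -change settings shown by powercfg /?.

# Step 6: same effect as POWERCFG -H OFF at a cmd prompt.
& powercfg -h off

# Step 7: a value of 0 means "never" for each timer, on AC power and on battery (dc).
$timers = @('monitor-timeout', 'disk-timeout', 'standby-timeout', 'hibernate-timeout')
foreach ($timer in $timers) {
    foreach ($source in @('ac', 'dc')) {
        & powercfg -change ("-{0}-{1}" -f $timer, $source) 0
    }
}

function Test-HibernationDisabled {
    # HibernateEnabled (assumed value name) reads 0 once powercfg -h off has
    # taken effect, and hiberfil.sys is removed from the system drive.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $value = (Get-ItemProperty -Path $key -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    $hiberfile = Join-Path -Path $env:SystemDrive -ChildPath 'hiberfil.sys'
    return ($value -eq 0) -and (-not (Test-Path -Path $hiberfile))
}

if (Test-HibernationDisabled) {
    Write-Host 'Hibernation is off.'
} else {
    Write-Warning 'Hibernation still appears to be enabled; re-run from an elevated prompt.'
}

# Print the active scheme and its settings so the result can be kept with
# the netsh captures from Step 5 and checked against the Control Panel view.
& powercfg -getactivescheme
& powercfg -query
```

The powercfg -query output is long; the lines to look for are the AC and DC values under the Display, Hard disk and Sleep subgroups, which should all read 0 after the script has run.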

Step 8.  Disable Recycle Bin

Disable the Recycle Bin, either in the registry or from the desktop. There is little benefit to Recycle Bin usage on any drive used for forensics. If the CPOINT location and the main Windows TEMP location (SET TEMP) are subject to the Recycle Bin, ILookIX operations will be severely hampered, and evidence data will infiltrate the forensics machine.

Click the Recycle Bin on the desktop and turn it off per drive if necessary; otherwise manage it for all drives by setting them to NOT use the Recycle Bin.

Step 9.  If you run Illicit Image Detection as an option, you may have to remove other applications that interfere with GDI graphics processing.

Application software that diverts Windows file associations away from the Windows GDI default may cause stoppages while processing illicit images. Usually these applications are CD-ROM writing software. The same problem can be caused by other GPL-based graphics packages. Applications that use device drivers to attach to removable media are also potential issues.

Item 10.  STOP Windows Firewall directly and stop any other 3rd party firewall.

Turn off Windows Firewall in Control Panel and disable any other firewall software installed. This is mandatory for using the ILookIX virus detection option; a running firewall will also hamper performance on Windows 7 and Vista.

We presume here that, as a forensics processing machine, the system has no active network connectivity and a firewall is therefore not needed. Exceptions are a virtualized system, or local port access used for a specific investigative process. Windows Firewall or another firewall can easily be turned back on when connecting to the internet, and it is advisable to use one during any network-connected session regardless. But the simple fact remains that forensic examination of machines with unknown harmful content needlessly endangers all internet users if the investigation machine itself is connected during such an examination.

Item 11.  RESET IE Settings from default

Reset the Internet Explorer security level (not that of other browsers) to Medium, reduced from the default of “Medium-high”, as in this screen.

[Screenshot: Internet Explorer security settings with the level reset to Medium]

Item 12.  Using an Admin Cmd prompt, paste this registry change into the cmd window; it will run as soon as it is pasted:

@echo off
rem Register DLLs that come with Perlustro ILookIX but which may not otherwise register on install
rem on a 64-bit Windows installation, any version
rem regsvr32 reports success or failure for each DLL in a dialog box
set TARGET_DLL1="C:\Program Files (x86)\Perlustro\ILookIX\dsofile.dll"
%systemroot%\System32\regsvr32.exe %TARGET_DLL1%
set TARGET_DLL2="C:\Program Files (x86)\Perlustro\ILookIX\dten600.dll"
%systemroot%\System32\regsvr32.exe %TARGET_DLL2%

Additional Performance changes

Please review Changes To Impact Performance.
