Pre-Install Setup Guide
Forensics Machine Setup + ILookIX and SQL Server 2008 – 32/64 bit Database engine Pre-Install Setup Guide Version 1.04 11/09/09
This guide is now ONLY for NON Windows 7 machines.
For Windows 7, use the Windows 7 guide instead ==> http://www.perlustro.com/resources/installation-overview/setupw7. Check that guide first if you are not sure which one applies to your system.
The majority of changes noted in this guide relate to “tuning” a machine to perform basic forensics analysis. This is also the primary ILookIX setup guide, used to install SQL Server 2008 Express (or our own OEM build) and its prerequisites. On most systems the SQL installation requires other preceding software installs, as noted below, but almost none on Win 7. Further OS updates may also be required, because some updates are contingent on these changes. The updates below MUST precede any installation of ILookIX on a non Win 7 machine. Other items, in the post-install guides, relate specifically to forensics computing issues that will negatively impact the computer system used in analysis and, in particular, ILookIX.
We also believe this document will be useful as a review guide of issues that, if not addressed, will negatively affect forensics systems generally. Once the pre-installation requirements and the SQL Express install are complete, ILookIX itself installs in about 1 minute. Note: do not use the Microsoft Web Installer to install SQL Express, even on Win 7. Win 7 requires only two prerequisites, both relating to SQL.
On a newly installed OS drive, adopting the changes below should take less than 1 hour. Overall, while this install/setup process may be unfamiliar, it is well documented in Microsoft technology notes and other citations, and for most users the changes will be trivial to effect. Some processes noted here, and elsewhere by reference, are not usually considered a primary necessity for forensics machines; however, forensics machines rarely run SQL Server, or include analysis applications with built-in anti-virus software and advanced mathematical modeling. ILookIX does, and it is in fact revolutionary!
Operating Systems Supported: Apple and Windows virtual computing, including the use of IXvm© images created by ILookIX
- Microsoft Windows 7, 64 bit only, with 4 GB RAM (2 GB minimum allocated to the VM)
- Microsoft Windows Server 2008 RC2, 64 bit, with 6 GB RAM (2 GB minimum allocated to the VM)
- Microsoft Windows Vista 64 bit with 4 GB RAM, 6 GB+ recommended
- Microsoft Windows XP 64 bit with 4 GB RAM, 6 GB+ recommended (2 GB minimum allocated to the VM)
(VirtualBox is supported on Intel VT-x or AMD-V CPUs with 6 GB RAM, 2 GB allocated to the VM)
Note : NO HOME or STARTER versions are supported on any platform
Physical Machine Computing
- Microsoft Windows 7 – 64 bit only with 4 GB RAM, Ultimate, Enterprise only
- Microsoft Windows Vista 32/64 bit with 4 GB RAM (2 GB Minimum)
- Microsoft Windows XP 32/64 bit with 4 GB RAM (2 GB Minimum)
- Microsoft Windows Server 2003 – Current SP, 64 bit only, 6 GB RAM
Note : NO HOME or STARTER versions are supported on any platform
All commands in RED are Mandatory for ILookIX Installs, without regard to SQL Server installation
No Steps below can be skipped or omitted from consideration
We welcome any suggestions you may have for ensuring a highly successful installation and use of ILookIX. If you have any problems with the installation points noted here, please email ==> firstname.lastname@example.org .
Step 1. Make a system restore point or physical image prior to taking any action relative to this memorandum.
Step 2. Completely remove any anti-virus software on the machine prior to installing SQL Server, regardless of manufacturer. Norton© Antivirus: please try the Norton antivirus removal tool. If this fails, and assuming you don’t want to buy a new machine, you may wish to attempt removal using these notes and others. (Perlustro is not responsible for the content on these pages.)
Step 3. Cold boot the machine, and do an in-depth examination of the Event logs after restart. Failing to use Event Viewer to isolate and fix system errors may cause an egregious waste of effort in the use of these products and/or otherwise prevent proper installation. Mass storage device errors will cause any installation to fail, as will DCOM errors due to an outdated BIOS. System drivers not compatible with the computer’s motherboard or internal devices, such as video cards, invariably cause systemic problems if they are left uncorrected at this time. These are seldom issues in Win 7.
Step 4. Ensure that you will not be installing any related parts of ILookIX or SQL Server on NTFS compressed file systems. You cannot create an ILookIX Control Point working folder on any compressed file system. ILookIX analysis failures will result if compressed file systems are used.
Step 5. Log in now as an administrator-level user that requires a password, one who is able to create user accounts and change system settings. If no password is required, you cannot proceed until that is rectified: go to Step 5.b and then come back here.
Step 5.a (Vista and later): REMOVE the UAC control setting on the machine. You may use any of the following methods to achieve this:
Control Panel method (check box)
Run Control Panel (Start -> Control Panel), select “User Accounts/Family Safety” then “User Accounts”. Select “Turn User Account Control on or off”. Uncheck the check box, click OK, and then restart your computer.
Control Panel method (slider)
Run Control Panel (Start -> Control Panel), select “User Accounts” then “Change User Account Control settings”. Move the slider all the way to the bottom. You will then need to restart your computer.
Local Security Policy method
From a command prompt, or the “Run” command, run “secpol.msc”, and change the behavior of the UAC prompt itself by setting this security option:
“User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode” to ==> Elevate without prompting.
Step 5.b – Create a new user account which has FULL CONTROL permissions over the entire folder root structure of the machine, and is ALSO a member of the Administrators group, using the URL ==> Setup User Permissions guide. If in doubt about your current user security settings, check this information: http://support.microsoft.com/kb/313222
Step 5.c – The new user account MUST be a member of the Administrators group, and it MUST have a password. DO NOT use an account with the name “administrator”, although any spelling variant is acceptable.
Step 5.d – This account must also have DEBUG permissions separately assigned from User Security Rights. If you are unsure how to do this, use the URL ==> Debug Permission guide.
Step 5.e – This account must have FULL CONTROL permissions assigned for any OS installation, including Win 7.
Step 5.f – Log off, and then log back on with the ILookIX-specific runtime user account.
Step 5.g – Only if you are running Windows XP, any version, 32 or 64 bit: YOU MUST switch off “simple file sharing” on the system. See the Microsoft notes on switching off this feature at http://support.microsoft.com/kb/307874. If you do not see the Security tab and individual permissions when you right-click a root folder in XP, simple file sharing is switched on rather than off; this is the default installation setting. SQL Server will fail to install correctly if it is not switched off.
Step 5.h – At the ROOT of the boot drive:
a. – ADD “Authenticated Users” or “EVERYONE” to the root folder’s permissions and give it FULL CONTROL, then add the current USER account as well.
b. – CASCADE permissions for the Admin account, for Authenticated Users or Everyone, and for the CURRENT USER, with full control, through the entire boot drive structure. Additionally, take the same action for your current logged-on user name. Note: you must do this ONLY after making the three accounts FULL CONTROL.
Review the URL ==> File System Permissions guide for information about changing the permissions of the root folder of the boot drive if you are unsure of the method to use. On 64 bit OSs some folders, such as Program Files, will fail to accept full control as it is propagated, but these can be individually skipped.
Step 5.i – Of critical importance: disable DEP and enable PAE using the URL ==> Disable DEP guide. Check the BIOS of the computer to ensure DEP is disabled completely in hardware as well. If the CPU supports Hyper-V (hardware virtualization) and it is not enabled, consider enabling it at this time in order to run VirtualBox and VMware.
Step 5.j – Disable Windows Defender by following the URL ==> Windows Defender guide.
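The Step 5 settings above can be verified from an administrator PowerShell prompt before moving on. The script below is an added example, not part of the Perlustro guide or its companion guides; it reads the UAC, account, debug right, simple file sharing, root ACL, DEP/PAE and Defender state (plus the Step 4 NTFS compression check) and reports OK or FIX for each, without changing anything. It assumes PowerShell 1.0 or later in an elevated prompt; the Report helper and the $ControlPoint parameter are this example's own, and $ControlPoint is a placeholder for the folder you intend to use as the ILookIX Control Point.

```powershell
# Added audit script (not part of the Perlustro guide). Reads the Step 5 settings
# and reports OK/FIX for each; it changes nothing. Assumes PowerShell 1.0 or later
# in an elevated (administrator) prompt. $ControlPoint is a placeholder path for
# the intended ILookIX Control Point folder (used only for the compression check).
param([string]$ControlPoint = "C:\ILookIX_CP")   # placeholder, adjust to your folder

function Report($name, $ok, $detail) {
    $tag = "FIX "; if ($ok) { $tag = "OK  " }
    Write-Host ("{0} {1,-32} {2}" -f $tag, $name, $detail)
}

$vistaOrLater = [Environment]::OSVersion.Version.Major -ge 6
$id   = [Security.Principal.WindowsIdentity]::GetCurrent()
$user = $id.Name.Split('\')[-1]

# Step 4  NTFS compression on the boot drive root and the Control Point folder.
foreach ($p in @("$env:SystemDrive\", $ControlPoint)) {
    $item = Get-Item $p -ErrorAction SilentlyContinue
    if ($item) {
        $compressed = ($item.Attributes -band [IO.FileAttributes]::Compressed) -ne 0
        Report "Step 4 Not compressed" (-not $compressed) $p
    }
}

# 5.a  UAC: EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 is the
#      "Elevate without prompting" option set through secpol.msc.
if ($vistaOrLater) {
    $pol = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue
    $uacOff = ($pol.EnableLUA -eq 0) -or ($pol.ConsentPromptBehaviorAdmin -eq 0)
    Report "5.a UAC removed" $uacOff ("EnableLUA={0} ConsentPromptBehaviorAdmin={1}" -f $pol.EnableLUA, $pol.ConsentPromptBehaviorAdmin)
}

# 5.b/5.c  Administrators membership (only visible while elevated), the account is
#          not literally named "administrator", and the local account needs a password.
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Report "5.b Administrators member" $isAdmin $id.Name
Report "5.c Not named administrator" ($user -ne "administrator") $user
$acct = Get-WmiObject Win32_UserAccount -Filter "Name='$user' AND LocalAccount=True"
Report "5.c Password required" (($acct -ne $null) -and $acct.PasswordRequired) ("local account found: {0}" -f ($acct -ne $null))

# 5.d  SeDebugPrivilege: export the local policy with secedit and look for the
#      user's SID, one of its group SIDs, or the account name on that line.
$inf = Join-Path $env:TEMP "secpol-audit.inf"
secedit /export /cfg $inf /quiet | Out-Null
$dbgLine = [string](Get-Content $inf | Where-Object { $_ -match "^SeDebugPrivilege" })
Remove-Item $inf -ErrorAction SilentlyContinue
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
$hasDebug = ($dbgLine -match [regex]::Escape($user))
foreach ($s in $sids) { if ($dbgLine -match [regex]::Escape("*$s")) { $hasDebug = $true } }
Report "5.d SeDebugPrivilege held" $hasDebug $dbgLine

# 5.g  XP only: ForceGuest=1 means "simple file sharing" is on (KB 307874).
if (-not $vistaOrLater) {
    $lsa = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -ErrorAction SilentlyContinue
    Report "5.g Simple file sharing off" ($lsa.ForceGuest -eq 0) ("ForceGuest={0}" -f $lsa.ForceGuest)
}

# 5.h  Root of the boot drive: Everyone or Authenticated Users, plus the current
#      user, must each hold an inheritable Allow FullControl entry. The identity
#      names below are the English ones and differ on localized Windows.
$acl = Get-Acl "$env:SystemDrive\"
$full = @($acl.Access | Where-Object {
    $_.AccessControlType -eq "Allow" -and [string]$_.FileSystemRights -eq "FullControl" -and
    [string]$_.InheritanceFlags -eq "ContainerInherit, ObjectInherit"
} | ForEach-Object { $_.IdentityReference.Value })
$groupOk = ($full -contains "Everyone") -or ($full -contains "NT AUTHORITY\Authenticated Users")
Report "5.h Everyone/Auth Users full" $groupOk ([string]::Join(", ", [string[]]$full))
Report "5.h Current user full control" ($full -contains $id.Name) $id.Name

# 5.i  DEP policy 0 = AlwaysOff; PAEEnabled is the kernel's PAE flag.
$os = Get-WmiObject Win32_OperatingSystem
Report "5.i DEP AlwaysOff" ($os.DataExecutionPrevention_SupportPolicy -eq 0) ("SupportPolicy={0} (0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut)" -f $os.DataExecutionPrevention_SupportPolicy)
Report "5.i PAE enabled" ($os.PAEEnabled -eq $true) ("PAEEnabled={0}" -f $os.PAEEnabled)

# 5.j  The Windows Defender service (WinDefend) is absent or stopped.
$def = Get-Service WinDefend -ErrorAction SilentlyContinue
$defState = "absent"; if ($def) { $defState = [string]$def.Status }
Report "5.j Defender not running" (($def -eq $null) -or ($def.Status -ne "Running")) ("service: $defState")
```

Save it as audit-step5.ps1 and run it from the elevated prompt of the ILookIX user after Step 5.f; on a fresh PowerShell 1.0 install the execution policy must first allow local scripts (Set-ExecutionPolicy RemoteSigned). Every line should read OK before Step 6; a FIX line names the Step 5 sub-step to revisit.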
Step 6. Ensure, to the extent possible, that the machine has no mechanical failure points in device connectivity and storage systems. PassMark, a well-respected suite of test tools, has test software which has been found to greatly assist in identifying hardware problems that could inhibit a successful installation of ILookIX.
Step 7. You MUST determine whether any version of SQL Server is installed on the computer, using the URL ==> SQL Server removal guide.
If any version is installed, it must now be removed using that guide before you continue the install. The removal MUST presume that there is no network connectivity to the machine at this time.
Step 8. Place the following downloads on the desktop of the new ILookIX user that you are currently logged in with, unless you know they are already installed:
8.1. Microsoft Windows Installer 4.5 MUST be installed for your operating system, from: http://www.microsoft.com/downloads/details.aspx?FamilyID=5a58b56f-60b6-4412-95b9-54d056d6f9f4&displaylang=en. Select the installer at the bottom of that page that matches your system. See the introduction on the page for help in choosing your installer version.
8.2. .NET Framework 3.5 SP1, if NOT Vista 64 SP1 or Win 7: http://download.microsoft.com/download/2/0/e/20e90413-712f-438c-988e-fdaa79a8ac3d/dotnetfx35.exe
8.3. If NOT Win 7, version 1 of PowerShell, from: http://www.microsoft.com/windowsserver2003/technologies/management/powershell/download.mspx
8.4. SQL Server 2008 Express with Tools (ONLY the “with Tools” version), from: http://www.microsoft.com/downloads/details.aspx?familyid=7522A683-4CB2-454E-B908-E805E9BD4E28&displaylang=en [do NOT load any other version of Express]
8.5. The Microsoft security update for C++ injection attacks should be installed if you have a NON Windows 7 system, either 32 or 64 bit. Download and install ONLY this version: http://download.microsoft.com/download/6/b/b/6bb661d6-a8ae-4819-b79f-236472f6070c/vcredist_x86.exe
Step 9. Unplug your network connection and stop your Wi-Fi. In addition, disable all NICs for the remainder of the process, if not already disabled.
Then execute ===> C:\> ipconfig /release
COLD BOOT THE SYSTEM (if you do not do this, you may inadvertently install SQL Server onto a networked machine).
Step 10. Determine whether Windows Installer version 4.5 is on the machine with the cmd ===> C:\> msiexec
If it is not version 4.5, install it using the file from the link at item 8.1 above; otherwise delete the install file.
If newly installed, COLD BOOT THE SYSTEM.
Step 11. Install the .NET Framework version 3.5 SP1 using the file from the link at item 8.2 above. Then COLD BOOT THE SYSTEM.
Step 12. Determine whether PowerShell version 1.0 is on the machine by running ===> C:\> powershell from a command prompt. If you get the message “‘powershell’ is not recognized…”, install the file from the link at item 8.3 above and COLD BOOT THE SYSTEM. Otherwise, at the PowerShell prompt type $Host; it returns the PS version. If the version is not 1.0.0, install PowerShell 1.0 using the file from the link at item 8.3 above, then COLD BOOT THE SYSTEM.
Step 13. Install the VC++ runtime update that you downloaded in item 8.5 above. This Microsoft installer does not show a final “Completed” screen when it has finished; you may observe the update in Windows Task Manager. The installation takes around 15 seconds to process a progress bar, but a full 5 minutes to install completely. Let it run 5 minutes before checking Task Manager and rebooting.
Step 14. Ensure that your video resolution is at least 1024 x 768 with 16 bit color. If you do not meet this requirement, you will see an installation error when you attempt to install ILookIX later. This is particularly important if you are in a virtual machine.
Step 15. Set the swap file so that its maximum and minimum values are equal
Set up virtual memory as a fixed amount. Set the swap file to 8 GB (8192 MB) for both maximum and minimum; on Windows XP 32 bit the maximum is 4 GB (4096 MB).
For performance reasons, it is recommended to place the swap file on a permanent drive, separate from the one that hosts the ILookIX Control Point folder (the location where you keep CASE folders).
To set the virtual memory, open System Properties, select the Advanced tab, and under the Performance section click the Settings button. Then click the Advanced tab in the new window, and under the Virtual Memory section click Change. If automatic management of the page file is enabled, deselect it, and enter the Initial and Maximum values into the text boxes. You must click SET once you have entered the values, otherwise they will not take effect.
You will then need to reboot your computer.
Step 16. This is only a re-test to make sure SQL Server is NOT loaded on the system after you removed it.
Determine whether any version of SQL Server is visible to the machine with the following cmd shell command [run as Admin]:
C:\> sqlcmd -L [if any server name + instance name is returned, you have SQL Server installed]
If no instance name is returned and 30 seconds pass with no response, open an Admin command prompt window and type “sqlcmd -S myServer\instanceName”. Replace “myServer\instanceName” with the name of the computer and the instance of SQL Server that you want to connect to (SQLEXPRESS). Press ENTER. The sqlcmd prompt (1>) indicates that you are connected to the specified instance of SQL Server and is a successful response.
Then, if you determine that SQL Server removal is required (i.e. no SQL Server 2008 is installed), remove SQL Server from the machine using the SQL Server removal guide.
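Steps 8 through 16 each end in a manual check (msiexec, $Host, the display mode, the page file, sqlcmd -L). The script below, an added example that is not part of the Perlustro guide, gathers those checks into one read-only pre-flight report. It assumes PowerShell 1.0 or later in an elevated prompt; the Report helper and $ControlPoint are this example's own, with $ControlPoint a placeholder for the Control Point folder whose drive the page file should avoid. The VC++ check is a heuristic on the Uninstall registry entries, an assumption rather than anything the guide specifies.

```powershell
# Added pre-flight check (not part of the Perlustro guide) for Steps 8-16: it
# reports prerequisite versions, network isolation, display mode, page-file
# sizing and any SQL Server presence, and changes nothing. Assumes PowerShell 1.0
# or later in an elevated prompt. $ControlPoint is a placeholder for the folder
# that will hold the ILookIX Control Point.
param([string]$ControlPoint = "D:\ILookIX_CP")   # placeholder, adjust to your folder

function Report($name, $ok, $detail) {
    $tag = "FIX "; if ($ok) { $tag = "OK  " }
    Write-Host ("{0} {1,-30} {2}" -f $tag, $name, $detail)
}

# XP 32-bit is the one platform with the smaller 4096 MB page-file ceiling.
$isXp32 = ([Environment]::OSVersion.Version.Major -lt 6) -and ([IntPtr]::Size -eq 4)

# Step 10  Windows Installer's version is the file version of msi.dll.
$msi = (Get-Item (Join-Path $env:windir "system32\msi.dll")).VersionInfo
$msiVer = New-Object Version $msi.FileMajorPart, $msi.FileMinorPart
Report "8.1 Windows Installer 4.5" ($msiVer -ge [Version]"4.5") $msi.FileVersion

# Step 11  .NET 3.5 SP1 registers Install=1 and SP=1 under NDP\v3.5.
$ndp = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5" -ErrorAction SilentlyContinue
Report "8.2 .NET 3.5 SP1" (($ndp.Install -eq 1) -and ($ndp.SP -ge 1)) ("Install={0} SP={1}" -f $ndp.Install, $ndp.SP)

# Step 12  The guide's $Host check; the script running at all proves PowerShell exists.
Report "8.3 PowerShell present" ($Host.Version.Major -ge 1) ("version {0}" -f $Host.Version)

# Step 13  Heuristic (assumption): the vcredist package leaves an Uninstall entry
#          whose DisplayName contains "Visual C++".
$uninst = @("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
            "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall")
$vc = @(Get-ChildItem $uninst -ErrorAction SilentlyContinue | ForEach-Object {
    (Get-ItemProperty $_.PSPath).DisplayName } | Where-Object { $_ -match "Visual C\+\+" })
Report "8.5 VC++ redistributable" ($vc.Count -gt 0) ([string]::Join("; ", [string[]]$vc))

# Step 9   No adapter may be connected (NetConnectionStatus 2 = Connected).
$nics = @(Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionStatus=2")
Report "9 Network isolated" ($nics.Count -eq 0) ("connected adapters: {0}" -f $nics.Count)

# Step 14  Display at least 1024x768 in 16-bit colour.
$vid = Get-WmiObject Win32_VideoController | Where-Object { $_.CurrentHorizontalResolution } | Select-Object -First 1
$vidOk = ($vid.CurrentHorizontalResolution -ge 1024) -and ($vid.CurrentVerticalResolution -ge 768) -and ($vid.CurrentBitsPerPixel -ge 16)
Report "14 Video 1024x768x16" $vidOk ("{0}x{1}x{2}" -f $vid.CurrentHorizontalResolution, $vid.CurrentVerticalResolution, $vid.CurrentBitsPerPixel)

# Step 15  Fixed page file: initial = maximum = 8192 MB (4096 MB on XP 32-bit),
#          not system-managed, and on a different drive from the Control Point.
$target = 8192; if ($isXp32) { $target = 4096 }
$auto = (Get-WmiObject Win32_ComputerSystem).AutomaticManagedPagefile    # $null on XP
$pf = Get-WmiObject Win32_PageFileSetting | Select-Object -First 1
$pfOk = ($auto -ne $true) -and ($pf -ne $null) -and ($pf.InitialSize -eq $pf.MaximumSize) -and ($pf.InitialSize -eq $target)
$pfDetail = "system managed or no page file"
if ($pf) { $pfDetail = "{0} {1}-{2} MB" -f $pf.Name, $pf.InitialSize, $pf.MaximumSize }
Report "15 Page file fixed at $target MB" $pfOk $pfDetail
if ($pf) { Report "15 Page file off CP drive" ($pf.Name.Substring(0, 2) -ne $ControlPoint.Substring(0, 2)) $ControlPoint }

# Step 16  Any installed instance registers under Instance Names\SQL (and under
#          Wow6432Node for 32-bit SQL on a 64-bit OS) and as an MSSQL* service.
$instances = @()
foreach ($k in @("HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL",
                 "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Server\Instance Names\SQL")) {
    $key = Get-Item $k -ErrorAction SilentlyContinue
    if ($key) { $instances += $key.GetValueNames() }
}
$svcs = @(Get-Service | Where-Object { $_.Name -match "^MSSQL" } | ForEach-Object { $_.Name })
$instStr = [string]::Join(",", [string[]]$instances)
$svcStr  = [string]::Join(",", [string[]]$svcs)
Report "16 No SQL Server instance" (($instances.Count -eq 0) -and ($svcs.Count -eq 0)) ("instances: $instStr; services: $svcStr")

# The guide's own test, possible only once sqlcmd.exe arrives with the SQL tools.
if (Get-Command sqlcmd.exe -ErrorAction SilentlyContinue) { sqlcmd -L }
```

Run it at the end of Step 16, when every line should read OK. After Step 17 the Step 16 line is expected to flip to FIX, listing the new SQLEXPRESS instance and its MSSQL$SQLEXPRESS service, and the closing sqlcmd -L call performs the same test the guide asks for in Step 18.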
Step 17. Install SQL Server Express – or, using the install movie on the DVD, load the full SQL 64 or 32 bit version
Using the URL ==> SQL Server Express Installation guide, install SQL Server 2008 Express using the file downloaded in item 8.4 or 8.6 above. When using this guide, pay CRITICAL ATTENTION to the screens with RED circled numbers in the top right corner. NO steps can be skipped, and a failure on any check/test response screen requires that the installation be cancelled and the error corrected before continuing with the install.
After the SQL install, be certain to use the URL ==> http://www.perlustro.com/logcheck/ to test the SQL Server installation logs per the installation guide (SQL Server Express Installation guide) before continuing. The logcheck function checks a copied and pasted install log, and automatically forwards it to Perlustro for examination if there is a failure in the process.
Step 18. Test the SQL Server install as a final check before loading ILookIX
If SQL Server 2008 Express completes a successful installation, it is time to test the install again with the command ==> C:\> sqlcmd -L
If that command returns the server name and instance as noted in the installation guide, the process is complete.
ILookIX should now install and run without any further system changes. Follow your download instructions to complete that installation.
There is one last test to be certain SQL Server is ready for ILookIX use, or any other database use, which is to CONNECT to the SQL Server using this URL guide ==> Using Management Studio for SQL Server 2008. If you make a connection to SQL Server, you are finished with all required pre-install changes.
Within the group of related documents noted here, some issues are merely suggestions based on experience accumulated by examining problems before or after an ILookIX installation. Many of the points presented here are well understood by experienced forensics practitioners, but some may not be considerations in your particular setup. They are offered only for the value you might find in using them as a checklist of general forensics issues for a machine to run ILookIX. But, ILookIX will not run without a functional SQL Server installation, and that is a core constraint on the requirements of the application.
Post ILookIX Install changes :
After the installation of ILookIX, you must enact the requirements for Post Installation Mandatory Changes, in order to successfully run ILookIX.
This Mandatory Changes document primarily raises the issues that are encountered on existing hardware / software systems, already in forensics use, and usually more than 1 year old, but which may not be “conditioned” for computer forensics examinations using ILookIX.
We hope this guide and others noted on the Overview page, will allow a smooth transition to SQL Server Express in a cost free method to determine the viability of your base system for installing ILookIX.
ILookIX is a highly complex professional computer forensics application which has been in continuous development since 1996. A computer, whether in 1996, or today, that performs forensics examinations using dozens of components that depend on reliable operating system sub-components, is not an average hardware system, or an average software application setup. Forensics examinations cannot typically be successfully run on an entry-level, or “average” PC, using an out of the box setup. If there is no conditioning of a system for forensics use, it will invariably portend inefficiency, or worse, it will impact your investigative findings. This does not translate to expensive hardware or system software, but it does clearly require a base software and hardware system which works well together, and which do not otherwise exhibit errors while performing basic required tasks.
The use of Microsoft SQL Server 64 requires a higher threshold base system for several reasons, but it is more reliant on the condition of the system software than on hardware issues. The immediate problem most often faced in configuring SQL Server is simply the fact that it will NOT reliably install on any computer without the OS adjustments noted in this memorandum. It is designed for servers, not for the workstations most often used in forensics. This document presumes that well-used systems, in use for a year or more, will form the base installation platform. Somewhat older systems are usually more problematic, but installation issues are not usually severe. Where the issue becomes more difficult to address, but not impossible, is when other VERSIONS of any SQL Server product already exist on the system. SQL Server 2008 is not backward compatible with previous versions, even SQL Server 2005.
In the current hardware-based transition from 32 bit to 64 bit, there are trade-off effects in using 32 bit Microsoft products. Generally ILookIX, which is the lowest memory threshold DB product we know of in forensics, can utilize 2 times as much effective RAM if you use a 64 bit system. But you also have to look to the future of other issues that impact 32 bit computing. VMware, for instance, cannot utilize a 64 bit OS image that is created by ILookIX if the base system is 32 bit. In addition, all of the new MS server systems are ONLY 64 bit, so the future viability of 32 bit computing, even on 64 bit WOW64 systems, will soon be a limiting factor in forensics examinations. ILookIX requirements are no different from SQL Server requirements, since ILookIX requires SQL Server to operate. While both 32 and 64 bit versions are available for use, we recommend the 64 bit version of SQL Server in every case.