So the first step is to establish my hypotheses. Here they are:
H1: Installation of Pointsec does not result in changes to the Master Boot Record.
H2: Installation of Pointsec does result in changes to the Volume Boot Sector.
To test my hypotheses, I created a virtual machine in VirtualBox and installed Windows XP on it. Then I booted the VM from a Helix live CD, which lets me examine the disk forensically without booting the installed operating system.
Once inside Helix, I opened a command prompt so that I could capture the Master Boot Record of the Windows disk. For those not familiar with file system forensics: on DOS/MBR-partitioned disks the MBR is the first 512-byte sector of the drive. It holds the boot code, the four-entry partition table at byte offset 446, and the 0x55AA signature in the last two bytes. I wanted the copy on my Mac, so I opened a terminal there and started a netcat listener with this command: nc -l 8000 > mbr1.txt. Back in the virtual machine I used dd to read the MBR and pipe it over the network to the Mac: dd if=/dev/hda bs=512 count=1 | nc
Now that I have the MBR, I want an MD5 hash of it so that I can quickly detect any change later. On the Mac I ran md5 mbr1.txt and got b8ce0ea32fdf9706ff7b17eac93d7ea4. A hash only tells you whether the sector changed, not what changed, so keep the raw copy as well for a byte-level comparison.
Now let's take a look at that Master Boot Record. I dumped it with a hex viewer, in this case xxd: xxd
The next thing I wanted was a copy of the Volume Boot Sector, also known as the Partition Boot Record (PBR) or VBR. Back in the Helix command prompt on the virtual machine, I ran fdisk -lu /dev/hda to list the partitions in sector units; as expected it came back with one. The partition starts at sector 63, and since the sectors are 512 bytes in size, it begins 32256 bytes into the drive. So I set up the netcat listener again and used the following command in Helix to copy the PBR (with bs=1 the skip= value is counted in bytes; bs=512 skip=63 count=1 would read the same sector): dd if=/dev/hda bs=1 count=512 skip=32256 | nc
Alright, so we've established our baselines. The next step in my experiment was to install Pointsec on my virtual machine. I went through the installation, rebooted, logged in and waited for the disk t
So I ba
So let's follow up on my hypotheses:
H1: Confirmed in this case by the MD5 hashes, which match. No changes to the MBR.
H2: Confirmed in this case by the MD5 hashes, which differ. The jump instruction at the start of the sector changed, and possibly other bytes as well.
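The procedure above (read sector 0, find the first partition's start LBA, multiply by 512 to get the offset for dd, hash and compare the MBR and VBR before and after the install) can be scripted once you have two raw images. The following is an added example, not code from the original post or from Pointsec; it works on two constructed 64-sector disk images embedded in the script (the "after" image differs only in the first three bytes of the VBR, the jump instruction, which mimics the kind of change the post reports) rather than on real captures. It goes slightly beyond the post by parsing all four partition-table entries and reporting every differing byte offset, not just the hash result.

```python
"""Locate and compare the MBR and the first partition's volume boot sector
(VBR/PBR) between a baseline and a post-install raw disk image.
Added example; the sample images below are constructed, not real captures."""
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446          # 0x1BE: start of the four 16-byte entries
BOOT_SIG = b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> list:
    """Parse the partition table of a 512-byte MBR; skip empty slots."""
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    entries = []
    for i in range(4):
        flag, _chs_start, ptype, _chs_end, lba_start, size = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:           # empty slot
            continue
        entries.append({
            "slot": i,
            "bootable": flag == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": size,
            "byte_offset": lba_start * SECTOR,   # the skip= value for dd with bs=1
        })
    return entries


def read_sector(image: bytes, lba: int) -> bytes:
    """Equivalent of: dd if=image bs=512 skip=lba count=1."""
    start = lba * SECTOR
    return image[start:start + SECTOR]


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def diff_bytes(before: bytes, after: bytes) -> list:
    """Offsets where two equal-length sectors differ, as (offset, old, new)."""
    if len(before) != len(after):
        raise ValueError("sector lengths differ")
    return [(i, b, a) for i, (b, a) in enumerate(zip(before, after)) if b != a]


def describe_vbr(vbr: bytes) -> dict:
    """Bytes 0..2 are the x86 jump to the boot code, bytes 3..10 the OEM ID."""
    return {"jump": vbr[:3].hex(), "oem_id": vbr[3:11],
            "signature_ok": vbr[510:512] == BOOT_SIG}


def compare_images(before: bytes, after: bytes) -> dict:
    """Hash the MBR and the first partition's VBR in both images; list changed offsets."""
    mbr_b, mbr_a = read_sector(before, 0), read_sector(after, 0)
    first = parse_partition_table(mbr_b)[0]
    vbr_b = read_sector(before, first["lba_start"])
    vbr_a = read_sector(after, first["lba_start"])
    return {
        "vbr_byte_offset": first["byte_offset"],
        "mbr_changed": md5hex(mbr_b) != md5hex(mbr_a),
        "mbr_diff": diff_bytes(mbr_b, mbr_a),
        "vbr_changed": md5hex(vbr_b) != md5hex(vbr_a),
        "vbr_diff": diff_bytes(vbr_b, vbr_a),
        "vbr_before": describe_vbr(vbr_b),
        "vbr_after": describe_vbr(vbr_a),
    }


# --- constructed sample images (assumption: one NTFS partition at LBA 63) ----
def _sample_mbr() -> bytes:
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 2048 - 63)
    return bytes(PART_TABLE_OFFSET) + entry + bytes(48) + BOOT_SIG


def _sample_vbr(jump: bytes) -> bytes:
    body = jump + b"NTFS    " + b"\x00\x02\x08\x00"   # jump, OEM ID, start of BPB
    return body + bytes(SECTOR - len(body) - 2) + BOOT_SIG


def build_sample_images():
    """Baseline disk and a copy whose VBR jump instruction has been rewritten."""
    gap = bytes(SECTOR * 62)                          # sectors 1..62 unused
    baseline = _sample_mbr() + gap + _sample_vbr(b"\xeb\x52\x90")
    modified = _sample_mbr() + gap + _sample_vbr(b"\xe9\x00\x01")
    return baseline, modified


if __name__ == "__main__":
    base, mod = build_sample_images()
    report = compare_images(base, mod)
    print("VBR at byte offset", report["vbr_byte_offset"])
    print("MBR changed:", report["mbr_changed"], " VBR changed:", report["vbr_changed"])
    for off, old, new in report["vbr_diff"]:
        print(f"  VBR[{off:3d}]: {old:02x} -> {new:02x}")
```

To use it on real captures, read the two raw images with open(path, "rb").read() and pass them to compare_images; the partition table is parsed from the baseline image, so a post-install MBR that rewrites the table would show up in mbr_diff rather than silently moving the VBR lookup.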