Using the Microsoft Diagnostics and Recovery Toolset (DaRT) for Incident Response
While building a security program, one of the most important elements to include is what to do when things go wrong. Being able to plan for and implement preventative controls to secure your environment is great. However, let's face it, bad stuff is going to happen. How quickly and effectively an organization responds to a security incident is a critical part of its security strategy. A lot of companies start by evaluating pricey specialized tools for incident response activities, but what if there's a good way to get started with some incident response basics using what you may already own?
Microsoft has been making periodic updates to a tool known as the Diagnostics and Recovery Toolset (DaRT). DaRT was originally built to provide corporate desktop recovery services, diagnose misbehaving machines, and quickly determine which devices can be resuscitated and which should be re-imaged. DaRT also integrates a number of useful security capabilities, giving the 'first responders' on your desktop support team a way to clean systems, or to identify potentially compromised systems that require further analysis back at HQ.
DaRT is also already owned by many Microsoft customers that may not be taking advantage of it. DaRT cannot be licensed as a one-off product; it's one of the tools included in the ever-evolving set of products that make up the Microsoft Desktop Optimization Pack (MDOP). MDOP is often sold with Windows Client and is available via the usual Microsoft software channels (TechNet, MSDN, Microsoft Volume Licensing, etc.), so check with your licensing specialist or reseller to see whether you already own access to the tool.
What's in DaRT?
DaRT is a collection of tools that is loaded onto a bootable device, often a USB flash drive. The typical organization that's leveraging DaRT will provide a bootable image for each of its desktop support technicians to carry with them as they make calls to repair or diagnose systems. DaRT is intended to be used locally by a tech-savvy IT person; it's definitely not a 'boot it and forget it' end user solution in this author's opinion. It's worth noting that DaRT version 7 (currently in beta and available for download via the Microsoft Connect site) can now be used over the network with a new capability called 'Software Based Remoting'. This capability allows an IT Pro or helpdesk analyst to troubleshoot and diagnose a PC without visiting it in person.
Since DaRT 7 is currently in beta, we'll be focusing on the current shipping release from Microsoft - DaRT 6.5. DaRT is built on top of a framework called the Windows Recovery Environment (WinRE), which Microsoft documents separately. If you've ever booted a Windows Vista or Windows 7 system in recovery mode, the WinRE environment is probably familiar to you. This set of tools is used to repair startup issues, perform a full system restore, etc. DaRT also has a pretty minimal hardware footprint: a 1GHz x86 or x64 processor with 1GB of RAM and the ability to boot from removable media should suffice.
Once DaRT is built (Microsoft's documentation covers building the media step by step), the user is presented with a list of available tools to launch at the root menu, shown in Figure 1.
Figure 1: DaRT tool list at boot.
There are lots of capabilities in the toolkit, but for the purposes of this article we'll focus on what's most useful from an incident response perspective.
Standalone System Sweeper
Standalone System Sweeper is one of the most useful tools in the DaRT arsenal in this author's opinion. One of the most common incidents desktop support technicians come across in the field (both in the consumer space and the enterprise space) is a system that has been thoroughly infested with malware, especially the particularly nasty kind that shuts down or otherwise disables the anti-malware software running on the system. Standalone System Sweeper can be used to identify and remove this malicious code from a system.
Malware that has hooked the kernel can hide its files, processes and registry keys from any tool that runs inside the booted operating system. Scanning the system offline, from the DaRT boot media and with the infected OS not running, takes that hiding place away, and often identifies malicious code that was invisible to a traditional anti-virus scan. Keep in mind that the scan is only as good as the signature definitions on the boot media, so keep them current. The tool is shown in Figure 2.
Figure 2: Standalone System Sweeper.
During analysis of the DaRT capabilities, the author took a bootable WinRE image loaded with DaRT 6.5 and Standalone System Sweeper and removed several instances of the Fake AV 2011 rogue anti-virus from a family member's PC that had previously been rendered unusable. The identification and removal of the malware was done in less than 10 minutes, a great solution to a messed-up system.
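The same 'inspect it while it isn't running' idea that makes the offline malware scan effective applies to the registry, where this class of malware keeps its persistence. The batch script below is an added example, not a DaRT tool and not from the original article: run from the DaRT/WinRE command prompt, it loads the victim's offline SOFTWARE hive and each profile's NTUSER.DAT and lists the autostart locations rogue anti-virus most often abuses (Run/RunOnce, the Winlogon Shell and Userinit values, and Image File Execution Options entries carrying a Debugger value, which is how these families hijack security tools). It assumes reg.exe is present in the boot image, that the victim's Windows volume appears as C: under WinRE (WinRE frequently assigns different letters than the installed OS, so confirm with diskpart's list volume first), and the mount-point names HKLM\OffSoft and HKU\OffUser are arbitrary.

```batch
@echo off
setlocal
rem Offline autostart triage from the DaRT / WinRE command prompt.
rem Assumption: the infected Windows volume is C: as seen from WinRE.
rem HKLM\OffSoft and HKU\OffUser are arbitrary names for the mounted hives.
set "OFFWIN=C:\Windows"
set "USERS=C:\Users"

rem --- Machine-wide hive --------------------------------------------------
reg load HKLM\OffSoft "%OFFWIN%\System32\config\SOFTWARE" >nul
if errorlevel 1 (
    echo Cannot load %OFFWIN%\System32\config\SOFTWARE - wrong drive letter?
    exit /b 1
)

echo === HKLM Run / RunOnce (native and 32-bit-on-64-bit views) ===
for %%K in (Run RunOnce) do (
    reg query "HKLM\OffSoft\Microsoft\Windows\CurrentVersion\%%K" 2>nul
    reg query "HKLM\OffSoft\Wow6432Node\Microsoft\Windows\CurrentVersion\%%K" 2>nul
)

echo === Winlogon Shell / Userinit (expect explorer.exe and userinit.exe) ===
reg query "HKLM\OffSoft\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\OffSoft\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

echo === Image File Execution Options carrying a Debugger value ===
echo (rogue AV plants these to redirect security tools and taskmgr.exe)
reg query "HKLM\OffSoft\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger 2>nul

rem Always unload, or the hive file stays locked and dirty on the victim disk.
reg unload HKLM\OffSoft >nul

rem --- Per-user hives -----------------------------------------------------
for /d %%U in ("%USERS%\*") do (
    if exist "%%U\NTUSER.DAT" (
        echo === Per-user Run / RunOnce for %%~nxU ===
        reg load HKU\OffUser "%%U\NTUSER.DAT" >nul
        if not errorlevel 1 (
            reg query "HKU\OffUser\Software\Microsoft\Windows\CurrentVersion\Run" 2>nul
            reg query "HKU\OffUser\Software\Microsoft\Windows\CurrentVersion\RunOnce" 2>nul
            reg unload HKU\OffUser >nul
        ) else (
            echo   skipped: hive unreadable or already loaded
        )
    )
)
endlocal
```

Anything the output lists that points at an unfamiliar executable, or a Shell value other than explorer.exe, is a candidate for removal after the Sweeper scan and a pointer for the analysts back at HQ. Note that loading a hive is not forensically clean (reg.exe can touch the hive's transaction log), so if the machine may be evidence, image the disk before running this.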
System File Repair (SFC Scan)
During the analysis of an intrusion, system files may be identified that have been maliciously modified to stop the system from booting or to stop other assessment or recovery tools from operating. SFC Scan allows a quick repair of corrupted or missing system files. Because it replaces the modified files with stock copies, it destroys exactly the artifacts an investigator would want, so it isn't the right option where forensic analysis and preservation of the original system image must occur; for quick remediation, though, this is a very handy tool, shown in Figure 3.
Figure 3: System File Repair / SFC Scan.
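The same check and repair can be driven from the WinRE command prompt with the built-in sfc.exe, which accepts the offline installation's boot and Windows directories. The batch script below is an added example, not DaRT's SFC Scan tool and not from the original article. It runs a read-only verification first, pulls the SFC verdict lines ([SR] entries) out of CBS.log so the technician can see what is wrong before anything is written, and only repairs in place when invoked with the repair argument. It assumes the damaged installation is C:\ as seen from WinRE; where the log for an offline run lands is treated as an assumption, so the script checks both the WinRE ramdisk and the offline volume.

```batch
@echo off
setlocal
rem Offline System File Checker from the DaRT / WinRE command prompt.
rem Assumption: the damaged Windows installation is C:\ as seen from WinRE.
rem Usage:  offline_sfc.cmd          - verify only, writes nothing to the disk
rem         offline_sfc.cmd repair   - verify, then repair in place
set "OFFBOOT=C:\"
set "OFFWIN=C:\Windows"

echo === Read-only integrity check of the offline installation ===
sfc /verifyonly /offbootdir=%OFFBOOT% /offwindir=%OFFWIN%

rem SFC records its verdicts as [SR] lines in CBS.log. For an offline run the
rem log may land on the WinRE ramdisk or on the offline volume (assumption:
rem either is possible), so inspect both and keep only the interesting lines.
for %%L in ("%OFFWIN%\Logs\CBS\CBS.log" "%SystemRoot%\Logs\CBS\CBS.log") do (
    if exist %%L (
        echo --- SFC entries in %%~L ---
        findstr /c:"[SR]" %%L | findstr /i /c:"corrupt" /c:"repair" /c:"cannot"
    )
)

if /i not "%~1"=="repair" (
    echo Verify-only run finished. Image the disk before re-running with "repair".
    exit /b 0
)

echo === Repairing in place: modified system files are replaced with stock copies ===
sfc /scannow /offbootdir=%OFFBOOT% /offwindir=%OFFWIN%
endlocal
```

Running the verify-only pass first is the point: it tells you whether the boot failure is really a tampered system file, and it leaves the evidence intact until someone decides the machine will be repaired rather than imaged.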
Disk Wipe
One typical requirement of desktop support teams at the conclusion of an incident, or before a device is re-imaged, is wiping the disk. Oftentimes, third party tools are used to perform the wipe. DaRT is now able to perform either a quick single-pass overwrite (good for a quick re-image) or a four-pass United States Department of Defense 5220.22-M compliant wipe if the disk needs to be disposed of after being sanitized, shown in Figure 4. Two caveats: a wipe is irreversible, so confirm that any evidence needed from the system has already been imaged, and overwrite-based wiping is designed for magnetic disks; it does not reliably sanitize solid-state drives, whose controllers remap writes.
Figure 4: Disk Wipe Tool.
Locksmith
Locksmith is a tool for password recovery: resetting a local account whose password has been forgotten, or whose owner has since left the organization. Locksmith is very handy in consumer repair scenarios, but not overly useful in the corporate environment because it cannot reset domain accounts. If there's an unmanaged (non-domain-joined) device that needs a password reset, Locksmith does the job, shown in Figure 5. Be aware that resetting a local account's password from outside the running OS changes the credential without the account's knowledge, so any EFS-encrypted files and other DPAPI-protected secrets belonging to that account become unrecoverable; if those matter, recover the data first.
Figure 5: Locksmith Wizard for password reset.
DaRT has a fairly complete set of basic incident response and repair tools. It's a great arrow to add to your desktop support team's quiver; the capabilities in the toolset will not replace a full-fledged incident response suite, but they cover the basics, and it may be something your organization already owns.
In terms of analyzing and removing malware, resetting passwords, restoring system files that have been removed, editing the registry or restoring disk volumes, DaRT is a solid replacement for the assortment of tools your desktop support teams have likely cobbled together across several different boot disks. Consider evaluating DaRT in your environment and integrating it into your support process.