Lab Activity #1: Investigate Restore & Recover Tools for System Integrity
Title: Creating, Using, Removing System Restore Points for Windows 8.1
Tool Identification: Windows 8.1 System Restore Point utility
Description of the Tool:
Publisher: Windows
Features:
The restore point is the feature of this tool. A restore point is a saved snapshot of the
system's files and settings, stored by System Restore on a given date and time (Fisher,
2017).
Capabilities:
Manually and automatically create system restore points for a Windows 8.1 system
Use a system restore point to revert changes that were made to a Windows 8.1 system
Remove system restore points from a Windows 8.1 system
Revert the system to a previous software, registry, and driver configuration with a restore point
Typical Uses for Incident Response:
The system restore point utility is a great asset for the preparation phase and the recovery
phase of the Incident Response Process. The preparation phase is about limiting the number of
incidents that will occur by selecting and implementing a set of controls based on the results of
risk assessments (Cichonski, Millar, Grance, & Scarfone, 2012). The recovery phase involves
restoring systems to normal operations. Restore points are made in the preparation phase,
either manually or automatically. A restore point creates a good backup of the operating
system files and data structures in preparation for incident response. If an incident occurs,
the restore point is used in the recovery phase. Incidents can cause unauthorized
configuration changes; this can happen after an attack or a suspected attack. The system can
stop operating fully. Failed software installations and/or unwanted changes to the
operating system, application software, and/or files can occur. All of these incidents can be
resolved with a restore point, which can revert the system to a point where it did not have
those issues. Even when the operating system cannot boot to the Windows screen, the restore
point can still be accessed to fix the issue.
Resources (Further Reading):
1. Detailed step-by-step instructions for using System Restore in Windows 10, 8, or 8.1 are
given in the reference listed below.
https://www.lifewire.com/how-to-use-system-restore-in-windows-2626131
2. A definition of restore points, when they are created, and what they contain is given in
the reference listed below.
https://www.lifewire.com/what-is-a-restore-point-2625988
3. Configuring the frequency and time at which a restore point is automatically made is shown in the
reference below.
https://www.howtogeek.com/278388/how-to-make-windows-automatically-create-a-system-restore-point-at-startup/
How to Use This Tool:
There are several ways to get to the correct menu and tab (the System Properties menu with
the System Protection tab) to create a restore point. Executing rstrui.exe, using the Control Panel,
searching for "restore point" on the Windows screen, and using WIN+X and selecting System after
right-clicking the Start button are several ways to get to the System Properties menu. After getting
to that menu, the System Protection tab needs to be selected to get the options of using a
restore point, creating a restore point, and removing a system restore point. To create a restore
point, select the Create button. To delete a restore point, select the Configure button
and then the Delete button. To do a system restore, select the System Restore
button and then select the restore point.
There is another method to activate System Restore in the case that the system
cannot boot to the operating system normally. To perform this, the Shift key has to be held down
and F8 has to be tapped continuously during the boot process to get to recovery mode
(Fisher, 2017). Once in recovery mode, the advanced options menu has to be selected to
open up the option for System Restore.
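The same create, list, and restore steps can be scripted for the preparation phase. The following is an added example, not part of the original lab report; it assumes an elevated Windows PowerShell session, a system drive of C:\, and a made-up description label.

```powershell
# Added example, not part of the lab report. Run in an elevated Windows PowerShell session.
# Assumptions: the system drive is C:\ and the description string is a made-up label.
$drive       = 'C:\'
$description = 'IR-prep baseline'   # hypothetical label

# 1. Make sure System Protection is enabled on the system drive.
Enable-ComputerRestore -Drive $drive

# 2. Record the newest existing restore point (if any) so the result can be verified.
$before = Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Sort-Object SequenceNumber | Select-Object -Last 1
$beforeSeq = if ($before) { $before.SequenceNumber } else { 0 }

# 3. Create the restore point. On Windows 8 and later, Windows skips the request with a
#    warning if another restore point was created within the last 24 hours (default).
Checkpoint-Computer -Description $description -RestorePointType MODIFY_SETTINGS

# 4. Verify that a new point exists instead of trusting that the call succeeded.
$after = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
if ($after -and $after.SequenceNumber -gt $beforeSeq) {
    "Created restore point #$($after.SequenceNumber): $($after.Description)"
} else {
    Write-Warning 'No new restore point was created; check the warning above.'
}

# 5. List all restore points with readable timestamps (the same list the GUI shows).
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 6. Recovery phase: revert to a chosen point. This restarts the computer, so it is left
#    commented out. After the reboot, -LastStatus reports whether the restore succeeded.
# Restore-Computer -RestorePoint $after.SequenceNumber -Confirm
# Get-ComputerRestorePoint -LastStatus
```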
Notes / Warnings / Restrictions:
Notes:
Windows is configured so that restore points are automatically created once every week and
before a major change to the system (e.g., Windows updates, app and driver installations). The
configuration for when the system automatically creates restore points can be changed.
Warnings:
Changes made during System Restore from safe mode are irreversible.
Restrictions:
Non-system files like documents, music, video, email, etc. are not affected when using the
Windows System Restore utility.
References
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident
Handling Guide. (NIST SP 800-61). Retrieved from
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Fisher, T. (2016, March 16). What is a Restore Point? Retrieved from
https://www.lifewire.com/what-is-a-restore-point-2625988
Fisher, T. (2017, March 09). How To Use System Restore in Windows. Retrieved from
https://www.lifewire.com/how-to-use-system-restore-in-windows-2626131
Glenn, W. (2016, October 31). How to Make Windows Automatically Create a System Restore
Point at Startup. Retrieved from https://www.howtogeek.com/278388/how-to-make-windows-automatically-create-a-system-restore-point-at-startup/
Title: Managing Programs and Features for Windows 8.1
Tool Identification: Programs and Features tool
Description of the Tool:
Publisher: Windows
Features:
Windows Features, Uninstall or change a program, and Windows Update are the features of the
Programs and Features tool. The Windows Features option gives access to a list of features that
Windows provides that can be activated or deactivated. The Uninstall or change a program option
gives the user access to modify, repair, or uninstall a program. The Windows Update option allows
updates for Windows and Windows applications.
Capabilities:
Turn Windows Features On or Off
Modify, Repair, or Uninstall a program from a Windows 8.1 system
Select and Install Updates for Windows and Windows Applications, Find an installed Update, Remove an installed update
Typical Uses for Incident Response:
The Programs and Features tool is used in the preparation phase and the containment/recovery
phase of an Incident Response Process. Turning off the remote access feature and updating
Windows or Windows applications are capabilities that can be used in the preparation phase.
Turning off the remote access service prevents others from connecting remotely to the system. This
helps prevent attacks through remote access. There are possible vulnerabilities that could be fixed
with updates. Updating Windows and Windows applications keeps the system prepared for
attackers who are trying to exploit vulnerabilities of systems that do not have the current
updates.
The containment phase would involve turning off features to stop the spread and
advancement of an attack. WannaCry and Petya are ransomware that exploit the
SMBv1 protocol (Hoffman, 2017). This protocol can be turned off using the Programs and
Features tool. Unauthorized programs can be installed after an attack or suspected attack. These
unauthorized programs can cause system issues and can be removed with the tool. The
Programs and Features tool can remove operating system utilities or features, application
software, and/or patches/updates when unwanted changes made to them are negatively
affecting the system.
Resources (Further Reading):
1. More information about manually updating Windows applications and changing the
automatic update settings can be found at the reference below.
https://www.lifewire.com/download-updates-in-windows-8-1-3506864
2. More information about adding or removing (un)wanted Windows features, programs or
apps can be found at the reference below.
http://www.digitalcitizen.life/how-add-or-remove-unwanted-windows-features-programs-or-apps
3. More information about Windows features you can safely disable and how to disable
those features can be found at the reference below.
http://lifehacker.com/this-list-details-all-the-windows-features-you-can-safe-1606731067
How to Use This Tool:
Right-clicking on the bottom left of the Windows screen will provide the option for the
Programs and Features menu. Once the Programs and Features menu is open, there will be a
Windows Features On or Off option. Selecting that option will bring up the menu to turn on or
off a selection of Windows features.
Going to Settings, Change PC Settings, Update and Recovery, and then Windows Update
will open up the options to install updates for Windows and Windows applications. Searching
for "install updates" on the Windows screen will provide the selection to view installed updates.
Clicking on the link will bring up the installed updates menu, which shows Windows
applications and has the option to remove the updates.
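The three areas of the tool (Windows features, installed updates, installed programs) can also be reviewed from the command line during containment. The following is an added example, not part of the original lab report; it assumes an elevated Windows PowerShell session and a 7-day review window chosen for illustration.

```powershell
# Added example, not part of the lab report. Run in an elevated Windows PowerShell session.
# Assumption: a 7-day review window; adjust $since to the incident timeline.
$since = (Get-Date).AddDays(-7)

# 1. Windows feature: report the SMBv1 state and turn it off if it is still enabled.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
"SMB1Protocol state: $($smb1.State)"
if ($smb1.State -eq 'Enabled') {
    # -NoRestart defers the reboot; the change is complete only after restarting.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 2. Installed updates: newest first, to confirm patches are present and spot removals.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn | Format-Table -AutoSize

# 3. Installed programs: read the uninstall registry keys that Programs and Features
#    lists, and show entries installed inside the review window.
#    Entries without a yyyyMMdd InstallDate value are skipped and need manual review.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.DisplayName
            Publisher = $_.Publisher
            Installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        }
    } |
    Where-Object { $_.Installed -ge $since } |
    Sort-Object Installed -Descending | Format-Table -AutoSize
```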
Notes / Warnings / Restrictions:
Notes:
There are Windows features that are active by default that do not have to be activated.
Warning:
Some features work together with other services. Turning off a feature can disable other
services for the system.
Restrictions:
This tool cannot be used to install applications that were uninstalled.
References
Hoffman, C. (2017, August 23). How to Disable SMBv1 and Protect Your Windows PC From
Attack. Retrieved from https://www.howtogeek.com/321072/how-to-disable-smbv1-and-protect-your-windows-pc-from-attack/
Kingsley, R. (2017, February 1). How to Download Updates in Windows 8.1. Retrieved from
https://www.lifewire.com/download-updates-in-windows-8-1-3506864
Ravenscraft, E. (2014, July 18). This List Details All the Windows Features You Can Safely
Disable. Retrieved from http://lifehacker.com/this-list-details-all-the-windows-features-you-can-safe-1606731067
Rusen, C. A. (2016, February 11). How to add or remove (un)wanted Windows features,
programs or apps. Retrieved from http://www.digitalcitizen.life/how-add-or-remove-unwanted-windows-features-programs-or-apps