SecurIMAG Live computer forensics - Virtual memory acquisition and exploitation on Windows NT6+
Fabien Duchene (1,2), Guillaume Touron (2)
1. Laboratoire d'Informatique de Grenoble, VASCO team, firstname.name@imag.fr
2. Grenoble Institute of Technology - Grenoble INP - Ensimag, firstname.name@ensimag.fr
Fabien Duchene, Guillaume Touron (SecurIMAG), Forensics-Live mem NT6

Outline
1. Computer forensics
   - Introduction
   - Talk focus
2. Acquiring Windows x86 virtual memory
   - Some methods
   - Some tools
3. Memory exploiting / analysis
   - The TrueCrypt example
   - Kmode exploration
   - DKOM attacks
4. Conclusion

1. Computer forensics

Computer forensics: what?
- Forensic science: answers questions of interest to a legal system.
- Digital forensics: forensic science applied to digital devices.
- Computer forensics: identifying, preserving, recovering, analyzing, and presenting facts and opinions about digital information.
- Basically, it answers the question: what happened?

Types of computer forensics
- Static / dead: analysis of a system dump image (e.g. unplug the power cord, then analyze)
- Live: analysis of a running system
- In-between: analysis of a memory image of a running system
- Write-blocking reader

Forensics... why? (forensics, live forensics?)
- In search of the truth!
- Because they might still be in memory:
  - cryptographic keys
  - credentials

Live forensics
- Live acquisition: acquiring data while modifying it as little as possible, and being aware of the IMPACT!
- The ultimate live forensics goal: get a complete snapshot of the system:
  - CPU flags, registers, cache...
  - storage: RAM, HDD...
  - motherboard state
  - peripherals: NIC (buffers, own CPU and memory state...)
- Can we do it? Only he can!

Talk topic
- Live memory acquisition
- Post-mortem analysis

2. Acquiring Windows x86 virtual memory

Cold boot attacks
- Works on: any computer using DRAM
- Requires: physical access
- DRAM chips retain their content for several seconds after being powered off.
- Attack:
  - Freeze them
  - Plug them into a DRAM reader
  - Dump the content... and enjoy!
- Findings of the article [Lest We Remember: Cold Boot Attacks on Encryption Keys 2008]:
  - Bit decay increases over time
  - Pulse decay time is longer when the temperature is lower

Virtual machine snapshots
- Hypervisor examples:
  - Microsoft Hyper-V, Virtual-PC
  - VMWare ESX
  - Oracle VirtualBox
  - Parallels Desktop
- What is a VM snapshot?
  - a photo of the state and data of a VM at a given time
  - basically, the ultimate live forensics goal + the VM power state (powered-on, off, suspended)

VM snapshot attack
- Works on: any hypervisor having at least one virtualized computer
- Requires:
  - online: hypervisor snapshot privilege (take, apply)... or a way to subvert the hypervisor (e.g. VM peripheral drivers), do it the teach way!
  - offline: take snapshot and read access to the vhd file
- Attack:
  - take a snapshot
  - export the virtual machine on a storage medium
  - import it
  - apply the snapshot (also restores virtual DRAM content)

Virtual Hard Disk [lucd 2010] [Savill 2008]
- Virtualized hard disk types:
  - dynamic-sized file: dynamically evolving size (sectors on which data is written); VHD file size virtual disk capacity
  - fixed-sized file: VHD file size virtual disk capacity; better performance
  - differential: dynamic file that only stores modifications from the parent
- Snapshot operations:
  - take one
  - delete one
  - merge several ones
  - apply one

random crap about the Hyper-V and VirtualPC VHD

DMA attacks [Subverting Windows 7 x64 Kernel with DMA attacks]
- Direct Memory Access:
  - PCI specifications, for performance
  - any device can issue a read/write DMA request
- Do you spot the problem? DMA bypasses the CPU, thus the OS.

DMA attacks implementations (public ones...)
- Firewire:
  - 2004: Maximilian Dornseif (Mac OS X)
  - 2006: Adam Boileau (Windows XP)
  - 2008: Damien Aumaitre (virtual memory reconstruction)
- PCI: Christophe Devine and Guillaume Vissian, custom DMA engine implemented on an FPGA card
- PCMCIA / CardBus / ExpressCard: 2010, Damien Aumaitre, Christophe Devine

DMA attack - the PCMCIA case
- PCMCIA is a 32-bit port, thus only the first 4 GB of physical memory are addressable
- Need to identify the structures: we are not working on virtual memory, but directly on physical memory!
- For more good beef: [Subverting Windows 7 x64 Kernel with DMA attacks]

Hibernate file
- hiberfil.sys: hibernation file
- Since Windows 2000 (NT5)
- Undocumented format
- File stored on the disk drive
- Content:
  - physical memory dump
  - related to pagefile.sys (virtual memory control)

Sandman: from hibernation to physical memory dump
- Converts the hibernation file hiberfil.sys into a regular memory dump [Matthieu Suiche 2008]

Windows Crash Dump
- What is a crash dump? Yep, that's it!
- A capture of the state of an application (in the broad sense, including the operating system) when a crash event occurs
- Handled by kernel emergency functions

Windows Crash Dump I [Hameed 2008]
- Complete memory dump:
  - 1 MB header
  - complete physical memory dump
- Kernel memory dump:
  - 1 MB header
  - kernel R/W pages
  - kernel non-paged memory: list of running processes, loaded device drivers

Windows Crash Dump II
- Small memory dump (MiniDump):
  - 64 KB dump (128 KB on 64-bit)
  - stop code, parameters, list of loaded device drivers, kernel stack for the thread that crashed, information about the current process and thread

Automatic execution
- ...: fake iPod USB token loaded, then automatic mounter and commands running in the background.
- demo? teensy?

[Figure: x86 VMM]
[Figure: x64 VMM]

Win32dd I
- Win32dd, by Matthieu Suiche (now part of the Moonsols Memory Toolkit)
- Goal: dumping physical memory using different acquisition methods
- Physical memory dumping on:
  - Windows XP (NT 5): \Device\PhysicalMemory...
  - Windows Vista (NT6+): no longer available
- Other acquisition methods:
  - PFN database
  - MmMapIoSpace

[Figure: PFN database]

Win32dd I
- We focus on the MmMapIoSpace method
- How does it work? Do some RE on the Win32dd driver
- User/kernel communication in Windows:
  - Physical memory access is only possible in kernel mode
  - Win32dd extracts its driver and registers it
  - The driver creates a device
  - The user-land program opens the device and sends commands
  - The DeviceIoControl API sends an IRP to the driver

[Figure: Physical address space layout]

Win32dd I
- First: Win32dd retrieves the physical memory runs
  - runs are the physical memory ranges actually used by the system
- For >= NT5.1: get MmPhysicalMemoryBlock in KDDEBUGGER_DATA64
- Otherwise:
  - use MmGetPhysicalMemoryRanges
  - build MmPhysicalMemoryBlock yourself

Win32dd II
- Second: Win32dd now knows every physical run. Global algorithm:
  - Iterate over each run
  - Map it with MmMapIoSpace
  - Write it into your memory dump file
  - Repeat the iteration NumberOfRuns times...

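The run-by-run loop above has a consequence for whoever analyzes the dump: file offsets no longer equal physical addresses unless the gaps between runs are padded. The sketch below is an added example, not Win32dd code; the run list, the `read_run` stand-in for the kernel mapping step, and the function names are all constructed for illustration.

```python
import io

PAGE_SIZE = 0x1000

# Constructed run list shaped like (BasePage, PageCount) pairs.
RUNS = [(0x1, 3), (0x10, 4), (0x100, 2)]


def read_run(base_page, page_count):
    """Stand-in for mapping one run: every page is filled with the low byte
    of its page frame number so results can be checked afterwards."""
    return b"".join(bytes([pfn & 0xFF]) * PAGE_SIZE
                    for pfn in range(base_page, base_page + page_count))


def acquire(runs, reader, out, pad_gaps=False):
    """Iterate each run, read it, append it to the dump.

    Returns an index of (base_page, page_count, file_offset) so that a
    physical address can be located in the file later. With pad_gaps=True
    the holes between runs are zero-filled and the file becomes an
    identity-mapped raw image.
    """
    index, next_page = [], 0
    for base_page, page_count in runs:
        if pad_gaps and base_page > next_page:
            out.write(b"\x00" * ((base_page - next_page) * PAGE_SIZE))
        index.append((base_page, page_count, out.tell()))
        out.write(reader(base_page, page_count))
        next_page = base_page + page_count
    return index


def phys_to_offset(index, phys_addr):
    """Map a physical address to its offset in the dump file.

    Returns None when the address lies in a gap between runs, i.e. it was
    never acquired (for example a device-mapped range).
    """
    pfn, within = divmod(phys_addr, PAGE_SIZE)
    for base_page, page_count, file_offset in index:
        if base_page <= pfn < base_page + page_count:
            return file_offset + (pfn - base_page) * PAGE_SIZE + within
    return None


if __name__ == "__main__":
    packed = io.BytesIO()
    idx = acquire(RUNS, read_run, packed)
    for addr in (0x10234, 0x5000, 0x101000):
        off = phys_to_offset(idx, addr)
        print(hex(addr), "->", "not acquired" if off is None else hex(off))
```
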
3. Memory exploiting / analysis

Memory forensics
- Kernel objects listing: see next slides
- Extracting in-memory cryptographic key material:
  - TrueCrypt case
  - The user can choose to cache their passphrase
  - Go through kernel structures

Memory forensics - TrueCrypt example I
- Hypothesis: the user enabled passphrase caching
- Passphrase caching: the passphrase is stored by the TrueCrypt kernel driver
- How to find this material?
- 1: Find the DRIVER_OBJECT structure
  - Brute-force approach:
    - Look for specific structure patterns and constants: OBJECT_HEADER, DISPATCH_HEADER...
    - Kernel addresses > MmSystemRangeStart (0x )
  - List walking approach (e.g. PsLoadedModuleList): KDDEBUGGER_DATA64

Memory forensics - TrueCrypt example II
- 2: Find the DEVICE_OBJECT structure
  - Check DRIVER_OBJECT.DeviceObject
  - Device list walking: DeviceObject.NextDevice
- Retrieve DeviceObject.DeviceExtension:
  - Used by the driver programmer to store device-specific data
  - Persistent data (non-paged pool)
- DeviceExtension found, then? Analyze the TrueCrypt-specific structures and extract the master keys

Volatility I
- Volatility framework: a framework for exploring Windows physical memory dumps
- Useful features:
  - List processes (PSLIST, see next slides...)
  - Dump the Windows registry...
- Focus on PSLIST. Goal: retrieve the list of processes that were active when the snapshot was taken

[Figure: Volatility II]

Volatility - PSLIST I
- First goal: retrieve KPCR.ActiveProcessListHead
- Problem: where is the KPCR (in physical address space)?
- We must find a Page Directory Table:
  - Take EPROCESS.PageDirectoryTable[0] (== CR3 on x86)
  - EACH PROCESS SHARES THE SAME KERNEL SPACE MAPPING (modulo session space, which we do not care about here)
- First step: find an EPROCESS structure in memory, by recognizing some patterns

Volatility - PSLIST II
- Once CR3 is found, retrieve the KPCR:
  - The KPCR is always mapped at FS:[0] in kernel mode
  - At a fixed virtual address: 0xffdff000
- We are now able to retrieve KPCR.ActiveProcessListHead
- PSLIST: we can list the active processes and dump them (their whole virtual address space)

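The two PSLIST steps above (translate kernel virtual addresses through the page directory found in CR3, then follow a doubly linked list from a pointer held in the KPCR page) can be sketched as follows. This is an added example, not Volatility's code: the memory image is constructed, it covers 32-bit non-PAE paging only, and the offsets `HEAD_PTR_OFF`, `LINKS_OFF`, `PID_OFF` and `NAME_OFF` are hypothetical stand-ins for the version-specific KPCR and EPROCESS layouts.

```python
import struct

PAGE = 0x1000
KPCR_VA = 0xFFDFF000                      # fixed x86 KPCR address from the slide
HEAD_PTR_OFF = 0x40                       # hypothetical: list-head pointer in KPCR page
LINKS_OFF, PID_OFF, NAME_OFF = 4, 0, 12   # hypothetical process record layout


class X86AddressSpace:
    """32-bit non-PAE paging on top of a flat physical memory image."""

    def __init__(self, image, cr3):
        self.image = image
        self.cr3 = cr3 & 0xFFFFF000

    def _phys_u32(self, pa):
        if pa + 4 > len(self.image):
            raise ValueError("physical address 0x%x outside the image" % pa)
        return struct.unpack_from("<I", self.image, pa)[0]

    def vtop(self, va):
        """Translate a virtual address; None when the PDE or PTE is not present."""
        pde = self._phys_u32(self.cr3 + (va >> 22) * 4)
        if not pde & 1:
            return None
        if pde & 0x80:                    # PS bit set: 4 MB large page
            return (pde & 0xFFC00000) | (va & 0x3FFFFF)
        pte = self._phys_u32((pde & 0xFFFFF000) + ((va >> 12) & 0x3FF) * 4)
        if not pte & 1:
            return None
        return (pte & 0xFFFFF000) | (va & 0xFFF)

    def read(self, va, size):
        """Read across page boundaries, translating each page separately."""
        out = b""
        while size:
            pa = self.vtop(va)
            chunk = min(size, PAGE - (va & 0xFFF))
            if pa is None or pa + chunk > len(self.image):
                raise ValueError("virtual address 0x%x is not readable" % va)
            out += bytes(self.image[pa:pa + chunk])
            va, size = va + chunk, size - chunk
        return out

    def u32(self, va):
        return struct.unpack("<I", self.read(va, 4))[0]


def list_processes(image, cr3, limit=4096):
    """Follow Flink pointers from the list head until the walk returns to it."""
    aspace = X86AddressSpace(image, cr3)
    head = aspace.u32(KPCR_VA + HEAD_PTR_OFF)
    procs, seen = [], set()
    flink = aspace.u32(head)
    while flink != head:
        if flink in seen or len(seen) >= limit:
            raise ValueError("list never returns to its head (corrupt or smeared image)")
        seen.add(flink)
        base = flink - LINKS_OFF          # list entry sits inside the record
        raw = aspace.read(base + NAME_OFF, 16)
        name = raw.split(b"\0")[0].decode("ascii", "replace")
        procs.append((aspace.u32(base + PID_OFF), name))
        flink = aspace.u32(flink)
    return procs


def build_sample_image():
    """Constructed 32 KB 'physical memory' with two process records."""
    img = bytearray(0x8000)

    def put(pa, value):
        struct.pack_into("<I", img, pa, value)

    cr3 = 0x1000
    put(cr3 + 0x200 * 4, 0x00000081)      # VA 0x80000000: 4 MB page -> PA 0
    put(cr3 + 0x3FF * 4, 0x00002001)      # PDE for 0xFFC00000..: table at PA 0x2000
    put(0x2000 + 0x1FF * 4, 0x00003001)   # PTE for 0xFFDFF000 -> PA 0x3000
    head = 0x80004000
    put(0x3000 + HEAD_PTR_OFF, head)
    records = [(0x80005000, 4, b"System"), (0x80005100, 512, b"lsass.exe")]
    links = [head] + [va + LINKS_OFF for va, _, _ in records]
    for i, link_va in enumerate(links):
        pa = link_va - 0x80000000
        put(pa, links[(i + 1) % len(links)])   # Flink
        put(pa + 4, links[i - 1])              # Blink
    for va, pid, name in records:
        pa = va - 0x80000000
        put(pa + PID_OFF, pid)
        img[pa + NAME_OFF:pa + NAME_OFF + len(name)] = name
    return img, cr3


if __name__ == "__main__":
    image, cr3 = build_sample_image()
    print(list_processes(image, cr3))
```

The cycle check matters on real acquisitions: a dump taken from a running system can contain half-updated list pointers, and an unchecked walk would loop forever.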
Reminders of Windows security mechanisms I [Windows Internal 5th Ed. - Vista and 2008 Server]
- Securable objects:
  - Protected with a SECURITY_DESCRIPTOR
  - Access Control Lists (SIDs; associated allowed operations on the object)
  - e.g. Peripherals, Files, Jobs, Shared memory sections, Pipes, LPC ports, Events, Mutexes, Timers, Semaphores, Access tokens, Window stations, Desktops, SMB shares, Services, Registry keys...

[Figure: Reminders of Windows security mechanisms II]

Reminders of Windows security mechanisms III
- Security token: when accessing an object, the Security Reference Monitor checks the TOKEN of the process:
  - Process owner: user SID, groups SIDs
  - Privileges (f(process, user SIDs))
  - Virtualization state
  - Session

[Figure: Reminders of Windows security mechanisms IV]

DKOM attacks I
- DKOM: Direct Kernel Object Manipulation
- Example:
  - Hibernate file retrieved with Sandman
  - Snapshot file (virtual machine)
- Or DKOM on a living machine, with a kernel driver, e.g. rootkits

DKOM attacks II
- FULL ACCESS to physical memory (user and kernel!)
- YOU CAN READ/MODIFY EVERYTHING YOU WANT
- Hypothesis: you can re-inject your modifications
- Get the token: the TOKEN is accessed from the EPROCESS structure
- Possible attack: privilege escalation
  - Find an appropriate EPROCESS structure, e.g. a process you can exploit and make exec YOUR shellcode
  - Modify your TOKEN SID
  - Be r00t, take the NT AUTHORITY/SYSTEM SID
  - Subsequent object accesses or process creations are performed under SYSTEM

DKOM attacks III
- Conclusion:
  - Powerful attack, but hard to use IRL
  - A similar escalation process is used for kernel vulnerability exploitation

DKOM application: unlocking a Windows 7 x64 computer
- Idea: modify the password validation function msv1_0.dll!MsvpPasswordValidate [Boileau 2006]
- That password validation function compares hash(inputted password) with the stored hash(user password), then jumps to a location if they are not equal (cmp then jnz)
- How to modify the memory? jnz jmp
- [Subverting Windows 7 x64 Kernel with DMA attacks]

4. Conclusion

Conclusion
- Many methods for acquiring memory on a live system:
  - OS independent: cold boot, DMA, snapshot
  - OS dependent: snapshot (if hypervisor evasion), dumping tools, crash
- Regarding exploitation:
  - take care to keep the kernel structures coherent (or you might get a BSOD!)
  - watch out for kernel protections such as PatchGuard (basically periodic checks, so the trick must not last too long)

For Further Reading
- Boileau, Adam (2006). winlockpwn attack (Firewire). In:
- Damien Aumaitre, Christophe Devine. Subverting Windows 7 x64 Kernel with DMA attacks. In: Sogeti-ESEC 0-hitbamsterdam-dmaattacks.pdf.
- Hameed, CC (2008). Understanding Crash Dump Files. In: WeblogApp=askperf&y=2008&m=01&d=0 8&WeblogPostName=understanding-crash-dump-files&GroupKeys=.
- Lest We Remember: Cold Boot Attacks on Encryption Keys (2008). In: J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum and Edward W. Felten
- lucd (2010). yadr A vdisk reporter. In:
- Mark E. Russinovich, David A. Solomon, Alex Ionescu and so many more (incl. Bernard Ourghanlian). Windows Internal 5th Ed. - Vista and 2008 Server.
- Matthieu Suiche, Nicolas Ruff (@Newsoft) (2008). Sandman. In:
- Savill, John (2008). Q. I'm deleting a Hyper-V virtual machine (VM) that had snapshots. Why is the VM delete taking so long? In: leting-a-hyper-v-virtual-machine-vm-that-had-snapshots-wh y-is-the-vm-delete-taking-so-long-.
More informationFor Hyper-V Edition Practical Operation Seminar. 4th Edition
For Hyper-V Edition Practical Operation Seminar 4th Edition 3.5 for Hyper-V 1. ActiveImage Protector made available in 8 editions Server Edition Support for backup of server OS s, Windows 2000 or later,
More informationCitrix Training. Course: Citrix Training. Duration: 40 hours. Mode of Training: Classroom (Instructor-Led)
Citrix Training Course: Citrix Training Duration: 40 hours Mode of Training: Classroom (Instructor-Led) Virtualization has redefined the way IT resources are consumed and services are delivered. It offers
More informationKaseya 2. User Guide. Version 7.0. English
Kaseya 2 Backup User Guide Version 7.0 English September 3, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated
More informationCitrix XenServer 6 Administration
Citrix XenServer 6 Administration CTX-XS06 DESCRIZIONE: In this Citrix XenServer 6.0 training course, you will gain the foundational knowledge necessary to effectively install, configure, administer, and
More informationHDD Password Tool. User s Manual. English
HDD Password Tool User s Manual English 1 Table of Contents Chapter 1: Introduction... 3 Trademarks... 3 Chapter 2: Required Operating System... 5 - HDD Password Tool for Windows... 5 - HDD Password Tool
More informationRecon 2011 - Montreal
How to develop a rootkit for Broadcom NetExtreme network cards Guillaume Delugré Sogeti / ESEC R&D guillaume(at)security-labs.org Recon 2011 - Montreal . Delugré How to develop a rootkit for Broadcom NetExtreme
More informationDesigning and Deploying Connected Device Solutions for Small and Medium Business
Designing and Deploying Connected Device Solutions for Small and Medium Business HPATA Connected Devices Study Guide Rev 1.1 Table of Contents 1.1 Describe and recognize common desktop virtualization technologies
More informationRun-Time Deep Virtual Machine Introspection & Its Applications
Run-Time Deep Virtual Machine Introspection & Its Applications Jennia Hizver Computer Science Department Stony Brook University, NY, USA Tzi-cker Chiueh Cloud Computing Center Industrial Technology Research
More informationWindows XP/Vista/7 Directory Structures
Windows XP/Vista/7 Directory Structures System Partition NTLDR boot.ini ntdetect.com bootsect.dos hiberfil.sys pagefile.sys Boot Partition Boot Documents and Settings (XP) Inetpub PerfLogs Program Files
More information4.1 Introduction 4.2 Explain the purpose of an operating system 4.2.1 Describe characteristics of modern operating systems Control Hardware Access
4.1 Introduction The operating system (OS) controls almost all functions on a computer. In this lecture, you will learn about the components, functions, and terminology related to the Windows 2000, Windows
More informationTimbuktu Pro for Windows, version 8
Timbuktu Pro for Windows, version 8 Release Notes, version 8.6.8 May 2010 This document contains important information about Timbuktu Pro for Windows, version 8. If you have additional questions, consult
More informationA Hypervisor IPS based on Hardware assisted Virtualization Technology
A Hypervisor IPS based on Hardware assisted Virtualization Technology 1. Introduction Junichi Murakami (murakami@fourteenforty.jp) Fourteenforty Research Institute, Inc. Recently malware has become more
More informationReport on virtualisation technology as used at the EPO for Online Filing software testing
Report on virtualisation technology as used at the EPO for Online Filing software testing Virtualisation technology lets one computer do the job of multiple computers, all sharing the resources - including
More informationRelease Notes: NovaBACKUP v16.1
What s new in NovaBACKUP 16.1? Release Notes: NovaBACKUP v16.1 NovaBACKUP 16.1 (August, 2014) Backup for the Rest of Us New Features NovaBACKUP / Central Management Console o Ability to set a Holiday Schedule
More informationEnd-User troubleshooting guide For Sentinel SuperPro/UltraPro and Sentinel Hardware Keys
End-User troubleshooting guide For Sentinel SuperPro/UltraPro and Sentinel Hardware Keys Preface Welcome to Safenet End User Troubleshooting guide! This guide is intended to assist our Distributors, Customers
More informationCXS-203-1 Citrix XenServer 6.0 Administration
Page1 CXS-203-1 Citrix XenServer 6.0 Administration In the Citrix XenServer 6.0 classroom training course, students are provided with the foundation necessary to effectively install, configure, administer,
More informationDisk encryption... (not only) in Linux. Milan Brož mbroz@redhat.com
Disk encryption... (not only) in Linux Milan Brož mbroz@redhat.com FDE - Full Disk Encryption FDE (Full Disk Encryption) whole disk FVE (Full Volume Encryption) just some volumes (dis)advantages? + for
More informationIn order to upload a VM you need to have a VM image in one of the following formats:
What is VM Upload? 1. VM Upload allows you to import your own VM and add it to your environment running on CloudShare. This provides a convenient way to upload VMs and appliances which were already built.
More informationAutodesk Inventor on the Macintosh
Autodesk Inventor on the Macintosh FREQUENTLY ASKED QUESTIONS 1. Can I install Autodesk Inventor on a Mac? 2. What is Boot Camp? 3. What is Parallels? 4. How does Boot Camp differ from Virtualization?
More informationCreated on May 20, 2015
Symantec System Recovery 2013, Symantec System Recovery 2013 Linux Edition, Symantec System Recovery 2013 Management Solution, and Symantec System Recovery 2013 Monitor Software Compatibility List Created
More informationParallels Cloud Server 6.0 Readme
Parallels Cloud Server 6.0 Readme Copyright 1999-2012 Parallels IP Holdings GmbH and its affiliates. All rights reserved. Contents About This Document... 3 About Parallels Cloud Server 6.0... 3 What's
More informationSecurity. Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik. Copyright 2001-2004 Hermann Härtig, Ronald Aigner
Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik Outline Ratings System Components Logon Object (File) Access Impersonation Auditing 2 Ratings National Computer Center (NCSC) part
More informationRunning Windows on a Mac. Why?
Running Windows on a Mac Why? 1. We still live in a mostly Windows world at work (but that is changing) 2. Because of the abundance of Windows software there are sometimes no valid Mac Equivalents. (Many
More informationUSB Flash Drive User s Manual
USB Flash Drive User s Manual V4.01 Introduction Thank you for your purchasing the USB Drive. This manual will guide you through the usages of the USB Drive and of all management tools coming with it.
More informationChapter 12: Windows XP, Vista, and 7
Chapter 12: Windows XP, Vista, and 7 Complete CompTIA A+ Guide to PCs, 6e To distinguish between the Windows XP, Vista, and 7 operating systems To install, configure, and troubleshoot Windows XP, Vista,
More informationBackupAssist v6 quickstart guide
New features in BackupAssist v6... 2 VSS application backup (Exchange, SQL, SharePoint)... 3 System State backup... 3 Restore files, applications, System State and mailboxes... 4 Fully cloud ready Internet
More informationBackupAssist v6 quickstart guide
Using the new features in BackupAssist v6... 2 VSS application backup (Exchange, SQL, SharePoint)... 2 Backing up VSS applications... 2 Restoring VSS applications... 3 System State backup and restore...
More informationAcronis Backup & Recovery 11.5
Acronis Backup & Recovery 11.5 Installation Guide Applies to the following editions: Advanced Server Virtual Edition Advanced Server SBS Edition Advanced Workstation Server for Linux Server for Windows
More informationAn Introspection-Based Memory Scraper Attack against Virtualized Point of Sale Systems
An Introspection-Based Memory Scraper Attack against Virtualized Point of Sale Systems Jennia Hizver and Tzi-cker Chiueh Department of Computer Science, Stony Brook University, Stony Brook, USA {jhizver,
More informationHow do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself
How do Users and Processes interact with the Operating System? Users interact indirectly through a collection of system programs that make up the operating system interface. The interface could be: A GUI,
More informationAcronis Backup & Recovery 11
Acronis Backup & Recovery 11 Update 0 Installation Guide Applies to the following editions: Advanced Server Virtual Edition Advanced Server SBS Edition Advanced Workstation Server for Linux Server for
More informationParallels Cloud Server 6.0
Parallels Cloud Server 6.0 Readme September 25, 2013 Copyright 1999-2013 Parallels IP Holdings GmbH and its affiliates. All rights reserved. Contents About This Document... 3 About Parallels Cloud Server
More informationSecurity Overview for Windows Vista. Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation
Security Overview for Windows Vista Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation Agenda User and group changes Encryption changes Audit changes User rights New and modified
More informationIn addition to their professional experience, students who attend this training should have technical knowledge in the following areas.
6422A - Implementing and Managing Windows Server 2008 Hyper-V Course Number: 6422A Course Length: 3 Days Course Overview This three-day instructor-led course teaches students how to implement and manage
More informationPARALLELS SERVER BARE METAL 5.0 README
PARALLELS SERVER BARE METAL 5.0 README 1999-2011 Parallels Holdings, Ltd. and its affiliates. All rights reserved. This document provides the first-priority information on the Parallels Server Bare Metal
More informationAcronis Backup & Recovery 10 Server for Windows. Installation Guide
Acronis Backup & Recovery 10 Server for Windows Installation Guide Table of Contents 1. Installation of Acronis Backup & Recovery 10... 3 1.1. Acronis Backup & Recovery 10 components... 3 1.1.1. Agent
More informationRelease Notes: NovaBACKUP 17.3
What s new in NovaBACKUP 17.3? Release Notes: NovaBACKUP 17.3 NovaBACKUP 17.3.1203 (December, 2015) Backup for the Rest of Us New Features NovaBACKUP o Support of VMware 6.0 o Enhanced "Last Run" column
More informationHow To Install The Safenet-Inc.Com Software On A Pc Or Mac Or Macintosh (For A Powerpoint) With A Powerline (For Windows) Or Ipad (For Mac) With The Safetime (For Pc
End-User troubleshooting guide For Sentinel SuperPro/UltraPro and Sentinel Hardware Keys 1 Preface Welcome to Safenet End User Troubleshooting guide! This guide is intended to assist our Distributors,
More informationIF-FW/DM @# Release Notes
IF-FW/DM @# Release Notes Updates Always ensure that you are running the latest driver software and IF-FW/DMmkII firmware by visiting TASCAM s web site at http://www.tascam.com. How to Update Windows driver
More informationChapter 4. Operating Systems and File Management
Chapter 4 Operating Systems and File Management Chapter Contents Section A: Operating System Basics Section B: Today s Operating Systems Section C: File Basics Section D: File Management Section E: Backup
More informationCMB 207 1I Citrix XenApp and XenDesktop Fast Track
CMB 207 1I Citrix XenApp and XenDesktop Fast Track This fast paced course provides the foundation necessary for students to effectively centralize and manage desktops and applications in the datacenter
More informationVirtualization. Types of Interfaces
Virtualization Virtualization: extend or replace an existing interface to mimic the behavior of another system. Introduced in 1970s: run legacy software on newer mainframe hardware Handle platform diversity
More informationWindows Server 2008 R2 Essentials
Windows Server 2008 R2 Essentials Installation, Deployment and Management 2 First Edition 2010 Payload Media. This ebook is provided for personal use only. Unauthorized use, reproduction and/or distribution
More informationBIOS Update Release Notes
BIOS Update Release Notes PRODUCTS: DG31PR, DG31PRBR (Standard BIOS) BIOS Version 0059 October 24, 2008 PRG3110H.86A.0059.2008.1024.1834 Added Fixed Disk Boot Sector option under Maintenance Mode. Fixed
More informationYale Software Library
e/ Yale Software Library http://www.yale.edu/its/software/ For assistance contact the ITS Help Desk 432-9000 or helpdesk@yale.edu Installation PGP Desktop for Windows Operating Systems Preparing your computer:
More informationOBM / FREQUENTLY ASKED QUESTIONS (FAQs) Can you explain the concept briefly on how the software actually works? What is the recommended bandwidth?
Can you explain the concept briefly on how the software actually works? Leading Edge Provider s Online Backup Suite consists of 3 main modules: 1. The client software Online Backup Manager (OBM) 2. The
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationDistributed System Monitoring and Failure Diagnosis using Cooperative Virtual Backdoors
Distributed System Monitoring and Failure Diagnosis using Cooperative Virtual Backdoors Benoit Boissinot E.N.S Lyon directed by Christine Morin IRISA/INRIA Rennes Liviu Iftode Rutgers University Phenix
More informationWindows Operating Systems. Basic Security
Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System
More informationSECURITY SUBSYSTEM IN WINDOWS
Operating Systems SECURITY SUBSYSTEM IN WINDOWS Zoltán Micskei http://www.mit.bme.hu/~micskeiz Budapesti Műszaki és Gazdaságtudományi Egyetem Neeraj Suri Méréstechnika és Információs Rendszerek Tanszék
More informationHow to Backup and Restore a VM using Veeam
How to Backup and Restore a VM using Veeam Table of Contents Introduction... 3 Assumptions... 3 Add ESXi Server... 4 Backup a VM... 6 Restore Full VM... 12 Appendix A: Install Veeam Backup & Replication
More informationA+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 3 Installing Windows
: Managing, Maintaining, and Troubleshooting, 5e Chapter 3 Installing Windows Objectives How to plan a Windows installation How to install Windows Vista How to install Windows XP How to install Windows
More information