FOG - system imaging for your (malware) analysis (workstation)
While dealing with nasty malware on some systems, it came to my mind that it would be a good idea to be able to restore your workstation to an earlier snapshot in case the malware got hold of your analysis machine.
Notably, I actually had the idea before I needed to repair a workstation that had been tainted with malware. ;-)
As I had already come into contact with "fog" during the Cuckoo work, I gave it a try to solve this problem as well.
Below is my account of what I did and how it works.
You can download a pre-packaged tarball of the latest release of FOG Project, v1.5.0, from here.
To install FOG Project, an internet connection is required. During installation, it will download other binaries and install any needed dependencies. More detailed guides can be found in the wiki, however, installation is as simple as extracting the tarball and running the install script:
First I installed Ubuntu 16.03 LTS as a LAMP server with ssh.
# bring the base system up to date
apt-get -y update
apt-get -y upgrade
apt-get -y autoclean
apt-get -y autoremove
# fetch the FOG sources and run the installer
apt-get -y install git
git clone https://github.com/FOGProject/fogproject.git /opt/fogproject
cd /opt/fogproject/bin
./installfog.sh
Answer the installer's questions so that the resulting settings match the list below:
Here are the settings FOG will use:
* Base Linux: Debian
* Detected Linux Distribution: Ubuntu
* Server IP Address: 192.168.xxx.xxx
* Server Subnet Mask: 255.255.255.0
* Interface: ens32
* Installation Type: Normal Server
* Internationalization: 0
* Image Storage Location: /images
* Using FOG DHCP: No
* DHCP will NOT be setup but you must setup your
* current DHCP server to use FOG for PXE services.
* On a Linux DHCP server you must set: next-server and filename
* On a Windows DHCP server you must set options 066 and 067
* Option 066/next-server is the IP of the FOG Server: (e.g. 192.168.178.166)
* Option 067/filename is the bootfile: (e.g. undionly.kpxe)
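Since the installer leaves DHCP to you, the following added example (not code from FOG Project or from the original post) shows what the "next-server" and "filename" settings look like on an ISC dhcpd server, and includes a check you can run against an existing dhcpd.conf to confirm both directives are present. The server IP 192.168.178.166 and the bootfile undionly.kpxe are taken from the installer's example values above; the subnet 192.168.178.0/24 is an assumption for the illustration.

```shell
#!/bin/sh
# Added example, not part of FOG Project or the original post.
# Assumed values: FOG server 192.168.178.166, bootfile undionly.kpxe,
# subnet 192.168.178.0/24.

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0-255.
# Runs in a subshell so the IFS change does not leak to the caller.
is_ipv4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Print the dhcpd.conf subnet stanza that points PXE clients at FOG.
# Arguments: subnet, netmask, FOG server IP, bootfile (default undionly.kpxe).
# Fails with exit status 1 if the server IP is malformed.
fog_dhcp_stanza() {
    subnet=$1; mask=$2; server=$3; bootfile=${4:-undionly.kpxe}
    is_ipv4 "$server" || { echo "bad FOG server IP: $server" >&2; return 1; }
    cat <<EOF
subnet $subnet netmask $mask {
    # Windows DHCP option 066: the FOG server that serves the PXE bootfile
    next-server $server;
    # Windows DHCP option 067: the iPXE binary FOG hands to BIOS clients
    filename "$bootfile";
}
EOF
}

# Return 0 if the dhcpd.conf given as $1 already carries both PXE directives.
has_pxe_directives() {
    grep -Eq '^[[:space:]]*next-server[[:space:]]+[0-9.]+;' "$1" &&
    grep -Eq '^[[:space:]]*filename[[:space:]]+"[^"]+";' "$1"
}

# Usage: print the stanza for the assumed network.
fog_dhcp_stanza 192.168.178.0 255.255.255.0 192.168.178.166 undionly.kpxe
```

Append the printed stanza to /etc/dhcp/dhcpd.conf (or merge the two directives into your existing subnet block), restart the DHCP service, and run has_pxe_directives against the file to confirm the change took. Keep in mind that PXE clients trust whatever DHCP tells them to boot, so the FOG server and the analysis workstations belong on a network segment where only your DHCP server answers.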