Installation Media - Verifying Purity.

Discussion in 'Windows 10' started by Bakersfield, May 13, 2016.

  1. Bakersfield

    Bakersfield MDL Junior Member

    Feb 7, 2012
    70
    5
    0
    #1 Bakersfield, May 13, 2016
    Last edited: May 13, 2016
    When we download a file - we can verify its integrity using an MD5 or SHA1 check (e.g. HashTab).

    BUT:

    Between requesting the download of an iso, and it getting burned to DVD (ignore usb) - much can happen.

    Many believe their machine is clean, when it is not. An iso can get infected - then the malware gets burned in too.

    A rootkit could interfere with any verification process.

    Technically - how can we verify what has been burnt to DVD against an image/hash? How can we thoroughly/expertly verify the purity of what is on a DVD, against the ISO file (inc. its hash)? What tools/methods can be used?

    Also, how does Microsoft Media Creator - ensure that there has been no modification (by malware) of the pure image it has downloaded - and what actually ends up on the DVD?

    I have seen that for Linux - there seem to be a number of tools to verify a burned DVD against an image byte for byte. What solutions exist for Windows systems?

    What tools exist to allow us to check the purity of burned installation images?

    This thread is meant to be an exploratory discussion of this topic - where any relevant insights and comments are welcome - so we can all learn something. Hopefully some of us can discover new thoughts/ideas/concepts and techniques.

    All productive contributions welcome.
     
  2. Enthousiast

    Enthousiast MDL Tester

    Oct 30, 2009
    47,292
    94,818
    450
    Hash the install.xxx (wim/esd/swm) before creating the ISO and after.
     
  3. EFA11

    EFA11 Avatar Guru

    Oct 7, 2010
    8,719
    6,741
    270
    #3 EFA11, May 13, 2016
    Last edited by a moderator: Apr 20, 2017
  4. Bakersfield

    Ok - so let's use a practical example - downloaded a Win 8.1 ISO (not using media creator tool) on my PC at home.

    Hash the ISO - naturally (e.g. HashTab).

    Then I burn it.

    Now - how would I check the DVD - byte for byte - against the image or its original hash, on my neighbour's machine?
     
  5. EFA11

    Look above, I think we posted at about the same time ;)
     
  6. Bakersfield

    Here's the reason I'm asking.

    I remember reading a thread regarding ImgBurn, where somebody explained that at that time - the image verification process only took random samples from random sectors & compared them against the image (i.e. sampling).

    It was not a true bit for bit comparison - which would be needed to ensure total purity of transmission?

    So again - how does the media creation tool overcome this issue? Is there any literature on it anywhere?
     
  7. Enthousiast

    UltraISO checks the checksum from the ISO on the burned media; if it checks out, it's original.
     
  8. EFA11

    You would need to speak to someone at MS, I don't see any info on it. But it verifies its downloaded files prior to creating the media, and although I'm uncertain, it verifies the media integrity after creation (or during?), some unknowns on that. But the above with UltraISO will do what you are looking for. I really don't care for the media creation tool, but that's just my preference.
     
  9. Bakersfield

    UltraISO is certainly one solution to the problem.

    Can I ask how many of you have considered my line of thinking before - regarding the possibility that we burn ISOs, without really going through any rigorous checks to confirm the data actually burned is precisely as offered for download?

    Surely it cannot only be EFA11 that has considered and sought a solution for this problem.

    Can anybody envisage malware, that would be coded to expect a Windows ISO might be downloaded and burned to rebuild a compromised system at some point, and so is coded to look out for (and embed itself in) any re-installation images that are downloaded?

    Any verification process could easily be intercepted by serious malware - because it would be expected.

    Is UltraISO the only solution to this - is there no discussion/awareness of this possibility?
     
  10. Enthousiast

    #10 Enthousiast, May 13, 2016
    Last edited: May 13, 2016
    I don't get infected so I trust my burn results (I hardly burn any Win DVDs lately, last week I needed a DVD for a system which couldn't boot from USB media but it's once a year or so). I always use the UltraISO verify option, but not out of concern for malware changing the burning results, only out of habit :)
     
  11. Bakersfield

    #11 Bakersfield, May 13, 2016
    Last edited: May 13, 2016
    (OP)

    I just find it fascinating that as purists, most want some way of validating that the ISOs downloaded are genuine originals - unaltered.

    But, once the image has been downloaded - there's little discussion about what can/might happen before the disc gets burnt.

    So far - the only solution mentioned seems to be UltraISO - there must be more than just this one product, surely.

    Ensuring image integrity - there must be more possibilities, no?
     
  12. EFA11

    #12 EFA11, May 14, 2016
    Last edited: May 14, 2016
    Purists would already have a clean system, one less step to purify the DVD they burn :D

    Although possible, I really don't know if there are viruses etc. with full intentions of grabbing on to a DVD. Once the DVD is burnt it is read-only (I know re-writable exist) and it really limits its usefulness as a virus who has only one intention in mind and that is to propagate and spread its seed. It would have to make use of the autorun functions and with hopes the autorun feature is actually enabled on the system the DVD is inserted into.

    With that said, any DVD/CD I do burn gets verified with UltraISO, a tool that I have always kept installed and use often. It can also create a perfect ISO from the disk keeping the SHA1 the same. Great tool, everyone should buy it :D

    (an actual user of the product. not promoting or associated with ezbsystems or UltraISO in any way lmao)
     
  13. Enthousiast

    PowerISO will have the same option.
     
  14. Bakersfield

    #14 Bakersfield, May 14, 2016
    Last edited: May 14, 2016
    (OP)
    Are there any free products that can do the same?

    I think we are opening up the topic well.

    The ability to technically analyse the MD5/SHA1 of a DVD/disc in its entirety - allows for a second independent confirmation.

    There is another situation where this is important. How to check the viability of an old DVD/CD.

    If I have a disc that I burned a Windows 8.1 image to, and I am worried that the disc may be scratched or have degraded over time - how can I check that it is still reading true to the original image?

    I don't want to store gigabytes of ISO files, just so I can 'verify an image' in the future - this would be a waste of resources.

    What do y'all think?
     
  15. Bakersfield

    Question -

    The SHA1 verification tool that is published by MS directly - is there a way of making it produce the MD5/SHA1 of a burned CD/DVD - so that it can be compared to the downloaded image's hash?
     
  16. Enthousiast

    You worry way too much ;)
     
  17. Bakersfield

    #17 Bakersfield, May 16, 2016
    Last edited: May 16, 2016
    (OP)
    Hear me out.

    Many rootkits can bypass sophisticated AV suites - developed by teams of industry leading experts. I'm sure they could also intercept or disrupt the verification process when a DVD is burned.

    Even worse - as soon as an ISO image download completes, it can get infected. Your DVD burning program burns this image - and compares it to the (infected) image - guess what - it passes.



    For Linux - this problem is addressed properly. Defects in the CD/DVD material can exist - that you might not be aware of. Or physical defects can develop over time.

    So let me ask it in a way that forces us to focus on the issue. How can I check that my old burned DVD discs haven't suffered any degradation (heat/plastic degradation/heat damage) - against the original image hash?

    I'm not going to keep terabytes of images over many years, just for verification purposes. However I do keep the checksums of the original ISOs in a notepad document.

    How do I forensically check the integrity of a disc, if I no longer have the actual image file (but I have a copy of the original image's checksum hash)?
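
The question in the last post (checking a burned disc against a stored checksum when the image file is gone) can be handled by hashing the disc's raw sectors; the following is an added example, not code from any poster in the thread. It assumes an ISO 9660 or UDF-bridge image whose primary volume descriptor records the full image size, and the device paths, function names and sample image are illustrative.

```python
import hashlib
import struct

SECTOR = 2048               # ISO 9660 logical sector size
PVD_OFFSET = 16 * SECTOR    # the Primary Volume Descriptor sits at sector 16


def image_length(dev):
    """Return the image size in bytes as recorded in the ISO 9660 PVD."""
    dev.seek(PVD_OFFSET)
    pvd = dev.read(SECTOR)
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    blocks = struct.unpack_from("<I", pvd, 80)[0]        # volume space size
    block_size = struct.unpack_from("<H", pvd, 128)[0]   # logical block size
    return blocks * block_size


def hash_disc(dev, algorithm="sha1", chunk=SECTOR * 512):
    """Hash exactly image_length() bytes, ignoring any padding the drive returns."""
    remaining = image_length(dev)
    digest = hashlib.new(algorithm)
    dev.seek(0)
    while remaining:
        data = dev.read(min(chunk, remaining))
        if not data:
            raise IOError("disc ended %d bytes early (read error or short burn)" % remaining)
        digest.update(data)
        remaining -= len(data)
    return digest.hexdigest()


def verify_disc(path, expected_hex, algorithm="sha1"):
    # path is the raw optical device, e.g. r"\\.\D:" on Windows (may need an
    # elevated prompt) or "/dev/sr0" on Linux; both are assumed examples.
    with open(path, "rb", buffering=0) as dev:
        return hash_disc(dev, algorithm) == expected_hex.strip().lower()


def make_sample_image(blocks=20, padding_sectors=3):
    """Constructed sample: a minimal image plus the same image with trailing padding."""
    img = bytearray(b"\xAA" * (blocks * SECTOR))
    pvd = bytearray(SECTOR)
    pvd[0:6] = b"\x01CD001"
    struct.pack_into("<I", pvd, 80, blocks)
    struct.pack_into("<H", pvd, 128, SECTOR)
    img[PVD_OFFSET:PVD_OFFSET + SECTOR] = pvd
    return bytes(img), bytes(img) + b"\x00" * (padding_sectors * SECTOR)
```

Running `verify_disc` on a machine other than the one that downloaded and burned the image keeps the check independent of the system whose integrity is in doubt. A mismatch or an early end of data points to a degraded or altered disc, but does not say which.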