1 00:00:01,240 --> 00:00:06,820 So now the virtual machine has rebooted and restarted.
2 00:00:07,850 --> 00:00:11,090 So you can give a user name if you want
3 00:00:13,880 --> 00:00:15,530 and click on Next.
4 00:00:17,470 --> 00:00:20,860 And I'm going to leave the password blank.
5 00:00:21,820 --> 00:00:33,580 And here you key in your product key, and then check this one, "will not activate", and then click Next;
6 00:00:34,270 --> 00:00:38,230 if you don't have the product key, you can just skip and do it later.
7 00:00:41,020 --> 00:00:45,520 So in this case here, we just skip it for now and just click
8 00:00:47,630 --> 00:00:53,270 Skip, and here, click on Ask me later.
9 00:00:53,750 --> 00:00:58,370 And here you can set your time zone if you want and click on Next.
10 00:00:59,760 --> 00:01:01,800 And anything we do here.
11 00:01:03,590 --> 00:01:04,850 Just the whole.
12 00:01:06,510 --> 00:01:15,360 Now you can install your Guest Additions CD, so go up to the Devices menu here and select Insert Guest Additions CD.
13 00:01:18,710 --> 00:01:28,850 Next, open your computer, go to your computer and your Guest Additions CD is here, so double click on this to install.
14 00:01:30,260 --> 00:01:38,060 And select the proper one for your system, which is x86, so I will click this one.
15 00:01:40,220 --> 00:01:41,430 Yes, to run it.
16 00:01:42,500 --> 00:01:45,350 Next, click Next.
17 00:01:47,280 --> 00:01:50,700 So the path is over here, Program Files.
18 00:01:53,630 --> 00:01:54,950 Click Next.
19 00:02:01,030 --> 00:02:04,360 And check this checkbox and click Install.
20 00:02:07,970 --> 00:02:11,430 And then click on Reboot now, then Finish.
21 00:02:12,380 --> 00:02:14,620 So you reboot your machine.
22 00:02:20,780 --> 00:02:26,390 Now you can go to full screen: you click on View, Full-screen.
23 00:02:33,490 --> 00:02:41,620 If your virtual machine cannot go to full screen, then shut it down and then come down here, select it,
24 00:02:42,130 --> 00:02:43,330 click on Settings.
25 00:02:44,300 --> 00:02:50,180 And then over here, select Display and increase this to 128.
26 00:02:52,380 --> 00:02:58,440 The maximum, and then here you will see the acceleration, and hit OK.
27 00:03:01,160 --> 00:03:02,270 And then turn it on.
28 00:03:07,290 --> 00:03:09,270 Now you can go to full screen mode.
29 00:03:12,990 --> 00:03:21,120 There you have it. If you want to restore back to the window, just move your cursor to the bottom
30 00:03:21,120 --> 00:03:27,780 of the screen and hold it there, and this bar will pop up, and just click on this icon.
31 00:03:30,870 --> 00:03:38,880 Next thing you want to do is set up the shared folder, so to create a shared folder, first you go to
32 00:03:38,880 --> 00:03:40,320 your C drive, right?
33 00:03:41,260 --> 00:03:52,390 And then create a new folder, give it any name you prefer, and then come here.
34 00:03:54,880 --> 00:04:10,380 So select the virtual machine and then click Settings, and then Shared Folders, and for this one here, add a new shared folder.
35 00:04:12,380 --> 00:04:14,960 And here, click to select the folder.
36 00:04:17,000 --> 00:04:25,910 And go into the folder which you created, the folder which you created, this one, click on Select Folder.
37 00:04:27,330 --> 00:04:31,650 So Auto-mount, and click on Make Permanent.
38 00:04:32,950 --> 00:04:33,340 OK.
39 00:04:34,120 --> 00:04:36,460 OK again, and now go back here.
40 00:04:41,210 --> 00:04:49,070 Click on the File Explorer and you should be able to see the folder mapped as a Z drive.
41 00:04:49,850 --> 00:04:56,020 So this is where you can share files between your host and your guest operating system.
42 00:04:56,840 --> 00:05:04,250 So whatever you put in here will also be available in your host, and vice versa.
43 00:05:05,420 --> 00:05:10,670 So now the next item is to disable Windows Update.
44 00:05:13,800 --> 00:05:15,210 Disable Windows Update.
45 00:05:19,420 --> 00:05:22,180 So to disable the Windows Update,
46 00:05:30,940 --> 00:05:38,050 search for Update and click on the result here.
47 00:05:40,240 --> 00:05:42,760 And here, "Let me choose my settings".
48 00:05:43,730 --> 00:05:49,610 So select the option Never check for updates, and then OK.
49 00:05:54,280 --> 00:06:01,530 Because otherwise it would detect new viruses and so on, and you don't want your Windows to detect the virus
50 00:06:01,540 --> 00:06:02,710 when you are doing analysis.
51 00:06:06,450 --> 00:06:16,020 So the next item will be to disable Windows Defender. So to disable Windows Defender, go here.
52 00:06:18,370 --> 00:06:28,870 You search for services.msc, click on Services, Windows Defender, Windows Defender Antivirus.
53 00:06:35,880 --> 00:06:41,160 If you don't disable it, it will prevent you from analyzing malware.
54 00:06:43,050 --> 00:06:46,590 So scroll down and look for Windows Defender.
55 00:06:55,250 --> 00:06:59,330 Right click on it and select Properties.
56 00:07:01,330 --> 00:07:12,730 And normally it is set to Automatic, so we change it to Disabled, click Stop, stop the service, and Apply.
57 00:07:14,640 --> 00:07:17,730 OK, so now you check whether Defender is disabled.
58 00:07:21,140 --> 00:07:24,710 The next thing you want is to display the extensions.
59 00:07:27,560 --> 00:07:35,900 So open your File Explorer, open any directory, and over here,
60 00:07:37,190 --> 00:07:44,300 Organize, you have all the options, so click View and then scroll down here.
61 00:07:46,670 --> 00:07:50,890 And uncheck this box, Hide extensions for known file types.
62 00:07:53,760 --> 00:08:00,720 So this one displays the extensions; also, show hidden files and folders.
63 00:08:02,790 --> 00:08:05,730 So look for "Show hidden files,
64 00:08:05,790 --> 00:08:07,070 folders and drives" in the file folder.
65 00:08:08,280 --> 00:08:15,840 So now with these two settings, you'll be able to see the file extensions. Basically, Apply.
66 00:08:15,870 --> 00:08:24,540 OK, so now if you go to any folder, the file extension will be visible.
67 00:08:30,130 --> 00:08:38,920 You can see why visibility is important, because sometimes malware is disguised.
68 00:08:40,030 --> 00:08:52,000 It could be a file, and you could see it, and because then you thought it's a -- that is a common trick, and
69 00:08:52,000 --> 00:08:54,140 also hidden files are not visible.
70 00:08:54,190 --> 00:09:02,890 You want to see hidden files because sometimes they make a copy of themselves in some hidden
71 00:09:02,890 --> 00:09:03,940 file location.
72 00:09:04,450 --> 00:09:10,120 And if it's not disabled, you won't be able to see the hidden files.
73 00:09:12,860 --> 00:09:21,740 Next is to disable ASLR, which stands for address space layout randomisation. It is a security feature that
74 00:09:21,950 --> 00:09:31,910 randomises memory addresses used by executable code, including DLLs, so that it will be harder to analyze
75 00:09:32,210 --> 00:09:33,160 binary files.
76 00:09:34,160 --> 00:09:35,770 So you want to disable that.
77 00:09:35,780 --> 00:09:40,460 So it makes it easy for us to analyze the binary files of the malware.
78 00:09:41,720 --> 00:09:48,350 So to do that, to disable it, we open a program called Registry Editor.
79 00:09:55,530 --> 00:09:58,470 And then we go to this location.
80 00:10:09,280 --> 00:10:18,220 HKEY_LOCAL_MACHINE; so the registry is where Windows keeps all these configurations, so just
81 00:10:18,220 --> 00:10:20,260 open this and look for
82 00:10:21,470 --> 00:10:22,010 Corine.
83 00:10:23,590 --> 00:10:24,520 The SYSTEM.
84 00:10:26,990 --> 00:10:32,990 And then look for CurrentControlSet, CurrentControlSet.
85 00:10:34,400 --> 00:10:35,680 And then look for Control.
86 00:10:37,800 --> 00:10:39,300 Now for Session Manager.
87 00:10:50,700 --> 00:11:00,710 And then look for Memory Management, Memory Management, click on it, and you see here we must add a
88 00:11:00,720 --> 00:11:02,100 new key.
89 00:11:05,650 --> 00:11:13,330 So just right click here, and New, and DWORD (32-bit) Value.
90 00:11:14,520 --> 00:11:25,440 And give it the name MoveImages; the default is zero.
91 00:11:25,460 --> 00:11:31,040 So that is what we want: this tells Windows not to move images, and not to move the process
92 00:11:31,310 --> 00:11:32,850 when it's loaded into memory.
93 00:11:33,320 --> 00:11:40,080 It will give you a certain specified entry point when the program is loaded.
94 00:11:41,120 --> 00:11:41,760 So OK.
95 00:11:42,050 --> 00:11:43,570 So this disables it.
96 00:11:43,610 --> 00:11:49,070 So now you need to restart, reboot your computer to have this take effect.
97 00:11:51,140 --> 00:11:53,410 The next thing is to disable Windows Firewall.
98 00:11:53,780 --> 00:11:54,270 So right,
99 00:11:54,270 --> 00:11:54,830 click here.
100 00:11:55,340 --> 00:12:00,800 Search for Windows Firewall or just type firewall.
101 00:12:02,090 --> 00:12:05,880 And select this one, Windows Firewall.
102 00:12:08,780 --> 00:12:15,470 The reason is because if you want to analyze malware, malware typically will call a command and control
103 00:12:15,470 --> 00:12:19,190 center and try to connect to a server on the Internet.
104 00:12:19,670 --> 00:12:21,370 And we want to know where it goes.
105 00:12:21,830 --> 00:12:25,160 So you disable it here, then:
106 00:12:25,160 --> 00:12:27,380 Turn Windows Firewall on or off.
107 00:12:29,360 --> 00:12:33,370 And here, select Off for both, OK?
108 00:12:36,200 --> 00:12:38,600 You can confirm that it's turned off.
109 00:12:41,290 --> 00:12:50,500 Next thing you want is a snapshot, so to create a snapshot, you can go down to the bottom with your mouse
110 00:12:50,500 --> 00:12:53,920 here and go to the Machine menu.
111 00:12:54,370 --> 00:12:55,630 So just hold your mouse
112 00:12:55,630 --> 00:12:59,770 at the bottom here, select Machine, Take Snapshot.
113 00:13:00,850 --> 00:13:08,410 And here you can give it a name if you want, for example,
114 00:13:11,150 --> 00:13:17,020 Fresh install.
115 00:13:20,000 --> 00:13:21,500 And here some description,
116 00:13:24,000 --> 00:13:32,090 "configured"; click OK, and you create a snapshot of the state of the machine.
117 00:13:35,360 --> 00:13:38,360 If you want to restore, you have to shut this down first.
118 00:13:43,010 --> 00:13:43,630 Shut down.
119 00:13:47,110 --> 00:13:57,550 So after shutting down, you can see over here there is a list of all these snapshots, so clearly this
120 00:13:57,550 --> 00:14:01,720 is a snapshot, Fresh install, and then the changes.
121 00:14:02,290 --> 00:14:09,300 If you want to revert back to Fresh install, just select it and hit Restore, and make sure you check
122 00:14:09,310 --> 00:14:10,780 this, and click Restore.
123 00:14:11,320 --> 00:14:18,010 And it goes back to the previous state. As you can see from my earlier machines, some of my machines
124 00:14:18,010 --> 00:14:20,290 have multiple snapshots.
125 00:14:20,800 --> 00:14:26,650 And if I wanted to go back to an earlier snapshot, all I have to do is select the earliest snapshot,
126 00:14:26,950 --> 00:14:27,790 click Restore.
127 00:14:29,810 --> 00:14:37,250 So this is useful for malware analysis, because every time you run a malware, it will corrupt your files
128 00:14:37,250 --> 00:14:44,690 and registry and other things, and you always want to restore back to the previous state before
129 00:14:44,690 --> 00:14:46,690 the malware was executed.
130 00:14:47,660 --> 00:14:51,620 And this is the workflow for every malware analysis session.
131 00:14:52,740 --> 00:15:03,780 And remember to take a snapshot before you execute any malware, and restore it back when you have finished.
132 00:15:04,430 --> 00:15:06,060 That's all for now.
133 00:15:06,080 --> 00:15:07,490 And thank you for watching.