Tuesday 15 September 2015

Microsoft: Microsoft Diagnostics and Recovery Toolset (DaRT)


Microsoft has been making periodic updates to a tool known as the Diagnostics and Recovery Toolset (DaRT). DaRT was originally built to provide corporate desktop recovery services: diagnosing poorly behaving machines and quickly determining which devices can be resuscitated and which should be re-imaged. DaRT also has a number of useful security capabilities integrated into it, enabling the 'first responders' on your desktop support team to clean systems or to identify potentially compromised systems that require further analysis back at HQ.

DaRT is also already owned by many current Microsoft customers who may not be taking advantage of it. DaRT cannot be licensed as a one-off product; it's one of the tools included in the ever-evolving set of products that make up the Microsoft Desktop Optimization Pack (MDOP). MDOP is often sold alongside Windows Client and is available via the usual Microsoft software channels (TechNet, MSDN, Microsoft Volume Licensing, etc.), so check with your licensing specialist or reseller to see whether you already own access to the tool.

<< What is in DaRT? >>
DaRT is a collection of tools that is loaded onto a bootable device, often a USB flash drive. The typical organization that leverages DaRT provides a bootable image to each of its desktop support technicians to carry with them as they make calls to repair or diagnose systems. DaRT is intended to be used locally by a tech-savvy IT person; it's definitely not a 'boot it and forget it' end-user solution in this author's opinion. It's worth noting that DaRT version 7 (currently in beta and available for download via the Microsoft Connect site) can now be used over the network with a new capability called 'Software Based Remoting'. This capability allows an IT pro or helpdesk analyst to troubleshoot and diagnose a PC without visiting it in person.

Since DaRT 7 is currently in beta, we'll focus on the current shipping release from Microsoft, DaRT 6.5. DaRT is built on top of a framework called the Windows Recovery Environment (WinRE). If you've ever booted a Windows Vista or Windows 7 system in recovery mode, the WinRE environment is probably familiar to you: it is the set of tools used to repair startup issues, perform a full system restore, and so on. DaRT's hardware footprint is modest as well; a 1 GHz x86 or x64 processor with 1 GB of RAM and the ability to boot from removable media should suffice.

There are lots of capabilities in the toolkit, but for the purposes of this article we’ll focus on what’s most useful from an incident response perspective.

<< Standalone System Sweeper >>
Standalone System Sweeper is, in this author's opinion, one of the most useful tools in the DaRT arsenal. One of the most common incidents desktop support technicians come across in the field (in both the consumer and the enterprise space) is a system thoroughly infested with malware, particularly malware that shuts down or otherwise disables the anti-malware software running on the system. Standalone System Sweeper can be used to identify and remove this malicious code from a system.

Malware that infects a system at the kernel level may be able to mask itself while the operating system is booted; scanning the system offline, with the infected OS not running, often identifies malicious code that is not visible during a traditional scan with the installed anti-virus. Removal is only as good as the scanner's signatures at the time of the scan, so treat a clean sweep as a triage result rather than proof that the machine can be trusted.

During analysis of the DaRT capabilities, the author took a bootable WinRE image loaded up with DaRT 6.5 and Standalone System Sweeper and removed several instances of Fake AV 2011 from a family member’s PC that was previously rendered unusable. The identification and removal of the malware was done in less than 10 minutes, a great solution to a messed up system.

<< SFC Scan >>
During the analysis of an intrusion, system files may be identified that have been maliciously modified to stop the system from booting or to stop other assessment or recovery tools from operating. SFC Scan allows for a quick repair of corrupted or missing system files. This isn't the best option where forensic analysis and preservation of the original system image need to occur, since the repair overwrites the very files an analyst would want to examine; image the disk, or at least record the hashes of the affected files, before repairing. For quick remediation, though, this is a very handy tool.
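The offline-scanning point above (malware that hides while the OS is running cannot hide from a scan of the dormant volume) and the SFC Scan caveat (repair overwrites the evidence) both come down to the same practitioner step: hash the offline volume's system files against a known-good baseline and keep the report before anything is repaired. The PowerShell below is an added example, not DaRT's own code or anything from the original article. It assumes PowerShell 4 or later (for Get-FileHash), that the suspect disk is attached to a technician workstation or the script runs from a WinPE/WinRE image that includes PowerShell, that the offline Windows directory is mounted at a path such as D:\Windows, and that the baseline CSV was produced by New-SystemFileBaseline on a clean machine of the same Windows build and patch level. All function and parameter names are this example's own.

```powershell
# Added example: compare the system binaries on an OFFLINE Windows volume against
# a SHA-256 baseline taken from a clean reference machine of the same build, and
# record Modified / Missing / Unexpected files BEFORE running a repair such as SFC Scan.
# Assumptions (not from the article): PowerShell 4+, offline volume mounted read-only
# at e.g. D:\Windows, baseline CSV created by New-SystemFileBaseline on a clean box.

function Get-SystemFileHashes {
    param(
        [Parameter(Mandatory)] [string] $WindowsRoot,            # 'C:\Windows' (reference) or 'D:\Windows' (offline)
        [string[]] $Extensions = @('.exe', '.dll', '.sys')         # binaries a rootkit or dropper is likely to replace
    )
    $WindowsRoot = $WindowsRoot.TrimEnd('\')
    $targets = @("$WindowsRoot\System32", "$WindowsRoot\System32\drivers")
    foreach ($dir in $targets) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in $Extensions } |
            ForEach-Object {
                # Key on the path relative to the Windows directory so the reference
                # machine (C:\Windows\...) and the offline volume (D:\Windows\...) line up.
                $rel = $_.FullName.Substring($WindowsRoot.Length).TrimStart('\')
                # Hashes, unlike timestamps, cannot be back-dated by the malware.
                $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($h) {
                    [pscustomobject]@{ RelativePath = $rel; Sha256 = $h.Hash; Length = $_.Length }
                }
            }
    }
}

function New-SystemFileBaseline {
    # Run once on a clean machine of the same build/patch level; keep the CSV with the DaRT media.
    param(
        [string] $ReferenceWindowsRoot = $env:SystemRoot,
        [Parameter(Mandatory)] [string] $BaselineCsv
    )
    Get-SystemFileHashes -WindowsRoot $ReferenceWindowsRoot |
        Export-Csv -LiteralPath $BaselineCsv -NoTypeInformation
}

function Compare-OfflineSystemFiles {
    param(
        [Parameter(Mandatory)] [string] $OfflineWindowsRoot,      # e.g. 'D:\Windows'
        [Parameter(Mandatory)] [string] $BaselineCsv,
        [string] $ReportCsv                                       # optional: write findings for the analysts at HQ
    )
    $baseline = @{}
    foreach ($row in (Import-Csv -LiteralPath $BaselineCsv)) { $baseline[$row.RelativePath] = $row }

    $seen = @{}
    $findings = foreach ($f in (Get-SystemFileHashes -WindowsRoot $OfflineWindowsRoot)) {
        $seen[$f.RelativePath] = $true
        $ref = $baseline[$f.RelativePath]
        if ($null -eq $ref) {
            # Present offline but absent from the clean image: dropped binary or rogue driver.
            [pscustomobject]@{ RelativePath = $f.RelativePath; Status = 'Unexpected'; OfflineSha256 = $f.Sha256; BaselineSha256 = $null }
        } elseif ($ref.Sha256 -ne $f.Sha256) {
            # Same name, different content: patched or replaced system file.
            [pscustomobject]@{ RelativePath = $f.RelativePath; Status = 'Modified'; OfflineSha256 = $f.Sha256; BaselineSha256 = $ref.Sha256 }
        }
    }
    # In the baseline but gone from the suspect volume: deleted to break boot or recovery tooling.
    $missing = foreach ($key in $baseline.Keys) {
        if (-not $seen.ContainsKey($key)) {
            [pscustomobject]@{ RelativePath = $key; Status = 'Missing'; OfflineSha256 = $null; BaselineSha256 = $baseline[$key].Sha256 }
        }
    }
    $all = @($findings) + @($missing)
    if ($ReportCsv) { $all | Export-Csv -LiteralPath $ReportCsv -NoTypeInformation }
    return $all
}

# Usage (paths are illustrative):
#   On the clean reference machine:
#     New-SystemFileBaseline -BaselineCsv E:\baselines\win7-sp1-x64.csv
#   With the suspect disk mounted as D: from the DaRT/WinPE boot media:
#     Compare-OfflineSystemFiles -OfflineWindowsRoot 'D:\Windows' -BaselineCsv E:\baselines\win7-sp1-x64.csv -ReportCsv E:\cases\pc-0412.csv |
#         Format-Table RelativePath, Status
```

A baseline from a different build or patch level will flag many legitimate files as Modified, so keep one baseline per image you deploy. The report is not a substitute for a full disk image, but it gives the analysts at HQ the list of what was changed even after SFC Scan has put the original files back.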

<< Disk Wipe >>
One typical requirement of desktop support teams at the conclusion of an incident, or before a device is re-imaged, is wiping the disk. Oftentimes third-party tools are used to perform a disk wipe. DaRT is now able to perform either a quick single-pass write (good for a quick re-image) or a four-pass United States Department of Defense 5220.22-M compliant wipe if the disk needs to be disposed of after being sanitized. As with SFC Scan, a wipe destroys evidence, so confirm that any forensic imaging the investigation requires is complete before the drive is sanitized.

<< Locksmith >>
Locksmith is a tool for password recovery: resetting a local account whose password has been forgotten or whose user has since left. Locksmith is very handy in consumer repair scenarios, but not overly useful in the corporate environment because it cannot reset passwords on domain accounts. If there's an unmanaged (non-domain-joined) device that needs a password reset, Locksmith is very handy. The flip side is worth remembering: anyone with physical access and a DaRT boot disk can do the same to an unencrypted machine, which is one more reason to pair DaRT deployments with full-disk encryption such as BitLocker and a locked-down firmware boot order.

In summary, DaRT has a fairly complete set of basic incident response and repair tools. It’s a great arrow to load in your desktop support team’s quiver; the capabilities in the toolset will not replace a full-fledged incident response suite, but it should cover the basics and it may be something already owned by your organization.

In terms of analyzing and removing malware, resetting passwords, restoring system files that may have been removed, editing the registry, or restoring disk volumes, DaRT is a great replacement for the other tools your desktop support teams have likely cobbled together on several different boot disks. Consider evaluating DaRT in your environment and integrating it into your support process.
