Intel AMT is a really great technology for IT administrators: you can power on a box that is turned off and push updates to it, get console access via serial over LAN, and a helpdesk tech can view and interact with a user’s active session to help them with issues. AMT comes with an enterprise access model that exposes a web-services (SOAP/WS-Management) interface, configurable with TLS and Kerberos authentication, for integration with enterprise IT management tools, which is great for central management. It also ships with an embedded web server (TCP 16992, or 16993 over TLS) that would typically be used in small business deployments. The previous link has some decent screenshots of the web interface.
Michael Herf makes a comment about AMT not only being present on his new Thinkpad, but also having the built-in web server active out of the box. This is kind of scary considering (if I’m reading this correctly) that in some Lenovo boxes the default password was “admin” (check out page 8 in the link). AMT does store logs of activity: “Persistent event logs, stored in dedicated memory (not on the hard drive) so the information is available anytime. IT technicians can now access the list of events that occurred even before a hardware or software problem was noticed, including events that occurred before a PC connected to the network.”
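If you want to know whether the machines you are responsible for have the web server active and still answering to the factory default, here is a small audit script. It is an added example for this post, not Intel’s code and not from Michael Herf’s comment. It assumes the standard AMT ports (16992 for HTTP, 16993 for HTTPS), that an unauthenticated GET on / returns a 401 with an HTTP Digest challenge (which is how the AMT web UI authenticates a browser), and that the HTTPS listener has a self-signed certificate, which the script deliberately does not verify. The RFC 2617 test vector is only there to validate the Digest arithmetic.

```python
"""
Check whether a host exposes the Intel AMT web server and still accepts the
factory-default "admin"/"admin". Added example (not Intel's code). Assumptions:
AMT listens on TCP 16992 (HTTP) and 16993 (HTTPS); an unauthenticated GET on /
answers 401 with an HTTP Digest challenge; the HTTPS listener uses a self-signed
certificate that we skip verifying. Run it only against machines you own.
"""
import hashlib
import http.client
import re
import secrets
import ssl
import sys

AMT_HTTP_PORT = 16992
AMT_HTTPS_PORT = 16993
DEFAULT_USER = "admin"        # AMT's built-in administrator account
DEFAULT_PASSWORD = "admin"    # factory default mentioned in the post


def parse_digest_challenge(header):
    """Parse 'Digest realm="...", nonce="...", qop="auth"' into a dict."""
    if not header or not header.lower().startswith("digest "):
        raise ValueError("not a Digest challenge: %r" % (header,))
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', header[7:]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def digest_response(user, password, method, uri, chal, cnonce, nc="00000001"):
    """RFC 2617 MD5 Digest response; handles qop=auth and the legacy no-qop form."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5("%s:%s:%s" % (user, chal["realm"], password))
    ha2 = md5("%s:%s" % (method, uri))
    if "qop" in chal:  # server offered qop; we always pick plain "auth"
        return md5(":".join([ha1, chal["nonce"], nc, cnonce, "auth", ha2]))
    return md5(":".join([ha1, chal["nonce"], ha2]))


def authorization_header(user, password, method, uri, chal, cnonce=None):
    """Build the Authorization: Digest ... header for one request."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(user, password, method, uri, chal, cnonce)
    parts = ['username="%s"' % user, 'realm="%s"' % chal["realm"],
             'nonce="%s"' % chal["nonce"], 'uri="%s"' % uri,
             'response="%s"' % resp]
    if "qop" in chal:
        parts += ['qop=auth', 'nc=00000001', 'cnonce="%s"' % cnonce]
    if "opaque" in chal:
        parts.append('opaque="%s"' % chal["opaque"])
    return "Digest " + ", ".join(parts)


def _get(host, port, tls, timeout, headers=None):
    """One GET / against the AMT port; returns (status, Server, WWW-Authenticate)."""
    if tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # AMT certs are usually self-signed
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers=headers or {})
        r = conn.getresponse()
        r.read()
        return r.status, r.getheader("Server", ""), r.getheader("WWW-Authenticate", "")
    finally:
        conn.close()


def check_amt_host(host, tls=False, timeout=5.0):
    """Classify a host as 'closed', 'not-amt', 'protected' or 'default-creds'."""
    port = AMT_HTTPS_PORT if tls else AMT_HTTP_PORT
    try:
        status, server, www_auth = _get(host, port, tls, timeout)
    except (OSError, http.client.HTTPException):
        return "closed"           # nothing listening, filtered, or not HTTP
    # AMT answers an unauthenticated request with 401 + Digest; its Server
    # header usually names "Intel(R) Active Management Technology".
    if status != 401 or not www_auth.lower().startswith("digest"):
        return "not-amt"
    chal = parse_digest_challenge(www_auth)
    auth = authorization_header(DEFAULT_USER, DEFAULT_PASSWORD, "GET", "/", chal)
    try:
        status, _, _ = _get(host, port, tls, timeout, {"Authorization": auth})
    except (OSError, http.client.HTTPException):
        return "protected"
    return "default-creds" if status == 200 else "protected"


if __name__ == "__main__":
    for h in sys.argv[1:]:
        print("%-20s http:%-14s https:%s"
              % (h, check_amt_host(h), check_amt_host(h, tls=True)))
```

Anything reported as default-creds is a box where whoever can reach port 16992 owns the hardware below the OS; anything reported as protected still tells you the web UI is reachable and worth putting behind a firewall rule if nobody is using it.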
How many IR folks have looked at AMT logs before, or even know they are present? I’d love to know whether anything useful for investigations is getting recorded in them. Perhaps they require configuration ahead of time to capture the relevant data. Please let me know if you’ve had occasion to use AMT logs in this capacity!