CC photo credit "Inside the Rotunda" by usutexan on flickr
Yep, one more post before I hit the road to Austin for a week of technology education and project planning goodness.
Wish me success and good fortune.
It's always hard leaving Lavie and Alvis behind.
Here are some links to keep you busy.
In the Fast Lane For Software
MyEventViewer - (freeware) - Nirsoft's latest software gem. "MyEventViewer is a simple alternative to the standard event viewer of Windows. As opposed to Windows event viewer, MyEventViewer allows you to watch multiple event logs in one list, and the event description and data are displayed in the main window instead of opening a new one. Also, with MyEventViewer you can easily select multiple event items and then save them to HTML/Text/XML file, or copy them to the clipboard (Ctrl+C) and then paste them into Excel." This should be handy for pulling event logs off a box during system data collection. Already added to my USB stick.
VideoCacheView - (freeware) - Another updated Nirsoft toy. This one allows you to extract a web-based video file (e.g. YouTube) from your browser cache and save it to another location for later playback. The latest update allows you to manually select another cache folder for Firefox, which is very handy if you run multiple Firefox profiles on your system.
Instant Eyedropper - (freeware) - "Identify HTML-color code from any pixel of the screen with single-click and auto paste it to the clipboard." Great for identifying colors you like on screen. See also the ColorZilla Firefox Add-on. FastStone Screen Capture also contains a zoom/color picker feature, and Huey 1.9 (freeware) is another recommended on-screen color picker that should support dual monitors.
Process Explorer v11.11 - (freeware) - In a rapid series of almost daily incremental updates, Microsoft Sysinternals' flagship tool has been updated to add "a number of enhancements, including support for high DPI, display of paging and standby list sizes on Vista, and display of cycles consumed on threads tab on Vista. It also reports the COM object running inside of Dllhost processes and the tasks running inside of Vista Taskeng host processes in the process view hover tooltip." (v11.10). In v11.11, you also get a fix for "a bug in the driver that could cause a crash when viewing the handle table of a process that exits."
Autoruns v9.13 - (freeware) - This Microsoft Sysinternals must-have tool just got another update to fix a bug where it would crash when loading the icon properties of third-party DLLs. Go update.
Wireshark 0.99.8 - (freeware) - This perennial favorite for packet capturing, sniffing, and monitoring has had a number of vulnerabilities discovered in recent versions. Keep in mind that a sniffer parses whatever hits the wire, so a bug in a protocol decoder can be triggered by crafted traffic sent at the capturing host; if you use this product, please go and get the updated version. Release Notes. Get your downloads in either the "Full Install", "Portable Apps", or "U3" packages.
heise Security "Offline-Update" - (freeware) - Updated to version 4.72. Incorporating numerous fixes, this tool allows you to download all the patches for Windows XP, 2000, Vista, and Server 2003, as well as various Office releases, directly from the Microsoft servers, then roll them up into a single DVD or individual per-platform CDs. This allows you to update a system with almost every critical Microsoft patch entirely off-line. Great when dealing with a compromised system you are rebuilding (get it patched before it goes back on the network), when broadband connections aren't available (Aunt Marge's dial-up connection, perhaps?), or when you just want to speed system deployments and haven't built a slip-streamed and/or fully patched image to deploy in your IT shop.
Reading Material for the Trip
Mark Minasi's Newsletter #68 March 2008, on marking things as "from the Internet" in Windows, is out. This episode is a really great in-depth review of "How Windows Knows that a File Is from the Internet: Manipulating Alternate Data Streams." The short version: on NTFS the downloaded file gets tagged with a Zone.Identifier alternate data stream, and that tag is what drives the "this file came from another computer" warnings; strip the stream and the file is "local" again. Great informative post for Windows desktop support fans. Lots of good background information here.
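If you want to poke at the mechanism yourself, here is an added PowerShell example (mine, not code from Mark's newsletter) that creates a sample file, tags it the way a browser download gets tagged, reads the tag back, and then removes it. It assumes PowerShell 3.0 or later on an NTFS volume; the sample file path under $env:TEMP and the Downloads folder scan are just illustrations.

```powershell
# Added example: read, create and remove the Zone.Identifier alternate data
# stream (ADS) that marks a file as "from the Internet". Needs PowerShell 3.0+
# (-Stream parameter) and an NTFS volume; FAT/exFAT cannot carry streams.

# Zone numbers as used by the ZoneId= line inside the stream.
$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$Path)
    # A file that was never marked simply has no such stream; Get-Content then
    # raises a non-terminating error, which we silence and treat as "no mark".
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    $info = [ordered]@{ Path = $Path; ZoneId = $null; Zone = $null; ReferrerUrl = $null; HostUrl = $null }
    foreach ($line in $lines) {
        # ReferrerUrl/HostUrl are written by newer browsers (Edge, Chrome); they are
        # gold for forensics because they record where the file actually came from.
        if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') {
            $info[$Matches[1]] = $Matches[2]
        }
    }
    if ($null -ne $info['ZoneId']) { $info['Zone'] = $zoneNames[[int]$info['ZoneId']] }
    [pscustomobject]$info
}

# Constructed sample: a plain text file, then mark it as an Internet download.
$sample = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample file'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# Show every stream on the file (:$DATA is the normal content, Zone.Identifier the tag).
Get-Item -LiteralPath $sample -Stream * | Select-Object Stream, Length

# Read the tag back: ZoneId 3 -> "Internet".
Get-ZoneIdentifier -Path $sample

# Scan a folder for anything still carrying a mark (a user's Downloads directory here).
Get-ChildItem -LiteralPath (Join-Path $env:USERPROFILE 'Downloads') -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ZoneIdentifier -Path $_.FullName } |
    Where-Object { $_ } |
    Format-Table Zone, HostUrl, Path -AutoSize

# Remove the mark; this is what Unblock-File (and the Properties "Unblock" button) does.
Remove-Item -LiteralPath $sample -Stream Zone.Identifier
Get-ZoneIdentifier -Path $sample   # now returns nothing
```

Two things worth remembering from this: the stream survives copies between NTFS volumes but is lost when the file goes through FAT, most archive formats, or many USB sticks, so "no mark" does not prove "never downloaded"; and removing the stream is a one-liner, so the mark is a convenience for the user, not a security boundary.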
SANS-ISC - Holiday/Family Incident Response - This end-of-year Handler's Diary post contains some thoughts on preparing to support the systems of family and friends. First there is a methodology (Preparation, Detection/Identification, Containment/Eradication, and Lessons Learned/Prevention), followed by a nice (albeit basic) list of tools for working on family members' home PCs.
Windows Incident Response: Getting Started, pt II - Computer forensics author Harlan provides us with some tips and sources for getting started in the world of computer forensics and incident response. In this post he examines how to work some of these skills into the interview process for candidates. I must admit, I never considered this angle in interviewing questions for help-desk and field technician staff. I'm going to have to evaluate this more as I like the concept.
Windows Incident Response: When First Responders Attack!! - Harlan then presents some thoughts and ideas on the damage that "first responders" can do when responding to an incident. In many cases the field techs tasked with repairing or reviewing a compromised or suspect system do more harm than good in their survey: a reboot throws away volatile memory, and running "cleanup" tools on the box rewrites file timestamps and other artifacts, leaving more work, or less evidence, for the professional forensic incident responders who might follow them. I fully agree with Harlan, who then politely suggests that IT staff, starting at the upper levels and working downward, need to be trained and educated in the issues around this subject. If so, they might work harder at preservation and protection rather than knee-jerk response.
Sounds reasonable to me!
Retrieve Shadow Copy Backups in Vista - CyberNet News post by Ryan examines how to use a free application (ShadowExplorer) to review/audit the Volume Shadow Copy snapshots that Windows Vista has been making behind the scenes. Good stuff! Full visual walkthrough tutorial for the process over at "How-to Geek": Recover Files with Shadow Copies on Any Version of Windows Vista. Neato!
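For those who would rather not install anything on the box they are looking at, here is an added PowerShell example (mine, not from the CyberNet or How-to Geek posts) that lists the shadow copies on a system and exposes one as a plain folder so you can browse it, diff it against the live volume, or copy files out with whatever tools you already carry. It assumes an elevated PowerShell 4.0+ session on Vista or later with at least one shadow copy present; the link path C:\shadow and the hosts-file comparison are illustrations.

```powershell
# Added example: enumerate Volume Shadow Copies and expose one as a folder.
# Run elevated. Uses Win32_ShadowCopy/Win32_Volume (CIM) and cmd's mklink,
# which is the same trick ShadowExplorer wraps in a GUI.

function Get-ShadowCopyList {
    # Map volume GUID paths (\\?\Volume{...}\) to drive letters for readability.
    $drive = @{}
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object { $drive[$_.DeviceID] = $_.DriveLetter }
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Id      = $_.ID
            Created = $_.InstallDate                 # when the snapshot was taken
            Drive   = $drive[$_.VolumeName]          # e.g. C:
            Device  = $_.DeviceObject                # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    }
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,
        [Parameter(Mandatory)][string]$LinkPath
    )
    # mklink needs the trailing backslash on the device path, otherwise the
    # resulting link is not browsable. Nothing is copied; the link is a view.
    $target = $DeviceObject + '\'
    cmd.exe /c mklink /d "$LinkPath" $target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed for $DeviceObject" }
    Get-Item -LiteralPath $LinkPath
}

# 1. What snapshots do we have, and how old are they?
Get-ShadowCopyList | Sort-Object Created | Format-Table Created, Drive, Device -AutoSize

# 2. Expose the newest snapshot of the system drive as C:\shadow.
$latest = Get-ShadowCopyList | Where-Object Drive -eq 'C:' | Sort-Object Created -Descending | Select-Object -First 1
if (-not $latest) { throw 'No shadow copy of C: found' }
Mount-ShadowCopy -DeviceObject $latest.Device -LinkPath 'C:\shadow' | Out-Null

# 3. Example audit: has the hosts file changed since the snapshot?
$live = 'C:\Windows\System32\drivers\etc\hosts'
$snap = 'C:\shadow\Windows\System32\drivers\etc\hosts'
$hashes = Get-FileHash -LiteralPath $live, $snap -Algorithm SHA256
if ($hashes[0].Hash -ne $hashes[1].Hash) {
    Write-Host 'hosts differs from the snapshot copy:'
    Compare-Object (Get-Content $snap) (Get-Content $live)
} else {
    Write-Host 'hosts unchanged since the snapshot'
}

# 4. Drop the link when done. rmdir removes only the link; the snapshot is untouched.
cmd.exe /c rmdir C:\shadow
```

Two practical notes. Everything under the link is read-only, which is exactly what you want when reviewing a suspect machine. And the snapshots are only as old as the retention space allows; a malware cleanup that "frees up disk space" by running disk cleanup or vssadmin delete shadows will take this evidence with it, which ties back to Harlan's point above about first responders.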
See you next weekend!