Sunday, November 23, 2008

Security and Forensics Roundup: Heavy Version

I think I need a bigger lorry for this one.

New, Updated, and/or Free Utilities

Security Database Tools Watch - FireCAT 1.4 package released – For those who don’t know, FireCAT is a logical collection of security-auditing/pen-testing add-on extensions for Mozilla Firefox. It is really amazing work. However, up until now you’ve had to pick and choose, and manually download each one you wanted, one at a time. Now, pop over to Package de plugins FireCAT 1.4 (natively in French, so here is the English version a-la Google), download the compressed file and install away. Thanks Hurukan!

ProduKey v1.35 - (freeware) – NirSoft app that extracts the product keys from a Windows system. The latest version now allows you to “…load the product keys of external Windows installations from all disks currently plugged into your computer. When using this option, ProduKey automatically scans all your hard drives, finds the Windows installation folder in them, and extracts all product keys stored in these Windows installations. New Command-Line Option: /external”

ChromePass v1.05 - (freeware) – Updated NirSoft app that now has “…added support for recovering Chrome passwords from an external drive. (In Advanced Options).”

Volatility - (freeware) - Memory forensics tool from Volatile Systems. I see this as a really great tool not just for forensic investigators but also for Windows internals investigators who are digging deep into very specific troubleshooting and system analysis.

Overview

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer unprecedented visibility into the runtime state of the system. <snip>

Capabilities

The Volatility Framework currently provides the following extraction capabilities for memory samples:

  • Image date and time
  • Running processes
  • Open network sockets
  • Open network connections
  • DLLs loaded for each process
  • Open files for each process
  • Open registry handles for each process
  • A process' addressable memory
  • OS kernel modules
  • Mapping physical offsets to virtual addresses (strings to process)
  • Virtual Address Descriptor information
  • Scanning examples: processes, threads, sockets, connections, modules
  • Extract executables from memory samples
  • Transparently supports a variety of sample formats (i.e., crash dump, hibernation, DD)
  • Automated conversion between formats

For some great examples on how it can be used, check out these posts from the MNIN Security Blog:

Spotted via SANS ISC Handler’s Diary post Finding stealth injected DLLs.

NetWitness Investigator - (freeware) – I generally use Wireshark for most of my packet-capture work, unless I need something quick and easy, for which I turn to one of several other micro-sniffer tools. However, from what I’ve read, NetWitness has a lot of specialized features that might make Wireshark look more like a piranha.

Product Features:

  • Captures raw packets live from most wired or wireless interfaces
  • Imports packets from any open-source, home-grown and commercial packet capture system (e.g. .pcap file import)
  • License supports 25 simultaneous 1GB captures - far exceeding data manipulation capabilities of packet tools like Wireshark
  • Real-time, patented layer 7 analytics
         – Effectively analyze data starting from application layer entities like users, email, address, files, and actions.
         – Infinite, free-form analysis paths
         – Content starting points
         – Patented port agnostic service identification
  • Extensive network and application layer filtering (e.g. MAC, IP, User, Keywords, Etc.)
  • IPv6 support
  • Full content search, with Regex support
  • Exports data in .pcap format
  • Bookmarking & history tracking
  • Integrated GeoIP for resolving IP addresses to city/county, supporting Google® Earth visualization
  • NEW! SSL Decryption (with server certificate)
  • NEW! Interactive time charts, and summary view
  • NEW! Interactive packet view and decode
  • NEW! Hash PCAP on Export
  • NEW! Enhanced content views

The only real issue is that it seems you have to give a lot of valid and real information to register and use the product (on a per-workstation basis), which might turn many otherwise great customers off a bit. The install file does include a wonderfully detailed documentation guide in PDF format. I also turned up a nice review of it over at Decurity Blog that you might want to check out as well. Spotted over at the SANS-ISC Handler’s Diary post: New Tool: NetWitness Investigator.

Firefox 3 Forensic Examination Tools

It has been a while since I posted More Firefox "Forensics" Tools which outlined a number of NirSoft tools and Firefox browser structure background.

Turns out that Chrome/Chromium also uses a very similar structure in their SQLite files as well.

An anonymous commenter recently left a heads-up on that post which pointed to a new (to me) forensics tool specifically designed for Firefox 3.

Firefox 3 Extractor - (freeware) - Firefox 3 Forensics offers this really clever tool, which I like for a number of reasons. First, the author states they have worked for a UK police force and performed special forensics work, so it seems to be developed from a real-world application standpoint. Secondly, it is very simple to use. Download the file and extract it. Then copy the target SQLite file from Firefox into the same folder and run the program from the command line. It executes in a batch-file prompt mode, asking you to select a choice depending on what you want to accomplish.

What can f3e do?

f3e presently has the following features:

  • Extract all data from Firefox 3 SQLite databases to CSV.
  • Extract all data from Firefox 3 SQLite databases to CSV and decode dates and times.
  • Create a CSV 'Internet History Usage Report' from 'places.sqlite'.
  • Create an HTML 'Internet History Usage Report' from 'places.sqlite'.
  • Decode PRTime.
  • Extract all data from Chrome SQLite databases to CSV.
  • Extract all data from Chrome SQLite databases to CSV and decode dates and times.

I played with it using some of my own system’s Firefox 3 SQLite files and it worked very well. I really liked having a number of different output formats to choose from. The Chrome support is a bit “experimental” but seemed to work as promised for me.

Great program and it has been quickly added to my USB disk.

FoxAnalysis - (freeware) - Digital Forensic Software tool I stumbled upon while getting background information on the one listed above.  This is another forensics tool from our UK friends across the pond.  Unlike Firefox 3 Extractor, FoxAnalysis has a GUI format that some users might feel a bit more comfortable working in nowadays.

Features

  • Extract data regarding bookmarks, cookies, downloads, form history and web history
  • Analyse data by filtering and sorting it:
         – Filter by multiple keywords
         – Filter by date range
         – Filter by download status
         – Filter by website visit type
         – Filter by selection
  • Convert UTC timestamps to any time zone (apply custom daylight saving settings)
  • Save and load case files
  • Export activity report to HTML or CSV (Excel) files
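To show what Firefox 3 Extractor and FoxAnalysis are doing under the hood, here is an added worked example (my own illustration, not code from the original post or from either tool’s author). Firefox 3 stores history timestamps as PRTime (microseconds since 1970-01-01 UTC) and Chrome/Chromium stores them as microseconds since 1601-01-01 UTC; the script decodes both, builds a constructed in-memory stand-in for places.sqlite and for Chrome’s History file, applies the keyword, date-range and time-zone options FoxAnalysis lists, and writes a CSV usage report. Table and column names follow the real places.sqlite (moz_places, moz_historyvisits) and Chrome History (urls, visits) schemas; the sample rows, URLs and titles are constructed.

```python
import csv
import io
import sqlite3
from datetime import datetime, timedelta, timezone

# Firefox 3 stores history times as PRTime: microseconds since 1970-01-01 UTC.
PRTIME_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Chrome/Chromium stores visit_time as microseconds since 1601-01-01 UTC.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_microseconds(value, epoch):
    """Turn a microsecond count relative to `epoch` into an aware UTC datetime."""
    return epoch + timedelta(microseconds=int(value))

def encode_microseconds(dt, epoch):
    """Inverse of decode_microseconds; integer division keeps large values exact."""
    return (dt - epoch) // timedelta(microseconds=1)

def decode_prtime(value):
    return decode_microseconds(value, PRTIME_EPOCH)

def decode_chrome_time(value):
    return decode_microseconds(value, CHROME_EPOCH)

# Where each browser keeps its visit history (real schema names, minimal columns).
SCHEMAS = {
    "firefox": ("moz_historyvisits v JOIN moz_places p ON v.place_id = p.id",
                "v.visit_date", decode_prtime),
    "chrome": ("visits v JOIN urls p ON v.url = p.id",
               "v.visit_time", decode_chrome_time),
}

def history_report(conn, browser, utc_offset_hours=0, start=None, end=None, keywords=()):
    """List visits with decoded timestamps shifted to a fixed UTC offset, optionally
    limited to an aware-datetime [start, end] window and to URL/title keywords."""
    join, time_col, decode = SCHEMAS[browser]
    tz = timezone(timedelta(hours=utc_offset_hours))
    rows = []
    sql = f"SELECT p.url, p.title, {time_col} FROM {join} ORDER BY {time_col}"
    for url, title, raw in conn.execute(sql):
        when_utc = decode(raw)
        if (start is not None and when_utc < start) or (end is not None and when_utc > end):
            continue
        haystack = f"{url} {title or ''}".lower()
        if keywords and not any(k.lower() in haystack for k in keywords):
            continue
        rows.append({"visit_time": when_utc.astimezone(tz).isoformat(),
                     "url": url, "title": title, "visit_time_raw": raw})
    return rows

def report_to_csv(rows):
    """Serialise report rows as CSV text, the f3e/FoxAnalysis-style export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["visit_time", "url", "title", "visit_time_raw"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def build_sample_firefox_db():
    """Constructed in-memory stand-in for a Firefox 3 places.sqlite (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "http://www.example.com/memory-forensics", "Memory forensics notes"),
        (2, "http://www.example.net/firefox-tools", "Firefox forensics tools"),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", [
        (1, 2, encode_microseconds(datetime(2008, 11, 22, 8, 30, tzinfo=timezone.utc), PRTIME_EPOCH)),
        (2, 1, encode_microseconds(datetime(2008, 11, 23, 12, 0, tzinfo=timezone.utc), PRTIME_EPOCH)),
    ])
    return conn

def build_sample_chrome_db():
    """Constructed in-memory stand-in for a Chrome/Chromium History file (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    conn.execute("INSERT INTO urls VALUES (1, 'http://www.example.org/chrome', 'Chrome test page')")
    # Same instant as the second Firefox visit, expressed in Chrome's 1601-based epoch.
    conn.execute("INSERT INTO visits VALUES (1, 1, ?)",
                 (encode_microseconds(datetime(2008, 11, 23, 12, 0, tzinfo=timezone.utc), CHROME_EPOCH),))
    return conn

if __name__ == "__main__":
    # Firefox history shown in US Central Standard Time (UTC-6), filtered by keyword.
    print(report_to_csv(history_report(build_sample_firefox_db(), "firefox",
                                       utc_offset_hours=-6, keywords=("forensics",))))
    print(report_to_csv(history_report(build_sample_chrome_db(), "chrome")))
```

To run it against a real profile, replace the `:memory:` builders with `sqlite3.connect("places.sqlite")` (or Chrome's `History` file) opened on a copy of the file, as the tools above do, so the live browser database is never touched. Note that the Chrome join uses `visits.url` as the foreign key into `urls.id`, which is how Chrome names that column; the two epochs are the only difference in how the timestamps are decoded.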

I ran out of time this weekend so I didn’t get a chance to go hands-on with this one, but it looks good and I hope to play with it this week if things are slow at work. (Like that will ever happen!)

Looks like they are also developing a Chrome version not yet released.

Anti-Virus News

Some quick points in the AV world:

Microsoft® Malware Protection Center : MSRT Review on Win32/FakeSecSen Rogues – Some interesting statistics on the spread of fake security applications that are all the rage now.

VirusTotal [Sunbelt] += CWSandbox – Notice that the VirusTotal upload-scan site now includes a tie-in to Sunbelt Software’s CWSandbox. Basically the way this works is that if you upload a file to VirusTotal and it matches a sample previously submitted to CWSandbox, you will be offered a link to view that behavior summary analysis. How neat is that!

VirusTotal += McAfee+Artemis – Notice that VirusTotal now includes not just the McAfee scan engine, but also one that leverages the Artemis technology as well. I hadn’t heard of Artemis before, but some digging turned up interesting information:

Basically (read the above posts for the full-meal-deal) Artemis provides “cloud-based” protection for emerging malware threats.  It runs on the client side and if a file is discovered that meets a certain behavior or heuristic then its fingerprint is uploaded to McAfee which does additional analysis and sends back a “block” or “allow” action order to the client software.  In theory this provides rapid protection where signature-based protection cannot deliver due to morphing or other factors.

Bits and Pieces

.: The Story of a Hack - Part 3. Kung Fu Shopping – SynJunkie concludes his walkthrough of a hack attack. It was a nice and clearly written/illustrated example of the challenges sysadmins and CSOs face keeping things locked down.

I’ve been following the .:Computer Defense:. blog for a long time.  However, lately the posts have been dropping off a bit.

Fortunately they have pointed to a new security-news and commentary aggregation site that I’ve quickly added to my RSS feed list.

I’m constantly amazed at the wealth of fantastic material and work out there by lots of dedicated IT security workers and researchers.  It is almost impossible to canvass them all.  Many I stumble across in the act of researching a specific problem or via cross-links in other posts.

For the two days I’ve been subscribed to the above site, I’ve already collected at least ten new sites and posts that have really added to my understanding and knowledgebase.

Good work guys and gals!

Cheers!

--Claus V.

1 comment:

Anonymous said...

nice blog! thanks!

Top Security and Hacking Tools
http://cryptoexperts.blogspot.com