Sunday, February 24, 2008

Miscellaneous Computer Forensic Topics

Case Study # 1

This week there was a little bitty paper released by Princeton researchers:

Lest We Remember: Cold Boot Attacks on Encryption Keys

Turns out it caused quite a buzz.

The researchers successfully defeated four popular disk encryption products: BitLocker, which comes with Windows Vista; FileVault, which comes with Mac OS X; dm-crypt, which is used with Linux; and even the open-source program TrueCrypt (versions 4.3a and 5.0a) running on a Linux system.

At the heart of the attack is the fact that DRAM keeps its contents for a brief window after power is cut. If the chips are cooled, or simply imaged within that window, the encryption keys can be recovered from the memory dump and the drive decrypted with them.

(Literally) cool stuff.

Yes, it does require a focused attack: the system must already have been running with the keys in memory, say a locked laptop in "sleep" mode, or one grabbed and imaged right after a full shutdown. (Sleep keeps DRAM powered, so the keys sit there intact for as long as the battery lasts; a shutdown or hibernation cuts power, so the attacker has only the seconds-to-minutes decay window unless the chips are cooled.)

I do find it interesting in light of corporations (and some private users) turning to drive-encryption solutions to deal with data loss from laptops and other storage devices. The researchers describe the result this way:

Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system.

Interestingly, if you cool the DRAM chips, for example by spraying inverted cans of "canned air" dusting spray on them, the chips will retain their contents for much longer. At these temperatures (around -50 °C) you can remove the chips from the computer and let them sit on the table for ten minutes or more, without appreciable loss of data. Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power. Just put the chips back into a machine and you can read out their contents.

This is deadly for disk encryption products because they rely on keeping master decryption keys in DRAM. This was thought to be safe because the operating system would keep any malicious programs from accessing the keys in memory, and there was no way to get rid of the operating system without cutting power to the machine, which "everybody knew" would cause the keys to be erased.

Our results show that an attacker can cut power to the computer, then power it back up and boot a malicious operating system (from, say, a thumb drive) that copies the contents of memory. Having done that, the attacker can search through the captured memory contents, find any crypto keys that might be there, and use them to start decrypting hard disk contents.
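Their key-finding step, as an added example that is my own Python and not the researchers' code (they published their own tools): an AES-128 key schedule is fully determined by the 16-byte key, so a scanner can take every 16-byte window of a memory image, expand it, and check whether the next 160 bytes match that expansion within a small number of flipped bits. This simplified version assumes the round-0 key bytes themselves survived and only tolerates decay in the derived round keys (the paper's method also corrects errors in the key itself); the memory image is constructed inline, and the budget of 8 decayed bits is an arbitrary choice.

```python
"""Scan a memory image for AES-128 key schedules, tolerating decayed bits."""
import random

def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF

def _build_sbox():
    """Generate the AES S-box (GF(2^8) inverse + affine map) instead of pasting a 256-entry table."""
    sbox = [0] * 256
    p = q = 1                      # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                            # q /= 3 (i.e. q *= 0xF6)
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (round keys 0..10)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)

def _bit_errors(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def find_aes128_keys(dump, max_bit_errors=8):
    """Treat every 16-byte window as a candidate key and accept it if the 160 bytes that
    follow match its expanded schedule within max_bit_errors flipped bits."""
    hits = []
    for off in range(len(dump) - 175):
        w3 = dump[off + 12:off + 16]
        t = [SBOX[b] for b in w3[1:] + w3[:1]]
        t[0] ^= RCON[0]
        w4 = bytes(dump[off + j] ^ t[j] for j in range(4))
        # Cheap filter: the first word of round key 1 is predicted from the candidate alone.
        if _bit_errors(w4, dump[off + 16:off + 20]) > max_bit_errors:
            continue
        sched = expand_key_128(dump[off:off + 16])
        errs = _bit_errors(sched[16:], dump[off + 16:off + 176])
        if errs <= max_bit_errors:
            hits.append((off, bytes(dump[off:off + 16]), errs))
    return hits

KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 sample key
KEY_OFFSET = 4096                                          # where the constructed image hides it

def build_sample_dump(size=16384, decayed_bits=6, seed=7):
    """Constructed stand-in for a captured DRAM image: random filler plus one schedule with a
    few bits flipped in round keys 1..10 to mimic decay (round key 0 is left intact here)."""
    rng = random.Random(seed)
    dump = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = bytearray(expand_key_128(KEY))
    for _ in range(decayed_bits):
        i = rng.randrange(16, 176)
        sched[i] ^= 1 << rng.randrange(8)
    dump[KEY_OFFSET:KEY_OFFSET + 176] = sched
    return bytes(dump)

if __name__ == "__main__":
    for off, key, errs in find_aes128_keys(build_sample_dump()):
        print(f"AES-128 key at offset 0x{off:x}: {key.hex()} ({errs} decayed bits)")
```

The cheap filter is what makes a full-RAM scan practical: only windows whose predicted first round-key word is already close to the bytes that follow get the full 44-word expansion. Decay in real captures is mostly one-directional (bits fall toward a ground state per region), which a more careful tool exploits to correct errors in the key bytes as well.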

SANS-ISC Handler's Diary picks up with the dramatic-sounding post: In memory of hard disk encryption?

As they point out, disk encryption is but one (though important) layer in the process of securing data on a portable (or non-portable) device.

Now incident responders need to add a few more questions during their pre/post loss assessment. Modifying slightly the list that ISC Handler Swa Frantzen provided:

  1. Was the sensitive data on the laptop/device encrypted?  If no, why not?
  2. Why was that data sensitive?
  3. Are there no better ways to do what that data does?
  4. Why was sensitive data stored on a portable device?
  5. Where was the absolute need to have the sensitive data?
  6. Why was the sensitive data mixed in with less sensitive data?
  7. Why was sensitive data allowed out of the organization that collected it?
  8. Why was a laptop containing sensitive data left unattended?
  9. How long ago was the laptop turned off?
  10. Was the laptop turned off, or just asleep?
  11. What encryption product was used and does it wipe its keys from RAM upon shutdown or sleep actions?

While it gives the "bad guys" some new techniques, it also gives forensic investigators the same techniques to consider and use during a seizure if the target system is suspected of using drive encryption and obtaining the passphrase is unlikely or impossible.

Computer forensics author Harlan Carvey mentioned in his post on this study that "...TechPathways provides a tool called ZeroView, which can reportedly be used to detect [whole disk encryption]."

There is also a PDF file from Technology Pathways that addresses some of the issues related to whole disk encryption detection and capture.

While most will see this as mostly an "academic/forensics" issue, I think it is a warning against complacency by corporate and government end users who have encrypted devices and let their guard down a few notches.

If an end user, say, places their encrypted laptop in a "sleep/hibernation" state (hanging out at the airport waiting to go through screening, or at a conference during a break) and lets their guard down thinking "it's encrypted, what's the worry?", an attacker could seize the laptop while still "hot" (although locked) and use these methods to attack it later at their convenience.

See also these related Princeton project items

Case Study #2

Harlan also posted a great introductory list of freeware forensic software/resource links this week.

Getting started, or forensic analysis on the cheap - The Windows Incident Response Blog

Provided is a nice list of links to Imaging tools, Image/File Integrity Verification, Images/Analysis Challenges, Analysis Applications, Mounting/Booting Images, Analysis Tools, File Analysis, File Carving, Browser History, Archive Utilities, AV and Related Tools, and Packet Capture and Analysis.

As I mentioned in the post comments there, I'm not a forensics guy but I do find as a sysadmin that many of the principles and methods are useful to know from a "foundations" standpoint when I am assessing a response strategy for a malware/virus infection on one of our desktop systems. It also provides me a good perspective for what to do/not do when I encounter "material" on a system that might very well be handed off to our own internal investigations division so I don't accidentally compromise something in my initial response and assessment.  Always good skills for anyone who deals with desktop support to have and be on the lookout for.

Case Study #3

I knew the LiveCD list has a number of Linux distributions that focus on workstation forensics.

These are disks that can "live boot" a target system and perform data inspection, case documentation, and other activities without writing to the target's drives (the well-built ones won't auto-mount attached disks or swap partitions, which is the part that keeps an acquisition defensible).

They should provide a wealth of good tools and activities for budding and experienced forensics experts alike to become familiar with.

Here are the project items that seem to still be (somewhat) actively maintained:

Plan-B- quoting from the developer - "Plan-B is a bootable Linux environment without the need for a hard drive, it runs entirely in ram or from the cd, based on a basic, stripped installation of Red Hat Linux and the fundamental workings of the SuperRescue CD. A list of tools and utilities are also included for projects such as: Forensics/Data Recovery, System/Network Analysis and Security Scanning, Temporary Network Device/Server, IDS / NIDS System, and Network Status Report Creation." - Security Tools, Forensics Tools, and Audit Tools.

Helix- quoting from the developer - "Helix is a customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics.  Helix has been modified very carefully to NOT touch the host computer in any way and it is forensically sound. Helix will not auto mount swap space, or auto mount any attached devices. Helix also has a special Windows autorun side for Incident Response and Forensics. Helix focuses on Incident Response & Forensics tools." - CD Contents

FIRE - Forensic and Incident Response Environment - quoting from the developer - "FIRE is a portable bootable cdrom based distribution with the goal of providing an immediate environment to perform forensic analysis, incident response, data recovery, virus scanning and vulnerability assessment. Also provides necessary tools for live forensics/analysis on win32, sparc solaris and x86 linux hosts just by mounting the cdrom and using trusted static binaries available in /statbins." - FIRE FAQ

FCCU GNU/Linux Forensic Boot CD - quoting from the developer - "This CD is based on KNOPPIX by Klaus Knopper. It is a remaster that I made to use at my work as a computer forensic investigator. Its main purpose is to create image copies of devices before analysis. It does not use a lot of CPU cycles for unnecessary programs, which is why it drops you to a shell right after the boot. It recognizes lots of hardware (thanks to Klaus Knopper). It leaves the target devices unaltered (it does not use the swap partitions found on the devices). It contains a lot of tools with forensic purpose."

Penguin Sleuth Bootable CD - The boot CD is still available, however the developer is also now working on a new project, a virtualized version of the package that can also master new bootable CD versions of itself. Sounds cool! Stay tuned for more details as they develop. Penguin Sleuth Kit Details and New Penguin Sleuth Kit Statement.

PLAC - Portable Linux Auditing CD - quoting from the developer - "PLAC is a business card sized bootable cdrom running linux. It has network auditing, disk recovery, and forensic analysis tools. ISO will be available and scripts to roll your own cd."

Case Study #4

It's important to be able to clearly and accurately document your case notes during your investigations.  There are many commercial solutions on the market, and these may be intimidating for someone to consider using, both from a cost and complexity standpoint. Some of the LiveCD tools above do contain audit and documentation tools that can be used.

Just this week I became aware of two freeware applications that can help with this and run on Windows:

Technology Pathways ProDiscover Basic Edition - (freeware) - "...a complete GUI based computer forensic software package. It includes the ability to image, preserve, analyze and report on evidence found on a computer disk drive. It is freeware and may be used and shared without charge."  It comes in both a regular system install version as well as a portable USB U3 format installer.

QCC Information Security UK - Casenotes - (freeware) - "The purpose of CaseNotes is to provide a single lightweight application program to run on the Microsoft Windows platform to allow forensic analysts and examiners of any discipline to securely record their contemporaneous notes electronically." For more information download the PDF Quick Start Guide.  The program does require the Microsoft .NET framework to run.  Note, you might get a registration page to complete before you reach the actual download page.  If this happens, I found that you can just leave all the fields blank and enter the captcha code only, and it will let you pass to the download page.

--QCC Casenotes spotted via the interesting Mobile Telephone Evidence blog.

Case Study #5

Tiny Apps points out that there is now a great tool that can be used to mount VMware virtual disks and dd images under Windows.

Pretty clever stuff.

And, just by coincidence, the SANS-ISC Handler's Diary reported that VMware has a flaw in its shared-folders feature that could let malware on a virtual system leak out onto the host system. (Never a good idea to have enabled, in my humble opinion.)

Critical VMware security alert for Windows-hosted VMware client versions - SANS-ISC Handler's Diary:

Workaround (from the VMware advisory)

Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders.
To disable shared folders in the Global settings:

  1. From the VMware product's menu, choose Edit > Preferences.

  2. In the Workspace tab, under Virtual Machines, deselect the checkbox for Enable all shared folders by default.

To disable shared folders for the individual virtual machine settings:

  1. From the VMware product's menu, choose VM > Settings.

  2. In the Options tab, select Shared Folders and Disable.
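As an added example of checking that workaround across a folder full of VMs rather than clicking through each one (this is my own Python, not anything from VMware or the advisory): the script reads the .vmx file for each VM, which is where those GUI settings land, and reports every shared folder the guest can still reach. The two .vmx fragments are constructed; the sharedFolderN.* and isolation.tools.hgfs.disable key names are the ones Workstation-era .vmx files use for this feature, but treat them as an assumption and diff them against a .vmx from your own installation.

```python
"""Audit VMware .vmx files for shared folders a guest can still reach."""
import re

# Constructed .vmx fragments (not files from the post). Key names are assumed to match what
# Workstation writes for shared folders; verify against a real .vmx before relying on them.
VMX_WEAK = '''
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-sandbox"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\\Users\\analyst\\Desktop\\drop"
sharedFolder0.guestName = "drop"
sharedFolder0.expiration = "never"
'''

VMX_HARDENED = '''
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-sandbox"
sharedFolder.maxNum = "0"
sharedFolder0.present = "FALSE"
isolation.tools.hgfs.disable = "TRUE"
'''

_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            cfg[m.group(1)] = m.group(2)
    return cfg

def _true(cfg, key):
    return cfg.get(key, "FALSE").strip().upper() == "TRUE"

def audit_shared_folders(cfg):
    """Return one finding per shared folder the guest can actually reach.
    HGFS disabled at the isolation layer overrides any per-folder setting."""
    if _true(cfg, "isolation.tools.hgfs.disable"):
        return []
    findings = []
    for key in cfg:
        m = re.fullmatch(r"sharedFolder(\d+)\.present", key)
        if not m or not _true(cfg, key):
            continue
        n = m.group(1)
        if not _true(cfg, f"sharedFolder{n}.enabled"):
            continue
        findings.append({
            "index": int(n),
            "guest_name": cfg.get(f"sharedFolder{n}.guestName", ""),
            "host_path": cfg.get(f"sharedFolder{n}.hostPath", ""),
            "writable": _true(cfg, f"sharedFolder{n}.writeAccess"),
        })
    return findings

if __name__ == "__main__":
    for label, text in (("weak", VMX_WEAK), ("hardened", VMX_HARDENED)):
        print(label, audit_shared_folders(parse_vmx(text)))
```

Feed parse_vmx the contents of each .vmx under your VM directory; anything audit_shared_folders returns is a folder the flaw can be used against, and a writable one is the worse case since the guest can then drop files onto the host.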

Happy hunting and gathering!


Fabulous February Freeware Finds

First up: Floola

In my previous post I mentioned that we have been hitting the iPods in our home pretty hard.

iTunes is loaded on the desktop system and this is the one we use to hold all our music/videos and manage the devices.

I've installed iTunes on the family laptops as well, but we only use those to listen to streaming music.  I haven't taken the time to figure out if/how to use it to play music from the iPods, as they aren't "registered" to those laptops, just the desktop system.

At work it gets even better.  I don't like working and listening to my iPod via headphones.  The phone rings too often and people keep talking to me over the cubicle walls.

In the past I just hooked it up directly to a set of pc speakers/amplifier and played it like a hacked up boom-box.  I don't want to install iTunes on my work machines.

I did try Yet another iPod manager (YAMI Pod) but the hotkey combos kept doing weird things to it when I was working on the laptop so it was a non-starter.

I'm going to try out Floola - (freeware) - which is a feature-packed amazement of goodness:

Floola is a freeware application to efficiently manage your iPod or your Motorola mobile phone (any model supporting iTunes). It's a standalone application that can be run directly from your iPod and needs no installation under Linux, Mac OS X and Windows (Windows Vista is supported).

Floola supports all commonly used iPod features including artwork, podcasts and smart playlists! It's also able to convert audio or video incompatible with the iPod so that you can copy almost any file to it. It even allows adding YouTube and MySpace videos by just entering the page URL!

For additional iTunes replacements (fee/$) check out this page: - The BIG list of iTunes alternatives

MiTeC Tools

While working on another issue, I ended up on the MiTeC Homepage.

MiTeC has a great collection of small and useful utilities.

All well worth looking into.

Here's a sampler

DirList 1.1.0 - (freeware) - "This application allows to browse all connected disks like explorer and select folders and files for listing. Files can be listed by content too. Result listing can be saved to CSV file or as HTML with defined layout with preview."

Windows File Analyzer 1.0.0 - (freeware) - "This application decodes and analyzes some special files used by Windows OS. In these files is interesting information for forensic analysis.
Every analysis result can be printed in user-friendly form.  Here are described individual analyzers:
  • Thumbnail Database Analyzer - This analyzer reads the Thumbs.db file and displays its content, with stored data including image previews.
  • Prefetch Analyzer - It reads files usually stored in the Prefetch folder and digs out the stored information.
  • Shortcut Analyzer - This tool reads all shortcut files in the specified folder and displays the data stored in them.
  • Index.DAT Analyzer - This analyzer reads the specified Index.dat file and displays its content. Index.dat files usually store Internet Explorer cookies, temporary files or history.
  • Recycle Bin Analyzer - This analyzer decodes and displays Info2 files that hold recycle bin content information."

Windows Registry Recovery 1.3.2 - (freeware) - "This application allows to read files containing Windows 9x, NT, 2K, XP, 2K3 registry hives. It extracts much useful information about configuration and Windows installation settings of the host machine. Registry hives can be exported into REGEDIT4 format.  Every topic's data can be saved to CSV. Here are described individual explorers:
  • File Information - In this explorer you can see basic file properties and checksums.
  • Security Record Explorer - Displays all security records used in the registry. Usage counter, owner SID, group SID, list of affected keys and list of SACL and DACL entries are displayed for every record with flags and permissions enumerated. This explorer is available only for NT-based system registry hives.
  • SAM - Displays the Machine SID and part of the SYSKEY. Enumerates local user and group accounts and some of their properties. This explorer is available only for the NT-based system registry SAM hive.
  • Windows Installation - Displays Windows name, ID and key, install date and user registration info. Enumerates installed software with descriptions and install dates and the list of installed hotfixes with descriptions. This explorer is available only for the SOFTWARE registry hive (Product ID and key are extracted from the SYSTEM hive too).
  • Control Set - Displays all configured devices that worked on the host machine. They are displayed in a "Device Manager"-like tree with some properties. This explorer is available for the SYSTEM registry hive.
  • User Data - Displays user and machine name and a tree-based Start menu for the selected USER hive. This explorer is available for the USER registry hive.
  • Startup Applications - Enumerates applications that are registered to be run after startup. This explorer is available for the SOFTWARE registry hive.
  • Services and Drivers - Enumerates all installed services and drivers with properties. This explorer is available only for the NT-based system registry SYSTEM hive.
  • Network Configuration - Displays all installed network clients, protocols and services. Enumerates all defined network connections with their TCP/IP configuration. This explorer is available only for the NT-based system registry SYSTEM hive.
  • Environment - Displays all environment variables. This explorer is available only for the NT-based system registry SYSTEM hive.
  • Shell Folders - Displays shell folders (folders known to the system). This explorer is available only for the NT-based system registry SYSTEM hive.
  • Raw Data - This explorer displays the whole registry in the known tree format. Contains powerful searching and a data interpreter."

Network Meter 1.0.0 - (freeware) - "This application scans for network interfaces and adapters installed in system and their monitoring. Detailed info for every interface is provided.  Every interface monitor has simple statistics view and graphic display with time history."

Network Scanner 1.0.0 - (freeware) - "It is a free multi-threaded IP, NetBIOS and SNMP scanner with many advanced features. It is intended for both system administrators and general users who are interested in computer security. The program performs ping sweep, scans for opened TCP and UDP ports, resource shares and services.  For devices with SNMP capability available interfaces are detected and basic properties displayed. In addition you have to edit results, save/load results to/from CSV and print network device list. It can also resolve host names and auto-detect your local IP range."

HexEdit 4.2.0 - (freeware) - "HexEdit is powerful hexadecimal editor with following features: MDI interface, Data Inspector, Calculator, File Compare, Memory Dumper, Disk Dumper (NT only) ."

PhotoView 1.2.0 - (freeware) - "Image viewer with thumbnail band for fast navigation. Provides EXIF information (based on MiTeC EXIF Reader), RGB/I histogram and some basic image processing tools. It can display [multiple] image formats.  Image can be rotated, flipped, inverted, grayscaled and equalized. Special Magnifier tool is available.

MiTeC PE Reader - (freeware) - "...based on TObject class and contains complete interface for reading. It reads and displays executable file properties and structure. It is compatible with PE32 (Portable Executable), PE32+ (64bit), NE (Windows 3.x New Executable) and VxD (Windows 9x Virtual Device Driver) file types. .NET executables are supported too.  It enumerates introduced classes, used units and forms for files compiled by Borland compilers."

EXE Explorer 1.0.0 - (freeware) - "...based on MiTeC Portable Executable Reader. It reads and displays executable file properties and structure. It is compatible with PE32 (Portable Executable), PE32+ (64bit), NE (Windows 3.x New Executable) and VxD (Windows 9x Virtual Device Driver) file types. .NET executables are supported too. It enumerates introduced classes, used units and forms for files compiled by Borland compilers. It contains a powerful Resource Viewer that is able to analyze and display all basic resource types and some extra ones such as JPEG, AVI, REGISTRY. It contains an excellent Type Library viewer that enumerates all objects and creates an import interface unit in Object Pascal language. Every type of resource can be saved to file. EXE Explorer produces a text report with all important information about the selected file. Searching capability is also available. It searches all resources that can be interpreted as text."

InfoDesk - (freeware) - Don't let the Czech language fool you.  An English translation is built into the downloaded application.  InfoDesk provides a really nice micro-toolbar.  Displayed are the system up-time, CPU utilization rate, memory utilization rate, a calendar/reminder, and a clock.  However, the real "juice" of this tool lies in the right-click menu.  Right-click on the bar and you will be able to quick-launch up to three custom applications, a calculator, a calendar, Windows Explorer, a notepad, the clipboard history, the event viewer, system information, a Net meter, a CLI console window, a Coder Tools utility, and the CPU monitor.  Really handy things!

Additional MiTeC applications are available from the homepage and some more "unlisted" ones from the MiTeC direct download page.

All seem to be USB portable in my tests. Small, light and sweet.

Hello Miss Identify!

Harlan pointed me to this useful freeware tool: Miss Identify

It is a program that scans your target system for Win32 executable files.

Normally that would simply mean doing a search for files that end in exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb.

But what if malware (or a user) has changed the file extension to something else?  How can you quickly locate it on a system?

Miss Identify can!

Download the utility and copy to your USB drive (for scans on a target system).

Here are some basic search commands from the developer's site:

Searching for mislabeled executables

C:\> missidentify *

Searching for all executables

C:\> missidentify -a *

Searching for all executables in an unusual place

C:\> missidentify -ar c:\windows\system32

For more information and tips, see The Miss Identify manual page.
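What Miss Identify is doing under the hood, as an added example that is my own Python rather than the tool's code: a Win32 executable announces itself by its header, not its name, so the scanner reads the first 64 bytes, checks for the "MZ" signature, follows the e_lfanew pointer at offset 0x3C and looks for "PE\0\0" there. The extension list is the one given above; the directory tree and the minimal MZ/PE headers are constructed inline (they are just headers, not loadable programs), and the file names are made up.

```python
"""Find Win32 (PE) executables by header, whatever their file extension."""
import os
import struct
import tempfile

# Extensions that normally carry PE images (the list from the post).
EXPECTED_EXE_EXTS = {".exe", ".dll", ".com", ".sys", ".cpl",
                     ".hxs", ".hxi", ".olb", ".rll", ".tlb"}

def is_pe_file(path):
    """True if the file has an MZ stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)                     # IMAGE_DOS_HEADER is 64 bytes
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        fh.seek(e_lfanew)                        # a seek past EOF just makes read() return b""
        return fh.read(4) == b"PE\x00\x00"

def find_executables(root, mislabeled_only=True):
    """Walk root; return relative paths (forward slashes) of PE files.
    With mislabeled_only, keep only those whose extension is not in EXPECTED_EXE_EXTS."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not is_pe_file(path):
                    continue
            except OSError:                      # unreadable or vanished file: skip, don't abort
                continue
            ext = os.path.splitext(name)[1].lower()
            if mislabeled_only and ext in EXPECTED_EXE_EXTS:
                continue
            hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

def make_fake_pe(stub_len=0x80):
    """Constructed header-only PE: MZ stub, e_lfanew -> 'PE\\0\\0', then zero padding."""
    buf = bytearray(stub_len + 24)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, stub_len)
    buf[stub_len:stub_len + 4] = b"PE\x00\x00"
    return bytes(buf)

def build_sample_tree():
    """Constructed directory tree standing in for a suspect profile folder."""
    root = tempfile.mkdtemp(prefix="missid_")
    layout = {
        "Documents/report.pdf": make_fake_pe(),       # executable hiding behind a document extension
        "Documents/notes.txt": b"just text\n",
        "tools/helper.exe": make_fake_pe(),            # correctly labelled executable
        "tools/stub.exe": b"MZ but far too short",     # MZ with no PE signature: not a Win32 image
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    print("mislabeled:", find_executables(root))
    print("all PE files:", find_executables(root, mislabeled_only=False))
```

Run it against a mounted evidence image or a copied profile directory rather than a live C:\, and pass mislabeled_only=False for the equivalent of the -a switch. Like the original tool this finds PE images only; a .com file has no MZ/PE header at all, so it is neither flagged nor listed.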

This one is going on my sysadmin USB stick immediately!

Mega Anti-Malware Tools

I still use and recommend Spybot Search & Destroy 1.5.2 and LavaSoft Ad-Aware 2007 Free for freeware anti-malware scanning and removal.  Both have a long and trusted track record in malware-busting circles.

I like Malware Destroyer - (freeware) - from EMCO.  But it does seem to have a few false-positives.

A-Squared Free is a good anti-malware scanner as is AVG Anti-Spyware 7.5, also freeware.

Spyware Terminator - (freeware) - is a good scanner.  It does add a service to your system, however, which I tend to not like for "portability" reasons.  The use of a "whitelist" to help prevent false-positives and speed scans is a nice touch.  It is gaining in popularity.

However, I find that I am turning to two relatively new freeware products for my anti-malware scanning needs.  Both are very full featured, provide frequent updates, and seem to do very thorough scans.

SUPERAntiSpyware - (freeware) - Handles minimal, full, and custom scan configurations, full detection and removal of malware, keyloggers, trojans, rootkits, and other baddies, doesn't use much memory, able to repair damaged internet connections (LSP), real-time protection is supported, and can run micro scans at system bootup and/or shutdown.  The interface is nice and it is easy to view and review scan findings and elements.

Malwarebytes' Anti-Malware - (freeware) - I really like this one as well.  Developed by the "RogueRemover" crew, this very new product is amazing.  It is being updated frequently. Quick and full scans are available, real-time protection is available in the "paid" version, items can be quarantined for safety before final deletion from the system (just in case something breaks), the generated logs are very detailed, you can set ignore lists, and as an added bonus, FileASSASSIN has been incorporated into the program to delete "locked" files.

Check out Malwarebytes' full line of malware-busting products, most all are free.

Web-mail MouseTrap

MakeUseOf has a clever method to set up your web-mail account to see if someone uses it unauthorized.

Are you Sure your Email isn't being Hacked?

Clever and simple tip.



The DVD to iPod Transfer Two-Step

I've been sitting on this post for quite a while.

Then the MakeUseOf blog beat me to the punch:

Read this post or read Dave's.  Either way, it's all handy.

My search for a workable solution for putting one of our personally purchased DVDs onto an iPod began with Alvis's Christmas gift of a new iPod nano.

Up to this point we have had only shuffles and a Classic iPod so video playback has never been an issue.

However, with the new nano, came Alvis's desire to place one of her favorite movies on the nano.

I had experimented with the process of making a DVD to DVD duplicate before and it was very successful.

But this was new material for me.

There are lots of different options and software choices available to do this, and everyone has their own favorites.

So this is the combination I found which worked very easily for me, almost too easily.

Step One - Rip the DVD

I have tried various free DVD ripping programs.  However the one that I am using now and works best is DVDFab HD Decrypter.  It is free, has a great GUI interface, and seems to work great on the handful of DVD's I've tossed at it.

Launch the program after you have installed it.

Insert a DVD.

Click "Start" to copy the DVD contents (the Video_TS folder) to a specified location on your hard drive (make sure you have the space).

Rip times do vary, but generally take around 15-20 minutes or less depending on the disk size.

When completed you should have a local copy of the video's Video_TS folder on your system.

Now we need to get it prepped for the iPod.

Step Two - Apply the Handbrake

Go get, download and install the freeware utility HandBrake.

In the "Source" section, browse to the location of the Video_TS folder you saved the DVD rip to.

Set your Destination to where the file you will create should be placed.

On the right-hand side under "Presets" select the iPod "low rez" option.  (You can try others, but this seems to work best for the nano's).

Punch the "Encode Video" button at the bottom.

A command-line window will appear and the re-encoding will begin.

Note: Go out and relax, do some errands, watch a movie.  Do something.  This recoding process will usually take up to an hour or two to complete, depending on the speed of your system.  Some things just take a long time to do.

Put it in iTunes

When the conversion process is done, simply drag the file you created and drop it into iTunes. Then you can add it to your nano (or whatever).

The few that I have done have resulted in very good quality conversions and the video/audio sync is almost always flawless...something that other applications and methods have trouble with.


I ONLY rip our own personal DVD's and realize copying it onto my Apple device could be seen as a copyright usage problem.  I like many others believe that porting a movie (or CD I own) onto a device I also own so that I can enjoy the movie on multiple devices is well within the intent of "fair use" laws.

I DON'T rip movies I rent or borrow.  I DON'T share these files with ANYONE outside of Lavie and Alvis's nanos.  I DON'T upload or offer them for sharing on the Net.  I run quite a few security layers and DON'T keep the original rip files in a shared folder in our network.

I DO strongly recommend that you use these applications appropriately and within the parameters of copyright law and your country/local laws. I am most assuredly not a lawyer, and the laws regarding "fair use" seem to be changing on a daily basis.

Also, iTunes store is offering a weekly "Thursday $.99 rental special" and also has fairly reasonable pricing on general movie downloads as well.  Well worth considering as alternatives.

Unfortunately, many of the older DVD titles we purchased still aren't available anywhere else so this remains the only option to enjoy them "on-the-go".

Additional resources:

How To Put DVD Movies on Your iPod - Helpero

DVDFab HD Decrypter copies DVD's, removes protections - Download Squad

"How do I convert a DVD movie for my iPhone and iPod?" - Ask Dave Taylor! Tech Support Blog

Handbraked! - Random Thoughts of a Random Fellow

How to rip a DVD - A Tutorial by Elliott C. Back

How to copy a DVD-9 using Ripit4Me and DVD Shrink 3.2

StaxRip - planetdvb

Shrink DVDs down to size with Amok DVD Shrinker

DVD Rip Automates One-Click DVD Ripping - Exclusive Lifehacker Download

AVS DVD Player - freeware - alternative DVD player for folks who don't have DVD playback software on their Windows system.  Quite nice.  Site does load pages slowly sometimes.


More Firefox (Minefield/FF3 beta) Tips, Mostly

As my regular readers may remember, I have Firefox loaded up on multiple systems at our home; on the main desktop system as well as both laptops.

Generally I still keep them all "sync'ed" by exporting the bookmarks file to a USB stick and "importing" it back to the system I am using.  I'm usually able to keep it all straight in my mind and the girls don't use bookmarks much at all, so I haven't overwritten anyone (well, not that I know of).

Last weekend, I did a MAJOR cleanup and reorganization of my bookmarks/folders in Minefield (Firefox 3.0 nightlies).  I've been using Minefield/Firefox 3.0 as my primary Firefox browser now that most all of the bugs in Places (the bookmarking system) have been worked out.  I REALLY like Firefox 3.0 now.  Wowzers.  Page rendering is awesome.

Download Firefox 3 Beta 3

Download Firefox "Minefield" - cutting-edge nightly builds of Firefox 3 - for brave idiots only.

Only when I went to do my usual plan of importing the bookmarks from the Vista laptop Minefield build into the desktop Minefield build, it completely blew out Places/bookmarking on my desktop system.  Weird.

I eventually was able to finally get it semi-working, but ended up completely blowing away my previous installation of Minefield and my Minefield associated user profile.  I rebuilt it from scratch.

In doing so I learned some helpful tips.

Extension/Add-on Handling Tip: Bypassing Compatibility & Security checks

More and more Mozilla extension "Add-ons" are being updated to releases compatible with Firefox 3.0(betas).  This generally means great compatibility with Minefield as well.

However, if you are running Minefield versions, just because the Add-on says it is compatible with Firefox 3.0beta3 doesn't mean it will install in the Nightlies.

The steps below turn off two Firefox 3.0 checks: the add-on compatibility check (so add-ons that don't declare compatibility with your build will still install) and the new "secure updates" check (which refuses add-ons whose update URL isn't HTTPS or whose update manifest isn't signed).  With the second one off, an add-on update can be served to you over plain HTTP by anyone on the network path, so treat this as a testing-only setting and flip it back once you are on a release build:

  • Type about:config into Firefox's address bar and click the "I'll be careful, I promise!" button.
  • Right-click anywhere. Choose New>Boolean. Name the new value extensions.checkCompatibility and set it to false.
  • Make another new boolean called extensions.checkUpdateSecurity and set it to false.
  • Restart Firefox.

There you go!   

(tip via Lifehacker's post Firefox 3 Beta: Make Your Extensions Work with the Firefox 3 Beta)

See also this related article: Updating add-ons - MozillaZine Knowledge Base

Once you do this, you may need to use and run the Nightly Tester Tools Add-on to force compatibility on some of the extensions.  You may still see some warnings on associated Add-ons, but they should still work as intended.

Download Statusbar Add-on - Just for Nightly testers

I really like the changes to the Download Manager in Firefox 3.  However, I've been a big fan of the Download Statusbar Firefox Add-on for a long time.  It just doesn't seem natural to not see it going.

So when I installed it in Minefield, it just didn't work like I had expected.

I did a bit of digging and found the developer does have a special version ( just for the nightly Minefield users.

Get it from this page.

More Firefox 3.0 Anti-Malware website blocking fallout

I'm still not satisfied after having gone through the work on my battle with Firefox 3's security blocking mechanism.

Firefox 3 Security Blocker: Going In Deep

I understand it.  I agree with it.  I still want a method to pass through to a blocked site (even if it must first be enabled in about:config to keep average users away from it) without having to disable the "suspected attack site" option in its entirety.

(By the way, is now no longer being blocked in Firefox 3 any more.  Mischief managed?)

I haven't seen this become more of a public issue yet, but I think it very well might as more users move to Firefox 3 and encounter the behavior.

Techworld picked it up and determined that the Firebug add-on is the only one of 27 Mozilla "Recommended Add-ons" that is being blocked by Firefox 3.0 at this time. - Popular website falls foul of Firefox 3.0

The main Firebug developer's page hosted at remains blocked. However you can still get to Firebug via this site, Firebug :: Firefox Add-ons or this one Firebug - Web Development Evolved.


Firefox Crash Reporting

I've been crashing Firefox (Minefield) a lot more often lately than I used to.

I suspect it is something to do with NewsFox and Minefield.  Seems that it is safest to just let Newsfox run in the background and keep running by itself until all the new feeds have been identified.  If I switch to a new tab and continue browsing, sometimes I crash Minefield.

I also had to reapply many of my NewsFox tweaks in my new Minefield profile.  However the latest version of NewsFox brings many of the options into the GUI Options settings in NewsFox so fewer about:config tweaks are required.

I mention this as I am now seeing the new Mozilla crash-reporting tool.  As a good Firefox citizen I make it a habit of sending on the crash data to Mozilla.  Way I see it, this is my little way of maybe helping out the development and fine-tuning of an awesome product.

Two Important Backup Tips

One lesson I learned through this experience is how to correctly back up and restore my Places bookmarks as well as my NewsFox feed list.

Minefield (Firefox 3) actually has two ways to manage the bookmarks.

On the menu bar go to "Bookmarks" > "Show All Bookmarks"

This will bring up the bookmarks/Places management window called "Library".

Notice the "Import and Backup" menu-bar item.

The "Import" and "Export" options allow you to bring an HTML-formatted bookmark file into your current bookmark structure.  Exporting sends your bookmarks out in an HTML-formatted file.  This is useful if you wish to use them in another browser or application.

The real power-toys come in with the second set of options; "Backup" and "Restore".

Use the "Backup" option to create a snap-shot record of your entire Places/bookmark structure.  It will be saved (by default) with the current date in the filename.

If you ever want to revert your Firefox 3.0 bookmarks completely to a prior version, then use the "Restore" feature and point to the location where you saved this manual backup.  (Note: Firefox also seems to perform automatic bookmark library backups as well and you could use one of these also.)

What the restore does is to replace ALL the current bookmarks with the backup set.  It is a complete swap, so you don't have to do any rearranging and deleting of the old ones for the new ones like you would if you used the "Import" feature.

Darn handy!

So now, in my case as I move the bookmarks file between various systems, I always use the "Backup" and "Restore" options from within Firefox 3 instead of manually copying/pasting the profile's bookmark .html file(s).  That is what got me into trouble I believe with one of the newest nightly releases and led to my rebuild of Minefield/profile.

In contrast, making and restoring a backup copy of your NewsFox feeds couldn't be simpler.

Click the little gear looking icon to display the options for NewsFox.

Choose "Export OPML" and pick the location of your backup file placement.

To restore, just choose "Import OPML" > "Start Fresh" > "from file".  Browse to where your exported OPML file is and bring it back in.

Using this method you get a full and clean replace of your NewsFox feeds.


NoScript and YouTube (and then some).

I'm a BIG fan of the Firefox Add-on NoScript.  It blocks all JavaScript and other XSS attacks.  Then you can enable scripts on a targeted basis, permanently or temporarily depending on your needs.  I'm not comfortable doing any browsing without it.

However, I noticed that in Minefield I wasn't able to see any embedded YouTube videos on any websites.  No matter what I enabled and allowed in NoScript.

I finally got it solved.  Here's how.

I read through all the NoScript release threads in MozillaZine Forums for previous NoScript versions and up to through the current one.

I found the tip about adding "" to the NoScript whitelist and put that in (YouTube scripts now do a call to that web-domain so it must be allowed). Restarted. Nope. YouTube videos still not appearing. Yes, Flash was at the latest version.

I also tried toggling the noscript.forbidActiveContentParentTrustCheck about:config preference to false, as I found suggested.

Still nothing.

So I disabled NoScript entirely in my Add-ons. Restarted Minefield. Still not getting them.

Just for kicks I installed the latest (beta) version of NoScript (1.4.4) to no improvement.


So I closed out Minefield and popped over to my parallel Firefox build which has an almost identical setup of extensions/settings. YouTube videos displayed just fine. NoScript settings were identical between Minefield and Firefox 2.x.

At this point I began thinking that maybe NoScript wasn't responsible for the issue I was seeing after all.

So I went back to Minefield and started considering the extensions I have installed (some not yet "officially" supporting Minefield).

The only one I could find that might have an impact was Adblock. So I disabled it. Restarted Minefield. Nope.

Then I uninstalled it completely.

Voilà! YouTube videos were displaying in pages correctly again!


I ended up switching to Adblock Plus instead (which is way better anyway) in Minefield/Firefox 3 and (along with NoScript) everything is working great and the YouTube embeds are working as well.

My fault for "tweaking" unsupported extensions to work with Minefield. In most cases I've gotten away fine with it, but this time.....

So if anyone else has read all the tips and still can't get YouTube videos to display in Minefield/Firefox 3, AND is running NoScript (and has added to the whitelist), AND has installed the Adblock add-on, well, try uninstalling Adblock and switching to Adblock Plus.



Monday, February 18, 2008

Two More "Lite" SQLite viewers - All good, light, and free

As is often the case when dealing with systems and the Net, you find a solution and it works, then you move on and later end up finding more that might have been useful.

Case in point, these SQLite viewers/editors.

While I was working out the issues in my post Firefox 3 Security Blocker: Going In Deep, I had need for a utility that I could use to peer inside the SQLite files that Mozilla uses.

SQLite Database Browser


I discovered SQLite Database Browser, a great Open Source solution.

You can use this utility to visually inspect, create, design and edit database files compatible with SQLite.  You can also import and export records which is really useful when you are working with the information located in the Mozilla database files.

It uses a single exe file and is just over 2.41 MB in size.  Very portable. I like the very simple interface.  Not very complicated and very easy to use to browse SQLite database files.

SQLite Spy

So while I was working on another post, I happened across this utility.


SQLiteSpy [Delphi Inspiration] - (free for personal/educational use) - This application uses a very handy treeview.  I find this makes the structure much easier to understand.  Editing is supported and different data types are displayed with different background coloring. Full Unicode support. Tab-based views for displaying multiple SQL queries and database elements.  There are lots of data and file compression options as well as encryption support. The SQLite engine is built into the single exe file.

No install is required. Download and unzip.  The exe file comes in at a light 1.8 MB filesize. No registry writes.  Options are kept in a self-generated .db3 file in the application's folder when launched.  Nicely portable.

SQLite Administrator

That one led me to this one.


SQLite Administrator - (free for private use) - This utility has the treeview pane that I like so much, as well as a very image-rich GUI. Like the others, this utility allows for creation, editing, and deletion of tables, indices, views and triggers. However, it brings to the table some nice wizard-based helpers for these actions.  It supports SQL code highlighting and error location.  You can import data from CSV files and export data in XLS/CSV/HTML/XML formats.  Internal query storage is possible. Images may be stored in Blob fields.

It appears to be a very full-featured utility for working with SQLite files.

Like the others, this one does not require installation. Download the zip file and decompress.  Application folder size is much larger than the others, coming in at just over 4.53 MB.  If you delete all the language files except for the single one you need, you can drop it down to 4.35 MB. Not that big a difference.  Aside from the language file(s), there is the main exe file and two supporting dll files.  Although it is larger, it also remains portable.

So, regardless of whether you need one of these utilities to quickly and freely manage and view the Mozilla .sqlite files, or to do more extensive SQLite database work, there are more options, and all are small, fast, and portable.
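If you would rather script the same inspection than click through a viewer, the following is an added example (not code from the post or from any of the three tools above) using Python's standard sqlite3 module. The two tables it builds in memory are a constructed, simplified approximation of Firefox's moz_places and moz_bookmarks tables, present only so the script runs offline; the inspection and export functions work on any SQLite file, so you can point them at a copy of a profile's places.sqlite (always a copy, never the live file the browser has open).

```python
"""Inspect and export a SQLite database such as the ones Firefox 3 keeps
in its profile (places.sqlite, formhistory.sqlite, ...).

Added example; not part of the blog post or of the viewers it reviews.
make_sample_db() builds a constructed, simplified stand-in for Firefox's
moz_places / moz_bookmarks tables so the script runs without a profile.
"""
import csv
import io
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory sample with two bookmark-like tables."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY,
            url TEXT,
            title TEXT,
            visit_count INTEGER DEFAULT 0
        );
        CREATE TABLE moz_bookmarks (
            id INTEGER PRIMARY KEY,
            fk INTEGER,            -- points at moz_places.id
            title TEXT
        );
        INSERT INTO moz_places VALUES (1, 'http://example.com/', 'Example Domain', 3);
        INSERT INTO moz_places VALUES (2, 'http://example.org/blog/', 'Example Blog', 1);
        INSERT INTO moz_bookmarks VALUES (1, 1, 'Example');
        INSERT INTO moz_bookmarks VALUES (2, 2, 'Blog');
        """
    )
    return con


def inspect_db(con: sqlite3.Connection) -> dict:
    """Return {table_name: [column names]} from SQLite's own catalogue.

    sqlite_master lists every object stored in the file and PRAGMA
    table_info gives a table's columns, so this works on any SQLite
    database, not only the Mozilla ones.
    """
    schema = {}
    tables = con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    ).fetchall()
    for (name,) in tables:
        cols = con.execute(f'PRAGMA table_info("{name}")').fetchall()
        schema[name] = [c[1] for c in cols]  # index 1 of each row is the column name
    return schema


def export_table(con: sqlite3.Connection, table: str) -> str:
    """Dump one table as CSV text, header row first.

    The table name is checked against the catalogue before it is placed
    in the query, so a caller cannot smuggle SQL in through it.
    """
    if table not in inspect_db(con):
        raise ValueError(f"no such table: {table}")
    cur = con.execute(f'SELECT * FROM "{table}"')
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow([d[0] for d in cur.description])
    writer.writerows(cur.fetchall())
    return buf.getvalue()


def bookmarked_urls(con: sqlite3.Connection) -> list:
    """Join bookmarks to the places they point at (the kind of query a viewer's SQL tab runs)."""
    return con.execute(
        "SELECT b.title, p.url FROM moz_bookmarks b "
        "JOIN moz_places p ON p.id = b.fk ORDER BY b.id"
    ).fetchall()


if __name__ == "__main__":
    db = make_sample_db()  # replace with sqlite3.connect('copy-of-places.sqlite') for a real profile
    for tbl, columns in inspect_db(db).items():
        print(tbl, columns)
    print(export_table(db, "moz_bookmarks"))
    print(bookmarked_urls(db))
```

Opening a profile database read-only is the safe default for forensic work; with a modern Python you can do that through a URI such as `sqlite3.connect("file:places.sqlite?mode=ro", uri=True)`.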

Unfortunately, my database work is in the realm of Microsoft Access.  As such, besides using these tools to inspect and export data, I can't effectively evaluate their real power and functionality with SQLite database work.

If anyone can provide more rounded comments on any of these products' features, please feel free to leave a comment.



Friday, February 15, 2008

Now See This: Adding Comments to your Blogger sidebar

One of the features I have always enjoyed with TechBlog and other blog sites is being able to see recent comments up front.  In fact, the TechBlog is one of the few places where I actually subscribe to the comments feed along with the main posts.

I have now added a sidebar element to the GSD blog which meets this need.  Scroll down a bit and you should see it along with (at this time) comments from Fird, TxGoodie, Jim and Therion Ravenwing. (Thanks all!)  I feel really fortunate that there are such kind and warm folks who take the time to leave a comment over here.

I think providing recent comments on your main page can work to illustrate to new visitors that a blog has a good community behind it; "street-cred" if you will.  And faithful readers can quickly catch up on older posts that are still generating interest.

In addition, some of the threads generated in the comments can become a story unto itself, often surpassing the original blog post in information and detail.  I almost always take the time to look for comments on a post I am reading to see what the "vibe" is and if there is any supplemental information provided by readers.

If you are a regular blog reader and are feeding the main page, or dropping in to it directly,  you almost always miss the comments.  Unless you click on the main post, proper, you might never see them.

And, there is always something rewarding and fun when you are able to view your comments along with your name.  And it seems like a fine way to thank your faithful commenters.

Unfortunately, Blogger doesn't have a "ready" widget to use to add recent comments to your layout.

So I went looking.

Blogger Buster "Customize Recent Comments Widget"

This was the first site/solution I located.

Blogger Buster is a fantastic resource for folks looking to understand and enhance their Blogger blogs.  Lots of templates, quite a few tools, and a notebook full of tips.  Great site to bookmark for all you Blogger/Blogspot fans out there.

On the site I found this post

  1. Just insert your widget title,
  2. Add in your blogger/blogspot address,
  3. Set the number of comments to display,
  4. Decide if you want to show comments and post title, and how many characters of the comment.
  5. Apply and add the Widget to your blog.
  6. Done.

I tried it and it almost worked great.

For some reason it wasn't formatting the Grand Stream Dreams comment feed correctly in the code.  Once I inspected the code and found the errors, I was able to fix them and it worked and looked very nice.

However there was one drawback.  It works off a .js (JavaScript) file located on the Blogger Buster servers.  That's not a problem in and of itself, but there are some web users (and site administrators) who don't like that for security reasons.  I'm not saying that there are any problems with this one, but if the remote server were compromised (or simply went off-line) and the code were altered, then that compromise would be spread across all the endpoint blogs loading it.

So while I can say the Blogger Buster widget works great, that might be a concern for some folks.

Download Squad actually picked up that post and featured it.  How to add recent comments to your Blogspot blog

What else could I find?

Tips for New Bloggers - Custom JavaScript Solution

I did like the JavaScript solution, but wanted a way I could maintain some control over it (not that I am a JavaScript coder or anything) to ensure I could always inspect it and was "hosting" it myself.

A bit more digging turned up the solution I am now using:

Another simply amazing website filled to the brim with tips, tricks, templates, widgets, javascript and all kinds of other goodies for Blogger users. bizwhiz's detail in going over code elements, how things work together, and why some solutions are better than others is simply invaluable for beginners and pros alike.  Highly recommended website.

Anyway, in this post, bizwhiz first illustrates how to turn on Comment feeds for your Blogger blog.

Next is a discussion on JavaScript and the fact that some folks don't like it due to security concerns.  I was impressed to see this discussion addressed.

Instead of giving you a pre-formatted .js file to link to in your widget, bizwhiz provides you the code directly.  You can inspect it, review it and decide what you think.

If you like it (which I do) using it is very, very simple.

  1. Log into your Blogger Dashboard and go to the Layout section.  Go into the "Page Elements" and select "Add a Page Element".
  2. In the list of items, find the "HTML/JavaScript" widget and add that.
  3. Copy the JavaScript code from the blog-post and paste it into the widget's text-box field.
  4. Adjust the comment.length and comment.substring values up or down from the default value of "100" if you wish. (Just make sure they match).  It's pretty clear in the post where these are located.
  5. If you want more than 5 comments to appear, adjust the variable that controls that in the top of the code.
  6. Finally, insert your blog's comment-feed URL where indicated in red.

Save the changes and refresh your blog homepage.
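To show what such a widget has to do with the feed, here is an added example in Python (not bizwhiz's JavaScript from the post, and not Blogger's own code) that performs the same steps on your own machine or server: take the newest N comments from the blog's comments feed, cut each body down to a maximum length, and emit an HTML list. The feed text is a constructed sample in Atom form (Blogger serves its comment feeds as Atom; the element names used are standard Atom ones), and the default limits of 5 comments and 100 characters mirror the values the post mentions. Because comment text is untrusted input written by strangers, every field is HTML-escaped and only http(s) links are passed through, which is the check to look for when you review any recent-comments script before pasting it into a widget.

```python
"""Render a "recent comments" list from a Blogger-style Atom comments feed.

Added example, written for this post; not the JavaScript widget it describes.
SAMPLE_FEED is a constructed two-entry feed so the script runs offline.
"""
import html
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"  # namespace of Atom feeds

# Constructed sample; not a real blog's feed.  The second entry carries
# markup in its body and a non-http link to exercise the safety checks.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Comments on Example Blog</title>
  <entry>
    <title>Great post</title>
    <content type="html">Thanks for the backup tip, it saved my bookmarks.</content>
    <link rel="alternate" href="http://example.blogspot.com/2008/02/post.html?showComment=1#c1"/>
    <author><name>Fird</name></author>
  </entry>
  <entry>
    <title>Careful</title>
    <content type="html">&lt;b&gt;not bold&lt;/b&gt; &amp; more</content>
    <link rel="alternate" href="javascript:void(0)"/>
    <author><name>Mallory &amp; Co</name></author>
  </entry>
</feed>
"""


def safe_href(url: str) -> str:
    """Pass through http(s) links only; anything else becomes a dead anchor."""
    return url if url.lower().startswith(("http://", "https://")) else "#"


def parse_comments(feed_xml: str) -> list:
    """Turn the feed into dicts with author, title, content and link, in feed order."""
    root = ET.fromstring(feed_xml)
    comments = []
    for entry in root.findall(ATOM + "entry"):
        link = "#"
        for lnk in entry.findall(ATOM + "link"):
            if lnk.get("rel", "alternate") == "alternate":
                link = lnk.get("href", "#")
                break
        comments.append({
            "author": entry.findtext(ATOM + "author/" + ATOM + "name", default="Anonymous"),
            "title": entry.findtext(ATOM + "title", default=""),
            "content": entry.findtext(ATOM + "content", default=""),
            "link": link,
        })
    return comments


def truncate(text: str, max_len: int = 100) -> str:
    """Collapse whitespace and cut the body to max_len characters plus an ellipsis."""
    text = " ".join(text.split())
    if len(text) <= max_len:
        return text
    return text[:max_len].rstrip() + "..."


def render_recent_comments(feed_xml: str, max_comments: int = 5, max_len: int = 100) -> str:
    """Build the HTML list.  Every field is escaped, so a comment body that
    contains tags is shown as text rather than interpreted as markup."""
    items = []
    for c in parse_comments(feed_xml)[:max_comments]:
        items.append(
            '<li><a href="{href}">{author}</a> on <i>{title}</i>: {body}</li>'.format(
                href=html.escape(safe_href(c["link"]), quote=True),
                author=html.escape(c["author"]),
                title=html.escape(c["title"]),
                body=html.escape(truncate(c["content"], max_len)),
            )
        )
    return '<ul class="recent-comments">\n' + "\n".join(items) + "\n</ul>"


if __name__ == "__main__":
    # For a live blog, fetch the comments feed over HTTP and pass its text in here.
    print(render_recent_comments(SAMPLE_FEED))
```

The script treats the comment body as plain text; a feed entry whose content is marked up will display its tags literally rather than as formatting, which is the conservative choice for text you did not write.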


Other Solutions

There are actually even easier solutions than these if you wish.

David over at eBlogTemplates illustrates a VERY easy solution.

How to Setup Your Recent Posts and Recent Comments Blogger Page Elements - eBlog Templates

  1. Add a Feed widget from within Blogger,
  2. Insert your feed URL  ( http://[yourblognamehere] )
  3. Give it a title: Recent Comments.
  4. Set the options for number of items, show dates (y/n), and show names (y/n).
  5. Save and done!

Whatever solution you go with, it is very easy to recognize the contributions of your blog's commenters.



Monday, February 11, 2008

Last Minute Linkfest: Utilities Rule, Microsoft bits


I'm exhausted.

I've been up since 7 AM.

I did all the dishes and cleaned the kitchen.

I cleaned the house clutter, well most of it.

I dropped a mega Wallpaper Extravaganza post.

I finished up over ten loads of laundry throughout the day.  AND it is all folded away in baskets and on hangers.

I completed the Grand Stream Dreams - Big Blog Update! both technically and in a post.

I got outside in the beautiful outdoors, pulled all the weeds in the backyard.  Then had the fortitude to go ahead and do the season's first grass-cutting.

I broke the lawn-mower by ripping the starter pull-cord completely out of the engine. (I didn't know my own strength!)  I couldn't stop for breaks because if I cut it off, I might not be able to get it repaired and get going again.

Then once the yard was mowed in a single effort, I fixed the lawnmower.  Handy guy that I am, better than before.

Then I re-cleaned the kitchen and vacuumed the house.

Then I hauled Alvis out of the house with me.  We went and picked up some Baskin Robbins ice-cream, and stopped by McD's to bring the family dinner home. I have been burning some major calories today and didn't feel guilty in the least.

Superman ain't got nothing on me!

Now I've got one last post to make, so hold on tight.  I'm tired and looking for bed!

Sysinternals Spectaculars

AutoRuns for Windows - (freeware) - Updated to v9.12.  Not sure what got fixed in this one.  No post update yet to explain the update.  Change notes for the very recent v9.10 and v9.11 indicate work done to add a command-line output to XML as well as the ability to display the MD5, SHA1, and SHA256 hashes of auto-start items to more precisely identify files, especially for forensics.
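The hashes Autoruns now displays earn their keep when you compare them across runs: a changed SHA-256 on an auto-start binary is a precise signal that the file was replaced. The following added example (not part of the post and not Sysinternals code) computes MD5, SHA-1 and SHA-256 for a set of files in a single read pass, builds a manifest, and diffs two manifests to report added, removed and changed entries. The files it hashes are constructed in a temporary directory so it runs anywhere; on a real machine you would feed it the image paths Autoruns lists.

```python
"""Hash files with MD5, SHA-1 and SHA-256 in one pass and diff two manifests.

Added example illustrating the forensic use of the hashes Autoruns shows;
it is not part of the blog post or of Autoruns itself.  demo() builds a
constructed scenario in a temporary directory.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large binaries are not loaded whole


def hash_file(path: str) -> dict:
    """Return {'md5': ..., 'sha1': ..., 'sha256': ...} for one file, reading it once."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def build_manifest(paths) -> dict:
    """Map each path to its hashes; a missing or unreadable file is recorded as None."""
    manifest = {}
    for p in paths:
        try:
            manifest[p] = hash_file(p)
        except OSError:
            manifest[p] = None
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed or changed (by SHA-256) between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        p for p in set(baseline) & set(current)
        if (baseline[p] or {}).get("sha256") != (current[p] or {}).get("sha256")
    )
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: one file stays the same, one is replaced, one appears."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("stable.bin", "drifting.bin", "newcomer.bin")}
        with open(paths["stable.bin"], "wb") as f:
            f.write(b"abc")  # "abc" is a standard hash test vector
        with open(paths["drifting.bin"], "wb") as f:
            f.write(b"version 1")
        baseline = build_manifest([paths["stable.bin"], paths["drifting.bin"]])
        with open(paths["drifting.bin"], "wb") as f:
            f.write(b"version 2")  # the binary was replaced between snapshots
        with open(paths["newcomer.bin"], "wb") as f:
            f.write(b"new")  # a new auto-start entry appeared
        current = build_manifest(list(paths.values()))
        diff = diff_manifests(baseline, current)
        return {
            "added": [os.path.basename(p) for p in diff["added"]],
            "removed": [os.path.basename(p) for p in diff["removed"]],
            "changed": [os.path.basename(p) for p in diff["changed"]],
            "stable_hashes": baseline[paths["stable.bin"]],
        }


if __name__ == "__main__":
    result = demo()
    print("changed:", result["changed"], "added:", result["added"], "removed:", result["removed"])
    print("SHA-256 of the unchanged file:", result["stable_hashes"]["sha256"])
```

Keeping the baseline manifest somewhere the machine under review cannot write to is what makes the comparison meaningful; a manifest stored beside the binaries it describes can be altered together with them.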

The Case of the Unexplained…Live! - (SilverLight Webcast) - Mark Russinovich does a presentation on how to use his Sysinternals tools and advanced techniques to troubleshoot Windows issues.

Mark's Blog : Inside Vista SP1 File Copy Improvements - (post) - Mark goes deep into the inner workings and functions of the Vista SP1 file-copy improvements.  Really awesome look at how file-copy works and how it was improved.  Very interesting blog-post. Highly technical but very good.

The Future of Microsoft Backwards Compatibility?

Peek into the future of legacy compatibility in Windows - (post) - Long Zheng provides a very interesting look at how Microsoft might address legacy Windows operating system compatibility as it moves to its next OS release.  This is one of the reasons Microsoft's OSes are so large and bloated: legacy support.  Microsoft fans expect to be able to run older applications on newer OSes.

The solution? At least according to Long's post, loading older OS binaries in a virtualized environment. 

Need to run an XP application on Windows 9? It would detect the application's level, load the binaries needed and an XP>Win9 compatibility module.

Very interesting take.

NirSoft's Utility Watch

Nir Sofer has been hard at work updating old utilities and releasing new ones!

USBDeview - (freeware) - View all USB devices currently connected to your system as well as those that have been connected to it previously.  Also uninstall USB devices no longer used and disconnect ones that are still connected.  Version 1.15 released this past week allows the option to disable/enable selected USB devices, as well as to start this application in a "hidden" mode.

FileTypesMan - (freeware) - Alternative to "File Types" tab in the Folder Options window of Windows. "It displays the list of all file extensions and types registered on your computer. For each file type, the following information is displayed: Type Name, Description, MIME Type, Perceived Type, Flags, Browser Flags, and more. FileTypesMan also allows you to easily edit the properties and flags of each file type, as well as it allows you to add, edit, and remove actions in a file type."  Runs on Win98 - Vista. Handy little app when working with file association problems or customizations.

ProduKey - (freeware) - My favorite keyfinding application for Windows. And one I can't use at work as Symantec keeps alerting on it as a "potentially unwanted application (PUA)".  Grrrr.  The network analysts don't even bother to tease me about it anymore when my laptop at work shows up on the weekly virus reports.  Recover lost product key (CD-Key) of Windows/MS-Office/SQL Server installed on your computer.  Version 1.20 now allows you to load the product keys from a remote computer or from an external (or target) drive.  Really handy!

TrueCrypt: Now supporting Entire Drive Encryption!

When I saw this on the SANS-ISC Handler's Diary page I was stunned.

This free open source hard-drive encryption software now supports encryption of the entire disk with pre-boot authentication.


Yep. From the TrueCrypt news release:


TrueCrypt 5.0 has been released. Among the new features are the ability to encrypt a system partition or entire system drive (i.e. a drive where Windows is installed) with pre-boot authentication, pipelined operations increasing read/write speed by up to 100%, Mac OS X version, graphical interface for the Linux version, XTS mode, SHA-512, and more.

After four years of development, during which millions of people downloaded a copy of TrueCrypt, it is the only open-source disk encryption software that runs on Windows, Mac OS X, and Linux. The newly implemented ability to encrypt system partitions and system drives provides the highest level of security and privacy, as all files, including any temporary files that Windows and applications create on system drives (typically, without the user's knowledge or consent), swap files, etc., are permanently encrypted. Large amounts of potentially sensitive data that Windows records, such as the names and locations of files opened by the user, applications that the user runs, etc., are always permanently encrypted as well.

Let me just let TrueCrypt's team keep explaining this marvelous release update.

System Encryption

TrueCrypt can on-the-fly encrypt a system partition or entire system drive, i.e. a partition or drive where Windows is installed and from which it boots.

System encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition (typically, without your knowledge or consent), swap files, etc., are permanently encrypted. Windows also records large amounts of potentially sensitive data, such as the names and locations of files you open, applications you run, etc. All such log files and registry entries are always permanently encrypted as well.

System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first cylinder of the boot drive.

Note that TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual without any restrictions). Likewise, a TrueCrypt-encrypted system partition/drive can be decrypted in-place while the operating system is running. You can interrupt the process of encryption or decryption anytime, leave the partition/drive partially unencrypted, restart or shut down the computer, and then resume the process, which will continue from the point it was stopped.

To encrypt a system partition or entire system drive, select System > Encrypt System Partition/Drive and then follow the instructions of the wizard. To decrypt a system partition/drive, select System > Permanently Decrypt System Partition/Drive.

The mode of operation used for system encryption is XTS (see the section Modes of Operation). For further technical details of system encryption, see the section Encryption Scheme in the chapter Technical Details.

Did  you get all that?

If you use TrueCrypt on your system (notebooks, desktops, portable drives) you can select the option to encrypt a partition or the entire drive.  Additionally, the encryption authentication occurs pre-boot.  So if you lose your laptop, but it was shut down, NOBODY can access the data on the drive, even if they remove the drive and place it as a slave on another system, or use a "Live" boot-cd.  On top of this, it is able to encrypt/decrypt in place while the system is running, restarted, or shutting down.  It will pick up where it left off when the system is restarted until the drive/partition encryption is completed.  Wow.

While there are a number of very good commercial products on the market, that support file and disk encryption security, TrueCrypt has one extra amazing thing.

It's Open-Source and free!

If you have a laptop and keep any amount of critical and sensitive data on it, not just yours but say, that of your employees, then you need to keep it encrypted. Be it the files, a secure encrypted "virtual folder" that TrueCrypt can handle, or the entire drive.  You simply must.  People are counting on you to keep their information safe.  It just takes a moment to lose your data to someone else, and possibly a lifetime to restore a stolen identity.

TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows Vista/XP, Mac OS X and Linux

Enough said.

More Comodo Firewall v3.0 Updates

Comodo Firewall Pro - (freeware) - Comodo continues to work hard to fix issues with its latest firewall version.  Prior problems included tanking some Vista updates.

I really liked Comodo's v3.0 firewall. Free Vista Firewalls: And then there were five.  However, the issues with preventing Vista updates caused me to return to the built-in Microsoft Firewall for Vista for now.  However, I think I am going to give Comodo one last chance.

Version released this week makes some major changes on top of the fixes in version which resolved the Vista updates bug.

  • NEW! Anti-Leak Configuration:
    - A new default configuration is introduced to make D+ show fewer number of popup alerts while still remaining leak proof.
  • NEW! On-Demand Virus Scanning:
    - CFP now provides an option to scan for viruses during the installation and from its graphical user interface
  • NEW! A-VSMART Warranty Program:
    - CFP now provides the users an option to enroll one of the available A-VSMART Warranty programs
  • IMPROVED! Self-Defense:
    - There have been various reports that CFP 3.0 is attacked by some malware to disable its protection.
    The self defense has been modified such that an ungraceful termination of CFP will block every unknown action (i.e. it will function as if "Block all unknown actions if the application is closed" option is selected. This option was not enabled by default).
  • IMPROVED! Default Configuration:
    - Default configuration now protects more registry keys and more COM interfaces.
    - Default Web Browser and FTP Client policies are modified to support passive FTP requests
  • IMPROVED! Handling of known code executing applications:
    - Defense+ has been modified such that some known code executing programs such as rundll32.exe or windows scripting host are not automatically trusted anymore.
  • IMPROVED! Pending Files:
    - Defense+ has been modified such that it is not going to report any pending files if it is not in clean PC mode.
  • FIXED! Bugs in Defense+ Engine:
    - Fixed numerous bugs that could stop Defense+ to properly handle the suspicious actions(e.g.bugs in registry and file protection, key logging etc).
    - Fixed the bug that could prevent CFP from functioning properly in certain types of hardware configurations(e.g. when a USB harddisk is present etc.).
  • FIXED! Minor Bugs in the Graphical User Interface

[IN]SECURE Magazine - February 2008

Issue 15 - (free download) is now out on the Webstands.

Topics include:

  • Proactive analysis of malware genes holds the key to network security
  • Advanced social engineering and human exploitation
  • Free visualization tools for security analysis and network monitoring
  • Internet terrorist: does such a thing really exist?
  • Weaknesses and protection of your wireless network
  • Fraud mitigation and biometrics following Sarbanes-Oxley
  • Application security matters: deploying enterprise software securely
  • The insider threat: hype vs. reality
  • How B2B gateways affect corporate information security
  • Reputation attacks, a little known Internet threat
  • Data protection and identity management
  • The good, the bad and the ugly of protecting data in a retail environment
  • Malware experts speak: F-Secure, Sophos, Trend Micro

I always enjoy reading this security webzine.  The articles are fresh and insightful and cover a wide range of computer security related issues.

Security guru Didier Stevens has contributed an article in this issue showing how rainbow tables may be used to steganographically hide larger volumes of data more effectively than image files allow.  Really fascinating stuff!

Rogue Anti-Malware Products Run Rampant!

Be very, very careful on the choices you make downloading anti-malware products.  It seems like every day a new "rogue" product hits the webs.  Do your research carefully before going with a new product.

Looks can be deceiving.  Many look very polished and professional, yet provide only false-positives and heartbreak as they demand $ to register the program to remove the (false) threats, or even worse, actually infect your system worse than before!

For a sample of recent rogues caught:

Two New Rogues: Immunizr, WinSpyKiller - Malwarebytes Blog

Two New Rogues: AntiSpyKit, MalwareCore - Malwarebytes Blog

New Rogue: VirusHeat - Malwarebytes Blog

And if that wasn't shameful enough, how about this? Legit security software vendors getting product placement through malware!

Sunbelt Blog: Legitimate security companies advertised through malware

I list quite a few effective and trusted tools in my Anti-Malware Tool Roundup - #3 post.  See also these other posts: Anti-Rootkit Tools, Online Scan Tools, and Anti-Virus Tools to get started looking for free and dependable solutions.

ReadyBoost for XP Systems?

ReadyBoost is a solution in Vista that allows for certain cached items to be placed on a USB stick rather than on the hard-disk.  This (theoretically) offers faster system performance.

I've found that more system RAM works even better.  Since upgrading my Vista laptop from 1GB of system RAM to the 2GB max it can handle, it's like I have a whole new machine. Vista flies!  We ordered up Dad's new Vista machine with 4GB RAM and it simply rocks the casbah!

However, some XP users feel forgotten and since Microsoft doesn't offer a ReadyBoost solution, leave it to third-party software vendors to come to the rescue.

eBoostr - (free/$) - Note, the free version only works for four-hours after each system reboot. So unless you are willing to reboot periodically, you will have to pony up some cash to speed up your cache!

Supports Windows XP (32/64 bits), Windows 2000, and Windows 2003.  Requires a USB 2.0 port and USB stick.  Curiously, Vista is "not yet supported."

Readyboost technology for Windows XP - Download Squad

Featured Windows Download: Get ReadyBoost Speed on XP with eBoostr - LifeHacker blog.

miniMIZE - Cool Desktop Utility of the Week

Just found this little gem the other day.

miniMIZE - (freeware) - This is a tiny utility that triggers when you minimize an application window.  Instead of just removing it from your desktop and sending it to the Task Bar, it actually places a thumbnail image on your desktop.  Clever!

Screenshot - note that the windows are very small and for reference see the system tray icons in the bottom corner.

Still in beta, and may have some bugs, especially in hotkey handling.  Use with a bit of caution.

However it could be quite handy, especially in a multi-monitor environment.

More Microsoft Mischief

By now you probably know that although Vista SP1 has been released to system manufacturers, (the big ones, not Uncle Earl), you won't be able to get it for your system until March.


However, it seems that this release is the same version that came out under Vista SP1 RC Refresh 2.

There are lots of ways to get it if you dare (I don't, I'll be patient and wait for the "official" release), including torrents or registry hacks which get it flowing directly from Microsoft. I'm not going to post links to these, but you should be able to search them up quickly if you really want it that badly.

Vista SP1 Download Leaked for Weeks - CyberNet News

Windows Vista SP1 RC Refresh 2 = The RTM build -

Windows AIK now Serving Vista SP1

The Windows AIK (Automated Installation Kit) is the standard tool for building WinPE 2.0 boot CDs when you don't have access to a Vista setup DVD.

Previously, only the version built for Vista RTM was available.

Now, although most folks cannot get Vista SP1 yet, you can download the new Windows AIK that has Vista SP1 rolled up nicely in it!

Automated Installation Kit (AIK) for Windows Vista SP1 and Windows Server 2008 - Microsoft Download Center

Super Duper!

You will have to uninstall your previous WAIK installation first and reboot before installing the new one.

Curiously, the older version (non SP1 for Vista) is still available for download from Microsoft.

Windows Automated Installation Kit (AIK) - Microsoft Download Center

Also, to all those VistaPE WinBuilder fans out there, no you cannot use this new WAIK version to build your own VistaPE SP1 boot CD.  Not yet at least.

I tried and got a marvelous BSOD at Vista boot when using VistaPE builder v011, although GRUB4DOS worked flawlessly.

I contacted NightMan who verified WAIK Vista SP1 version is not supported, yet.

It will be in VistaPE builder v012.

So unless you are building bare WinPE 2.0 disks, or have the need for this in your enterprise environment, stay away for now.  Otherwise, you VistaPE builders out there, wait a bit longer for the v012 release then jump over and you'll have VistaPE SP1 running beautifully!

ImagexGUI Updated

If you know what ImageX is, then you might be interested to know there is a new release of ImageX GUI.

If you don't know what I am talking about then read this post first or move on: ImageX - Welcome to the Imaging X-Zone.

Still with me?

ImageX GUI (GImageX) - (freeware) - Version 2.0.11. This GUI wrapper (not supported by Microsoft) for Microsoft's supported ImageX command-line imaging tool is getting slicker with every update.  Lots of screenshots on that page.

I still prefer the command-line usage for ImageX myself, but this is getting harder and harder to avoid using.  I always place it on my WinPE 2.0 imaging disk, just for my other techies to use.

Windows Migration Assistant GUI - Almost Here

Dan Cunningham has been hard at work on a GUI wrapper for Microsoft's User State Migration Tool (USMT), which is a command-line utility.  Dan calls his work the Windows Migration Assistant (GUI).

This tool can be used to migrate Windows user profiles from Windows 2000 to XP or XP to Vista.

He is now looking for beta-testers.

Features will include

  • Migrate via a pre-defined network storage location, external USB drive, or user-specified location. USB drive detection is automatic, and you can decide whether drives below a certain size are ignored (ie, memory sticks).
  • Optional Hard Disk Health Check will run a CHKDSK prior to capture and fix errors if any are found
  • Optional Encryption using a pre-defined company encryption key, or per-user customised encryption (for highly sensitive data that can’t be stored on a server without being encrypted)
  • Use different configurations for a multi-OS, XP > XP and Vista > Vista migrations (useful when on XP to force the /TargetXP switch, and if your Vista migration can exclude XP-only obsoleted files)
  • Automatically run pre and post capture/restore scripts (very useful to further configure machine settings)
  • Migrate domain only accounts, or domain and local
  • Automatically exclude certain domain or local accounts from the migration
  • Automatically send log files to an e-mail address via SMTP after the migration
  • On-screen status during every stage of the migration, including ETA
  • Option to limit migrations to a certain size, i.e. if over 20GB of data to backup, then fail and inform user. This is also overridable
  • Very configurable through configuration file
  • Command-line automation
  • Super-pretty UI
  • Screenshots links of an early beta release are at the bottom of this post.

    Dan has received permission from his employer to publicly release it when it is ready. Good news for all!

    More information here:

    User State Migration in Windows XP - Microsoft TechNet

    Windows User State Migration Tool (USMT) Version 3.0.1 - Microsoft Download Center

    Migrating to Vista using User State Migration Tool 3.0 - Windows Networking
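    To make the feature list above concrete, here is an added illustration (my own, not Dan's tool and not Microsoft's code) of the USMT 3.0 scanstate/loadstate command lines a migration GUI ends up wrapping, driven from PowerShell. It assumes USMT 3.0.1 in its default folder, a per-site key file already placed on the machine, and a hypothetical UNC store path; the size limit, encryption, domain-only and /TargetXP features from the list map directly onto switches.

```powershell
# Added illustration, not Dan Cunningham's tool and not Microsoft's code: the
# USMT 3.0 scanstate/loadstate command lines a migration GUI ends up wrapping.
# Assumptions: USMT 3.0.1 in its default folder, a per-site key file already
# on the box, and a hypothetical UNC store path. Run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)][ValidateSet('capture', 'restore')][string]$Mode,
    [string]$Store   = '\\fileserver\migrations\' + $env:COMPUTERNAME,  # hypothetical share
    [string]$Usmt    = "$env:ProgramFiles\USMT301",                      # assumed install dir
    [string]$KeyFile = "$env:ProgramFiles\USMT301\site.key",             # assumed key file
    [int]   $MaxGB   = 20,
    [switch]$TargetXP
)

function Get-ProfileSizeGB {
    # Rough pre-flight estimate: everything under the profiles root on the system drive.
    $root = Join-Path $env:SystemDrive 'Users'
    if (-not (Test-Path $root)) { $root = Join-Path $env:SystemDrive 'Documents and Settings' }
    $sum = (Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } | Measure-Object Length -Sum).Sum
    return [Math]::Round($sum / 1GB, 2)
}

function Test-KeyFileAcl([string]$Path) {
    # /encrypt only helps if ordinary users cannot read the key. Passing the key
    # on the command line (/key:"...") is worse still: process listings and logs show it.
    $allowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    $other = (Get-Acl -LiteralPath $Path).Access |
             Where-Object { $allowed -notcontains $_.IdentityReference.Value }
    return (-not $other)
}

if (-not (Test-Path -LiteralPath $KeyFile)) { throw "key file not found: $KeyFile" }
if (-not (Test-KeyFileAcl $KeyFile)) {
    Write-Warning "$KeyFile is readable by accounts other than SYSTEM and Administrators"
}

$xml = @("/i:$Usmt\migapp.xml", "/i:$Usmt\miguser.xml")   # the stock USMT 3.0 rule files
switch ($Mode) {
    'capture' {
        $size = Get-ProfileSizeGB
        if ($size -gt $MaxGB) {
            throw "profiles total $size GB, over the $MaxGB GB limit; re-run with -MaxGB to override"
        }
        $usmtArgs = @($Store) + $xml + @('/o', '/c', '/v:5', "/l:$Store\scanstate.log",
                     '/encrypt', "/keyfile:$KeyFile",
                     "/ue:$env:COMPUTERNAME\*")          # domain accounts only: skip local ones
        if ($TargetXP) { $usmtArgs += '/targetxp' }
        & (Join-Path $Usmt 'scanstate.exe') @usmtArgs
    }
    'restore' {
        $usmtArgs = @($Store) + $xml + @('/c', '/v:5', "/l:$Store\loadstate.log",
                     '/decrypt', "/keyfile:$KeyFile")
        & (Join-Path $Usmt 'loadstate.exe') @usmtArgs
    }
}
if ($LASTEXITCODE -ne 0) { throw "$Mode failed with USMT exit code $LASTEXITCODE; check the log in $Store" }
"$Mode finished; log in $Store"
```

    Usage is `.\migrate.ps1 -Mode capture -TargetXP` on the old box and `.\migrate.ps1 -Mode restore` on the new one. The ACL check on the key file is the part worth keeping even if you never script the rest: a "pre-defined company encryption key" that every user can read, or that appears in the command line, gives you an encrypted store that anyone on the machine can decrypt.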

    Firefox Encryption Toy

    FireEncrypter - (Mozilla Add-on) - Fresh from my mad foray into the world of ROT13 and RC4 wackiness, I found this nice little extension that lets you quickly and easily run a string through many common hash functions, encodings and simple ciphers.

    Not an everyday tool, but a nice friendly introduction to the world of encryption and decryption.  Just keep in mind that a hash is one-way (there is nothing to decrypt) and ROT13 is an encoding rather than encryption, so none of this is for protecting real data.

    Time to sneak into bed.

    Morning comes quickly in the Valca home!

    Good Night!


    Sunday, February 10, 2008

    SysInspector: New System Utility from ESET

    Alex Eckelberry over at Sunbelt Software had a blogpost that brought a new (beta) system inspector utility to my attention: SysInspector

    ESET is a Slovakian computer security company with a global customer base. Its best-known mainstream product is the NOD32 anti-virus; it also provides firewall, antispyware and anti-spam solutions, as well as a free online scanning service: ESET Online Scanner.

    So being familiar with their security-minded model, I was intrigued what this new product could bring to the table.

    SysInspector - Not What you Think

    SysInspector - (beta - freeware) - is a single-file executable download. The 32-bit version supports Microsoft Vista/XP/2003/2000; a 64-bit version is also available for all of these except 2000.

    Having the program contained in a single executable is a nice feature. This means it should be easily portable on USB drives, and might (yet untested) even work off a CD/DVD-ROM disk. This should make the utility handy when sysadmins and desktop responders need to assess a running system and don't want to download the tool from the Net.

    Once launched, the program begins an immediate scan of the system it is running on. Depending on the hardware and software of the system, time-to-application window display may take anywhere from under a minute to several minutes.

    Once the scan is complete the main interface window appears.

    I was expecting the tool to be similar to SIW (System Information for Windows) or maybe another Process Explorer like utility.

    I was pleasantly surprised to find it is like both, but neither!

    The Menu Bar

    At the top-right is a menu-bar. Here you can select "File", "Tree", "List", or "Help" options.

    The File menu lets you open or save logs from your scans, generate reports formatted for sending by email or for personal (local) review, filter results by risk level, change the report detail level from Full to Basic, and exit the program.

    The Tree list simply allows you to quickly expand or collapse the item tree view on the left-hand side of the main window. There is lots of data here so generally I find it helpful to leave it compressed and manually expand the element items as I examine them. Otherwise it is information overload!

    The List options provide navigational aids, history, show parents and nodes of tree items, copy items to clipboard, perform an online search, jump to the item location (file), and jump to the item location (registry).

    The Help menu offers a well-filled (for a beta product) help guide to the product. It also links to ESET's online scanner, and holds the "About" details for the program.

    The Tool Bar

    I'm calling the second line down a "tool bar" but there aren't tools or icons in it in the normal sense.

    You can select the detail level again here (Full, Medium, Basic), and set the item threat-filtering level using a color-coded slider from Fine (green: all items are displayed) to Risky (only high-risk items are displayed). Lastly, there is a search box for searching the scan results for particular items.

    The Left Tree Window

    On the left hand side is a window that displays the following scanned areas:

    • Running Processes - information about applications and processes running at scan time.
    • Network Connections - processes and applications communicating on the network
    • Important Registry Entries - areas of the registry that ESET feels are worthy of watching
    • Services - list of files registered as Windows Services
    • Drivers - list of installed drivers on the system
    • Critical Files - list of critical Microsoft operating system files
    • System Information - detailed information on the system's hardware, software and environmental variables and user rights.
    • File Details - specific files located in the Program Files folder as well as system files.
    • About - information about the ESET SysInspector application itself.

    Expanding any of these "nodes" shows details of the items listed.

    Each item is color-coded with a corresponding "risk-level" scale. Green = safe, red = check it out.

    Once a node is expanded, the items show up in the top-right window pane. Here you can examine each item in more detail. Right-clicking an item provides the navigation items or web-search options.

    Clicking an item in that pane provides a highly detailed breakdown of the item in the bottom-right pane. You may scroll this section and, if you need to, right-click to copy the information to the clipboard.

    Different nodes provide different information. For the most part, the column headings are the same.

    All items have a "risk-status" rating, as previously mentioned.


    The program runs very quickly and provides an expansive overview of a system. ESET has done well to focus on the major problem points a system might have, and the tool should see plenty of use from desktop support staff.

    While I am not sure what internal methodology ESET has programmed their application to use, it allows a system responder to quickly sort through lots of information and focus on the "high-risk" hits that were found during the scan.

    It does not remove malware. It does not flag viruses or malware. I didn't find that the application can even kill or terminate processes, or change registry values. That isn't the type of tool it is.

    Rather, SysInspector is a first-response assessment tool, used to help skilled support staff quickly identify points of interest on a system. Using this information, the responder may be able to plan a more targeted approach to dealing with the results. This isn't a tool for the casual or home-user attempting to fight malware.

    ESET's own description puts it this way: ESET SysInspector is an application that thoroughly inspects your computer and displays gathered data in a comprehensive way. Information like installed drivers and applications, network connections or important registry entries can help you to investigate suspicious system behavior, be it due to software or hardware incompatibility or malware infection.

    There also doesn't currently appear to be any documentation on how ESET calculates the various threat-level ratings it gives. I suspect some kind of file entropy calculation is involved, but I can't be sure.

    ESET's report building and clipboard capture support are great. Being able to export information for later review, off-system, is a valuable feature.

    What it does remind me of is the excellent MANDIANT's Red Curtain threat assessment system scanner. For more about Red Curtain, see this review I did: Mandiant Red Curtain - Incident Review Software.

    SysInspector is a tool to quickly scan and assess very complex operating systems and the processes and files they contain. From there, response is left up to the skills and training of the responder.
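    To show what a first-response snapshot of this kind boils down to, here is an added illustration (my own PowerShell, not ESET's code and not how SysInspector works internally) that collects the same areas SysInspector's left-hand tree lists (processes, network connections, services, drivers, Run-key autoruns) and attaches a crude, hypothetical risk score to every binary referenced: unsigned or invalid Authenticode signature, high file entropy of the sort I speculated about above, and an image living in a user-writable location. The scoring thresholds and path patterns are my own assumptions, chosen for illustration.

```powershell
# Added illustration, not ESET's code: a first-response snapshot in PowerShell
# (2.0-era cmdlets, run from an elevated prompt). It gathers the same categories
# SysInspector lists and attaches a crude, hypothetical risk score per binary.
param([string]$OutDir = (Join-Path $env:TEMP ('snapshot-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))))
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-FileEntropy([string]$Path) {
    # Shannon entropy in bits per byte (0..8). Packed or encrypted payloads sit
    # near 8; ordinary PE code usually lands somewhere around 5 to 6.5.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return [Math]::Round($h, 3)
}

function Resolve-ImagePath([string]$CommandLine) {
    # Pull the executable out of a service, driver or Run-key command line.
    if (-not $CommandLine) { return $null }
    $c = $CommandLine.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { $c = $c.Substring(1, $end - 1) }
    } else {
        $m = [regex]::Match($c, '^(.*?\.(exe|sys|dll|scr))', 'IgnoreCase')
        if ($m.Success) { $c = $m.Groups[1].Value }
    }
    $c = [Environment]::ExpandEnvironmentVariables($c)
    # Driver paths are often stored kernel-style or relative to the Windows dir
    if ($c -match '^\\SystemRoot\\(.*)')  { $c = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($c -match '^\\\?\?\\(.*)')    { $c = $Matches[1] }
    elseif ($c -match '^System32\\')      { $c = Join-Path $env:SystemRoot $c }
    return $c
}

function Get-BinaryRisk([string]$Path) {
    # Hypothetical scoring, one point per indicator. It illustrates the kind of
    # heuristic a triage tool might apply; it is not how ESET rates items.
    $reasons = @()
    if (-not ($Path -and (Test-Path -LiteralPath $Path))) {
        return New-Object PSObject -Property @{ Path = $Path; Score = 9; Reasons = 'image not found on disk' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    if ((Get-Item -LiteralPath $Path).Length -lt 50MB) {       # the byte loop is slow on huge files
        $e = Get-FileEntropy $Path
        if ($e -gt 7.2) { $reasons += "entropy $e" }
    }
    if ($Path -match '\\(Temp|Downloads|AppData|ProgramData|Users\\Public)\\') { $reasons += 'user-writable location' }
    return New-Object PSObject -Property @{ Path = $Path; Score = $reasons.Count; Reasons = ($reasons -join '; ') }
}

# --- collection: the same areas SysInspector's left-hand tree shows ---
$procs    = Get-WmiObject Win32_Process      | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
$services = Get-WmiObject Win32_Service      | Select-Object Name, State, StartMode, PathName
$drivers  = Get-WmiObject Win32_SystemDriver | Select-Object Name, State, StartMode, PathName
$runKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$autoruns = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        foreach ($v in ((Get-ItemProperty $k).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            New-Object PSObject -Property @{ Key = $k; Name = $v.Name; Command = $v.Value }
        }
    }
}
$procs    | Export-Csv (Join-Path $OutDir 'processes.csv') -NoTypeInformation
$services | Export-Csv (Join-Path $OutDir 'services.csv')  -NoTypeInformation
$drivers  | Export-Csv (Join-Path $OutDir 'drivers.csv')   -NoTypeInformation
$autoruns | Export-Csv (Join-Path $OutDir 'autoruns.csv')  -NoTypeInformation
netstat -ano | Out-File (Join-Path $OutDir 'netstat.txt')   # network connections with owning PIDs

# --- rating: every distinct image referenced above gets a score ---
$images = @($procs | ForEach-Object { $_.ExecutablePath }) +
          @(@($services) + @($drivers) | ForEach-Object { Resolve-ImagePath $_.PathName }) +
          @($autoruns | ForEach-Object { Resolve-ImagePath $_.Command })
$risk = $images | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object { Get-BinaryRisk $_ }
$risk | Sort-Object Score -Descending | Export-Csv (Join-Path $OutDir 'risk.csv') -NoTypeInformation
$risk | Where-Object { $_.Score -gt 0 } | Sort-Object Score -Descending | Format-Table Score, Path, Reasons -AutoSize
"Snapshot written to $OutDir"
```

    Like SysInspector, this changes nothing on the box: it only reads and writes a report you can carry off-system. The score is deliberately dumb (a legitimately packed installer scores on entropy, an unsigned in-house tool scores on signature), which is the point: a rating like this tells the responder where to look first, not what to kill.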

    This product is currently in "beta" status. No word on whether this version has a time-bomb. Nor is it clear whether this will be a free security product ESET offers to the security and sysadmin community or whether it will later require $ to use.

    Either way, having a fast, small, and single executable system assessment utility is a good thing. ESET has done their homework and I can only expect good things and improvements as this tool makes its way out of the beta process.

    Valca Recommended (and added to my Sysadmin USB stick)!