Sunday, February 22, 2009

Oscar watch Linkpost

Alvis and Lavie are watching the Oscars tonight and I’m along for the ride.

I wasn’t able to come even close to getting out some of the posting I wanted.  Nothing like a short weekend, a bit of weed-pulling in the yard, and the regular mix of loving on the girls to wear a weekend out.

Couple that with my curiosity and dogged determination to note a few problems for research, then spend a few more hours or two researching those things.  Next thing I know I’ve quadrupled the number of links…and post topics....I was planning to work on.

Here are some miscellaneous links I’ve collected this past week.

The nominees this week are…

U3 Removal Tool – The link to remove this enhanced feature from some USB drives has been changed.  This is the new one.  I always keep this handy and remove U3 from our family USB drives if purchased so equipped.

<--InGuardians --> Defensive Intelligence – Great collection of some good cheat-sheets on Windows Command Line Tools, Super Netcat Cheat Sheet , and Useful Attack Tools.  While you are there picking up those PDF’s, take a look around and consider some other pen-testing papers while you are at it.

The Deployment Guys : Working with Crashdumps - Debugger 101 – Really good and approachable post on some basic Windows crashdump information and handling.  Good stuff for sysadmins.

Engineering Windows 7 : Engineering the Windows 7 Boot Animation – Who knew that so much went into the design and engineering of the Windows boot sequences.  There is a lot going on in the process as well as how it has been enhanced and optimized for Windows 7.  Read it and appreciate it.  Then move on.

Sunbelt Blog: New Sunbelt research site – Alex Eckelberry and his team have been hard at work developing a useful portal for researchers of virus/malware related items over at (beta page link)  Research information on current threats, submit a wild threat, submit a false-positive report (for Sunbelt products), upload a suspicious file to their automated sandbox server to see what the system might do on a live system, and much more.  Certainly a site worth bookmarking.

Highlighter v1.0.1 Released – Mandiant M-unition Blog – Miscellaneous fixes and performance gain for Highlighter, a great and cool-featured log-file parser and text file viewer.  They also gave notice they are working towards large file (1GB+) log-file support.  Neat.

MindSniffer, Updated Audit Viewer released – Mandiant M-unition Blog – MindSniffer is “…a tool that will allow the user to translate snort signatures to either XML jobs or python plugins that can be used to identify processes containing strings that match snort signatures.” While Audit Viewer got a large number of strong modifications and feature enhancements including the ability to launch Memorize another free and useful memory image capture tool for system investigators. “Audit Viewer is an open source tool that allows users to examine the results of Memoryze’s analysis. Audit Viewer allows the incident responder or forensic analyst to quickly view complex XML output in an easily readable format.”

And the award for the most cool tools in single post this week goes to….

Harlan Carvey at the Windows Incident Response blog for his post

Looking for "Bad Stuff", part I – Last but not least, Windows forensic expert Harlan Carvey has a great post full of all kinds of awesome links (including a GSD post) for getting starting on looking for baddies on a captured system.  I’ve been heavy on imaging these past weeks so this particular section was very interesting reading!

Mounting The Image
One of the first things we can do to make our analysis somewhat more efficient is to gather some tools. As such, we'd like to mount our image as a read-only file do so, we can look to commercial apps such as ASRData's SmartMount, or you can use freeware tools such as ImDisk or VDKWin. The VDK executable will let you get the partition table information from within the acquired image, as will the GUI-based Partition Find and Mount (discussed at the SANS Forensic Blog)...however, Partition Find and Mount does not appear to have the ability to mount a partition read-only; it will reportedly allow you to mount a potentially corrupted partition, so this may be an order to recover data for analysis, mount the partition, and then acquire an image of it.

Harlan then goes on to targeting the value of Log files, Event logs, Registry analysis, and some very specialized malware hunting and busting tools well worth remembering and becoming familiar with such as missidentify, sigcheck, LADS (see also Nir Sofer’s tool   ), and YARA and Scout Sniper.

Awesome contributions in all fields!

--Claus V.

No comments: