Saturday, July 18, 2009

Rainy-Day Linkfest

I can’t believe it but it is raining!

Good hard rain and thunderstorms.

Haven’t seen measurable rain in almost a month (or so it feels).

Here are some links that caught my eye this past month.

  • Mark’s Blog : Pushing the Limits of Windows: Process and Threads – In-depth look at how processes and threads operate and the factors that limit them.

  • Microsoft® Tech·Ed Online – Case of the Unexplained 3. Video presentation by Mark Russinovich on Windows issues tracked down and solved using Windows Sysinternals tools and an understanding of focused troubleshooting techniques.

  • Sysinternals Site Discussion : New Tools: ProcDump v1.0 | Updates: Autoruns v9.51, VMMap v2.1, PsExec v1.96 – new and updated tools to help manage and troubleshoot Windows systems.

  • ProcDump – freeware – New command line tool from Sysinternals “…whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use) and unhandled exception monitoring. It also can serve as a general process dump utility that you can embed in other scripts.”

  • How to bypass the web page to save Internet Explorer 7 settings. – Ask the IE Team support blog.   This is a great fix for a “nuisance” issue I deal with in making Windows system images.  When the image is deployed, our techs have to re-do the IE 7 setup for each new user.  This technique prevents the new settings page from launching.  Not sure if it works for IE8 or not, though I don’t see why not at this point.  We are just now deploying IE 7 across our systems but IE 8 will be a while making it to desktops so it really isn’t a big concern yet.

  • Creating Virtual Hard Disks with Windows Virtual PC. – Virtual PC Guy’s WebLog.  Now you know.

  • Vista x86 patch to address 4GB+ of RAM – The Back Room Tech blog.  Julie points us to a technique worked out by Remko Weijnen: a kernel patch to get x86 versions of Windows Vista to address 4GB+ of system RAM, something not supported by Microsoft.  I don’t have any systems with main-boards capable of handling more than 2 GB RAM so I don’t get a chance to try it out.  However, if you are curious, Julie kindly provides a link to Remko explaining how his patch works.

  • Upgrading my Lenovo W500 to an OCZ Vertex 250GB SATA II Solid State Disk (SSD). – Scott Hanselman’s Computer Zen brags and rubs hard-disk performance in our faces with his new SSD drive.  Cold boot to desktop in under 20 seconds.  That’s insane!  More on his new laptop rig in this Lenovo W500 post.  I am so jealous.  It’s the human condition to be envious I suppose.

  • Java Portable 6 Update 14 Released – PortableApps.com – Finally, a version of Java that you can keep on your USB stick for running Java apps on a system where Java is not, or cannot be, installed.  I’m thinking it would be useful on a Win PE 3.0 USB-booted system for apps that use/depend on Java.

  • LiberKey – freeware – Over 200 applications in a single package to drop on your USB stick (or system) that don’t need “installation”.  It’s one of the most well-rounded “portable-app” packages I’ve yet come across.  Available in “Basic”, “Standard” or “Ultimate” packages depending on the type and number of applications you need.  The only concern I see (and it is a typical one with these packages) is if it satisfies the individual software developer’s rules about redistribution of their applications.  That major issue aside, it is a great option for technicians and troubleshooters to seed their collection of tools and utilities.

  • Malzilla: Exploring scareware and drive-by malware. – HolisticInfoSec.org. – Announcement of a new tool that will help analyze and dissect potential malware.  From the post: “Malzilla is best described as a useful program for use in exploring malicious pages, allowing you to choose your own User Agent and referrer and use proxies. While it downloads Web content, it does not render it, so it is not a browser. Think of it as WGET with a user interface and some very specific talents. In Using Malzilla, we’ll take a close look at rogue AV tactics and exploit sites in order to study the infection process utilized.”

  • EnScript to Export files by extension – Computer Forensics, Malware Analysis & Digital Investigations blog.  Now I am just plain frustrated!  I don’t use EnCase as part of my job functions.  However this EnCase EnScript would be awesome to have as a system administrator!  Simply put it “…will export all the files with matching extensions (case insensitive) to the folder you specify. A subfolder for each extension is made and the corresponding files are placed into their respective folders.”  Golden!  Only I can’t find a similar Windows utility, or know of a way to run an EnScript without EnCase.  This feature would be awesome in recovering user-data from a tanked system.  I guess there could be a batch-file solution perhaps.  Any tips or suggestions?  For a tease on an upcoming system recovery post, I do know and have used the incredibly clever PhotoRec Sorter utility, but it doesn’t quite match this script by Lance Mueller.  See Lance’s updated post: EnScript to Export files based on Extension v1.1 for an update.

  • eXpress FreshFiles Finder – freeware – Utility I found while looking for a standalone tool to do what the script above does.  This useful “standalone” tool will provide a list of the most recently updated files on your target system.  Good for first-pass analysis of a system in an incident response scenario. Install the application, copy the created program folder to your USB stick, then uninstall.  It ran fast and fine on my Windows 7 x64 system and says it is XP/Vista compatible as well. It couldn’t access some normally protected folders, even running at Administrator level.  I’ll try later to see how it works if elevated to System level.  Still useful.

  • FolderWorks – freeware – ShadWorld.  Another related tool for counting files and categorizing them by extensions or file types.  No files are actually copied or moved.  Solely useful for documentation and assessment work on a system.

  • BareGrep - Free grep for Windows – Bare Metal Software.  Great tool for advanced and complex system and file searching; only 246 kB in size but very fast and very advanced for the most demanding system-inspecting needs.  Simply amazing.  Oh yes. It’s a single non-installing exe file and fully portable. Works great on XP through Windows 7 systems.

  • Quickpost: TrueCrypt’s Boot Loader Screen Options – Neat tip by Didier Stevens on how to configure TrueCrypt’s boot loader screen to display an “NTLDR is missing” error when booting a TrueCrypt encrypted hard drive.  Should obscure the system from further examination by all but the most seasoned techies or investigators.  Of course the thing unravels fast if the actual drive is analyzed at the sector level (or forensically) and the TrueCrypt bootloader is discovered.  That knowledge still won’t help the curious get into the TrueCrypt protected layer, but the jig will be up at that point.  Certainly clever and a reminder to techies and incident response folks that what you see may be deceptive, so you need to keep an open mind and be willing to dig a bit deeper.  For the record, the legitimate error message would be “NTLDR is missing.  Press Ctrl+Alt+Del to restart”.
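One answer to the “any tips or suggestions?” question in the EnScript item above: a small Python stand-in for the export-by-extension behavior. This is an added example, not Lance Mueller’s EnScript or anything from the original post; the function name and the collision-renaming rule are my own choices.

```python
# Added example (not from the original post): copies every file under a source
# tree whose extension matches (case-insensitively) into one subfolder per
# extension under the destination, mirroring what the EnCase EnScript does.
# Name collisions (two "resume.doc" files from different folders) are kept by
# suffixing _1, _2, ... so nothing recovered from a dead system is overwritten.
import os
import shutil
from pathlib import Path


def _unique_name(out_dir, name):
    """Return a path in out_dir that does not exist yet, adding _1, _2, ... if needed."""
    candidate = out_dir / name
    stem, suffix = Path(name).stem, Path(name).suffix
    n = 1
    while candidate.exists():
        candidate = out_dir / f"{stem}_{n}{suffix}"
        n += 1
    return candidate


def export_by_extension(src, dst, extensions):
    """Copy matching files from src into dst/<ext>/ and return {ext: [paths written]}.

    Extensions are compared without the leading dot and case-insensitively,
    so "JPG", ".jpg" and "Jpg" all select the same files.
    """
    wanted = {e.lower().lstrip(".") for e in extensions}
    written = {e: [] for e in wanted}
    src, dst = Path(src), Path(dst)
    dst_resolved = dst.resolve()
    for root, dirs, files in os.walk(src):
        # Never descend into the export folder itself if it lives under src,
        # otherwise we would copy our own output in a loop.
        dirs[:] = [d for d in dirs if (Path(root) / d).resolve() != dst_resolved]
        for name in files:
            ext = Path(name).suffix.lstrip(".").lower()
            if ext not in wanted:
                continue
            out_dir = dst / ext
            out_dir.mkdir(parents=True, exist_ok=True)
            target = _unique_name(out_dir, name)
            # copy2 keeps modification timestamps, useful for later timeline work.
            shutil.copy2(Path(root) / name, target)
            written[ext].append(target)
    return written
```

Run it from a USB stick as `export_by_extension(r"D:\Users", r"E:\recovered", ["doc", "xls", "jpg"])`; the returned dict doubles as a recovery log.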

Nice being back in the blogging saddle!

Cheers!

--Claus V.

2 comments:

ffextensionguru said...

Nice to see you back! Care to share the rain? El Guru is roasting over here! 116 so far today.

Claus said...

@ El Guru - Thanks! You are too kind.

I usually don't complain much about the temp...even though we've had some record-setting runs of 100+ degree temps here in Houston.

I know that others regularly suffer through even worse...even if it is just a "dry-heat" ;)

I've got a few browser-related links coming soon, also touching on that nifty "vacuuming" SQL files trick for Firefox.

That was the best tip I've seen for FF usage in a loooooong time!

Cheers!

-CV