Sunday, October 11, 2009

Mostly for the Forensics Crew: A rapid-fire linkfest

Here’s a collection of links that is 90%+ aimed at the Windows forensics crowd.

Got to drop off daughter for pre-Sunday PM service activities and get some groceries bought before it gets too late!

  • ChromeForensics v1.0.1 : woanware. Mark Woan had kindly supported my fumbling foray into ChromeForensics a few weeks ago.  We ended up working my knucklehead-ed-ness out and he ended up updating this with a nice Help file.  I checked it closely and made a suggestion that he added in.  He graciously gave me unneeded credit for the tip.
  • Windows Incident Response: Linkity-Link. Harlan Carvey’s nice well-rounded linkpost regarding some assorted forensic topics including a tease on WiFi geolocation in forensics.
  • Forensics from the sausage factory: Windows Photo Gallery. – In that post, Harlan pointed to this fascinating post by DC1473 on forensics clues from Windows Photo Gallery usage.
  • Windows Incident Response: Where was Waldo? Then Harlan later came back with an amazingly neat follow-up post on WiFi geolocation and forensic bits extracted from the Registry.  This is really cool stuff and even sysadmins may find it useful.  Suppose you have a policy against WiFi usage on work laptops/systems.  During a system audit you could use RegRipper to discover WiFi connections as well as possible connection point history.  Using Harlan’s technique, you might also be able to discover where it was used (home, work, public library, etc.).  Not only does this provide great data for the analysis, but it could provide context for system activity observed as well as expand the information available for the response.  Really neat stuff.
  • CDP - What Switch Am I Connected To? and Monitoring Traffic with Span Ports – SynJunkie.  Two really great posts out of a series touching on network monitoring and Cisco switch/router configuration techniques.  I’m singling these out in particular as they are of interest for sysadmin troubleshooting on the network as well as traffic captures.
  • Forensically interesting spots in the Windows 7, Vista and XP file system and registry (and anti-forensics). IronGeek.  Useful list of Registry locations worth taking a look into, as well as some background info on them, though not nearly as complete as Windows Forensic Analysis DVD Toolkit, Second Edition.
  • JADsoftware’s Internet Evidence Finder. Updated to version 2.0.4.  Change Log
  • Windows Incident Response: Hakin9 articles.  Harlan goes on in this new post to discuss some timeline creation and analysis thoughts.  This is an ongoing theme on his WindowsIR blog.  I recently had to construct just such a thing and am coming to appreciate the issues facing those needing to present highly detailed technical information on incident response in a manner that doesn’t cause non-technical managers’ eyes to glaze over and miss the impact of the information presented.
  • Disk2vhd. Sysinternals has just released a new freeware tool.  This utility could be of great benefit to both sysadmins and forensics folks.  I use Virtual PC as my preferred platform for virtualization, and while there are many tools that will convert a system image to a VMware machine, this could be a great tool for doing a similar thing for VPC. From the description: “Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different than ones being converted).”
  • 8 bits: Lab FTK Imager: file carving using the MFT.  Neat technique.  I know I’ve got a few utilities that can locate the file location based on a section of sector info, but I need to dig those up again for a refresher.
  • Windd 1.3 Final! (x86 and x64) - Matthieu Suiche’s blog!  Get it!
  • Beta version of NirLauncher package is available to download. Nir Sofer has released a new tool of his that allows downloading and launching of his tools as a package-manager.  Really cool and neat.  Similar to KLS SOFT’s - WSCC - Windows System Control Center.
  • This Is a Photoshop and It Blew My Mind - Photosketch - Gizmodo.   Not forensics related but clever.  Do a stick-figure sketch of an image scene and feed it to Photosketch.  It will then find the different images and mash them up into a single image it creates/renders.  How cool is this!
  • PhotoFilmStrip.  A freeware utility that allows you to create “Ken Burns” style panning in/out/across of still images into a video format.  Really neat.  Spotted and reviewed over at this freewaregenius post.

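As an added illustration of the WiFi-policy audit described for the "Where was Waldo?" item above (my example, not Harlan's or RegRipper's code): on a live Vista or later system, the NetworkList keys hold each known network profile, its first/last connection times, and the gateway MAC recorded for it. The script assumes the standard HKLM NetworkList layout and runs from an elevated PowerShell prompt.

```powershell
# Audit script (added example): list wireless profiles the machine has joined,
# with first/last connection times and the default gateway MAC recorded per profile.
# Assumes Windows Vista or later; the NetworkList keys do not exist on XP.

function ConvertFrom-SystemTime {
    # DateCreated / DateLastConnected are REG_BINARY SYSTEMTIME structures (16 bytes).
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -lt 16) { return $null }
    $year  = [BitConverter]::ToUInt16($Bytes, 0)
    $month = [BitConverter]::ToUInt16($Bytes, 2)
    # bytes 4-5 hold day-of-week and are skipped
    $day   = [BitConverter]::ToUInt16($Bytes, 6)
    $hour  = [BitConverter]::ToUInt16($Bytes, 8)
    $min   = [BitConverter]::ToUInt16($Bytes, 10)
    $sec   = [BitConverter]::ToUInt16($Bytes, 12)
    return [datetime]::new($year, $month, $day, $hour, $min, $sec)
}

$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
$nameTypes = @{ 0x06 = 'Wired'; 0x17 = 'Broadband'; 0x47 = 'Wireless' }

# Build a ProfileGuid -> gateway MAC map from the Signatures subkeys.
$gateways = @{}
Get-ChildItem "$base\Signatures\Unmanaged", "$base\Signatures\Managed" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-ItemProperty $_.PSPath
        if ($sig.ProfileGuid -and $sig.DefaultGatewayMac) {
            $gateways[$sig.ProfileGuid] =
                ($sig.DefaultGatewayMac | ForEach-Object { $_.ToString('X2') }) -join ':'
        }
    }

# Walk every profile, decode its type and timestamps, and keep the wireless ones.
$report = Get-ChildItem "$base\Profiles" | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    $type = if ($nameTypes.ContainsKey([int]$p.NameType)) { $nameTypes[[int]$p.NameType] }
            else { '0x{0:X}' -f $p.NameType }
    [pscustomobject]@{
        Profile        = $p.ProfileName
        Type           = $type
        FirstConnected = ConvertFrom-SystemTime $p.DateCreated
        LastConnected  = ConvertFrom-SystemTime $p.DateLastConnected
        GatewayMac     = $gateways[$_.PSChildName]
    }
} | Where-Object { $_.Type -eq 'Wireless' }

$report | Sort-Object LastConnected -Descending | Format-Table -AutoSize
```

A non-empty table on a machine covered by a no-WiFi policy is the audit finding; the same keys can be pulled from an offline SOFTWARE hive with RegRipper as the post describes.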
Finally, I really like using Universal Extractor to unpack setup files and examine them for no-install operation.  However, from time to time I encounter some packers that it can’t handle, usually related to newer versions of the compression software used.  I recently ran into just that issue with an Inno Setup package.  Fortunately, I just had to go over to innounp, the Inno Setup Unpacker, and download this newer version, copying the files into the Universal Extractor folder and overwriting the older ones.  Unpacking is working perfectly again.

Special hat-tip of gratitude to Miles over at his TinyApps.Org Blog.  He has been kindly encouraging me behind the scenes on the back-channels in my recent un-plugged state and also tossing me some of the links noted above that I might have missed with the several hundreds of RSS feeds that had accumulated in my feed-reader that I had to cull through to get caught up.  He has had a number of interesting posts of his own lately including Unixy goodness: command compendiums, dd, acronym origins, and a shell stopwatch, dd block size, Wipe MBR / Track 0, and SFK.  If you aren’t RSS feeding TinyApps blog, you need to be or you are missing out!


Claus V.