Sunday, August 23, 2009

Utility & Miscellany

Too many chores this weekend.

Spent last week out of town at a technical conference.

Had a raging bout of the highly contagious and discomforting “Caribou Cold” while there and am still suffering the tail end of it.

Spent yesterday on my home “workbench” swapping my system onto a new (larger/faster) laptop hard drive, which involved over 14 hours of work (mostly due to having to decrypt the whole-disk encryption prior to imaging it and porting it onto the new drive).

Had hoped to post much more this weekend, but it was not to be.

So here you go, semi-naked linkage.

Utilities

Forensics

“…ptfinder versions for Windows Server 2008 SP1, 2003 SP2 and Windows 7 beta are developed by me, and can be downloaded here.”

The details of the technique can be found here.

Semi-Stealth Windows Live Updates

I’ve been waiting for some time for an update to Windows Live Writer, my blogging platform software. After the information below came out that a new version was available (14.0.8089.726; the previous build was 14.0.8064.206), I quickly launched my WLW and used the update tool to get the update.  Curiously, it said I was still using the latest version.  I manually updated it (successfully) to the higher version noted, but still have been unable to find a change-log detailing just what got improved/fixed/updated.

And fresh off my Video-Editing Resource Roundup post going over various builds and different downloads to get Windows Movie Maker installed on your XP/Vista/W7 system now there is this:

VHD booting and Virtual PC Stuff

Windows Technical Bits ‘n Pieces

Summer’s over.  Alvis heads back to school tomorrow morning.

Cheers!

--Claus V.

Network Capture Tools and Utilities

At a conference this week, we had quite a section regarding network captures.

The instructor was going on about how you can try to sort out users and what they are doing via Wireshark with the packet captures.  He was really wanting to figure out who the largest users were and what they were doing to saturate the bandwidth.

I politely asked if he was familiar with NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer.  He was not.  So I asked if I could come up and demo the one I had stowed on my USB stick.

The rest of the lesson was filled with throwing the packet capture files he had brought at NetworkMiner and carving out the results.  The instructor was amazed and grateful for the power that this tool was going to give him.  I passed the download link around to the class attendees quite liberally afterward.  It is an amazing tool.

It was quite fun and informative for all.

Later I saw (by chance) the Tools for extracting files from pcaps post at the ISC-SANS Handler’s Diary.  It was filled with quite a number of other great suggestions for carving information out of pcap files.

I’ve also downloaded NetWitness Investigator Software (free) which I understand has quite a collection of features as well.  Registration is required to get it working so that will need to wait until tomorrow.

Most of the ISC-SANS items are *nix based.  I’m (with the exception of Linux forensics LiveCDs) almost exclusively Windows based.  However, the packet analysis tool Xplico - Internet Traffic Decoder really seems outstanding and right up my alley for my needs.  Fortunately, it is included in the DEFT Linux - Computer Forensics live cd.

In addition to Wireshark, I generally keep a few other packet capture tools on my laptops, just in case.  Most are pretty tiny and light for super-fast and flexible captures.

One of those other larger tools for packet captures that I have installed is Microsoft Network Monitor 3.3.

I hadn’t realized that it had arrived fairly recently, but that link has some more feature details.

In addition, while reading the Network Monitor development blog I was pleased to find that there are some specialized plug-ins for it that might be darn useful:

The first is a post describing the tool which can analyze and suggest issues with your network based on packet capture data.  The second provides a report on which users are eating up all the bandwidth.

Both are pretty cool.  Check them out.

Of course, you could also try a tool like ZNetWatch 1.01 (freeware), which also specifically sniffs network traffic and rats out who the biggest users are.  While this could be caused by users looking at the latest YouTube videos or streaming radio (against network usage policy, perhaps), it could also be caused by virus or malware command and control communications.

As I said, it was a lot of fun tossing NetworkMiner at the packet capture sample files.  If you don’t have any handy, but want to really test out these (or other) tools that can read and parse that data, here are two great starting places to get some pcap files of your own to play with.

SampleCaptures - The Wireshark Wiki

SourceForge.net: Publicly available PCAP files – networkminer

Cheers.

--Claus V.

Java Silent Install Notes

Just dropping some links from home so I can study them more at work later.

Issue:  Windows Java (JRE) versions frequently offer trialware or other products when run at install/update time.  End users are frequently seeing these Java Update requests and accepting them, installing the trialware in the process.

Idea is to do a “silent” install from the command line, as darned if I can find a setting in the Java Control Panel item that will allow automatic downloading and installing (without trialware) of fresh Java updates.

Moving on…

--Claus V.

Sunday, August 16, 2009

Utility Gumbo

There’s a lot in this pot.  Probably something everyone can find to enjoy.

I’m serving it up tonight out of the back of the truck on the side of the road.  So it will be short on dialog, full on flavor.

Feel free to pick-around.  Just wash your hands first.

And yes, bring your own bowl, because unless noted, it’s all free.

RE: Windows Roux

RE: “Prettification”

RE: A Hard Drive to Crack

  • Tableau Disk Monitor – free with registration – nice tool for providing information on hard-disks, particularly from a forensics perspective.  Interfaces with supported read/write blocker devices as well (it appears).  I registered and downloaded it.  Requires installation. Has some handy extra features when used in conjunction with a Tableau disk bridge device. For more see this Pocket Hard-Drive Utilities post and newer finds at this Tweak SharePoint and NAS Links post.
  • Atola Insight - ($6990 - $8990) (not free) – I have to confess I wasn’t really sure what to make of this.  From a feature-standpoint it definitely seems to have all the bells-and-whistles for just about any hard-drive servicing needed under the sun including firmware backup/restore and hard-drive password display/recovery/blanking. Atola Technology blog has more information and demos.  Before you run off because of the price, give them credit as they also are the producers of the free/pro versions of Partition Find and Mount — free partition recovery software which is simply an amazing piece of software and something every sysadmin should be familiar with.
  • Acronis® True Image Home 2010 Beta II – TinyApps blog recently brought to my attention that Acronis is accepting beta-tester signups for this application.  I’m mostly an ImageX guy for my imaging needs at work, as well as use a basic backup solution that came with my FreeAgent drive, but I must confess I haven’t really deployed an effective data-backup solution at home.  I hope I have some time to kick the tires on this one.
  • O&O Software - O&O DiskImage 4 Express – free version for home users – More of an imaging/backup solution than a real-time backup solution.  Nonetheless, it still might provide a certain level of ease-of-use and recovery for home users.  Version 4 reports some good feature updates.

RE: Other Stuff

  • Java SE 6 Update 16 Is Here – SDN Program News.  Wasn’t auto-picking up on my systems with the Java Control Panel tool.  Manually get the update here.
  • ATI/AMD Catalyst 9.7 - first unified Vista and Windows 7 WHQL driver - Aaron Tiensivu’s Blog.  - I’ve been accepting the default drivers for Windows 7/Vista provided by Microsoft Updates.  However, if both our systems do continue to have BSOD issues with the video driver (Catalyst…you would know), I might try this fix.  So far I’ve only been having them on Vista.  Win7 x64 (RC) has been rock-solid stable so far.
  • Recuva – file recovery app – lots of updates of late: View full version change history...
  • Paint.NET v3.5 Enhanced for Windows 7 - Windows Experience Blog – I love Paint.NET. Will be designed to use a special Win7 API to enhance some performance and rendering.  You can download an alpha build (build 3509) of Paint.NET v3.5 here.

RE: Browsers

RE: A/V Sweetness

  • hype-free: Basic multi-media (post)processing.  Great tips from cdman83 on post-processing along with some great freeware/OpenSource tools listed in the post as well as below.  Go read it and get better output.  See also this related “hype-free” post No codec packs please!
  • The Levelator – drag-n-drop processor to auto-adjust sound-levels in audio files. Sweet! 
  • VLC Media Player Portable – Who needs Windows Media Player? Not me!
  • The KMPlayer – My personal preference.  Seems to have all the codecs I need to play the audio/visual files I regularly encounter at work and home. Nice interface also.
  • ffdshow tryouts -  “ffdshow tryouts is a DirectShow and Video for Windows codec with support for a wide range of audio and video formats, such as Xvid, DivX, and H.264. It includes a powerful filter set that can enhance the video quality - with filters for resizing, deinterlacing, and displaying subtitles - as well as audio quality through normalization, down-/upmixing, and resampling.”  Bleeding edge versions also available that now support x64.

Thanks cdman83!  Great tools all the way round.

Cheers

--Claus V.

Rapid-Fire Security and Response Linkpost

Trying to clear out the “to-blog” hopper so I can have a clean start next week.

  • TaoSecurity: 2009 CDX Data Sets Posted. Packet captures generated by NSA Red Team activity, packet captures from West Point defenders, and Snort, DNS, Web server, and host logs, all brought to you by the Information Technology Operations Center of the United States Military Academy. That’s West Point to you. Have fun culling through the material for tips and techniques.

  • Two convicted for refusal to decrypt data – The Register.  Just because you can encrypt it, doesn’t mean you don’t have to surrender your passwords to it under legal court order.  Encryption is great for protecting data from physical device loss. However, if you do want to be a hero (or patriot) and try to go down fighting, be aware there may be a penalty to not surrendering your passwords.

  • Update: Win32dd 1.2.2.20090608 (fixes + improvements) - Matthieu Suiche’s blog – Go snag this updated version of a useful memory-capture tool.

  • The Lab Rat – Testing Digital Forensics Tools and Gear – SANS Computer Forensics, Investigation, and Response blog.  Another review I found of the Tableau T35es write-block device that I am trying hard to get appropriations to purchase at work.

  • A Forensic Analysis Of The Windows Registry – by Derrick Farmer – Computer Forensics forums and Forensic Analysis of the Windows Registry Computer Forensics (PDF) by Peter Davies. Two very good overviews of Windows Registry Forensics.  I’m saving pennies so I can get the gold-standard in Windows Registry Analysis: Windows Forensic Analysis DVD Toolkit, Second Edition by the esteemed Harlan Carvey.  In the meantime, I’m adding these materials to my “study-kit”. Check out this recent Q&A: Windows forensics at Helpnet Security that Harlan responded to.  He has some excellent statements that apply not just to forensic examiners or incident responders, but to system admins and “family-fix-it-geeks” as well.  Quoting from that “interview”:

    Which Windows forensics tools would you recommend to our readers?

    …I tend not to recommend commercial tools, as doing so seems to create an over-reliance on these tools, where the reliance should be on the examiner's ability to understand the goals of the examination, as well as their ability to develop an appropriate analysis plan. The "tool" I recommend is "wet-ware", or your brain. If you don't know what "Registry analysis" consists of and what you're trying to prove or disprove through this activity, then no tool, free or commercial, is going to be of any use. A builder doesn't decide what a building will look like based on the tools that are available, and throughout history, new tools have been developed because a need was recognized and understood. The same should be true for incident response and forensic analysis - understand the need first, then choose the tool. – Harlan Carvey

  • Computer Forensic Guide To Profiling USB Devices on Win7, Vista, and XP -- SANS Computer Forensics, Investigation, and Response blog – Two more excellent take-away PDF guides to approaching USB device forensics on XP and Vista systems. As noted in the comments, probably good coupled with Nir Sofer’s freeware utility USBDeview along with the unofficial list of VendorID/ProductID for USB devices, found here.

  • Windows 7 Firewire Attacks and Defense Techniques – SecurityResearch.  Spend some time here!  Using Firewire to attack a Windows system is not new. (more at Firewire, DMA & Windows).  Security Research has done some pen-testing work using this technique against Windows 7 and found it still (generally) comes up lacking. Quoting:

    “Windows 7 systems are susceptible to Firewire-based attacks as well, as the Security Research Lab demonstrates. Besides a description how password authentication can be bypassed through memory manipulation via Firewire ports, the implications on BitLocker, Encrypted File System (EFS) and Windows Domains are described as well.”

Get the Windows 7 Firewire discussion materials from the post above or the links below:

  • Whitepaper (PDF) – Very readable material great for pentesters and sysadmins alike.
  • Whitepaper (PDF) – describing the software-based attack blocking technique developed in the process.  Great stuff and quite thought-provoking.
  • After you read both the papers, you might find yourself wanting to apply the researcher’s proposed solution.  Get the free download firewireblocker.zip for the application described above.  Still in development but it is worth looking into and testing on your own if you have some particular high-value needs to secure.

Lock it down or lose it.

--Claus V.

Inspiring Designs #2

Some more really brilliant and inspiring home designs from architectural blog Arch Daily.

Because everyone has to dream and imagine…

I’m leaving these for the girls to look through together.

So, which one do you like best Alvis?  How ‘bout you Lavie?

Which room would be yours, Alvis?

Where would Brambles hang out?

--Claus V.

Saturday, August 15, 2009

GSD Hurricane Tracking Links – 2009

Hurricane Gordon

CC attribution: Public Domain. NASA via pingnews on flickr.

After all that “Ike Badness” last year I’m not sure I am emotionally ready for this again.  However we have really improved our processes at home and work due to “Lessons Learned” exercises and our business impact and business continuity plans are sharpened and more refined than ever before.

With that in mind, I’ve decided to go back and update my GSD Hurricane Tracking Links – 2008 post.

Bookmark ‘em all!  (Or at least this post!)

Gulf Coast Watch List

So here are the hurricane links I am watching at home and work, to track the impending winds. Listed in order of my personal preference…


  • Stormpulse / Hurricane tracking, mapping - If you like dark-themed, special-op center techno-sites, this is the one for you. The site has a lot of information and can be customized in extra data inclusions on the chart. What really makes this one cool is that it has a “Full-Screen” mode that displays as much detail as you want for the storm-track on your monitor.  It provides a standard storm-track model, but you can select to include a bevy of additional forecast models if you want to really psych yourself out. Loaded up in Google Chrome or Chromium coupled with a nice dark Google Chrome Theme it really stands out projected on the wall of the incident command center.

  • SciGuy Blog – Chron.com’s Eric Berger - Eric has been providing outstanding details, commentary, live chat-sessions, and analysis of all things science and tropical prognostication.  Highly recommended as a filter of reason and temperance in a media-market filled with over-hype, smashing graphics, and fear-factor extremes. Besides that, you can count on Eric to provide great meteorological linkage to excellent source material like this GFS global model or this European model.  It’s a must-follow/must-RSS feed blog for all Texas Gulf Coast residents. Period.  (See also Jeff Masters’ Wunder Blog : Weather Underground.)

  • IBISEYE.com -- Your Atlantic Hurricane Season Tracking Map Source – An awesome site that mashes up tracking data on hurricanes and points of interest, along with Google Maps.  Heavy on the JavaScript but makes up for it in pure visual delight.  Easy enough even the “old-folks” can understand.  Not only are hurricanes and projected paths displayed, but also counties are added as they fall under various storm watches and warnings.  Zoom in/out for more detail.

  • Tropical Atlantic: NHC Model Data for Tropical Storms – TropicalAtlantic beta – For folks who need to have more than one storm-track model presented, this is like going from riding a pony to driving cattle from North Dakota to the Fort Worth Stockyards.  Look at the top of the page to select any current storms.  Then when the Google Map mash-up launches, you can pick from 32 “Early” and 38 “Late” storm-track models.  Plot one or plot them all! Awesome! Additional NOAA summary of storm-track models. Also, Tropical Atlantic: Information About Atlantic Hurricanes – main page.

  • Hurricane and Storm Tracking - Terrapin's site remains a dear favorite. It is lean and simple and allows for quick location of information without lots of graphic overkill. The storm-track plots come in two flavors, a simple historical and future projection track that is static as well as a java-based animated one. Loads fast and updated as new forecasts are posted.

  • National Hurricane Center - This website maintained by the National Weather Service is my number two choice. Lots more linkage on the sidebar for hurricane related topics and preparations. The main page has links to a number of graphics and advisories.

  • (NHC's) Atlantic Graphical Tropical Weather Outlook - A "beta" sub-page of the site listed above. This is pretty cool. Any current tropical systems are overlaid on a satellite image with an icon. Hovering over the icon pulls up a quick update view. Clicking on the update popup then takes you to the system's detailed page.

  • Moreweather.com -- Tropical Atlantic Weather Page - T-Storm Terry Faber has created a great hurricane system page here. Not only does it have lots of links to any active systems, but it also contains links to radar and satellite images, many in great detail and high resolution. The hurricane tracking maps and projections are there, of course. T-Storm Terry also provides links to other sources of information as well as historical data on previous storm systems.

  • Tropical Weather : Weather Underground - This is a fantastic site that has the widest range of linkages, maps, images, models, and everything. Just about the only thing it doesn't provide is winds blown into your face through the monitor. Which is why I put this at the bottom and not the top: there is just so much information it overwhelms.

  • Oklahoma Weather Lab | Hoot - Models: GFS Model Upper-Level Wind 850mb provided us great forecast models of the high/low pressure zones and ridges leading up to Ike’s eventual landfall and really helped us understand the forces driving its path.

Local Winds

For local Houston area facts and updates, most of the local news stations have their web-sites powered up.

Even More Weather

I have found these additional links pretty cool:

Road Kill

You just don’t want to be caught off guard when one of these comes knocking at your door.


Ike radar image captured by Jim Thompson of jimthompson.org

--Claus

Search & Acquire by File Type Solutions

For some time I have been deeply obsessed with the features noted in this post:

It’s a brilliant EnCase script that sorts through a collected image then outputs copies of the files, based on file-type filter, to folders named by those file-types.  Lance Mueller’s more recent script even does some hashing to look for duplicates.

For a system administrator performing incident response on a Windows system, or even a rapid file-recovery, this could be a very useful tool.

Unfortunately I don’t use EnCase nor am I aware of a tool to convert EnCase scripts into a “standalone” tool.

I suppose with time (something in short supply) I am more than up to the task of writing my own Windows script to do the process.  I may still do so.

However, after trawling the InterWeb-al sea-floor I’ve finally been able to identify a few applications that will handle the task, though require a bit of user intervention depending on the tool.

Closest Match: PhotoRec & PhotoRec Sorter

The closest tool I’ve yet found (and already knew about) is using PhotoRec to recover the supported file formats.  Once that collection is built, then you can toss PhotoRec Sorter at the collection and thus re-output the collected files into individual folders based on their type.   Pretty nice.

I suppose you would then have to do manual MD5 checking on any apparent duplicates.

This tool would be particularly useful when working on “static” image captures of a system.

First Runner Up: SMF

It took me almost a month to find this utility (also created with AutoIt). I’m not sure why.

It is an amazingly developed and refined work of love by the developer. It supports advanced filter parameters as well as file-hashing.

The zip download contains a single exe file which when run creates two folders to be used for search result databases and such.  It is “portable” if you keep it all together.

What I like about it is that by feeding it a single or collection of targeted file extensions, it will VERY rapidly search and find them. Delimit the extensions by using the “;” character with no spaces between.

Output will require sorting by extension and then a select-all of that particular file type.  Then you can paste the results into a folder manually named (by you) of that matching extension name.

It also allows you to search based on advanced file attributes including “access time”.  Handy when inspecting a disk image for recently created/accessed/modified time parameters.

Too many options and features to discuss here.  Check it out.

SMF – Search my Files is off the hizzle fo' shizzle dizzle!

Second Runner up: SearchMyFiles-NirSoft edition

Single, very tiny EXE file and highly portable.  Rapid searching of drive, folder, subfolders, etc.

Again, it also supports searching for multiple extensions at once:

Files Wildcard: Specifies the wildcard for scanning the files. You can specify multiple wildcards delimited by semicolon or by comma, for example: *.exe;*.dll;*.ocx or *.exe,*.dll,*.ocx.

It also supports filtering based on file attributes, as well as other advanced combos.

It isn’t as advanced as SMF-Funk edition but for what it lacks in comparable features it more than makes up for in simplicity and ease-of-use.

In the Pack

These additional utilities can also provide searching by multiple file types.  They can get the job done. However, I just didn’t find them quite as appealing, for various reasons, as I did the winners selected above.  You may feel differently, and they are all worth downloading and seeing if they could meet your needs.

  • File Find for Windows – Forensic Innovations, Inc. – (trialware/$) - This is really an amazing program specifically designed to support the searching needs of forensic examiners.  The trial download is limited to 30-days, with a nag-screen, and only will display up to 100 results per search.  That’s enough to prove the value of this tool. You can search for files by their File Type, Contents, Operating System Platform, Data Storage Method, File Attributes, and much, much more.  Check out their highly descriptive/illustrated page for more product data.

  • Everything Search Engine - (freeware) – Really fast and powerful search tool.  Not ranked higher as it is “installed” and runs by indexing the system or mapped drive. It could be used against a mounted image you are inspecting (or, gasp, “installed” on the target system directly). However, I wouldn’t recommend it in that fashion.  I do have it running on my home XP system in lieu of Windows Search 4.0 and really love it. It also supports searching multiple extension file types at once:
      2.6 How do I search for a file type?

      To search for a file type, type the file extension into the search edit,
      ie to search for the mp3 file type, type *.mp3 into the search edit.
      To search for more than one type of file type use a | to separate file types,
      ie *.bmp|*.jpg will search for files with the extension bmp or jpg.

  • Locate32 - (freeware) – It also is database-based to speed indexing and finding of information.  It also supports searching for multiple file types at once.  Comes in both x64/x32 bit supported versions (nice) and supports almost all known versions of Windows, including CLI support. (handy).

  • Agent Ransack - (freeware) – Can be made “portable” and handles some pretty advanced parameters for searching locations.

  • Finder 2.1-- (freeware) – dkellner – Supports advanced search terms and arguments.  Nice interface. Portable.

In all but the first case (PhotoRec Sorter), you will need to create your own output folders manually, based on extensions you are searching for.  Then (depending on the application’s requirements) make one or more text-files to keep your custom file type lists in. Simply copy/paste them as needed into the application, run your search, then sort, copy, and paste the results into the respective folder.  Not elegant but it could get the job done. Also, some of the applications listed support exporting the results in some kind of report format for documentation needs.
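The EnCase-script workflow described above (search by an extension list, copy the hits into per-type folders, hash them to spot duplicates) is small enough to script yourself. The following is an added example written for this post, not Lance Mueller’s script or any of the tools listed; it assumes the image is already mounted as an ordinary directory tree and builds its own constructed sample tree to run against.

```python
"""Sort files from a mounted image into per-extension folders, MD5-hashing each
one so content duplicates are reported (and, by default, not copied twice).
Example code, not from any tool named in the post."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class SortReport:
    copied: dict = field(default_factory=dict)      # ".jpg" -> [(source, dest), ...]
    duplicates: list = field(default_factory=list)  # (md5, source, first_seen_source)
    skipped: int = 0                                # files whose extension was not wanted


def md5_file(path, chunk=1 << 16):
    """Stream the file so large images/videos do not get slurped into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_ext_list(spec):
    """Accept the SMF/NirSoft style lists: 'jpg;doc', '*.exe;*.dll', '*.exe,*.dll'."""
    wanted = set()
    for token in spec.replace(",", ";").split(";"):
        token = token.strip().lower().lstrip("*")
        if token:
            wanted.add(token if token.startswith(".") else "." + token)
    return wanted


def sort_by_type(source, dest, ext_spec, skip_duplicates=True):
    """Walk `source`; copy each wanted file into dest/<ext>/, preserving timestamps."""
    wanted = parse_ext_list(ext_spec)
    report = SortReport()
    seen = {}  # md5 -> first source path with that content
    dest = Path(dest)
    for root, _dirs, files in os.walk(source):
        for name in sorted(files):
            src = Path(root) / name
            ext = src.suffix.lower()          # a.JPG and a.jpg land in the same folder
            if ext not in wanted:
                report.skipped += 1
                continue
            digest = md5_file(src)
            if digest in seen:
                report.duplicates.append((digest, str(src), seen[digest]))
                if skip_duplicates:
                    continue
            else:
                seen[digest] = str(src)
            folder = dest / ext.lstrip(".")
            folder.mkdir(parents=True, exist_ok=True)
            target = folder / name
            n = 1
            while target.exists():            # same name, different content: keep both
                target = folder / f"{src.stem}_{n}{src.suffix}"
                n += 1
            shutil.copy2(src, target)         # copy2 keeps mtime for later timeline work
            report.copied.setdefault(ext, []).append((str(src), str(target)))
    return report


def demo():
    """Constructed sample tree standing in for a mounted image; returns the report."""
    work = Path(tempfile.mkdtemp(prefix="sortdemo_"))
    image = work / "mounted_image"
    sample = {
        "Users/alice/Pictures/a.JPG": b"jpegdata-1",
        "Users/alice/Documents/report.doc": b"worddata",
        "Users/bob/Downloads/a.jpg": b"jpegdata-1",      # same content as a.JPG
        "Users/bob/Downloads/other.jpg": b"jpegdata-2",
        "Windows/System32/drivers/x.sys": b"driver",     # not in the wanted list
    }
    for rel, data in sample.items():
        p = image / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    try:
        return sort_by_type(image, work / "out", "jpg;doc")
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    r = demo()
    for ext, items in sorted(r.copied.items()):
        print(f"{ext}: {len(items)} copied")
    print(f"duplicates: {len(r.duplicates)}  skipped: {r.skipped}")
```

Point `sort_by_type()` at the mounted image and an output folder on your own drive; the returned report carries source-to-destination pairs and duplicate hashes for your documentation.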

Related file handling tools

These tools aren’t directly related, but they could be useful either for searching a system during an incident response or for obtaining information that could make for a more effective and narrowed search of a system.

  • UserProfilesView v1.00 - (freeware) – NirSoft - “UserProfilesView displays the list of all user profiles that you currently have in your system. For each user profile, the following information is displayed: Domain\User Name, Profile Path, Last Load Time, Registry File Size, User SID, and more.”

  • MyEventViewer v1.22 - (freeware) – NirSoft - “MyEventViewer is a simple alternative to the standard event viewer of Windows. As opposed to Windows event viewer, MyEventViewer allows you to watch multiple event logs in one list, as well as the event description and data are displayed in the main window, instead of opening a new one.”

  • RecentFilesView v1.09 - (freeware) – NirSoft – “Each time that you open a file from Windows Explorer or from a standard open/save dialog-box, the name of the file that you opened is recorded by the operating system. Some of the names are saved into the 'Recent' folder. Others are saved into the Registry.  This utility displays the list of all recently opened files, and allows you to delete unwanted filename entries.”

  • eXpress FreshFiles Finder - (freeware) - Provides a list of the most recently updated files on your target system.  Good for first-pass analyzing a system in an incident response scenario. Install the application, copy the created program folder to your USB stick, then uninstall. 

  • FolderWorks - (freeware) - ShadWorld.  Another related tool, for counting files and categorizing them by extensions or file types.  No files are actually copied or moved.  Solely useful for documentation and assessment work on a system.

  • UserAssist - (freeware) – Didier Stevens (see also Update: UserAssist Tool Version 2.4.3) - “The UserAssist utility displays a table of programs executed on a Windows machine, complete with running count and last execution date and time.”

  • RegRipper - (freeware) – Harlan Carvey, Windows forensic expert and Registry digger extraordinaire has created an excellent tool for parsing out various Windows Registry hives. Using information gleaned from the reports, one can then get a better focus on pursuing leads for incident response elements on the target system.

Cheers.

--Claus V.

QuickPost: Bootable USB Stick

I’m preparing to attend a conference where we were asked to bring an 8GB (empty) USB stick.

I’ve got one, but I have configured it to be recognized by most BIOS systems as a “bootable” USB device.  Then I copied all my Custom Win PE Boot Disk files to it.  Now I can use it to quickly boot a system and have all my key portable tools and utilities right at hand in a Win PE 3.0 environment.

So the thought of wiping it out didn’t appeal much to me.

To work around this, I’ve used Alexander Beug's USB Image Tool freeware utility to make an image of it.  Then when the conference is over, I will make an image of that new file-set, then restore my original USB load.

It’s a great and simple tool to use.

The only trick for making images of USB bootable devices is found in the FAQ.

Q: What is the difference between device and volume mode?

A: In contrast to the volume mode, the device mode copies the whole USB device, including boot sector. So if you want to make a backup of a bootable USB device, or you have created a flash drive with more than one partition, you should use the device mode. The volume mode processes the first volume on an USB flash drive. Windows currently limits removable USB flash drives to only one volume. As long as the partition information on the flash drive doesn’t change and it is not a bootable device, it is ok to use the volume mode.

Q: I restored an image of a bootable USB flash drive. Why does it not boot anymore?

A: Volume images do not contain the boot sector. A boot sector holds the boot loader, which makes the USB flash drive bootable. You can use the device mode to create an image of a bootable USB device.

So, select the “Volume Mode” method option and you should be fine.

Creating the “bootable” USB device.

Most USB devices aren’t “bootable” by default.  You have to perform some voodoo to get it correctly configured.  Then you can copy your actual “booting” system to it.

In my case, since I am using WinBuilder and Win PE as my sources, I simply followed this excellent guide.

However there are several additional tools and techniques that could be used to accomplish a similar thing.

Do a Google search and you will quickly find even more links and resources.

Dead-handy to have for any incident responder and/or system technician.

--Claus V.

Devio: Remote drive access and acquisition

Back when I was writing the Focus on Forensics Linkfest post, I mentioned a handy little freeware tool.

It works on all Windows systems I currently use: XP/Vista/Win7 in both x32/x64 bits along with Windows Server.  (Though UAC must be turned off in both Vista/Win7, or the driver set up to auto-load on system startup, as explained on the program page. And for 64-bit systems, testsigning must be turned on.)

Anyway…..

I like it as it allows me to mount several different “image” files (including IMG/dd image captures) as physical drives for direct access in Windows Explorer (or other file-managers).  That is SO handy!

I also figured out it adds a “Control Panel” item as well for fine-tuning settings and access. Sweet.


Anyway….this post is specifically about the “extra” feature.

While actually reading the page-post for ImDisk I finally caught this part:

The install package also contains a user-mode helper service that enables the virtual disk driver to forward I/O requests to other computers on the network. This makes it possible to boot a machine with NTFS partitions with a *nix Live-CD and use the included  devio tool to let ImDisk on another computer running Windows on the network mount the NTFS partition on the machine you booted with the *nix Live-CD. This way you can recover information and even run chkdsk on drives on machines where Windows does not boot. I am working on a Live CD image with devio and other useful things for this pre-loaded. Will publish that one for download soon.

Devio? 

What’s that and what has it got to do with ImDisk?

From what I could tell from the description above and this devio - read and write block devices *nix page, once devio is running on a remote system, ImDisk can connect to it over the network and mount the indicated volume or physical drive as a local “virtual” drive letter.  OMG!

But, though I am quite comfortable working on Linux systems, particularly LiveCD distros, Win PE 2.0/3.0 is really where my daily grinds occur.

I could have really used this tool to remote mount and access systems that were borked, or if a technician needed particular assistance from the field, or maybe image captures for incident-response.

Too bad.

But Wait! There’s More!

The ImDisk developer (Olof Lagerkvist) actually does have a Windows CLI port of devio!  You just have to know where to look!

You can download devio.exe for Windows here: http://www.ltr-data.se/files/devio.exe

That was actually found on this Boot-Land Forum post where Olof maintains information on devio as well as ImDisk.

Using Devio & ImDisk & Win PE 3.0

I’m using my Custom Win PE Boot Disk but a Win PE 2.0 (Vista) or even Win PE 1.0 (XP / BartPE) should work fine. I also wonder (but haven’t yet tried) if the Windows FE disk would also work. Probably so with a few extra commands.

This assumes that ImDisk is installed on the “local/host” Windows system, which will mount the drive served by devio on the “remote/target” system as a local drive letter.

Also, while I am booting a Windows system “off-line” with my Win PE disk, you could just as easily run devio on a normally running (live) Windows system and access it accordingly, with a few adjustments to the steps below.

  1. Boot the remote system with your Win PE boot disk and/or a USB stick that has devio on it.  In my case, I run Win PE 3.0 from a bootable USB stick for fastest booting and convenience for adding applications such as devio.

  2. Once up, you need to disable the Win PE firewall so the TCP port devio listens on (9000 in the commands below) is reachable.  Nothing in these steps authenticates the client: whoever can reach that port gets raw read (or, without the -r switch, write) access to the disk.  So do this only on an isolated or trusted network segment, and stop devio as soon as you are done.

  3. Open up a Command Prompt window and type wpeutil DisableFirewall  then press <enter>.  (wpeutil ships with Win PE 2.0 and later; on an older Win PE 1.0/BartPE build you will have to open the port by other means.)

  4. Browse to where your Windows devio.exe file is then figure out what you want to mount.

    1. I run DISKPART and then the command LIST DISK to figure out what the physical drives are. (Type exit to get out of DiskPart.)

  5. You will also need to know the IP address of the system you are running devio on.  I just type "ipconfig” to get that information.

  6. Now, from the command line, type any of the following commands, depending on what you want to accomplish:  (quoting from Post #2)

      If you have a disk D: that you would like to connect to from another machine, type the following on the server-end machine:  
      devio 9000 \\.\D:
      If you want read-only operation so that you don't accidentally destroy anything:
      devio -r 9000 \\.\D:
      If you attach to a PhysicalDriveN object you can enter partition number to use:
      devio -r 9000 \\.\PhysicalDrive1 2
      This will use partition 2 on disk 2

  7. Note: for my systems at work that generally only have a single drive and a single partition, to get the whole drive to access/image (say via a Win PE boot) use:
    devio -r 9000 \\.\PhysicalDrive0

  8. Hopefully it launched correctly and is now sitting in the foreground waiting for a connection.  Just leave this window open as long as you need to access this particular system drive, or minimize it if desired.

  9. Then, to attach to it from the client machine using ImDisk (must be installed), open a command-prompt and use the following syntax:
    imdisk -a -t proxy -o ip -f nnn.nnn.nnn.nnn -m R:
    Change nnn.nnn.nnn.nnn to the IP address of the devio system from step 5 above.  ImDisk’s TCP proxy mode assumes devio’s default port 9000 when no port is given; if you started devio on another port, use nnn.nnn.nnn.nnn:port.  Adding ro to the -o options (for example -o ip,ro) mounts the drive read-only on the client side too, which is a sensible belt-and-braces default.

  10. If all goes well, depending on the network connection and/or your system speed, ImDisk will launch, connect to the remote devio session and mount the drive as a local drive letter.

You can now access the drive to copy files from it, use ImDisk to grab an IMG format image of the drive, or, if you did not use the -r “read-only” switch, copy/move/delete files and perform other actions on them.

To end the session, just either press Ctrl+C on the remote system or dismount from the local ImDisk options and/or control panel item.

I would recommend using the “read only” settings when accessing/mounting attached images until you are very familiarized with the utility and navigating between the systems.  That way you can be sure not to accidentally flub something up critically.

Devio is a cool little tool that when combined with ImDisk and some know how can really expand the options in accessing remote Windows disks/volumes.

Just use it carefully and wisely.

Here is more linkage to study this nice little daemon.

Like I said, it could be useful…

--Claus V.

Tip: Managing Flash Cookies

It has been known for some time in various Web circles that Adobe Flash keeps its own cookie set (Local Shared Objects, or LSOs) apart from the normal browser cookies.  They live under the user profile in a directory shared by every browser that uses the same Flash Player install, they survive a “clear cookies” in the browser, and so they must be managed “manually” on their own.

However, it looks like folk are again “re-discovering” this ability as well as the security implications such a thing presents:

Hey, dialog and understanding is always a Good Thing in my book.

Don’t want them or want to manage them? You have quite a few choices.

  • Settings Manager - Global Security Settings panel – Adobe Flash Player – Go to this web page at Adobe and use it (yes, it is Flash-based itself) to view your Flash Player settings as well as manage your Flash cookies. Keep it bookmarked.

  • BleachBit - file and privacy cleaner for Linux and Windows – Previously recommended here for its ease as a freeware application to vacuum Firefox SQL files.  It also includes the ability to manage/clean Flash cookies.

  •  CCleaner – Similarly, this established system-cleaning freeware utility can also clean Flash cookies from Windows systems.

  • Objection - (Firefox Add-in Extension) – I personally find this single-purpose Firefox add-in does the trick for all my needs.  Once installed you access it via the “Tools” menu drop-down.  Inspect and manage the Flash Cookies as well as delete the ones you don’t want.  It doesn’t do anything else. But it does do this great.

  • BetterPrivacy - (Firefox Add-in Extension) – This one is like Objection above, but it provides much more control and management support of LSOs than Objection does.  I use NoScript to generally block all Flash services as I surf. If I do want to enable Flash content, I enable it in NoScript.  That said, any Flash cookies I have, I generally have accordingly, and it’s usually not a hassle. However, for more fine-grained control of those cookies, this is the tool to have if you are a Firefox user.

  • Flush.app – Mac OSX only.  I’m not a Mac user (iPods excepted).  That said, I would have included this anyway for you Mac users just because the website is aggressively cool!  Anyway, this app helps Mac users manage Flash cookies on their system.
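If you would rather see exactly what the tools above are cleaning, here is an added example (not code from any of them, nor from the original post) that walks the Flash Player #SharedObjects directory, groups the .sol files by the site that wrote them, and deletes everything except the hosts you choose to keep. The default directory locations are the usual ones for the Flash Player plug-in and are assumptions to check on your own system; the sample directory tree the demo builds is constructed, not real data.

```python
"""Enumerate and selectively delete Flash Player Local Shared Objects (LSOs).

Added example; it is not code from any of the tools listed above. Flash
Player writes LSOs as .sol files under a per-user directory. The default
roots used here are the usual ones for the Flash Player plug-in (Windows:
%APPDATA%\\Macromedia\\Flash Player\\#SharedObjects, Linux:
~/.macromedia/Flash_Player/#SharedObjects, Mac OS X:
~/Library/Preferences/Macromedia/Flash Player/#SharedObjects); verify them
on your own system. Inside that root the layout is
<random id>/<host>/<path...>/<name>.sol, so the host directory name tells
you which site wrote the object.
"""
import os
import sys
import tempfile


def default_lso_root():
    """Best-guess #SharedObjects directory for the current user and platform."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("APPDATA", ""),
                            "Macromedia", "Flash Player", "#SharedObjects")
    if sys.platform == "darwin":
        return os.path.expanduser(
            "~/Library/Preferences/Macromedia/Flash Player/#SharedObjects")
    return os.path.expanduser("~/.macromedia/Flash_Player/#SharedObjects")


def find_lsos(root):
    """List every .sol file under root as {host, path, size, mtime}."""
    found = []
    if not os.path.isdir(root):
        return found
    for rand_id in sorted(os.listdir(root)):          # the random per-profile id
        id_dir = os.path.join(root, rand_id)
        if not os.path.isdir(id_dir):
            continue
        for host in sorted(os.listdir(id_dir)):       # the site that wrote the LSO
            host_dir = os.path.join(id_dir, host)
            if not os.path.isdir(host_dir):
                continue
            for dirpath, _dirs, files in os.walk(host_dir):
                for name in files:
                    if not name.lower().endswith(".sol"):
                        continue
                    full = os.path.join(dirpath, name)
                    st = os.stat(full)
                    found.append({"host": host, "path": full,
                                  "size": st.st_size, "mtime": st.st_mtime})
    return found


def summarize_by_host(lsos):
    """Aggregate count and bytes per host, largest first."""
    totals = {}
    for lso in lsos:
        t = totals.setdefault(lso["host"], {"count": 0, "bytes": 0})
        t["count"] += 1
        t["bytes"] += lso["size"]
    return sorted(totals.items(), key=lambda kv: (-kv[1]["bytes"], kv[0]))


def delete_lsos(lsos, keep_hosts=()):
    """Remove every LSO whose host is not in keep_hosts; return removed paths."""
    keep = {h.lower() for h in keep_hosts}
    removed = []
    for lso in lsos:
        if lso["host"].lower() in keep:
            continue
        os.remove(lso["path"])
        removed.append(lso["path"])
    return removed


def make_sample_root():
    """Constructed sample tree (not real data) mirroring the on-disk layout."""
    root = tempfile.mkdtemp(prefix="lso-demo-")
    sample = {
        "example.com": [("flash/tracker.sol", 4096)],
        "video.example.net": [("player/settings.sol", 300),
                              ("player/cache/seen.sol", 1200)],
        "bank.example.org": [("session/login.sol", 64)],
    }
    for host, files in sample.items():
        for rel, size in files:
            full = os.path.join(root, "ABCD1234", host, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"\x00" * size)
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else default_lso_root()
    lsos = find_lsos(root)
    print("Flash LSOs under %s: %d" % (root, len(lsos)))
    for host, t in summarize_by_host(lsos):
        print("  %-40s %3d file(s) %8d bytes" % (host, t["count"], t["bytes"]))
```

Run it with no arguments to list your own profile's LSOs, or pass a directory to inspect a copy taken from another machine. The deletion is deliberately a separate call with an explicit keep-list, so an enumeration never removes anything by accident; the per-site settings Flash keeps under the sibling macromedia.com/support/flashplayer/sys tree are left alone.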

Let the Flash Cookie beat-down begin.

--Claus V.

Tip: Add Google’s Beta Search to browsers

If you didn’t catch it, Google “debuted” a beta version of Google Search this past week.

It seems to include some new search algorithms and monkeys at terminals.

Dwight Silverman at the Houston Chronicle’s TechBlog has just about all the information you need to know in his post.

That’s all nice and it does seem to bring a certain “freshness” to the search results.

I typically do my web-searching from a browser, and 99% of the time use the little search bar that Chrome, Firefox, and IE all have integrated.

Could I add another entry to each of them for the “sandbox” version of Google’s search?

Yep!  Easy-Peasy!

Firefox/Mozilla

Firefox fans who are used to the search bar in the top right corner can load different search engines into it to pick from.

Out of curiosity I wondered if I could find one for this Google "sandbox" version.

Sure enough: Mycroft Project - Google test search engine

Simply find the link and click to add.

Chrome/Chromium

For Chrome/Chromium users, it's a bit more complicated (but not much more), per the "Google Chrome saves your search engines" Google Chrome Help page:

Add, edit, or remove search engines
  1. Click the wrench menu.
  2. Select Options.
  3. Click the Basics tab.
  4. Click Manage in the 'Default search' section.

Use the buttons on the right to manage the search engines in the list. You'll need to provide the following information for each search engine:

  • Name: Nickname for the search engine.
  • Keyword (optional): Fill out this field if you want to create a text shortcut for the search engine. Learn more about keyword searches below.
  • URL: Type the web address for the search engine into this field. See instructions on finding this URL
    1. Go to the search engine you want to add as a search engine option and do a search.
    2. Copy and paste the URL of the search results page into the URL field. Keep in mind that the URL for the search results page is slightly different from the website URL. For example, while you'd go to http://www.google.com to access Google, the URL you'll add here is from the search results page, http://www.google.com/search?q=cucumbers (assuming you did a search for cucumbers).
    3. Replace the search term in the URL with %s. When you type a search in the address bar, your search term will automatically be inserted in place of %s.
How to access site search engines in the address bar
  • Tab to search
    Start typing the web address of the site you want to search in the address bar. If Google Chrome has a record of the site's search engine, it automatically offers you the option to search that site. Press Tab to choose the search engine, type your search term, then press Enter to see search results from the site.

  • Keyword search
    For search engines with defined keywords, type the keyword in the address bar. Select the search engine from the drop-down menu, type your search term, then press Enter.

  • New Tab page search boxes
    The Searches module on the New Tab page conveniently displays the search engines that you frequently use.

Internet Explorer 8

Finally there is IE8: Add search engines in Internet Explorer 8 – CNet

However the money way is to open the following link in IE8, then follow the very simple steps on that page.

The address you want to use is http://www2.sandbox.google.com/

Now Google's beta search is at your browser fingertips!

Pretty handy.

--Claus V.

Adobe Tip: Add filename to footer

Quick tip:

I create and receive quite a few Adobe PDF files in the course of my work.

Most are “complete” documents with names/descriptions prominently placed in the header or as a “title” somewhere on the page.

However, more than a few times I have been sent documents that are pretty similar in content and style but don’t really have any other distinguishing features to help me tell them apart when printed out.

I wanted a way to quickly add the file-name of the document to the footer.  Having a date would be useful as well.

I use Adobe Acrobat Professional v8.0 at work for (most of) my PDF processing.  I checked all the information and screens I could, but nowhere in the print/page setup or options could I find that feature.

I turned to the Adobe forums and found this thread.

Adobe Forums: Print File Name with pdf Document

LReinhardF (Reinhard Franke) responded that the solution has to be “hand-made”: a JavaScript routine added to the Acrobat program’s JavaScript folder.

He posted the last version of his code at http://www.refob.de/downloads/Acrobat/SetRemoveFooter.js

Right-click on that link and save it, then read through it before installing it: a folder-level script runs with Acrobat’s full privileges every time the program starts, so only install scripts you trust and have reviewed. Then drop it into the appropriate folder, \program files\adobe\acrobat "X"\javascript (where "X" is your Acrobat version).

Restart Acrobat and it will appear as an option under the File menu, roughly above the Print section.

It was a fast and simple solution that now allows me to better manage the hard-copy PDF printouts I use.

Note: this doesn’t apply to Adobe Reader.

There are some additional tips and Javascripting tweaks on the first page of that forum post.  The second page also has some more tips and information on doing the same thing but with header-inserts.  I was happy with the original solution, but if you are looking for more, keep reading the forum thread onto the 2nd page.

Cheers!

Claus V.

Monday, August 10, 2009

Focus on Forensics Linkfest

Last week was wild at work.

Not only did I get to borrow some neat hardware for drive work, I also tried to provide some perspectives and opinions on “forensically-sound” image capture.

On top of that, I also had just enough time to really play with Harlan Carvey’s RegRipper on a real (non-investigation related) image capture.  More on that later in the post.

It was a very crazy week but I felt oddly satisfied; that I had begun to get a handle on some nagging things.

Documentation is Everything

Shop-talking this week about incident-response in general, and “what-if” scenarios, I had the opportunity to share the importance of establishing and documenting what was done when a suspect system is focused upon.  Please note: I am not a forensic expert (IANAFE) but there are some basic common-sense things that need to be done.  Particularly when it isn’t clear at the onset if the system drive will just be wiped and reimaged or if it needs to be officially escalated to internal or external law-enforcement groups.

As such, it seems imperative that the responder approach the system with the thought in mind of preservation of the machine state as well as documentation of what was done; just in case one has to explain what occurred with the drive/system along the way.

As I don’t personally have any such standard templates that would fit the bill, I had to go looking for some that we could use in a pinch.  Luckily I found enough to get me covered for now, and certainly will inspire me when I have the time to design our own.

  • forensic it chain of custody document – docstoc – search page for related documents of that theme.  There were quite a number of good looking forms.  I didn’t have time to try to figure out the download process, but even then, I was able to view them and get a better sense of what I was looking for.

  • Forensic Bibliography – E-Evidence Information Center – great resource page with lots of direct links to PDF and other documents related to evidence collection worksheets, search-warrant templates, and chain-of-custody tracking.  I snagged more than a few forms from this site.

  • NHTCU Good Practices Guide for Computer based Electronic Evidence - (PDF) – Useful whitepaper that discusses issues and processes needed around electronic evidence collection.

  • Sample chain of custody form – United States Department of the Navy.

  • USSS Best Practices Guide to Seizing Electronic Evidence v3 – United States Secret Service “pocket-guide”. Update: it has been noted in the post comments that the information in this guide seems dated (internal PDF properties give a document year of 2006).  And as commenter Erik notes, the guide says to pull network connectivity and power the system off. Yet as incident responders know, network traffic captures (at least for a period), a running-system memory dump/image, and process/port/endpoint mappings could provide additional clues and information that will be irrevocably lost if the system is simply powered off almost immediately upon seizure. -cv.

  • Authors for Hacking Exposed Computer Forensics – WaybackMachine Internet Archive – The original site of this book appears gone, but some of the links back to forensic checklists, kit suggestions, and forms still live on. Found a few more goodies here.

  • Technology Pathways Resource Center – Technology Pathways – Simply one of the best collections of updated and current forensic documentation, whitepapers, tool downloads, and general subject material there is out there; period.  A must-bookmark page.  I only wish it had an RSS feed to monitor for updates.

Image Capture: Forensic Style: Part One

As I mentioned, I finally got my hands on a Windows system that seemed great to use as a test-bed.  I had worked the better part of a morning a few weeks ago prepping a special-build XP Pro system deployment to be used for hands-on testing of applicants to our team.  I took a base system image for the hardware used, then stripped off all the non-essential applications, removed some accounts, and set it up to auto-log-in to a restricted user account desktop (after a successful boot by the applicant).  It worked great and I dusted off some cobwebs from my brain in the process.  When done I captured an ImageX WIM of the system, to make redeployment easy in the future for this particular one-use system.

Before I wiped and reimaged it (I use it for image-building for that particular hardware model) I figured now was a great chance to try to practice capturing a “forensic” image file and then have it to practice on.

The first step was getting a forensically “sound” image of the drive.

To do that correctly and beyond doubt, the preferred method is a physical write-block device in-line between the drive and the OS used to capture the image.  Something I don’t (yet) have.

I’ve been looking between two primary models:

I’m not sure which would be better but luckily I was able to find a very current review by a forensic professional that seemed to provide a great comparison between the two.

It seemed to find both very good choices, though the Tableau product seemed to have the edge.

They are pricy (if self-bought) seeming to fall in the $250 - $300 range (with cable sets). But seem a critical piece of hardware for forensic-level system captures.

A non-forensically-sound alternative would be a USB drive adapter such as one of these.

Definitely, these provide NO physical write-block protection, though they do offer a convenient way for a support technician or analyst to test and recover files/system off a drive externally. 

In fact, I was able to borrow Mr. No’s Vantec device and test a slew of drives we’ve had on the shelf and sort the good from the bad, in addition to wiping the good ones. I’ll be ordering the Rosewill model soon for my own personal use.  Price for these ranges from $15-$35 depending on brand and features.  Local deals may be even better.

Image Capture: Forensic Style: Part Two

Since I didn’t have a real write-block device, and it was just a test-system capture, I chose to just use a forensic LiveCD to capture the drive image from the internal drive and save the image to a USB attached storage drive. In theory these disks provide software-based write-blocking: the OS is configured not to auto-mount, or to mount only read-only, the suspect drive during image capture and/or examination.  As I have learned, that may be nice but only a physical write-block device (properly used) can guarantee no write-back to the suspect drive.

For a free solution here are the ones I considered for this exercise…certainly not a complete list of options and some well-known names have not been included in this particular post.

I could have used a  Windows FE boot disk to do the work, then run Data Recovery Software by ADRC to capture a RAW or IMG single-file image, including all the sector info from the physical drive.  It isn’t specifically for “forensic” grade image capture but it would have given me a single-file image in a format I could mount as a virtual drive for examination.

Or I could also have used the Win FE/PE disk along with FTK Imager / FTK Imager Lite from AccessData.  It allows capture of a physical drive in several forensic formats along with dd format. (For more info see this Forensics 101: Acquiring an Image with FTK Imager – SANS forensics blog post).

Or I could also have used the Win FE/PE disk along with ProDiscover Basic from Technology Pathways.  It allows capture of a physical drive in the Pro Discover format along with dd format.

Or I could have used the Win FE/PE disk along with the DEFT Extra pack on a USB stick.

Then for a non-Windows “forensics” level option, I considered using my copy of the RAPTOR Forensic LiveCD maintained by Forward Discovery.  See this excellent post Unsung tools - Raptor Forensics by hogfly at his Forensic Incident Response blog for a how-to.  Hogfly covers the Mac edition of the disk, but I use the Windows version.  The process is pretty much identical.

Or I could also have used the CAINE Live CD for a forensic image capture. Its collection tool set includes both Automated Image & Restore (AIR) as well as Guymager to capture a physical drive in several supported formats, including dd format.

In the end, however, I went with the DEFT Linux forensic LiveCD distro and the guymager application.

With that, I captured a single dd file image of the 165 GB SATA internal physical disk 0 to the USB attached hard-drive in just over an hour.

Easy Peasy.
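Whichever imager you pick, the step that turns a dd file into a “forensically sound” copy is verifying it and writing the result down. The following is an added example (not code from guymager, DEFT or the original post) that hashes the source device and the image file in fixed-size chunks, compares size and digests, and produces a log line for the acquisition sheet. Opening the raw device (`\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux, both needing administrator/root rights) is left to the caller; the demo at the bottom runs on constructed in-memory data, including a deliberately tampered image.

```python
"""Verify a dd-style image against its source and write the result down.

Added example, not code from guymager, DEFT or the original post. Both the
source device and the image file are read in fixed-size chunks, so a disk
of any size can be hashed without loading it into memory. The caller opens
the two binary streams, for example open(r"\\\\.\\PhysicalDrive0", "rb") on
Windows or open("/dev/sda", "rb") on Linux; the demo below uses constructed
in-memory data instead.
"""
import hashlib
import io
import time

CHUNK = 4 * 1024 * 1024          # 4 MiB reads
ALGORITHMS = ("md5", "sha256")   # md5 matches most imaging tools, sha256 for strength


def hash_stream(stream, algorithms=ALGORITHMS):
    """Return (byte_count, {algorithm: hexdigest}) for everything readable from stream."""
    digests = {name: hashlib.new(name) for name in algorithms}
    size = 0
    while True:
        buf = stream.read(CHUNK)
        if not buf:
            break
        size += len(buf)
        for d in digests.values():
            d.update(buf)
    return size, {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper: digests of an in-memory byte string."""
    return hash_stream(io.BytesIO(data), algorithms)[1]


def verify_acquisition(source, image, case_id, examiner, description,
                       algorithms=ALGORITHMS):
    """Hash source and image, compare size and every digest, return a record.

    A mismatch means the image cannot be trusted. It does not tell you whether
    the image is bad or the source changed underneath you (that is what the
    hardware write-blocker is for), so the record keeps both sides' values.
    """
    src_size, src_hashes = hash_stream(source, algorithms)
    img_size, img_hashes = hash_stream(image, algorithms)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "description": description,
        "verified_at": time.strftime("%Y-%m-%d %H:%M:%S"),
        "source_size": src_size,
        "image_size": img_size,
        "source_hashes": src_hashes,
        "image_hashes": img_hashes,
        "match": src_size == img_size and src_hashes == img_hashes,
    }


def format_log_line(record):
    """One line for the acquisition log / chain-of-custody sheet."""
    hashes = " ".join("%s=%s" % (k, v)
                      for k, v in sorted(record["image_hashes"].items()))
    return "%s case=%s examiner=%s item=%r size=%d %s verified=%s" % (
        record["verified_at"], record["case_id"], record["examiner"],
        record["description"], record["image_size"], hashes,
        "MATCH" if record["match"] else "MISMATCH")


# --- constructed demo data -------------------------------------------------
SOURCE_BYTES = bytes(range(256)) * 4096              # a 1 MiB pretend disk
GOOD_IMAGE = SOURCE_BYTES                            # faithful copy
BAD_IMAGE = SOURCE_BYTES[:-512] + b"\x00" * 512      # last sector zeroed


def demo(image_bytes):
    """Run the verification on the constructed data; returns the record."""
    return verify_acquisition(io.BytesIO(SOURCE_BYTES), io.BytesIO(image_bytes),
                              case_id="TEST-0001", examiner="cv",
                              description="165 GB SATA disk 0 (demo stand-in)")


if __name__ == "__main__":
    print(format_log_line(demo(GOOD_IMAGE)))
    print(format_log_line(demo(BAD_IMAGE)))
```

Hash the source a second time after the capture finishes, not only before it: if that second digest matches the image, the image is faithful and the source did not change during imaging, which is exactly the claim the chain-of-custody paperwork needs to support. Keep the produced line with the worksheet, not just in your head.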

Mounting the captured (dd) image file

I wanted to now mount the single dd image file to my primary Windows system as a virtual physical drive so I could look at the sector information, run some tools against it, etc.

What to do?

Harlan Carvey’s Windows Incident Response post, Mounting a DD image, excellently covers all the major bases.

I first tried ProDiscover Basic and it certainly had no problems handling the task.  In addition it provides some at-hand tools and features for examination and case-notation of findings.  However I wanted something a bit more “seamless”.

In the end I went with the incredible (and free) ImDisk Virtual Disk Driver.  It installed like a champ and provides read-only mounting options for a slew of different image-file formats, including dd.

I also found this dd2vmdk: dd image to vmdk virtual disk image P2V converter (though not what I was focusing on as I rarely use VMware virtualization).  It seems to stand out from others Mr. Carvey mentioned in his post as it is an “on-line” web-based conversion tool. I guess it could be a handy option if you were in a bind somehow for such a tool.

Once mounted with ImDisk, I then proceeded to verify I could (and did) see all the info captured at the sector level with one of my sector-viewer utilities. I could run grep searches as well as various forensic first-pass tools.

Then I tossed Harlan’s RegRipper at it.

Previously I had only flirted with the tool. This was the first time I had a “real” system to play with.

I pointed it at some of the target registry-hive files and let it, well, rip!

Looking at the log results I was astounded.  Not so much by how it performed, I understood that already.  What amazed me was what it discovered about the base image I use to build the systems for imaging.

You’ll have to wait for another post just on that, but suffice it to say, there were a tremendous number of artifacts from the image’s former life before I adopted and built upon it.  I was quite stunned by what RegRipper uncovered.

It convinced me then and there that although this tool was designed for the forensics crowd, it has unrealized value for desktop system administrators, builders, and analysts.  Amazingly informative little tool it is!

Forensic Tips and Treats from across the Webs

As the above illustrates, system admins can find value in the field of forensics.  The following are a series of posts that could be of interest to both groups.

Did I mention I found some new tools?

Yep. I did.  And I was taught how to share!  Lucky you!

  • Forensic Focus Blog – OK. Not really a “tool” but does provide great regular blog linkage to tools as well as software and hardware reviews of a forensics bent.

  • List of Cell Phone Forensic tools — PenTestIT – I’m only interested in Windows forensics and really don’t have a need for cell-phone forensics.  However this is an important field in electronic forensics and should be given the time it deserves.  So this is a great post for the curious or to get some basics.  I suppose some of these might apply to flash-based storage cards (often found in use on cell phones), which would apply just a bit as they sometimes are seen in/with Windows systems as well.

  • Announcing OffVis 1.0 Beta. – Microsoft Research & Defense – Free tool from the MS folks to examine and visualize “…the binary file format used by Microsoft Word, PowerPoint, and Excel.”  Neat particularly when looking at malware-tainted/exploited files of those formats.

  • Open Source Digital Forensics page. Great link resource maintained by Brian Carrier that includes (among many other things) pages with Open Source Windows Forensic Tools and Unix-based Tools.  Bookmark this site fast!

  • Sophos updates free Anti-Rootkit tool - H Security – news that there is a new (and free) Sophos Anti-Rootkit tool available. Registration is required for download but you can never have enough updated rootkit tools at your disposal to scan a target system.  It’s important not just to avoid self-infection but also to see whether a “a trojan/root-kit did it, not me” defense is possible or supported.

Speaking of Rootkits…

There was news at Black Hat this year of a new boot-kit that could subvert TrueCrypt WDE systems. Please see this GSD Security and Forensics Linkfest: Duck & Cover edition post for the background info if you aren’t familiar with Stoned-Vienna.

Well, the (generally respectable) debate between the TrueCrypt camp and the author and the security folks continues.  It’s been very informative to me on the whole as I work with WDE solutions and find boot-kits particularly fascinating; more-so when paired with WDE protection.

With that in mind, here are some updated/current discussions on the whole thing worth looking at.

For the record I see accuracy in both side’s positions on the matter.

Whew!

Glad to get these links up.

Cheers for now.

--Claus V.