Sunday, September 13, 2009

A Smackrel of Forensics Honey…

I’m baiting this pot of honey with a reflective post by John Sawyer, All Forensic Investigators Are Not Created Equal at the Evil Bytes Blog.

There are forensic "experts" who have a narrow specialization in investigating individuals. Some examples off the top of my head are law enforcement forensic examiners looking at a computer to see if it was used to send threatening e-mails, search for information on making bombs, or view child pornography. The primary, and often only, source of evidence is the suspect's computer that is sometimes accompanied with some corroborating information from the suspect's ISP or a Web/mail hosting provider.

On the extreme opposite end of the spectrum, you have those who work on a much larger scale, taking into consideration many sources of information. I'm not sure there's a good term for them -- security investigator or enterprise incident responder or similar title -- but they go far beyond looking at just one system. Logs from routers, firewalls, and a numerous other types of systems all come into play in order for the investigator to crack the case.

I can’t consider myself really in the same class as true/certified “forensics” specialists.  If I had to place myself somewhere, I guess it would be with those in the second paragraph; one of those “enterprise incident responders.”  I have to know enough about Windows systems, typical/non-typical user behaviors, network elements, and hardware stuff.  Then I have to be able to successfully integrate all those elements together when I approach and analyze a system.  Is it harmless? Is it potentially criminal? I have to get hard data to come to a supportable conclusion, then present that material in a manner that is clear, logical, and fair; often to folks who are not technical in their knowledge base.

Since I don’t have any “formal” forensics training, I have to rely on the stream of material from the real experts and apply that information to our operational environments.  We have a limited budget and a growing workload.  Luckily I’ve been able to thrive with many freeware/Open Source tools shared kindly with the community by the developers bringing them to life.  I’m very grateful for both the knowledge-sharing and the tool-sharing.  That alone helps encourage and drive me to blog so tirelessly.  It’s a way of paying it forward.

In John’s post, he references this Infosecurity (UK) - The black art of digital forensics post by Steve Gold. Steve starts out by dissecting the issues of timeline building and the conflicts that can arise when dates are disparate.  Then he moves on to the new “GUI-based” tools (by that I think he is referring to all-in-one commercial forensic suites) that “aid” the investigator by parsing out volumes of system data and auto-magically sorting it out (bow optional) for the investigator. He then counterpoints the benefits of such applications with the possibly weakened position of an investigator confronted by a skilled trial lawyer, who may cast doubt on the findings if the investigator doesn’t know how the software arrived at the data. Finally he concludes by observing that many forensics experts have had to learn on their own how the systems work, so they can parse out the data needed, interpret it accurately, and wrap it up.

After the IPSEC steps, he claims, it’s usually a simple matter to classify the data collated and then analyze it fully.

Good digital forensics, he says, is not rocket science, but it does take a lot of thought to be able to complete an investigation and research all the relevant angles thoroughly.

“The bottom line with good IT forensic analysis is that you need to think about what data you have and how you can use it to your best advantage”, he says.

I’m not sure about that last point “…you need to think about what data you have and how you can use it to your best advantage.”  In my possibly naive way of looking at things, you need to understand what data you have, and work with what it tells you.  Depending on your collection skills and knowledge base, that may be very little or almost the whole story.

To me, the successful analyst/forensic expert, whatever their hat may be, must be first and foremost a successful knowledge integrator.  They have to understand what tools they have at their disposal, what data the system is/is-not capable of providing, and apply the first to the second to extract the key and correct data needed.  Only then can they tease out the story it tells.  And in many ways, a successful analyst/forensic expert isn’t just a technical expert, they must excel at being an accurate storyteller, spinning the truth and reassembling the plot from the pages of a book come unbound.

  • RegRipper Wishlist – Harlan Carvey is taking suggestions for improvements to his RegRipper tool.  I’ve recently got to “live-fire” deploy it and found it incredibly useful for helping me go from a global-view of the system down to the specific areas I needed to focus on.  While it didn’t produce a smoking-gun by itself, it highlighted all the shell-casings (if you will) that moved the search along quickly.
  • Stuff – Windows Incident Blog then focuses on highlighting some useful source material, tips, and technical papers.  Good reading material abounds.
  • Tools for mounting images – Harlan then moves on to showcasing a list of (mostly) free tools that can be used to mount drive image files.  ImDisk is fitting my systems analysis needs quite nicely as I generally work with raw IMG format files, though a rare .dd image file still is captured from time to time.
  • Thoughts on Tool Verification – Harlan then moves on to touch on one of the issues that Steve Gold pointed out earlier…that investigators don’t always know exactly what and how the tool they are using is working under the hood.  He has helped that process a bit by seeding output of RegRipper with some basic tips/guides in some key areas.  That’s a nice touch and certainly helps keep folks on track understanding what they are (or actually are not) seeing in the data.
  • Mo’ Stuff  -- And Harlan teases me about my blogging output!  He’s able to find time to post regularly during the week.  I have to save it up for the weekend!  In this post, among the many great tool finds, he covers timeline incongruities and the NtfsDisableLastAccessUpdate value, as well as Mark Woan’s tools (more on that in a moment).  Back to timelines…on a system I was dissecting, I had observed two different login events that the timelines just didn’t make any sense on.  Instead of chalking it up as “just one of those things” I made note and set it aside.  Eventually, after additional analysis work and data collection, I finally was able to realize that the event element wasn’t “wrong”, but that I had made the initial mistake of placing it in the timeline where I expected it to normally be, rather than where in the timeline activity sequence it really happened. Once I did that, I was back on the right track and a whole new door of system activity became clear and fell into place.  Data and the elements that lead to timelines can be manipulated, destroyed, or “spoofed” by skilled folks, but doing so globally is very challenging.  In the absence of evidence casting doubt on the validity of that data, sometimes you have to accept (with a grain of salt) what it is telling you and trust it to clear things up down the road if you are faithful to it.
  • USB Key Analysis vs. USB Drive Enclosure Analysis and Updated: Computer Forensic Guide To Profiling USB Thumbdrives on Win7, Vista, and XP – two great posts on the SANS Computer Forensics, Investigation, and Response blog.  With the proliferation of portable storage devices, this is one area incident responders need to be familiar with.  BTW, many locations that deploy “whole disk encryption” may also be able to set policies to force encryption of attached USB storage devices.  I point that out because if the encryption policy is set with a remote server, that server may also contain log data of portable USB device usage on the local system.  That could be valuable “witness” information to corroborate findings on the local system. Regripper will provide great registry information on connected devices as will Nir Sofer’s free USBDeview utility.
  • woanware – Amazing toolset collection – As mentioned earlier, via Harlan’s post, I tripped over to Mark Woan’s incredible collection of utilities.  Way too much to mention in this post.  However, I really have been focused on both RegExtract which contains at least 65 plugins to query a Windows Registry for “key” data as well as gmailparser to look for browser cache remnants of Gmail usage, and ChromeForensics for parsing data out of Google Chrome/Chromium usage.  The micro csv2html tool is one of those brilliant tools that simply does what it does (turn a CSV formatted file into HTML table format) very well. ipsorter, NetCalc, and NoteTaker might appeal to the broader sysadmin audiences as well. Hop over there and make Mark proud.
  • ChromeAnalysis - Google Chrome Forensics from (and FoxAnalysis) could be useful in a pinch.  I always like having more than one tool that does the same thing so I can get a “second-opinion” if I’m not 100% sure about the validity of what I am capturing.  It also goes without saying that Nir Sofer’s collection of Browser Tools must be in your toolbox by this point.
  • I’ve been banging my head on my cubicle desk lately as I’ve been having to process a disk IMG file or two and a few of the Nir tools (and others) that I have been needing to use are “verboten” by our Symantec AV solution.  I guess I could make a whole nother physical system sans Symantec but it’s a lot of work transferring my otherwise stocked utility kit to that system.  But executing, even in memory, any of those tools sets off a slew of “infection” alerts.  I finally arrived at a clever (to me) workaround.  As I am mounting the Image files (read-only mode) to my system, they then become visible as a drive letter.  So I created a Windows Virtual PC system, left off SAV, and configured it to attach (share) the same drive letter as my image file is using proper.  Then I can download/execute the particularly offensive system utilities safely and easily within the VM and point them to the “mounted” source image as needed. No alerts and I am able to use the tools.  It’s not elegant but it does the work in a pinch.
  • Matthieu Suiche has put out a Call for Beta-Testers :: windd utility RC2 (32-bits & 64-bits). If testing out a memory-imaging tool is your thing, drop Matthieu a line. He specifically is looking for folks that have more than 4GB system RAM to test it with.  See also his Windd Windows Physical Memory Imaging Utility info page as well as his direct link to windd RC2.
  • Decrypting a PointSec Encrypted Drive Using Live View, VMWare, and Helix -- SANS Computer Forensics, Investigation, and Response blog.  It’s a lot of work but it is in process a bit similar to what I have to do using my Custom Win PE Boot Disk geared for PGP WDE systems.  You can either decrypt the entire drive (long and time consuming), or you can boot with a PGP driver-injected PE disk, pass off the encryption authentication token/passphrase, and then rip an image (through the PGP driver) of the “unencrypted” physical drive at the sector level.  I’ve done a few and it works like a champ.
  • Welcome to the Rule 26 Blog – interesting IT/forensics blog from the legal-eagle perspective.  IANAL so a few of these sites go a long way to helping me appreciate the issues (and procedures) needed to keep on the good side of incident-response legal issues.  They also have some nice forensics-response material (tips) as well.
  • EDD Update: The Death of Imaging – Eric Blank seems to be--what we as kids would say—hard at work  “…poking at a fire-ant bed with a stick too-short”.  That said he does make a few interesting observations, including the storage-space race to the 1TB level and beyond.  As these capacities become more and more common-place, the thought of taking a forensic image becomes more daunting.  Not impossible, but challenging; particularly when actually filled with that much data.  Instead Eric seems to prognosticate that “Live file extraction will become the de facto method of gathering ESI.”  In fairness, Eric does clearly acknowledge the value of bit-based imaging and the data it provides.  However he seems to suggest that live-file extraction (only those files visible to the system, and not what sits in unallocated space) will be the way to go.  Then drop down to the comments as Wayne Kerr reminds Eric that he is not addressing “live-image” forensic imaging software and methods.  I would add that I didn’t see forensic live memory captures or network forensic captures mentioned in the post either. Both provide critical additional data for understanding a suspect system; that data is volatile and, when not captured, may vanish for good.  Eric’s response to Mr. Kerr was telling, “Live forensic imaging (as described in your comment) is an invitation to disaster and spoliation. … Live imaging exposes electronic data to inadvertent destruction and alteration.”  Eric does note (point agreed) that network based live-imaging can be very slow as well.  However, in some cases, this might be the best and least intrusive manner to capture critical data that would otherwise be lost and destroyed…which is where the casenotes and detailed documentation come into play.  And while by nature, executing code on a suspect system (memory image capture or “remote” disk-image sector capture) impacts it, if done correctly the impact can be minimized and the benefit might outweigh the “spoliation”.  
Kudos to Eric for bringing the discussion to the table.
  • Finally for all you Google Trends watchers and Google search addicts, two posts from McAfee Avert Labs blog were a bit interesting from the security-watch front this past week:  Searching for Malware Data Likely to Lead to More Malware and Google Trends Suffering Abuse Today.  Bottom line is that rogue A/V makers are seeding Google with linkage back to their sites so that unwary users looking for solutions to malware, trojans, and viruses may be tricked into visiting their sites looking for relief but instead find themselves hammered with more virus/malware headaches than they had to begin with.  Sad.  Likewise, they also seem to be keeping an eye on hot Google Trends and seeding sites of their own creation in a way to also appear at the top of ‘hot search’ result pages as well.  Check those search-links carefully before you click that link!  Know where you are going and avoid those darker alleyways unless you really know what you are doing and are well shielded.
  • Alex Eckelberry’s Sunbelt Blog has been an excellent digest of malware-related issues and topics.  It has traditionally been the place to go for information on emergent rogue anti-malware products plaguing users.  However, in case you missed the link in the item above, Sunbelt Software is now also hosting the Rogue Antispyware blog which provides a constant stream of current information regarding this particular “class” of malware infections.  Malwarebytes blog also identifies many of these rogues and provides removal tools and tips as well in most all of their “rogue” posts. Finally the Microsoft Malware Protection Center also details updates to their handy MSRT (Malicious Software Removal Tool) as well as providing interesting rogue/malware analysis details from time to time.  (Sadly, even the official MSRT tool isn’t immune from being spoofed by its own rogue version: Different Strategies of Win32/FakeAV - CA Security Advisor Research Blog).
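The timeline mix-up described in the “Mo’ Stuff” item above (an event placed where you expect it rather than where it actually happened) usually comes down to mixing time sources that use different clocks and encodings. The script below is an added example written for this post, not code from Harlan, RegRipper or any other tool mentioned here. It takes a handful of constructed events (a logon record written in the host’s local time, and FILETIME values of the kind found in $MFT and registry LastWrite times), normalizes everything to UTC before sorting, and flags file last-accessed times as low confidence when NtfsDisableLastAccessUpdate is in effect. The event sources, user name, paths and timestamps are all made up for the example; the UTC-5 offset is an assumed Central Daylight Time setting on the imaged machine.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a raw FILETIME integer (registry LastWrite, $MFT timestamps) to aware UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def local_to_utc(local_text: str, utc_offset_hours: int) -> datetime:
    """Interpret a 'YYYY-MM-DD HH:MM:SS' string in the offset the source machine used, then convert to UTC."""
    naive = datetime.strptime(local_text, "%Y-%m-%d %H:%M:%S")
    source_tz = timezone(timedelta(hours=utc_offset_hours))
    return naive.replace(tzinfo=source_tz).astimezone(timezone.utc)


# Constructed sample events (not from any real case). The logon record is in the host's local
# time (assumed UTC-5, Central Daylight Time); the $MFT and registry values are FILETIMEs.
SAMPLE_EVENTS = [
    {"source": "Security.evtx", "kind": "logon", "raw": "2009-09-10 09:04:30", "utc_offset_hours": -5,
     "desc": "interactive logon, user jdoe (constructed)"},
    {"source": "$MFT", "kind": "created", "raw": 128970650100000000,        # 2009-09-10 14:03:30 UTC
     "desc": "C:\\Users\\jdoe\\Downloads\\setup.exe created (constructed)"},
    {"source": "$MFT", "kind": "accessed", "raw": 128970650500000000,       # 2009-09-10 14:04:10 UTC
     "desc": "C:\\Users\\jdoe\\Downloads\\setup.exe last accessed (constructed)"},
    {"source": "NTUSER.DAT", "kind": "regwrite", "raw": 128970651000000000,  # 2009-09-10 14:05:00 UTC
     "desc": "UserAssist subkey LastWrite (constructed)"},
]


def normalize(event: dict, apply_offset: bool = True) -> datetime:
    """Return the event's time as aware UTC. apply_offset=False reproduces the mistake of
    treating a local-time string as if it were already UTC."""
    raw = event["raw"]
    if isinstance(raw, int):
        return filetime_to_utc(raw)
    offset = event["utc_offset_hours"] if apply_offset else 0
    return local_to_utc(raw, offset)


def build_timeline(events, apply_offset=True, last_access_updates_disabled=True):
    """Sort events into one UTC timeline and flag timestamps that cannot be trusted.

    On Vista and later NtfsDisableLastAccessUpdate defaults to 1, so a file's last-accessed
    time usually stops being maintained; such entries are kept but marked low confidence."""
    rows = []
    for ev in events:
        note = ""
        if ev["kind"] == "accessed" and last_access_updates_disabled:
            note = "LOW CONFIDENCE: last-access updates disabled on this volume"
        rows.append({"utc": normalize(ev, apply_offset), "source": ev["source"],
                     "kind": ev["kind"], "desc": ev["desc"], "note": note})
    rows.sort(key=lambda r: r["utc"])
    return rows


def kinds_in_order(events, apply_offset=True):
    """Just the sequence of event kinds after sorting, handy for comparing the two readings."""
    return [r["kind"] for r in build_timeline(events, apply_offset)]


if __name__ == "__main__":
    for label, apply in (("local time mistaken for UTC", False), ("normalized to UTC", True)):
        print(f"--- {label} ---")
        for r in build_timeline(SAMPLE_EVENTS, apply):
            print(r["utc"].strftime("%Y-%m-%d %H:%M:%S"), r["source"], r["kind"], r["desc"], r["note"])
```

Run as-is it prints the timeline twice: with the logon string taken at face value it lands hours before the file was even created, and after normalization it falls between the file’s last-access and the registry write, which is the “where it really happened” ordering the item above describes. The offset has to come from the imaged machine’s own time zone settings, not the analysis box.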

In the wise words of HP world Auror Alastor Moody: “Constant Vigilance!”

Claus V.

Tool Stew

I’m tired just looking at this list!

So I’m passing these links on to you so we can share the burden together.

Windows Base

Network Veggies

  • The other day I mentioned NetGrok which is a clever Java-based network traffic visualizer.  I never was able to get it working on my Win 7 system, nor the Vista builds.  I spent some more time with it on my XP Pro system and still couldn’t get it working.  The Java kept erroring a nullPointer message.  I did load it up in a fresh XP Pro Virtual PC build and after following the steps and using the latest Java release I did get it working.  Not sure where the conflict is.  One of the tricks I learned is that the groups.ini file that controls the grouping display doesn’t use standard IP notation.  Nope, instead you have to set the IP addresses in Classless Inter-Domain Routing (CIDR) notation.  I hadn’t run into this format before but it was easy to follow.  Do a CIDR Notation - Google Search and you should be set.  One more thing, when you do get it running you will then need to use the menu-bar option to set the network adapter it should use.  Once I got it working it was very slick and cool.  Only it locked up after just 10 minutes of running.  Maybe it was a VPC thing…  Still hoping…

  • NetGrok uses the Jpcap set.  No changes with the version that is included in the setup package for it, but there is the link for the curious and watchful.

  • Related, check out Analyzer: a public domain protocol analyzer.  It worked pretty simply with no fuss.  However, I think that while it has a few things that are interesting as a packet-sniffer, the usual ones such as Wireshark, NetWitness Investigator Software, and Microsoft Network Monitor 3.3 fit my needs better.  For the full list see the recently GSD blogged Network Capture Tools and Utilities post.

  • NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer was one of the high-points in that post and I just found out that it was updated to version 0.89.

  • ZeroRemote v1.2.5 - (freeware) – Spotted and offered by TinyApps.Org Blog. Although I highly recommend and depend on the free version of ShowMyPC, I’m looking forward to playing with this one as well.  If TinyApps recommends it, it must be good!  Also related: Microsoft SharedView.
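For anyone who, like me, had not run into CIDR notation before the NetGrok groups.ini item above, here is an added example (my own, not NetGrok’s code, and the “Name = network, network” file layout is an assumption for the example rather than NetGrok’s real groups.ini syntax). It converts the familiar address-plus-dotted-mask form into CIDR, parses a constructed group file using Python’s standard ipaddress module, rejects entries that still have host bits set (the usual mistake when someone is new to the notation), and buckets constructed traffic flows by the most specific matching group, which is the same grouping job a visualizer does.

```python
import ipaddress

# Constructed group definitions in a simple "Name = net[, net...]" layout (an assumption
# for this example; this is not NetGrok's actual groups.ini format).
SAMPLE_GROUPS = """
# comments start with '#'
Corp     = 10.0.0.0/8
Servers  = 10.1.2.0/24
LAN      = 192.168.1.0/24
DMZ      = 172.16.5.0/26
"""


def to_cidr(address: str, dotted_mask: str) -> str:
    """Turn 'address + dotted-decimal mask' into CIDR, e.g. 255.255.255.0 -> /24."""
    return str(ipaddress.ip_network(f"{address}/{dotted_mask}", strict=False))


def parse_groups(text: str) -> dict:
    """Parse the sample layout into {group name: [ip_network, ...]}.

    strict=True makes ipaddress reject entries with host bits set (e.g. 192.168.1.5/24)
    instead of silently masking them, so a typo in the group file is caught up front."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, nets = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'Name = net[, net...]'")
        for token in nets.split(","):
            try:
                net = ipaddress.ip_network(token.strip(), strict=True)
            except ValueError as exc:
                raise ValueError(f"line {lineno}: {exc}") from exc
            groups.setdefault(name.strip(), []).append(net)
    return groups


def check_groups(text: str) -> list:
    """Return a list of error messages for a group file (empty list means it parsed cleanly)."""
    try:
        parse_groups(text)
    except ValueError as exc:
        return [str(exc)]
    return []


def classify(ip: str, groups: dict, default: str = "External") -> str:
    """Return the group whose most specific (longest-prefix) network contains ip."""
    addr = ipaddress.ip_address(ip)
    best_name, best_len = default, -1
    for name, nets in groups.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def summarize(flows, groups) -> dict:
    """Count flows per (source group, destination group) pair for (src_ip, dst_ip) tuples."""
    counts = {}
    for src, dst in flows:
        key = (classify(src, groups), classify(dst, groups))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    g = parse_groups(SAMPLE_GROUPS)
    # constructed flows, not captured traffic
    flows = [("192.168.1.55", "10.1.2.9"), ("192.168.1.55", "8.8.8.8"), ("10.1.2.9", "172.16.5.3")]
    for pair, n in summarize(flows, g).items():
        print(pair, n)
```

Note that 10.1.2.9 is inside both Corp (10.0.0.0/8) and Servers (10.1.2.0/24); longest-prefix matching puts it in Servers, which is what you want when a small group is carved out of a larger one.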

Browser Flavorings

  • Chromium Blog: Extensions Status: On the Runway, Getting Ready for Take-Off – Extensions for Chrome/Chromium are now coming down the pipe.  Nothing spectacular (Sample Extensions) just yet but I’m betting this will snowball pretty fast now.

  • woanware has an amazing collection of system utilities and some forensic-related tools to boot.  Particularly impressive is ChromeForensics which parses out the contents of the user-profile for Chrome and Chromium builds very, very nicely.  I was having trouble getting it to work with my Google Portable Chrome build.  Woany patiently spent some time with me troubleshooting and diagnosing.  In the end it turned out to be a freaky corrupt (but working fine) user profile.  I built a fresh portable Chromium build, downloaded the latest Chromium buildbot/snapshots, transferred my bookmarks over into it, and ChromeForensics worked perfectly.  The “Thumbnail” tab view is really spectacular.  Tip:  when you browse to import the location point it to the \default folder.  On my Vista\Win7 the Chrome folder location used is “C:\Users\Claus\AppData\Local\Chromium\User Data\Default” and for Chromium the folder location is “C:\Users\Claus\AppData\Local\Google\Chrome\User Data\Default”.   A few related freeware apps (not woanware) : ChromeAnalysis, and ChromeCacheView.

  • Silvermel :: Theme for Firefox. – I’m usually quite happy to stick with the standard/default Firefox theme. But I stumbled onto Silvermel and am overjoyed with it.  IT doesn’t remarkably differ from the default theme but it is much more polished and refined.  It looks smacking-delicious in NewsFox rendering.  The horizontal icon/bookmark spacing seems a bit wider than the default, but the vertical spacing is tighter. I’m not sure if the font is different but it seems easier to read to me.  Really classy theme.

  • NASA Night Launch :: Theme for Firefox and PitchDark for Fx :: Theme for Firefox.  Here are two very dark, almost “special-ops” looking themes for Firefox.  Nice for night-time viewing and/or when you need that edgy-techy dressed for success look for your fox.  It’s no small wonder that NASA Night Launch remains at the top of the most weekly downloads list for the Themes, beating the next popular theme almost 2-to-1.
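To show what tools like ChromeForensics and ChromeAnalysis are actually reading out of that \default profile folder, here is an added example of my own (not woanware’s code or anyone else’s). The History file in a Chrome/Chromium profile is a plain SQLite database, and its urls table stores last_visit_time as microseconds since 1601-01-01 UTC, the same epoch as a Windows FILETIME but in microseconds rather than 100-nanosecond ticks. The script builds an in-memory table with the column names Chrome uses, fills it with constructed rows (the URLs, titles and times are made up), converts the timestamps, treats 0 as “never visited”, and also shows how to open a real profile’s History by copying it first, since the live file is locked while the browser is running.

```python
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chrome/Chromium timestamps: microseconds since 1601-01-01 00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_utc(value):
    """Convert a Chrome timestamp to aware UTC; 0 or NULL means 'never visited' and yields None."""
    if not value:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))


def build_sample_history() -> sqlite3.Connection:
    """Create an in-memory database using the column names of Chrome's 'urls' table.
    Rows are constructed for this example, not taken from a real profile."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE urls (
        id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
        visit_count INTEGER DEFAULT 0, typed_count INTEGER DEFAULT 0,
        last_visit_time INTEGER NOT NULL, hidden INTEGER DEFAULT 0)""")
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "http://example.test/login", "Example login", 3, 1, 12897065100000000, 0),           # 2009-09-10 14:05:00 UTC
        (2, "http://example.test/download/setup.exe", "setup.exe", 1, 0, 12897065010000000, 0),  # 2009-09-10 14:03:30 UTC
        (3, "http://example.test/never", "Bookmark only", 0, 0, 0, 0),                           # never visited
    ])
    conn.commit()
    return conn


def load_history(conn: sqlite3.Connection) -> list:
    """Return urls rows as dicts with the time converted, newest first; never-visited rows last."""
    rows = conn.execute(
        "SELECT id, url, title, visit_count, typed_count, last_visit_time FROM urls").fetchall()
    out = []
    for rid, url, title, vc, tc, lvt in rows:
        out.append({"id": rid, "url": url, "title": title, "visit_count": vc,
                    "typed_count": tc, "last_visit_utc": chrome_time_to_utc(lvt)})
    # sort key: visited rows first, then newest visit first
    out.sort(key=lambda r: (r["last_visit_utc"] is None,
                            -(r["last_visit_utc"].timestamp() if r["last_visit_utc"] else 0)))
    return out


def open_profile_history(profile_dir: str) -> sqlite3.Connection:
    """Open the History file in a profile folder (the ...\\User Data\\Default directory).
    Works on a copy opened read-only: the live file is locked while the browser runs."""
    src = os.path.join(profile_dir, "History")
    tmp = os.path.join(tempfile.mkdtemp(), "History")
    shutil.copy2(src, tmp)
    return sqlite3.connect(f"file:{tmp}?mode=ro", uri=True)


if __name__ == "__main__":
    for r in load_history(build_sample_history()):
        stamp = r["last_visit_utc"].strftime("%Y-%m-%d %H:%M:%S UTC") if r["last_visit_utc"] else "never"
        print(f'{stamp:24} visits={r["visit_count"]} typed={r["typed_count"]} {r["url"]}')
```

The typed_count column is worth a look alongside visit_count: it separates addresses the user keyed in from ones reached by following links, which is the kind of distinction a second-opinion tool can help confirm.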

Meaty Tools

  • SpaceSniffer - (freeware) – Yep, one more hard-drive file/folder size visualizer (of many such great Pocket Hard-Drive Utilities).  I like the text labels very much. It also supports several different views, can scan NTFS Alternate Data Streams, is portable (no install needed), and uses an XML file for saving settings…not the registry.  Nice!

  • InstEd -- (freeware) – I’ve used Orca (Microsoft's MSI editor) before to muck around with MSI files, as well as Universal Extractor to open them.  However InstEd comes highly recommended so I’m adding it to my toolkit.

  • ProcNetMonitor -- (freeware) – tool by Nagareshwar Talekar to help hunt down the chain from processes, to network connections, to ports.  See also CurrPorts, Process Explorer, and VStat.  ProcNetMonitor combines several of these abilities into one package.  Spotted at PenTestIT. Nagareshwar actually has a very large collection of PenTesting and password breaching tools at his SecurityXploded website. Check them out. Don’t forget about Nir Sofer’s Password Tools collection as well.

  • Paint.NET v3.5 Alpha, build 3533 -- (freeware) – New version recently released (Alpha so be warned).  I’ve got it operationally deployed on my Win7 x64 system and it really is fast and smooth.  Get it if you want to live on the bleeding edge.  I didn’t fully appreciate the number of Paint.NET community built Paint.NET Plugins that are out there as well.  Normally the base-set of included filters and features of Paint.NET are more than sufficient for my needs, but some effects are pretty cool and nothing like using a good plugin to get that perfect effect.  The thumbnailer application ImageWalker has some cool image filters as well, though I find the older version to have a more robust filter/effect set.  PhotoFiltre is another stunning tool for applying custom filters to images.  The version “X” is not free, but version 6 is still freeware as are a few other tools as well on the page.

I don’t know about you, but I’m pretty full!

Pending one more post later tonight from the forensics front.

Cheers for now.

--Claus V.

Saturday, September 12, 2009

SOS Linkfest: Tools, Tips, Stuff + Recipe!

It's Still Raining!

For the past few days the upper Texas coast has been slogging through a series of rainstorms.  Today we stayed pretty dry while the system moved more over the “Golden-Triangle” area and East Texas, leaving the metro-Houston area under a blanket of clouds and light precip.

Great day for couch-surfing and college-ball watching. The Cougs walked away with an upset but ND gave up their battle in the end.

SOS is the Best

It’s no secret that my favorite meal of the day is breakfast.  I’d eat traditional breakfast fare all day long if I could.

However, my most craved “breakfast” dish growing up and to this day is what we call “chipped beef on toast”.  Lavie will eat it though Alvis usually declines.  Old military guys refer to it as SOS.

A dreary and wet Saturday was an easy excuse to whip up a batch this morning.

My recipe variation is dead-simple, super-quick, and feeds me (or me and Lavie).  It is much lighter than this 1910 Manual for Army Cooks version that feeds 60 hungry troopers.

  • 2 Tablespoons butter
  • 2 Tablespoons all-purpose flour
  • Pepper (large-grind is my preference) to taste
  • Combine butter/flour/pepper in saucepan or medium-sized skillet over low to medium-low heat until melted.
  • Stir well (I use a wire whisk) and let get “bubbly” for about 1-2 minutes.  Watch carefully so the roux doesn’t burn, otherwise the gravy will not be white (though still good).
  • Take 1 cup whole milk and add to roux.  (to speed things up, try microwaving the milk first for 30-45 sec.)
  • Whisk well to combine and get roux fully incorporated.
  • Bump up the heat to medium or a touch shy of medium. (your range may vary)
  • Find as much thin-sliced ham or beef lunchmeat as you care for. For me usually two packages of “Buddings” brand does nicely.  “cube” it up into fingernail-sized bits and add to gravy.
  • Continue stirring gravy mix now until thickened and meat has had a chance to warm up.

If it gets too thick (my preference is to be able to cling to a spoon held upside down) just add a bit more milk to thin (Lavie’s preference).

While it can be served over whole pieces (shingles) of toast, I prefer to cube up the toast first. Makes it easier to get it into my pie-hole faster!  In the past I used to tear the toast slices but I’ve found that using either of two tools can make fast and consistent work cubing up toast. Like Alton Brown of Good Eats! I like a kitchen multi-tasker.  Try cubing the hot toast with either a pizza cutter or a chopper/scraper.  Both work great!

I don’t add salt as the meat takes care of that to my tastes.  I do add the pepper immediately when making the roux as I think it brings out the oils in the pepper a bit and infuses the gravy better.

Couple this with a few hard-fried eggs and some hot coffee.


Beautiful Gantts

The Boss (the work one) requested that I convert my procedure checklist for our IT ops on opening up a new office (fulfilling and implementing the phones/network/server components) into more of a visual format so it was easier to see how all the different resources (IT staff) could be tracked.

Sounded like the perfect excuse to put it into a Gantt chart.

Among the various project management software items I posted before, I could have just reached for MS Office Project.  Unfortunately, only a few of us at work have MS Project.  I wanted something a bit more shareable.  The freeware tool ΤΙΜΙΟΣ Gantt Chart Designer is mighty easy to use (and portable!) but not really shareable.

I did find this awesome Office move plan (US units) – Template at Microsoft Office Online.  It is Excel compatible and is over the top with views.  I saved it to pick apart later.

Instead I picked through a few other really nice (and free) Excel templates for Gantt charts.

In the end I went back to my old standby (and updated to a 2009 release) that is compatible both with MS Excel 2003/2007 versions.

David’s been hard at work and his Design, Productivity, Inspiration, and Empowerment web-site is now officially “off-the-hook!”

Once I downloaded the Version 2 (2009) Gantt chart and after a few hours had it populated with my project template data and sent off to Boss (duly impressed I must say), I went back and found some great material on David’s site.

Couple some of these materials and David’s productivity and organization tips with many of the life-orienting productivity tips from Zen Habits and you might find some B-12 for your brain!


I’ve been generally happy with Blogger as my blogging platform.  It is solid and I can tweak it to my heart’s content.

Last week I was chasing web-rabbits and somehow ended up stumbling upon Posterous.

Basically it’s a blogging platform that you can manage by sending emails to.  Sure Blogger can do that as well, but the pages have nice design and look and it can handle pictures, videos, as well as text content with some fancy formatting.

You can even add Google-Analytics code to it for tracking.

I’m not planning any switches but I like it and it seems to be gaining a modicum of popularity so I thought I would stake out a Grand Stream Dreams spot just to be safe.

I’ve not really got anything in mind for it quite yet but I do like having a “go-to” option for getting post material uploaded via email on the quick.

Tools of the Trade

I love a good set of tools.  My humble collection fits my needs but isn’t nearly as substantial (and cool) as either of my late grandfathers’ tool collections.

While checking my feeds out I was intrigued by this Retro Thing post:

In the past I used to change my own watch batteries but my latest pair of daily watches have the fancy backs that require that special tool to twist off.  This looks like it could fit the bill nicely.

That reminded me (somehow) of this Hard Drive Errors and Replacements post over at SANS Computer Forensics, Investigation, and Response blog.  I’ve got a couple of dead-drives I’ve been wanting to open up to use as objet d'art for my desks.  Only they have that micro-Torx (?) screw head.  So I found that Amazon has quite a few nice micro-bit kits as well: SMALL TORX SCREWDRIVER SECURITY TAMPER PROOF HOLE T5 T6 T7 T8 T9 T10 T15: Home Improvement, or 33 pc. Security Bit Set: Home Improvement, or Maxtech 16521MX 32-Piece Precision Bit Set: Home Improvement.  I’m still going to try the mega-home improvement stores first but these look like a good backup plan.

Do any of the GSD faithful have any recommendations for HDD lid screw bit kits?  I’m open to suggestions!

“9” – Short Edition

I’ve really been intrigued by the trailers for the movie 9 (2009 film Wikipedia link).

So when I found this Geek Dad post 9 Things Parents Should Know About 9 over at Wired! I took the bait and read on with curiosity.

After that I hit the already provided Wikipedia link to get the plot (now spoilt but still sounds good).

Turns out that the full-length version of 9 was based on the short film 9 (2005 film Wikipedia link).

Amazingly, that short-film is up on YouTube in standard and HD versions!

  • YouTube – 9 - Shane Acker’s original short film/cartoon now adapted into a full CG movie

It’s just over 10 min in runtime and though it doesn’t give away any of the full-length movie plot points, it is a great film and great to watch for all you steampunk fans.

For Lavie only (OK if Alvis peeks also): New Moon

Yep. She’s a Twilight fan. 

I’ve read the first book and found it fun.  I’ve seen the movie with the girls on DVD more times than I can now recall.

Lavie’s consumed/devoured/gorged herself on all the current books in the series as well as the “official” unofficial release of the first book (Midnight Sun) from Edward’s perspective.  Lavie has also gotten lost in the depths of the Twilight fan-fiction sites now.

I was able to bring her up today for this; New Moon’s latest trailer.

Nothing like the rain to bring out the fun.


--Claus V.

Monday, September 07, 2009

Thoughts on A Close Cut (or getting “decked” on purpose)


vectorized version of Stewf’s cc Flickr photo: Official Hair Styles for Men and Boys

Let’s take a diversion from the normal tech/info-sec related posting routine for a moment.

I never paid much attention to my hair-cut growing up.  It didn’t matter (and I had no choice) up until jr. high; up to then the little-boy’s cut ruled.  Then began the constant battles between me and the parental units.  I preferred a length that completely covered my ears and fell in the back to cover my collar.  I wasn’t a “hippie” or anything, I just had some identity issues with my ears (they seemed to stick out too much) like many young men.

In high-school I graduated to the “wing-cut” style for the first two years where you would carry that funky large-n-curvy “Goody-brand” styling comb and “flip” the sides over and back to give a “wing” effect. The crown was loosely parted down the middle. When not in use, the oversize comb was stuck in the jeans behind the wallet appearing about 1-2 “ above the pocket top.  Sound familiar any of you 80’s youth?

Then for my final two years in high-school I had more of what I would call a “spike” top of at least 1-1/2 inches, but the rest was fairly long.  I guess that was the style in the mid ‘80’s.  I don’t remember much about my college & early wedded bliss cut style though I guess Lavie might consider it to be (smirkingly) a short mullet style.  For one brief summer in college the back did get long enough to put up in a mini-pony which Lavie continues to chastise me for even to this day.  That “grew” out of an extended college group camping expedition to Big Bend Park in Texas.

It has only been in the past 5 or so years that I have transitioned to a flat-top, much to most everyone’s approval.

I say “most” everyone because Lavie is still of the opinion that I look much more handsome with a longer length haircut as well as “…missing running my fingers through your hair” stuff.  I just say “rub my Buddha-man’s head for good luck”.

I made the change for a couple of reasons; first and foremost was the fact that it was much cooler in the summer.  I have an oily skin type and since I shampoo daily, it helps with the oil-control.  Being an IT geek I sometimes am required to go into ceiling space or under/in IT equipment.  In all those cases having the insulation, ceiling-panel bits, dust, etc. in my longer hair was maddening.  With a flat-top it is just wipe and go.  Rain is fun and not a distraction.

Most of all however, I think it helps me feel more mentally focused, ready-for action, and outwardly conveys the inner-discipline I am constantly trying to project and improve on.  Call me crazy (maybe the ladies can understand) but I can tell a real change in my mental-state when my hair grows out “too long”.  I just don’t have the same energy level and attention to detail.  Kinda like Samson in reverse.

I’ve never really considered if my flat-top style has any particular “official” name.  My regular barber knows to “skin me on the back and sides” and make it super-short & flat on top.

I went through a few cuts where he actually shaved down the sides but generally it was a slow evolutionary process to get comfortable going from the #1 or #2 blade on the sides down to my now-preferred #0 (or is it #000 or #00000) blade.  I’m not certain if anything past a #000 makes that much of a difference though technically you can find blades that close.  A good scalp-scrubbing with the “tightest” blade at hand usually does the trick.

I was looking for a version of a classic “crew-cut” barber-shop poster I once saw while in a former (I believe) Navy-man’s one-man barber shop out in El Cajon, California when I came across this one Official Hair Styles for Men and Boys on Flickr.  It’s not the same (though I have seen variations on this one as well). His had a number of different military cuts displayed, all crew/flat in nature.  Finding that poster is one of the things that got me started on this post.

Turns out (after donating at least a few hours of my time to Google search) that my “official” flat-top haircut style is known as the Horseshoe Flattop Barber Haircut Style.  It gets its name from the fact the sides are “high & tight” and the top is cut so short and flat that if someone looks down on it, it looks like a horseshoe of hair.  Now I know.  The illustrative picture on that page is very close to how mine looks when fresh.

The Shave of Beverly Hills also notes details on other flat-top styles including the more traditional Flattop Barber Haircut Style as well as the Buzz Cut Hairstyle.

Wikipedia also has information on assorted close-cut haircuts; the High and Tight, the Crew cut, and then the Buzz cut.

Ed Friedlander MD maintains the extensive (and illustrative) Flat-Top Crewcuts page.  I noted with amusement the following observation he makes:

I have noticed that flattops are especially popular with computer geeks, weight lifters, police officers, and professional military men. All are no-nonsense, self-sufficient, hard-working types.

Curiously, in both our own IT shop as well as that of a sister-agency we regularly interface with, I think only one other guy besides me wears his hair this short, and it is a buzz-cut.  That’s not including the guy who is almost a doppelganger to my brother who just shaves his entire head.  Not that I’ve got anything against that particular style, but it doesn’t seem to qualify.

I found the wonderfully detailed Buzztown Barber Shop website as well that has a great collection of barber-shop lore and stories including a number of them focusing on buzz/flat-top cuts and tips.

If you are ever passing through far East Harris County and are looking for a great “old-school” barber-shop I recommend the Trophy Barber Shop.  The decor might not be for everyone’s taste but it certainly is a local area landmark.  All the barbers are great and their diversity makes for greatly entertaining banter.  It’s my personal barber shop of choice. No TV’s are present though when there is a lull (rarely) in the clippers you might catch some music.  And they still use sharp straight-razors and old-fashioned heated shaving foam to clean-trim the edges of the cuts.  The stately former shine-man and consummate gentleman Mr. John Cooper has long since retired from his shine station, but for the longest time his tiny black & white TV could be seen hidden under a chair displaying a mid-day Astros baseball game.  Now that he is sadly gone, it is gone as well.  And if your appetite is needy after a mid-day Saturday buzz, nothing better than to follow it with a trip across the street to Roosters for some great local burger fare.

In the past (being borderline OCD) I would sometimes come home and “fine-tune” my flat-top with my own clipper set.  Invariably there always seems to be a few stray long hairs that failed to muster for their cut-down. Nobody would notice but it drives me nutty.  Long ago I had picked up a particularly nice set of hair-clippers and it does the job awesomely.  While the shortest setting is probably comparable to a #0 blade, a good scalp-scrubbing with it does the “high and tight” treatment quite nicely.

I’ve also been known (in a pinch) to take the clippers to my head and do my own full flat-top treatment.  This generally occurs when my work-schedule causes me to miss the barber-shop hours of operation.  Something happening much more commonly now, despite Trophy now keeping the shop open during the week-day until 7pm to attract straggling customers like me.  I’m sure the economy has something to do with that decision as well.

While doing my own flat-tops I find it much easier to do when it is already fairly short since the last cut.  I generally go two-weeks between cuts.  Then it is merely a matter of following the existing cut but just making it shorter again.  This weekend I was really out of whack with circumstances causing me to go over four-weeks since the last cut.  It was still short but more of a standard “man’s cut” traditional length (to Lavie’s delight).  Being that long it was too challenging to try to get the flat-top cleanly polished off myself so I just buzzed the sides and back down “high-n-tight”, then ran a tight #1’ish buzz on the top, forgoing the flat.  Next weekend (if time allows) I will get it “professionally” horseshoed at the barber shop, or if time is not my friend, I will have a much easier time decking it myself.

I can get the transition/taper on the sides handled nicely myself, but to be honest, getting the fade-line in the back perfect is still challenging.  Fortunately Lavie is accommodating and is adept at polishing it off for me.

While not directly related to hair-cuts, I did find this site The Fedora Lounge to be pretty fun as well in covering a number of gentlemanly topics.

Now back to regular programming.

--Claus V.

FireCAT 1.5 “Plus” Add-On Collection

In yesterday’s GSD post I noted the following:

Both of these tools brought me back to the excellent FireCAT 1.5 collection of Firefox add-ons used for security/network/pen-testing and other high-value activity in Firefox. FireCAT is maintained by Security Database Tools Watch.  Check out this FireCAT 1.5 PDF for the full list and if you don’t want to pick-n-choose hop over to the lover-ly Firecat package for Firefox Files on to get the whole collection at once.  What surprises me is that no-one has yet submitted it as a Firefox Add-ons Collection.  Looks like I may need to crank up a “standalone” profile of Firefox called FireCAT, install them all, then upload the collection like I did for my Claus Valca’s Extension List (Home).  What think thee? Useful perhaps?

I had searched the Collections :: Add-ons for Firefox for a FireCAT set but didn’t find any.

Sure you can hop over to the Security Database site for FireCAT (linked above) and download them individually via their great downloadable PDF sheet, or the HTML page, or even get (almost) the whole deck from the package put together by Jean-Nicolas.  But a Mozilla Collection would make it easy to see them all and pick-n-choose quite nicely as well.  Unfortunately I couldn’t find one.

Well, this Labor Day holiday morning I pulled the trigger and did it, building a modified “plus” set after a bit of work.

Full props to Security Database who maintains the project and Jean-Nicolas who combines (almost all of) them into a single downloadable ZIP file for making my effort much easier.  I didn’t do the heavy-lifting.  I just assembled the pieces over into the Mozilla Collection.

I offer to you the…

Some Very Important Considerations

  • Neither this collection or Jean-Nicolas’s contain the full collection.  You need to check the Security Database FireCAT 1.5 page to see the full list.
  • There are some additional applications that need to be installed that leverage the power of one or two of these.  Again, see the FireCAT 1.5 for the full scoop.
  • I seriously don’t recommend installing all of them in your Firefox browser at one time.  Really.  Review them all and select only the ones you need. There is some serious fire-power here.  You may throw the planets out of alignment if you try to do so. Don’t blame me if NASA comes looking for you afterward.
  • To build this set, and ensure maximum compatibility (and not nuking out my daily Firefox browser build), I used the Portable Apps Portable Firefox 3.0.13 build.  This allowed me to build an isolated version.  You could also try the Portable Apps Portable Firefox 3.5.2 build.  However some of the add-ons are not 3.5.x supported (and vice-versa).
  • I also had to do some about:config tweaking (Updating add-ons - MozillaZine Knowledge Base) to disable compatibility checking and what-not.
  • I did toss in a few other add-ons I just feel are germane as well; hence the “Plus” designation. These include (but are not limited to) the Enhanced History Manager (manage your history), CacheViewer (manage your cache), NoScript (manage your scripts when surfing), BetterPrivacy (Flash cookie LSO manager), Add-on Collector (to generate the list), Adblock Plus (nuke ads), Close'n forget (target-wipe tabs accessed), Microsoft .NET Framework Assistant (along for the free-ride), HttpFox (HTTP page sniffer), and the MR Tech Toolkit (to manage compatibility issues). I also forgot to add-in the FF Guru recommended Gcache Plus (open pages stored in Google’s cache).
  • Yes. I do know there are quite a few “toolbars” in this collection.  I generally avoid all use and installation of browser toolbars. However these have been recommended due to their support of some advanced/global searching features and/or the additional tools they provide among all the other non-sec/pen-test features. Read carefully before installing to ensure any particular toolbar is what you want.
  • OS platform compatibility has not been tested; what works on XP 32-bit may not work on Windows 7 64-bit.
  • Have I mentioned I seriously don’t recommend installing all of them in your Firefox browser at one time? Yes? Just making sure.
  • This collection has not been endorsed by either Security Tools (and their FireCAT project) or Jean-Nicolas. Hopefully they won’t mind the extra attention and access this provides users to their work.

Umm. Claus? What is FireCAT?

Good question.

From the Security Watch folks:

FireCAT (Firefox Catalog of Auditing exTension) is a mindmap collection of the most efficient and useful Firefox extensions oriented application security auditing and assessment

FireCAT 1.5 will be the last release of this 1.x branch. In fact, we are working on a new improved version 2.0 (management of plugins, instant download from security-database, ability to add new extension, extension version checker, Firefox 3.X compatible extensions..)

I’ve posted some links (and contributed a few add-on extension suggestions) to FireCAT in the past here.  Check these out for more information.

If you are a system administrator, security consultant, network administrator, penetration tester, tin-foil hat wearer, or web-junkie, you might need something out of FireCAT.


--Claus V.

Sunday, September 06, 2009

Security and Forensics: Perimeter Edition

Hold that line!

Forensic Style

  • Windows Incident Response: Virtualization – Windows Incident Response blog – Harlan Carvey takes a look at how virtualization is keeping the goal-posts moving for forensic examiners.  Great supporting link-set to explore.

  • Papers, Tools, and Such – Windows Incident Response blog – Harlan Carvey moves on with a round-up of various materials to enhance your forensic focus.  Of particular interest was a note “…of master's thesis from Greg Roussas titled "Vizualization of Client-Side Web Browsing and Email Activity"..” (PDF).  Pretty interesting stuff and the paper also contained quite a lot of current tools worth looking into specifically related to email-forensics.

  • Goin’ commando – Windows Incident Response blog – Harlan Carvey’s third post ponders the thought on moving from a reliance on commercial-forensic suites for analysis to task-specific and/or freeware/Open Source tools.  I certainly can say that there is no way I could justify our department outlaying the cost of a full-bore commercial forensic suite.  However with a good skill-set, and familiarity with the wonderful number of tools and scripts available for free due to the good-graces of the development community, as a system-administrator, I can take a pretty good assessment and analysis of a system at hand, anyway. Bravo!

  • Flash Cookie Forensics – SANS Computer Forensics, Investigation, and Response blog – Really timely article on how to leverage the information in the “hidden” Flash cookies often overlooked by both user and analyst.  Great info.  For more info see this related GSD blog post: Tip: Managing Flash Cookies.

  • Forensic PC anti-contamination procedures – Computer Forensics Forums – Fascinating discussion thread regarding whether/how to “sanitize” a disk before re-using it to host a new imaged system.  In my non-forensics IT work I still prefer to use Windows Diskpart to “clean /all” and zero out all the sectors on a drive to prepare it for the next usage.  In fact, it is our policy that if we are going to re-issue a system from a previous owner to a new one, we zero-out the drive before putting the fresh (file-based) image on it.  Our thinking is that this scrubs the system of the prior user’s data as well as ensures that any activity (especially in the non-allocated space) can be attributed to actions taken while in the new-owner’s custody.  Yes, it adds a bit of time on the system prep but it could save a lot of explanation and analysis on the back-end if needed.  While we use an “all-zero” pattern, I liked the thread post that mentioned using a particular key-word pattern instead.  Funny.

  • DEFT Linux v5 road map and features – DEFT Linux – Looks like this great forensics live cd is getting a fresh coat of paint and engine-work!  Besides application version updates, there is a tease regarding “Dhash 2.0 (now with imaging tool)”.  Expect a beta-release early October 2009 and a final release in November.  I really like DEFT and a few other of the “forensic live cd 2.0” builds that have been released in the past year.  Nice to see this line of tools is continuing to evolve and thrive.
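A read-only check that a drive (or a raw image of it) really was scrubbed before the fresh image goes on, covering both the all-zero fill and the key-word pattern mentioned in that Diskpart thread; this is an added example, not the post’s or diskpart’s own code, and the physical-drive path in it is a placeholder while the sample runs against a constructed image file.

```python
"""Read-only check that a drive image was actually scrubbed before re-use.

Added example for this post, not the author's or diskpart's own code.
Assumptions: the target opens as an ordinary file (a raw-image file here;
a physical drive such as the placeholder PHYSICAL_DRIVE below needs admin
rights and sector-aligned reads, which the 1 MiB chunk size satisfies).
"""
import os
import tempfile

CHUNK_SIZE = 1024 * 1024                 # 1 MiB reads, sector aligned
PHYSICAL_DRIVE = r"\\.\PhysicalDrive9"   # placeholder, not a real target


def verify_wipe(path, pattern=b"\x00", chunk_size=CHUNK_SIZE):
    """Scan `path` from offset 0 and return (clean, first_bad_offset, bytes_ok).

    `pattern` is what the wipe should have left behind: b"\\x00" after a
    zero-fill, or a key-word string if the drive was filled with a marker
    pattern instead. `bytes_ok` counts bytes verified before the first
    mismatch (the whole target when clean).
    """
    if not pattern:
        raise ValueError("pattern must not be empty")
    plen = len(pattern)
    # Reference long enough to cover any phase of the pattern within a chunk.
    ref = pattern * (chunk_size // plen + 2)
    offset = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk_size)
            if not block:
                return True, None, offset
            phase = offset % plen
            expect = ref[phase:phase + len(block)]
            if block != expect:
                # Narrow down to the exact first byte that survived the wipe.
                for i, (got, want) in enumerate(zip(block, expect)):
                    if got != want:
                        return False, offset + i, offset + i
            offset += len(block)


def make_sample_image(size, pattern=b"\x00", leftover=b"", at=0):
    """Write a constructed image file (never a real drive) filled with
    `pattern`, optionally planting `leftover` bytes at offset `at` to stand
    in for a previous owner's data that an incomplete wipe missed."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((pattern * (size // len(pattern) + 1))[:size])
        if leftover:
            f.seek(at)
            f.write(leftover)
    return path


if __name__ == "__main__":
    # Constructed 4 MiB image: zeroed except for a fragment at 2,000,000.
    img = make_sample_image(4 * 1024 * 1024, leftover=b"old user data", at=2_000_000)
    print(verify_wipe(img))          # (False, 2000000, 2000000)
    os.remove(img)
```

A non-None first_bad_offset is the spot to look at with a hex editor before the system leaves the bench, since anything found there cannot later be attributed to the new owner.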

On the Network

  • Web 2.0 for packets | pcapr – An additional packet-capture clearinghouse for folks looking to get sample/test network packet-capture data to work with.  Left via the comment on my related GSD Network Capture Tools and Utilities post.

  • In that GSD post, I mentioned both NetworkMiner as well as NetWitness Investigator Software.  I’ve had the chance to play with both of them a bit more.  I still tend to reach-first for NetworkMiner as it gives some very fast and easy to digest breakdowns on the network packet capture data.  However for much-more fine-grained sorting/searching/examination of the data, NetWitness is very hard to beat.  The only draw-back is that it has a very steep learning curve.  That said, I’ve uncovered a few videos that might be great introductions on using both products.  First, check out this YouTube NetWitness Channel for a series of nice video tutorials on using NetWitness Investigator.  And to compare/conquer both of them, see this wonderfully made video hosted on YouTube reviewing both products side-by-side in a demo (runtime 14m:30s).   (Note:  I don’t intend to make it a habit of embedding video links in posts, it’s just that some are more worthy than others and might be a better draw than the bare-link.)


  • NetGrok -- (free) – Java-based tool to help visualize pcap data and live traffic with both node and tree-map views.  Spotted via a PenTestIT post. Get the download from the netgrok - Project Hosting on Google Code page.  Yes, there is also a YouTube - NetGrok Screencast as well.  I downloaded the current package at time of this post onto my Win7 system and wasn’t able to get it running.  I’m going to retry on my XP system Tuesday.  I’m not sure if it is a Windows 7 compatibility issue or if it has something to do with the very latest version of JavaRE I am using.  However in the process I did find a few “gotcha’s” we Windows folks need to keep an eye out for.  I’m really excited about this Java-based tool so I really hope I can get it working.  Documentation is pretty thin so if you have used it and have any tips, please drop a line in the comments.
    1. Download and unpack the file. Mine was “”.
    2. Next go into the “lib” folder and then into the “Windows” folder and you will see two setup files: “JpcapSetup-0.7” and “WinPcap_4_0_2”.  If you don’t already have these installed on your system from an existing network tool, you will need to install these first.
    3. Finally I discovered that you will need to find and open the “bat” file (netgrok20080928.bat) which is used to actually launch the Java app.
    4. Edit it so that the first line “java -jar netgrok20080902.jar” reads instead as “java -jar netgrok20080928.jar”  Otherwise it won’t find the jar file distributed with a different name.

  • TNV @ – This is another Java-based network traffic/packet visual analyzer.  From the product page:

    “tnv is a visualization tool for analyzing network packet capture (pcap) data”

    “TNV depicts network traffic as a matrix with the packet capture timeline on the x-axis and all of the host IP addresses in the data set on the y-axis. TNV is intended for network traffic analysis for learning what constitutes 'normal' activity on a network, investigating packet details security events, or network troubleshooting. TNV can open saved tcpdump formatted files or capture live packets on the wire. “

  • InetVis – One more Java-based network traffic tool.  Provided by Network Security Visualisation M.Sc. Research by J-P van Riel.  This one is pretty cool in that it provides a 3-D matrix format to display the data coming in.  Really cool and the development version 0.9.5 now supports Windows.

  • Both the tnv and InetVis tools were found in this post: So fast - so more or less weekly: programming in pentesting is more than essential by “wishi” on the CrazyLazy site.  It actually has a deep list of Ruby and Python related projects for network work as well.  It’s an interesting site and I’m going to add it to my RSS feed list.

With the Firefox

  • HttpFox :: Add-ons for Firefox – Now this looks to be a clever-useful tool.  “HttpFox monitors and analyzes all incoming and outgoing HTTP traffic between the browser and the web servers.”  Cool!  Couple that along with Firebug :: Add-ons for Firefox and you’ve got a pretty powerful combo to sort out what is happening on your page-requests.

  • Gcache Plus – Firefox add-on spotted at the amazing Firefox Extension Guru’s Blog.  I’m often turning to Google cache to look at pages and pre-view changes or the content before “going-live” to the linked site.  This looks to be a helpful tool.

  • Both of these tools brought me back to the excellent FireCAT 1.5 collection of Firefox add-ons used for security/network/pen-testing and other high-value activity in Firefox. FireCAT is maintained by Security Database Tools Watch.  Check out this FireCAT 1.5 PDF for the full list and if you don’t want to pick-n-choose hop over to the lover-ly Firecat package for Firefox Files on to get the whole collection at once.  What surprises me is that no-one has yet submitted it as a Firefox Add-ons Collection.  Looks like I may need to crank up a “standalone” profile of Firefox called FireCAT, install them all, then upload the collection like I did for my Claus Valca’s Extension List (Home).  What think thee? Useful perhaps?

In the Reading Room

As I have no formal training in forensics and incident response (I’m working on it!) I have to rely greatly on scouring the net for the best forensics/incident response blogs and presentations/papers to study up and stay current on the latest tools, techniques and issues.  From the links above I found the following material particularly insightful and actually helpfully touched on a few issues I am currently engaged in.

On the Tool Trawler

One added bonus of spending time reading through assorted forensic papers and presentations is that I sometimes uncover new websites and tools that enhance the resources in my tool chests.  This is always a great and happy day when I can add more than a few additional specialized tools to my collection!

  • Computer Forensic Links  -- Collection of links hosted by for various sites, companies, and resources.  Doesn’t look like most have been updated in some time but many are still “live”. Worthy of looking for some good bookmark material.

  • Digital Detective – DCode -- (freeware) – Clever tool that allows you to copy/paste and “…decode the various date/time values found embedded within binary and other file types.”  Much like you might uncover in hex-editors or registry values.

  • » Computer Forensics – An amazing collection of digital forensic-related linkage maintained by Berliner Alexander Geschonneck.  You know it’s got to be quality when he links Hogfly’s computer forensics blog and Harlan Carvey’s (the Windows forensics guy) Windows Incident Response Blog at the very top two positions in his “random list” of forensic blogs section.   I seriously lost a whole afternoon (during the Notre Dame game) perusing through the massive linkage here.  Pre-check the links carefully, I believe I hovered over at least one forensic link that appears to have been link-squatted by a porn site now.  How ironic.

  • Tools - – Yep.  I know.  “Another German security site?” Yep. Bear with me.  This site has a great lineup of useful tools related to both Linux and Windows forensic utilities.  Some tools are dated and some are fresh.  It’s a great collection of both free and commercial applications.  In addition they have links to their own Forensik CD aus iX 07/2007 and newer Forensik DVD aus iX special 10/2008. Sweet!

  • Runtime Software Products – I’m linking to this site not so much as they do provide the great (free) DriveImage XML Backup Software which is quite popular. Instead you may want to be aware of the following other free products: RemotebyMail which offers remote access to your system for file/program execution command by email as well as Shadow Copy to provide copy of files/systems of running Windows systems and supports command-line execution.  Finally there is the not-free Captain Nemo application which allows mounting of image files and other file-system volumes such as Novell and Linux partitions.

  • md5deep -- (freeware) – an interesting and powerful MD5 (and others) hasher tool (CLI). Particularly useful is the ability to not just hash a file but to hash recursively through an entire directory tree and provide hashes for all items.  It also has a time-to-complete feature as well as hash-by filter.  I’ve got my own mini-collection of freeware Windows GUI-based hashing applications that I pick from depending on the reason I am hashing something.  Generally I use the excellent Nir Soft HashMyFiles tool for most of my daily hashing work. Others include Robin Keir’s “Hash”, the Hasher tool from [den4b] Denis Kozlov, and finally WinMd5Sum Portable from

  • Live View – Pretty old-news tool, and doesn’t help me much as I tend to be Windows Virtual PC centric, but if you need a handy tool to convert Windows system (limited Linux support exists) image copies that have been captured into a VMWare build for “live” forensic work, this might just be the tool you have been looking for.  I guess there are some times that a “static/off-line” image review just won’t work or some applications just need it to be running “live” to uncover the data needed.  From the page “…because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine..”  Quite handy and has me re-thinking my VPC only operation.
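The DCode-style decoding from the tool list above, as an added example that is not the post’s or DCode’s own code: it takes a hex string as copied out of a hex editor or registry value and offers every interpretation (Windows FILETIME, Unix time, DOS/FAT packed date) that yields a valid date, dropping the ones that cannot; the sample blobs are constructed.

```python
"""Decode date/time values embedded in binary data and registry values.

Added example for this post, not DCode's own code. Assumption: the input is
a hex string copied from a hex editor, and the caller supplies the byte
order (Windows structures are little-endian on disk).
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix epoch


def hex_to_bytes(hex_str):
    """Turn "00 80 3E D5 DE B1 9D 01" (or 0x-prefixed, unspaced) into bytes."""
    clean = hex_str.replace("0x", "").replace("0X", "").replace(" ", "")
    return bytes.fromhex(clean)


def filetime_to_datetime(value):
    """Windows FILETIME: 64-bit count of 100-ns intervals since 1601-01-01 UTC
    (registry key LastWrite times, NTFS timestamps, many binary structures).
    Returns None when the value cannot be a FILETIME (out of range)."""
    if value < 0:
        return None
    try:
        return EPOCH_1601 + timedelta(microseconds=value // 10)
    except OverflowError:
        return None


def unix_to_datetime(value):
    """Unix time: seconds since 1970-01-01 UTC (32-bit in most older formats)."""
    try:
        return EPOCH_1970 + timedelta(seconds=value)
    except OverflowError:
        return None


def dos_to_datetime(date_word, time_word):
    """DOS/FAT packed date and time words (FAT directory entries, ZIP headers).
    Seconds are stored at 2-second resolution."""
    year = 1980 + (date_word >> 9)
    month, day = (date_word >> 5) & 0x0F, date_word & 0x1F
    hour, minute = time_word >> 11, (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    try:
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError:            # month 0, day 32, hour 31...: not a DOS date
        return None


def decode_timestamp(hex_str, byte_order="little"):
    """Return every interpretation of the bytes that yields a valid date, so
    the analyst can pick the plausible one (the DCode-style workflow).
    Keys: 'filetime' (8 bytes only), 'unix', 'dos' (4 bytes only)."""
    raw = hex_to_bytes(hex_str)
    value = int.from_bytes(raw, byte_order)
    result = {
        "filetime": filetime_to_datetime(value) if len(raw) == 8 else None,
        "unix": unix_to_datetime(value),
        "dos": None,
    }
    if len(raw) == 4:
        # On disk the DOS time word precedes the date word, each little-endian.
        result["dos"] = dos_to_datetime(int.from_bytes(raw[2:], "little"),
                                        int.from_bytes(raw[:2], "little"))
    return result


if __name__ == "__main__":
    # Constructed samples: the Unix epoch as a FILETIME, 2009-09-05 as Unix time.
    for blob in ("00 80 3E D5 DE B1 9D 01", "00 AA A1 4A"):
        found = decode_timestamp(blob)
        print(blob, {k: v.isoformat() if v else None for k, v in found.items()})
```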


That covered a whole-lot more perimeter space than I expected!


--Claus V.

Saturday, September 05, 2009

Man Briefing #2


cc photo credit Augapfel on flickr

Not to say that the ladies aren’t welcome as well…just didn’t fit with the photo quite as nicely.

Work has been quite busy at the moment. I’ve had a few pretty intense “special projects” I’ve been working on these past weeks.

Today it’s serious “couch-time” watching Notre Dame’s college football opener.  I enjoy (but am not rabid about) college football, preferring it much more over pro-ball games.  I follow ND for sentimental reasons.  I would often spend summers with my mom’s parents in their Airstream trailer touring the country as a child. On Saturdays, without fail, Grandma would be found tuning in to the small color TV in the trailer, Grandpa cranking up the roof-mounted antenna and twisting the tuning dial on the ceiling so she could watch her Fighting Irish.  I will also watch the occasional UH Cougar game (when found) along with Army, Navy and UT-Austin games.  Other than that, I really don’t care so much and any college game will do Saturday night when nothing else is to be found on TV.

Good news on the requisition front.  I had been looking at getting a Rosewill RCW-608 USB2.0 Adapter For IDE/SATA or a VANTEC CB-ISATAU2 SATA/IDE to USB 2.0 device adapter for work.  Finally able to justify it and (though we had to go through an approved vendor) ended up with a pair of Tripp Lite U238-000 - USB 2.0 to SATA / IDE Combo adapters.  I don’t care for one thing however.  The dongle end has an embedded 2.5” IDE connector.  To attach to a 3.5” IDE connection there is a loose adapter with the 2.5” connector mating pins (exposed) on one end and the 3.5” female end on the other.  I worry about damage to the exposed pins.  Other than that the kit seems pretty sturdy.

On to the Briefs:


  • Enchanted - Wikipedia, the free encyclopedia – OK This is a guilty-pleasures confession.  For reasons I don’t fully understand, I’ve been jonesing on “Enchanted” for the past few months.  I don’t know if it is the flavor of Amy Adams and her characterization or just the romantic in me.  Regardless nothing seems to relax me more than firing this up on the DVR.

  • Drive Jumper .com - drive hard jumper information.  Great site (one of many) that has a lot of great info on how to set the jumpers on a HDD.  Sometimes when I pull one of our spares off the shelf, the model doesn’t have the jumper info noted on the label or the case or the circuit board.  Good reference site.

  • WinToFlash - (freeware) – Yet one more DIY utility to convert a Windows CD/DVD setup disk over onto a (will make bootable) USB device.  Tipped off via TinyApps.Org Blog

  • Scott Hanselman's 2009 Ultimate Developer and Power Users Tool List for Windows -- Scott Hanselman’s Computer Zen – Amazing list of power-utilities for Windows.  Most are free.  I’ll be taking notes and exploring this list for some time.  Going to guilt me into updating a post with my own list of USB power-tools I carry about.  Will have to take a week off for that one! 

  • How To Find Unknown Device Drivers By Their Vendor & Device ID  -- MakeUseOf blog – nice collection of tips and websites/tools to help sort out mysterious devices and (maybe) be able to track down their driver. 

  • Stoned-Bootkit v2 & PE integration – Peter Kleissner is hard at work on his boot-kit.  v2 is in the works and in a recent update to his site, he provides information on how it can be integrated in a Win PE boot-disk build. Related: Stoned Bootkit blog & Security Database Tools Watch - Stoned Bootkit upgraded to v2.0

  • Oscar’s Multi-Monitor taskBar -- (free/$) – Nice tool that allows you to extend your Task Bar to multiple monitors.  On my home desktop system I had purchased (and still highly recommend) Realtime Soft UltraMon.  It makes multi-monitor desktop wallpaper/taskbar management a joy.  Then for my laptop systems I just rely on Display Fusion (free/$) for the remaining multi-monitor wallpapering control. However it does not have the ability to extend the taskbar like UltraMon.  I’m thinking that a combo of Oscar’s Multi-Monitor taskBar and Display Fusion will make a powerful one-two punch! (see also: Microsoft Sysinternals Desktops (free) tool to create up to four virtual desktops on your Windows system like many Linux builds support natively.)

  • The Guide - (freeware) – Outliner tool to create outline-based notes or other documentation.  I’ve looked into (and occasionally use) this class of writing tools from time to time.  Sometimes you can save a bunch of planning time by doing some rough-drafting first in an outlining application before moving over into a full-featured office-type word processor.  I’ve traditionally been hooked on using SEO Note (freeware) for its fine feature set and portability.  Recent changes to Evernote design have turned me off that product quite a bit where the earlier build designs I found very liberating to use. For incident-response work I’m turning to the excellent (and free) QCC Information Security UK – Casenotes tool.  Portable on USB with minimal effort. For this application I often use another text-editor (Q10 or Dark Room or Jarte) to make (and spell-check!) my initial notes in, then copy/paste them into Casenotes for the final save.
  • PNotes Portable – (freeware) – While I am a heavy-user of sticky-notes, they generally are corralled on the whiteboard in my cubicle or on hard-copy documents. However sometimes I do need to leave a digital sticky-note on my desktop.  I find this is a stable and easy-to use solution.
  • Notepad++ Portable -- (freeware) – I’ve gone through more than a few Notepad Replacements but for day-in/day-out usage, this remains my go-to notepad of choice.  I particularly like the syntax highlighting/formatting support.

You’ve been briefed.  Now it’s your duty to keep ‘em clean!

--Claus V.