Thursday, December 16, 2010

Worn Down and Rusted Out Linkfest Edition


Thanks for the messages of kindness checking on me that a few GSD faithful have sent in over the past few weeks.

I’m pleased to say that Claus V. is still alive and kicking…just worn down and rusted out a bit.  As many of you have correctly surmised, work assignments have pretty much overwhelmed me and left me with little energy left except for watching Phineas and Ferb, iCarly, and Bones with the ladies off the DVR on the few free hours when I drag home at night as well as wearily wake up on the weekends.  Everyone has had to really crank up the productivity (already red-lined) due to economy pressures with more special-projects in the pipes.

I even got some time off today to catch the Disney movie “Tangled” with Alvis this afternoon.  I’m a sucker for princess movies!  I can’t wait to put the Blu-ray version of this one next to my “Enchanted” disk set.  Good family movie for all ages!

Anyway, the positive news from this unplanned blogging hiatus is that I have really been able to focus on applying many of the security/forensics tools and techniques in a myriad of very unusual incidents so while I am still exhausted to the frame-rails, it’s been a fun trip along the way.   Look for some neat stuff soon from that camp.

Nor have I been taking a “Net-free” sabbatical.  The RSS-feed collector has been diligently at work as well and I’ve been distilling the results to some of the most interesting and helpful links of all that survived the winnowing process.

So, without more ado, sit down, strap in, and hang on tight.  The Linkfest begins!

Microsoft Security Essentials 2.0?

Microsoft Security Essentials 2.0 looks like it may have been released.

Microsoft Security Essentials - Microsoft Download Center. Publish date 12/16/2010  (Note: as of this post, that link still shows a version number of “1”.)

I've been running the Beta MSE 2.0 versions on our Windows 7 x64 & x32 systems for some time and have been pleased. Love the inclusion of a right-click context menu "scan with MSE" menu item now.
This morning my Beta MSE version was 2.0.522.0.

After downloading and over-installing the new setup file version downloaded from that page, it now checks in at 2.0.657.0.
Some more info on what the new edition offers over at this Security Essentials 2.0 releasing tomorrow mynetx post.

I assume patient users of MSE already will eventually get a push/Windows Update to bump it.

Meta data in the setup file (x64 version) I downloaded and used did report it was a 2.0 version as well…so maybe MS hasn’t updated the version number on the page until an official release announcement…or it could be one last final beta bump before the final release?  I’m not certain.

Spotted over at the (German) Caschys Blog post:  Microsoft veröffentlicht kostenlose Sicherheitslösung Security Essentials 2.0

i-odd Firmware updates and other multi-boot/formatting toys 

I-Odd has released some firmware updates.  If you don’t recall the iodd : Multi-boot madness! post, the i-odd is an external USB2.0/eSATA drive enclosure that allows you to store boot-disks in ISO format and then boot a system with any of them via the selector toggle.  It is wicked cool.

The US i-odd site is offering Firmware Version 1.42.48 (ISO) that supports either FAT32, EXFAT or NTFS partition handling for loading disk images.  Until recently only FAT was supported.

The Korean manufacturer's i-odd site actually is serving an even newer firmware version at 1.42.53.
Take your pick.

FAT/FAT32 formatting limitations typically have restricted partition sizes so you have had to use alternative formatting tools to get around those limits if you wanted a really big FAT32 partition to store your ISO’s on.

TinyApps.Org Blog recommended the FAT 32 Formatter from Ridgecrop Consultants Ltd.  If that CLI version isn’t to your speed, they also offer a Windows GUI version of fat32format.  Miles’ recommendations are always golden so that’s the tool I still use.

I recently found mention Fat32Formatter which has a slightly different GUI.

That was picked out from RMPrepUSB HomePage which has an interesting tool to partition/format USB drives and make them bootable for SysLinux or grub4dos bootloaders. 

That was found via this XBOOT vs 1.0.0 beta4 - reboot project that is working to aid in the creation of a multi-boot USB builder.

All this is still very interesting, but TinyApps’s find of the i-odd device makes all these exercises almost academic.  Get the enclosure, buy a 2.5” drive to stick in it, update the firmware, and copy your boot ISO images over to your heart’s content.  Then just toggle to the ISO you want to boot with, select it, and boot away.

One last TinyApps mention: check out his amazing documentation work TinyApps.Org : Mounting disk image partitions.  He sent the link to me some time ago but I’ve been swamped and only had time to do very limited Linux-based work at work so I haven’t been able to give it its true due.

Secunia PSI 2.0 Beta Available 
Security company Secunia announced in September the release of the PSI 2.0 Beta.

Auto Update your Programs - Secunia PSI 2.0 Public Beta - Secunia Blog

From the blog post, the engine remains the same but the user interfaces, the auto-updates, and reporting have all been revamped. Secunia PSI changelog

While I and everyone else can continue to benefit from the cloud-based Online Software Inspector (OSI) version, having a localized Personal Software Inspector (PSI) on your Windows system can go a very long way to ensuring your applications are able to be kept current without much mess or fuss.

Adobe Advances

The Adobe folks have been hard at work revamping and prepping a number of products that are often found on many enterprise and consumer Windows systems.

Adobe Labs - Adobe Flash Player 10.2 beta - This is the latest “mainstream” Flash beta version.  It includes enhanced support for IE 9.0 releases and full screen mode support for users with multiple monitors.  However it only comes in a x32 bit release version.

Adobe Labs Download: Flash Player 10.2 Beta Release

Adobe Labs - Adobe Flash Player "Square" is also available and does include x64 bit support for Windows, Mac OS, and Linux.  I’ve been running this one on my x64 Windows 7 system with no issues at all.

Adobe Labs Download: Adobe Flash Player "Square" Preview Release

Related: How-to: Disable Chrome’s built-in Flash to use a Flash beta release. DownloadSquad
You may also have heard Adobe released version 10 (a.k.a “X”) of the Adobe Reader.

Adobe Reader X is Here! « Adobe Secure Software Engineering Team (ASSET) Blog

Adobe - Adobe Reader download

PDF security guru Didier Stevens has some initial thoughts: Quickpost: Adobe Reader X and provided a wicked-helpful link to Adobe’s FTP server. The en_US FTP folder contains both msi and exe based installer versions!

To add to the helpfulness, Aaron Parker at StealthPuppy has a number of great Adobe Reader deployment tips and tricks postings.

Deploying Adobe Reader X | Aaron Parker

Uninstalling Adobe Reader | Aaron Parker

…including a tip-out to the Customization wizard for pre-deployment installer tweaking; note you can get the 10.x version from the FTP site.

Network Nuggets!

One of the duties that has required a lot of my time has been network monitoring and traffic analysis.  I continue to make good progress with Microsoft’s Network Monitor 3.4; specifically the nmcap.exe CLI tool.  I’ve not had a dropped packet yet during a capture session.

Marking Frames with Network Monitor 3.4 - Network Monitor Blog

Network Monitor Freezes While Loading Capture - Network Monitor Blog

CodePlex Parser Site - Check for the latest Network Monitor parser sets here.

In case I haven’t mentioned it recently (it’s been a while) inSSIDer Wi-Fi Scanner over at MetaGeek is now out at version 2.0.  It was a great help tracking down a network tap some time ago.

And despite my comfort and pleasure with Network Monitor 3.4, I am now trying to transition back to Wireshark.  NM3.4 only seems to output in “cap” format, not pcap.  That’s no big issue but I then have to do an extra step of “editcap -F libpcap infile.cap outfile.pcap” to convert things.  This has been quite fast, but it is a step I shouldn’t have to be taking. 

My biggest complaint to date with Wireshark (and it’s a noobie one) is that I kept getting occasional crashes during capture in the Wireshark GUI mode.

However, since I’ve gotten comfortable working in the NMcap CLI tool mode, I’ve started flirting around with the TShark CLI utility for captures as well.  It seems to be more stable for longer-run capture sessions.
Along those lines I’ve been collecting resource links on TShark:

Tshark examples: howto capture and dissect network traffic - CodeAlias

tshark filters - PacketLevel

tshark examples - random notes

TShark Packet Filtering - TheSprawl

Wireshark/TShark Utilities - TheSprawl

Pcap format is essential as I continue to use the NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer for much of my post-capture analysis work.  Unfortunately, it doesn’t handle NM “cap” format files, thus the conversion to pcap first in editcap.  So capturing in pcap native files is a time-saver.
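Since the whole conversion detour above exists because one tool writes NetMon “cap” and the other only reads libpcap, a quick pre-flight check of what a capture file actually is saves a failed import. The following is an added example (my own illustration, not code from the post or from Network Monitor, Wireshark or NetworkMiner): it identifies a file by its magic number, walks the libpcap record headers to catch truncation, and builds a tiny libpcap file in memory from constructed frames so the checks can be exercised without a real capture.

```python
"""Identify a capture file (libpcap, pcapng or unknown) and sanity-check
libpcap records. Added example; not code from any tool named in the post.
The sample frames below are constructed for illustration only."""
import struct

# libpcap magic values: classic microsecond and nanosecond variants, both byte orders.
LIBPCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "usec"),
    b"\xd4\xc3\xb2\xa1": ("<", "usec"),
    b"\xa1\xb2\x3c\x4d": (">", "nsec"),
    b"\x4d\x3c\xb2\xa1": ("<", "nsec"),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type
GLOBAL_HEADER_LEN = 24               # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16               # ts_sec, ts_frac, incl_len, orig_len


def identify_capture(data: bytes) -> dict:
    """Describe the capture format from its leading bytes."""
    head = data[:4]
    if head in LIBPCAP_MAGICS:
        endian, resolution = LIBPCAP_MAGICS[head]
        _, major, minor, _, _, snaplen, linktype = struct.unpack(
            endian + "IHHiIII", data[:GLOBAL_HEADER_LEN])
        return {"format": "libpcap", "version": f"{major}.{minor}",
                "resolution": resolution, "snaplen": snaplen, "linktype": linktype}
    if head == PCAPNG_MAGIC:
        return {"format": "pcapng"}
    # Anything else (including Network Monitor .cap) needs converting first.
    return {"format": "unknown"}


def count_packets(data: bytes) -> int:
    """Walk libpcap records; raise if the file is not libpcap or is truncated."""
    info = identify_capture(data)
    if info["format"] != "libpcap":
        raise ValueError("not a libpcap file: " + info["format"])
    endian = LIBPCAP_MAGICS[data[:4]][0]
    offset, count = GLOBAL_HEADER_LEN, 0
    while offset + RECORD_HEADER_LEN <= len(data):
        _, _, incl_len, _ = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        offset += RECORD_HEADER_LEN + incl_len
        if offset > len(data):
            raise ValueError("truncated record at end of file")
        count += 1
    return count


def build_libpcap(packets, linktype: int = 1, snaplen: int = 65535) -> bytes:
    """Serialise (ts_sec, ts_usec, frame) tuples into a little-endian libpcap blob."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
        out += frame
    return bytes(out)


# Constructed sample: two dummy Ethernet-sized frames (linktype 1 = Ethernet).
SAMPLE_FRAMES = [
    (1292500000, 1000, b"\x00" * 12 + b"\x08\x00" + b"A" * 46),
    (1292500000, 2000, b"\x00" * 12 + b"\x08\x00" + b"B" * 60),
]
SAMPLE_PCAP = build_libpcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    print(identify_capture(SAMPLE_PCAP), count_packets(SAMPLE_PCAP))
```

If `identify_capture` reports anything other than `libpcap` or `pcapng`, that is the file to run through `editcap -F libpcap` before handing it to NetworkMiner; a `truncated record` error is the classic sign of a capture that was still being written when it was copied.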

You may also recall that I’ve been restricted to using an older .88 version of NetworkMiner as some packet captures end up forcing a premature shutdown in versions up to the current .92.  I actually was able to engage developer Erik Hjelmvik in this Topic: Versions past .88 prematurely exit discussion.  He was awesomely kind and patient.  We eventually took the discussion off-line and with his gentle guidance I was eventually able to provide him some helpful data that explained the issue.  He thinks that the issue “…could occur when there are partially overlapping TCP segments at the same time as the TCP packets arrive out-of-order.”
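The failure mode Erik describes, overlapping TCP segments arriving out of order, is exactly where stream-reassembly code goes wrong, and it also matters for analysis: two hosts (or two tools) that resolve an overlap differently will show the analyst two different payloads. The following is an added example of my own, not NetworkMiner code, showing a small reassembler that tolerates both conditions and makes the overlap policy an explicit choice. The segments are constructed for illustration; `isn` stands for the stream’s initial sequence number.

```python
"""Reassemble one direction of a TCP byte stream from segments that may
arrive out of order and partially overlap. Added example, not NetworkMiner
code. Sequence numbers wrap at 2^32, so offsets are computed modulo that."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SEQ_MODULUS = 1 << 32


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


def reassemble(segments: Iterable[Segment], isn: int,
               policy: str = "first") -> Tuple[bytes, List[Tuple[int, int]]]:
    """Return (contiguous stream delivered so far, list of buffered ranges
    beyond the first gap). policy="first" keeps bytes already seen when a
    later segment overlaps them; policy="last" lets the newer bytes win."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    accepted = {}  # stream offset -> byte value
    for seg in segments:
        base = (seg.seq - isn) % SEQ_MODULUS
        for i, value in enumerate(seg.payload):
            off = base + i
            if policy == "first" and off in accepted:
                continue            # earlier data wins; ignore the overlap
            accepted[off] = value   # new byte, or newer data wins
    # Deliver the contiguous prefix starting at offset 0.
    stream = bytearray()
    while len(stream) in accepted:
        stream.append(accepted[len(stream)])
    # Anything past the first hole stays buffered; summarise it as ranges.
    gaps: List[List[int]] = []
    for off in sorted(o for o in accepted if o >= len(stream)):
        if gaps and gaps[-1][1] == off - 1:
            gaps[-1][1] = off
        else:
            gaps.append([off, off])
    return bytes(stream), [(lo, hi) for lo, hi in gaps]


# Constructed sample: segment at 1010 arrives before 1005, and the segment at
# 1007 overlaps both its neighbours with different bytes. 1025 sits past a hole.
ISN = 1000
SAMPLE_SEGMENTS = [
    Segment(1000, b"GET /"),
    Segment(1010, b" HTTP/1.1"),
    Segment(1007, b"DEX!"),
    Segment(1005, b"index"),
    Segment(1025, b"body"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        data, pending = reassemble(SAMPLE_SEGMENTS, ISN, policy)
        print(policy, data, pending)
```

With the same five segments the two policies deliver `GET /inDEX HTTP/1.1` and `GET /index!HTTP/1.1` respectively, and both report bytes 25..28 still waiting behind the hole at offset 19. A reassembler that assumes in-order, non-overlapping input has neither the per-offset bookkeeping nor the gap list, which is how it ends up reading past a buffer or asserting on a duplicate; the policy flag is there because there is no single “right” answer, only the one the receiving host actually applied.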

A future version of Network Miner should address this issue, and bring many more enhancements.  Hopefully Erik will release an updated version soon!

It was really challenging but really rewarding having the opportunity to work with Erik on this issue.  He is a really great guy for kindly providing that level of support to me on a free-to-the-community project.

Microsoft Tips, Tricks, and Treats

Download details: The Windows® Automated Installation Kit (AIK) for Windows® 7 - Released in mid-November under version 2.0.

The Case of the Slow Project File Opens - Mark’s Blog; troubleshooting awesomeness!

The Windows 7 Guide: From Newbies To Pros [FREE EBOOK] - MakeUseOf - Nice resource for you all who are planning on handing out Windows 7 systems as gift to current XP users.

Enhanced Event Viewer for Windows 7 released - The Windows Club is a fancier version to view and search event logs.  Pick it up over at the sateesh-arveti - Site Home  on TechNet Blogs

Tenniswood Blog has an update tip on How to enable Remote Desktop in Windows 7 Home Premium.  Follow his links to grab the new and improved bits.  Me?  I’ve still got this around on our home systems as a “just in case” but am really loving the TightVNC 2.0 application even more.

While we are still on the subject, MakeUseOf blog has a really interesting Control Your Computer Remotely Using HTML5 With ThinVNC post worth checking out.

The Best Ways To Customize The Welcome Screen In Windows 7 by Simon Slagen on MakeUseOf has a trio of ways to modify your Windows 7 login screen ranging from the very simple to the very complex. Of them, I agree with the post and found that for most users the Logon Screen For Windows 7 tool by DanielNET software was the easiest to use.  That said I’m surprised my first utility to encounter in this class, Windows 7 Logon Background Changer didn’t get included.  It hasn’t let me down yet.

Image is Everything

TOOL: Image Resizer 2.11 for Windows 7/Vista  - Kurt Shintaku’s Blog is a dead-simple, integrated way to let anyone quickly and easily resize their images fast.  It’s a must add.

Freemake Video Converter updated with cool new features - freewaregenius.com is yet another great and very full featured video converter.

Lightworks - Open Source highly complex but wonderfully approachable video editor is out in a public beta.  I’ve been waiting for this one for some time and am amazed it is sitting on my desktop.  The GUI is very well designed but start digging under the hood and I think this tool has the stuff to leave the other freeware/open-source video editors in the dust.  For a Windows platform, this must be seen.  I’m itching to get a new video-production project to toss at it.  This is not for casual users who might find Windows Live Movie Maker 2011 or another similar non-MS product easier to get started with.  Registration (easy and free) with Lightworks required to get the download bits.  Lots of documentation in PDF form is a happy bonus.  Requires download of third-party “Matrox VFW” codecs.

For other options and software tools in video editing see this GSD Blog Video-Editing Resource Roundup.

Finance Planning Tools 

Things have been very tight around the Valca home.  For almost the past two years we have had to painfully downsize to a single-income family lifestyle.  It has been almost that long since Lavie was able to work.  However thanks to discipline and the kindness of family and friends, we have weathered the belt-tightening fairly well.  Hopefully the new year will bring new riches both in terms of our family employment outlook as well as the bank account.

We continue to benefit from the use of Microsoft’s free “Sunset” edition of Microsoft Money Plus.  I’m using the Money Plus Sunset Deluxe version but there is also the Money Plus Sunset Home and Business
However, if you trust cloud services and are looking for a cloud-based financial planning tool, check out the following finds:

Sprouty - Simple and easy budgeting

Mint.com

With either of these, along with some healthy Finance & Family encouragements from zenhabits, those (by choice or circumstance) living in the “simple life” may find some great tools and resources to help them breathe.

More Utilities

These didn’t seem to fit in other categories, so here they reside:

CSV file editor, for Windows - CSVed is now updated to version 2.1.3.  This freeware tool has saved my rear lots of times for complex pre-editing of tricky CSV files before dumping into Access or Excel.

BulletsPassView - NirSoft’s new build to view the passwords stored behind the bullets in Windows / IE.  Doesn’t work for everything but is super-useful in a pinch. May set off AV as “hackware” or PUP.  That’s an AV thing; nothing wrong with the tool in the right hands.

6 Must-Have Apps For Computer Repair Technicians - MakeUseOf blog.  Interesting roundup. Not what I would pick for my “must have 6” list, but they are worthy to add to your toolbox.

FOG-ing the Future?

With only a literary nod to JKR, the FOG project is one really neat looking project.
fogproject.org

FOG allows for Windows system imaging capture/deployments from a Linux OS.  It is very cool looking and very neat, particularly with an almost turn-key PXE-based capture/deployment solution.

Windows Image Deployment with FOG - Petri.co

Lifting the Fog - Compendium IT

Cloning Windows 7 VMs Using FOG - The Horrendous World of IT

FOG - Computer Cloning/Imaging solution Server (0.27) - VMware Virtual Appliance Marketplace
See also these FOG Project Video Tutorials

There is a lot of documentation and YouTube video resources and it looks to be a very mature (and still developing) project.

If you haven’t heard of FOG yet, it’s worth checking out, particularly if you are an imaging guy.
That said, I still like working with Microsoft ImageX WIM file images and deploying them in PE-based methods in our environment.  Being able to off-line mount and service image files has helped me lots of times.

Virtualizations

In the “Lifting the Fog” link above, the author incorrectly states that the virtual version of FOG uses Oracle’s VM VirtualBox.    That isn’t correct.  It is a VMware appliance version, not VirtualBox.  I guess it is easy to get them mixed up by name alone.  I currently have Windows VirtualPC, Oracle’s VirtualBox, and VMware’s VMware Player all installed on my system!

VMware Player still is getting updated (and remains free).  If you don’t want to register to get the bits from VMware, try this Download VMware Player 3.1.3 link via FileHippo.com.

Think the VMware Player will trap you into using only pre-configured VMware appliances?  Check out the free VMware resources by developer DEVFarm Software such as the really cool VMX Builder. One of many cool tools at VMXBuilder.com

VirtualBox fans may be surprised (or not) to learn that while the public build of VirtualBox is at 3.2.12, if you dig around you can find and use VirtualBox 4.0 beta builds.  I’ve been using these for a while and they are really nice!  I really find the GUI interface improvements particularly enjoyable…not to mention all the under-the-hood updates!

Download VirtualBox 4.0.0 Beta 3 - Change Log - FileHippo.com

Index of /virtualbox/ - Oracle’s FTP site for direct VirtualBox bits including the [DIR] 4.0.0_BETA3/

Whew!

Hope you found something here enjoyable and I appreciate the GSD fans who have been waiting for a new post.

Check back again soon for the forensics and security linkfest followup.

Even more goodies await!

Cheers!

--Claus V.

Sunday, October 17, 2010

Books, Networks, Security, and Forensics

The little-brother endowment for big-brother improvement has allowed for the recent expansion of my technical library by three more volumes.

I have just ordered the following books after a long wait in my wish-list pile:

I had flirted with also picking up the Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide by Laura Chappell, Gerald Combs (Amazon.com) but decided instead to invest in a Canon Speedlite 270EX Flash (Amazon.com) for our Canon Rebel DSLR as all work and no play makes Claus a cranky boy.

The first two selections reflect an expansion and recognition that understanding and analyzing network traffic can not only complement Windows systems forensics and incident response, but in some cases be the canary in the mine that signals something much larger is going on worthy of focused investigation at the machine level.

A recent series of events have driven both these points home to me in a very powerful way.  So I really am excited waiting for their arrival.

As for Harlan’s book, it really is one of the cornerstone books of Windows forensics and I’ve really felt weaker for not having read it yet.  I’m truly honored and stoked to be adding it to my bookshelf.

The nature of my work demands that I approach things holistically and I really hope that the combination of these materials gives me a sharper edge in analysis as well as in how all the parts can better fit together.

In the News:

(IN)SECURE Magazine issue 27 released - Great security and risk-management articles in portable PDF reading format.  I’m always waiting for the next edition!

Hiberfil Xpress and FTK Imager 3 posts - Forensics from the sausage factory.  DC1743 tears into the Hiberfil and touches on its compression as well as new support (script) for examination via EnCase.  The second post points out the awesome and free forensic image capture tool (and then some!) FTK Imager 3 is now out from AccessData.  This newest version does require a system-install, but they have also released a bumped version of their free/portable “Lite” version to 2.9.0. Go get’em!  AccessData Product Downloads

CAINE 2.0 Live CD - “NewLight” computer forensics digital forensics - LiveCD Distro - I was unexpectedly surprised to discover CAINE 2.0 “NewLight” was released in the past few weeks.  CAINE and DEFT both are my current favorites for Linux-based “LiveCD” distros and are jam-packed with complementary toolsets.  CAINE 2.0 has a fresh look and updated features all the way around.  I’ll save post-space here by not posting a list of all the new and updated feature-sets, but suffice it to say, it really is super-slick and just like Mighty Mouse, lots of power in a small size!

Gift Card FAIL: What do sequential numbers and shopping sprees have in common? - PaulDotCom - Yeah…worrying.  Besides the obvious issues, what really stands out to me is that I’m not the only one who can’t seem to turn their brain off from security/incident response musings…even when off-the-clock.  Every situation and every place presents opportunities for mental security pushup work.

Asset Tags For Dummies - Liquidmatrix Security Digest.  Part II from the theme above.  Really, we also stick honking-big asset tag stickers prominently on our equipment that can be read from 10 yards or greater away, with enterprise name and everything.  Plus the brand of our whole-disk encryption provider on a separate sticker.  “So we can tell which systems are whole-disk-encrypted” easily by just looking at the case.  At least that was the justification provided.  Really?  Can we?

Memory forensics on Windows 7 (x86 and x64) and Windows 2008 x64 and Avoid the Knee Jerk Reaction -M-unition Blog.  Two great posts from the MANDIANT gang including the announcement of the release of Memoryze 1.4.2900 which has added support for Windows 7 64-bit, Windows 7 32-bit, and Windows 2008 64-bit along with the previously supported platforms.

Free Malicious PDF Analysis E-book - Didier Stevens.  Go grab it now!

FireMaster : The Firefox Master Password Recovery Tool - SecurityXploded.  Free tool to recover the master password from Firefox.

Symantec’s w32_stuxnet_dossier (PDF) is a perfect model of how an incident/threat analysis report should be written.  It seems to set a new gold-standard for informative analysis and technical writing for malware/threats.  Wow!

Tshark/Wireshark SSL Decryption - Lessons Learned - PaulDotCom - Mark Baggett has written a great tutorial on how to configure Wireshark to decrypt SSL packets.  Great stuff.

PrefetchForensics v1.0.3 : woanware - Mark Woan has made some improvements to this free Windows Prefetch file analysis tool.  Update your copy now!

Forensic analysis of "Frozen" hard drive using Deep Freeze - Computer Forensics, Malware Analysis & Digital Investigations.  Deep Freeze is one of several “steady-state” system solutions that “restore” a Windows system back to a predefined configuration when the user’s session is over.  In theory this should erase all tracks, but as all good forensicators know, there’s gold in the streambed once you dig just under the surface a bit!

Xplico » Xplico 0.6.0 - Just released!  Xplico is a Linux-based tool that allows for reassembly of network traffic browsing sessions.  I’ve been having to use it quite a bit lately and find as I get to know its capabilities better, I am floored by the power and benefit having this tool in my arsenal brings me.  I’m planning a followup post on Xplico very soon here at GSD.  Stay tuned!

Happy Digging!

--Claus V.

Mostly Minor Network Notes

Here are some minor tweaks and features, mostly of a network nature.

Manual Uninstall of the Cisco VPN Client « Mobile Expertise -- because sometimes the uninstaller just doesn’t work, and the new installer won’t put it on, particularly with that stubborn Deterministic Networks package present.

Get the Classic Style Network Activity Indicator Back in Windows 7 - How-To Geek.  I’ve not been impressed with the lack of network activity indication on Windows 7.  Sure, it is a very weak and basic way to see if and when you are having network issues, but it can be a good first warning.  This Network Activity Indicator for Windows 7 via IT Samples is a very good approximation to the XP system tray indicator.

How to Optimize Network Connections in Windows XP - Windows Networking - On my XP system at work, I’ve got several network connections available, though some are used more regularly than others, and within them, some bindings will not be used ever.  So it seemed to me that it would be nice to rearrange the preferred order of the network connections, and disable any unneeded bindings for good measure.  This article was perfect.  In no time I had resorted and tweaked them.  Subjectively I think it helped a bit, but I didn’t actually benchmark before/after performance.

While useful at work and easy to do on the XP systems, before long I was wondering if I could do this same thing on my home Windows 7 laptop.  For my own system, depending on where I am sitting in the house and what I am doing, I may prefer to hook up via a wired Ethernet cable rather than using wireless…watching videos or downloading mega-files (Windows Updates, software packages, virtual appliances, Live CD ISO’s, etc.).  However, I was getting frustrated as despite plugging in the network cable pre-boot, I always seemed to be defaulting to my wireless connection instead!

So I had been manually disabling the Wi-Fi then forcing it to go to the Ethernet cable.  But that just didn’t seem right.

I already knew I set a preferred order for network devices in XP, but I just couldn’t find it in Windows 7 as easily.

Then I found this.

How to Change the Priority of Wired/Wireless Network Cards in Windows - How-To Geek

Better, and interesting.   But what about GUI only lovers?

Change Wireless Network Priority to Make Windows 7 Choose the Right Network First - How-To Geek.

Making progress, but this is for prioritizing your Wi-Fi network connections, not for juggling both your wired/wireless network connections.

So I ended up pulling all the pieces together for a Windows 7 system; and using the “XP” method noted earlier.

Start/Control Panel --> Network and Sharing Center.

On the left side-bar, select “Change adapter settings”


On the menu-bar, choose, “Advanced” and from the drop-down menu “Advanced settings”


Then in the resulting dialog window, select the network connection(s) and using the green arrow on the right, change them in order up or down accordingly.  Save your changes when done.


In my case, I have the Local Area Connection (my wired Ethernet port) set at the top as my preferred item, then my home Wireless Network Connection second.

This way, if I plug in and boot, the LAC takes precedence and connection gets established before Wi-Fi.  If it isn’t plugged in, then the Wi-Fi connection takes over.

Non-Network Tweaks

One of the remaining pet-peeves I’ve had with Tatiana, my new Dell Studio 15 laptop, has been the sensitivity of the touch-pad.  I’ve had to put up with automatic text zooming when I brush against it or hover my thumb over it.  Touching the side/bottom scroll zones on the touch-pad sent web-pages flying up/down & left/right.  It was like trying to manage the throttle of a Mustang 5.0 on a slippery-as-glass wet roadway!

Fortunately, I’m not the first who has found this default Dell touchpad behavior, really, really annoying.

How do I change my Dell Touchpad settings and preferences?  -- Ask Dave Taylor!

Turns out Dell has an embedded “Dell Touchpad” management utility tab embedded in the mouse settings.

Poking around in there, I set the pad sensitivity from “hair-trigger” down closer to heavier touch, I disabled the text-zooming feature, and set the scroll-zones on the touch-pad to be much narrower than default.

A few more fine-tuning tests and the touchpad is now no longer a bad actor but a well-groomed thespian.

Finally, I added a System Restore Point Shortcut - Windows 7 Forums - great tips on how to make a shortcut to fire off a System Restore Point rather than the longer method.

Cheers!

--Claus V.

Sunday, October 03, 2010

Just a Note or Two and some SteamPunk


cc attribution: Notebooks by See-ming Lee 李思明 via flickr

Wow.  Can’t believe it has been this long since the last post!  What’s sad is that very little of it has been spent on the new laptop.

Mostly bad-crazy work stuff leading me to be exhausted by the time I get home from work. Then honoring time and family commitments on the weekends.  So much to post…so little time.

On the plus-side I’ve been able to really put some of the tools and techniques I blog about into incident response action lately.  While it is never a “fun” thing to have to do, it is pretty cool when you get to apply your knowledgebase in extreme situations.  While (unfortunately) it’s very doubtful I will share any information at all, I do expect to share some more information on tools and techniques I found valuable in the process.

I’m taking a break at the moment from technology posts to go a bit “old-school”.

While I generally use QCC’s freeware tool CaseNotes to document my incident response activities, and find it really does an excellent job fitting my needs, I almost always keep a pen and micro-sized paper notebook on my person as well.  Beats writing on my hand and is great for jotting down phone numbers, bits of data, field observations, quotes, URL links, etc.

I’ve been thinking of this lately as I saw some Moleskine mini-notebooks a few weeks ago when visiting the bookstore with mom.  I didn’t pick any up but they did catch my attention.

Then The Art of Manliness blog ran a series of articles that really encouraged me to use them that much more:

The comments in the first post were a treasure-trove of links and materials for the notebook carrying fan.  I found a number of great sources for fun and functional mini-notebooks.

Field Notes - Seemed to be one of the most popular sources for no-frills “common-man” notebooks.

Rite in the Rain - Was praised by field workers, outdoorsmen, military/LE, and other extreme environment folks.

Moleskine - This brand seems to have splashed onto the market with much fan-fare.  The quality and variety seems to make them very popular with note-takers and artists alike.

Right now, I am using these Top Flight Sewn Mini-Marble Composition Books (Amazon.com) that Alvis tossed my way.  They fit unobtrusively in my front pocket and are surprisingly durable.  They are very cheap…so I tend to toss them when all the note taking is over and they are filled up.  Not really archival material.

I had been using these Mead Wirebound Memo Books (Amazon.com) but the wire ring would get crushed after a few days in my pocket and the pages tore out too easily.  So I just keep one in my car only for quick notes but that’s it.  It will likely be replaced soon.

These Writersblok Bamboo Mini Notebooks looked like a cheap and nice alternative to my current notebook fare. Made by K I K K E R L A N D, they seem high quality and fit the quirky and fun other products offered by them.

Turns out there is a whole fan-following of notebook bearers!

I’ve scored a few new RSS links for some sites that live and breathe all things creative and useful with notetaking and notebooks.

The Little Black Book by Pad&Quill - This was pretty clever…and inspired me.  I’m overwhelmed at the moment with ballistic nylon carrying cases for all my portable hard drives and gizmos.  After looking at this, I was struck with how easy it would be to stop by ye-old/used-bookstore and pick up some tomes that had outward character to their binding and cover.  Then hollow them out to make carry-cases for the portable USB HDD I carry.  Some glue and some tiny metal/magnets to hold the lid shut and bam--pretty neat carry-case!

SteamPunk Resources

As a Sherlock Holmes fan, I appreciate the romantic notion of the Victorian era (but accept the Dickensian reality).  Add to that the fact that Last Exile is based heavily on a “SteamPunk” styling and my artistic eye is smitten.

Turns out there is a whole fan-base devoted to making and living SteamPunk style.

Steampunk Wallpaper is a very recent find that has provided a ton of awesome high-quality desktop wallpapers in the SteamPunk/grungish style.  Really stunning work here by the artists.  Even if you aren’t a fan, you are bound to find something appealing.

The Steampunk Workshop | Technology & Romance - Fashion, Style, & Science - Ongoing web-site filled with the very best examples and guides to SteamPunk hardware and software.

The Steampunk Home - Neat ways to add that anachronistic touch of class to your home; many with commonly available materials repurposed.

SteamPunk Magazine » Downloads - Free PDF downloads of SteamPunk Magazine.   Very interesting articles and perspectives…to say the least!

Happy notetaking and jotting!

--Claus V.

Sunday, September 12, 2010

A Dell Named Tatiana

After much family encouragement and a fair bit of penny-pinching, I recently ordered up a new personal laptop system from Dell.

This was to be a replacement for the well-loved Gateway MT6451 notebook I’ve been using.  I had already had the DC plug repaired once and it was failing again.  I wasn’t ready to reinvest in another repair, so it had been sitting static on my desk to avoid having to re-jiggle the cord/plug to keep power flowing.  Not very practical for a laptop.

As noted in a recent GSD post, I did a lot of research and consideration for this system choice.  I wanted something “small” so it would be a bit more portable than the 17” + notebooks now commonly available. I wanted power, so that meant an Intel i7 core system, and I still needed something that was at a decent price point.

In the end, fueled by some good discounts, I settled on a Dell Studio 15 (1558) notebook.  It’s got the i7 core, a 500GB drive (SATA…no SSD for me yet…), and a wireless 802.11a/g/n card that now finally allows me to take full advantage of the D-Link DIR-655 Xtreme N Gigabit Router wireless router I picked up some time ago.

I did spring for the full 1080p high-def display option (gorgeous!) though a Blu-Ray drive wasn’t an available option at the time.  However, standard DVD playback is really, really good.  It also has a dedicated 1 GB video card. And I got the Ruby Red lid.  A wise purchase as it really conceals fingerprints, and as my brother says, “…red makes it go faster.”

Alas, the Gateway just couldn’t successfully run many higher-end graphic applications under Win7; including Celestia, Photoshop C4 x64, Google Earth, and a few others.  It was getting to be an annoyance.  No more.  Google Earth renders beautifully fluid.

It takes about a minute to go from a power-off state to desktop.  I’ve yet to really challenge the i7 core.  I’ve done some x64 bit Photoshop work already as well as video editing and it barely causes a bump on the utilization graphs. (I run Process Explorer at boot as a scheduled task, sending to the system tray with the “-t” switch.)

I’ve not had time to finish setting up my virtual machines yet, so I’m very hopeful the i7 core will really add virtualization performance.

Sure, an i5 core would have probably been sufficient, but this is the very first time I’ve actually allowed myself to get a system I really wanted (from a feature standpoint)…and then a splurge of a bit more in power.

I’ve christened it “Tatiana” due to the red lid and power in honor of the Last Exile character Tatiana Wisla and the complex relationship between Tatiana and Claus in the Last Exile anime series.  She masterfully pilots a red “vanship” fighter and is Claus’ match.  Seemed fitting.  Hence when it was on order and I was anxiously awaiting delivery, Alvis would tease me with a wicked tone, “Dad’s been busy getting to know his new mail-order-bride. Tatiana.”


The biggest concern after reading reviews that really gave me pause to consider were findings that the cooling fan was obscenely loud in early Dell 1557 Studio 15 models with the i7 core: Review Dell Studio 1557 Notebook - Notebookcheck Reviews and this Dell Studio 15 (1558) Review - Laptop Magazine. And they got really hot on the bottom/top.  I am pleased to say that isn’t the case with my experience with the 1558 model.  While the power brick is thinner than I would have expected (my work Latitude E6400 brick is almost twice as thick to only support a dual-core) it is the only thing that seems quite warm.  The 9-cell battery pack lifts the notebook up creating a large air zone underneath.  I find using a hard-board placemat to rest it on while on my lap is perfect.  The fan rarely spins up unless the core is really working, and while the keypad/wristpad does get warm, it is not hot to me.

Software is loaded up. Things are tweaked.

Thanks to Tiny Apps blog for the Tiny HDD activity monitors post.  This notebook has no HDD activity LED indicators at all (what up with that Dell?) so I settled on the HDDMon utility. Sweet!

I’ve also tweaked it for some network usage requirements.  I miss the old XP style network activity indicator icon in the system tray so I added in a free Network Activity Indicator for Windows 7 - IT Samples.  More here Get the Classic Style Network Activity Indicator Back in Windows 7 - How-To Geek.  I’m going to return to network tweaking for Win 7 systems shortly.

All in all it seems to be a rock-solid, wicked-powerful notebook that I hope to get a lot of use out of.

Hopefully this will expand my computing abilities and enhance the GSD posting activity and adventures to come.

So, the Valca home welcomes its newest member, Tatiana!

Cheers!

--Claus V.

Saturday, September 11, 2010

Been too long…

Yep still here.

As Alvis has commented more than once recently in a wicked tone, “Dad’s been busy getting to know his new mail-order-bride.”

While not nearly as salacious as it sounds coming from her, I’ll save that info for a follow up post. However she is partially correct.

Last Monday, I had planned a relaxing Labor Day holiday chilling out at home catching up on blogging and clearing some pieces of work.  Mom had called however and decided she needed some out-and-about activity with son #1 since son #2 was living large in Colorado on a respite before leaving fair Texas for a long-term work-assignment in a foreign country; Baton Rouge, LA.

So mid-morning I drove over to Mom’s, loaded up the car and pointed it to the shadow of downtown Houston.

She had caught a local news piece on the local Houston connection to the movie Mao’s Last Dancer and was determined to see it before it left the single screen that was showing it.  It’s got flashbacks to communist China and the humblest of villages, ballet, opera, love, ballet dancers, Houstonians, Houston sights and scenes, ballet dancers, a famous local lawyer and an international showdown.  And the F.B.I. makes an appearance at least once.  What’s not to love! Right?

Anyway I’d seen neither the trailer nor the news piece so was suspicious but a good sport.

We drove over to the 1930’s-era River Oaks Theatre, found one of the few parking spots that didn’t have a “30-min shopping only” sign painted boldly on the hot black pavement and stood in line for the tickets.  (Only later would I spy the nice super-new parking garage hidden across the street from the theatre. Oh well…next time…)

While I have known and heard of the River Oaks Theatre, I’d never been inside.  It reminded me instantly of a similar home-town one long since crumbled that I used to go to as a kid.  This one has been lovingly cared for by a devoted staff and brings back an instant ambiance of the golden-screen days.  The seating was very comfortable and I felt we were falling back in time. Well, had it not been for the fancy Häagen-Dazs ice-cream bar mom was munching on.  The theatre specializes in international, art, and foreign films that would almost never see the light of projectors in the local mega-movie-plex.

It was a very full house.  And the movie was really good.  Sure, some of the Houstonian stuff seemed a bit over the top, but I guess that’s how most of the world thinks we talk. (We don’t.) And there were some local scenes in the background shots that were not period to the ‘80s.  But small quibbles aside, it was a very impactful movie.  Like most in the audience, I was leaking man-eye-sweat at the end of the film.  Definitely recommended and worth seeing.

Afterwards, Mom wanted to go across the street to the B&N to replace a Julia Child book she had lost.  I got a bit sentimental (maybe it was from the movie) but it was strange.  Right inside the entry was a kiosk where a clerk was demonstrating the benefits of an e-book reader to folks, selling units, and books.  Time is turning my friends.

I worked in the local library growing up in my teen years and used to love the proximity and time spent among the shelves.  It was a perfect job. Now I seem to dash into the bookstore for a technical book, and dash right out.  Not with mom.

We lingered.

She looked at the tables, opened up random books, chatted away, and just was present there.

That forced me to be so as well.

And I noticed lots of books again; history books, cartography books, novels.  Their covers carefully planned to invite and entice.  Best sellers and bargain buys.  One shelf was filled with strange and unique books, selected by the local employees, with little cards on the shelf edge. The cards had the staff-member’s name and a single sentence why they loved it so much and recommended it.  The comments were more wonderful and mysterious than any ad-campaign or glitzy display. It was humble and seemed genuine.

And as I stood there surrounded by all the books two things struck me; that these books represented so many new authors trying to get started and old ones firmly established, all telling their own, special story, and that I probably was like many now, in too much of a rush to linger and let the books and stories seduce me as they used to so passionately, instead being addicted to the mad-hose-pipe flow of RSS feeds, Internet media, and that damned moving picture screen in our living-room.  What will such book stores look like 10 years from now? The same? or will they have been replaced by the Kindles and Nooks and the warmth of the pages on a cold winter’s night be replaced by the cool plastic.

I mean I get it. Really.  While I don’t (yet) have an e-book reader in our house, I see and understand the convenience and flexibility of having so many stories and such available on download demand, but real books are still touchstones, for now.  And it has been too long since I slowed down enough to just hang out with them and let them try to lure me away from the straight and narrow, to Timbuktu’s and fields and fen.

Anyway, by now mom was hungry so I suggested a local Mexican eatery in the East End or maybe a local BBQ place.

No.  Mom would have nothing of that.

We re-crossed the street (sorry Houston, you still have a long way to go to being a pedestrian-friendly town) and mom led the way over to the nearby La Madeleine café.

While familiar, I’d never eaten there yet.  Mom had and soon she had picked her quiche and tiramisu while I had scored a French-dip sammy and a cup of French roast coffee.  We sat at a small table, chatted, and took our time eating.  Both the time and the food were delicious.  And the people watching was quite entertaining.

Eventually we ended the early afternoon and we braved the now impending downpours of what was left of Tropical Storm Hermine as she started her two-day deluge of our bayou-based city.  We made it home, but there was some major ponding on the freeway lanes.  Only good timing and fortune allowed us to have our walkabout without a single drop falling until we were headed home.

Been a long time since I spent that kind of long, lingering day.  And I guess Mom knew I needed it even more than I realized.

Moms are so wonderful…

--Claus V.

Sunday, August 29, 2010

This Week in Security and Forensics: Beware the cake!


Cube Party! image used with permission from John Walker at "rockpapershotgun.com"

Yeah, the cake is a Portal thing.  Let’s dispense with introductions and get right down into it this week before GLaDOS barges in.

Anti-Virus

Not new but I think it is worthwhile to reflect on the impact rogue/fake AV products have.  Not only did I get the joy of cleaning one such infection off my own dad’s system, last week I painfully listened to another dear friend tell of dropping almost $400 to local PC shops to remove another such infection…in the end they just reinstalled Windows for him.  I told him to call me first next time.  My local pizza house rates are much cheaper, and I find it perversely fun to hunt and clean this stuff off a system.

Lessons:

Communicate. Luckily its victims were visiting www.cacetech.com, so we could pass along updates in near real time. Google and Bing helped track down users posting questions to online forums. I responded to each question with any information I had at the time.

People don’t run AV software. Seriously — you should at least be running something like MS Security Essentials by now.

Even cake is dangerous. One of the infections apparently happened while looking for pictures of cake on Flickr.

It’s my understanding that the free VIPRE Rescue tool can also cleanse it from a system.

The winners: Microsoft Security Essentials, AntiVir, Avast, Agnitum, AVG, EmsiSoft, Eset, Kaspersky, Symantec, PC Tools, Check Point, Lavasoft Ad-Aware, Kaspersky and of course, Sunbelt and many others.

  • Clam AntiVirus - Recently released in version 2.0.  This is not your father’s ClamAV any longer.  Now includes “cloud-based” protection engine and many more enhanced features.  See also VRT: ClamAV Release Announcements for a full detailing of the little devil.
  • Alureon Evolves to 64 Bit - Microsoft Malware Protection Center - This was fascinating and a sure sign of the growing prevalence of x64 bit systems.  Alureon is a rootkit that has commonly targeted x32 bit Windows systems.  Security teams noted the inclusion of an inert file called ldr64 as part of the file system.  Lately it has morphed into an active version that can infect 64-bit systems.  Fortunately, its presence is detected by Microsoft Security Essentials, and evidence is easy to find manually if it is running: the Disk Management pane of the Computer Management console will be blank of all local HDDs, and the DiskPart command doesn’t locate any disks when “list disk” is run.

Tips and Techniques

Making Material

  • Fundamental Computer Investigation Guide for Windows -- Microsoft TechNet -- Not sure where I came up with this. Dated back from 2007 but still is a small free resource zip file to download, read, and archive. Besides the primary information document, it also contains some DOC files to use as worksheets and templates…or as inspirations to design your own. Download

The Fundamental Computer Investigation Guide for Windows discusses processes and tools for use in internal computer investigations. It introduces a multi-phase model that is based on well-accepted procedures in the computer investigation community. It also presents an applied scenario example of an internal investigation in an environment that includes Microsoft® Windows®–based computers. The investigation uses Windows Sysinternals tools (advanced utilities that can be used to examine Windows–based computers) as well commonly available Windows commands and tools.

  • I’m not sure where I found the link from, but the US Justice Department’s CyberCrime Laboratory created an awesome Digital Forensic Analysis Methodology Flowchart (PDF link).  Print this one out. Study it, and keep it handy for review.
  • Just dropping this older GSD Post Focus on Forensics Linkfest in the mix here as it contains links to multiple templates and forms for chain of evidence recording and such.
  • Intro to Report Writing for Digital Forensics -- SANS Computer Forensic Investigations and Incident Response Blog -- Must read, because it is never enough just to dig up the pieces during an investigation; to be successful you must document your process as well, and present it in a manner that non-technical folks can understand and technical folks can validate.

Tools and Utilities

  • Quickpost: .LNK Template Update -- Didier Stevens -- tool update to now identify well-known Shell GUIDs as well.  See also his .LNK template post for additional info.
  • Fget -- (freeware) -- HBGary tool “…The fget tool forensically extracts files from raw NTFS volumes on remote windows systems in your domain. This tool works over the network and can extract any file (including those that are locked and in-use) in a forensically sound manner, without altering target filetimes or attributes. In particular, the tool can be used to extract files that are critical to timeline reconstruction.”  Spotted via this FGET: Network-capable forensic data acquisition tool post at Help Net Security.
  • Fingerprint -- (freeware) -- HBGary tool “…framework for scanning binaries (preferably binaries extracted from memory so they are already unpacked). It allows scanning for ascii/wide strings and byte patterns, then annotating results. Results are saved in an xml format and can be compared to previous results. The goal is to allow quick development of new search patterns and easy comparison to previous binaries.” Spotted in a great write up Open Source Malware Fingerprinting – Free Tool at the ESET ThreatBlog.
  • Historian -- (freeware) -- Reads history, bookmark, cookie and cache information for raw browser files from Gaijin software.  Recently updated to version 1.4.4.  While there are lots and lots of tools now to help with browser history examination, I still like having different ones at my disposal to give me flexibility in both analysis and reporting.
  • RegFileExport -- (freeware) -- It’s a new NirSoft tool!  This gem is a CLI tool to “…easily extract data from offline Registry file located on another disk drive. RegFileExport read the Registry file, analyze it, and then export the Registry data into a standard .reg file of Windows. You can export the entire Registry file, or only a specific Registry key.  RegFileExport may also be able to export some of the Registry data even when the Registry file is corrupted and cannot be loaded by Windows.”  Check out the whole page to get the usage and “more information” areas understood as well.  It can even handle extraction of Registry data from XP restore points!  “You can find the Registry files of every restore point under C:\System Volume Information\_restore{guid}\RPxxx\snapshot. However, you must change the permissions of this folder in order to access these files, or alternatively, you can run cmd.exe as a SYSTEM account (with 'at' command), and then you'll be able to access this folder and the Registry files that are stored in it. Be aware that the _restore{guid} subfolder also has 'hidden' attribute.”  Sweet!
  • TinEye Reverse Image Search -- I thought this was cool.  Suppose you come up with an image file that appears to have been downloaded from the web, but you don’t have a context for the source?  You could try TinEye to see if you could find locations where the file came from on the Web.  While it would be difficult to say with certainty that was the source, it might help provide some interesting information especially if taken as part of a larger context of data.  via Idée Labs

Mostly Wireless

I had spotted that the next two items were recently updated and then decided to go ahead and list other wireless-related utilities since birds of a feather…well…you know…

Oh those DLL eyes

  • It’s those darned DLLs again... -- Windows Incident Response blog -- Probably the very best roundup and review of the latest DLL “vulnerability” now capturing the attention of the for/sec groups since the .LNK brouhaha. 
  • Malware Persistence without the Windows Registry -- M-unition Blog -- Noted here both for the great technical explanation of the issue as well as the provision of a free tool to help assess the situation on a system.  From Nick Harbour’s post:

I’ve written a program to identify all locations and filenames that a DLL could be placed to achieve persistence on a given system.  The idea is that you can run this program on a clean (Gold Image) system and forensically search for any DLL name listed in the output on a machine you suspect of being compromised with this method of persistence. 

The program examines running processes and determines hijackable DLL locations by the following properties (applied to each loaded dll in every running process in the system):

  1. The process executable that loaded the DLL is not located in the System32 folder
  2. The DLL name is not found in the KnownDlls object
  3. The DLL is not found in the same directory as the executable

Any loaded DLL that contains all three properties is susceptible to being trumped by search order hijacking.

The tool (compiled and source) to identify possibly malicious 32-bit DLL locations from a clean system can be found here.

You have to run it from the command line and it requires "elevated" or administrator privileges to run.

Also, the output will be to the CLI window. Depending on how much data you have you may not be able to see all the results.

Try "piping" the output to text with a command similar to below. Then when done open the resulting text file in notepad.

finddllhijack.exe > dllwatchlist.txt

Worked great on my x64 Windows 7 Home Premium system and I got output of a total of 560 different dll files/locations to keep an eye on.

"Here be Dragons" caution: This tool doesn't provide a "smoking gun" to any actual malware-based dll's or vulnerabilities. So please don't go deleting stuff just because it shows up here. That's not the point of the tool. It does help collect information about potential targets for the examiner to then consider with the points made by Mandiant above.
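To make the three properties above concrete, here is an added example (my own, not Mandiant’s finddllhijack tool or its source) that applies the same rules to a constructed snapshot of running processes and their loaded DLLs, builds the watchlist of locations a gold-image baseline would flag, and then checks a file listing from a suspect machine against that watchlist. The process list, the KnownDLLs set and the DLL names are all constructed sample data; on a real host they would come from a module listing (e.g. Process Explorer) and the KnownDLLs registry key.

```python
"""Search-order hijack watchlist: the Mandiant three-property check, re-implemented
as a standalone example over constructed sample data (not the original tool)."""
import ntpath
from dataclasses import dataclass

SYSTEM32 = r"C:\Windows\System32"


@dataclass
class Proc:
    """One running process and the full paths of the DLLs it has loaded."""
    exe: str
    dlls: list


def is_hijackable(exe_path: str, dll_path: str, known_dlls: set) -> bool:
    """Apply the three properties from the post to one loaded DLL.

    All three must hold for the DLL to be flagged; comparisons are
    case-insensitive because NTFS paths and DLL names are."""
    exe_dir = ntpath.dirname(exe_path).lower()
    dll_dir = ntpath.dirname(dll_path).lower()
    dll_name = ntpath.basename(dll_path).lower()
    # 1. the process executable that loaded the DLL is not in System32
    if exe_dir == SYSTEM32.lower():
        return False
    # 2. the DLL name is not in the KnownDlls object (those are never searched for)
    if dll_name in known_dlls:
        return False
    # 3. the DLL was not loaded from the executable's own directory
    if dll_dir == exe_dir:
        return False
    return True


def build_watchlist(procs: list, known_dlls: set) -> set:
    """Return the lower-cased paths (exe directory + DLL name) where a planted
    DLL would be found before the legitimate copy. Run on a clean system this is
    the baseline list to search for on a suspect machine."""
    watch = set()
    for p in procs:
        for dll in p.dlls:
            if is_hijackable(p.exe, dll, known_dlls):
                location = ntpath.join(ntpath.dirname(p.exe), ntpath.basename(dll))
                watch.add(location.lower())
    return watch


def check_suspect(watchlist: set, suspect_files: list) -> list:
    """Files present on the suspect system at a watchlisted location.
    As the post says, a hit is a lead for the examiner, not a smoking gun."""
    return sorted(f for f in suspect_files if f.lower() in watchlist)


# Constructed sample data (hypothetical paths and DLL names, except the KnownDLLs
# entries, which are real system DLL names used only as set members).
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}

SAMPLE_PROCS = [
    Proc(r"C:\Program Files\ExampleApp\app.exe",
         [r"C:\Windows\System32\kernel32.dll",        # KnownDLL: skipped
          r"C:\Program Files\ExampleApp\helper.dll",  # same dir as exe: skipped
          r"C:\Windows\System32\comlib.dll"]),        # flagged
    Proc(r"C:\Windows\System32\svchost.exe",
         [r"C:\Windows\System32\wtsapi32.dll"]),       # exe in System32: skipped
    Proc(r"C:\Users\alice\AppData\Local\Tool\tool.exe",
         [r"C:\Windows\System32\netutil.dll"]),        # flagged
]

# Constructed file listing from a hypothetical suspect machine.
SAMPLE_SUSPECT_FILES = [
    r"C:\Program Files\ExampleApp\app.exe",
    r"C:\Program Files\ExampleApp\comlib.dll",   # sits where the loader looks first
    r"C:\Windows\System32\comlib.dll",
    r"C:\Users\alice\AppData\Local\Tool\tool.exe",
]


if __name__ == "__main__":
    watch = build_watchlist(SAMPLE_PROCS, KNOWN_DLLS)
    print("watchlist (gold image):")
    for loc in sorted(watch):
        print("  " + loc)
    print("suspect hits:", check_suspect(watch, SAMPLE_SUSPECT_FILES))
```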

Returning to the linkage roundup…

Finally let’s let Microsoft give us all the remaining bits of the scoop from their perspective.

As well as their tool to help mitigate the issue (platform specific tool download links at the bottom of the page).  Just read well to understand the tool and how it works before using!

And if you haven’t guessed it, this is just a new resurgence in an old exploit.

Yes my friend, only eat the cake if you dare….

--Claus V.

Saturday, August 28, 2010

Oh for the love of Pete!

Seriously Dell.

So about two weeks ago I assisted a dear older friend of mine with setting up his new Dell Studio 16 system.  What followed was almost a repeat of Dealing with the Dell … 2010 Edition that I had done for his Inspiron desktop system back in March 2010.

We didn’t touch that system but only copied his user folder files (my documents, my pictures, etc.) over to this new system.

Case closed.

Only he called me back the next day to report his desktop system wouldn’t turn on. Something about it coming up in “power-save” mode on the monitor and then nothing.

I swung back over the following night after work and took a look.

The “power-save” mode message was a red-herring as that was his LCD display displaying that message.

He said the day after I had left, he came in to find it just dead.

I hit the power-button and got the BIOS, then it went into the Windows 7 “Safe Boot/Normal Boot” option.  Then it went dark.

No biggie, I punched the power button again but got nothing this time, not even BIOS.

Hmm.

Suspecting a loose power-cord I eased the unit out of the desk cubby to pull/replug the power plug into the PSU, only I heard a strange deep grinding noise.  Odd.

So I unplugged all the cabling, set the case on the side, and opened it up to inspect.

Everything looked OK, but then my eagle-eyes caught that the heat sink seemed a bit off-kilter.

Closer inspection found this indeed was the issue.  It looked like the clip holding the fan/heat sink to the core had popped loose.  The loose heat sink banging against the case lid was the noise I had heard.

I went to reattach it and found the core problem.

If you look at the image to the left, the top area outlined in green shows the plastic knuckle the single spring-clip attaches to on one side of the core.

On the bottom can be seen the second mounting point…only the plastic knuckle for the clip has broken off.  (I found it after a bit of searching in the case.)

So the final root cause analysis is that the plastic knuckle failed (defect?) causing the heat sink clip to no longer apply tension to the heat sink/cpu.

The contact had become loose enough now that the CPU could not cool and at boot, got hot and tripped the thermal safety fuse, shutting down the system and preventing boot.

No telling how long things had been this way.  Since the orientation of this desktop model is tower-based, the system board is vertical so it is possible that gravity and thermal-paste adhesion allowed the heat sink to make just enough contact for the heat-transfer to continue for some time.  Just fortunate the other clip end held to keep the block of aluminum from crashing loose down the system board all this time, including my blind removal of the unit from the desk cubby.

It was late so I gave him all the information to provide to Dell support (it was under warranty) the next day. Serial Number/Service Tag, Express Service Code; tell them the plastic mounting bracket that attaches to the system board has failed, heat sink not coupling to CPU causing the failure and you need a replacement. The fact that I initially saw a normal BIOS/Windows boot recovery screen made me feel the CPU itself hadn’t burned up earlier. Case closed. 

FAIL #1 -  My dear friend called Dell the next day and spent an hour with tech-support. They were following the handbook troubleshooting flowchart and wanted him to allow them to remote attach to the system so they could diagnose what was failing themselves remotely.  Goodness.  No boot.  Good luck with the remote attach and control there Dell overseas support.  He gave up in frustration.

I came back again later the next day and made the call myself.  When we finally got our call picked up, I passed the information over to the dear Dell support rep for the system, then simply explained what the issue was, that I needed a replacement mounting bracket. “We’ll send a motherboard, memory, PSU as well just to be safe.” was the reply. 

My friend was amazed.  I guess I deal with enough PC support vendors at work that I just talk the geek-talk directly with authority and am not challenged. Five minute discussion with me versus an hour for him. Go figure.

Two days later the Dell tech contractor rolled out and changed out the motherboard entirely, and PSU for good measure.  This set the stage for…

(Note: Fail # 1.5 -- the Dell rep didn’t bring out any fresh thermal paste with him.  When challenged by my friend on this (since I had mentioned it to him) the rep said something to the effect that there was enough still on the pieces anyway and that removing the paste already on there to put fresh paste on would lower the thermal performance. WTF?)

FAIL #2 -  My dear friend called Lavie the next day asking if I could help him again as now he has a black desktop wallpaper and the system says it is running counterfeit software!

As Lavie repeated their conversation I knew exactly what happened.  Sweet Jebus, Dell!

Stopping by again on the way home, my friend explained how he had spent another hour + with Dell trying to solve this on his own with them.

After repeated attempts by him to enter his Windows 7 key code (copied from the label on the case) he and the Dell rep gave up as it wouldn’t “take” for some reason.  The Dell rep then had him boot into the Dell recovery/diagnostic partition and told him to do a system restore.  Thank goodness my friend had the presence of mind to ask “Won’t this delete all my data?”

Yep. Said the Dell rep. But it was the only way to get his system back again since there obviously was an issue with the product key.

So my friend hung up and called Lavie to send me over.

I got there, fired up the system, went to the product (re) activation area on the system properties window and selected “activate by phone”.

Awed, my friend watched as I fed in the numeric code the system had presented me and then entered in the response code echoed by the automated Microsoft system.

Accepted, activated. Rebooted. Done.  Moving on.

Because Dell had chosen to replace the entire motherboard, rather than just taking off the plastic mounting bracket from the good motherboard and swapping it for the bad one, the system board had changed, tripping Windows 7 internal anti-piracy measures and requiring a product reactivation.

To make matters worse, neither Dell rep (in person or on the phone support line) had even suggested he just attempt to activate over the phone when the on-line method failed.

So now he is up and moving along just fine again, and swears he will call me first before calling Dell ever again.

How’s that for customer service?  I’m sure my check from Dell is in the mail right now.

--Claus V.