Sunday, January 24, 2010

Rapid-Strike Linkfest: Micro Edition

I know.  After the monster posts from last week, a micro-linkfest just seems out of place.

Luckily it has been a fairly slow week in the blog-o-sphere; with most attention focused on the ongoing Google-Gmail-China thing and some bit of to-do regarding a Microsoft IE vulnerability referred to as the “Aurora bug”, it has been fairly quiet.

That’s a good thing.

So sip on these links…nothing deep.  Mix of sysadmin and some security/forensics stuff.

  • Sysinternals Updates: ProcDump v1.72, Desktops v1.02, Sigcheck v1.65, DiskView v2.3.
  • The Case of the Slow Logons – Mark Russinovich has a great (and deceptively simple) troubleshooting walkthrough to solve a mystery of a 3-minute logon lockup.  Some (almost) identical systems had the issue and others did not….read on to see how some simple techniques with Sysinternals tools got to the heart of the matter.
  • ShellMenuNew - (freeware update) – Nirsoft’s tool to disable/enable “New” menu items in Windows Explorer got a quick update. For more information on the tool read Nir’s blog post: New utility to disable/enable items in New submenu of Explorer.
  • WinPrefetchView - (freeware update) – Nirsoft’s tool to view the content of Windows Prefetch (.pf) files also got an update.  This new version 1.05 adds in 'Run Counter' and 'Last Run Time' columns. So while some updates aren’t necessarily needed, this one adds additional useful information for both sysadmins and forensics guys and gals.
  • Evernote v3.5 - (freeware/$ for Premium subscription service) – got a major GUI makeover this past week.  I used to use Evernote when it was available in a portable version way-back-when.  The new web-connected version has cooled me to it.  I’m not interested (yet) in syncing my data across the Web, and other note taking apps (portable and not (like MS OneNote)) have filled the void that Evernote left.  That said, for those looking for a powerful, flexible, and Web-synchronized note taking application that interfaces with a variety of platforms, Evernote is just too darn awesome to not admire and like.  So here you go.  Check out the newest build and celebrate in their glory.  Spotted at Evernote 3.5 for Windows Released, Introduces Better Interface – Lifehacker.  Version 3.1 has an “install as portable” option once the primary version is fully installed on a system.  Feedback indicates no portable version release is intended for 3.5 onwards.
  • Paragon Backup & Recovery Free Edition – Spotted this a while ago and just because the free edition is so hard to find, thought I would post it mostly for reference.  It has a lot of great features, but it misses some others in the free version as well.  See this GSD post: Sync & Backup Tools (freeware) for more backup software options.
  • M-unition - DOD Cyber Crime: New Audit Viewer/Memoryze – post – the Mandiant gang is hard at work and will soon be debuting some new versions of awesome (and both free) incident response software tools Memoryze and Audit Viewer during their upcoming DOD Cyber Crime presentation.  Quoting from the post linked above:

    …we will discuss MANDIANT’s Malware Rating Index (MRI). We will finish with real APT incident demos where I’ll walk through the investigation of an infected system with APT.
    Now, a little more about MRI. MRI is a huge update to Audit Viewer.  Instead of going after a fish (malware) with a hook (signatures), I’m going after fish (malware) with a drag net (MRI). The goal of this feature is twofold. First it is going to help pinpoint specific processes that should be investigated further while attempting to eliminate some of the non-suspicious processes and get them out of the analyst’s way. It’s also designed to try and make APT detection easier. A lot of work went into looking at our samples and how they behave etc, and coming up with definable behaviors that trap those little creatures. MRI is made up of two components. The first component is a definable behavior rule set that is completely customizable. It is made up of three different types of rules:

    • Process Path Verification – allows users to define what processes should be launched from what directories. This triggers on malware that copies and names itself after svchost or other system processes to subdirectories within system folders. For example a default rule is that svchost can only be executed from \windows\system32. Any time we see it running from somewhere else we flag the process.
    • Process User Verification – allows users to define what processes should be running under what users.  This triggers on malware spawning svchost for purposes of unmapping image bases or hiding dlls within spawned svchost. So, for example, if malware copies itself to system32\dllcache and then names itself svchost.exe, you can define a rule saying svchost.exe should be running as local service, network service, or system. When Audit Viewer see svchost running as administrator it gets flagged.
    • Process Handle Inspection – this allows you to define specific rules pertaining to malware or generic behavior. For example a default rule is to flag svchost or iexplore anytime it has a process handle to cmd.exe. There is just no good reason for this to _EVER_ happen. You can also define rules based on specific malware, for example if a3c mutant is present then flag the process as being infected with sality.

    The second component of MRI is a process address space scoring mechanism. We will be releasing an update to Memoryze at DC3. The new release will contain bug fixes as well as a new feature called “Verify Digital Signatures.” When this parameter is turned on memoryze will perform a “digital signature check” on all loaded modules. This can only be enabled on live memory analysis. The digital signature check verifies the module on disk is digitally signed.
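As an added example (not Mandiant’s code, and not the Audit Viewer rule format, which the post does not show), here is a small Python rule engine that evaluates the three quoted rule types over a constructed process snapshot; the process names, paths and account names are assumptions picked to match the post’s own examples.

```python
# Added example: a minimal rule engine modelled on the three MRI rule types
# described above (path, user, handle), run over a constructed process list.
from dataclasses import dataclass, field

@dataclass
class Proc:
    pid: int
    name: str            # image name, e.g. "svchost.exe"
    path: str            # full image path as a memory tool would report it
    user: str            # account the process is running as
    handles: list = field(default_factory=list)   # process handles held (by image name)

# Rule set constructed to mirror the default rules quoted in the post.
PATH_RULES = {"svchost.exe": {r"\windows\system32"}}
USER_RULES = {"svchost.exe": {"local service", "network service", "system"}}
HANDLE_RULES = {"svchost.exe": {"cmd.exe"}, "iexplore.exe": {"cmd.exe"}}

def evaluate(procs):
    """Return {pid: [reasons]} for every process that trips at least one rule."""
    flagged = {}
    for p in procs:
        name, reasons = p.name.lower(), []
        # Process Path Verification: the image must live in an allowed directory.
        if name in PATH_RULES:
            parent = p.path.lower().rsplit("\\", 1)[0]
            if len(parent) > 1 and parent[1] == ":":   # drop the drive letter
                parent = parent[2:]
            if parent not in PATH_RULES[name]:
                reasons.append(f"path {p.path}")
        # Process User Verification: the account must be one of the expected ones.
        if name in USER_RULES and p.user.lower() not in USER_RULES[name]:
            reasons.append(f"user {p.user}")
        # Process Handle Inspection: no handle to the listed processes.
        if name in HANDLE_RULES:
            bad = HANDLE_RULES[name] & {h.lower() for h in p.handles}
            if bad:
                reasons.append("handle to " + ", ".join(sorted(bad)))
        if reasons:
            flagged[p.pid] = reasons
    return flagged

# Constructed sample snapshot: one clean svchost, one copied into dllcache and
# running as Administrator, and an iexplore holding a handle to cmd.exe.
SAMPLE = [
    Proc(800, "svchost.exe", r"C:\Windows\System32\svchost.exe", "NETWORK SERVICE"),
    Proc(1337, "svchost.exe", r"C:\Windows\System32\dllcache\svchost.exe", "Administrator"),
    Proc(2044, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", "claus", ["cmd.exe"]),
]

if __name__ == "__main__":
    for pid, why in evaluate(SAMPLE).items():
        print(pid, why)
```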

  • Tableau Forensic Products - TSW-TIM - (free) – Tableau High Performance Software Imager – Version 1.0 released.  This tool is designed to facilitate forensic image captures by responders.  From the product page:

    TIM v1.0 includes:
        * Innovative real-time acquisition graphics
        * Ability to schedule jobs for sequential or simultaneous imaging
        * Support for EnCase .E01, .DD, or .DMG output file formats
        * User selectable .E01 compression levels
        * User selectable naming conventions (date+time, drive serial number, or model+serial number)
        * Advanced error recovery and reporting
        * Calculation of MD5 and SHA-1 hash values
        * Image job, HDD, and write blocker information (for reporting and archival)

    TIM is a free download for Microsoft Windows XP, Vista, 7 or later (both 32 and 64-bit versions).

    Now if I could just get my requisition for the Tableau T35es forensic bridge cleared through the approvers…I would be in hog-heaven and be able to test this imaging software out…darn-it!

  • Google Chrome Forensics – SANS Computer-Forensics blog – not a “sexy” post, but chock-full of great reference material regarding Chrome/Chromium information for incident responders.  One nit-pick: the post mentions two versions, one being Chrome and the other the Chromium distribution for Linux.  However, that doesn’t seem right, even though the link referenced ( two different versions ) does say this.  There are also Chromium versions for Windows and OS X as well as Linux.  I use the Windows Chromium build as it contains the nightly pre-compiled Chromium builds.  Also, don’t forget the great freeware utilities for investigating Chrome browser activity including:
  • Pico Projector Film Fest Turns Ice Sculpture Into Screen - Underwire | Wired.com.  Micro-projectors are on the march!  Just thought it was cool.

Cheers!

--Claus V.
