Sunday, June 20, 2010

On Watch: Forensically Focused…


“Black Hawk watch” CC image on flickr by The U.S. Army

Wow.  Can’t believe how long it has been since I’ve been able to find enough free time to do a forensic-focused link-fest post.

Rest assured, I’ve been hard at work in the trenches, ever vigilant for tips and tricks to help both forensic pros and sysadmins find common ground in responding to Windows system incidents.

I hope you won’t leave disappointed…

QCC Information Security “CaseNotes” Updated

I’ve been using QCC’s CaseNotes for some time and find it really does an excellent job fitting my needs. The Digital Standard: Case Notes had a recent post that highlighted many of the best features of this freeware tool and that got me thinking.  Has it been updated lately?

Yep.  Pleasantly so!

  • More CaseNotes Updates – QCC blog post on the latest (June 8, 2010 ish) version of this application.

  • CaseNotes Updated! – and the QCC blog post from May 2010 that had some earlier fixes with in-depth explanations.

Major fixes include:

  • Case file backups only made during explicit user initiated saves
  • Backup copies now stored in a dedicated sub-folder
  • Number of case file backups increased from 3 to 10
  • Greater assistance for the corrupt case file 'password' issue
  • New menu item to reset screen position data to fix maximised windows
  • Fix for Open File dialog not recognising .Notes files in Windows 7
  • New dedicated 32 & 64 bit versions (emphasis mine! Woot!)
  • Supporting documentation still needs to be updated - coming soon.

I’ve found it challenging to keep up with updates on many such tools and utilities. Fortunately, I was able to find RSS/Atom feed links this time, so if you read RSS feeds, take these down:

MANDIANT Update Madness!

  • M-unition » Blog Archive » Web Historian: Reloaded.  Yep.  MANDIANT has gone wacky and updated their already wonderful Web Historian application and taken it to a whole new level!  So far I’ve been using it in full “installed” mode. But I suspect that with some tweaking of the custom/advanced path settings it might be supported in a “portable” mode.  New version supports FF2/3+, Chrome, and IE 5-8. Man!  The GUI has been majorly re-worked and can scan both local and “off-line” sources. Thumbnail previews are supported on compatible browsers. It also can export a “sanitized” version of history usage for sharing.  This is a really advanced tool now and worth checking out.  Did I mention it was free?  Tip: Read the PDF that comes with it.  Saves a lot of time on the learning curve. From the blog post…
    • Collects web history, cookie history, file download history, and form history into data sets  
    • Perform a live artifact scan of the local system
    • Perform an artifact scan of one or more arbitrary history files from all supported browsers
    • Data displayed in gridview style with full search, sort, and filter capabilities
    • Export data sets to XML, HTML or CSV
    • Extract and export history files used in live artifact scan
    • Customizable scan settings can tweak the scan to target specific browsers and data sets
    • View page thumbnails and indexed content
    • Export sanitized version of history results to distribute to others
    • Website Analyzer provides visualization of datasets using bar graphs, pie charts and timelines
    • Website Profiler shows a quick “report card” of artifacts for various websites

  • Web Historian 2.0 – download – register if you wish or just click the “Download Now” arrow at the bottom.

  • M-unition » Blog Archive » New Memoryze, Audit Viewer, and Training.  Yep. Memoryze and Audit Viewer also got updated!  Lots of new features and stuff.  From the post…

So what is included in Memoryze and Audit Viewer 1.4? Well, here is the short of it.


  • Support for Windows 2003 x64 SP2
  • Improved support of Vista SP1 and SP2 including port enumeration and a better installer
  • Enumeration of digital signatures for all loaded modules in a process’ address space, hooked and hooking drivers, and all drivers found by driver signature scans
  • Enumeration of MD5/SHA1/SHA256 hash on disk for all loaded modules in a process’ address space and all drivers found by driver signature scans
  • Updated documentation
  • Single installer for 64-bit and 32-bit versions

Audit Viewer:

  • Improvements to the Malware Rating Index (MRI)
    • Report visualization of MRI results
    • MRI rule editors that will allow users to graphically edit the MRI rule file
    • Handle Trust view to help identify suspicious handles
  • Ability to search results within a specific process
  • Multi-select with copy
  • Multi-select and export to a CSV file

I also see tantalizing teases about possible future public releases of MANDIANT tools for Memoryze/Audit Viewer on 64-bit Windows, and free tools to analyze Windows Vista/2003 (64-bit).

Forensic LiveCD Updates

What’s new?

      • Update: Sleuthkit 3.1.1 and Autopsy 2.24
      • Update: Xplico to 0.5.7 (100% support of SIP – RTP codec g711, g729, g722, g723 and g726, SDP and RTCP)
      • Update: Initrd
      • Bug fix: Dhash report (reports were not generated)
      • Bug fix: DEFT Extra bug fix (a few tools did not work if the operator clicked on their icons; added the dd tool for x64 machines)
  • CAINE 1.5 – CAINE forensic LiveCD is out. See this Release page for details.

  • CAINE 2.0 (code name "NewLight") is cooking – CAINE news blog.

WinFE Developments

WinFE is not my primary forensic LiveCD.  I’ve got a few others that come first in point-rotation. However, it still has a very warm and dear place in my heart.

So I was excited to see the hard work Brett Shavers has done in keeping this tool not only active, but expanding the knowledge base and ability of others to use and build this WinPE kissing-cousin.  Provided below is the main page as well as great WinFE resources and posts to peruse.

Well done, Brett!

Also, though not part of Brett’s project, the following Praetorian Prefect post is a great and fresh primer on WinPE and forensic work. I found the tips on using DiskPart to mount off-line volumes/drives read-only particularly useful.
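The read-only mounting mentioned above, as an added example (mine, not code from the Praetorian Prefect post): a PowerShell wrapper that feeds DiskPart a script marking the evidence disk read-only before it is brought online. The function name is hypothetical; the disk number comes from `list disk`.

```powershell
# Added example (mine, not from the linked post): drive DiskPart from PowerShell
# to bring an evidence disk online read-only inside WinPE/WinFE.
# Hypothetical function name; get the disk number from DISKPART> list disk.
function Mount-EvidenceDiskReadOnly {
    param([Parameter(Mandatory)][int]$DiskNumber)

    # Order matters: mark the disk read-only BEFORE onlining it, so its volumes
    # are never mounted writable (no journal replay, no access-time updates).
    # 'san policy=offlineall' only governs disks discovered after it runs, so a
    # WinFE image should already have it baked in; it is repeated here as a guard.
    $commands = @"
san policy=offlineall
select disk $DiskNumber
attributes disk set readonly
online disk
attributes disk
list volume
"@
    $scriptPath = Join-Path $env:TEMP "ro-disk$DiskNumber.txt"
    Set-Content -Path $scriptPath -Value $commands -Encoding Ascii

    # diskpart /s runs the script non-interactively; capture the text it prints.
    $output = & diskpart.exe /s $scriptPath 2>&1 | Out-String

    # Trust DiskPart's own status line ("Read-only : Yes"), not just the exit code.
    [pscustomobject]@{
        Disk     = $DiskNumber
        ReadOnly = [bool]($output -match 'Read-only\s*:\s*Yes')
        ExitCode = $LASTEXITCODE
        Report   = $output
    }
}

# Usage: mount disk 1 read-only and check the result before imaging or browsing.
$result = Mount-EvidenceDiskReadOnly -DiskNumber 1
if (-not $result.ReadOnly) { Write-Warning "Disk 1 is NOT read-only; stop here." }
$result.Report
```

DiskPart's read-only attribute is a software write-block only; hash the disk before and after the session to confirm nothing changed, and prefer a hardware write blocker where the case allows.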

Kon-Boot News 

While Kon-Boot might not be a tool for most forensic folks, sysadmins could have great use for it.  I’ve mentioned it a bit here on GSD and have been quite fascinated with the tricks it can perform as a bootkit.

  • Kon Boot – Kryptos Logic – This latest version is fully commercial and (reasonably so) you now need to pay-to-play, though a 1-user personal license is just $15.99 and a 1 year 1 user commercial license is just $60 more.

  • What’s My Pass? » Kon Boot 1.1 – What’s MY Pass blog has a roundup of some of the newer features in the commercial version.

  • All this said, the original KON-BOOT - ULTIMATE WINDOWS/LINUX HACKING UTILITY is still offering up free downloads of that earlier build so go grab them while they are still kickin’ free.

Windows Incident Response Blog: Link Madness!

I sometimes feel guilty for cross-linking to Harlan’s most-excellent adventuring forensics blog, who in turn cross-links back here to the humble GSD blog, but hey, good things often go full circle!

Here are some of the wonderful posts I’ve found extremely resourceful in content.

And though not a WindowsIR blog post, this seemed the best place to put this quick-reference gem from Tim Mugherini…

Rolling on with RegRipper…

Since I’m still exhaling from Harlan’s site…seems worthwhile to drop these links on morphing the incredible RegRipper (which got a site design refresh as well).

There is a whole lot to find and examine on the new RegRipper site so put some time in there.

  • RSS Feed – RegRipper site.  New as well is the ability to follow news and updates by RSS feed.  Sweet step-mother of baby Jebus!

Please forgive me while I pause to get a fresh cool minty beverage and recover for a moment.

Command Line Goodness Series

CLI tips and tricks from cepogue on The Digital Standard blog that can’t be ignored.

A Big TinyApps way…

Not to be out-done, TinyApps bloggist is laying down the whack of his own.

And in case you missed it embedded in the previous GSD post…

SANS Computer Forensic Investigations and Incident Response blog

Yet another source of amazing tips and linkage. Oh my.

And because I can’t remember if I found it on WindowsIR blog or here at SANS…

  • offers a great tool (USB History Dump) and article about extracting USB Trace Evidence from the Windows registry.  See also the NirSoft tool USBDeview and the Woanware tool USBDeviceForensics.
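As an added example (mine, not code from USB History Dump, USBDeview or USBDeviceForensics), here is PowerShell that pulls the same USBSTOR trace evidence those tools report and ties each device back to the drive letter recorded in MountedDevices. It assumes an elevated session on a live system, or an offline SYSTEM hive loaded under a hypothetical HKLM\Evidence key.

```powershell
# Added example: enumerate USB mass-storage devices recorded under USBSTOR and
# correlate each with the drive letter(s) MountedDevices assigned to it.
# Run elevated on a live system, or load an offline SYSTEM hive first, e.g.
#   reg load HKLM\Evidence D:\mount\Windows\System32\config\SYSTEM
# and call with -SystemRoot 'HKLM:\Evidence\ControlSet001' (hypothetical paths).
param([string]$SystemRoot = 'HKLM:\SYSTEM\CurrentControlSet')

$usbstorPath = Join-Path $SystemRoot 'Enum\USBSTOR'
$mountedPath = Join-Path (Split-Path $SystemRoot -Parent) 'MountedDevices'

# MountedDevices stores removable USB disks as their PnP instance path in UTF-16LE
# (_??_USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#SERIAL&0#{guid}); fixed disks use a 12-byte
# signature+offset blob instead, which the pattern below deliberately skips.
$lettersByInstance = @{}
$mounted = Get-Item $mountedPath
foreach ($valueName in $mounted.GetValueNames()) {
    if ($valueName -notlike '\DosDevices\*') { continue }
    $bytes = $mounted.GetValue($valueName)
    if ($bytes -isnot [byte[]]) { continue }
    $text = [System.Text.Encoding]::Unicode.GetString($bytes)
    if ($text -match 'USBSTOR#(?<class>[^#]+)#(?<serial>[^#]+)#') {
        $instance = "$($Matches.class)\$($Matches.serial)"
        $lettersByInstance[$instance] += @($valueName.Substring('\DosDevices\'.Length))
    }
}

$devices = foreach ($class in Get-ChildItem $usbstorPath) {
    # Class key name: Disk&Ven_<vendor>&Prod_<product>&Rev_<firmware revision>
    $fields = @{}
    foreach ($part in $class.PSChildName -split '&') {
        if ($part -match '^(Ven|Prod|Rev)_(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    foreach ($inst in Get-ChildItem $class.PSPath) {
        $serial = $inst.PSChildName
        # A serial with '&' as its second character was synthesised by Windows,
        # i.e. the device did not report a unique serial number of its own.
        $source = if ($serial.Length -gt 1 -and $serial[1] -eq '&') { 'Windows-generated' } else { 'Device-reported' }
        [pscustomobject]@{
            Vendor       = $fields['Ven']
            Product      = $fields['Prod']
            Revision     = $fields['Rev']
            Serial       = $serial
            SerialSource = $source
            FriendlyName = (Get-ItemProperty $inst.PSPath).FriendlyName
            DriveLetters = ($lettersByInstance["$($class.PSChildName)\$serial"] -join ', ')
        }
    }
}
$devices | Sort-Object Vendor, Product, Serial | Format-Table -AutoSize
```

A device that shows no drive letter was either mounted by volume GUID only or had its MountedDevices entry reused by a later device, so treat an empty DriveLetters column as "unknown", not "never mounted".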

Security/Response Checklists 

John mentions these Lenny Zeltser productions in particular and encourages tweaking these CC v3 licensed works to fit your own needs.

Who’s been cooking Sausage?!!

Why it’s DC1743 of course over in the Forensics from the Sausage Factory blog!

Alvis and I prefer a pork/venison mix, steamed.  Go figure.

The Final Four

Yep four more links to go.

  • NTPWEdit – Reset Windows password – 4sysops blog – Tool that works very well in WinPE/FE builds. Not that any of you forensic guys would be making such changes to a suspect system.  However, sysadmins may need to if malware or sheer local-user maliciousness boggled out the Admin password.

  • Forensic Pagefile: SAM Cracking using Ophcrack and Encase – I’ve not used Encase to do so, but I have followed a modified method to extract SAM files from an off-lined system, brought them over into a VM running the installed version of Ophcrack, then cracked dem profile passwords to accomplish my l33t sysadmin needs (…self-mocking there guys…).

  • Tableau Revision History – TIM. In case you didn’t get the email, Tableau’s Imager (TIM) software product has had a few updates that are pretty important to get and upgrade to, involving both critical and minor bug fixes.

  • (IN)SECURE Magazine issue 26 released – Chock full of security tips, news, and other goodness.  Related:  Harlan offers this free new issue link (PDF) to Hakin9 magazine.  Get the read on!

Be safe, be thorough, be fair and objective.  Be ever vigilant.


--Claus V.

1 comment:

Brett Shavers said...

Thanks for the kind words on the WinFE work (although I'm really just a user of it helping it along).

There is an update that you may like well enough to boost WinFE a few notches toward your first choices of boot disks...hopefully in the next 2 weeks, I'll have the downloads on my site that allow for a GUI for DiskPart, push button ease to inject drivers on a running WinFE system, and some other goodies. I also just migrated the site from Blogger to WordPress...

And thanks for your writings on WinFE, I read them thoroughly.
Brett Shavers