Saturday, July 17, 2010

Security and Forensics Linkfest: Weekend Edition

Keeping with the GSD Theme this weekend…

Hang on, I’ve tried to group these a bit but it is still a ride all over the place.

PlainSight – Forensic LiveCD that incorporates counts RegRipper amongst the power-tools in the features. Can be run from a bootable USB device or CD and can be pointed to disk images or local disks.

The Windows Forensic Environment blog has some WinFE Teaser Screenshots showing some of some of Colin Ramsden’s custom WinFE build Work.  Very sexy stuff!  I can’t wait!  And for the CLI-challenged crowd, working with DiskPart in WinFE might take a moment to get used to. Luckily Brett Shavers has some easy tips in his DiskPart article as well as a cross link provided to his exhaustive The (Nearly) Perfect Boot CD (PDF) document.

For the past two weeks I’ve been working on a special project recovering lost files from a 1 TB drive (well, recovering them from a cloned copy of the original drive).  Although I already had my tools and methodology down before beginning, I did some some research in the process to make sure there weren’t any tips and tricks that could enhance my response work.   Here are some links that I found resourceful to save.  I may or may not be able to share details on this project sometime in the future.

REMnux: A Linux Distribution for Reverse-Engineering Malware is another pretty cool LiveCD ISO and/or VMWare image.

Finally, the off-line bootable Offline NT Password & Registry Editor for Windows systems has been updated to 100627 at the end of June 2010 by Petter Nordahl-Hagen.  Supports NT/2k/XP/Vista/Win7.

Computer Forensics - Windows Search forensics – by Joachim Metz is a great review on “Analyzing the Windows (Desktop) Search Extensible Storage Engine database”

Quickpost: Preventing the /Launch Action “cmd.exe” Bypass and Quickpost: No Escape From PDF by Didier Stevens get into PDF security issues.

Harlan Carvey Windows Incident Response: Links post touches on Didier’s work and then goes deeper on infection vector sources.  Also spotted in that post is that ShadowExplorer is at version 0.7.  This Manual page should give you an overview.

Lots of goodies in this Digital Forensics Case Leads: Spies, Social Networking Experiments, Live CDs & More SANS Forensic Blog post including the Orion Live CD (read the paper PDF first), and an assortment of free tools (link lists) provided by Forensic Control.

We are now doing regular network traffic monitoring, so all things Wireshark and forensic packet analysis are top on my read/watch list.  Such as this video of Hansang Bae’s presentation with Wireshark regarding his responsibility for Packet Capture Infrastructure at Citi.

The H Security has an incident summary by Frank Boldewin CSI:Internet - The image of death based on deconstruction of an email containing a suspicious PowerPoint presenation.  Great detail and chock-full of tips for incident responders to take note of.  See also his previous incident story Alarm at the pizza service.

Frank’s website,, contains even more incident responder goodies.

Nir Sofer’s been busy with a post on Recover L2TP,PPTP,PPPOE,DNS password from the router Web interface as well as updates to SniffPass Password Sniffer and SmartSniff.

Autoruns and Dead Computer Forensics at the SANS Forensic and Incident Response blog details added features (and limitations) of the latest vrsion of Microsoft Sysinternals Autoruns tool; the ability to load and analyze the autorun items from an offline system.  While not perfect it is a large step forward.  In addition, I found that it now loads saved autorun session files (*.ARN) much more cleanly than before.

Help Net Security had a tip to Casper Secure Drive Backup 2.0, a commercial ($) solution for complete system backup of PGP-WDE drives while still in their encrypted state.  This is one of the headaches of WDE.  I work with PGP-WDE systems almost daily, and performing incident response and system support to them is a headache. Sure you can make a backup of your system/data, but unless you capture a sector-based disk image of the whole system for restoration, or off-load the system backup in some “unencrypted” manner, and then re-encrypt that back up data, your back-up version might circumvent the whole point of having WDE in the first place.  Anyway, this is a pretty cool featured solution and the only one specifically for PGP-WDE that I have come across. A free 30-day trial version is provided by the company.  So from both a drive imaging/cloning and PGP-WDE perspective, I’m intrigued. contains quite a collection of script/tools by Patrik Karlsson, primarily vulnerability and penetration testing.  I came across this while looking for a tool to extract my home TightVNC 2.0.2 passwords (which I stupidly set without writing down!).  Alas even Nir’s VNCPassView wasn’t able to handle the new version.  So I just uninstalled TVNC from my couple of systems, then reinstalled and set new passwords, writing them down this time.

WinTaylor 2.0 is out! via the CAINE forensic LiveCD folks.  WinTaylor is a Windows based auto-launching interface for a collection of utilites for incident response, system auditing, and forensics work.  There are a few distros like this, boot the system with the LiveCD side, or auto-run the CD in a running Windows system and use these tools. 

The Sleuth Kit (TSK) & Autopsy: Open Source Digital Investigation Tools – yes, probably anyone and everyone who cares knows that TSK is now updated to 3.1.3 at the start of July 2010.

JL’s stuff: MovingHow To Respond To An Unexpected Security Event Forward was a tiny post but packed quite a punch by including these links:

As you may or may-not know, Google has been offering https:// based encrypted search support now via  However, that did cause some issues for users doing regular Google site searches when network administrators blocked the https:// based google location.  So now it has bee moved to  I mention this mostly as traffic monitoring might turn up some indication of these sessions but without the details normally expected to be found from bases search traffic. This Official Google Enterprise Blog: An update on encrypted web search in schools post gets into some of the details as do these posts:

For forensic packet capture reassembly, NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer is a favorite tool and I see it was updated to version 0.92 back at the end of May 2010.  I’ve had stability issues on my XP/Win7 systems for some reason with it, the packet capture assembly bombs out when loading PCAP files.  I’ve not tried 0.92 yet and had to go all the way back to v 0.88 or 0.89 for a stable build for some reason.  Don’t forget about NetWitness Investigator Software (also free) and Xplico - Internet Traffic Decoder updated to version 0.5.8 in late June 2010.  You can find it now on many LiveCd’s but they also now offer a VirtualBox image for it as well. Cool!

Finally, this Digital Forensics Case Leads: Ann’s Aurora Edition at the SANS Forensic and Incident Response blog ended being a real time-sink for me!

Somehow from that post I tripped over all the following links chasing the white rabbit.

Looks like it is one of many tools that uses Python.  I’m seeing it pretty often so I wonder if it would be worthy my while to get some foundational knowledge and experience in working with it on Windows systems?


--Claus V.

No comments: