Sunday, January 24, 2010

Rapid-Strike Linkfest: Micro Edition

I know.  After the monster posts from last week, a micro-linkfest just seems out of place.

Luckily it has been a fairly slow week in the blog-o-sphere with most attention focused on the ongoing Google-Gmail-China thing and some bit of to-do regarding a Microsoft IE vulnerability and referred to as the “Aurora bug” it has been fairly quiet.

That’s a good thing.

So sip on these links…nothing deep.  Mix of sysadmin and some security/forensics stuff.

  • Sysinternals Updates: ProcDump v1.72, Desktops v1.02, Sigcheck v1.65, DiskView v2.3.
  • The Case of the Slow Logons – Mark Russinovich has a great (and belyingly simple) troubleshooting walkthrough to solve a mystery of a 3-minute logon lockup.  Some (almost) exact same systems had the issue and others did not….read on to see how some simple techniques with Sysinternals tools got to the heart of the matter.
  • ShellMenuNew - (freeware update) – Nirsoft’s tool to disable/enable “New” menu items in Windows Explorer got a quick update. For more information on the tool read Nir’s blog post: New utility to disable/enable items in New submenu of Explorer.
  • WinPrefetchView - (freeware update) – Nirsoft’s tool to view the content of Windows Prefetch (.pf) files also got an update.  This new version 1.05 adds in 'Run Counter' and 'Last Run Time' columns. So while some updates aren’t necessarily needed, this one adds additional useful information for both sysadmins and forensics guys and gals .
  • Evernote v3.5 - (freeware/$ for Premium subscription service) – got a major GUI makeover this past week.  I used to use Evernote when it was available in a portable version way-back-when.  The new web-connected version has cooled me to it.  I’m not interested (yet) in syncing my data across the Web, and other note taking apps (portable and not (like MS OneNote)) have filled the void that Evernote left.  That said, for those looking for a powerful, flexible, and Web-synchronized note taking application—that interfaces with a variety of platforms, Evernote is just too darn awesome to not admire and like it.  So here you go.  Check out the newest build and celebrate in their glory.  Spotted at Evernote 3.5 for Windows Released, Introduces Better Interface – Lifehacker.  Version 3.1 has a “install as portable” option once the primary version is fully installed on a system.  Feedback indicates no portable version release is intended for 3.5 onwards.
  • Paragon Backup & Recovery Free Edition – Spotted this a while ago and just because the free edition is so hard to find, thought I would post it mostly for reference.  It has a lot of great features, but it misses some others in the free version as well.  See this GSD post: Sync & Backup Tools (freeware) for more backup software options.
  • M-unition - DOD Cyber Crime: New Audit Viewer/Memoryze – post – the Mandiant gang is hard at work and will soon be debuting some new versions of awesome (and both free) incident response software tools Memoryze and Audit Viewer during their upcoming DOD Cyber Crime presentation.  Quoting from the post linked above:

    …we will discuss MANDIANT’s Malware Rating Index (MRI). We will finish with real APT incident demos where I’ll walk through the investigation of an infected system with APT.
  • Now, a little more about MRI. MRI is a huge update to Audit Viewer.  Instead of going after a fish (malware) with a hook (signatures), I’m going after fish (malware) with a drag net (MRI). The goal of this feature is twofold. First it is going to  help pinpoint specific processes that should be investigated further while attempting to eliminate some of the non-suspicious processes and get them out of the analyst’s way. It’s also designed to try and make APT detection easier. A lot of work went into looking at our samples and how they behave etc, and coming up with definable behaviors that trap those little creatures. MRI is made up of two components. The first component is a definable behavior rule set that is completely customizable. It is made up of three different types of rules:

    • Process Path Verification – allows users to define what processes should be launched from what directories. This triggers on malware that copies and names itself after svchost or other system processes to subdirectories within system folders. For example a default rule is that svchost can only be executed from \windows\system32. Any time we see it running from somewhere else we flag the process.
    • Process User Verification – allows users to define what processes should be running under what users.  This triggers on malware spawning svchost for purposes of unmapping image bases or hiding dlls within spawned svchost. So, for example, if malware copies itself to system32\dllcache and then names itself svchost.exe, you can define a rule saying svchost.exe should be running as local service, network service, or system. When Audit Viewer see svchost running as administrator it gets flagged.
    • Process Handle Inspection – this allows you to define specific rules pertaining to malware or generic behavior. For example a default rule is to flag svchost or iexplore anytime it has a process handle to cmd.exe. There is just no good reason for this to _EVER_ happen. You can also define rules based on specific malware, for example if a3c mutant is present then flag the process as being infected with sality.

    The second component of MRI is a process address space scoring mechanism. We will be releasing an update to Memoryze at DC3. The new release will contain bug fixes as well as a new feature called “Verify Digital Signatures.” When this parameter is turned on memoryze will perform a “digital signature check” on all loaded modules. This can only be enabled on live memory analysis. The digital signature check verifies the module on disk is digitally signed.

  • Tableau Forensic Products - TSW-TIM - (free) – Tableau High Performance Software Imager – Version 1.0 released.  This tool is designed to facilitate forensic image captures by responders.  From the product page:

    TIM v1.0 includes:
  •     * Innovative real-time acquisition graphics
        * Ability to schedule jobs for sequential or simultaneous imaging
        * Support for Encase .EO1, .DD, or .DMG output file formats
        * User selectable .EO1 compression levels
        * User selectable naming conventions (date+time, drive serial number, or model+serial number)
        * Advanced error recovery and reporting
        * Calculation of MD5 and SHA-1 hash values
        * Image job, HDD, and write blocker information (for reporting and archival)

    TIM is a free download for Microsoft Windows XP, Vista, 7 or later (both 32 and 64-bit versions).

    Now if I could just get my requisition for the Tableau T35es forensic bridge cleared through the approvers…I would be in hog-heaven and be able to test this imaging software out…darn-it!

  • Google Chrome Forensics – SANS Computer-Forensics bog – not a “sexy” post, but chock-full of great reference material regarding Chrome/Chromium information for incident responders.  One nit-pick, the post mentions two versions: one being Chrome and the other Chromium distribution for Linux.  However that doesn’t seem right, even though the link referenced ( two different versions ) does say this.  There are also Chromium versions for Windows and OS X as well as Linux.  I use the Windows Chromium build as it contains the nightly pre-compiled Chromium builds.  Also, don’t forget the great freeware utilities for investigating Chrome browser activity including:
  • Pico Projector Film Fest Turns Ice Sculpture Into Screen - Underwire |  Micro-projectors are on the march!  Just thought it was cool.


--Claus V.

One day only deal: WinPatrol PLUS $0.99 – January 29th

Bill Pytlovany is a great guy.

By that I’m not able to say regarding his personal life.  I image he feeds his pets regularly and shows kindness and love to his family and fellow man.

No.  I’m speaking more professionally in that he is the developer of WinPatrol 2010.

WinPatrol Plus does a lot of things, but at the heart it monitors critical points of your Windows system and block/alerts you when changes are attempted to be made.  Normally that isn’t a problem, but many installers and malware will do the same thing and WinPatrol forms a great line of defense against them gaining a surreptitious foothold on your system.

WinPatrol Free has been available as well which offers WinPatrol Free vs PLUS.  Many of the features between the WinPatrolPlus and WinPatrol free are the same, however with the paid version, the biggest benefit may be access to WinPatrol PLUS knowledgebase.  This will help new users understand and make more informed decisions on what is running (or attempting to run) on their system.

WinPatrol supports Windows 98 through Windows 7 systems, including x64 bit systems.

Typically, WinPatrol PLUS is $29.95 for a single-system, lifetime license.  Still a great bargain price.

However, Bill posted to his blog the following bombshell:

Yes that’s right.  Bill has gone off his rocker and is offering a single-system, lifetime license for just $0.99.

That’s ninety-nice cents for a darn good application for the common folks.

Now bear in mind that WinPatrol PLUS isn’t really a substitute for a good anti-virus/anti-malware application.  There are lots of great free and outstanding commercial ones out there for those duties.

Nor is it a tool to help you remove malware from a system once it is infected…though it certainly can bring some great tools and features to the workbench to help with the process (see also WinPatrolToGo.).

Please note: this is a special deal and will be valid only for 24 hours on January 29th, 2010.

Why?  Well as Bill explains on his blog notice...

I’m curious and thinking a crazy single day experiment could be fun and may be worth the risk. So what the hell.  If you want to upgrade to WinPatrol PLUS on January 29th, I’ll give you a lifetime WinPatrol membership for less than a dollar. Instead of the regular price of $29.95 I’ll provide a coupon on that brings the price down to $0.99 USD. That comes out to approx. .70 € to our international friends

This will be a one-day only “experiment” starting at midnight EST on Jan 29th and will last 24 hours.  Will over 30 times the normal number customers upgrade to WinPatrol PLUS?  If so, will other software developers notice?

Like our current $30 plan, the 99¢ license will be good for life. Like sales in the App Store or Droid Market however, this license is only valid for a single computer. Sound fair enough? If you’ve been someday planning on upgrading to WinPatrol PLUS, January 29th is the day to remember. Just go to this Friday and you may be a part of history.

Do you think the traditional software industry is in danger? If you think 99 cent software is coming or I’m just crazy than write about this on your blog.  I will need enough people to know about this experiment to make it valid. That’s also why I had to pre-announce a special offer which may kill sales between now and Friday.

It’s just too good a piece of software to pass up for just 99 cents.

Thought I’d pass the tip on to you…and no, I’ve not received anything in return for this post.  It was craziness I just couldn’t help but share with the GSD blog readers.

Good Luck Bill!

Can’t wait to hear of the results.

--Claus V.

Tuesday, January 19, 2010

Security and Forensics Roundup: Heavy Version #6


Public domain photo: taken by U.S. Air Force Senior Airman Julianne Showalter

Hang on to the netting.  This is going to be one long and bumpy ride!

Digital Rags

There is some great on-line periodical reading on the webs.   I like keeping some handy for down-time reading between meetings or while waiting for a vendor to show up.

  • Into The Boxes – This is an exciting new digital forensics and incident response “eZine”.  Clearly a work of love and detail by contributors such as Didier Stevens, Don C. Weber, Harlan Carvey, and Jamie Levy.  You can’t not stop by and add this to your watch-list (the good kind).
  • Into The Boxes: Issue 0×0 – The premiere release (PDF Download link).  Jam packed with great articles such as:
  • Windows Box: Windows 7 UserAssist Registry Keys by Didier Stevens.

        This is an analysis of the new UserAssist registry keys binary data format used in Windows 7 and Windows 2008 R2.

    *nix Box: Red Hat Crash Memory Forensics – Jamie Levy

        This article covers the installation and use of Redhat Crash Utility for Linux memory forensics.

    Software Box: Beware The Preview Pane – Don C. Weber

        A quick dip into the preview pane functionality provided by AccessData’s FTK Imager and FTK Imager Lite.

    Squawk Box: PCI Interview with Harlan Carvey

        An interview about digital forensics and incident response as it pertains to Payment Card Industry-related investigations.

Actually, the “funnest” article for me wasn’t one of these but a "quick-tip” by Don C. Weber that reminds us that before you toss out/destroy that portable USB hard drive, it might be worth cracking open the shell to see if it has a re-purpose-able SATA to mini-USB powered hard-drive adapter.  Sure you can buy a kit, but if the drive is bad, this might make a quick and “free” hardware tool grab.

  • (IN)SECURE Magazine issue 23 released. PDF format eZine including topics such as…
  • Table of contents

    • Microsoft's security patches year in review: A malware researcher's perspective
    • The U.S. Department of Homeland Security has a vision for stronger information security
    • Q&A: Didier Stevens on malicious PDFs
    • Protecting browsers, endpoints and enterprises against new Web-based attacks
    • Mobile spam: An old challenge in a new guise
    • Study uncovers alarming password usage behavior
    • Ask the social engineer: Practice
    • Jumping fences
    • the ever decreasing perimeter.

Linkposts, Tools, and Lists Extraordinaire

If you haven’t already encountered these, all great posts with a wealth of tips and tools to supplement your knowledgebase.

  • Linkilicious in 2010 – Windows Incident Response blog. 
  • When a tool is just a tool, pt II – Windows Incident Response blog. Harlan goes on a tear about the role “tools” have (commercial titans or the lesser-known gods) as being a focus in case testimony.  As Harlan wisely sages:
  • …all tools should be considered just for what they

    What should matter most is the process used and documentation created by the analyst. If you thoroughly document what you've done, then why shouldn't you be able to testify about it on the stand, regardless of the tools used? I know a few analysts who've documented their work such that someone else (i.e., LE) could validate their findings via commercial tools (because that's what the LE analyst was most comfortable with) and then testify about the "findings".

  • Link-idy link-idy – Windows Incident Response blog. More tools and analysis tips. 
  • Even More Linky Goodness.... – Windows Incident Response blog.   Yep.  This batch includes some memory-focused items as well as links to some images for practicals.
  • More Linky Goodness, plus – Windows Incident Response blog.  Neat stuff with recovering deleted registry data in unallocated hive space.
  • Forensics: Beverages Aside, A Look at Incident Response Tools - Praetorian Prefect – A most excellent and full-bodied post with a nicely structured collection of methods and tools to help in incident response.  This is one of those posts you want to bookmark and keep coming back to.  Definitely KB-level material here.
  • Looking at IR Tools – Windows Incident Response blog. Older post from 2006 that still stands with a great roundup of IR tools, most all freeware.
  • The Value of Push Button Computer Forensics - Jamie Morris crosslinks to discussions on on-click incident and forensics response.  Again is the solution in the tools or the training and skill of the analyst?  My money will always be on the analyst.  Although well designed (and used) tools can speed the work the analyst must do and allow faster sifting of raw data.
  • Plugin Browser - New RegRipper Tool  – Windows Incident Response blog. New tool to help you understand what exactly the RegRipper plugins do and how they can enhance and focus your registry analysis with it.
  • SFDUMPER Selective file dumper by Nanni Bassetti & Denis Frati spotted on PenTestIT.  Linux based tool (love to see a Windows port) that allows you to sweep a system and collect all the files of a particular type or filter.
  • Gizmo Drive - (freeware) – Tool to mount ISOs, encrypted hard drive images to a virtual drive.  Updated on 12-09-2009.

Network Forensic Updates

New updates to awesome tools and some supporting materials to boot.

  • NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer - (updated) - (download on SF) – Version 0.91 released 11-22-2009.
  • Xplico - Internet Traffic Decoder - (updated) – Version 0.5.4.  Included in the DEFT Vx5 LiveCD forensics build or the Linux package files here. This and the previous 0.5.3 build update includes feature adds such as:
    • Facebook web chat dissector
    • New XI based on CakePHP 1.2.5
    • New representation of images
    • For each image you can see (with the proxy enabled) the page where the image is contained
    • WLAN and LLC basic dissectors
    • HTTP dissector Improvements
    • snoop Packet Capture File Format as input file
    • DNS dissector with graphical representation in Xplico Interface (XI)
    • NNTP dissector
    • PPPOE dissector
    • direct live acquisition from XI
    • default  CLI dispatcher in command line execution
    • file extension for the HTTP contents

  • Network Monitor : No Frames Captured Due to Disk Quota – Reminder that if you are capturing packet data, you better be sure you’ve got the room to store it!  Depending on the traffic and utilization, you can fill up your disk storage very quickly!
  • Technology Pathways has a fairly recent 2009 presentation on Introduction to Network Forensics (PDF)

Forensic/IR LiveCD Updates

Even though I am a Windows medium guy, I still make sure to carry a number of the most recent (and some older) Linux LiveCD forensic/IR CD’s.  There are just some tools that don’t have a good Windows counterpart, and while nothing beats a physical read/write blocker, I’d rather trust some of these than nothing at all when capturing a system image.

Quietly released, these distros are well worth the time and effort to download and burn.

  • DEFT Linux v5 and DEFT Linux v5x with Xplico - Computer Forensics live cd.  From the developer’s descriptions:
  • DEFT Linux v5 is based on the new Xubuntu Kernel 2.6.31 (Linux side) and the DEFT Extra 2.0 (Computer Forensic GUI) with the best freeware Windows Computer Forensic tools ; it isn’ a customization of Xubuntu like the old version, it is a new concept of Computer Forensic live system that use LXDE as desktop environment and thunar file manager, mount manager as tool for device management, dhash2, guymager, dcfldd, ddrescue and linen as forensic imager tools, sleuthkit 3.01 andvautopsy 2.21 as landmark for the disk forensic, nessus 4 as security scanner and much more like:

    • an advanced file and directory researcher
    • foremost, scalpel and photorec carving tools
    • a complete support for the most used file systems
    • a complete support for logical volume manager
    • a complate support for afflib and ewflib support
    • a very powerful tools for network forensic as Xplico, wireshark, kismet, ettercap and nmap
    • a very powerful tool for identify file type from their binary signatures (TrID)
    • the last version of ophcrack, the password cracker based on rainbow tables and john the ripper password cracker
    • chkrootkit, rkhunter and exploit scanner
    • clam 4.15 virus scanner
    • steganography detection software as outgess
    • tool for screenshot as take screen shot and video screen capture as record my desktop
    • deft-mount script for mount device in read only

    For a complete list, please visit the package list page.

    There are two DEFT Linux v5 release, one dedicated to disk forensic (DEFT v5) and one dedicated to network and cell forensic (DEFT Vx5); DEFT Vx5 contain Xplico.

  • CAINE Live CD – Version 1.5 – I really like this one as it (like Helix) comes with a Linux boot side and a Windows IR auto-launching utility side. Per developer Nanni Bassetti :
  • The distro is open source, the Windows side (Wintaylor) is open source and, the last but not the least, the distro is installable, so giving the opportunity to rebuild it in a new brand version, so giving a long life to this project ....

    CHANGELOG CAINE 1.5 "Shining"

    Kernel 2.6-24.25 updated.


    md5deep,foremost updated
    launchers fixed
    manual updated
    README.txt in the bash scripts directory
    Photorec and Testdisk and XSteg in the Forensics menu
    Window list and Show Desktop added.
    Widows Side:
    Wintaylor updated
    HexEdit added
    Regmon updated
    FTKImager updated
    Index.html fixed

  • Helix 3 Pro: First Impressions - SANS Computer Forensics, Investigation, and Response.  Micro review of a November 2009 update by John Jarocki.
  • HelixCE beta rc1 ISO – The “Community Edition” of Helix is downloadable at eCSI Denver eDiscovery and Computer Forensics Experts page.  Registration for download link required.
  • Katana v1.0 – Kyuzo – Released over at Hack from a Cave. (download source). The good folks at Security Database Tools Watch give us a great summary of key-points for this pen-testing focused distro:
  • Katana is a portable multi-boot security suite designed for all your computer security needs. The idea behind this tool is to bring together all of the best security distributions to run from one USB drive. Katana includes distributions which focus on Penetration Testing, Auditing, Password Cracking, Forensics and Honey Pots.

    Included in this distribution are:

        * Backtrack 3
        * Backtrack 4 beta
        * the Ultimate Boot CD
        * Organizational Systems Wireless Auditor (OSWA) Assistiant
        * Slax 6
        * Ophcrack XP
        * Ophcrack Vista
        * Damn Small Linux
        * Damn Vulnerable Linux


    1. Requires USB flash drive of size 8GB or larger with 6GB free space.
    2. Download katana-1.0-beta.rar to local disk. Requires 6 GB of free disk space on local downloading system. (NOTE: FAT16/FAT32 partitions cannot accommodate a 6GB file.)
    3. Flash drive must be formated FAT32. (OPTIONAL: Create "katana" directory on local disk.)
    4. Extract katana-1.0-beta.rar to the "katana" directory and move to USB flash drive OR extract directory to the root of the flash drive.
    5. Change directory to the freshly copied /boot directory on the USB device. Make sure you’re in the "boot" directory on the USB device!
    6. For Linux/OSX run ./, for Windows run ./boostinst.bat
    7. Make sure computer BIOS allows USB boot. Boot from flash drive. All Done!

  • Matriux - The Open Source Security Distribution for Ethical Hackers and Penetration Testers – Yep. Yet another. Security Database Tools Watch summarizes it thusly:

    The Matriux Arsenal contains a huge collection of the most powerful and versatile security and penetration testing tools. The Matriux Arsenal includes the following tool / utilities / libraries (The first release will contain only few of the listed tools):

    See their page for the full (and to be added) tool watch list.
  • BackTrack 4 - Released! -  Available in both ISO (for DVD sized burning) or VMWare image formats.

ProDiscover Basic Edition Freeware Update and more!

Not sure if everyone noticed this or not but Technology Pathways seems to have quietly slipped a new freebee (lite) version on the interwebs recently:

  • Download ProDiscover Basic Edition (Version 6.1).  They don’t have their own page and I don’t want to direct link to the download file from their page so head over there and scroll down to the free tools section.  Curiously, the “portable” version is still U3 format at version 5.  However, I found that if you install the 6.1 version then extract the files to a USB stick it seems to still work “portably.” However your results may vary.
  • The also have some wonderful and recent video demos on usage techniques.
  • Remote System Triage with Indexed Based Search and ProDiscover IR
    Demo of ProDiscover Version 6.0 Volume Shadow Copy Remote Image/Preview
    Demo of ProDiscover Version 6.0 Indexed Based Search and Regular Expression

    Again, head over to the Technology Pathways resources page and download them from there under the Technical Webinars section

Please note that they are in a “WRF” video format which seems to give some folks fits.

To view them, simply head over to Cisco WebEx Support Utilities or specifically this WebEx Player download link to get the player.

F-Response Tactical

Bit of a larger gun than I get to play with at work, but I know lots of IR folks are familiar with it.  New release out.

Speaking of Remote Forensics

Peter Kleissner’s post Remote Forensic Software – Online-Überwachung and the Austrian law had just enough detail to get me curious.

…a very good report about the different aspects of remote computer surveillance (including pros/contras, problems, legal questions etc.).

This is especially for our company important, because we are working on the “Remote Surveillance Software”. At DeepSec I presented some of its parts. Of course there is a lot of critics about the usage of a “federal trojan”, however you should read the above document. As they are saying, it is necessary to be in consent with the Verhältnismäßigkeitsgrundsatz (principle of proportionality) which would make it difficult because there are other ways to investigate available.

There is a good summary about the Endbericht zur Online-Durchsuchung written by Univ.-Prof. Dr. Bernd-Christian Funk.

Some issues I want to comment technically (and which I think are very important and missing in the document):

    * Seite 13: Verhinderung der Nachahmung “muss jede eingebrachte Komponente in einem hohen Maße einzigartig bzw. hinreichend stark personalisiert sein.”
      This would not be software itself, but the used communication servers and protocols. It would be nonsense to develop a new trojan for every suspect, however, it would make sense to have different keys for encrypting the communication and changing investigation protocols for every suspect (e.g. what to look for).

    * Seite 93: (im engsten Sinne) als „Suche nach verfahrensrelevanten Inhalten auf Datenträgern, die sich nicht im direkten Zugriff der Strafverfolgungsbehörden befinden, sondern nur über Kommunikationsnetze erreichbar sind“ (Anfragbeantwortung im dt Bundestag)
      That means we are searching for data not available through forensic analysis of the hard disk, but for data available only in volatile memory.

It is important to differ between Online Durchsuchung and Online Überwachung, the one means to “read” the hard disk, the other to surveil the suspect. Both are currently illegal, because a search warrant (the first) has the character of a real person making the search warrant and offering the possibility to hand over searched materials freely.

It took me a while, but I think I was finally able to track down a very good English version of the document.

It is a fascinating read and actually refers to US law enforcement and court issues and methods as well.

Forensic/IR Timeline Topics

I myself facing the challenge of sifting through system analysis data and having to reorganize it into a meaningful narrative.  It wasn’t easy.

  • log2timeline v0.40 released – From the Security Database Tools Watch gang, here are the updates:
  • Version 0.40

    • [CFTL output] Fixed few bugs in the output module, didn’t work in the current CFTL version without these modifications (has been verified to work with CFTL pre-relase version 1.0)
    • [EXIF input] Fixed a bug in the exif input module, there was a problem with the format of date variables read by ExifTool library. Added a format string to force the date format to be the same.
    • [glog2timeline] Modified the GUI, glog2timeline to make it feature compatible with the CLI interface, added:
      • Simple menu structure
      • Added the possibility to add timeskew information
      • Added the possibility to prepend text to output (a la -m)
      • Added the possibility to perform most of the operations through the menu structure
      • Added the possibility to check for latest version (version check)
      • Added a simple progress bar and information about the artifact being processed [more work needs to be done here]
      • Added the possibility to define the timezone of the suspect drive (list all available timezones sorted, using UTC as the default zone)
    • [List library] Modified the name of the Log2t::List library to Log2t::Common so that the library can be used for all common functions that are shared between more than one module (instead of only focusing on listing directory entries)
    • [BinRead library] Fixed few bugs in the BinRead library that dealt with Unicode reading
    • [WIN_LINK input] Modified the text output of win_link input module, to make the output more readable
    • [RECYCLER input] Modified the so that it reads the recycle bin directory instead of the INFO2 file. Added the possibility to read $I files as well (the newer format as used in Vista, Windows 7 and later operating systems from Microsoft). The new input module reads the directory and determines if it is examining the older or newer version of the recycle bin and parses accordingly
    • [timescanner] added a banner to timescanner, giving people warning about the tool, since there have been reports of it being unreliable in parsing all files that it should be able to do. This banner will stay until the tool has been fixed (coming version)
    • [timescanner] added the possibility to add timezone information, as well as to add a timezone related functions to be used by libraries
    • [timescanner] Fixed a bug, forgot to close the input module after parsing an artifact (creating some problems)
    • [USERASSIST input] fixed a bug in the userassist module. It crashed if it encountered a registry file it was unable to load (eg NTUSER.DAT.LOG), added a check for that, so timescanner will not die when he reaches such a file
    • [FIREFOX3 input] added an extra check in the verify routine to double check that we are in fact examining a FF3+ history database, now connecting to the database to see if there is a moz_places table there before proceeding. Added few error message checks as well, to improve the error handling of the verification. Fixed a bug where Firefox 3 history files were not included in the timescanner tool (had to do with the verification and improper check if the database was locked)
    • [log2timeline] Added the possibility to define the timezone of the suspect drive (-z ZONE parameter). The default timezone is local (that is the local timezone of the analysis station). This affects the timesettings of all artifacts found on the system and adjusts it accordingly). The option of "-z list" will print out a list of all available timezones that can be chosen.
    • [OXML input] Modified the verify function, only read the ZIP header if the magic value of the file indicates that this is a ZIP file (reduces time needed for the verification function, and therefore reduces the time needed for timescanner)
    • [Common library] Added constants to the Common library (BIG_E and LITTLE_E) that are shared with other libraries and modules
    • [input modules] changed all input modules that call the BinRead library so that they initialize the endian. This fixes a bug in timescanner, since some input module set the BinRead to big endian, which is not changed back when another input module that reads in a little endian was started (making verification and all uses of binary reading wrong, leading to the fact that timescanner did not parse the files)
    • [Time library] Added a function called fix_epoch to take an epoch value, and use the supplied timezone settings to modify it to UTC
    • [input modules] Modified the input modules so that they all now output the timezone information in UTC
    • [Setupapi input] Modified the SetupAPI input module, considerable changes made in the way that the file is parsed
    • [log2timeline] All input modules now output their time in UTC, irrelevant of the method of storing time entries. This makes it vital to add a parameter to define the timezone of the suspect drive
    • [evt] Added a new input module that is capable of parsing Windows 2000/XP/2003 Event Log files (mostly rewrite of by Harlan Carvey)

  • It’s about time.... – Windows Incident Response blog.  New Decode64 timeline helper tool from Harlan that takes “…a string representing the date/time stamp (analyst pastes it into a easy is that??) and with the push of a button, translate that to both a Unix epoch time, as well as to a human-readable time, in GMT format.”
  • More Timeline Creation Techniques  – Windows Incident Response blog.
  • Some Analysis Coolness  – Windows Incident Response blog. (More timeline thoughts and linkage).
  • Clocks – CYB3RCRIM3 blog.  Interesting legal cases dealing with timeline and file-dates in the appeals process.  Reminders of the challenges faced, not just technically, by IR/forensic folks as they build their analysis.
  • TechnoSecurity 2009: Forensics Aspects of File System Time Attributes - Head over to the Technology Pathways resources and download the zip package.  It’s a whopper at 113 MB but you get several PDF training documents as well as a collection of freeware timeline tools to use and are highlighted.  This is a timeline technique study package well worth the time to dive into.
  • Attribute Changer shell extension - (freeware) – From is just one (of many such) utilities that might be used to “fuzz” forensics and IR responders.  Can be used “…to change all kind of file and folder attributes, date, time and even NTFS compression.”  Not an 3vil thing in itself.  Just a highlight of the work faced by the good guys.  More about the tool over at 4sysops post “FREE: Attribute Changer – Change file attributes recursively on multiple files and folders”

Browser Forensics

  • Windows Incident Response: Browser Stuff.
  • Other Interesting Items (Browser Session Restore Forensics-PDF) – Harry Parsonage details some neat Firefox facts.  Spotted over at the Forensics from the sausage factory.
  • Firefox 3 History Recovery - Get Firefox 3 History Recovery at  More information about the tool over at this ff3hr — PenTestIT post.
  • Voyage - A Firefox Addon to Rediscover Your Web Browsing History.  I’m intrigued to see if this tool or even History Tree (Add-ons for Firefox) might present an alternative web-activity time-line view to show how the web-surfing activity transpired.  Clever visualization maps for sorting complex data.  Could be inspirational for other techniques and timeline presentations as well.
  • .GooglePasswordDecryptor - (freeware) – by Nagareshwar Talekar could be used to extract Google-related information from browser data.  From PenTestIT where I spotted this tool:
  • …free tool to recover stored Google account passwords by various applications. Most of the Google’s desktop applications such as GTalk, Picassa etc store the account passwords in their private encrypted store to prevent hassale of entering the password everytime. GooglePasswordDecryptor goes through each of these application’s encrypted stores and decrypts this Google account password.

    Google uses the single centralized account for managing all of its services such as Gmail, Picassa, GTalk, iGoogle, Desktop Search etc. Since all of these core services are controlled by one account, losing the password will easily make one’s life miserable. If you try the Google password recovery service will turn out to be useless, unless you have setup the secondary account for receiving the password and you remember all the personal details that you have entered at the time of account creation.

    -Google Talk
    -Google Picassa
    -Google Desktop Seach
    -Gmail Notifier
    -Internet Explorer (all versions from 4 to 8)
    -Google Chrome

Windows Systems Tools and Knowledgebase

In-flight refueling completed…the mission continues!

The WoanWare Factory

  • ForensicUSBDeviceInfo - (updates) - “ForensicUSBDeviceInfo is an application to extract numerous bits of information regarding USB devices. It uses the information from a SANS blog posting to retrieve operating system specific information.”
  • v.1.0.1 & v.1.0.2 Changes

    • Fixed some minor UI discrepancies e.g. Setup.api.log  (v1.0.1)
    • Improved the parsing of   (v1.0.1)
    • Added parsing of the setupapi.log  (v1.0.1)
    • Updated the parsing for the XP setupapi.log file, so it should work even when the computer (where the files came from) language is not english   (v1.0.2)
    • Updated the parsing for the XP setupapi.log file, so that it matches the install data more frequently, since the format of the file was more complex than originally thought   (v1.0.2)
    • Added Time Zone window to allow the selection of a different time zone offset. Thanks RobL   (v1.0.2)
    • Modification to every date/time output in the application to allow a time zone offset to be calculated and displayed   (v1.0.2)

  • ForensicUserInfo - (updates) – “..a GUI tool that allows you to import registry files (requires the SAM, SOFTWARE and SYSTEM hives) and then extracts the user information from the various files and then decrypts the LM/NT hashes from the SAM file. The application can export the information to either CSV or HTML.”
  • v1.0.2 Changes

    • Fixes a bug that could cause the RID to be 0 where a user does not have a LM and NT hash defined e.g. default guest account
  • lnkanalyser v1.0.1 - (update) – “…Windows shortcut (LNK) files hold a wealth of useful information for forensic investigators. There are a number of LNK file parsers out there, and most are ok, some are incorrect and some just don't get enough information extracted e.g. UUID parsing. Microsoft have now released the binary file format … which makes it a lot easier to get things right.”
  • firefoxsessionstoreextractor - (update) – “…A console application to parse the FireFox sessionstore.js JSON files. The idea came from the paper (Web Browser Session Restore Forensics ) written by Harry Parsonage.”
  • Changes

    • Added "cookie" parsing (v1.0.1)
    • Added "_closedTabs" parsing. Thanks HarryP (v1.0.1)
    • Improved the output layout to make clearer (v1.0.1)
    • Updated to output the "formdata" attributes (v1.0.2)

  • RegExtract - (updated) – “…my own binary Windows registry parser that is to be used in a number of forensic applications. I needed a good test bed and what better than to compare the results with RegRipper, so I have implemented all of the plugins available with RegRipper plus a few more. There is currently at least 60+ plugins. You can run an individual plugin against a registry hive or select a registry hive and run all plugins applicable to the input registry hive or run specific plugins in a specific order. I will be adding the ability to run the plugins against the hive located in the System Restore (again another idea from RegRipper).”
  • Changes

    • Added the output of the determined registry hive type when in file mode  (v1.0.1 – Console)
    • Added new Folder mode that allows the user to run any user selected plugins, in a user selected order against all registry hives in a folder. The functionality uses automatic hive recognition to determine the hive type and then runs the applicable, selected plugins   (v1.0.5 – GUI)
    • Modified the new Folder mode to allow each registry hive to generate a separate results text file (v1.0.5 – GUI)
    • Updated the UserAssist plugin to deal with the new format for Windows 7. This change would not have been possible without the excellent research by Didier Stevens (v1.0.5 – GUI)
    • Tidy up of the plugin output for numerous plugins (v1.0.6 – GUI)
    • Added Time Zone window to allow the selection of a different time zone offset. Thanks RobL (v1.0.6 – GUI)
    • Modification to every date/time output in the application to allow a time zone offset to be calculated and displayed (v1.0.6 – GUI)
    • Updated the SSID plugin to parse out the information in the  SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles, including the DateCreated and DateLastConnected values. The date/time values were parsed using the a blog posting from Mark McKinnon. (v1.0.6 – GUI)

  • FreeDownloadManagerForensics v1.0.0 - (new) – “…a free download manager and was mentioned on the SANS forensics blog. The application stores its logs under "userprofile\Application Data\Free Download Manager". There are various different files stored, the main one of interest is "downloads.his.sav.”

Well done Mr. Woan! Well done.

BitLocker and Password Recovery

TinyApps Blog got me on this hunt a while back.  I’ve been letting the issue gain momentum.  More FYI stuff than anything else.  I’m in the "if you have physical access to the machine then sure, all bets are off” camp.

Security Related

  • VirusTotal Uploader 2.0 – Add-in tool to allow right-click context menu sends of suspicious files up to VirusTotal.
  • Updating Microsoft Security Essentials without Using Windows Update [Tips] - Windows 7 hacker.  CLI option if the GUI doesn’t work (or if you are batch-file crazy).
  • SpyDLLRemover Portable 3.0 Released - - Portable software for USB drives.  Not sure how it stacks up but is one more USB based AV/AM Tool.
  • SIMfill - (new) – Tool from the Computer Security Division.  “…a java application that populates Subscriber Identity Modules (SIMs) with reference data and can be used to assess the data recovery capabilities of forensic SIM tools. The package includes an initial set of reference data for use with SIMfill, the source and compiled code, a readme file, a user's guide, and a video demonstration.” Spotted at this post.
  • Apple vs. Kaspersky - Functionality Wins – Digital Soapbox.  When two good products encounter mission-definition conflict, it is almost always the user who looses in the name of “security”.

Reheated DECAF

I’m not going to say anything else.  I think I covered my personal feelings in this DECAF and COFEE, and a brush post.

…and finally…PDF Failure (again)

Mission complete!

Off for nappies!

--Claus V.

Monday, January 18, 2010

Mega Linkfest – Dog-pile Style


cc photo credit: Collapsed scrum by Paddy K on flickr

Been collecting this pile of links for what seems like months.  Finally get an opportunity to unload.

They are piled on thick so set some time aside and bookmark for future reference.

Windows Offline Updater – Updated

One of the handiest tools I have for servicing Windows systems that haven’t been automatically updated in some time is the Offline Updater utility.  I last posted about in back in 2007: heise Offline Update 4.0 - Now Serving Vista and Office users!

In one fell swoop you can build individual or combined update packages of Windows and Microsoft updates.  You can burn then on CD, DVD, or copy over to USB.  All the update packages come directly from Microsoft update servers so they are clean and fresh.

With Windows 7 now out, I decided to go back looking for any updates and was pleasantly surprised to find it has received a new storefront and additional feature support.  This project continues to be developed and maintained by the original author, Torsten Wittrock.

Supporting Windows OS’s XP, Server 2003, Vista/Server 2008, Windows 7/Server 2008 R2.  All in both x32 & x64 bit flavors.  You can make a single ISO or individual ones for each product selected, and copy the the updates for the selected products to a USB stick.  MS Office Suite updates for XP, 2003 and 2007.  And finally, there is also legacy support for Windows 2000.

This is one that really can save some time and aggravation, particularly when you have a lot of systems to update, little time to do it, and doing all systems at once over the wire might seem like sucking a Jack-in-the-Box shake though a beverage straw. 

NirSoft Overload!

Nir Sofer has been hard at work updating older utilities and releasing new ones.  Get all of these for takeout!

  • FlashCookiesView – (new) - “…is a small utility that displays the list of cookie files created by Flash component (Local Shared Object) in your Web browser. For each cookie file, the lower pane of FlashCookiesView displays the content of the file in readable format or as Hex dump. You can also select one or more cookie files, and then copy them to the clipboard, save them to text/html/xml file or delete them. “  Works on all Windows systems from 2K to Win7.  You can also use the tool to load them from system images or offline-systems.  Really could be handy for incident response or forensics work.  This should make review of these cookies much easier than previous methods for Managing Flash Cookies.  This is a great new utility.

  • WinPrefetchView – (new) - “…is a small utility that reads the Prefetch files stored in your system and display the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.  The main window of WinPrefetchView contains 2 panes: The upper pane displays the list of all Prefetch files in your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which represent the files that were loaded by the application in the previous times that you used it.  These is also special Prefetch file, with '' filename, which can show you the list of files that are loaded during Windows boot process.”    Another brand spanking new utility.  Supports all Windows systems from XP to Windows 7.  Another tool I can think of a number of uses for in incident response.  Also supports off-line system examination of this file.

  • DiskSmartView – (new) - “…is a small utility that retrieves the S.M.A.R.T information (S.M.A.R.T = Self-Monitoring, Analysis, and Reporting Technology) from IDE/SATA disks. This information includes the disk model/firmware/serial number, cylinders/heads, power-on hours (POH), internal temperature, disk errors rate, and more. You can use the S.M.A.R.T information retrieved by DiskSmartView to find out whether there is any significant problem in your disk drive.”  Supported on Windows 2000 – Win7 systems with SMART enabled HDD.

  • DiskCountersView - (new) – “…displays the system counters of each disk drive in your system, including the total number of read/write operations and the total number of read/write bytes. It also displays general drive information, like disk name, partition number, partition location, and so on..”  Supports Win XP to Win7 with some support for Windows 2000 as well.

  • AlternateStreamView - (updated) - View/Copy/Delete NTFS Alternate Data Streams. Updated to better support Win7 and x64 systems.

  • BlueScreenView - (updated) – Obtain online/offline blue screen of death (STOP error) information. Recent updates include addition of 3 new columns: Processors Count, Major Version, Minor Version, 'Explorer Copy' option, which allows you to copy dump files to the clipboard and then paste them into Explorer window, and Combo-Box to easily choose the MiniDump folders available in the hard-disks currently attached to your computer.

  • SmartSniff - (updated) - Freeware Packet Sniffer - Capture TCP/IP packets on your network adapter. Updated to now export TCP/IP steam filetypes 'Raw Data Files - Local' and 'Raw Data Files – Remote' “..for exporting only one side of the stream.”

  • OperaCacheView - (updated) - Cache viewer for Opera Web browser. Recently supporting Opera versions up to 10, this update adds “…'Explorer Copy' option, which allows you to copy the cache files into the clipboard, and then paste them into Explorer window. 'Delete Selected Cache Files' option. ‘Mark Missing Files' option.  'Hide Missing Files' option.

Utility Update

Here are more great utility updates from Piriform and Sysinternals (and one new beta from Piriform folks as well).

  • Sysinternals Updates - VMMap v2.5, Disk2vhd v1.4; Autoruns v9.57

    This update to VMMap, a process memory analysis utility, now identifies thread environment blocks (TEBs), the process environment block (PEB), and reserved memory.

    Disk2vhd v1.4: Now includes an option for Windows XP and Windows Server 2003 that directs it to fix up the kernel and HAL to make the VHDs generated for these systems bootable in Virtual PC. It also skips sectors with CRC errors to enable the conversion of systems with failing disks.

    Autoruns v9.57: Now reports more group policy script entries.

  • Sysinternals Updates - ProcDump v1.7, AccessChk v4.24, Sigcheck v1.64, Desktops v1.01

    ProcDump v1.7: This update to ProcDump, a command-line utility that will generate memory dumps of processes based on various selectable criteria, now supports periodic timed dumps as well as dumps based on virtual memory thresholds.

    AccessChk v4.24: AccessChk, a utility that shows effective security permissions for files, registry keys, services, and more, now supports process tokens.

    Sigcheck v1.64: This release adds reporting for more signature verification errors.

    Desktops v1.01: This fixes a bug that prevented Desktops from launching Explorer on secondary desktops when run on 64-bit Windows 7.

  • Recuva - File and disk recovery utility - Piriform

    - Files can now be recovered without requiring the scan to complete.
    - Improvements to Thunderbird email recovery.
    - Fixed bug with "Check for Updates" link.
    - Fixed bug with tab stop not working after canceling scan
    - Fixed wizard options bug, which affected some languages.
    - Minor bugs fixes and performance improvements.

  • Defraggler - File and disk defragmentation utility – Piriform.

    Here's the full list of changes:

        * New native 64-bit EXE.
        * Defrag engine improvements to take advantage of 64-bit code.
        * Fixed Vista and Windows 7 repaint issue when language was changed.
        * Improved moving routine for small orphaned files.
        * Lots of small tweaks and improvements.

  • Speccy – Beta release of a system information gathering tool – Piriform.  Yes there are lots of other great System Information gathering tools.  This one comes in a single exe format and has a really nice GUI.  It won’t replace the highly complex SIW | System Information for Windows by Gabriel Topala or SIV - System Information Viewer but for an application I can stow on a system I’ve built, it looks very useful and promising. Spotted in this mini-review at MakeUseOf blog: Speccy – An Advanced System Information Tool For Your PC.

Fast New Finds 

  • AstroGrep - (freeware) – Nice, fast, and easy to use Windows grep tool.

  • Explorer++ (freeware) – This alternative file manager for Windows is impressive to me for the portability, the interface, the tabbed format, and that it delivers in both x32 and x64 bit flavors.  Nice friendly alternative for those who want to use a more friendly file manager than Windows Vista/7 offers, but don’t need the advanced features say in freeCommander.

Security Updates

  • Sunbelt Blog: VIPRE 4 now in beta – Notice courtesy of SunbeltBlog.  “VIPRE 4 includes an integrated firewall, HIPS, IDS, NIPS and all kinds of other goodness.” 

  • Security Database Tools Watch - FireCAT v1.6 the online version released.

    What’s new ?

    - Online version. Think to activate "Full Screen"
    - Added a description of the extension
    - Added "Actual release and Firefox compatibility"
    - A logo is now embedded when available
    - Many new extensions added (thanks to Kev Orrey for Maltego Mesh and Maximiliano Soler for a least 10 extensions)
    - Bugs and dead links fixed
    - Preparing for the release 2.0

(Mostly) Free ScreenShot Capture Apps for Windows

Just to show how frazzled my brain has been lately, I spent over thirty minutes diving my blog archives looking for this post.  Not only have I done so many I have to search it now for linkages, but I totally forgot I had collected the links but not published them.  I may spin these off into a separate post later.

  • FastStone Screen Capture – This one remains my favorite and “go-to” screen capture tool.  The newest versions aren’t free, however Portable Freeware has a link to the last free version.  Several different modes as well as the ability to open the capture into a nicely featured editor. 

  • Microsoft Vista/Win7 Snipping Tool - My Digital Life.   Free with the OS.  Not much to it but gets the job done in a pinch.

  • Bug Shooting – Quite a lot more going on under the hood on this one, but not really geared for “normal” screenshot usage.

  • Screeny -

  • Window Clippings - ($/trial) – Not free but very polished and comes in x64 bit Windows support as well.  Do you really need a x64 build of a screen-shot utility? Probably not, but it is still cool and I couldn’t help but mention it.  Also supports transparency effects and shadowing of Vista/Windows7 OS’s as well as handles those pesky rounded corners nicely that most all other apps cannot.  Uses a single exe file.

  • Snagit ($) by TechSmith – Again not free but a very popular and trusted screen capture (and motion recording) capture tool.  Even Lavie knew this one as they used it at her former place of employment.  She is very comfortable with it.  If you don’t want to pony up some $, you can still download an older version (7.2.5) of it that works great which was offered free as a special promotion.  Just Download SnagIt (via My Digital Life) or at this Old Version of SnagIT 7.2.5 Download via and then locate the promotion registration key and use it to get it going.

  • HoverSnap – Nice and pretty simple screen cap app.

  • Jing – Not your father’s screen capture app. This one is geared for the on-line socializing folks.  Although it can do all the basic static screen capture tricks, it can also do video capture and offers lots of uploading options to various social media sites.

  • WinSnap - NTWind Software - ($/trial) – Not free but also so nice I couldn’t help but list it as well. Also comes in x32 and x64 bit flavors and this latest version was a major refresh.  Also wonderfully handles Vista/Win7 corner rounding, transparencies, and shadowing.  Yep. Portable and U3 versions also available.

(mostly) Drive and Device Tools

  • Device Remover - (free) – New find this week. Sophisticated tool.  No other way to say it.  This is one bad-ass utility. Requires .NET 2.0.  Just launching this thing with the CLI loader showing says it means business.  Comes in both x32 and x64 auto executing format it supports Microsoft Windows 2000/XP/Vista/Windows7 OS’s. Nirsoft’s DriverView is handy for viewing installed drivers but this sucker really can surgically provide information on drivers and processes, both installed and in memory, and give you options for dealing with them.  For more info see this 4sysops post: Device Remover – A powerful Device Manager alternative

  • 4sysops - FREE: H2bench – Benchmark hard disks – Michael has a nice listing of various HDD tools on his sysadmin blog.

  • SpaceSniffer – (freeware) – my new favorite with disk space utilization and graphing.  Recently updated. 

  • HDDScan – (freeware) – nice SMART disk tool with a user-friendly GUI. Portable and has been recently updated. 

  • Drive Manager -- (freeware) – another really handy multi-utility disk tool.  Bonus is the ability to see the HDD serial number reported.  Good for incident response documentation and auditing. 

  • Adobe Labs - Adobe Flash Player 10.1 beta 2. – Yeah. I’m hiding this one in here.  Good, cool, neat.  Really nice rendering and playbacks.  Only issue is that it pinkified-pixelated my YouTube playbacks on my Shuttle SFF Win7 RC1 system despite updating the latest AGP 512MB fancy video card I had installed.  Had to roll back to the latest public Flash to resolve the issue (for now).
Video Stuff

  • HandBrake Updates to 0.9.4 with Over 1,000 Changes, 64-Bit Support - Lifehacker.
  • Create Professional Looking Photo Slideshows With Photo Story 3 – MakeUseOf blog.
  • which reminded me of the freeware “Ken Burns” style app PhotoFilmStrip.
  • Win7 Library Tool - Zorn Software.  Yes.  This indeed is a Windows 7 File System tweaking tool. I’ve mentioned it briefly before but it seemed apropos again.  It allows you to create a Windows 7 library folder for media filetypes.  Surprsingly this is something that you can’t do natively. See this Lifehacker post Win7 Library Tool Gives You Complete Control Over Media Libraries for more info.  Per Lifehacker:

    ”Win7 Library Tool shows you all your libraries in one window, and when you choose to edit one, you can edit tons of otherwise hidden Library properties. You can change a library's icon, create a mirror (allowing you to make the path to a library much shorter), add network or other non-indexed folders to your libraries, and even back them up for restoration later on (say, if you decide to do a clean install). Essentially, it's what library management in Windows 7 should have been.”
  • Hulu - Labs: Hulu Desktop – While I watch very, very little on-line television or other programming, when I do, I like smooth playback and easy episode finding.  Hulu has provided both in the past but the web page interface has been a bit unpleasant experience wise.  So when I downloaded and set up the Hulu desktop beta, it really wowed me.  Smooth playback and a much more entertainment-like experience. Still I can quickly navigate and find the media shows I’m looking for.  Very nice.
  • Videora Converter - Free Video Converter – Yep. Yet another nice (and free) video format converter. Found when I went looking for another Samsung phone media converter and came across this Videora Samsung Instinct Converter.  See also these Samsung Instinct Audio Converter, Samsung Instinct Wallpaper, Samsung Instinct Ringtones
  • GSpot Codec Information Appliance.  Cool and advanced tool to analyze media files to determine what codecs would be required to play them as well as which codecs are installed on your system.  GSpot doesn’t provide the codecs but gives you lots of information to resolve the issues.

Speed Tests

Lots and lots of speed tests on the interwebs. Here are my latest picks.

…in the beginning was that Windows “god-Mode” meme….

This one blazed across the net quite fast, fortunately the follow-up posts were much more educational than the original trick.  No forbidden fruit here.  It’s all legit “tree of knowledge” stuff.  The good and evil bit is up to you….

Windows 7 Tweaking

As I detailed in my One Windows 7 Upgrade down, two (maybe three) to go… post, I have a number of things I do when I do a Win7 install.  Nothing dramatic.  I am compelled to mod the login background using the freeware Windows 7 Logon Background Changer and use a modded FxVisor utility form x64 found under “Method Two” of this Shortcut Arrow - Vista Forums post to change/reduce the Windows shortcut icon indicator.  Lavie’s laptop that I finally upgraded to Win7 Home Premium got a custom “Twilight” theming all the way round.  She was surprised and delighted.  It turned out quite nice IMHO.

I also like to do away with the original super-sized Windows 7 taskbar items and re-enable the QuickLaunch bar (seen here in the Get your Big Whata-Microsoft Linkdump Here! post).  That’s also a gimmie.  That same post also has some methods to get a “Windows Classic” start menu tweaked as well.

For more fine grained tweaking you might also want to check out these sysadmin-friendly links, tips, and free utilities.  They are a system setup tweaker’s delight.

  • GodMode Creator for Windows 7 & Vista - (utility) - The Windows Club.  If the steps in the section above were just too complicated for you, this free utility has got you covered.  Pick the godMode/angelMode folder feature you want and click away!
  • Preme for Windows 7 - (utility) - Simple tool to set some some advanced windows tricks with the mouse/cursor and hot-zones on the desktop.
  • Windows Access Panel for Windows 7 & Vista - (utility) - The Windows Club. This one gets the seat of honor on my QuickLaunch bar by being icon shortcut position #1.  Less overwhelming than godMode, it provides a fast jump to all the most commonly needed control panel items.
  • Quick Restore Maker - (utility) - The Windows Club.  While some installation routines make a system restore point, manually kicking one off before a major (or minor) system change, tweak, or installation can mean some digging to get to the starting point.  This gem lets creates a link for you to click on demand to get it going in a rapid deployment.
  • GRC | ClicKey  - (utility) – This one is an oldie but still a goodie.  Simple exe file lets you set one of 26 audio-feedback click sounds to your keypressing.  Add as a startup item or (even better) a scheduled task and it might improve your keyboarding.  Certainly at the (free) price, is much cheaper than one of those amazing  Das Keyboard clickity uber keyboard wunders.  See this Give your silent keyboards a click sound of their own with ClicKey The Windows Club post for a bit more info if you are curious.  To avoid the “splash” when adding to a scheduled task or startup, launch with the correct parameter.  See the page for details.
  • Handy Shortcuts - (utility) - The Windows Club. For some folks the method to add some system function shortcut to the desktop just doesn’t seem intuitive.  This tool makes it a breeze.
  • 99 Ready-to-use Windows 7 desktop shortcuts - (utility) - The Windows Club.  If the list in the “Handy Shortcuts” tool above isn’t robust enough for you, give this one a shot.  Wowzers!  Contains actual Windows 7 shortcut links to all kinds of features, places, and things.  Just find the one you want in the package and add it to the location you need to deploy it on in your Windows 7 system.
  • WindowsVJ Xclusive Release Windows 7: Tips & Tricks - (free Ebook) - Vasu Jain has provided a really nice, muti-format Ebook that lists over 50 clear and easy to follow tips and tricks to tweak out Win7.  I keep this on my Win7 systems as well as a resource for fine-tuning different elements.

Windows Odd’s n Ends

Last but not least, here are some more flotsam and jetsam on the Microsoft shores.


Feels good to get these emptied out.

--Claus V.