Sunday, April 25, 2010

Playing Catch-up

Despite all my best wishes and efforts, I’ve really been under a tremendous production load of projects at work lately.

Hours stretched, long drives into field office locations for “in-the-trenches” work. Stuff like that.

I have still been checking my RSS feeds and building the linkage piles, but goodness, no time for weekend link posting of late.

One small benefit of the delays is that I will often go back now and re-consider that pile of 20+ links and after a week, find that some just weren’t worth posting comments on after all…so they will be struck.

This slow-simmering seems to result in a much tastier collection of tools and utilities.

So here you go.  About a month’s worth of slow-home-cooking served up for your dining pleasure.

Networking Link Portals

One of the things we have been doing lately is doing site-wide network traffic monitoring and analysis.  Our great network team has developed a pretty easy and deployable process to initiate a remote traffic capture and then internal analysis of the traffic/files.  Nothing super sophisticated but we can now pretty clearly generate a response report in record time.  That’s a small miracle in itself.

Here are three “portal” locations for great linkage and reference materials on Network traffic and analysis.

  • Cheat Sheets - Packet Life. Great collection of free PDF-formatted reference sheets on many things network traffic related. This Wireshark Display Filters (PDF) page alone has been very useful.

  • Network Monitoring Tools – Amazing collection of links maintained by Les Cottrell at Stanford.  Be careful. You could easily loose hours looking through the resources documented and organized here!

  • WinPcap Network Tools and Links – Lots of great tools, reference materials, and what-not all lined up and linked regarding WinPcap-supported tools.

Remote System Auditing Tools

In aftermath of yet another incident project, I began looking for an efficient way to remotely audit the physical status and configuration of remote systems in our network.  We haven’t really had a need in the past to do so, and in the past year have only now been running post-deployment audit reports on systems that we initially set up to capture/document key hardware items. However it has become clear I needed the ability to do ad-hoc surveys and reporting on the status of Windows systems long-since deployed in the field.  Our network management infrastructure software can (in theory) do this, but it is non-intuitive and burdensome to do so.  In addition, it requires the workstation objects to have been correctly imported to the container in the first place to access.  Not done so?  No data.  So obviously I could have some big holes in my site/system audit reports.

So I started looking for a simpler reporting solution.

I found a number of great (and free) tools to do so but they were either much more robust that I needed, or required a client/server model of deployment, or the reporting was just not customizable out for rapid site-wide auditing and exportation for additional analysis in Excel/Access.

Some of those tools that “almost” fit the bill but eventually fouled out were:

  • Total Network Monitor – freeware – Softinventive Labs.  Pretty full featured and awesome.

  • Remote System Information 3.0 - (shareware) – nice and had much of the system hardware auditing stuff I needed but the reporting wasn’t robust enough nor was the fact it was shareware and I couldn’t find where the developers were still in business.

  • Network Manager (NINO) - (open source) – Located this one on SourceForge and looks like a really heavy-duty network monitoring tool.  Ended up being too beefy for my targeted needs.

  • OpenNMS – (Open Source) -  Another very robust network management platform.

  • Lan Sweeper – (Free/$$ versions) – I really, really liked this one.  It covers so many of the mission-critical system auditing and monitoring points.  However it is based on a client/server type of model.  I wanted something that didn’t require me to deploy clients on all our systems in addition to the existing network client infrastructure in place.

  • Zenoss – (Open Source) – Another very mature and polished network/systems monitoring platform.  Again, too robust for my needs.

  • Network Inventory - (shareware/$) – Very nice but ultimately not free/OpenSource and cost is king now.

  • Network Inventory Advisor - (free-trial/$) – Also nice, especially in that it was not agent/client based but again, the free trial period is limited and there is no $ in the budget for this project.

  • AdvancedRemoteInfo - (freeware)  — Pet project of Matthias Zirngibl at masterbootrecord.de.  This was an unexpectedly special find from Germany.  Still in development, this beta level utility really has a lot of great bells and whistles.  It provided extensive information about remote system hardware/software and data-points.  It also allowed for some useful remote interactions with the target system and reporting was much better.  However, again, I needed something that let me manage reports on a site-wide number of systems, not one-system-at-a-time reporting.  Still, this is a great tool and I’m going to be keeping an eye on it in the future!

At this point, after almost an entire week of looking for just the right tool, I was almost ready to give up.  I checked in with Michael Pietroforte over at 4sysops.  He referred me to his lineups of Free Windows Networking Tools and Free Windows Inventory Tools  (in fact see his full selection of categorized Free Windows Admin Tools – 4sysops). However, none of those offerings were fitting the bill either.

Then while in the middle of our dialog, I found that an old-favorite had been updated with just the feature-sets I was looking for:

This ended up being perfect as it is a single, portable exe file based utility.  Though not “tiny” at 720K, it still packs an amazing feature set in.

I am now able to remotely run an IP scan against an entire network site range, and then can set WMI-based custom reports to pull data from the systems.  Because by audit is IP based, I’m much more likely to identify the devices on the network rather than those “objects” that were imported and calling home from a client/agent configuration only.

And the WMI-based reporting options are off the hook.

Look for a more detailed post soon on this project, but for now, I highly recommend checking it out.

The only potential “gotcha” is that WMI services and firewall port rules/policy must be configured, up, and running on the remote systems to get all the WMI-accessible data for your reports. If you have that in place, then you can easily run and export tons of highly detailed system audit report data.

Please look below for more useful WMI (Windows Management Instrumentation) resources that are must-reads if you are not yet familiar with it and need to do some homework for deploying and accessing the data it can potentially provide.

New or Improved Fun Utilities

These remaining tools caught my fancy this week.  They “remain” from the many more that seemed interesting from this week but on additional look didn’t make the draft-cut.

Remote Desktop Trick

Windows Remote Desktop is a cool trick to access and manage a system across your network.  But what if you don’t have it enabled on the system? And either the end-user is totally clueless, rights restricted, or otherwise unable to initialize some other remote-control solution?  This might be a trick to try.

Chrome Browser

I’m still nowhere near ready to jump ship from Firefox to Chrome full time, but I do find myself using the Chromium nightly versions in a portable version much more.

Here are the very small set of “add-ons” that I have found useful to load on it.

I’m running a portable version of Chrome (Portable Google Chrome 2.0.172.23 or Portable Google Chrome 2.0.159.0) along with Dirhael’s (portable) Chromium Nightly Updater to keep the package frequently updated.  However, that has required unpacking and copying over the update packages into my the portable Chrome application folders.  No biggie but additional work.

So I was delighted to find that Carsten “caschy” Knobloch has recently started including an multi-build supported updater in his Portable Chrome package: Portable Google Chrome 4.1.249.1059 (German site) has the latest full portable packages for download or you can simply unpack it and copy the single exe updater file to your existing portable Chrome package and use it from there.  It automates the process to check, download, unpack, and install the latest Chrome release versions into you portable Chrome folders.  Way too cool!  See this post Neue Version des Portable Chrome Updaters (German) for additional info on the updater proper.

Firefox 3.7 Stuff

And the next iteration of Firefox is still marching closer to readiness.  I like what I am seeing, but I was surprised when my playing with a portable version of this latest release actually BSOD my Windows 7 x64 system.  First time ever that has happened.  Lots of fun stuff here but be careful!

More Cool Utility Toys and Tips – Part II

I hope you found something yummy for your Windows system here today!

Cheers!

Claus V.

Thursday, April 01, 2010

Security and Forensics Roundup: Heavy Version #7

Oh my.  I may have bit off more than I can chew with this load of links.  I’m having a challenging time breaking them all down into meaningful chunks!

Incident Response

  • The Tiger and the Ghost – Nice and reflective thoughts on the changing landscape of incident preparedness from Hogfly over at the Forensic Incident Response blog.

  • Verizon Incident Metrics Framework Released – Verizon has published a framework for categorizing incidents and elements that comprise them.  One of many out there, nevertheless, it might provide some additional ideals for conceptualizing incident events and help guide you as you form narratives that analyze and summarize them for your audiences. Spotted via the TaoSecurity blog.

  • DarkReading Evil Bytes bloggist John Sawyer has posted a trilogy of articles on incident response as well as drive-imaging thoughts and techniques in that response; Adding Forensic Imaging To Your Standard IR Process, Using Hard-Drive Imaging In Forensics, and Drive Imaging Using Software Write Blocking provide an updated refresher on these topics. Good for a quick review particularly for the unfamiliar.

  • Responding to Incidents – Windows Incident Response blog.  Coming in at the anchor position is a great post by Harlan covering all the major points and issues on why establishment and execution of an organizational incident response plan for the IT shop is critical. If you don’t have one, it’s long past time to start building and implementing one.  Failure to do so comes with great peril.

Timeline Merry-go-Round

Having some time ago been faced with the challenge of preparing a digestible incident timeline of a Windows system, I am now paying even closer attention to timeline issues.  Like many, I had reams of data, much of it all valuable. However, the real challenge wasn’t so much the capture and spin-out of the information, it was presenting the findings in an objective manner that successfully and accurately told a story to management and non-IT consultants.  What was of value to me understanding the sequence of events was less valuable to those who wanted the big-picture and major-plot-points.  It end up being as much the art-of-communication as well as art-of-examination.

It’s all about Analysis

  • Flock shepherds in a Life of Grime – Forensics from the Sausage Factory blog.  In which in this installment, we find DC1743 encountering the Flock browser, which is just a fancified version of Firefox geared to the social media experience.

Tools and Toys

Miscellanea: Don’t count out the value of small things…

Cheers.

--Claus V.

April 1st link-dump

No. No April Fool’s jokes here.  All are refreshingly legit.

Cheers.

--Claus V.