“Black Hawk watch” CC image on flickr by The U.S. Army
Wow. Can’t believe how long it has been since I’ve been able to find enough free time to do do a forensic focused link-fest post.
Rest assured, I’ve been hard at work in the trenches, ever vigilant for tips and tricks to help both forensic pros and sysadmins find common ground in responding to Windows system incidents.
I hope you won’t leave disappointed…
QCC Information Security “CaseNotes” Updated
I’ve been using QCC’s CaseNotes for some time and find it really does an excellent job fitting my needs. The Digital Standard: Case Notes had a recent post that highlighted many of the best features of this freeware tool and that got me thinking. Has it been updated lately?
Yep. Pleasantly so!
- More CaseNotes Updates – QCC blog post on the latest (June 8, 2010 ish) version of this application..
- CaseNotes Updated! – and the QCC blog post from May 2010 that had some earlier fixes with in-depth explanations.
Major fixes include:
- Case file backups only made during explicit user initiated saves
- Backup copies now stored in a dedicated sub-folder
- Number of case file backups increased from 3 to 10
- Greater assistance for the corrupt case file 'password' issue
- New menu item to reset screen position data to fix maximised windows
- Fix for Open File dialog not recognising .Notes files in Windows 7
- New dedicated 32 & 64 bit versions (emphasis mine! Woot!)
- Supporting documentation still needs to be updated - coming soon.
I’ve found it challenging to keep up with updates on many such tools and utilities, fortunately, I was able to find RSS/Atom feed links this time so if you RSS feed-read, take these down:
MANDIANT Update Madness!
- M-unition » Blog Archive » Web Historian: Reloaded. Yep. MANDIANT has gone wacky and updated their already wonderful Web-Historian application and taken it to a whole new level! So far I’ve been using it in full “installed” mode. But I suspect that with some tweaking of the custom/advanced path settings it might be supported in a “portable” mode. New version supports FF2/3+, Chrome, and IE 5-8. Man! The GUI has been majorly re-worked and can scan both local and “off-line” sources. Thumbnail previews are supported on compatible browsers. It also can export a “sanitized” version of history usage for sharing. This is a really advanced tool now and worth of checking out. Did I mention it was free? Tip: Read the PDF that comes with it. Saves a lot of of time on the learning curve. From the blog post….
- Collects web history, cookie history, file download history, and form history into data sets
- Perform a live artifact scan of the local system
- Perform an artifact scan of one or more arbitrary history files from all supported browsers
- Data displayed in gridview style with full search, sort, and filter capabilities
- Export data sets to XML, HTML or CSV
- Extract and export history files used in live artifact scan
- Customizable scan settings can tweak the scan to target specific browsers and data sets
- View page thumbnails and indexed content
- Export sanitized version of history results to distribute to others
- Website Analyzer provides visualization of datasets using bar graphs, pie charts and timelines
- Website Profiler shows a quick “report card” of artifacts for various websites
- Web Historian 2.0 – download – register if you wish or just click the “Download Now” arrow at the bottom.
- M-unition » Blog Archive » New Memoryze, Audit Viewer, and Training. Yep. Memorize and Audit Viewer also got updated! Lots of new features and stuff. From the post….
So what is included in Memoryze and Audit Viewer 1.4? Well, here is the short of it.
- Support for Windows 2003 x64 SP2
- Improved support of Vista SP1 and SP2 including port enumeration and a better installer
- Enumeration of digital signatures for all loaded modules in a processes’ address space, hooked and hooking drivers, and all drivers found by driver signature scans
- Enumeration of MD5/SHA1/SHA256 hash on disk for all loaded modules in a process’ address space and all drivers found by driver signature scans
- Updated documentation
- Single installer for 64-bit and 32-bit versions
- Improvements to the Malware Rating Index (MRI)
- Report visualization of MRI results
- MRI rule editors that will allow users to graphically edit the MRI rule file
- Handle Trust view to help identify suspicious handles
- Ability to search results within a specific process
- Multi-select with copy
- Multi-select and export to a CSV file
I also see tantalizing teases about possible future public releases of MANDIANT tools for Memoryze/Audit Viewer for x64-bit Windows, and free tools to analyze Windows Vista/2003 (64-bit)
Forensic LiveCD Updates
- DEFT Linux 5.1 is ready for download -- DEFT Linux - Computer Forensics live cd.
- Update: Sleuthkit 3.1.1 and Autopsy 2.24
- Update: Xplico to 0.5.7 (100% support of SIP – RTP codec g711, g729, g722, g723 and g726, SDP and RTCP)
- Update: Initrd
- Bug fix: Dhash report (reports were not generated)
- Bug fix: DEFT Extra bug fix (a few tools did not work if the operator click on their icons, added the dd tool for x64 machines)
- CAINE 1.5 – CAINE forensic LiveCD is out. See this Release page for details.
- CAINE 2.0 (code name "NewLight") is cooking – CAINE news blog.
WinFE is not my primary forensic LiveCD. I’ve got a few others that come first in point-rotation. However, it still has a very warm and dear place in my heart.
So I was excited to see the hard work Brett Shavers has done in keeping this tool not only active, but expanding the knowledgebase and ability of others to use and build this WinPE kissing-cousin. Provided below is the main page as well as great WinFE resources and posts to peruse.
Well done, Brett!
- Windows Forensic Enviroment Blog – Brett Shavers.
- More Windows FE and triage notes (WindowsRipper?) – video on using RegistryRipper/WindowsRipper to triage a PC with WinFE.
- Current and Future Development of Windows FE.
- Batch File – Brett’s project to help automate the process of rolling your own WinFE build. It’s not rocket-science but this really can help for the more non-technical users.
- Using WinFE – Brett’s tips and tricks for using WinFE. See also this WinFE - Guide (PDF) Brett prepared.
- Videos – Yep. Brett’s got-em.
- Posts (Atom) – Again because I’m having a hard time finding the site feed links. Here you go! .
Also, though not part of Brett’s project, the following Praetorian Prefect post is a great and fresh primer on WinPE and forensic work. I particularly found useful the tips on DiskPart with read-only mounting of the off-line mounted volumes/drives.
While Kon-Boot might not be a tool for most forensic folks, sysadmins could have great use for it. I’ve mentioned it a bit here on GSD and have been quite fascinated with the tricks it can perform as a bootkit.
- Kon Boot – Kryptos Logic – This latest version is fully commercial and (reasonably so) you now need to pay-to-play, though a 1-user personal license is just $15.99 and a 1 year 1 user commercial license is just $60 more.
- What’s My Pass? » Kon Boot 1.1 – What’s MY Pass blog has a roundup of some of the newer features in the commercial version.
- All this said, the original KON-BOOT - ULTIMATE WINDOWS/LINUX HACKING UTILITY is still offering up free downloads of that earlier build so go grab them while they are still kickin’ free.
Windows Incident Response Blog: Link Madness!
I sometimes feel guilty for cross-linking to Harlan’s most-excellent adventuring forensics blog, who in turns cross links back here to the humble GSD blog but hey, good things often go full circle!
Here are some of the wonderful posts I’ve found extremely resourceful in content.
- Some more stuff....
- Stuffz – particularly juicy post with tool and utility updates.
- Anti-forensics - musings.
And though not a Windowsir blog post, this seemed the best place to put this quick-reference gem from Tim Mugherini…
Rolling on with RegRipper…
Since I’m still exhaling from Harlan’s site…seems worth-while to drop these links on morphing the incredible RegRipper (which got a site design refresh as well).
- Turning RegRipper into WindowsRipper -- SANS Computer Forensic Investigations and Incident Response blog. Basically this explains how to set up RegRipper into a Windows system triage tool. Any sysadmins besides me find how useful this capability could be…especially when now able to be used to work against a mounted drive?
- YouTube - From RegRipper to WindowsRipper – see the process in action in this sub-5-minute video including integration with a NirSoft tool for IE history reporting for each system user. I suspect this be the tip o the iceberg!
- RegRipper Program File Downloads.
- RegRipper against a mounted drive -- (DOC file) Adam James’s documentation.
There is a whole lot to find and examine on the new RegRipper site so put some time in there.
- RSS Feed – RegRipper site. New as well the ability to RSS feed news and updates. Sweet step-mother of baby Jebus! .
Please forgive me while I pause to get a fresh cool minty beverage and recover for a moment.
Command Line Goodness Series
CLI tips and tricks from cepogue on The Digital Standard blog that can’t be ignored.
- Command Line Goodness Part 1 – The hunt begins with sample searches for credit card numbers, IP addresses, email addies, URL’s. The stage is set.
- Command Line Goodness Part II. – A case is on!
- Command Line Goodness Part III – Moving on to web-work.
- Command Line Goodness Part IV – CLI utilities can be your friend.
A Big TinyApps way…
Not to be out-done, TinyApps bloggist is laying down the whack of his own.
- Extract strings from raw disk device or image.
- Hard drive enclosure with write protect switch which would be the ACP-2127 at around $20 or so depending on source.
And in case you missed in embedded in the the previous GSD post…
- TinyApps.Org Blog : Boot any and all ISO images from USB drive. Seriously! Now pause for just a minute and image having a tool (with write-protect switch) that you could jog-select any ISO boot image file you have on board, and then boot the system with. CAINE, DEFT, HELIX, RAPTOR, WinFE, WinPE, etc and so forth. All on in a single enclosure. Yummy indeed! See below….
- The iodd 2501 External HDD. Product page. Seed with your ISO’s and you can select any of them to boot from. Oh yeah, it also comes with a write-protect switch. Sounds like the perfect tool for sysadmins and forensic experts with more boot images in ISO format than they know what to do with! Discard the disks! Resellers that were noted (not meant as endorsements of any kind) : LinITX.com - iodd 2501 Portable Virtual ROM – Silver , Amazon.com: iodd 2501 Portable Virtual Rom: Electronics, and Welcome to I-Odd USA.
SANS Computer Forensic Investigations and Incident Response blog
Yet another source of amazing tips and linkage. Oh my.
- First forensics work – Part 1: Organized chaos and panic – Touch n Go on image acquisition.
- First forensics work – Part 2: Sure it’s big enough … but look at the location. – Using Sysinternals PsExec with remote image capture. Please read the excellent discussion in the comments below the post on the challenges and issues with network-based captures.
- WMIC for incident response – Another alternative to PsExec.
- Timestamped Registry & NTFS Artifacts from Unallocated Space.
- Digital Forensic Case Leads: Forensic 4Cast Voting is Open – Lots of tips, tools, and material to read at leisure.
- Windows 7 MFT Entry Timestamp Properties
And because I can’t remember if I found it on WindowsIR blog or here at SANS…
- nabiy.sdf1.org offers a great tool (USB History Dump) and article about extracting USB Trace Evidence from the Windows registry. See also the NirSoft tool USBDeview and the Woanware tool USBDeviceForensics.
- Log Review Checklist For Responders Under Fire - Evil Bytes Blog - Dark Reading. I’m a sucker for good cheat-sheets and checklists.
John mentions these Lenny Zeltser productions in particular and encourages tweaking these CC v3 licensed works to fit your own needs.
- Information and Security Cheat Sheet and Checklist References by Lenny Zeltser.
- Critical Log Review Checklist for Security Incidents.
Who’s been cooking Sausage?!!
Why it’s DC1743 of course over in the Forensics from the Sausage Factory blog!
- Prefetch and User Assist.
- Safari browser cache - examination of Cache.db.
- Recovering Safari browser history from unallocated.
- Safari History - spotlight webhistory artefacts.
Alvis and I prefer a pork/venison mix, steamed. Go figure.
The Final Four
Yep four more links to go.
- NTPWEdit – Reset Windows password – 4sysops blog – Tool that works very well in WinPE/FE builds. Not that any of you forensic guys would be making such changes to a suspect system. However syadmins may need to if malware or sheer local-user maliciousness boggled out the Admin password.
- Forensic Pagefile: SAM Cracking using Ophcrack and Encase – I’ve not used Encase to do so, but I have followed a modified method to extract SAM files from an off-lined system, brought them over into a VM running the installed version of Ophcrack, then cracked dem profile passwords to accomplish my l33t sysadmin needs (…self-mocking there guys…).
- Tableau Revision History – TIM. In case you didn’t get the email, Tableau’s Imager (TIM) software product has had a few updates that are pretty important to get and upgrade to; involving both critical bug fix as well as minor ones.
- (IN)SECURE Magazine issue 26 released – Chock full of security tips, news, and other goodness. Related: Harlan offers this free new issue link (PDF) to Hakin9 magazine. Get the read on!
Be safe, be thorough, be fair and objective. Be ever vigilant.