Saturday, January 01, 2011

Security and Forensics Watch-List: GSD Linkfest Style

It’s a sign of my busy-ness that most all the links for this first-of-the-year security and forensics linkfest post come from the tail-end of 2010.

I’m emptying all these out to clear the decks.  I’ve promised and need to deliver on the Xplico post that was mentioned some time ago.  These are the last bits that should empty out the “to-blog” hopper so I can turn all focus on that one.

Forensics and PenTest LiveCD News

Land Ahoy! DEFT 6 RC is OUT! - Stefano Fratepietro recently announced the “RC” release of the next DEFT iteration.  I’ve been playing with it and am very impressed with the polish and inclusions.  See his inclusions page to see what is loaded in, and check out the sexy-cool screenshot page for all the glamor and glitz.

CAINE 2.0 Live CD - “NewLight” Edition - Not to be outdone, the other highly-active LiveCD forensics distro CAINE had a final version release a while back.  Also highly updated with a “wax-on, wax-off” super-shine polish.  Check out this PDF version of Caine highlights as seen in Linux Magazine Online.

Katana 2.0 - A multi-boot “LiveUSB” distro from Hack from A Cave also got a November 2010 update. CAINE and Kon-Boot got added alone with some new Windows tools.  Maybe unknown to some, it also packs the Katana Tool Kit, based on a PortableApps launcher.  Like other distros, it provides a convenient manner to launch Windows-based tools from a nicely organized menu if using the tool in a Windows environment; rather than using one of the included distros to boot a system.

BackTrack Linux 4 R2 - The venerable penetration testing distribution packs a mean wallop!  You might want to look at both their Forensics page to find some features that might be useful. Also stop in on this SecurityOrb blog-post: BackTrack 4 Tutorials, Manuals and Howtos full of good resources.

Windows Forensic Environment Blog by Brett Shavers covers all things in the WinFE world.  Check out this wonderful post Updated video and other things to get a quick review on how the WinFE build it constructed.  Meanwhile we wait patiently for his magnum-opus WinBuilder based - WinFE creation tool to get released.

The Reading List

Windows Incident Response: Stuff - Great info on timeline thoughts from Harlan Carvey.

Reviewing Timelines with Excel - Journey Into Incident Response - Really great takeaway from Corey Harrell hopped to via Harlan’s post above.

Memory Analysis with Mandiant Memoryze - Digital Forensics How-To from the SANS Computer Forensics & Incident Response blog.  See also their post Persistence Registry keys.

The Digital Standard: The “Not So” Perfect Keylogger - cepogue has provided an interesting keylogger breakdown with lots of cross-response application.

JL’s stuff: Identifying Memory Images - In case you get an image with no clear information as to what system OS it was running under.

Open Source Digital Forensics - Bookmark this site to keep an eye on old and new tools in the Open Source forensic area.  Tools, paper, procedures and some test-image links available.

Derek Newton « Information Security Insights - Not really sure how I ended up exactly on Derek’s site but it is a gem.  Not only has he collected and organized some really nice Useful Links and Forensic Tools sub-pages, but his posts are always very educational.  For example, two recent posts:

Finally, utility-building guru Nir Sofer offers all a Happy New Year To All NirSoft Users ! and then proceeds to tease us with some possible tools under development for the new year!  Awesome!

Wi-Fi Focus

A quick scan of the Wi-Fi surrounding the Valca home shows a total of 7 Wi-Fi networks with two of them wide-open and completely unsecured.  With really handy freeware tools such as the inSSIDer 2.0 Wi-Fi Scanner or NirSoft’s WirelessNetView or the eye-candy rich Xirrus Wi-Fi Inspector it is easy work finding and locating such things.

In his post How to capture data and passwords of unsecured wireless networks with SniffPass and SmartSniff, Nir Sofer shows just how easy it is to start grabbing data from unsecured networks.

I can’t recommend you test this on any network you don’t own or manage but if you are doing pentesting or an incident response involving a possible rogue Wi-Fi operation inside your network operations area, this could be a very valuable technique in some cases.

You might also find this MakeUseOf post 7 Completely Free VPN Services To Protect Your Privacy helpful.  Just saying…

“All-in-One” Forensic Tool?

At the risk of sounding like a fairly-recent Windows Phone 7 "Really?" TV Commercial (YouTube), I’m always very fascinated when I see a tool that honestly tries very hard to roll-up many “incident response” features into a single package. 

Like all such incident response tools, please understand and use the tools in a structured manner so as to not operate with a false sense of security…and potentially do more harm than good. Specifically, is use part of a larger and structured incident response plan, has the tool been seriously vetted, what key things does it NOT do that must be captured using alternative/supplemental tools?

Case in point just peruse this short-list of thoughts on the complexities of incident response from the pros:

I ponder these things as I saw a new tool mentioned recently in the MakeUseOf site Investigate Or Troubleshoot Computer Systems With OSForensics [Windows]

It outlines a new (currently freeware) “many-in-one” forensic/digital-investigation tool by PassMark Software - OSForensics.

To PassMark’s credit, a look at the features shows it contains a very well rounded selection of components.  I’m not really fussing about the tool or its capabilities here.   I’m sure their target audience for the product are trained and harried professional incident-responder folks.  It is part of a number of tools offered by them, including ones to LiveCD boot a target system to capture an image as well as a tool mount the image file for processing with their OSForensics product.  So there is a unified structure to the tools.  Hopefully users will see these integrated parts and use them correctly in concert to process a system that preserves the integrity (ie, minimal/no write-back) to the target system.  PassMark has provided the toolset package.

I’m just curious how many untrained “incident responders” might jump on this tool based on its capabilities and convenience the first time someone hollers about a breach or incident and tosses this tool at the “live” target system. What will the aftermath be?

Of course, that situation probably occurs each and every day with any number of freely and publically available tools used by both “amateur” and certified professional incident responders alike.

That said, OSForensics rounds up quite a wide-range of useful tools and features into a very well organized and accessible package.  The interface is highly navigable.  I’m sure there are tools here for both the sysadmin-troubleshooter and the incident-responder alike to like and appreciate.  Of special note and appreciation is the offering of several “Hash Set” packages to add to OSForensics when scanning a system to rule-out known system files from suspect files worth closer inspection. It also include a “timeline view” function to provide understanding on system events and activity.

Did I mention that it is offered in both x32 and x64 bit versions? Nice!

PassMark is very active in releasing updates to their beta product so development and improvement of the tool is clearly serious stuff here.

My one “gripe” at this point is the decision to require a full system install first, then from there create a OSForensics - Install OSForensics to a USB Flash Drive build.  I’d rather they take a tip from Piriform and just offer both the full-install or “standalone/zip” packages outright.  It would definitely save time and effort in the updating process considering the frequent update release.  Not a major issue, but something to consider.

Definitely PassMark has brought a handy toolset package to be added to your USB stick for all system admins and incident responders.  I’ve added to to my USB drive.

PassMark also offers some other freeware Tools for OSForensics tools that you may be interested in exploring which round out the full toolset for a response and review:

OSFClone - A freeware “LiveCD” tool to create a dd-based disk-image clone for use with PassMark’s tools (or other tools that support such image files).

OSFMount - Used to mount local disk image files to a drive letter. OSFMount has been released in both x32 and x64 bit versions. (Is it just me or does the drive-mount window look very similar to Olof Lagerkvist’s ImDisk freeware tool?)

image  versus  image.

So if you are comfortable using ImDisk you will be at home with OSFMount as well (if you don’t want to stick with ImDisk for some reason I guess…).

Update: A close reading of the “read-me” file included in the OFSMount package nicely does credit Olof’s ImDisk as the initial base for this utility, thereby explaining the similarity!

ImageUSB - freeware tool to create or write-back images to/from USB flash drives.

Check ‘em all out!  Just deploy wisely.

While looking at Olof Lagerkvist’s ImDisk freeware tool page making sure I wasn’t going crazy with the similarity in GUI, I see he is now offering a seriously updated Beta 1.4.0 version of ImDisk that was released on Dec 7th. Super sweet New Year bonus!

Per Olof’s Update description (bottom of list) for ImDisk Beta 1.4.0, I’m quoting below:

  • Beta release ImDisk Virtual Disk Driver version 1.4.0:
  • Corrected a serious bug that seems to have particularily caused blue screen crashes on 64 bit Windows versions on multi-processor computers. Thanks to Bruce Cran for helping the project with debugging on 64 bit architecture.
  • Graphical user interface, that is Control Panel applet and right-click menu option in Explorer now shows option to add MBR (Master Boot Record) while saving disk contents to image file.
  • Algorithm for selecting default virtual disk geometry (C/H/S geometry) for virtual hard disk volumes changed. From this version, driver will auto-select 255/63/512 geometry in most cases. Only exception from this is when virtual disk is smaller than about 2 GB in which case smaller tracks per cylinder size is choosen. User defined virtual geometry can still be manually selected using command line or API directly.
  • ImDisk source archive now contains a subdirectory called ImDiskNet. This is a .NET dll file which could be used from for example VB.NET or C# to create/modify/delete/save etc virtual disks. This dll also contains a class that can be used as a COM object from VB6 or VBScript etc. This dll is also available for direct download here.
  • 64 bit setup now installs 32 bit imdisk.cpl and imdisk.exe in addition to the usual 64 bit versions. This means that API calls and command line calls will work from 32 bit applications even on 64 bit Windows without tweaking with installing dlls manually in correct directories etc.
  • Updated "devio" tool. This version supports both reading and writing dynamic resizing .vhd files used by Microsoft Virtual PC, Virtual Server and Hyper-V. Earlier version had a serious bug that would corrupt disk image when mounted for both reading and writing.
  • Changed notification that is sent to other applications when a new virtual disk is created. ImDisk does no longer wait for all applications to process the notification. It however still waits for all applications to process the notification that is sent when a virtual disk is about to be deleted.

Did you catch that? Devio got updated as well. For more information see this old GSD post: Devio: Remote drive access and acquisition.

Maybe OSForensics can incorporate Devio in their forensic solution package(s) somehow as well in the future for “agent-based” capture of a remote system from within OSForensics?  Just another suggestion.

From Sweden with Love

Erik Hjelmvik, creator of the beloved NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer as well as the SplitCap - open source pcap file splitter also offers his SPID Statistical Protocol IDentification project also for Windows systems.

Erik also recently published an article recently titled Network Neutrality and Protocol Discrimination over at that shows the application of his SPID tool.  Neat stuff.


Two more final utilities worth looking into:

USB Write-Blocker - Document Solutions, Inc.  Freeware tool you run-first before attaching a USB drive to look at.  It promises to prevent OS system write-back to the USB device once attached.  While certainly no substitute for a good, physical Forensic in-line USB WriteBlocker, once “proofed” for effectiveness on your analysis bench-system, it might be good software-based solution in a pinch.

BinPack: 2.0.1 Release - West Coast Hackers.  This “new” package release (actually back from August 2010) updates and rounds out a really cool pentest/security/response toolset manager.  Download the core files, then select, build and download the various independent software binaries from their developers and homepages.  Pick what you want; you can always go back and add/remove more later.

Happy hunting!

--Claus V.


Corey Harrell said...

Another free Wi-Fi tool is Ekahau HeatMapper. The tool is useful in pinpointing the physical locations of access points. All you need to do is bring in an image (floor plan or a Google Earth image) then start walking the area. It locates the access point to within a few meters if you are using an accurate image of the area. The only downside is the program doesn’t obtain hidden SSIDs even though it can still map the access points physical location (Kismet could help here). Heatmapper could help you locate those 7 Wi-Fi networks if you were interested.

Here’s the link:

Brett Shavers said...

The WinFE WinBuilder build is out now too. Nothing really changed with what WinFE is or does, but making a WinFE ISO/USB is a whole lot easier with more features to choose from than ever before.

Brett Shavers said...

It's been a little over a year, but there is a dramatic update to WinFE. A GUI application to manage disk drives in WinFE is available from Credit to Colin Ramsden for the script, which incorporates Troy Larson's registry modification.