Saturday, December 31, 2011

Free Wipies

New Year’s Eve is almost upon us. Figured I’d close out 2011 with one final post.

Out of a recent post on drive wiping I followed a white rabbit and ended up at Disk Wiping with dcfldd on the Anti-Forensics blog.

I’m always on the lookout for tips and techniques when it comes to secure-wiping drives and the post was full of great info regarding use of the dcfldd tool.

When it comes to secure drive (whole-disk) wiping, I’ve still tended to rely on two tools in particular for their ease-of-use and convenience.

The first is Microsoft Windows DISKPART command “Clean all” which “specifies that each and every sector on the disk is zeroed, which completely deletes all data contained on the disk.”

The pro is that the command is very simple to remember and use, and when coupled with a WinPE disk, is dead-simple to effectively wipe out almost all drives I encounter.

The second one I love is the CLI tool “wipe.exe” as found in the Forensic Acquisition Utilities set by George M. Garner.

The pro about this one is that it actually includes a progress indicator so you have some degree of feedback on how far you’ve wiped.

I always verify my zero-out wipes when done. For that I prefer to use the sector-viewer tool HxD to scan through the post-wiped drive to ensure it all comes up clean; Frhed - Free hex editor is another nice alternative.
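As an added example (my own code, not anything from this post or from HxD), here is a small Python verifier that does the same check as paging through the drive in a hex editor, but end to end and with the progress feedback that wipe.exe gives. The device path is whatever you pass on the command line; the 4 MiB image the demo builds is constructed.

```python
import os
import sys

# The verifier reads any raw device path (e.g. \\.\PhysicalDrive1 on Windows or
# /dev/sdb on Linux, run as administrator/root) or a plain disk image file.
CHUNK_SIZE = 1024 * 1024  # 1 MiB: sector-aligned, keeps memory flat on multi-TB drives
SECTOR = 512


def verify_zero_wipe(path, chunk_size=CHUNK_SIZE, progress=None):
    """Read `path` end to end and report whether every byte is 0x00.

    Returns a dict with bytes scanned, the number of non-zero bytes, and the
    offset and sector of the first non-zero byte (None when the drive is clean).
    `progress`, if given, is called with the running byte count.
    """
    zero_chunk = bytes(chunk_size)
    total, nonzero, first_bad = 0, 0, None
    with open(path, "rb", buffering=0) as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            # Fast path: compare the whole chunk against a preallocated block of NULs
            # and only walk it byte by byte when something survived the wipe.
            if chunk != zero_chunk[: len(chunk)]:
                if first_bad is None:
                    first_bad = total + next(i for i, b in enumerate(chunk) if b)
                nonzero += sum(1 for b in chunk if b)
            total += len(chunk)
            if progress is not None:
                progress(total)
    return {
        "bytes": total,
        "nonzero": nonzero,
        "first_nonzero_offset": first_bad,
        "first_nonzero_sector": None if first_bad is None else first_bad // SECTOR,
    }


def make_demo_image(path, size, dirty_bytes):
    """Constructed test image: `size` NUL bytes, then {offset: value} bytes poked in."""
    with open(path, "wb") as fh:
        remaining = size
        while remaining:
            n = min(remaining, CHUNK_SIZE)
            fh.write(bytes(n))
            remaining -= n
        for offset, value in dirty_bytes.items():
            fh.seek(offset)
            fh.write(bytes([value]))


def demo():
    """Verify a constructed 4 MiB image twice: once with one leftover byte, once clean."""
    import tempfile
    size = 4 * 1024 * 1024
    stray = 3 * 1024 * 1024 + 17  # a single surviving byte in the fourth MiB
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        make_demo_image(path, size, {stray: 0xFF})
        dirty = verify_zero_wipe(path)
        make_demo_image(path, size, {})
        clean = verify_zero_wipe(path)
    finally:
        os.remove(path)
    return dirty, clean


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python verify_zero_wipe.py <device-or-image>
        show = lambda n: print(f"\r{n // (1024 * 1024)} MiB scanned", end="")
        result = verify_zero_wipe(sys.argv[1], progress=show)
        print()
        print("CLEAN" if result["nonzero"] == 0 else "NOT CLEAN", result)
    else:
        print(demo())
```

The byte-by-byte walk only runs on chunks that are not all zeros, so a clean drive scans at close to raw read speed.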

I also keep a collection of secure file-wipe tools handy as well. These are useful for when I have a personal document with sensitive info that is no longer needed, or at work where I have recovered a customer’s data from a seriously crashed drive and restored the files; no need to keep those around on the workbench PC.

EraserDrop Portable is an easy-to-use and easy-to-configure tool I find useful to manage large volumes of files/folders needing secure deletion. It is based on Eraser.

Eraser Portable - Portable software for USB, portable and cloud drives is the portable version of that tool. It is very flexible and powerful, though the interface and job/task “scheduling” might be off-putting to less advanced users. Besides handling wiping of files/folders, it also can wipe free space on a drive.

WipeFile over at Gaijin is a simple and basic file-wipe tool with lots of options. Just launch, set your wipe-preferences, and drag-n-drop your files for wiping.  See the related Gaijin tool WipeDisk as well.

File Shredder is a “new-to-me” secure-wipe tool. It is quite small and consists of two files; the main exe and a dll helper.  The interface is nice and it also includes wiping of free-space.

ultrashredder is even smaller. Basically just drag-n-drop. While you can set the number of over-writes, you can’t set the pattern.

DPWipe 1.1 by Dirk Paehl is similar to Ultrashredder in the GUI layout, however it does allow selection of the wipe method.

Blowfish Advanced CS. This is an oldie-but-a-goodie which was the very first secure wipe (file and freespace) tool I started using back in my Win98 days. It probably has been surpassed by other tools here, but I still keep it around for fond memories.

SDelete is Microsoft Sysinternals’ CLI tool to wipe files as well as zero out free space. I like it particularly well for that second task.

Disk Redactor also handles wiping of all free space on a drive very nicely with a helpful GUI interface.

These are all specialized secure-wipe tools and are pretty easy and convenient to use; a few even have options to integrate into the Windows context-menu shell. However, if you frequently use an alternative Windows file manager (like I prefer to do), there is more than one that includes a handy-dandy “secure-file-wipe” option baked right in!

FreeCommander remains my #1 all-time favorite “multi-pass” tool for Windows file management. It includes a secure wipe action that performs a multi-step wipe of the selected item(s). You can set how many passes you want that routine to run.

Explorer++ also includes a “destroy” option (1 or 3-pass choice) to secure delete selected files/folders.

A43 likewise includes a basic secure-destroy option.

NexusFile has a “shred and delete” feature.

My Commander reminds me in many ways of FreeCommander, and it does have a secure delete action.

Happy New Year!

Claus V.

Sunday, December 04, 2011

Mostly for Sysadmins and Windows Tweakers

One last linkfest dump before I turn my attention back to a freshly arrived hardback copy of George R. R. Martin’s A Game of Thrones to close out this dark, drizzly and fast-chilling night here on the Gulf Coast. My brother is deep into the book/HBO series and I think he runs an underground distributed book club network of sorts on it. Hence his gifting me this newfound wonder.

This linkfest is a collection of stuff mostly of interest to system administrators and Windows tweakers…your interest level may vary.

Looking at page hits (which I rarely do) it seems that the following posts remain all-time GSD favorites for some reason.

Blocking IE 8 "InPrivate" Mode

Blocking IE 8 "InPrivate" Mode – Updated

Some folks had issues following the steps to make their own REG files to enable/disable “InPrivate” mode on their own system, so I did some and posted the download linkage in the comments section.

I've created the registry keys myself and uploaded them to a shared folder on

Click that link (or copy/paste it into your browser address bar) then download the "IE8InPrivateMode-Disabled.reg" file directly to your PC.

Depending on your anti-virus application it may complain as .reg files could be malicious. If you want to check, simply open it in Notepad to see that it matches what I have listed on my blog post.

Once you have downloaded it, right-click on the file and select the "Merge" option.
Depending on your version of Windows and the user-rights of your profile, you may have to confirm some warnings. If all goes well it should be added to the registry and when you re-launch IE8, you should see the option grayed out.

The other registry key in that folder re-enables the option. Follow the same steps and it will allow InPrivate Mode option to work again, unless blocked differently by one of Microsoft's Family Safety programs...

They work on both IE 8 and IE 9 by the way despite the posts being IE 8 centric at the time.

Anyway, the other day I noted this post Internet Explorer InPrivate Browsing Enable or Disable - Windows 7 Forums. In it, “Brink” also offered some download REG files for merging into the registry. Out of curiosity I compared them and they were pretty much the same, except that where my REG files just cover the HKEY_LOCAL_MACHINE key location, Brink’s keys have that as well as one for the HKEY_CURRENT_USER key location. So basically with Brink’s you get a two-fer deal.

Mine or Brink’s…take your pick.
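As an added example (my own code, not Brink’s or my own REG files), here is a Python script that does the “open it in Notepad and check it” step programmatically: it parses a .reg file, lists exactly what merging would write under HKLM and HKCU, and flags any key outside the paths you expected the file to touch. The sample .reg text, the stray Run entry and EXPECTED_PREFIXES are constructed; the EnableInPrivateBrowsing value is my understanding of the IE policy, so compare it against the listing in the original post.

```python
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU", "HKEY_CURRENT_CONFIG": "HKCC",
}
HEX_TYPES = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ", "b": "REG_QWORD"}

# Constructed sample modelled on a two-hive "disable InPrivate" file. The policy value is
# my understanding of the IE setting; verify it against the post you downloaded from.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Privacy]
"EnableInPrivateBrowsing"=dword:00000000

; Constructed stray entry: a file that only claims to touch IE policy has no business here.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\updater.exe"
"""

# Constructed allow-list: where an "InPrivate" REG file may write; anything else is flagged.
EXPECTED_PREFIXES = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer",
    r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer",
)


def load_reg(path):
    """Read a .reg file; regedit exports are UTF-16LE with a BOM, hand-made ones often ANSI/UTF-8."""
    raw = open(path, "rb").read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8", "replace")


def _join_continuations(lines):
    """Merge hex values that regedit wraps across lines with a trailing backslash."""
    out, buf = [], ""
    for line in lines:
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        out.append(buf + line)
        buf = ""
    return out


def _unescape(s):
    """Undo the backslash escaping regedit applies inside quoted names and strings."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _parse_value(raw):
    """Decode the right-hand side of a Name=Value line into (registry type, value)."""
    if raw == "-":
        return "DELETE_VALUE", None
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.fullmatch(r"hex(?:\(([0-9a-f]+)\))?:(.*)", raw)
    if m:
        data = bytes.fromhex(m.group(2).replace(",", "")) if m.group(2) else b""
        return HEX_TYPES.get(m.group(1), f"hex({m.group(1)})"), data
    return "UNKNOWN", raw


def parse_reg(text):
    """Turn .reg text into a list of {key, name, type, value} operations, in file order."""
    lines = _join_continuations(text.splitlines())
    if not lines or lines[0] != REG_HEADER:
        raise ValueError("missing or unexpected .reg header")
    ops, key = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):  # [-HKEY...] deletes the whole key on merge
                ops.append({"key": key[1:], "name": None, "type": "DELETE_KEY", "value": None})
                key = None
            continue
        if key is None:
            raise ValueError(f"value line outside any key section: {line}")
        name, _, raw = line.partition("=")
        name = "(Default)" if name.strip() == "@" else _unescape(name.strip().strip('"'))
        vtype, value = _parse_value(raw.strip())
        ops.append({"key": key, "name": name, "type": vtype, "value": value})
    return ops


def short_key(key):
    """HKEY_LOCAL_MACHINE\\... -> HKLM\\... for compact reporting."""
    hive, _, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + ("\\" + rest if rest else "")


def unexpected_ops(ops, allowed_prefixes=EXPECTED_PREFIXES):
    """Every operation whose key is not under one of the paths you expected the file to touch."""
    return [op for op in ops
            if not any(op["key"].lower().startswith(p.lower()) for p in allowed_prefixes)]


def report(text, allowed_prefixes=EXPECTED_PREFIXES):
    """Preview of what merging would do, one line per operation, unexpected writes marked."""
    ops = parse_reg(text)
    flagged = {id(op) for op in unexpected_ops(ops, allowed_prefixes)}
    out = []
    for op in ops:
        target = short_key(op["key"]) + ("\\" + op["name"] if op["name"] else "")
        mark = "   <-- UNEXPECTED" if id(op) in flagged else ""
        out.append(f"{op['type']:<12} {target} = {op['value']!r}{mark}")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    print(report(load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG))
```

Run it against the downloaded file before you right-click Merge; an entry marked UNEXPECTED is the reason the anti-virus warning about .reg files exists.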

How to REALLY hurt yourself with PSEXEC - Deleting the Undeletable Registry Key and More - Scott Hanselman Computer Zen - Scott’s battle with an “undeletable” registry key makes for a fun read. That said, while his PsExec method worked, I’ve had fantastic success when I’ve run into similar keys on malware-infected systems by using Malwarebytes : RegASSASSIN. I don’t know for sure if it would have helped in Scott’s issue, but I would try that first via the GUI it offers before dropping to the PsExec CLI work (though it is really cool). Related, for difficult-to-delete files: Malwarebytes : FileASSASSIN.

It has been over 4 years now since I set Dad up on his Vista system at his house. In that process I ran into a challenge: how to get his and his wife’s profiles to display at different screen resolutions? She liked a relatively low resolution to see things larger, while Dad liked the highest resolution to get the best screen display quality. In my post of my fix, Vista/XP Quick Screen Resolution Toggle Tip, I used ResSwitch & ResCopy to create custom desktop icons that let them just click to set the display level at their preference rather than digging into the properties each time. So when I read this post at Windowshacker, How To Set Different Screen Resolution for Individual User in Windows 7, I was curious. Turns out there is a neat freeware product called Carroll that almost automagically sets an individual screen resolution for every user when they log in. No more clicking desktop icons. And it only took 4 years to get here!

Just in case it keeps you up at night fretting about the text for your Windows desktop icons being underneath them, the Windows Club offers a tip on D-Color which can Display Desktop icons text on the side in Windows 7. Now you can sleep easier.

Decoding Intel’s Laptop Processor List [Technology Explained] - MakeUseOf blog.  Nice explanation.

Dynamic Computer Naming in ZTI Deployments - The Deployment Guys - For you Zero Touch Installation (ZTI) fans with that issue and need.

Any tech mystery that can combine low-level Windows troubleshooting and analysis with Hello Kitty makes it a Must Read in my book!  Submitted for your education--seriously.

Need more standard low-level troubleshooting tips? How about this exercise.

I’m not yet a Hyper-V guy, but I think it is really cool stuff and read up when I can.  I found this Series: Hyper-V upgrade posts at 4sysops to be helpful stuff.

Tenniswood Blog serves up some awesome remote access card P0rn with a nice Review: HP Microserver Remote Access Card.

Create internet bookmarks as browser-independent files on your desktop with HTMtied - Freewaregenius.  I’ve always found it frustrating that I can’t do this as easily as it seems it should be. Turns out the free tool HTMtied can assist with that process and make it a bit more bearable to do.

How to fix incorrect logon information for Windows XP mode - Virtual PC Guy's Blog - Ben’s solution is pretty easy to follow and will get you running again in no time.

Windows 7 Background Customization - The Deployment Guys blog. There are a number of ways to change the background image in Windows 7, and doing so is a “signature tweak” I like to perform on all the systems I am asked to help set up for friends and family members; leaving them with an image that reflects their home/personality is a nice touch. This post is a bit more technical and geared toward pushing such changes for enterprise branding and such. Still good stuff. I personally prefer to use Julien Manici’s free Windows 7 Logon Background Changer, but there is also the Logon Changer for Microsoft Windows 7 and the Windows 7 Logon Screen Tweaker 1.5. Many Windows 7 tweaking suites also include this feature.

FREE Download Preassembled Windows 7, Vista, and XP VPC Images From Microsoft - Windows7hacker. I try to always keep the latest versions of these handy for ad-hoc testing in Virtual PC. Although at home we now exclusively run Windows 7, there may be times when I want to trial something in XP or Vista. Rather than dual-booting or keeping another physical test-bed around, I just fire up one of these in a virtual session and away we go! They do have some operational limits baked in, but nothing that should be too much of a headache if you use ’em regularly.

FREE: Delprof2 – Reliably delete a user profile - As reviewed by 4sysops.  Seriously, if you ever deal with Windows user profiles and occasionally deleting them, you really need to refresh yourself on this post as well as the great freeware tool Delprof2.  While you are there, check out some of the other cool Free Tools from Helge Klein such as DiskLED and ListRegistryLinks which could be handy when doing some incident response work.

MoonPoint Support Weblog - List Installed Programs - This post tips us to a Bill James VBScript script, InstalledPrograms.vbs, which when run from the command line prompts for an IP or PC name to remotely check for installed software (or leave blank to check your own). Save the resulting text file for review. There are a number of “system audit” programs that can do something similar for local systems, but this is the first I’ve seen quite like this. For generating a list of installed Windows programs on a local machine for reporting purposes and review, I prefer Nir Sofer’s MyUninstaller, which seems to be significantly faster than Add/Remove Programs (XP) or Programs and Features (Win7) anyway for adding and removing programs. With MyUninstaller, after running I just select all and save the file in whatever supported format I prefer (usually tab-delimited).


--Claus V.

Check Carefully before Surfing (for safest performance)


cc image credit: flickr image by surfcrs

Been a lot of movement in the browser plugin world lately.

Based on the number of home-user systems I’ve had the “pleasure” of cleaning recently, it seems that an overwhelming vector for infection is out-dated and vulnerable browser plugins. Nothing like an older version of Flash or Java to bring the sweet stench of PC decay and meltdown to a system.

Need more reading?

Linkz 4 Exploits to Malware - Journey Into Incident Response. Corey writes in that post…

Over the past year I’ve been conducting research to document attack vector artifacts. Vulnerabilities and the exploits that target them are one component to an attack vector. Some may have noticed I initially focused most of my efforts on vulnerabilities present in Adobe Reader and Java. I didn’t pick those applications by flipping a coin or doing “eeny, meeny, miny, moe”. It is not a coincidence I’m seeing exploit artifacts left on systems that target those applications. This has occurred because I pick vulnerabilities based on the exploits contained in exploit packs.

Exploit packs are toolkits that automate the exploitation of client-side vulnerabilities such as browsers, Adobe Reader, and Java. Mila Parkour over at Contagio maintains an excellent spreadsheet outlining the exploits available in different exploit packs on the market. The reference by itself is really informative.

Java is the largest malware target according to Microsoft - The H Security: News and Features

…it is not only exploits of old vulnerabilities that should concern Java users. As has been pointed out on Krebs on Security, a new exploit has emerged that is being built into automated attack tools. The critical vulnerability that this attacks has been addressed in an update, but only the very latest versions of Java are safe from this new exploit. If users are being slow at updating, very large numbers of them are likely to be at risk from this exploit.

Millions of Java Exploit Attempts: The Importance of Keeping All Software Up To Date - Microsoft Security Blog. Tim Rains comments…

Many of the more commonly exploited Java vulnerabilities are several years old, and have had security updates available for them for years. This illustrates that once attackers develop or buy the capability to exploit a vulnerability, they continue to use the exploit for years, presumably because they continue to get a positive return on investment.

While the latest versions of Flash and Java do seem to offer self-update checking ability, it has been my experience that those auto-updaters don’t always check as frequently as they should, or may not even offer an update as soon as it is available.  Don’t even get me started on Adobe Reader.  These features are improvements, but even when they do work, they still require the user to notice the update offer and respond correctly to get the version bump.

At the bare minimum it is good practice to regularly hop over to Secunia and run their free, web-based Secunia Online Software Inspector (OSI).  Hit the page, hit the green “Start” button, let Java do its thing and scan your system for insecure versions of software.

If you or a user can’t remember to regularly do that, Secunia also offers a more robust, installable version of their free Personal Software Inspector (PSI). This one will run as a service on your system constantly checking for and offering recommendations on fixing critical insecure applications.

For my own personal updating check-ins I regularly check in at the Plugins Downloads site.  It’s just easier that way. (If you do RSS they also have a Browser Plug-ins Category Updates Feed). Please be aware that they will often include and/or only offer the very latest versions of these plugins, which may be in “beta” or non-mainstream channel release. Update accordingly to your comfort level.

In particular, some of the latest Flash 11 versions tagged “Beta” may result in moderately obtrusive “watermarking” of its beta/incubator status in certain Flash windows displays (most notably to me, YouTube windows). Not necessarily a deal-breaker but FYI if you run into it.

If you want the “official source only” path, then here you go.

For information on the next levels of Java and Flash you may want to check out these links:

More stuff:

Looking for older Java 6.0.x or Flash 10.3.x series downloads from FileHippo? Can be an issue as they only seem to be offering the latest Java 7.0x and Flash 11.x (betas) from their pages.

The trick is to just hop to one of these older pages and check the right-sidebar which will list the ones for older versions you are looking for.

Just like a surfer maintains their board with wax to keep it protected and performing well before hitting the waves, a responsible web-surfer needs to keep their browser plugins patched and fresh before hitting the Web.

--Claus V.

Quick Malware Notes, Incident Response, and 00-outs

A while back after dealing with some heavily malware-infected systems, I wrote a followup post Anti-Malware Tools of Note.

Since that time, a few other bits and bytes have come across my desk so I thought I would supplement it slightly.

TinyApps bloggist brings to our attention, with a recommendation, a “new” free standalone and bootable antimalware tool that has ranked very high on Virus Bulletin’s VB100 comparative tests.

That tool is eScanAV Anti-Virus Toolkit (MWAV) which is also available in a standalone eScan Rescue Disk format as well.  Registration is requested to access the download link, however the tools are free.

It is similar in many ways to Microsoft Safety Scanner which I previously wrote about:

Being a “standalone” tool of sorts, it can be run in the WinPE environment or on the “live” system.  The trick in WinPE is to make sure your WinPE build has a large scratch-space value.  Check out this 4sysops post Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 for more details.

I do understand that for some folks, the thought of making a custom-spun WinPE boot tool could be quite intimidating.  With that in mind, you will want to keep a copy of the Microsoft Standalone System Sweeper Beta handy.  Of course you will need an uninfected “host” system to create the tool. Download the “builder” utility in either x32 or x64 flavor depending on your hardware and choose a blank CD, DVD, or USB drive with at least 250 MB of space. Execute the tool and build-away.

Of course, you may want to do more with this plain-Jane WinPE build than it lets you. And you can, if you know the tricks our dear TinyApps bloggist posts in his Extending Microsoft Standalone System Sweeper tips.

Michael Pietroforte has some more related details of his own in his 4sysops post FREE: Microsoft Standalone System Sweeper – Standalone antivirus software.

Back in my “younger” days of malware response, tool sets were pretty limited and there seemed to be just a few strong "antimalware” package tools available. One of those I depended on was Spybot-Search & Destroy.  As my skills got sharper and my toolsets became more focused due to the advances in malware, I gradually drifted away from using it regularly.  I was pleased recently to find that they are still kicking strong and have recently made available Spybot Search & Destroy 2.0 Beta 4 for public download and testing.  This version offers “Live Protection” by default, performance improvements, and Explorer shell integration.  Check it out!

The ISC Diary handler Chris Mohan posted Safer Windows Incident Response with a reminder of the dangers of incident-response handler’s cross contamination when working on a potentially compromised system.

Windows Incident Response bloggist Keydet89 has some good tips, and touches on incident response items in his New Stuff post from just a few days ago.

Specifically he calls out Corey Harrell’s Journey Into Incident Response blog post Linkz 4 Exploits to Malware. In it, Corey gives some perspectives on Harlan’s Malware Detection Checklist. Checklists like this are a great starting point for incident response. Granted, every situation is different, and the hardware, software, and network topology that you operate in may require much fine-tuning to dial it in for the best signal-to-noise ratio. But that’s the point: take the time to develop a structured incident response plan/checklist and the investment will pay off when the stress is on, helping guide you and ensuring no stone gets left unturned.

Corey goes on to address alternative ways of finding malware, mentioning Mark Morgan over at My Stupid Forensic Blog discussing How to Identify Malware Behavior. He then leads over to touch on malware analysis via the Hexacorn blog’s post Automation vs. In-depth Malware Analysis.

Both Corey’s post and the referenced links reminded me of Mark Russinovich’s most excellent material recently posted at the Sysinternals Site Discussion pages:

Zero Day Malware Cleaning with the Sysinternals Tools (link to PDF): Mark has posted the slides from the highly-attended and well received Blackhat 2011 Workshop he delivered last week, Zero Day Malware Cleaning with the Sysinternals Tools, which demonstrates how to use the Sysinternals tools to hunt down and eliminate malware.

The team at Mandiant really leads the way in the IR community as well. Not only is their business based on incident response, they continue to offer great MANDIANT: Free Software to the IR community. Those tools aid in detection, analysis, and reporting of all kinds of bad things.

TZWorks also offers a great selection of specialized (and free) Prototype Downloads for Forensic tools covering areas such as Artifact Analysis, Registry/Event Analysis, NTFS Analysis, Network Utilities, and PE Utilities. And they come in both 32 and 64-bit flavors!

To borrow a concept from the PDCA process, incident response needs to be seen as a continual process; plan for incident detection, do the incident response, check & study your response and findings, and act on that knowledge to improve your future responses.  All of the items mentioned in the links above can contribute to that process.

For a good read, take a look at F-Secure’s post How we found the file that was used to Hack RSA. This is a fantastic example of not being satisfied with the initial response and mitigation, but going the extra mile to hunt down the actual file used in the RSA attack.  In doing so, they discover that while the attack plan may have been quite specialized, the actual attack vector wasn’t so much.

TinyApps bloggist pulls some most excellent fresh finds in considering the question Is it possible to recover data from a drive overwritten with zeros once?  The conclusion of all the linkage sources provided still seems to be pretty much “Nope!”. From the post:

Daniel Feenberg's Can Intelligence Agencies Read Overwritten Data? and Craig Wright's Overwriting Hard Drive Data are. For those who are still confused (or are just fond of pictures), see Disk Wiping - One Pass is Enough - Part 2 (this time with screenshots).

(Note: that last post link as well as an unreferenced Part I post: Disk Wiping – One Pass is Enough both are from the Anti-Forensics blog.)

I’ve also touched on the subject of secure-disk wiping here at GSD in series of posts:

It was in that last post that I mentioned the following:

I read with curiosity the following posts:

With the exception of the Data Sanitization Tutorial (PDF-link) written by the University of California at San Diego Center for Magnetic Recording Research, I haven’t seen very many other official-grade research papers that detail just how effective a single-pass bit-wipe of a drive is in comparison to a 3-pass or even a 35-pass wipe.  Now there’s a new research paper on the block Overwriting Hard Drive Data: The Great Wiping Controversy that seeks to dispel the mythos surrounding multi-pass wipes.

From the heise Security link:

    • Craig Wright, a forensics expert, claims to have put this legend finally to rest. He and his colleagues ran a scientific study to take a close look at hard disks of various makes and different ages, overwriting their data under controlled conditions and then examining the magnetic surfaces with a magnetic-force microscope. They presented their paper at ICISS 2008 and it has been published by Springer AG in its Lecture Notes in Computer Science series (Craig Wright, Dave Kleiman, Shyaam Sundhar R. S.: Overwriting Hard Drive Data: The Great Wiping Controversy).
    • They concluded that, after a single overwrite of the data on a drive, whether it be an old 1-gigabyte disk or a current model (at the time of the study), the likelihood of still being able to reconstruct anything is practically zero. Well, OK, not quite: a single bit whose precise location is known can in fact be correctly reconstructed with 56 per cent probability (in one of the quoted examples). To recover a byte, however, correct head positioning would have to be precisely repeated eight times, and the probability of that is only 0.97 per cent. Recovering anything beyond a single byte is even less likely.

The actual paper itself must be accessed for $ or bought via a book, however the author kindly repackaged the research paper in a recent post at SANS Computer Forensics blog.  The details there should be sufficient for most mortals.

Overwriting Hard Drive Data – Dr. Craig Wright, SANS Computer Forensics, Investigation, and Response blog


--Claus V.

Saturday, December 03, 2011

Network Tool Notes

Here is a brief collection of network-related tools and utilities that have been gathered in this past week.

Nmap Security Scanner for Linux/MAC/UNIX or Windows - latest stable version now at 5.51 and development version at 5.61. Changelog

PuTTY: a free telnet/ssh client - version 0.61 released a few months ago and 0.62 “pre-release” build also now available with some bug fixes. Spotted via ISC Diary post. 4 years is a long wait for a bump…

How to connect to a Wireless WIFI Network from the Command line in Windows 7 - Scott Hanselman - just because mixing WiFi and CLI is cool.  See also Scott’s Updated for 2011 - McDonald's WiFi Guide with updates for Mac OS X Lion and Windows 7

Wireless Profile Samples - MSDN WiFi XML profile samples and info on the Netsh Commands for Wireless Local Area Network (wlan).

Wireless Network Profile - Backup and Restore - Windows 7 Forums - Tips on backing up and restoring your WiFi profiles on Win7.

Wifi Network Backup Manager Utility - Shai Raiten - Small and easy tool to assist with the above processes, if it helps you a bit.

Network Stuff - A ton of specialized network tools bundled up in a single free utility. Spotted in this BetaNews post: Network Stuff: More Internet tools than you'll likely ever use. The developer offers a number of other interesting tools as well worth looking into - Dev Stuff

NorthWest Performance Software, Inc. - Network Freeware Tools - This company provides quite a collection of free network tools such as the following:

  • NetScanTools® Basic Edition - DNS Tools, Ping, Graphical Ping, Traceroute, Ping Scanner, Whois
  • IPv6ScopeFinder - Displays ScopeID, status, Interface Type, IPv6 & IPv4 addresses, Interface Name.
  • IPtoMAC - can find the MAC Address of any IPv4 device on the local network.
  • ENUMresolver - “A freeware program designed to query your default DNS for the ENUM NAPTR mapping between a telephone number and a SIP, H323, IAX2 or other URI. Use with VOIP systems to check your e.164 or freenum or other mappings. This program queries each default DNS assigned to your system using the or other root tree for the corresponding NAPTR records and displays them.” That’s pretty cool.

Peter Kostov's software for networkers - amazing freeware collection.

ostinato - Packet/Traffic Generator and Analyzer - Google Project Hosting - from the cross-platform project page: “Ostinato is an open-source, cross-platform network packet crafter/traffic generator and analyzer with a friendly GUI. Craft and send packets of several streams with different protocols at different rates. … Ostinato aims to be "Wireshark in Reverse" and become complementary to Wireshark.”

Fluke Networks Freeware

Fluke Networks has a couple of freeware tools worth looking into. You need to register to download, however for two of the three of them I was able to find a direct download link with a little bit of extra Google searching. I think you can find them on some download hosting sites as well.

Fluke Networks - IP Inspector - free - Run a scan to find IPv4 and IPv6 devices and open TCP app ports on your network. Also reports hostnames and MACs for discovered devices. Results are exportable, and IP state changes can be monitored over time. Found via this LoveMyTool blog post Free New IP Tool - The IP Inspector by Dan Klimke.

Fluke Networks - Switch Port Monitor - free - This tool lets you connect to and monitor network switches to pull and display switch statistics and performance. Aids in switch documentation and troubleshooting efforts.

Fluke Networks - Service Availability Tool - free - Verify service port status for servers, measure response times, run TCP trace routes, save for documentation.

Web-based Network Performance Testing Tools

Could have sworn I had recently made a post of a number of websites that can test network speed and quality. Guess I didn’t.

From the Mandiant Labs

Mandiant Research Tool Release: ApateDNS - Just recently learned about this new Mandiant tool to help with malware analysis from a network angle. From the description:

It is a simple tool that acts as a phony DNS server that can log or manipulate DNS requests being made to it. Malware analysts typically use this to redirect beacon traffic from a guest virtual machine to the host system (or another virtual machine) to monitor beacon and/or communication channels using Netcat or a custom written C2 script. Forensic analysts typically use this tool to quickly extract DNS names from malware samples.

ApateDNS automatically sets up your Windows network configurations by attempting to determine the default route or current DNS settings. This is most useful when in a guest virtual machine since the default route is typically the host machine. As shown in the figure below, ApateDNS has found the default route in my virtual machine ( and uses this IP address for any DNS request on my virtual host. The user may override this by specifying an IP address for DNS Reply IP.

MANDIANT ApateDNS Download Link
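A minimal stand-in for what ApateDNS does, as an added example in Python (my own code, not Mandiant’s): it parses each UDP DNS query, logs the name the sample asked for, and answers A queries with a fixed reply IP so a guest VM’s beacons land on your listener instead of the Internet. REPLY_IP, the bind address and the beacon.example.test name used by the offline check are constructed; binding port 53 needs admin rights and a VM whose DNS server is pointed at the machine running it.

```python
import socket
import struct

# Constructed values: the IP every A query is answered with (where your netcat listener or
# sniffer sits, typically the host side of the analysis VM) and the address to bind.
REPLY_IP = "192.0.2.10"
LISTEN = ("0.0.0.0", 53)


def parse_query(packet):
    """Pull (transaction id, queried name, qtype, end-of-question offset) out of a DNS query."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("query carries no question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer inside the question name")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question type/class")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, pos + 4


def build_reply(packet, reply_ip, ttl=60):
    """Answer an A query with reply_ip; any other qtype gets an empty NOERROR reply.

    Returns (reply bytes, queried name, qtype) so the caller can log the name.
    """
    txid, qname, qtype, qend = parse_query(packet)
    rd = struct.unpack("!H", packet[2:4])[0] & 0x0100  # echo the client's RD bit
    answer, ancount = b"", 0
    if qtype == 1:
        # Name is a pointer (0xC00C) back to the question, then type A, class IN, TTL, RDLENGTH 4.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(reply_ip)
        ancount = 1
    header = struct.pack("!HHHHHH", txid, 0x8000 | rd | 0x0080, 1, ancount, 0, 0)
    return header + packet[12:qend] + answer, qname, qtype


def build_query(qname, qtype=1, txid=0x1234):
    """Constructed client query (RD set), used to exercise the responder offline."""
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + name + b"\x00" + struct.pack("!HH", qtype, 1))


def serve(reply_ip=REPLY_IP, listen=LISTEN):
    """Bind UDP/53 (needs admin/root) and log every name that hits the fake resolver."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    print(f"fake DNS listening on {listen[0]}:{listen[1]}, answering A queries with {reply_ip}")
    while True:
        data, addr = sock.recvfrom(512)
        try:
            reply, qname, qtype = build_reply(data, reply_ip)
        except ValueError as exc:
            print(f"{addr[0]}: dropped malformed packet ({exc})")
            continue
        print(f"{addr[0]} asked for {qname} (qtype {qtype})")
        sock.sendto(reply, addr)


if __name__ == "__main__":
    serve()
```

Names logged by the fake resolver are the same DNS artifacts a forensic analyst extracts from a sample, only obtained by watching the sample ask for them.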

Now go get connected!

--Claus V.

Curse You Scott and your Amazing Lists!

I love finding, collecting and using specialized utilities.  It’s as much passion as compulsion.

And though I can go mad-crazy with my linkfest posts running down tool after tool, developing a comprehensive list of my favs and frolics remains a dream for a month-long sabbatical sometime in the future.

So it is with admiration and respect that I found Scott Hanselman of Computer ZEN fame has recently posted his annual “Best of” software tools and software list.

Scott Hanselman's 2011 Ultimate Developer and Power Users Tool List for Windows

It is an amazing collection.

Scott has done some great organizational work in the post, such as highlighting the new items in Green.  Old favorites that have new back-links have been updated.

Categories include:

  • “The Big Ten Life and Work-Changing Utilities”
  • “Rocking Sweet Windows 7 Specific Stuff”
  • “A (.NET) Developer’s Life”
  • “The Angle Bracket Tax (XML/HTML Stuff)”
  • “Visual Studio Add-Ins”
  • “Regular Expressions”
  • “Launchers”
  • “Stuff I Just Dig”
  • “Low-Level Utilities”
  • “Websites and Bookmarklets”
  • “Tools for Bloggers and Those Who Read Blogs”
  • “Browser Add-Ins/Extensions”
  • “Things Windows Forgot”
  • “Outlook AddIns and Life Organizers”

I’m familiar with many of these tools, but as always, there were some great new discoveries for me in his lists.

Granted, many of the items lean to the programmer (since that is what Scott does) but even if you are not a coder by heart, there are lots of great finds here to pick through.

Most are free however there are some apps listed that are not ($).

Permalink: Hanselman Ultimate Tools List

Bonus Linkage:

obinshah / TED Talks Downloader - freeware - I’m a big fan of stretching my brain-cells and trying to take in new concepts in a wide range of fields and fauna. TED: Ideas worth spreading is a site that provides great (and sometimes provocative) conversations from some of the most interesting people today. Normally I just keep an eye on their site and view a particular video discussion as it calls me.  However, sometimes I want to keep one local for future reference or to view on the road.

TED Talks Downloader is a single EXE that offers a way to grab the list of TED Talks available and then after selection, lets you download them directly to your system in several different quality levels. Super great for when the road calls and you don’t have access to a network connection.  Spotted and described on this addictivetips blog post Batch Download All TED Videos With A Single Click via TED Downloader.

Gow – The lightweight alternative to Cygwin - GitHub - an alternative package to Cygwin. It uses an installer to deliver the goods (~130 UNIX CLI apps) to your system.  Adds a Windows Explorer context-menu entry to open a CMD window from a folder, installs/removes cleanly, and puts the apps on your system’s PATH for easy access.  Not too shabby.


--Claus V.

Friday, December 02, 2011

Reflections on the Toys that Remain…

As Alvis grows older and prepares to fledge one of the unexpected things that has challenged me is coming to terms with her childhood toys.

Now, as an only child, Alvis has probably received an above average lavishment of toys and gifts and meaningful-things from us and her extended family. That said, while not “minimalists” we have always strived to resist consumerism-overload and been fairly selective of the volume of “things” she has accumulated.

At least once a year either on her own or in a combined attack on her room, Alvis and I either toss out some toys (cheap disposable/broken ones) or fill a bag or two to be offered for the church garage sale or mission project.

Sometimes she even will allow some of the special kids she babysits from time to time in our home to “adopt” one of her toys they take a bonding to (although never the giraffes, which are sacred).

That has generally worked well to keep the Things Of Alvis managed over the past years, but as she has gotten older fewer and fewer new “toys” find their way into her room while the art-supplies, books and electronica seem to litter her desk and multiply monthly.

The winnowing process has become even more challenging now as most of the remaining items in her closet, under her bed, and on her shelves have survived for so long due to sentimental value to her (or truth be told, us).  Does Alvis still really want that bobble-head Kim Possible cheerleader figure? Probably not, but then that was her idol at the time of purchase and darn-it we all thought it was so cute, just like her at that period.

One day soon she will move on, taking a selected collection of cherished touchstones, leaving the rest for us to hold onto and/or take responsibility of getting rid of on our own if we have the courage to.

All this comes to mind as today I found a summary of an archaeological site dig in Florida a few years ago. The 7000 year old site and follow-on discoveries made a great read for this anthropology-studies minor but the intro text made my heart melt. Quoting Joseph L. Richardson’s words from that Windover Bog People Archaeological Dig - Titusville Florida web page:

“When the 3-year-old died, her parents placed her favorite toys in her arms, wrapped her in fabric woven from fibers of native plants, and buried her body in the soft, muck bottom of a small pond. Some 7,000 years later, when a young archaeologist uncovered her tiny remains, the toys--a wooden pestle-shaped object and the carapace of a small turtle--were still cradled in her arms.”

This boggles my modern mind and my parental heart.  I can see the child’s joy playing with her simple toys and the sadness as her family lays her to rest accompanied by these same cherished objects.  And then I consider all the “toys” Alvis still has in her room and the special meanings they also represent.

Lest we think that our technology and modern toy development (and American marketing ingenuity) has left such simple things behind, I submit to you the following “GeekDad” posts by Jonathan Liu for reflection. You may be surprised by what makes the list.

The 5 Best Toys of All Time - GeekDad |

Get a Kid the 6th Best Toy of All Time - GeekDad |

So as we face yet another season of Christmas marketing madness, and the prospect of a grown woman’s silent childhood room in the very near future with the objects that remain, I pause for a moment of the melancholies and “mono no aware”, of what “toys” really are, both in form and function, and what they whisper when they remain after the owner has moved on.

Inspired by the lists above I’m seriously thinking about getting Alvis a custom Transmogrifier shaped in the form of a large rectangular clothing basket with sturdy handles for Christmas; one in Tardis Blue. She had one before as a child and used it with great passion and pleasure, often pairing it with a magical blanket of great mystery, comfort and invisibility and disappearing in the middle of the living-room for hours on end with nothing but giggles coming from the space they previously occupied.

I think it might just be perfect as when she tires of jetting around both Time and Space for old-time-sake (although she would probably leave the brake on like a certain Time Lord) she could use it to carry her own laundry to the Laundromat.


Claus V.

T-Bird Note to Self

Just a note about Mozilla Thunderbird in case I forget.

I use Microsoft Outlook at work as my email client. I have Microsoft Office 2010 at home and could use Outlook there as well, but that seems like overkill for managing my personal email accounts.

For most all my extended family (except Dad who prefers using Outlook both for work and home) I recommend Windows Live Mail 2011 since it has a very clean interface and the Ribbon and tabs and pretty (intuitive) icons seem to make this email-client a breeze for family members to use (and me to guide them through tasks).

All that said I continue to find Mozilla Thunderbird the perfect fit for my personal email needs.

In fact, it works so well, I have only four Add-On items that I run on it now:

Office Black :: Add-ons for Thunderbird - I really have grown to like this theme after having rotated through quite a number of great themes over the years. The icons work nicely and are of a pleasant size. And the muted color palette seems relaxing.

Color Folders :: Add-ons for Thunderbird - Unlike the extensive and deep folder structure I have in Outlook at work, my folder structure here at home is much more simple and shallow. That said, I find myself manually moving items out of my Inbox mostly into a few regular folders.  While the text in the Office Black theme and settings isn’t bad, sometimes I have a hard time just dragging/dropping the message into the correct one.  Color Folders allowed me to colorize selected key folders to set them off from the rest.  Now if only Outlook had this ability…

Extra Folder Columns :: Add-ons for Thunderbird - This Add-On allows you to add additional columns to the Folders sidebar for size, unread # items, and total # items.   If you select the unread items column, then it removes the (#) item that Thunderbird puts on the folder name line to avoid redundancy. Suggestions for improvement? I wish that the “size” field displayed would be a little more sophisticated with the count.  Example: you have one main folder with three sub-folders. The columns for counts seem only to apply to the individual folder, meaning that the main-folder # only displays the number of items in the folder itself and doesn’t include sub-folder item counts. Collapse that folder tree and it still shows the number of items in the main folder and doesn’t aggregate the total to reflect all messages in that and the subfolders combined. Another minor quibble; the size-on-disk of each folder displayed uses both MB and KB values. 1MB or more and the size is displayed in MB while < 1MB and you get a KB value. I get the logic but you have to look carefully to understand what it is reporting to you.

Lightning :: Add-ons for Thunderbird - calendaring, scheduling, and to-doing made simple and right. Enough said.

For backing up/migrating my T-bird profile I rely on MozBackup. It’s never failed me. 

As a multi-email-client backup/restoration tool there is also KLS Mail Backup (free for personal use) which in addition to T-bird can also back up Windows Mail and Windows Contacts, Windows Live Mail and Contacts, Outlook Express profiles and contacts, IE Favorites, Firefox profiles, Postbox profiles, Opera profiles, The Bat! profiles and IncrediMail profiles.

Moving on…

Claus V.