Oldies But Goodies - Linkfest

Progress is being made on several piles of links I’ve come across but haven’t posted yet. It is actually turning out to be a good thing culling them down like these.

The links below were in a For/Sec/Net folder I was using to hold blog material under that subject until it got too full and too old for me to continue dropping items in there. Some went back to late 2011!

Yesterday I decided to do some Spring cleaning and deal with it.  I dumped a LOT of links that seemed either dated or just not as important now as they seemed to be back then.

What remains below are links that I still wanted to document for research/reference. I did update/supplement some of them with some new material if applications the original links I captured have been updated.

Anyway, here you go if you are interested.

Watching the Networks

• Using Wireshark to Support the Application (by Tim Poth) - LoveMyTool blog - video presentation on Wireshark techniques for troubleshooting network issues.
• Network Mystery #2 (by Betty DuBois) - LoveMyTool blog - video presentation on analysis of a slow network performance situation.
• Wireshark in the Large Enterprise (by Hansang Bae) - LoveMyTool blog - video presentation on the role Wireshark can play in a large network environment.
• Using Wireshark's Editcap to Reduce Your Trace File Size (by Tony Fortunato) - LoveMyTool blog - short (7m) video on splitting capture files to make capture file more manageable.
• Ostinato: Craft and Play Packets (by Joke Snelders) - LoveMyTool blog - Overview of the packet crafter and traffic generator application Ostinato.
• PDD - Packet Dump Decode (by Joke Snelders) - LoveMyTool blog - packet/hexcode dumping/conversion too.
• NetworkMiner 1.3 Released - NETRESEC blog - old news for a great program.
• Security Onion includes NetworkMiner - NETRESEC Blog
• No more Wine - NetworkMiner in Linux with Mono - NETRESEC Blog - I just followed these steps and got NetworkMiner running perfectly in Ubuntu 12.04 this weekend. Sweet.
• Passive OS Fingerprinting - NETRESEC Blog
• NBTScan. NetBIOS Name Network Scanner. - I use this CLI tool each week. Works great. Mark Woan recommended this version as an alternate: nbtscan - NETBIOS nameserver scanner
• Magic Tree from Gremwell - Interesting tool to help manage network scan data. Works with nmap.
• Home of 0x4553-Intercepter and 0x4553-NAT or Intercepter-NG - very interesting pen-test/sniffing tool that can parse out quite a lot of items.

Tips, Tricks,and other Material

• Facebook Forensics - Help Net Security - Points to paper published by Valkyrie-X Security Research Group on Google Docs or download it in PDF format.
• How we found the file that was used to Hack RSA - F-Secure Weblog : News from the Lab
• Bypass Vulnerabilities in Squid and McAfee Web Access Gateway - SpiderLabs Anterior blog.
• Quickpost: Blocking and Detecting a Teensy Dropper - Didier Stevens
• Plug and Prey: Malicious USB Devices - IronGeek reference material
• Lost a Windows Registry key? Yaru can recover it - BetaNews blog - review of  (YARU) Yet Another Registry Utility tool.
• Carving Symantec VBN Files - Security Braindump - guide on using QExtract to remove SAV quarantined files for incident analysis. However it has limitations and Bugbear provides some tips on an alternative method of extraction.
• CSI:Internet - Controlled from the beyond - The H Security: News and Features
• Purchase information such as your e-mail address and name of iTunes song removed - Caschys Blog (GTranslated) - I’ve been meaning to post this for a while. Caschy illustrates how if you buy songs via iTunes the file gets embedded with the purchaser name/email address. I thought this might have some possible use when looking forensically at a system/files.
• (IN)SECURE Magazine
• DOWNLOAD ISSUE 33 HERE  - PDF Link
• DOWNLOAD ISSUE 32 HERE - PDF Link
• Proceedings of The 9th Australian Digital Forensics Conference - I may have posted this before, but it contained a lot of great presentations and whitepapers I had to relink.

Scan it & Dump it!

• rootrepeal - Beta rootkit detector
• GMER - Rootkit Detector and Remover
• Live Memory Forensic Analysis - SANS Computer Forensics and Incident Response blog
• MoonSols DumpIt goes mainstream ! - MoonSols - ISC Diary | MoonSols Dumpit released...for free!
• Volatility: Advanced Memory Forensics - Released to version 2.0 back in August 2011.
• Hexacorn Application Monitor - Hexacorn Blog. Related blog post: How to use HAM?

Tools and Utilities

• TrID - Marc Pontello - Utility to ID files from their binary signature. Def database gets updated often so keep it fresh!
• FileMind Pro Beta 0.6 - Metability Software - Super cool tool to find/review/manage file metadata.
• FileMind QuickFix - Metability Software - and a free tool to scrub metadata from files.
• Know Your Files - Metability Software blog. Not updated recently but still good info.
• TZWorks LLC Prototype Downloads for Forensic tools - TZWorks list of lots of super-cool freeware utilities.
• Registry Decoder - from the project page -- “Registry Decoder provides a single tool in which to perform browsing, searching, analysis, and reporting of registry hive contents. All functionality is exposed through an intuitive GUI interface and accommodates even novice investigators.“
• Free Computer Forensic Software downloads and Secuirty Tools - Forensic Computing Ltd. - Great list of tools.
• DarkComet RAT - Official - tool to extract information from browser history

Live ForSec CD’s

• CAINE Live CD - computer forensics digital forensics - “SuperNova” version 2.5.1 has been out.
• DEFT 7.1 ready for download - Released April 2nd with more than a few updated packages and fixes.
• Ubuntu - Now at 12.04 release version. I prefer to use this for my own self-installations of Xplico and Network Miner packages.
• Ubuntu 12.04 and VirtualBox Image - Xplico team has released a VirtualBox image built on Ubuntu 12.04 which includes their Xplico 1.0.0 version (if you don’t want to build it yourself!).
• ubuntu [Xplico Wiki] - Now you can use the Xplico Repository or one of several terminal scripts to easily (and I mean REALLY EASILY) get the Xplico NFAT application going! Super sweet.

Maltego

I first learned about Maltego when I read this fun post Using Maltego CaseFile to map The Spy Hunter at the wirewatcher blog.

Basically this tool lets you organize your intelligence and forensic investigation information in new and graphical manners to better show relationship between elements. Check out the bottom of this page for some screenshots and links to more presentations.

It comes in both a commercial and community edition.

• Maltego 3.1.1 Community edition released - Maltego Blog - info on the latest version release.
• Maltego Blog - Latest news
• Maltego Blog: Maltego CaseFile Beta released - has 10min video on an earlier version with links to the beta version 1.0 downloads.
• Maltego 3 > Community Edition - registration page. Registration is required to use the community edition.

Note: I’m still playing with the version 1.0 beta version and haven’t upgraded yet to the version 3.1.1 community edition.  The version 1.0 so far has been meeting my basic “play and learn” needs, FWIW.

Whew!

I feel better now.

Next up…new material fresh out of the bakery ovens.

Cheers!

--Claus V.