Sunday, May 20, 2012

So Many Links…So Little Time!

Busy day today. Chores to do inside the house and out. And links galore spilling out of my Firefox sidebar, ripe for posting.

Critical Updates

New Place to Report Fake Tech Support Scam Calls

As if the usual bane of telemarketers isn’t enough to wade through almost every day and night, now we are seeing a renewed push of the fake-tech-support calls. Enterprise IT shops are even having to now send notices across their employee-base to remind them that they haven’t been outsourced to these callers and that employees should always make sure they are talking to the right IT guys and gals. Some places are event starting to black-list some of these third-party remote control sites to clamp-down the borders against these calls.

Troy Hunt has a series of great posts that tell you just about everything you need to know about these scams. I’ve posted them before but Troy’s writings are so good, they need another mention.

The guys and gals over at SANS have gotten into the game as well.

They have opened up two (same) locations for you to report any fake-tech-support calls you may get for intel-gathering purposes. Knowledge is power!

For the SysAdmins in the Audience

Kyle Beckman has written an outstanding series of posts at 4Sysops blog on folder redirection in Windows. Definitely worth taking some notes from.

In other news…

FREE: Veeam ONE Free Edition – Real-time Hyper-V and VMware monitoring - 4sysops

"Could not reconnect all network drives" - TinyApps.Org. Great tip and trick for delaying (slightly) the mapping of network drives until the network is fully available after login.

Windows Error Lookup Tool Portable 3.0.4 (get details on Windows error codes) Released -

Batch-Convert XLSX To XLS Without MS Excel Or An Online Converter - New tool reviewed by AddictiveTips.  Get the tool here from the author.

Jarfix - free tool to fix broken “jar” file associations in Windows.  I needed this after the last Java Runtime update I applied to my system. After installation, I could no longer run the Java-based Software Protection Initiative - Encryption Wizard tool as I had before. I tried several times to update the file-associations but no dice. Then I found this tool, and once executed…problem solved!

Likewise, a few months ago I had re-installed Google Earth but for some reason, lost all indications on how to launch it…no icon on the desktop. None in my “Start” list. Nada. Uninstalled/reinstalled. Still the launcher icon was no-where to be found.  Finally found this link: Google Earth icon has disappeared from my PC : Fix my problem - Google Earth Help  Downloaded the Google Earth Icon Restorer and ran it. Again, problem solved!

Mirekusoft Install Monitor -freeware Installation management software. (Note site down at time of posting) - I have a number of system change monitor/detectors I rely on to monitor how and where a software install impacts a system. Each one takes slightly different approaches. So I read with interest about this new installation monitor/logger. It runs as a service so it catches all installations and documents where in the file-system and registry the bits go. Drawbacks? Maybe a bit unstable and if a program was already installed prior to installing this tool, it doesn’t well-catch the updated installation bits. All that said, it might be worth looking into…particularly in a lab/test-bench setting where you need to document where install bits go before deploying them.  See this CSArchive.Net Mirekusoft Install Monitor post for some screenshots while the main site is down. Alternative programs to consider: Total Uninstaller by (free-trial/$) or Revo Uninstaller Freeware.

Leelu Soft: Watch 4 Folder 2.3 and Track Folder Changes are two other utilities you may want to check out.

I’m not sure why I’m on this theme this week, but the freeware app GeekUninstaller came to my attention this week also. Free and available in both installable and portable versions, helps remove installed applications.  For a few more details and screen-caps, see this AddictiveTIps post: Geek Uninstaller Lets You Completely Wipe Off Any Application From PC

VMware Workstation Player 4.0.3 released / Workstation 8.0.3 - Born and Windows IT Blog - My own recent experience using VMWare Player 4.0.3 for a Win 8 CP run was outstanding. Definitely worth getting these updated bits. VMware Player 4.0

Group Policy Central - new blog to me about Group Policy topics, including some Win 8 items and findings. Doesn’t appear to be updated quite as frequently as I would like, but since it is new, I’ll probably find more than enough material here to keep me busy until the next post comes out.

Network Nuggets of Gold!

NetBScanner - New tool from NirSoft - NetBIOS scanner. Provide a IP range and get IP addresses, WS Names, Workgroup membership as well as MAC address. Super nice GUI. Add this right now to your network toolbox!  Reminds me of the CLI tools (work good for me) NBTScan and the similarly named nbtscan. More info on NetBScanner at this AddictiveTips review. 

wpic v1.0.0 - woanware - A “simple console web page capture tool based on Chromium project that captures an entire web-page. Reminded me of IECapt which is an IE based web-page capture tool that I use daily for some data archiving.

NETRESEC CapLoader - Not free - interesting tool to process large network PCAP files and filter flows of interest. See this CapLoader Demo - YouTube for more info.

Curiously, there was this related post The Adventures of Packet Tracy, PI over at wirewatcher blog on parsing down large PCAP sets for URLs of interest.

HolisticInfoSec: toolsmith: Buster Sandbox Anayzer - Detailed information and walkthrough regarding a new release of Buster Sandbox Analyzer back in April.

In a GSD post On the Hunt… I detailed a quite involved process in hunting down/validating network connections and mapping them to specific switch ports. Over at LoveMyTool blog, Tony Fortunato posted a short video on how to find out which switch port the client is connected to. Pretty standard stuff.  However, I’m always putting a sharp eye on these just in case I find a new or better technique. And I did! For whatever reason (Cisco IOS updates?) we’ve seriously lost our ability to search for MAC addresses in the Cisco Network Assistant product. We are not alone as others are encountering issues as well. Anyway, we have some workarounds in the GUI but they are a bit time intensive looking through many, many switch port connections.  So like Tony, I find it (generally) faster to just telnet to each switch, run a “show mac address-table” and list the MAC/Port associations and look for the target MAC. On 48-port switches, that is a lot of searching. Tony’s video taught me the following trick; “show mac address-table |include <mac address>”  Including the pipe-include lets me pop just the single MAC I want. Sweet!

More here: Cisco IOS "include" filter.  And for the full list of powerful Cisco CLI options, check out this Cisco IOS Terminal Services Configuration Guide, Release 12.2 - Regular Expressions  [Cisco IOS Software Releases 12.2 Mainline] at Cisco Systems . Note your Cisco IOS version may render some of these commands a bit different, if supported at all. You probably also want to tuck away this Regular Expressions (PDF) for reference as well.

Finally, over at Anything About IT blog, Alex Verboon posted this Script for finding Executables that are command-line programs via a free utility IsCommandLineApp by Helge Klein. Might be useful in incident-response.

For the ForSec crewmates

In my recent Forensically Sound: Quick Post #3 I posted a number of links touching on early forensic surveys of Windows 8 “release” builds. I warned that none of these observations are 100% guaranteed to be present and accounted for in the final baked version, but they are good starting points. Troy Larson wisely commented on that post “Regarding Windows 8 forensics: I would be careful of relying too much on the public preview versions for detailed forensic analysis. Offsets and formats can still change.” Noted! So with Troy’s perspective firmly fixed in mind, here are a few more links touching on early (very early) Win 8 forensic notes and observations.

Portable Agents to QuickScans: Tips on Using the Latest Version of Redline - Mandiant M-unition blog

SANS DFIR Wall Poster Preview - SANS

File Formats ZOO - Hexacorn blog - file sector header information for common file formats.

File Formats ZOO – Installers - Hexacorn blog - likewise for software installer files.

The Curious Case of the Forensic Artifact - Hexacorn blog - in which the process of solving a curiosity is illuminated.

RegRipper: Update, Road Map, How not to get p0wned by RR v2.5, and Approximating Program Execution via VSC Analysis with RegRipper - Windows Incident Response blog -- my o my how RegRipper has grown!

More About Volume Shadow Copies - Journey Into Incident Response:  Corey Harrell dishes more on VSCs.

Related…VSC Toolset Update: Browsing Shadow Copies - Digital Forensics Stream post by Jason Hale with interesting comment thread follow up.

TypedURLs (Part 1) and TypedURLs (Part 2) - Crucial Security Forensics Blog posts by Paul Nichols.

Addressing Malware Issues from an Operational Perspective - Crucial Security Forensics Blog post by Michael Robinson. Great quick read on malware in the organization and changes that may be needed in operations.

Resurrecting “Dead” Images for Live Analysis - Crucial Security Forensics Blog post by Mark A. Wade.

Old Servers never die – unfortunately - Forensics from the sausage factory. Great “how-to” tips and results on imaging a server/system over the network, when you must…

Digital Forensics with Open Source Tools (Amazon link) - New book by Cory Altheide, Harlan Carvey. It’s a book after my own heart! Open Source/freeware (closed-source) tools for for/secs.

Windows Live Messenger – MessengerCache folder  Forensics from the sausage factory. This post was very interesting as it took a fresh look at what may be a commonly used application on some Windows systems.

“You Can’t See Me”…(my bad…I guess you can…)

A recent round of migrating users into a new AD domain (and some folder rcopy/redirection work on the side) has left a few users with missing data post-migration. I have tons and tons of tools to recover deleted data from a drive. The sysadmin I was working with reached for a new one to me in our troubleshooting work together, FreeUndelete over at Did the job nicely and the customer had their files restored in no time. I offered my own recommendations in thank-you. In doing so I spotted that Kickass Undelete recently got bumped up to 1.3 beta version. Others I like include Recuva. I also learned (via this AddictiveTips blog post) about Orion File Recover Software Free. I also saw this review at AddictiveTips blog for Wise Data Recovery freeware software. For even more tools, check out this GSD post File Recovery Extravaganza.

PhotoGrok / Java

PhotoGrok: EXIF-Based Image & File Viewer With Metadata Filters - AddictiveTips blog. I have more than enough EXIF-data/File-Viewer apps than I really need, but I’m a sucker for a new utility so I went ahead and downloaded the PhotoGrok tool and was quite pleased with the effort. It’s a nice tool. However, when I went to try to uninstall it, it wasn’t listed in my Add/Remove program (errr, make that Programs and Features) list. Nor could I find a link to an uninstaller in my program file list.

Checking the desktop shortcut target location led me to

“C:\Windows\SysWOW64\javaws.exe -localfile -J-Djnlp.application.href= "C:\Users\profilename\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\3b46d1a5-79989755"”

Now how do we uninstall this?  Unfortunately, the otherwise well-written FAQ didn’t seem to spell out the method. Yikes. Time for some deeper digging.

Turns out PhotoGrok is a Java WebStart application.

To remove you can follow the principle outlined in this post: How to Clear the Java Web Start Cache as explained by a different software vendor. This post Clearing the Java WebStart Cache by NGS has some better screen-captures (although they may be outdated a bit if you have a more recent Java build on your system…it should work well enough to get you what you need to know). Still not sure? See this final set of screen-caps for a newer Java build: Java Web Start 1.6 beta2 Review courtesy of

See, no need to panic! Easy-peasy if you want to strike it from your system.

Reset that Windows Password! (or crack it with a new release of Ophcrack…)

So last week--a tech was having some issues having a pushed application install on their system. Turns out their domain account didn’t have admin group membership and was causing the bomb-out. No problem, let’s just add you to the…hmm…for some reason all the admin account passwords are different from our standard and the “fail-safe” account is disabled. Oh snap. I hear the drumbeats of a system reload! Can you say “too-bad, doo-dad?”

Luckily, I had a backup plan.  Booted the system in my custom WinPE, used the embedded tools to off-line authenticate to the whole-disk encrypted system drive, then used NTPWEdit 0.3 to update the Admin password accordingly. Reboot. On the local system admin account now, added tech to the admin group. enabled the disabled account, good to go.

See also Password Renew at sala source (which I understand doesn’t play well under WinPE).

Related: Ophcrack LiveCD updated May 15th. More news about this build here: Distribution Release: Ophcrack LiveCD 3.4.0

"This new live CD includes the latest version of ophcrack 3.4.0. It is built on Slitaz GNU/Linux 4.0, the latest version of this great live CD. Christophe Lincoln from Slitaz helped us to enhance the scripts for partitions and tables detection. A new ncurses interface is also available to help users look for tables on other drives or interact with ophcrack. Finally a live CD without tables has been released as well for users that already downloaded or bought tables. The directory containing the table files must be placed inside another directory called tables in order for ophcrack to find them automatically."

More Ophcrack release news here: news page

Now where’s my mop?


--Claus V.


Mark Woan said...

My wpic tool was written to replace IECapt, as I needed it to work without any interaction, however, IECapt kept popping up SSL certificate error dialogs etc!

Anonymous said...

I updated the FAQ on the PhotoGrok page to include instructions for removing PhotoGrok. Thanks for pointing this out.