Saturday, August 25, 2012

Power Pile of Links

Image: "Chain links" by HowardLake on flickr (CC attribution).

Got to go into the office tomorrow for one of those rare (for me) weekend special project rotations.

So I’m afraid I have just a bit less time than usual to spend on the blogging front.

Today’s offering is a large mix that covers LiveCDs, some WinPE stuff, virtualization, new utility “how to” videos, third-party plugin updates, browser bits, networking, admin tips, password hint leakage, forsec, and a bit of graphical goodies.

ForSec LiveCDs

PALADIN 3.0.1 Forensic Software - Version 3.0 of the PALADIN LiveCD has just been released, followed by a 3.0.1 fix. You must set up a free user account and log in to reach the PALADIN download page. Changes in 3.0 and 3.0.1 are:

Version 3.0 New Features -

-- PALADIN Toolbox has been ported to Ubuntu 12.04

-- Network Share Icon has been added to the desktop to access network volumes that have been added via the MOUNT Tab

-- Boot support for current Intel Macs (including the newer MacBook Airs)

Version 3.0.1 Release Notes -

-- Fixed issue where the Unallocated Image function was producing 0 byte files.

Road to DEFT 7.2 and more DEFT Linux - Computer Forensics live cd - DEFT 7.2 is scheduled for release in September 2012 and marks a milestone of sorts: it will be the last 32-bit release. Starting with the 8.0 builds, DEFT will ship x64 builds only. That shouldn’t be a deal-breaker; just keep a 7.x image handy as well for any 32-bit-only hardware you still need to boot.

DEFT 7 Cyber Forensic Tool Overview (by Casey Mullis) - LoveMyTool blog. Since we were speaking of DEFT, Casey Mullis gives a nice walkthrough of DEFT 7 with plenty of screenshots, if you are interested.

ESSPEE - Penetration Testing & Forensics - Updated to “R1 x86”. This is a new distro to me; it is based on BackTrack 5 for pentest/forsec work and uses the “Unity” desktop interface.

Back|Track 5 R3 - new release. More details in BackTrack 5 R3 Released!, BackTrack 5 R3! — PenTestIT, and from this H Security: News and Features post, BackTrack 5 R3 adds tools for Arduino and Teensy attacks. Choose your path carefully! It is available in both KDE and Gnome flavors, for 32-bit or 64-bit platforms. In case you can’t decide, you may want to first look at this general KDE and Gnome Comparison post by ubuntucat.

WinPE Stuff

The few of you who regularly read this humble blog may have seen some recent activity in the comments sidebar. Turns out we had a recent celebrity visitor, “Steve” from RMPrepUSB, who posts a crazy number of posts and tips on WinPE and USB booting in general.

Steve left a tip regarding the imagex.exe “/norpfix” switch when capturing images, specifically as it applies to junctions when the image is applied to a differently-lettered volume. By default ImageX fixes up reparse points (junctions and symbolic links) whose targets resolve inside the captured volume so that they still resolve after the image is applied to a volume with a different drive letter; /norpfix disables that fix-up and leaves the junction targets exactly as captured. If you use it, verify your junctions after applying the image somewhere other than the original drive letter.

What is /norpfix switch, and what does it do? - Blogs from Zhou, Minxiao

In case you are interested, RMPrepUSB is a super cool tool to format and create bootable USB media. Lots of bells and whistles here, and extreme tippage and tutorials for you WinPE fans.

If I’m not careful I can lose hours at a time going through Steve’s extensive tutorials. Here are just a few you might find interesting:

Windows 8 and WinFE - Windows Forensic Environment blog. Brett Shavers tips us to a cmd script from Troy Larson (the WinFE dude) that allows creation of a WinFE build from Windows 8 RTM. New to WinFE building? Well then, see also:

How to sync time in Windows PE -

VirtualBox and VMware Player updates

Pretty good synchronization getting these updates out guys!

First up, VirtualBox 4.1.20 is out.

Next, VMware Player is rolled up to v5.0 with some significant changes.

For VirtualBox, be sure to download and upgrade your Oracle VM VirtualBox Extension Pack at the same time; the Extension Pack version has to match the installed VirtualBox version. Likewise, VMware users should install the latest VMware Tools in each VMware guest OS for peak performance.

Defrag Tools Video

Defrag Tools - Microsoft Channel 9 - a neat source of fresh reviews of MS tools and techniques; it now has two more quality videos up.

Update those Browser Plugins!

I’m thinking I’ve put in close to three hours this past week updating our home systems as well as Dad’s system to ensure they have the latest Flash/Java/etc. updates.

Adobe closes numerous critical holes in Reader and Acrobat - Update - The H Security: News and Features

There are lots of places and ways to download and get the updates: in-app updaters, direct from the software vendor’s site, or from third-party download sites like filehippo or majorgeeks. The in-app updater or the vendor’s own site is the safer choice; a third-party mirror is one more party you have to trust not to repackage the installer.

I generally tend to just rock over to filehippo and pull them down. I suppose there is a risk they could have been corrupted or “seeded” with unwanted bits, but so far I’ve not had any problems and their Plugins Downloads page makes nice “one-stop” shopping.

At work it is hard keeping up with which “build” version we need to upgrade these to, as for Flash there are both 11.3.x and 11.4.x branches, which may cause problems for certain in-house software applications if compatibility is not verified first. Most home users, however, should probably be on the 11.4.x branch right now.

Likewise there are both Java 1.6.x and 1.7.x build branches. Again, most home users should probably be on the 1.7.x builds, and should uninstall the older branch once the newer one is confirmed working rather than leaving both installed.

Regardless, once you are done patching, point your Windows IE, Mozilla Firefox, and Google Chrome browser(s) at Qualys BrowserCheck and run a quick free check to make sure the plugins are sufficiently patched.

Additional Browser Notes

In my recent post Greased Monkey Business I celebrated the joy of finally finding a custom Greasemonkey script I could use that would justify adding it to my Firefox browser: Removing UTM data from URLs automatically for cleaner bookmarks. It has been a lifesaver to my blogging work.

So this past week I gave a second banana to the Monkey: Scrub Google Redirect Links for Greasemonkey, from “ping”.

Check out this MakeUseOf post that goes into the details: How To Copy Crap-Free URLs From Google’s Search Results
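As an added illustration of what the two userscripts above do, the functions below strip utm_* query parameters and unwrap Google /url?url=... (or older /url?q=...) result redirects. This is example code written for this post, not the scripts themselves; the function names are this example’s own and the sample URLs in the comments are constructed. One caveat worth building into any userscript that rewrites hrefs: only unwrap a redirect target that is itself an http(s) URL, otherwise a crafted q= parameter could hand the page a javascript: link.

```javascript
// Example userscript logic (not the original Greasemonkey scripts): scrub
// tracking parameters and unwrap Google result redirects. Runs under Node
// for testing and, in a browser, rewrites document.links.
const TRACKING_PREFIXES = ["utm_"]; // utm_source, utm_medium, utm_campaign, ...

// True for query-string parameters that only carry tracking data.
function isTrackingParam(name) {
  const n = name.toLowerCase();
  return TRACKING_PREFIXES.some((p) => n.startsWith(p));
}

// Remove tracking parameters from an absolute URL. Anything that does not
// parse as a URL (a relative href, for instance) is returned unchanged.
// e.g. "https://example.com/a?x=1&utm_campaign=c&y=2" -> "https://example.com/a?x=1&y=2"
function stripTrackingParams(href) {
  let u;
  try { u = new URL(href); } catch (e) { return href; }
  const kept = [];
  for (const [k, v] of u.searchParams) {
    if (!isTrackingParam(k)) kept.push([k, v]);
  }
  u.search = ""; // drop the whole query, then put back only what we kept
  for (const [k, v] of kept) u.searchParams.append(k, v);
  return u.toString();
}

// Replace a Google /url?url=<target> (or older /url?q=<target>) redirect
// with the target itself. Only http(s) targets are accepted, so a crafted
// parameter cannot turn a search-result link into javascript: or data:.
function unwrapGoogleRedirect(href) {
  let u;
  try { u = new URL(href); } catch (e) { return href; }
  const onGoogle = /(^|\.)google\.[a-z.]+$/i.test(u.hostname);
  if (!onGoogle || u.pathname !== "/url") return href;
  const target = u.searchParams.get("url") || u.searchParams.get("q");
  if (!target || !/^https?:\/\//i.test(target)) return href;
  return target;
}

// Combined clean-up: unwrap first, then strip tracking from the real target.
function cleanLink(href) {
  return stripTrackingParams(unwrapGoogleRedirect(href));
}

// In a browser (Greasemonkey) this rewrites every link on the page.
if (typeof document !== "undefined") {
  for (const a of document.links) a.href = cleanLink(a.href);
}
```

Because the query is rebuilt with URLSearchParams, parameter values come back normalized (percent-encoded the way the URL parser encodes them), which is fine for bookmarks but worth knowing if you diff the before and after.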

Comodo IceDragon 14.0 released -- get it NOW! - BetaNews notice of the Comodo-tweaked Firefox 14 browser release (actually it is version 14.0.3). A direct download is available from this Comodo forums link: Comodo IceDragon ver. 14.0.3 is now available for download!!

BrowsingHistoryView - NirSoft - Version 1.0 of a new utility to view the browsing history of all your web browsers. Nir Sofer has long offered browser-specific history viewers, but this gem covers the four major ones at once: Internet Explorer, Mozilla Firefox, Google Chrome, and Safari. New Web browser history viewer - NirBlog

Network Fun

NetworkMiner 1.4 Released - NETRESEC Blog - The new release improves handling of fragmented IPv4 packets. Hurray! It also no longer checks for a .pcap extension (any valid libpcap file works), extracts DHCP options, and adds a new protocol parser. There are also some nice GUI improvements.

Trace File Case Files - Sharkfest 2012 (by Jasper Bongertz) - video presentation of using Wireshark to trace out real-world problems and solve them.

Wireshark Security Update - ISC Diary. Wireshark builds were updated to squash bugs and patch vulnerabilities. Dissector bugs are reachable from any capture file you open, so update before you open the next untrusted pcap. Go get busy…Wireshark · Download

Notes for the Sysadmins

Simple but Extremely Useful Windows Tricks - Open Security Research - Nice list of handy Windows tips.

Why The Size of My Partition is Maxed Out at 2 Terabyte and How to Get Over it - Windows7hacker. (Short version: an MBR partition table addresses 2^32 sectors, which at 512 bytes per sector is 2 TiB; GPT removes that limit.) Just guided Dad through adding a second internal HDD to his Vista system. He’s getting into digital photography and while he has lots of room left on his OEM primary HDD, adding a 2nd drive gives him an exclusive place to drop the files. I guess we could have gone with an external USB drive, but the internal was faster in the long run for large file transfers. Talked him into a 7200 RPM 1TB SATA drive. With some guidance got him to get it successfully installed. Then via a quick remote-control session, got it formatted, labeled, and added to the OS fine. Considered going for a 2+TB drive for a few more bucks, but this was easy enough. Next time I will have to follow the link tippage and set up a GPT disk if the conditions warrant.

Microsoft updated - Borns IT & Windows Blog (Google Translated) - Nice review of the new SkyDrive updates.

RegKeyFixer - a sweet little tool by Joakim, similar to Sysinternals’ RegDelNull: it handles registry keys with embedded null characters in their names, which regedit and the usual registry tools cannot open or delete. Related: Reghide

ForSec Links

Password hints easily extracted from Windows 7, 8 - Ars Technica

All Your Password Hints Are Belong to Us - SpiderLabs Anterior

A Fistful of Dongles: AFoD Interview with Eric Zimmerman - A Fistful of Dongles - Eric Huber interviews F.B.I. Special Agent Eric Zimmerman. Great article (and Eric wears a mean flat-top to boot!). Many years ago I had applied to the F.B.I. hoping for a career there following in the steps of my grandfather, who was a former Special Agent under Hoover. Alas…it was a path not to be.

ShellBag Analysis - Windows Incident Response Blog

SetRegTime - Windows Incident Response Blog

Linkz for Tools - Journey Into Incident Response Blog - Corey Harrell has some info in this post, particularly tipping us time-challenged guys to the Time Zone Converter – Time Difference Calculator and Time Zone Map. Also valuable is the final section “Process, Process, Process”, which drives home the critical value of knowing in advance HOW you are going to do exactly WHAT it is you want to accomplish; supporting examples include links to the Forensic Process Lifecycle (PDF) from Lance Mueller at ForensicKB, the previously GSD-blogged SANS DFIR Poster 2012 (PDF) download, and Corey’s own Journey into IR Methodology scratchpad.

Man versus AntiVirus Scanner - Journey Into Incident Response Blog - Corey shows off the value of having skillz, technique and a rock-solid process in a John Henry-esque dance against an anti-malware scanner. Really a great tutorial and exercise.

Registry Decoder 1.4 Released and Updated Registry Decoder Live - New versions are available. I noticed that in the past separate downloads were available for x32 and x64; however, I don’t see that in this release. I’ve not followed up yet to see whether the newer version handles both automatically.

Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images - Forensic Focus. ForenicsRichard has also released the shell (Bash) and C source code.

Finding Smoking Gun and going beyond that – Helpful Forensic Artifacts - Hexacorn blog - another strong article supporting the previously mentioned theme of having a process to use in looking for clues, here referred to as HFAs (Helpful Forensic Artifacts), to guide the overall investigation, analysis and discovery.

HexDive 0.4 - New update at Hexacorn to a tool that extracts strings from a file/sample for additional review. Corey recommends using BinText or Strings to further review the output.

The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1) - Mandiant M-unition blog

The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2) - Mandiant M-unition blog

Grab Bag

Change the Windows Logon Screen Background - CybernetNews tips us to Luke Payne Software » Logon Screen Rotator. While I do rotate my Win 7 desktop login picture periodically (right now it is Tardis-based), generally I keep it stable. This is a cool tool, however, for those who like a bit more variety.

Organize & Manage Huge Photo & Video Databases Using Snaps - AddictiveTips reviews the Snaps - Photo management application.

Microsoft Reimagines Paint - Next at Microsoft - New “version” of the perennial “Paint” app. (Win 8 only).

Tip o' the Week #133 - The Art of Cut n' Paste - The Electric Wand


--Claus V.
