CC attribution: "Chain links" by HowardLake on flickr.
Got to go into the office tomorrow for one of those rare (for me) weekend special project rotations.
So I’m afraid I have just a bit less time than usual to spend on the blogging front.
Today’s offering is a large mix that covers LiveCDs, some WinPE stuff, virtualization, new utility “how to” videos, third-party plugin updates, browser bits, networking, admin tips, password hint leakage, forsec, and a bit of graphical goodies.
PALADIN 3.0.1 Forensic Software - Paladin just released version 3.0 (and a 3.0.1 fix) of their LiveCD. You must set up a free user account and log in first to access the PALADIN Download page. Changes in 3.0 & 3.0.1 are:
Version 3.0 New Features -
-- PALADIN Toolbox has been ported to Ubuntu 12.04
-- Network Share Icon has been added to the desktop to access network volumes that have been added via the MOUNT Tab
-- Boot support for current Intel Macs (including the newer MacBook Airs)
3.0.1 - Fixed issue where Unallocated Image function was producing 0 byte files.
Road to DEFT 7.2 and more DEFT Linux - Computer Forensics live cd - DEFT 7.2 is scheduled for release in September 2012 and will mark a milestone of sorts: it will be the last 32-bit release. Starting with the 8.0 builds, they are going for 64-bit system support only. Shouldn’t be a deal-breaker, just keep a 7.x version handy as well for older 32-bit-only hardware.
DEFT 7 Cyber Forensic Tool Overview (by Casey Mullis) - LoveMyTool blog. Since we were speaking of DEFT, Casey Mullis gives a nice walkabout of DEFT 7 with nice screenshots if you are interested.
ESSPEE - Penetration Testing & Forensics - SourceForge.net - Updated to “R1 x86”. This is a new distro to me and is based on BackTrack 5 for pentest/forensics/security work. Uses the “Unity” desktop interface.
Back|Track 5 R3 - new release. More details: BackTrack 5 R3 Released!, BackTrack 5 R3! — PenTestIT, and from this H Security: News and Features post, BackTrack 5 R3 adds tools for Arduino and Teensy attacks. Choose your path carefully! Available in both KDE and GNOME flavors, for 32-bit or 64-bit platforms. In case you can’t decide, you may want to first look at this general KDE and Gnome Comparison post by ubuntucat.
The few of you who regularly read this humble blog may have seen some recent activity in the comments sidebar. Turns out we had a recent celebrity visitor, "Steve” from RMPrepUSB, who writes a crazy number of posts and tips on WinPE and USB booting in general.
Steve left a tip regarding use of the imagex.exe “/norpfix” switch when capturing images, specifically as it applies to junctions when the image is applied to a differently-named volume.
What is /norpfix switch, and what does it do? - Blogs from Zhou, Minxiao
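The junction problem Steve is pointing at is easy to check for before you capture. The following is an added example (my own PowerShell, not code from the linked post or from RMPrepUSB): it lists every reparse point under a capture root and flags the ones whose target resolves outside that root, since those are the entries imagex leaves out of the image unless /norpfix is given. The D:\ capture root and the .wim path are placeholders, and it assumes Windows PowerShell 5.1 or later, where the FileSystem provider exposes LinkType and Target on links.

```powershell
# Added example, not from the original post. Report reparse points (junctions,
# symbolic links) below a capture root and flag targets outside that root.
# Assumes: Windows PowerShell 5.1+ (Target/LinkType properties on links),
# the source volume mounted as D:\ (placeholder), run from WinPE or a full OS.
function Get-ReparsePointReport {
    param(
        [Parameter(Mandatory)] [string] $Root
    )
    # Normalise to an absolute path with a single trailing backslash.
    $rootFull = [System.IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'

    # -Attributes filters the output to reparse points; recursion still walks
    # every directory. -Force includes hidden/system entries such as the
    # "Documents and Settings" compatibility junction.
    Get-ChildItem -LiteralPath $rootFull -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Target may be empty for reparse points that are not links
            # (placeholder/dedup files); those are skipped.
            $targets = @($item.Target) | Where-Object { $_ }
            foreach ($t in $targets) {
                # Strip NT-style prefixes (\??\ or \\?\) some targets carry.
                $t = $t -replace '^\\\?\?\\', '' -replace '^\\\\\?\\', ''
                # Only absolute targets can point outside the root; a relative
                # symbolic link travels with the image.
                $outside = [System.IO.Path]::IsPathRooted($t) -and
                           -not $t.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)
                [pscustomobject]@{
                    Path        = $item.FullName
                    LinkType    = $item.LinkType
                    Target      = $t
                    OutsideRoot = $outside
                }
            }
        }
}

# 1. Review what would be dropped by a default capture.
Get-ReparsePointReport -Root 'D:\' | Where-Object OutsideRoot | Format-Table -AutoSize

# 2. Capture, keeping every reparse point exactly as found on the source volume.
#    Without /norpfix the entries flagged above are not captured.
& imagex.exe /capture D:\ E:\images\source.wim "Captured volume" /norpfix /compress maximum
```

Reparse points kept verbatim still carry whatever absolute path they had on the source, so if the image is later applied to a volume with a different drive letter, run the report again against the applied volume and fix up the ones that now point at a letter that no longer exists.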
In case you are interested, RMPrepUSB is a super cool tool to format and create bootable USB media. Lots of bells and whistles here and extreme tippage and tutorials for you WinPE fans.
- Create Bootable Windows or Linux USB with RMPrepUSB - ghacks.net
- RMPrepUSB (and USB booting) - RMPrepUSB blog
If I’m not careful I can lose hours at a time going through Steve’s extensive tutorials. Here are just a few you might find interesting:
- 16 - How to boot to different WinPE versions using a single boot.wim that contains multiple images
- 83 - Download ImageX, BCDBoot and other WAIK tools - RMPrepUSB
- 53 - Windows 8 To Go (boot Windows 8 from a USB drive!) - RMPrepUSB
Windows 8 and WinFE - Windows Forensic Environment blog. Brett Shavers tips us to a cmd script from Troy Larson (The WinFE dude) that allows creation of a WinFE build from Windows 8 RTM. New to WinFE building? Well then, see also:
- Build questions - Windows Forensic Environment blog.
- WinBuilder - Windows Forensic Environment blog.
- Colin’s Final Version of his write protect application - Windows Forensic Environment blog.
- Winbuilder Tutorial - Windows Forensic Environment blog.
- Windows Forensic Environment - Colin Ramsden’s site for WinFE Lite building.
How to sync time in Windows PE - WindowsNetworking.com
VirtualBox and VMware Player updates
Pretty good synchronization getting these updates out guys!
First up, VirtualBox 4.1.20 is out.
- Oracle releases VirtualBox 4.1.20 - BetaNews review by Nick Peers.
- Download VirtualBox 4.1.20 - FileHippo.com - (sometimes faster)
- Oracle VM VirtualBox - Download from Oracle
- Changelog – Oracle VM VirtualBox
Next, VMware Player is rolled up to v5.0 with some significant changes.
- Download VMware Player 5.0 - Get it from VMware direct, or..
- Download VMware Player 5.0.0 - FileHippo.com
- VMware Player 5 Release Notes
- VMware releases Workstation 9, Fusion 5 and Player 5 - BetaNews
- VMware Player 5 hands-on - Borns IT & Windows Blog (Google Translated)
For VirtualBox, be sure you download and upgrade your Oracle VM VirtualBox Extension Pack at the same time, since the pack version must match the VirtualBox version. Likewise VMware users should also be sure to install the latest VMware Tools in each VMware guest OS for peak performance.
Defrag Tools Video
Defrag Tools - Microsoft Channel 9 - neat source for fresh reviews of MS tools and techniques now has two more quality videos up.
Update those Browser Plugins!
I’m thinking I’ve put in close to three hours this past week updating our home systems as well as Dad’s system to ensure they have the latest Flash/Java/etc. updates.
There are lots of places and ways to download and get the updates; inside app updaters, direct from the software builder’s site, or from third-party locations like filehippo or majorgeeks.
I generally tend to just rock over to filehippo and pull them down. I suppose there is a risk they could have been corrupted or “seeded” with unwanted bits, but so far I’ve not had any problems and their Plugins Downloads page makes nice “one-stop” shopping.
At work it is hard keeping up with what “build” version we need to upgrade these to as for Flash there are both 11.3.x and 11.4.x versions which may cause problems for certain in-house software applications if compatibility is not verified first. However, most home-users should probably be on the 11.4.x run right now.
Likewise there are both Java 1.6.x builds and 1.7.x build branches. Again, most home-users should probably be on the 1.7.x builds.
- Download Shockwave Player - FileHippo.com
- Shockwave Player - Adobe.com
- Download Flash Player 11.3.300.271 (IE) - FileHippo.com
- Download Flash Player 11.3.300.271 (Non-IE) - FileHippo.com
- Download and install the latest Flash Player version - Adobe.com
- Web Player Download for All Operating Systems - Adobe.com
- Download Java Runtime Environment - FileHippo.com
- Java Downloads for All Operating Systems Version 6 Update 34 - Java.com
- Java Downloads for All Operating Systems Version 7 Update 6 - Java.com
Regardless, once you are done with your patching, hop your Windows IE, Mozilla Firefox, and Google Chrome browser(s) over to Qualys BrowserCheck and run a quick free check to make sure they are sufficiently patched.
Additional Browser Notes
In my recent post Greased Monkey Business I celebrated the joy of finally finding a custom Greasemonkey script I could use that would justify adding it to my Firefox browser: Removing UTM data from URLs automatically for cleaner bookmarks. It has been a lifesaver to my blogging work.
So this past week I gave a second banana to the Monkey; Scrub Google Redirect Links for Greasemonkey from “ping”.
Check out this MakeUseOf post that goes into the details: How To Copy Crap-Free URLs From Google’s Search Results
Comodo IceDragon 14.0 released -- get it NOW! - BetaNews notice of the Comodo tweaked Firefox 14 browser release. (actually it is version 14.0.3). Direct download is available from this Comodo forums link: Comodo IceDragon ver. 14.0.3 is now available for download!!
BrowsingHistoryView - Nirsoft - Version 1.0 new utility release to view browsing history of all your web browsers. Nir Sofer has been offering browser-specific utilities to view browsing history, but this gem covers the four major ones at once: Internet Explorer, Mozilla Firefox, Google Chrome, and Safari. New Web browser history viewer - NirBlog
NetworkMiner 1.4 Released - NETRESEC Blog - New release improves handling of fragmented IPv4 packets. Hurray! Also no longer checks for pcap extension; works as long as it is a valid libpcap file, DHCP options are extracted, new parser for a particular protocol. There are also some nice GUI improvements.
Trace File Case Files - Sharkfest 2012 (by Jasper Bongertz) - video presentation of using Wireshark to trace out real-world problems and solve them.
Notes for the Sysadmins
Simple but Extremely Useful Windows Tricks - Open Security Research - Nice list of handy Windows tips.
Why The Size of My Partition is Maxed Out at 2 Terabyte and How to Get Over it - Windows7hacker. Just guided Dad through adding a second internal HDD to his Vista system. He’s getting into digital photography and while he has lots of room left on his OEM primary HDD, adding a 2nd drive gives him an exclusive place to drop the files. I guess we could have gone with an external USB drive, but the internal was faster in the long run for large file transfers. Talked him into a 7200 RPM 1TB SATA drive. With some guidance got him to get it successfully installed. Then via a quick remote-control session, got it formatted, labeled, and added to the OS fine. Considered going for a 2+TB drive for a few more bucks, but this was easy enough. Next time I will have to follow the link tippage and set up a GPT disk if the conditions warrant.
Microsoft updated SkyDrive.com - Borns IT & Windows Blog (Google Translated) - Nice review of the new SkyDrive updates.
Password hints easily extracted from Windows 7, 8 - Ars Technica
All Your Password Hints Are Belong to Us - SpiderLabs Anterior
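Both posts are about the same weakness: the text a user types into the “password hint” box is stored in the clear in the SAM hive next to the account, so anyone who can read the hive gets it for free. As an added example (my own PowerShell, not code from either article or anything shipped with Windows), this function walks the per-RID subkeys, pulls the account name out of the V structure and decodes the UserPasswordHint value. It assumes the hive is readable: on a live system that means running as SYSTEM (for instance via psexec -s), and for an offline SAM file it assumes you have loaded the hive with reg load and pass that key root in; the key layout used is the standard SAM layout.

```powershell
# Added example, not from the original post. Decode the plaintext password
# hints Windows keeps in the SAM hive for every local account.
# Assumes: the SAM key is readable (run as SYSTEM on a live box, or point
# -UsersKey at an offline hive loaded with 'reg load').
function Get-SamPasswordHint {
    param(
        # Live hive path; for an offline copy loaded as HKLM\SAMCOPY use
        # 'HKLM:\SAMCOPY\SAM\Domains\Account\Users'.
        [string] $UsersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'
    )
    Get-ChildItem -Path $UsersKey -ErrorAction Stop |
        # One subkey per account, named by the RID as 8 hex digits (e.g. 000001F4
        # for the built-in Administrator). This also skips the 'Names' subkey.
        Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |
        ForEach-Object {
            $rid  = [Convert]::ToInt32($_.PSChildName, 16)
            $v    = $_.GetValue('V')                  # REG_BINARY account record
            $hint = $_.GetValue('UserPasswordHint')   # REG_BINARY UTF-16LE, absent if no hint set

            # In the V record the account name is described by a DWORD offset at
            # 0x0C (relative to the 0xCC-byte fixed header) and a DWORD length at 0x10.
            $nameOffset = [BitConverter]::ToInt32($v, 0x0C) + 0xCC
            $nameLength = [BitConverter]::ToInt32($v, 0x10)

            [pscustomobject]@{
                RID      = $rid
                UserName = [Text.Encoding]::Unicode.GetString($v, $nameOffset, $nameLength)
                Hint     = if ($hint) { [Text.Encoding]::Unicode.GetString($hint).TrimEnd([char]0) } else { $null }
            }
        }
}

# Live system (must be SYSTEM, e.g. launched via 'psexec -s powershell.exe'):
Get-SamPasswordHint | Where-Object Hint | Format-Table -AutoSize

# Offline image (E:\ is the mounted evidence/disk, placeholder path):
#   reg load HKLM\SAMCOPY E:\Windows\System32\config\SAM
#   Get-SamPasswordHint -UsersKey 'HKLM:\SAMCOPY\SAM\Domains\Account\Users'
#   reg unload HKLM\SAMCOPY
```

The UserPasswordHint value is plain UTF-16 text with no hashing or encryption, which is the whole point of the two articles. For forensics work it is a cheap artifact to grab alongside the hashes from an offline SAM; for defenders, the only real fix is a policy that hints never contain the password itself or a fragment of it.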
A Fistful of Dongles: AFoD Interview with Eric Zimmerman - A Fistful of Dongles - Eric Huber interviews F.B.I Special Agent Eric Zimmerman. Great article (and Eric wears a mean flat-top to boot!). Many years ago I had applied to the F.B.I. hoping for a career there following in the steps of my grandfather who was a former Special Agent under Hoover. Alas…it was a path not to be.
ShellBag Analysis - Windows Incident Response Blog
SetRegTime - Windows Incident Response Blog
Linkz for Tools - Journey Into Incident Response Blog - Corey Harrell has some good info in this post, particularly for tipping us time-challenged guys to the Time Zone Converter – Time Difference Calculator and Time Zone Map. Also valuable is the final section “Process, Process, Process” which strikes home the critical value of knowing in advance HOW you are going to do exactly WHAT it is you want to accomplish; supporting examples include links to the Forensic Process Lifecycle (PDF) from Lance Mueller at ForensicKB, the previously GSD-blogged SANS DFIR Poster 2012 (PDF) download, and Corey’s own Journey into IR Methodology scratchpad.
Man versus AntiVirus Scanner - Journey Into Incident Response Blog - Corey shows off the value of having skillz, technique, and a rock-solid process in a John Henry-esque race against an anti-malware scanner. Really a great tutorial and exercise.
Registry Decoder 1.4 Released and Updated Registry Decoder Live - New versions are available. I noticed that in the past separate downloads were available for 32-bit and 64-bit, however I don’t see that in this release. I’ve not followed up yet to see if the newer version handles both automatically or not.
Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images - Forensic Focus. ForenicsRichard has also released the Shell (Bash) and C Source code as well.
Finding Smoking Gun and going beyond that – Helpful Forensic Artifacts - Hexacorn blog - another strong article supporting the previously mentioned theme of having a process to use when looking for clues, which here are referred to as HFAs (Helpful Forensic Artifacts) that guide the overall investigative and analysis journey and discovery.
The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1) - Mandiant M-unition blog
The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2) - Mandiant M-unition blog
Change the Windows Logon Screen Background - CybernetNews tips us to Luke Payne Software » Logon Screen Rotator. While I do rotate my Win 7 desktop login picture periodically (right now it is Tardis based), generally I keep it stable. This is a cool tool however for those who like a bit more variety.
Organize & Manage Huge Photo & Video Databases Using Snaps - AddictiveTips reviews the Snaps - Photo management application.
Microsoft Reimagines Paint - Next at Microsoft - New “version” of the perennial “Paint” app. (Win 8 only).
Tip o' the Week #133 - The Art of Cut n' Paste - The Electric Wand