The short weekend is done. The “Sandy Watch” is on for what could be -- for our northeastern friends -- a storm event to be remembered for many years to come. So comes a pile of security/forensic and utility-minded links spill out below for the curious and information hungry.
Forensics and Security
Girl, Unallocated: Be Very Quiet... I'm Tracking Emails Through Headers - Girl, Unallocated Blog. The Girl has a great post looking at email headers and their bits and perils. One gem is a report (PDF) from Stroz Friedberg and a particular focus on email headers. The report as a whole is a great read and again provides a lesson in technical report writing and presentation as well as some forensics pushback on anti-forensics techniques. At 102 pages, it isn’t a brief, but well worth the time to download and study.
The Girl’s post reminded me of another great publicly-available report that addressed emails in a forensic investigation. In my GSD post Interesting Malware in Email Attempt - URL Scanner Links, I wrote the following bits at the end:
A recent Digital Forensics Case Leads post has mention of a super-fantastic investigation/forensic report involving anonymous emails. This is must-read material, not just in terms of the investigative methodology but also the way the report was composed and presented. Very clearly done! I’m keeping a saved copy of the report for future reference; both technically and as a report template. From the post via the link above:
“University of Illinois recently released a detailed investigation report (PDF) regarding anonymous emails allegedly sent by its Chief of Staff to the University's Senates Conference. The report is an interesting read, and also serves as a potentially useful model for those looking for report samples and templates.”
How a Google Headhunter's E-Mail Unraveled a Massive Net Security Hole - Threat Level @ Wired.com. I almost overlooked Kim Zetter’s post on how Mathematician Zach Harris -- as an exercise -- discovered a flaw in some providers user of a weak DKIM key to sign emails originating from them. Fascinating and short read.
DEFT 7.2 and DEFT english manual, ready for download! DEFT Linux - Computer Forensics live cd . New DEFT version out. Last one in x32 bits. Future versions will be strictly x64 flavored.
Xplico – Xplico 1.0.1 - Xplico new version release just dropped. From the brief post:
- nDPI integration
- performace improved
- FTP dissector improved
- Added the prism dissector
- CLI execution bug fixed
- PCAP-over-IP SSL encryption
- IRC dissector improved
- File reconstruction from Fragmented Payloads improved
- FaceBook Chat updated
- FaceBook Message (partial)
- HTTP without initial packets (packets lost)
- RTP dissector improved
- PCAP2WAV, RTP2WAV interface added
And don’t forget! Now you can update/get via apt-get! for Ubuntu 11.04 and higher. Sweet!
sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" >> /etc/apt/sources.list'
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico
LastActivityView - Nirsoft brand new utility! - Use this new tool to view the latest computer activity in Windows operating system. Nir Softer has some more details on his NirBlog: New utility that shows general computer activity. Could be useful for incident response and analysis and other “quick peeks” for key system activity indicators to narrow down the search.
FileAlyzer Portable 22.214.171.124 (detailed file analyzer) Released -PortableApps.com
Hacking KeyLoggers - Open Security Research has a great post that not only identified a USB keylogging device, but takes it to the next level in hacking it to determine the impact of the device and when it might have been dropped. Clever stuff.
Attacking TrueCrypt - The H Security: News and Features. Another interesting post that almost slipped by me. Interesting by itself but also shows the benefit of using “cascaded algorithms” in TrueCrypt to thwart current attacks…for now.
Restoration of defocused and blurred images - Yuzhikov.com. This is super cool. Vladimir Yuzhikov hasn’t just done a proof of concept for de-fuzzing blurred imaged (either out of focus or those blurred with a mathematical algorithm), no, he has actually released a free Windows app to demonstrate the possibilities. Besides images, text that is out of focus can be unblurred as well. This is very fascinating and could assist investigators facing images and other digital files with blurred faces or content. It’s not exactly easy or guaranteed to work, but it is very promising start and Vladimir notes he is continuing development and refinement. Read his work please and snag the download.
Google Drive opens backdoor to Google accounts - The H Security: News and Features . Quoting from the post, “The Windows and Mac OS X desktop clients for Google's Drive file storage and synchronisation service open a backdoor to users' Google accounts which could allow the curious to access a Drive user's email, contacts and calendar entries.” read the post for more info. As usual it seems to be a convenience versus security trade-off again. Choose your cake wisely. I stick with using only the web interfaces and pass on the client versions of these cloud-based storages services…for now.
The TinyApps bloggist has been hard at work digging out great tips and techniques for importing the virtualized “Windows XP Mode” into popular virtualization software. As always, the posts are impeccable with lots of details and supporting source documentation for additional study and research.
- Import Windows XP Mode into VMWare Player - TinyApps.org blog
- Import Windows XP Mode into VirtualBox - TinyApps.org blog
- Must-have tool for VirtualBox users - TinyApps.org blog.
Oracle VM VirtualBox - Version 4.2.4 just dropped…by the way. I almost missed it were it not for my RSS feed filters. See the changelog for more details. And be sure to grab the 4.2.4 VM VirtualBox Extension Pack as well.
How to run Microsoft’s IE VPC images in VirtualBox
ievms - Automated installation of the Microsoft IE App Compat virtual machines
Browser Plugin Update Time…Again.
Yes dear readers, it is “Jack and Jill” time again. Bother.
Adobe Shockwave got updated, as of this post, the newest (Windows) version of Adobe Shockwave is currently 126.96.36.1998.
- Adobe - Adobe Shockwave Player - direct download
- Adobe - Security Bulletin: APSB12-23 - Security updates available for Adobe Shockwave Player - Adobe
- Adobe patches 6 critical security flaws in Shockwave - ZDNet
- Adobe fixes critical Shockwave vulnerabilities - The H Security: News and Features
Adobe Flash was updated as well. Newest (Windows) version is currently 11.4.402.287.
- Adobe - Flash Player - version information
- Adobe releases 25 critical Flash patches - The H Security: News and Features
- Adobe - Security Bulletins: APSB12-22 - Security updates available for Adobe Flash Player - Adobe
Java also got a quick update to both build versions. Windows Java updates are available in 1.6.0_36 and 1.7.0_09.
- Java SE 6 Update Release Notes - Oracle
- Java SE 7 Update Release Notes - Oracle
- Java SE Downloads - Direct download
Trying to figure out if all your browser plug-ins are current can be a super-pain for the inexperienced and geekless.
My go-to recommendation remains to pop over to Qualys BrowserCheck in each of your installed web-browsers, be it Chrome, Windows IE, or Firefox. Alas, Opera, Safari, and other browsers are not currently supported, however a check in one of the supported browsers may quite likely uncover a outdated plug in, patching it may fix the others in the process. For a backup check, hope over next to The Secunia Online Software Inspector for a second opinion.
If you want a good all-in-one location to manually download your plugs, check out Browsers and Plugins Downloads over at FileHippo.com.
Utility and SysAdmin Finds of the Week
Defrag Tools: #13 - WinDbg - Defrag Tools @ Channel 9. New video on Sysinternals tool usage; specifically integrating Debugging Tools for Windows.
Case of the CertUtil Import Refusing The Correct Password - chentiangemalc. Great practicum post on troubleshooting a strange password error where the password was correct but not being taken.
SpeedyFox - Boost Firefox,Skype,Chrome,Thunderbird in a Single Click! - CRYSTALIDEA Software . It has been forever…like dinosaurs roaming the earth eras ago…since I last saw any post anywhere on speeding up a pokey Firefox browser by “optimizing” the JSON databases. This is a dead-simple process to improve launch-time for a well-used Firefox browser. It’s been months since I last optimized mine. When I went to run SpeedyFox, my favorite tool to do so, I wondered if there had been an updated release. My version was at least a year old. Happily I found there was a newer version, and that it now supports optimizing Chrome-based browsers as well. It remains available as a free edition. Current version is 2.0.3 but while I was sleeping, the developers have been adding support for Skype, Chrome (including SRWare Iron and Pale Moon), Mozilla Thunderbird, and Firefox (including Epic Browser). There is a Mac version (Firefox only) also.
If you use Firefox/Chrome/Thunderbird, stop, drop and run right now! Did I mention it supports custom paths to your browser profiles so you can optimize portable versions on your drive/disks? Sweet baby Jebus!
CR2 Converter - I shot a lot of photos for Lavie and her family last weekend with the Canon 5D Mark II. Pops asked for copies and when I was getting ready to pass them off, I realized I had not changed the setting from “RAW” only to RAW+JPEG. So I had over 300 digital images in RAW .cr2 format that his computer cannot read and that are not really a practical format for him anyway to use. Sure, I could batch-convert them in Lightroom/Photoshop, but I really just needed to get them quickly on a CD for him. I have more than a few RAW freeware tools for tweaking individual RAW file images but that was too time-consuming to use. Luckily, with just a bit of Google diving, I found the freeware Canon RAW Image Converter “CR2 Converter”. It supports batch-conversion and did an acceptable job for this task. My i7 x64 8 GB RAM system chewed through converting the files in no-time. To my eyes the resulting images were a bit lightly purple-tinted…not bad or unpleasant but definitely noticeable when compared to the RAW file. Nothing that some simple color correction can’t fix if really important. For Pops it wasn’t but YMMV. I wouldn’t use it everyday for batch processing but for quick-n-dirty RAW .cr2 to JPEG/JPG/GIF/BMP/PNG/TIFF conversions it is a super time-saver. Tuck it away for when needed in a pinch.
Cheers and hopes and prayers for the very best across the north-east seaboard as Sandy rolls in.