Sunday, March 09, 2014

Security Watch Quickpost

Last but not least, here is a roundup of interesting for/sec posts.

Hiding in plain sight: a story about a sneaky banking Trojan - Malwarebytes Unpacked

Sunsets and Cats Can Be Hazardous to Your Online Bank Account -  Security Intelligence Blog | Trend Micro

Tools for Analyzing Static Properties of Suspicious Files on Windows - SANS Digital Forensics and Incident Response Blog

Is OllyDbg Version 2 Ready for Malware Analysis? - SANS Digital Forensics and Incident Response Blog

(IN)SECURE Magazine issue 41 released - HelpNet Security blog

More Tracking User Activity via the Registry - Windows Incident Response blog

Reconstructing Data Structures - Windows Incident Response blog

Exploring Windows Error Reporting - Journey Into Incident Response

Windows 8 Prefetch 101 - Invoke-IR | PowerShell Incident Response blog

Beyond good ol’ Run key, Part 8 - Hexacorn Blog

Post-Snowden Forensics - Forensic Methods

Repurposing Network Tools to Inspect File Systems - repurposing-network-tools-inspect-file-systems-34517 (PDF file link) - SANS Reading Room whitepaper. Very interesting thinking.

Pineappling all the things in Utah - Troy Hunt’s blog


--Claus Valca

Boot Me: LiveCD’s/WinPE/WinFE and other things…

Quick-post for the offline system booting and LiveCD/USB-booting crowd.

“One of our goals when developing Kali Linux was to provide multiple metapackages that would allow us to easily install subsets of tools based on their particular needs. Until recently, we only had a handful of these meta packages but we have since expanded the metapackage list to include far more options:

  • kali-linux
  • kali-linux-all
  • kali-linux-forensic
  • kali-linux-full
  • kali-linux-gpu
  • kali-linux-pwtools
  • kali-linux-rfid
  • kali-linux-sdr
  • kali-linux-top10
  • kali-linux-voip
  • kali-linux-web
  • kali-linux-wireless

“These metapackages allow for easy installation of certain tools in a specific field, or alternatively, for the installation of a full Kali suite.”


--Claus Valca

News for the Sysadmins

Here is a quick-post for sysadmins in the crowd.

RELEASE: Office 2013 Service Pack 1 - Kurt Shintaku's Blog

How to force Office 365 to upgrade to Service Pack 1 - BetaNews blog

Microsoft releases fix for Windows Update corruption errors - ZDNet

Fix Windows Update corruption errors such as 0x80070002 and 0x80070057 - Microsoft Support

Description of Software Update Services and Windows Server Update Services changes in content for 2014 - Microsoft Support

Fix it tool available to block Internet Explorer attacks leveraging CVE-2014-0322 - Security Research & Defense blog

Fix problems that programs cannot be installed or uninstalled - Microsoft Support - I mentioned this tool in a previous GSD post but at the time hadn’t deployed it yet. It gives you the option either to deploy it to the system at hand or to run it in a “portable” mode you can carry with you. When you run the tool it presents a menu from which you can select the category of issue you are running into, as well as a more detailed sub-listing of specific issues to pick from. Once selected, it will deploy the possible fix for the issue.

Sadly, it was no help to me in my repeated failures to get IE 10 or IE 11 installed on the church-house Win 7 x64 bit PC’s. It keeps failing with cryptic error messages that the required updates are not on the system, but even laboriously manually downloading and installing the documented IE 10/11 prerequisites results in the same failure.

INFO:    Setup exit code: 0x00009C57 (40023) - Prerequisites failed to install.

I’ve spent a lot of time picking through the IE 10/11 update log file (IE11_main.log) generated and cross-matching it with the log from a system that had a good/successful install, but despite everything so far, the IE 10/11 upgrades just keep failing. I’m not alone in this issue. That will be a post for another day, though…  And I haven’t done a Process Monitor trace file capture yet either…speaking of…

[Aaron Margosis will] be on Defrag Tools (Channel 9) - Aaron Margosis' Non-Admin, App-Compat and Sysinternals WebLog. This one sounds exciting:

We talked about the upcoming Sysinternals book I'm writing with Mark Russinovich, and demonstrated a very cool "App Install Recorder" built with Process Monitor and some PowerShell scripts.

The episode will go live next Monday, March 10, at 9:00am Pacific Time.


--Claus V.

For the iOS crowd

A few nights ago, I came home from work and Lavie was quite frustrated with her iPhone.

She had heard a local news story about how the iPhone can track the user and how to disable the feature…only she couldn’t find the news story on the station’s web-site despite their comment.

I was familiar with a number of “feature” settings that could conceivably track and “spy” on your iPhone usage habits and personal travels, but none of those seemed to satisfy Lavie’s understanding of the news story.

Took me a few days but I finally tracked it down for Lavie:

The applicable part was this bit in the story:

“On an iPhone, it’s a bit more complicated. Just go to ‘Settings’, click ‘Privacy’, then select ‘Location Services’, scroll down to ‘System Services’, that’s where you find ‘Frequent Locations’. Just turn that feature off.”

The news story wraps a lot of drama around the issue but it certainly succeeded in getting Lavie’s attention.

I also found these new-to-me reports of other iOS security concerns.

And by the way…

Dad?  These links are for you and that iPad.  I’d say you could blame it on the cats but you don’t have any pets in the house…


--Claus Valca

PSA: Adobe Patch recently came out, again

File under the been there, done that, thought I would need to wait but had to do it again category…

From mid-February,

--Claus V.

More PCI pains

In a non-binding informal survey of family and friends these past two weeks, almost everyone polled reports they are fed up with having to have their bank/credit cards replaced.

Previous soap-box posts from this GSD blog:

Now even more reports are rolling in of these types of PCI hacks.  It was bad enough that consumers had to be on the constant lookout for malware on their own systems that could steal their account information, then there are the ATM skimmers we have to watch out for, and now these bad-boys lurk even within a merchant’s own POS systems and network.

And even when notified by their own bank, now customers are doubly confused and hesitant if the call is legitimate or another social-engineering-hack-attack playing on the public fears and news reports.

When we got a similar call on the voice-mail last week, Lavie didn’t even bother writing down the call back number left (good girl!). Instead she pulled out our local bank branch contact information and went directly to the source.  Yep it was legit -- another merchant we shopped at also got hit in a breach similar to Target’s. Yep, more card replacements on the way; again.

A few simple searches on Google will demonstrate the bank card industry has been wrestling with these issues for a long time. Only previously, it seems the scale of the problem had been small enough to fly under the general public consciousness radar. With Target it was so big and touched so many that the barn doors were flung wide open and the cows were in the corn for everyone to see. Now we see shadows behind every merchant’s POS system.

The battle between the fraud perpetrators and the security pros ratchets up a few more notches. It’s the new cold-war baby…oh, wait…I hear that’s starting up again as well. I guess I need to start watching “The Americans” on FX to get prepared again.

For more reads on the topic; both breaches and proposed solutions to get the cows back in the barn…


Claus Valca

Microsoft EMET 5.0 Technical Preview released

I’ve been running the Microsoft Enhanced Mitigation Experience Toolkit (now at version 4.1) for some time on all our home systems.

So with news of new threats that seemed to successfully bypass the EMET protections…

…I was excited to see that a new “technical preview” release of EMET 5.0 was available.

Now I’ve been running EMET since at least back from June 2013, and have seen or heard nary a peep from it.  I’m not complaining. That’s a good thing. I’m just running it with the standard default settings selected at installation.

Strangely enough, this weekend, using EMET 5.0 TP I saw my very first alert occur!

For whatever reason, when I use Internet Explorer 11 I find that this EMET 5.0 TP version is particularly active spotting and blocking potential gotcha’s.

I can’t wait to see what the final EMET 5.0 will do when it finally comes out.

…an ounce of protection…


Claus Valca.

New and Updated Software

Here are some new and updated software listings from this week:

Wireshark - Now out in 1.10.6 (Stable release) and 1.8.13 (Old Stable release).

Wireshark · Wireshark 1.10.6 Release Notes

Updates: Process Explorer v16.02, Process Monitor v3.1, PSExec v2.1, Sigcheck v2.03 - Sysinternals Site Discussion blog

OpenedFilesView - Nirsoft - I normally only mention new NirSoft tools, but this older application release is noteworthy as Nir Sofer reports he found he does have a valid digital signature he can use with it, so you won’t need to run it on 64-bit systems in driver signing test mode any longer. Sweet!

Apparently, Windows Live Writer got a stealth version bump to 16.4.3522. I first spotted it via this FileHippo mirror link: Download Windows Live Writer 16.4.3522

Trying to find comprehensive release notes on any of the Windows Live Essential applications is a nightmare. However I did eventually track down this page which seems better than nothing: Windows Live Essentials release notes

ImageCacheViewer - v1.00 - NirSoft - New free utility from Nir Sofer to “view images in the cache of your Web browser.” Some more details in this BetaNews post: Browse your IE, Firefox and Chrome caches with NirSoft’s ImageCacheViewer

Finally, the Oracle VM VirtualBox platform got an update. It is now sitting at version 4.3.8-92456.

Happy updating.

--Claus Valca

All Kinds of USB Cloning Challenges…

Part one of this story…

One of the duties I have in the shop is to take an image of a bootable USB master stick we get and clone that image to our team’s USB sticks for a project.

We then use that USB to image our systems.

In the past I have requested purchase of a dedicated USB duplication device such as this Aleratec 1:10 USB 3.0 Copy Cruiser Mini Duplicator. It’s a very cool tool and has some good supporting software and can handle a lot of concurrent image restorations efficiently.

That never passed through the approval process so I’ve been left with using a poor-man’s solution.

First, find a good multi-port USB hub. They are pretty inexpensive so you could get a bunch. I particularly like these as the capacity is high with 10 USB ports.

You can find some with up to 25 USB ports if you search deeply enough.  What I liked about these were that the ports seem pretty widely spaced to allow for oversized USB stick cases. That isn’t always the case.

Tip: If you pick up ones with the ports too closely spaced, then you are left either not using all the ports due to clearance issues or having to pick up a bunch of 1.5ft USB 2.0 A Male to A Female Extension cables to get them all plugged in with the clearance issue worked around.

OK. Now that the hardware is set up, the imaging software.

There are a lot of free USB imaging tools out there.

For one-off imaging work I prefer to use Alex’s USB Image Tool. It can capture an image, it can restore an image, you can take a full device image or a partition image.  What I really like is that it also provides additional details about the device such as the serial number and other coded information. That’s helpful if you want to log each device for tracking.  However I don’t find it quite as well suited for restoring the same image to multiple sticks concurrently.

Instead I like to use the free PassMark Software ImageUSB utility.

It captures a BIN file format of the entire USB device (rather than the partition).

And it can restore the image concurrently to as many USB sticks as you want with nary a fuss or hiccup.

It doesn’t give you the same amount of device details (serial numbers/etc.) that the USB Image Tool does, but that’s why having a few different tools in your toolbox is helpful.

So here’s the recipe for the poor man’s multi-USB duplicator:

Use ImageUSB to capture your USB stick to an image file.

Connect up your multi-port USB hub(s) as needed to your system.

Plug in your target USB drives to the hub ports.

Use ImageUSB to write your USB image to the USB sticks.


Important Note: The capacity of the USB sticks you are putting the image onto needs to be either equal to or in excess of the capacity of the original “master” USB stick. If not, you will either end up truncating your image and risking data loss, or (depending on the software) it won’t write the image at all.

This is important because not all USB sticks that claim the same “X” capacity actually have the same amount of accessible space on them. That leads us to…

Part 2 of this story.

See, the above process has been rolling on quite well for some months now.

Only we needed more USB sticks for each team-member to carry with the same image build to hike up multi-tasking efficiencies.

And the purchaser ended up selecting and buying USB sticks that were a different model/make.  Even though they were both USB 3.0 sticks, and even though they were both “64 GB” capacity sticks, when I went to put the image taken from the original stick model on the new one, the accessible capacity of the second USB stick was enough lower that I could not safely or confidently put the image on it without risking truncating the image/data in the process.

That’s not good.

So this is what I ended up doing on my x64 bit Win 7 system…

(Method 1)

I first captured an ImageX (file-based) image of one of my larger cloned USB sticks.

I used the x64 version imagex binary as found in the latest Windows Assessment and Deployment Kit (Windows ADK) (GSD blog link).

Depending on your drive letterings, the command-line may vary but the basic structure is thus:

imagex /capture E: c:\temp\USB_Image.wim "USB Image base"

where “E:” is the USB drive letter and “C:” is my local system hard drive.

This captured all the files on the (larger 64 GB) USB drive into a WIM format image.

Then I removed my larger master USB stick.

I then connected the other (smaller 64 GB) USB drive to my system.

And did this from the command line window.



note: this was to confirm which disk number the USB drive was showing at…in this case the USB stick was disk 1 as my system disk was disk 0. Be sure you get this part identified correctly or bad things can happen! Your system will almost certainly vary!

>format E: /fs:ntfs /q /y

note: at this point I have a freshly formatted (smaller) USB stick that is empty. Next I need to make it “bootable” so the USB stick will work as designed for system booting/imaging after the files are restored. I used the bootsect.exe tool to do this. You should be able to find it under the Windows ADK that you probably installed to get to this point to first have snagged imagex.

> bootsect /NT60 E:

note: now it is a “bootable” USB stick we need to put the files back on it again with the imagex utility.

imagex /apply c:\temp\USB_Image.wim 1 E:


At this point I now have the original USB file sets from the larger bootable USB stick ported over to the smaller (also now bootable) USB stick.
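As an added example (not from the original post, and not part of ImageX, ImageUSB or any other tool named here), the following PowerShell wraps the Method 1 steps with the two checks the post warns about: that the drive letter really belongs to a USB disk other than the system disk, and that a device image is not larger than the target stick. The drive letter, image paths and the assumption that imagex.exe and bootsect.exe are on PATH are mine.

```powershell
# Added example, not from the original post: pre-flight checks wrapped around the
# Method 1 steps (format, bootsect /NT60, imagex /apply). The drive letter, image
# paths and the assumption that imagex.exe and bootsect.exe are on PATH are mine.
param(
    [string]$Target   = "E:",                      # letter of the smaller target stick
    [string]$ImageWim = "C:\temp\USB_Image.wim",   # file-based image from imagex /capture
    [string]$ImageBin = "",                        # optional ImageUSB device image, for the size check
    [switch]$DryRun                                # print the destructive commands instead of running them
)

# Resolve a drive letter to its physical disk via WMI (available on Windows 7 and later).
function Get-DiskForLetter([string]$Letter) {
    $part = Get-WmiObject -Query ("ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$Letter'} " +
                                  "WHERE AssocClass=Win32_LogicalDiskToPartition")
    if (-not $part) { throw "No partition is mounted at $Letter" }
    Get-WmiObject -Query ("ASSOCIATORS OF {Win32_DiskPartition.DeviceID=`"$($part.DeviceID)`"} " +
                          "WHERE AssocClass=Win32_DiskDriveToDiskPartition")
}

$Target  = $Target.TrimEnd('\').ToUpper()
$disk    = Get-DiskForLetter $Target
$sysDisk = Get-DiskForLetter $env:SystemDrive

# Guard 1: the letter must sit on a USB-attached disk that is not the system disk.
# This is the "be sure you get this part identified correctly" step from the post.
if ($disk.InterfaceType -ne 'USB') {
    throw "$Target is on disk $($disk.Index) ($($disk.InterfaceType)), not a USB device"
}
if ($disk.Index -eq $sysDisk.Index) {
    throw "$Target shares disk $($disk.Index) with $env:SystemDrive; refusing to format it"
}

# Guard 2: an ImageUSB device image larger than the target would be truncated on write,
# which is exactly the capacity problem that forced the WIM route in the post.
if ($ImageBin -and (Test-Path $ImageBin)) {
    $binBytes = (Get-Item $ImageBin).Length
    if ($binBytes -gt [int64]$disk.Size) {
        throw ("Device image is {0:N0} bytes but disk {1} only has {2:N0}; use the WIM route" -f
               $binBytes, $disk.Index, $disk.Size)
    }
}

Write-Host ("Target {0} = disk {1} ({2}), {3:N1} GB, USB" -f $Target, $disk.Index, $disk.Model, ($disk.Size / 1GB))

# Method 1 steps, in the order the post gives them.
$steps = @(
    "cmd /c format $Target /fs:ntfs /q /y",
    "bootsect.exe /NT60 $Target",
    "imagex.exe /apply `"$ImageWim`" 1 $Target"
)
foreach ($cmd in $steps) {
    if ($DryRun) { Write-Host "[dry-run] $cmd"; continue }
    Write-Host "Running: $cmd"
    Invoke-Expression $cmd
    if ($LASTEXITCODE -ne 0) { throw "Step failed with exit code ${LASTEXITCODE}: $cmd" }
}
```

Run it once with -DryRun to see which disk number the letter resolves to before letting it format anything.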

I then used ImageUSB to capture a fresh (and smaller) device-based image file of that USB stick.

I then wrote that image to all of the smaller USB sticks.

Done and they all worked just like their bigger brothers.

Now I have two image files to use depending on the target drive’s capacity.

Had the original image been from the smaller drive then I could have put it on the larger drive with no worries or concerns as I would not have faced data truncation in that instance. If the tiny bit of capacity difference mattered, I could have used something like gparted to then expand the partition to take in the remaining unused capacity.

But if you don’t want to do all this stuff, there was another path I could have taken (I’m not sure it was any less work though).

(Method 2)

In this path, I would have first taken a volume-based image of the larger USB stick using the USB Image Tool.

This doesn’t get me any of the magic code that makes the device bootable, just captures all the partition files instead of using ImageX.

Then I would have removed the master stick, placed in the smaller target stick, still done the whole DISKPART & format & bootsect steps in method 1.

Then I would have used the USB Image Tool to put the volume image back on the USB stick.

Then I would have captured the device image using the ImageUSB utility, and used it to put that image on the remaining (smaller) USB sticks I needed to clone.

Lesson to be learned?

Well, not all 64 GB USB sticks are the same. And if you have a big project that requires cloning a lot of USB drives, it might be wise to stick with the same exact USB make/model/capacity for the project to avoid having to create multiple images to handle the different stick capacities.

Bonus Tip:

Once you have the image file captured, if you don’t want to plug in your USB stick but want to reference the files/structure in it, you can use any of a number of tools to mount that image for review:

The WIM file can be handled in any number of ways with Windows tools and utilities. Most are fun and geeky. But for a fast, no-fuss solution, PeaZip can open/extract WIM files with no problem.

If you have a BIN or IMG image file, then you have some other options as well.

OSFMount - PassMark Software, maker of the ImageUSB utility we have been discussing, also has a free tool that handles mounting (and some manipulation) of all kinds of image files.

It is based on the ImDisk Virtual Disk Driver coded by Olof Lagerkvist.

There is also the amazing Gizmo Drive software that is free and handles mounting of a crazy-wide number of image file formats.

Then there is my other long-time favorite virtual drive mounting tool; SlySoft Virtual CloneDrive.

Happy USB cloning!

Claus Valca

03/11/14 post update -- Correction made to references. PassMark Software is maker of ImageUSB utility. Previously had noted it was OSForensics, which is their URL and also the name of their free/$$ multi-feature computer forensics application. Credit to Steve Si for catching my error and alerting me.

Also, check out Steve Si’s timely post Bulk duplication of USB drive images over at his RMPrepUSB, Easy2Boot and USB Booting… blog. Steve goes into great detail about the differences in storage capacity that can be found, even between the same USB devices from the same maker.  He also includes a tutorial on using his RMPrepUSB tool to handle the image capture portion rather than relying on some potential gotchas that lurk with using the ImageUSB tool. Check it out and his comment to this post below.

Quick free PSD file access

On my home system I am fortunate to have Adobe Photoshop.

So when I need to work with a PSD file it’s no biggie.

However the other day I was on the church-house computer wanting to work with a free-from-the-community background image file. And it was in PSD format. And this computer didn’t have any PSD file format compatible software on it.


No problem.

I do have the freeware Paint.NET application running on this system for quick image work and editing.

I downloaded and installed the Paint.NET PSD Plugin via CodePlex. The plugin enables loading and saving of Photoshop PSD files. According to the site page, it was originally written by Frank Blumenberg and is now maintained by Tao Yue.

Worked like a charm.

I spotted this tip (and some alternative tricks to opening PSD files) via this MakeUseOf blog post: The Best Ways To Open a PSD File Without Photoshop


--Claus Valca