<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-13777170</id><updated>2012-01-27T07:28:10.637-06:00</updated><category term='cooking'/><category term='virtualization'/><category term='Win RE'/><category term='Vista'/><category term='viruses'/><category term='NewsFox'/><category term='Win FE'/><category term='Virtual PC'/><category term='Microsoft'/><category term='Windows 8'/><category term='search engines'/><category term='Green-living'/><category term='XP'/><category term='movies'/><category term='organization'/><category term='cheat sheets'/><category term='books'/><category term='Harry Potter'/><category term='Win PE'/><category term='nature'/><category term='Windows Live Writer'/><category term='art'/><category term='Apple'/><category term='crazy'/><category term='AVG'/><category term='Link Fest'/><category term='browsers'/><category term='troubleshooting'/><category term='Scripting'/><category term='cell-phones'/><category term='mysteries'/><category term='RSS'/><category term='For the Gentleman'/><category term='iPod'/><category term='Shuttle SFF'/><category term='DHC'/><category term='family'/><category term='imagex'/><category term='video'/><category term='coffee/tea'/><category term='podcasts'/><category term='PDF&apos;s'/><category term='Xplico'/><category term='recipes'/><category term='cars'/><category term='hardware'/><category term='science'/><category term='Windows 7'/><category term='humor'/><category term='boot-cd&apos;s'/><category term='Vista mods'/><category term='Windows Home Server'/><category term='command-line interface'/><category term='wallpapers'/><category term='photography'/><category 
term='Thunderbird'/><category term='security'/><category term='politics'/><category term='cosplay'/><category term='anti-virus software'/><category term='Opera'/><category term='graphics'/><category term='Gmail'/><category term='Remote Support'/><category term='hurricanes'/><category term='XP mods'/><category term='music'/><category term='games'/><category term='Blogger'/><category term='malware tools'/><category term='Google'/><category term='networking'/><category term='forensics'/><category term='crafts'/><category term='Firefox'/><category term='iTunes'/><category term='tutorials'/><category term='firewalls'/><category term='NFAT'/><category term='hacks'/><category term='Chrome/Chromium'/><category term='Active Directory'/><category term='software'/><category term='Linux'/><category term='Japan'/><category term='anime'/><category term='Internet Explorer'/><category term='architecture'/><category term='blogging'/><category term='writing'/><category term='fitness'/><category term='Texana'/><category term='VBscript'/><category term='E-P1'/><category term='utilities'/><title type='text'>grand stream dreams</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default?start-index=101&amp;max-results=100'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>1153</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-13777170.post-969647951859172345</id><published>2012-01-22T20:39:00.001-06:00</published><updated>2012-01-22T20:39:21.363-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Chrome/Chromium'/><category scheme='http://www.blogger.com/atom/ns#' term='Internet Explorer'/><category scheme='http://www.blogger.com/atom/ns#' term='humor'/><category scheme='http://www.blogger.com/atom/ns#' term='browsers'/><category scheme='http://www.blogger.com/atom/ns#' term='Apple'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Opera'/><category scheme='http://www.blogger.com/atom/ns#' term='Firefox'/><title type='text'>The GSD Curmudgeon says “Get off my Yard you Dang Kids!”</title><content type='html'>&lt;p&gt;Sigh. I’m getting old.&lt;/p&gt; &lt;p&gt;I recently read a post at ReadWriteWeb by Scott Fulton, III &lt;a href="http://www.readwriteweb.com/hack/2012/01/mozillas-plan-for-keeping-fire.php"&gt;Mozilla's Plan for Keeping Firefox Relevant in a Post-Browser Web&lt;/a&gt;. &lt;/p&gt; &lt;p&gt;That day I came dangerously close to becoming the old technologist guy equivalent of the “&lt;a href="http://en.wikipedia.org/wiki/You_kids_get_off_my_lawn!"&gt;You kids get off my lawn!&lt;/a&gt;” guy we all probably know.&lt;/p&gt; &lt;p&gt;What is Mozilla doing to my beloved Firefox of the near and dear “future”?&lt;/p&gt; &lt;ul&gt; &lt;li&gt;HTML5 runtime functionality support (for driving in-browser, non system proprietary, web-apps).&lt;/li&gt; &lt;li&gt;Extending cloud-based services.&lt;/li&gt; &lt;li&gt;An on-line identity management system called “&lt;a href="https://browserid.org/"&gt;BrowserID&lt;/a&gt;”. 
(&lt;a href="https://browserid.org/about"&gt;How it works&lt;/a&gt;)&lt;/li&gt; &lt;li&gt;and more stuff imagined and planned.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;That left me grumbly; then John Paul Titlow at ReadWriteWeb posted this &lt;a href="http://www.readwriteweb.com/archives/mozilla_data_privacy_2012.php"&gt;Mozilla: We're About to Grab More Data About You, But Here's How We'll Keep It Safe&lt;/a&gt;.&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Mozilla has some big plans up its sleeve in 2012. The non-profit open source foundation is planning some features for its Firefox Web browser and beyond that will require greater access to user data. In a blog post, the organization explains exactly how it intends to use and handle that data. In short, very carefully. &lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;The blog post John Paul references is up at Mozilla Privacy Blog: &lt;a href="https://blog.mozilla.com/privacy/2012/01/13/mozilla-to-offer-new-user-centric-services-in-2012/"&gt;Mozilla to Offer New User-Centric Services in 2012&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;While I recognize and appreciate the very challenging work that browser developers have (not just at Mozilla), I think I’m grumbly for two primary reasons here with Mozilla.&lt;/p&gt; &lt;p&gt;First, I was a very early adopter of Firefox. It was quicker than IE. It was slimmer (memory and feature bloat) than IE. It was more secure than IE. And I could plug all kinds of things into it (Add-Ons/Extensions) to customize it with only those features and capabilities that helped make my experience on the Web better. If I didn’t need it, I didn’t install it and thus kept the Firefox browser lean and mean.&lt;/p&gt; &lt;p&gt;I really do “get it” with the coming exciting wave of “web-based apps” and running them in your browser and the security it will now bring (think JavaScript/Flash). It’s the next “big” evolutionary shift for the Internet. Really. 
Who of us really still thinks of the Internet as being just a super-large reference library and world-wide town-square/market anymore? It’s now a world-wide commercial mall and entertainment center. Really. Oh sure, you can still go down that wing none of the hip kids hang out at and find the pubs where the old-timers hang out, a few plain coffee-bars where the wanna-be journalist “bloggers” hang out and trade stories of yore, and maybe go into that virtual bookstore of arcane knowledge and technical minutiae that some of us still love. But really. None of the cool companies and consumers come down this way. They demand different things. Better things. A new paradigm of interaction and operation.&lt;/p&gt; &lt;p&gt;Sigh.&lt;/p&gt; &lt;p&gt;So the browser needs to change to keep up. Bigger, more embedded features. Probably faster. Probably louder too with bass-boost and kickers. Hopefully the security alarm on it will be better too.&lt;/p&gt; &lt;p&gt;Secondly, my bones ache every time a new ID management system comes out that gets closer to being a cloud-based requirement. I know, it’s for my own good they’re doing it. Really. I’m so much safer having more and more of my user data off-loaded to the Webs and Clouds. Clearly the higher and higher it goes away from me the safer and safer and harder and harder it must be for the underground dwellers to grab it. Right? What? Oh, I have to just “trust” everyone “out-there” with my user data and All-In-One credentials and stuff. I’m sure everyone will be honorable and diligent in keeping my account and passwords and user data safe and secure. Nobody ever gets their customers’ account/password information lost to hackers, or on a laptop, or on a USB stick anymore, or via a network traffic hack. Right? That was just in the “old-days”. These new solutions are really, really safer.&lt;/p&gt; &lt;p&gt;I get it. I do. 
And I appreciate everyone working so hard to keep Firefox and my web experience so much more safe, more secure, and more powerful than ever before. I appreciate modern AC over running a fan past a block of ice to cool my house. Really. And who doesn’t like the convenience of a cellular smart-phone over a plain-old copper analog line service wired into your house?&lt;/p&gt; &lt;p&gt;My browser is growing up, and the world it is living in is changing as fast as it is.&lt;/p&gt; &lt;p&gt;Sigh.&lt;/p&gt; &lt;p&gt;I still use (and probably will) Firefox as my personal “production” web-browser of choice. It works for me and my way of being productive.&amp;nbsp; That said, when I’m surfing the web, give me Chrome. I guess I have to still drive the daily commuter into work and back, but yeah, on the weekends I like to pull out the latest sports car for tooling around the highways and byways and back roads.&lt;/p&gt; &lt;p&gt;You know, I was a very early adopter of Chrome. It was quicker than Firefox. It was slimmer (memory and feature bloat) than Firefox. It was more secure than Firefox. And I could plug all kinds of things into it (Add-Ons/Extensions) to customize it with only those features and capabilities that helped make my experience on the Web better. If I didn’t need it, I didn’t install it and thus kept the Chrome browser lean and mean. In fact, I hear from the Google Chrome Blog that Chrome is about to get more &lt;a href="http://chrome.blogspot.com/2012/01/speed-and-security.html"&gt;Speed and Security&lt;/a&gt; with pre-rendering of pages and enhanced URL and file-download checking. What’s not to like about that!&lt;/p&gt; &lt;p&gt;I gotta admit, high-school senior (these kids again!) Danny Stieben’s timely post at MakeUseOf blog probably sums it up right: &lt;a href="http://www.makeuseof.com/tag/eventually-matter-browser-opinion/"&gt;Why It Eventually Won’t Matter What Browser You Use [Opinion]&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;It won’t. Honestly. It just won’t. 
Time to face the music and admit I’ve got to adopt the new (browser/web) core “technology” design model and landscape or I’ll become irrelevant and end up spending the rest of my days in that dilapidated and decaying wing of the New Web Mall hanging out with the other curmudgeons and making fun of those really dorky guys and gals still using AOL web-mails, web portal home-pages with their IE 5/6 and Firefox 3 web-browsers. Seriously? Who uses those anymore?!! Get a clue.&lt;/p&gt; &lt;p&gt;Here. Spin a wheel and take a pick. Take one. Use one. Just don’t become friends or companions. Someone’s bound to change and the relationship will sour, and there will be &lt;a href="http://www.youtube.com/watch?v=RG2pIC2dP78"&gt;a new favorite&lt;/a&gt;.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://windows.microsoft.com/en-US/internet-explorer/products/ie/home"&gt;Internet Explorer&lt;/a&gt; - Web Browser for Microsoft Windows&lt;/li&gt; &lt;li&gt;&lt;a href="http://ie.microsoft.com/testdrive/"&gt;Internet Explorer 10&lt;/a&gt; - Test Drive&lt;/li&gt; &lt;li&gt;&lt;a href="https://www.google.com/chrome/index.html?brand=ECSA&amp;amp;installdataindex=no-apps-yes-promo&amp;amp;brand=CHMO"&gt;Google Chrome&lt;/a&gt; - Get a fast new browser. 
For PC, Mac, and Linux&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.mozilla.org/en-US/firefox/fx/"&gt;Get More From Your Firefox&lt;/a&gt; — Mobile, Add-ons &amp;amp; Other Stuff&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.apple.com/safari/"&gt;Apple - Safari&lt;/a&gt; - Browse the web in smarter, more powerful ways.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.opera.com/"&gt;Opera browser&lt;/a&gt; - Faster &amp;amp; safer internet&lt;/li&gt; &lt;li&gt;&lt;a href="http://en.wikipedia.org/wiki/Category:Windows_web_browsers"&gt;Category:Windows web browsers&lt;/a&gt; - Wikipedia&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.webdevelopersnotes.com/design/browsers_for_windows.php3"&gt;List of Web browsers for Windows&lt;/a&gt; - Web Developer Notes&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;The GSD Curmudgeon ends with these moving and inspiring words of wisdom and perspective on the whole thing.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.youtube.com/watch?v=e9mf3Bypyk8"&gt;Great Motivational Speech - It Just Doesn't Matter&lt;/a&gt; - YouTube&lt;/p&gt; &lt;p&gt;Ok…soap box away. 
We will now return to regular GSD programming.&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-969647951859172345?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/969647951859172345/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=969647951859172345&amp;isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/969647951859172345'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/969647951859172345'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/gsd-curmudgeon-says-get-off-my-yard-you.html' title='The GSD Curmudgeon says “Get off my Yard you Dang Kids!”'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-58548789914094863</id><published>2012-01-22T15:05:00.001-06:00</published><updated>2012-01-22T15:08:50.857-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='family'/><title type='text'>On The Usefulness of a Pleasant Desk</title><content type='html'>&lt;p&gt;&lt;img style="background-image: none; border-bottom: 0px; border-left: 0px; margin: 0px 0px 0px 10px; padding-left: 0px; padding-right: 0px; display: inline; float: right; border-top: 0px; border-right: 0px; padding-top: 0px" title="vn4044ma.5rw" border="0" alt="vn4044ma.5rw" align="right" 
src="http://lh6.ggpht.com/-e2pAVwhCVYk/Txx6EljzDzI/AAAAAAAAA8g/dLFJl4-F5dc/vn4044ma.5rw%25255B7%25255D.png?imgmax=800" width="98" height="212"&gt;I can’t believe I’ve been blogging now (fairly) consistently since 2005. I’ve gone from a peak posting rate of 311 posts in 2007 down to a low of just 40 posts last year in 2011.&lt;/p&gt; &lt;p&gt;Finding the time to blog has grown more and more challenging and I hope the quality and depth of many of my posts has grown over the years as well.&lt;/p&gt; &lt;p&gt;The last two years in particular have been a personal frustration as I have attempted to grow more “present” with my family and community while dealing with the tremendous workload presented in my “real” job that has meant longer hours, later hours, and technical challenges that have conspired to keep my technical processing brain-core on overdrive.&lt;/p&gt; &lt;p&gt;All that said, the biggest problem I had, however, hasn’t been a lack of inspiration, or of time, or of material.&lt;/p&gt; &lt;p&gt;I seriously believe it was the lack of a good desk and by extension, a good workspace.&lt;/p&gt; &lt;p&gt;See, from 2006-2009 a good part of my primary blogging hardware was based on desktop computers at home. First an old Gateway and later a small-form-factor barebones home-build kit.&amp;nbsp; Both these systems were kept in a nice desk that was located in our library/laundry room.&amp;nbsp; So I could hole up in the space, have few interruptions, and focus on writing, and blogging, and blogging. Lots of productivity.&lt;/p&gt; &lt;p&gt;In 2006 Lavie bought &lt;a href="http://grandstreamdreams.blogspot.com/2006/02/lavie-happy-claus-tired.html"&gt;our first laptop&lt;/a&gt;. 
Then in 2007 Lavie &lt;a href="http://grandstreamdreams.blogspot.com/2007/05/valca-vista-and-lavie-luck.html"&gt;won a Gateway laptop&lt;/a&gt; and it became her new laptop and the first one became a backup family pc.&amp;nbsp; Then in 2009 Lavie&amp;nbsp; &lt;a href="http://grandstreamdreams.blogspot.com/2009/01/back-at-everyone-first-post-of-2009.html"&gt;picked up a larger laptop for herself&lt;/a&gt; and I took over the Gateway laptop as a secondary system while Alvis took over Lavie’s first one. Though I continued to patch and upgrade the SFF desktop pc I used, the Gateway laptop really became my primary home computing device and blogging platform. And in late 2010 &lt;a href="http://grandstreamdreams.blogspot.com/2010/09/dell-named-tatiana.html"&gt;I finally obtained my own "dream" notebook&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;I sincerely believe the shift from using a desktop pc (at a desk) to a laptop (wherever) is what led to the biggest hit on my blogging production.&lt;/p&gt; &lt;p&gt;When I sit at a desk I have a productive mindset. When I’m in one of the chairs or the couch in our living room I can blog, but it doesn’t feel as natural as just “couch-surfing” the web. I find it hard to build and maintain a writing rhythm if I’m anywhere but in front of a desk.&lt;/p&gt; &lt;p&gt;Since the girls REALLY wanted me to be more present with them and not hidden off in our library area, and I had a laptop, it was very seldom that I found myself in our study and my desk--and in a productive blogging mindset.&lt;/p&gt; &lt;p&gt;I’ve been trying to find a solution to the problem for some time. Unfortunately, the desk in the library, while not large, just didn’t seem to lend itself to either our living room décor or function. 
So I’ve just coped, and the blogging rate has suffered.&lt;/p&gt; &lt;p&gt;&lt;img style="background-image: none; border-bottom: 0px; border-left: 0px; margin: 0px 0px 0px 22px; padding-left: 0px; padding-right: 0px; display: inline; float: right; border-top: 0px; border-right: 0px; padding-top: 0px" title="vco4im4v.wov" border="0" alt="vco4im4v.wov" align="right" src="http://lh6.ggpht.com/-Sn6uqxF16Ag/Txx6E7zG63I/AAAAAAAAA8o/UY-h34V6dVI/vco4im4v.wov%25255B4%25255D.png?imgmax=800" width="244" height="142"&gt;Last week I found a cheap trestle-style mini-desk that was perfect in color, style and size for the living room. With minimal rearrangement I was able to place it in the living room along with a nice matching traditional wooden chair with a faux-leather seat cushion. It was a great pairing.&amp;nbsp; While not my favorite in terms of style, it was a perfect pairing of form and function (and price) so I struck while the iron was still hot.&lt;/p&gt; &lt;p&gt;That weekend saw a slew of postings which has brought me to almost half as many as I did in all of last year.&lt;/p&gt; &lt;p&gt;Now I have my own elegant and relaxing workspace again to use my laptop at, but still be “present” with Lavie and Alvis after work or on the weekends.&lt;/p&gt; &lt;p&gt;Now the story should end there.&lt;/p&gt; &lt;p&gt;However, this weekend Alvis and I finally got around to swapping our desks. These are not to be confused with the new one above.&lt;/p&gt; &lt;p&gt;See, Alvis has been using a large French-country style desk in her room for her homework/TV/laptop/crafting needs.&amp;nbsp; It is a beautiful desk that has an attached shelving unit over it. Meanwhile my desk (the one in the library I have mentioned already) is an Ikea special with a simple solid wood frame, a side-caddy for a desktop PC and a small pullout drawer that held all those misc. 
USB cables and PC hardware bits that accumulate.&lt;/p&gt; &lt;p&gt;Alvis in her artsy/interior-design-y mode decided she needed to “open up” the space in her room and swap desks. This way she has more physical room (since mine is smaller) and gains a desk that is more work-bench-like for her crafting. It will also work better for her new machine-sewing hobby and crafting system.&lt;/p&gt; &lt;p&gt;So yesterday we set to work clearing off our desks and emptying them of their contents. Lots of cables to re-manage, lots of missed-dust to remediate. And the desks were swapped.&lt;/p&gt; &lt;p&gt;Alvis’s (new-to-her) desk fit perfectly and holds a small LCD TV that doubles as a second monitor for her laptop. The solid wood surface is more firm for crafting and the lack of an overhead shelving system means she can now feed large lengths of fabric easily across the surface. She did add a small wire-baking-rack to the side of it for storing supplies. Now she has space galore in her room reclaimed.&lt;/p&gt; &lt;p&gt;My (new-to-me) desk is in the study. My second LCD monitor is tucked in a corner when I do decide to work back there and need a second monitor. (I decided it just didn’t fit the living room décor or small desk added there.) It has a USB keyboard/mouse combo as well on the slide-out tray just in case. The (now long-since disconnected until I eventually get around to using it as a SAN server &lt;a href="http://www.freenas.org/"&gt;option-1&lt;/a&gt; &lt;a href="http://www.openfiler.com/community"&gt;option-2&lt;/a&gt;) SFF PC is tucked away in the side-caddy. The real plus has been getting all my technical books and manuals off the stacks on the library floor and nicely organized in the over-desk shelves. I’ve also got my network hardware (switches/routers) and external hard-drives nicely sitting in their “cubbies” as well. 
It looks downright nice.&lt;/p&gt; &lt;p&gt;Funny how these things work out…I finally find the perfect desk to get me out of the library, get crazy-productive again (and make both my girls and me harmoniously happy). And the very next weekend I end up creating the super organized and comfy writing-desk/computing-workbench in the man-cave library.&lt;/p&gt; &lt;p&gt;I guess that’s just how we roll around here.&lt;/p&gt; &lt;p&gt;So long-story-short, it’s neither a matter of here or there. Simply expect more blogging this year from the GSD ranch.&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-58548789914094863?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/58548789914094863/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=58548789914094863&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/58548789914094863'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/58548789914094863'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/on-usefulness-of-pleasant-desk.html' title='On The Usefulness of a Pleasant Desk'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh6.ggpht.com/-e2pAVwhCVYk/Txx6EljzDzI/AAAAAAAAA8g/dLFJl4-F5dc/s72-c/vn4044ma.5rw%25255B7%25255D.png?imgmax=800' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-6020533401241995054</id><published>2012-01-21T20:32:00.001-06:00</published><updated>2012-01-22T13:25:56.475-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='anti-virus software'/><category scheme='http://www.blogger.com/atom/ns#' term='NFAT'/><category scheme='http://www.blogger.com/atom/ns#' term='malware tools'/><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='hacks'/><category scheme='http://www.blogger.com/atom/ns#' term='viruses'/><category scheme='http://www.blogger.com/atom/ns#' term='browsers'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Interesting Malware in Email Attempt - URL Scanner Links</title><content type='html'>&lt;p&gt;Last weekend I spent some time with extended family helping confirm for them that their on-line email account got hacked and had been used to send some malware-linking spam emails to users in their contact list.&lt;/p&gt; &lt;p&gt;Yesterday our family email account was on the receiving end of someone -- possibly -- who fell victim to an email account hack, as our email address was amongst several others receiving the email. I say possibly as none of us recognized the sender’s email address and it wasn’t in any of our address books. Possibly ours, along with the others’ email addresses, had been harvested somehow and this was a fake spamming account. 
The “show-as” name was definitely non-standard and used some letters that related to those in the subject line.&lt;/p&gt; &lt;p&gt;It was pretty evident to me this was probably a dangerous site to go to, but being curiously-minded, I couldn’t pass up the chance to do some detective work.&lt;/p&gt; &lt;p&gt;The email originated from a yahoo mail account.&lt;/p&gt; &lt;p&gt;The Subject line was baited “ACH Transfer Canceled…” and the display name in the email address contained the letters “NACHA.”&lt;/p&gt; &lt;p&gt;ACH is meant to refer to the “Automated Clearing House” which handles financial transactions in the US and is overseen by &lt;a href="http://www.nacha.org/c/Intro2ACH.cfm"&gt;NACHA&lt;/a&gt;.&amp;nbsp; To most Americans, I’m betting these acronyms mean very little and they would be more taken with a sudden urge to grab some NACHOS instead. Maybe Europeans would be a little more anxious about emails purporting to come from ACH and NACHA. I digress.&lt;/p&gt; &lt;p&gt;First thing I looked at was the message header. Lots of goodies there. We can follow the hops from the yahoo mail sender to our ISP’s email servers. Times/dates of transmission.&lt;/p&gt; &lt;p&gt;Since this was a Yahoo mail account, it appears the header may actually contain the IP address of the location the mail account was logged into from. This is the first time I have seen this so I need to do more research. The IP associated with this particular email is located in France.&lt;/p&gt; &lt;p&gt;The website &lt;a href="http://www.ip-address.org/"&gt;IP Address Locator&lt;/a&gt; has lots of good tools for locating IP addresses as well as a feature that allows a copy/paste/analyze of email headers.&lt;/p&gt; &lt;p&gt;The content of the email was very thin, a single line with all the text run together. There is URL link markup there; however, it doesn’t capture all the characters. 
Hmm.&lt;/p&gt; &lt;p&gt;Toggling between the different modes of viewing email content in Thunderbird reveals odd results. If I look at it in original HTML mode I see a single line of text with a hyperlink in the middle.&lt;/p&gt; &lt;p&gt;If I view it in simple HTML most of the text is the same but a few characters are different.&lt;/p&gt; &lt;p&gt;If I view it in plain text, there is nothing showing.&lt;/p&gt; &lt;p&gt;Hovering over the hyperlink displayed shows a URL shortener link. Hmm. Set that aside for a moment.&lt;/p&gt; &lt;p&gt;So I go back and look at the full header view again and find this in the message body:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font face="Courier New"&gt;Content-Type: text/html; charset=ISO-8859-5 &lt;br&gt;Content-Transfer-Encoding: base64&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Ah! So I copy/paste the large text block that follows it into this &lt;a href="http://webnet77.com/cgi-bin/helpers/base-64.pl"&gt;base64 online encoder / decoder&lt;/a&gt; and get a binary file to download!&amp;nbsp; &lt;/p&gt; &lt;p&gt;(More regarding content encoding methods here &lt;a href="http://msdn.microsoft.com/en-us/library/ms527009(v=exchg.10).aspx"&gt;Content-Transfer-Encoding&lt;/a&gt; - MSDN, here &lt;a href="http://www.freesoft.org/CIE/RFC/1521/5.htm"&gt;The Content-Transfer-Encoding Header Field&lt;/a&gt; via freesoft.org and here &lt;a href="http://techhelp.santovec.us/decode.htm"&gt;Decoding Internet Attachments - A Tutorial&lt;/a&gt; by Michael Santovec.)&lt;/p&gt; &lt;p&gt;Opening that binary file in Notepad++ reveals the HTML code with the same actual URL embedded.&lt;/p&gt; &lt;p&gt;Guessing here they are using base64 encoding for the content to try to get around email scanners.&lt;/p&gt; &lt;p&gt;OK, so let’s check out that URL.&lt;/p&gt; &lt;p&gt;Turns out it is using Google’s own URL shortening service: &lt;a href="http://goo.gl/"&gt;Google URL Shortener&lt;/a&gt;.&amp;nbsp; More info here. 
&lt;a href="http://support.google.com/websearch/bin/answer.py?hl=en&amp;amp;answer=190768"&gt;Google URL shortener - Web Search Help&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Turns out this is a pretty cool choice from both sides of the security fence. By appending “.info” to the end of a Goo.gl shortened URL we can &lt;a href="https://groups.google.com/a/googleproductforums.com/forum/#!category-topic/websearch/unexpected-search-results/3WuGJd_DLNI"&gt;find out the stats from Goo.gl URL shortener&lt;/a&gt; (Google Groups)&lt;/p&gt; &lt;p&gt;This is good from an attacker standpoint as they can easily monitor their success rate on the nibbles of this hook and any “hits” to the actual URL. Researchers can gain insight as well by monitoring the same stats and how fast/long the “click-through” may happen.&lt;/p&gt; &lt;p align="center"&gt;&lt;a href="http://lh4.ggpht.com/-wRVUeTuFQa4/Txt1MHVwLyI/AAAAAAAAA8Q/oVED6dphkdA/s1600-h/h0j5wpnx.2up%25255B4%25255D.png"&gt;&lt;img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="h0j5wpnx.2up" border="0" alt="h0j5wpnx.2up" src="http://lh5.ggpht.com/-jWSVoMZdJ_Y/Txt1MSg4NbI/AAAAAAAAA8Y/bj2aNmeq4Aw/h0j5wpnx.2up_thumb%25255B1%25255D.png?imgmax=800" width="587" height="484"&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Neat, isn’t it?&lt;/p&gt; &lt;p&gt;Now that I’ve got the actual long URL that this points to, we can start tossing the URL at some on-line link analysis/scanner tools.&lt;/p&gt; &lt;p&gt;&lt;a href="https://www.virustotal.com/"&gt;VirusTotal&lt;/a&gt; shows both TrendMicro and SCUMWARE.org report the long URL as a Malware/Malicious site.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.quttera.com/"&gt;Quttera&lt;/a&gt; reports it as serving up suspicious JavaScript content via HTML page code.&lt;/p&gt; &lt;p&gt;&lt;a href="http://anubis.iseclab.org/?action=home"&gt;Anubis: Analyzing 
Unknown Binaries&lt;/a&gt; provided a deeper review of the URL by capturing Windows system events in a virtual sandbox system. It accesses the Windows registry, mucks with some keys, creates a cookie, reads the autoexec.bat file, mods some files, maps DLLs to memory and appears to try to download more stuff. The report is available in HTML, XML, PDF, and TXT formats.&amp;nbsp; Also, they offer a traffic.pcap file to download so you can examine the network traffic generated and perform any NFA you want to do.&amp;nbsp; This site/tool rocks from a depth of information standpoint.&lt;/p&gt; &lt;p&gt;&lt;a href="http://urlquery.net/index.php"&gt;urlQuery&lt;/a&gt; gives some more report feedback when it is sandboxed. Lots of JavaScript stuff. Another strong URL analysis reporting site.&lt;/p&gt; &lt;p&gt;Trying it a few more times while changing the browser type/Java version/Flash version gets different results, and the URL-serving code reflects all kinds of different IPs each time. So that long URL seems to be hosted at a dynamic IP host, allowing it to bounce around (serving up HTTP redirects) and serve up the malware code depending on platform from all over the place, making it harder to track down the source.&lt;/p&gt; &lt;p&gt;urlQuery actually identified the network traffic as a Blackhole exploit kit v1.2 HTTP GET request.&amp;nbsp; Another clue.&lt;/p&gt; &lt;p&gt;I tossed the pcap file I got from Anubis into &lt;a href="http://www.netresec.com/?page=NetworkMiner"&gt;NETRESEC NetworkMiner&lt;/a&gt;. Nothing very interesting, but my Microsoft Security Essentials alerted when the HTML page was reassembled by NetworkMiner and quarantined the file. It identified the page code as being &lt;a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AJS%2FBlacole.AR&amp;amp;ThreatID=-2147314153"&gt;Exploit:JS/Blacole.AR&lt;/a&gt;. 
(MS’s way of saying “blackhole” I suppose…)&lt;/p&gt; &lt;p&gt;Here is a series of links regarding these kinds of email spam threats in general, as well as Blackhole info in particular as it relates to email spam campaigns, if you are curious.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://labs.m86security.com/2011/12/prevalent-exploit-kits-updated-with-a-new-java-exploit/"&gt;Prevalent Exploit Kits Updated with a New Java Exploit&lt;/a&gt; - M86 Security Labs Blog  &lt;li&gt;&lt;a href="http://labs.m86security.com/2011/09/an-analysis-of-the-ach-spam-campaign/"&gt;An analysis of the ACH spam campaign&lt;/a&gt; - M86 Security Labs Blog  &lt;li&gt;&lt;a href="http://labs.m86security.com/2011/12/cutwail-spam-campaigns-lure-users-to-blackhole-exploit-kit/"&gt;Cutwail Spam Campaigns Lure Users to Blackhole Exploit Kit&lt;/a&gt; - M86 Security Labs Blog  &lt;li&gt;&lt;a href="http://labs.m86security.com/2011/10/steve-jobs-alive-spam-campaign-leads-to-exploit-page/"&gt;“Steve Jobs Alive!” Spam Campaign Leads To Exploit Page&lt;/a&gt; - M86 Security Labs Blog  &lt;li&gt;&lt;a href="http://labs.m86security.com/tag/malicious-spam/"&gt;All Posts tagged Malicious Spam&lt;/a&gt; - M86 Security Labs Blog  &lt;li&gt;&lt;a href="http://www.itsecuresite.com/seclabs/websense/malicious-email-scam-re-scan-from-a-xerox-w-pro-xxxxxxx-returns-with-a-new-face.html"&gt;Malicious email scam "Re: Scan from a Xerox W. Pro #XXXXXXX" returns with a new face&lt;/a&gt; - IT Secure Site, more on a related Blackhole email spam attempt.  &lt;li&gt;&lt;a href="http://research.zscaler.com/2011/02/blackhole-exploits-kit-attack-growing.html"&gt;Blackhole exploits kit attack growing&lt;/a&gt; - Zscaler Research  &lt;li&gt;&lt;a href="http://www.reversecurity.com/2011/12/exploit-kit-email-investigating.html"&gt;Exploit Kit in my Morning Email (BlackHole Exploit Kit . . . 
Maybe)&lt;/a&gt; - ReverSecurity&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;I doubt this is the last our email inbox will see of these things, but the whole process has been quite fun to follow.&lt;/p&gt; &lt;p&gt;I’ve decided to leave out links/images of the actual email and the header-code/URL (short/long) but have passed it along to a number of security-spam websites in case it is of use.&lt;/p&gt; &lt;p&gt;A long time ago I had a list of URL-testing sites to feed a URL into to see if they were safe or not.&amp;nbsp; Most seem to have gone away; however, the following forums had a number of new ones worth bookmarking. Hat tip to “PROROOTECT” for the legwork!&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://malwaretips.com/Thread-Free-Online-On-demand-URL-Security-Scanners"&gt;Free Online On-demand URL Security Scanners&lt;/a&gt; - MalwareTips forum  &lt;li&gt;&lt;a href="http://forum.sysinternals.com/free-Online-security-scans-for-suspicious-url-link_topic22045.html"&gt;FREE ONLINE SECURITY SCANS For Suspicious URL Link&lt;/a&gt; - Sysinternals Forums&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Here is a combined and cleaned-up list based on PROROOTECT’s collective work in both places, plus at least one or two I’m tossing in; I removed a few from those lists that seem dead or redirect incorrectly.&amp;nbsp; PROROOTECT does make a great point that the effectiveness of these varies, so a “bad” URL in one may come back as “clean” in another. So it’s best to run your URL through multiple sources.&lt;/p&gt; &lt;p&gt;Note, these are URL/web-page scanners. They are a bit different than on-line file-scanners/sandboxes used to analyze malware samples. 
Though a few seem to come pretty darn close with the depth of their reports/analysis.&lt;/p&gt; &lt;p&gt;Not necessarily ordered by usefulness.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.ip-address.org/"&gt;IP Address Locator&lt;/a&gt; - Track IP, Search IP, Find IP, Trace IP Lookup, What Is My IP Address Location  &lt;li&gt;&lt;a href="http://www.trueurl.net/service/"&gt;TrueURL&lt;/a&gt; - decode short URLs  &lt;li&gt;&lt;a href="http://www.cekpr.com/decode-short-url/"&gt;Decode Short URL Decoder - cekPR.com&lt;/a&gt; - decode short URLs  &lt;li&gt;&lt;a href="http://tinyurl.com/preview.php"&gt;TinyURL.com&lt;/a&gt; - preview a TinyURL  &lt;li&gt;&lt;a href="http://longurl.org/"&gt;LongURL&lt;/a&gt; - decode short URLs  &lt;li&gt;&lt;a href="http://untiny.com/"&gt;Untiny&lt;/a&gt; - decode short URLs  &lt;li&gt;&lt;a href="http://webnet77.com/cgi-bin/helpers/base-64.pl"&gt;base64 online encoder / decoder&lt;/a&gt; - decode base64 content in emails  &lt;li&gt;&lt;a href="http://www.quttera.com/"&gt;Quttera&lt;/a&gt; - FREE Online Heuristic URL Scanner  &lt;li&gt;&lt;a href="http://anubis.iseclab.org/?action=result&amp;amp;task_id=1afb6ac9f757382648d33ba6ab317fcb9"&gt;Anubis&lt;/a&gt; - Analyzing Unknown Binaries  &lt;li&gt;&lt;a href="http://vurldissect.co.uk/"&gt;vURL Online&lt;/a&gt; - Quickly and safely dissect malicious or suspect websites  &lt;li&gt;&lt;a href="http://web-sniffer.net/"&gt;HTTP Web-Sniffer 1.0.37&lt;/a&gt; - view HTTP request/response headers  &lt;li&gt;&lt;a href="http://wepawet.iseclab.org/"&gt;Wepawet&lt;/a&gt; - analyzes URLs for JavaScript/PDF or Flash exploits.  &lt;li&gt;&lt;a href="http://www.finjan.com/ngus/default.aspx"&gt;Finjan URL Analysis&lt;/a&gt; - URL analysis  &lt;li&gt;&lt;a href="https://www.virustotal.com/"&gt;VirusTotal&lt;/a&gt; - Free Online Virus, Malware and URL Scanner  &lt;li&gt;&lt;a href="http://urlvir.com/search/"&gt;UrlVir.com&lt;/a&gt; - URL scanner using domain, IP or MD5 hash value. 
Hosted by NoVirusThanks  &lt;li&gt;&lt;a href="http://www.surbl.org/surbl-analysis"&gt;SURBL Blacklist lookup&lt;/a&gt; (also at &lt;a href="http://george.surbl.org/lookup.html"&gt;george.surbl.org&lt;/a&gt;) - check database for known websites that have appeared in unsolicited (spam) emails. More on the program here: &lt;a href="http://www.surbl.org/"&gt;SURBL&lt;/a&gt;  &lt;li&gt;&lt;a href="http://www.urlvoid.com/"&gt;URLVoid.com BETA&lt;/a&gt; - scan website for malware, threats and other bad things.  &lt;li&gt;&lt;a href="http://vscan.urlvoid.com/"&gt;URL &amp;amp; Link Scanner - Scan URLs for malicious code&lt;/a&gt; - URLVoid.com BETA to scan URL with multiple AV engines.  &lt;li&gt;&lt;a href="http://wave.webaim.org/"&gt;WAVE&lt;/a&gt; - Web Accessibility Evaluation Tool - may not tell you if a site is “malicious” but provides a visual report on the site as well as any funky coding going on.  &lt;li&gt;&lt;a href="http://siteinspector.comodo.com/"&gt;Comodo Site Inspector&lt;/a&gt; - scan page to see if it generates malicious activity or hosts malware.  &lt;li&gt;&lt;a href="http://www.unmaskparasites.com/"&gt;Website Security Check&lt;/a&gt; - Unmask Parasites. Scans site for evidence of exploit code.  &lt;li&gt;&lt;a href="http://safeweb.norton.com/"&gt;Norton Safe Web, from Symantec&lt;/a&gt; - is a site safe?  &lt;li&gt;&lt;a href="http://vms.drweb.com/online/?lng=en"&gt;Dr.Web&lt;/a&gt; - is a site safe?  &lt;li&gt;&lt;a href="http://global.sitesafety.trendmicro.com/"&gt;Trend Micro Site Safety Center&lt;/a&gt; - is a site safe?  &lt;li&gt;&lt;a href="http://linkscanner.explabs.com/linkscanner/AVG/default.aspx"&gt;AVG LinkScanner Online&lt;/a&gt; - is a site safe?  &lt;li&gt;&lt;a href="http://browsingprotection.f-secure.com/swp/?x=pA5UCNjtCqgJSX12LHExug"&gt;F-Secure Browsing Protection Portal&lt;/a&gt; - Can you trust a site?  
&lt;li&gt;&lt;a href="http://www.avg.com.au/resources/web-page-scanner/"&gt;AVG Online Virus Scanner | Scan Web Pages | AVG LinkScanner Drop Zone&lt;/a&gt; - Can you trust a site? (Aussie edition)  &lt;li&gt;&lt;a href="http://onlinelinkscan.com/"&gt;Online Link Scan&lt;/a&gt; - Virus, Trojan, Adware and Malware Scanner using a variety of scanning engines.  &lt;li&gt;&lt;a href="http://www.phishtank.com/"&gt;PhishTank&lt;/a&gt; - site to report suspicious/phishing URL sites.  &lt;li&gt;&lt;a href="http://www.checkpageforshit.com/"&gt;Check page for sh*t&lt;/a&gt; - resources including a URL check in Google spyware checker.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;PROROOTECT’s suggestion to use an online URL screenshotting service to capture the displayed URL safely is some good outside the box thinking. Kinda a “look-before-you-leap” thing if all the above items pass OK.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.shotbot.fr/index.en.php"&gt;Shotbot - Screenshot Bot | Ascreen Generator&lt;/a&gt; - generates jpeg thumbnails of public websites.  &lt;li&gt;&lt;a href="http://netrenderer.com/"&gt;IE NetRenderer - Browser Compatibility Check -&lt;/a&gt; I like this one in that you can pick your browser version from a selection. If the URL/page responds differently based on your browser, then this might show it.  
&lt;li&gt;&lt;a href="http://www.thumbalizr.com/index.php"&gt;thumbalizr&lt;/a&gt; - thumb your webpages  &lt;li&gt;&lt;a href="http://url2png.com/"&gt;url2png&lt;/a&gt; - website screenshot service  &lt;li&gt;&lt;a href="http://loads.in/"&gt;loads.in&lt;/a&gt; - webpage load screenshots in multiple browser with option to pick from from over 50 locations worldwide  &lt;li&gt;&lt;a href="http://www.shrinktheweb.com/"&gt;ShrinkTheWeb&lt;/a&gt; - website screenshot service  &lt;li&gt;&lt;a href="http://browsershots.org/"&gt;Browsershots&lt;/a&gt; - supports/mimics so many different browser types and OS’s and allows defining Javascript/java/flash versions that it’s just plain coolly obscene!&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Fun trip if it wasn’t so serious…&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#c0504d"&gt;Update:&lt;/font&gt;&lt;/strong&gt; I meant to add this in to the original post but got sidetracked. A recent &lt;a href="http://computer-forensics.sans.org/blog/2012/01/19/digital-forensics-case-leads-refs-ex01-and-dfironline"&gt;Digital Forensics Case Leads&lt;/a&gt; post has mention of a super-fantastic investigation/forensic report involving anonymous emails. This is must-read material, not just in terms of the investigative methodology but also the way the report was composed and presented. Very clearly done!&amp;nbsp; I’m keeping a saved copy of the report for future reference; both technically and as a report template. From the post via the link above:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;University of Illinois recently released a detailed &lt;a href="http://www.uillinois.edu/our/news/2012/emails/FinalReport.only.Jan13.pdf"&gt;investigation report&lt;/a&gt; (PDF) regarding anonymous emails allegedly sent by its Chief of Staff to the University's Senates Conference. 
The report is an interesting read, and also serves as a potentially useful model for those looking for report samples and templates.&lt;/p&gt;&lt;/blockquote&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/6020533401241995054/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=6020533401241995054&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/6020533401241995054'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/6020533401241995054'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/interesting-malware-in-email-attempt.html' title='Interesting Malware in Email Attempt - URL Scanner Links'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh5.ggpht.com/-jWSVoMZdJ_Y/Txt1MSg4NbI/AAAAAAAAA8Y/bj2aNmeq4Aw/s72-c/h0j5wpnx.2up_thumb%25255B1%25255D.png?imgmax=800' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-6010839494088205032</id><published>2012-01-20T13:44:00.001-06:00</published><updated>2012-01-20T13:44:00.397-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='family'/><title type='text'>Thoughts on a Plan to Drop POTS: Pros/Cons</title><content type='html'>&lt;p&gt;&lt;a 
href="http://lh3.ggpht.com/-N5xOUQG6hBk/TxnD-xwa9HI/AAAAAAAAA8A/C5xcm10a2Zg/s1600-h/zlb033yl.aj5%25255B4%25255D.png"&gt;&lt;img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="zlb033yl.aj5" border="0" alt="zlb033yl.aj5" src="http://lh6.ggpht.com/-8uM527L1E64/TxnD_yY1aVI/AAAAAAAAA8I/Og10jJRO_l4/zlb033yl.aj5_thumb%25255B1%25255D.png?imgmax=800" width="606" height="484"&gt;&lt;/a&gt;&lt;/p&gt; &lt;p align="right"&gt;&lt;font size="1"&gt;cc image attribution: &lt;/font&gt;&lt;a href="http://www.flickr.com/photos/solarbotics/6668090277/"&gt;&lt;font size="1"&gt;“smashed phone” by Solarbotics on Flickr&lt;/font&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Right now the Valca home has had a &lt;a href="http://en.wikipedia.org/wiki/Plain_old_telephone_service"&gt;POTS/landline&lt;/a&gt; phone nearly forever. We got the copper during our engagement house-setup period. As newlyweds it was our technological lifeline to the social world.&lt;/p&gt; &lt;p&gt;Eventually we bought our first PC (an old Gateway skyscraper tower model), signed up for dial-up, and were rockin the Interwebs. Communication shift begins.&lt;/p&gt; &lt;p&gt;Later, Lavie was the early adopter of new tech with a cell phone.&amp;nbsp; We’ve stuck with the same provider, though it has been gobbled-up a few times leaving us with the current super-cellular provider. Shift again.&lt;/p&gt; &lt;p&gt;Then I got a cell phone as well. Not shifting, dancing now.&lt;/p&gt; &lt;p&gt;And then Alvis earned the responsibility of getting a cell phone.&lt;/p&gt; &lt;p&gt;Hello Family Plan. Now it’s like we are socially square-dancing with technology.&lt;/p&gt; &lt;p&gt;Cable broadband arrived so the dial-up was ditched and high-speed coax rules now. Social communication on a high-speed rail-line service. 
Whoopee!&lt;/p&gt; &lt;p&gt;All through time, good old POTS has remained present.&amp;nbsp; It seemed relevant during the Hurricane Ike event a few years ago when we had to evacuate from the house for a number of weeks. Electricity was out, but since we had an answering machine connected, we could dial our POTS number to check for power.&amp;nbsp; When the answering machine eventually picked up again, we knew power had been restored.&lt;/p&gt; &lt;p&gt;Yet with Lavie still not working and the cost of living marching ever upward, we continue to look for ways to cut costs, but the belt is pretty tight as it is.&lt;/p&gt; &lt;p&gt;Since we already have cable service (digital TV + Internet) I looked at adding the VOIP option, but once the introductory rate wears off in about 6 months, the price jumps and the savings diff is minimal. And when the cable service is out, everything is out. Too many eggs in one basket for my comfort in this one.&lt;/p&gt; &lt;p&gt;The POTS phone provider does have a super-simple plan (not that we have much at all on our current POTS plan) but the price (once you add in all the add-on charges and govt regulatory fees) isn’t that much less than what we are on now.&lt;/p&gt; &lt;p&gt;Now Alvis REALLY REALLY REALLY wants to upgrade her cell phone to an iPhone (which requires a data plan by our carrier). Not a problem but that’s another added cost to the budget.&lt;/p&gt; &lt;p&gt;Since our cellular plan covers all three of our phones, mobile-to-mobile calls are free, we have a family unlimited text plan, and we also get free nights/weekend calls, our mid-range minute package hardly gets used. It’s shameful to see how few minutes we actually can get to apply to our monthly minute package. Seriously.&amp;nbsp; Dropping to the next lower (lowest) family minutes package only nets us a $9.99 savings. 
Not enough to cover a data plan addition.&lt;/p&gt; &lt;p&gt;Today I had a brainstorm and am pondering the following.&lt;/p&gt; &lt;p&gt;If we drop our POTS line (~$65 “savings”) and port our “forever home” number over to a 4th cell phone, and add that to our Family Plan for an additional $9.99 monthly charge, even with additional monthly fees we are saving at least $40/mo.&amp;nbsp; Any simple free phone would do, or I may be able to use an older (but still very nice and rock-solid) digital cell phone I had upgraded from with our same carrier and hung on to.&lt;/p&gt; &lt;p&gt;Pros:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;We keep our same home # (assuming it can be ported to a cell service).&lt;/li&gt; &lt;li&gt;Don’t have to notify family, friends, vendors, everyone we do business with.&lt;/li&gt; &lt;li&gt;$ saved each month or at least break even (see next bullet).&lt;/li&gt; &lt;li&gt;Alvis gets her iPhone + data plan (and maybe Lavie too) and we break even.&lt;/li&gt; &lt;li&gt;Minute usage may increase but most calls to family &amp;amp; friends tend to already be mobile-to-mobile anyway, or during the unlimited nights/weekend period.&lt;/li&gt; &lt;li&gt;Home phone comes with us in a disaster/evacuation.&lt;/li&gt; &lt;li&gt;Can donate all our POTS-based phone technology handsets to the needy (if anyone will even take them).&lt;/li&gt; &lt;li&gt;Not tied to a bundled cable service so even if cable goes out, our home # should still work.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Cons:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;If power goes out for an extended period of time, charging could be an issue if left at the house.&lt;/li&gt; &lt;li&gt;Maybe our home number couldn’t be ported…then what?&lt;/li&gt; &lt;li&gt;Transition/porting period could be a hassle.&lt;/li&gt; &lt;li&gt;Hope we don’t lose the charger.&lt;/li&gt; &lt;li&gt;Cell phone service/signal may be spotty in different parts of the house.&lt;/li&gt; &lt;li&gt;Can’t have multiple phones conveniently scattered around house 
to reach for easily when it rings (wall jacks appear to be a dime-a-dozen in our home).&lt;/li&gt; &lt;li&gt;Get locked deeper in with an already super-duper-mega cellular provider.&lt;/li&gt; &lt;li&gt;Would allow funding of iPhone takeover of Valca home and Apple becomes even more entrenched in our lifestyles…not necessarily a bad thing…just an observation.&lt;/li&gt; &lt;li&gt;Cost to replace phone higher if accidentally dropped in loo or boiling pasta water while talking over stove cooking. Bad.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Any Grand Stream Dream blog readers out there done the dirty and dropped your copper/POTS for a pure-cellular experience?&lt;/p&gt; &lt;p&gt;The POTS provider is sure to tell us the world as we know it will end and “bad me” for contributing to the demise of POTS.&lt;/p&gt; &lt;p&gt;What were your experiences?&lt;/p&gt; &lt;p&gt;Got any advice or see any Pros/Cons I’m missing?&lt;/p&gt; &lt;p&gt;Thanks,&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/6010839494088205032/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=6010839494088205032&amp;isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/6010839494088205032'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/6010839494088205032'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/thoughts-on-plan-to-drop-pots-proscons.html' title='Thoughts on a Plan to Drop POTS: 
Pros/Cons'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh6.ggpht.com/-8uM527L1E64/TxnD_yY1aVI/AAAAAAAAA8I/Og10jJRO_l4/s72-c/zlb033yl.aj5_thumb%25255B1%25255D.png?imgmax=800' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-849332285329511289</id><published>2012-01-16T21:12:00.001-06:00</published><updated>2012-01-16T21:12:11.174-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tutorials'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>The Password is…</title><content type='html'>&lt;p&gt;Last week we got a call from one of Lavie’s cousins. She and her husband had suddenly begun getting phone calls from concerned friends as well as strange “undeliverable” email notices.&lt;/p&gt; &lt;p&gt;Mysteriously, at least one email had been sent from their on-line email account to all the recipients in their contacts in batches of ten or so.&amp;nbsp; Some folks had told them their own security apps had alerted when they tried to follow the link in the email.&lt;/p&gt; &lt;p&gt;It was pretty apparent to the couple that “something” was amiss with their PC but exactly what, they weren’t sure. They had already downloaded a second anti-virus tool and scanned their system with nothing found. They decided to call me to see if I could help them. I recommended they change the password and any security challenge questions immediately, which they did, then arranged for a house-call the following day.&lt;/p&gt; &lt;p&gt;I already had a clue on what probably occurred, but went through my full checklist of items as I assessed the system. No rogue processes, no unexpected auto-start items. 
Additional security scans came through with flying colors.&lt;/p&gt; &lt;p&gt;Then I turned my attention to their email account.&amp;nbsp; This particular email provider (unfortunately) doesn’t provide any IP-based user sign-in event logging like some other main-stream web-mail providers do. That would have provided golden information.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://support.google.com/mail/bin/answer.py?hl=en&amp;amp;answer=45938"&gt;Last account activity&lt;/a&gt; - Gmail Help&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.makeuseof.com/tag/check-if-your-gmail-is-hacked-with-activity-monitor/"&gt;Check if Your Gmail Account is Hacked with Activity Monitor&lt;/a&gt; - MakeUseOf&lt;/li&gt; &lt;li&gt;&lt;a href="http://developer.yahoo.com/blogs/ydn/posts/2011/04/yahoo-enables-monitoring-of-login-activity-for-better-account-protection/"&gt;Yahoo! Enables Monitoring of Login Activity for Better Account Protection&lt;/a&gt; - YDN Blog&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;What we did have is one overlooked original email in the “Sent” folder showing a mail time of 8:15 PM Wed night.&amp;nbsp; Neither of the couple reported being logged in on the system (or the email) at that time so it seemed fairly certain that is when the event occurred.&lt;/p&gt; &lt;p&gt;I mailed that to myself to look into the URL more later.&lt;/p&gt; &lt;p&gt;They use IE 9 and the system was fully patched. 
Flash and Java were outdated, but not too bad.&lt;/p&gt; &lt;p&gt;Based on my survey and additional questioning, it appears to me that someone had “hacked” their account using some kind of brute-force attack, then quickly composed at least one email containing a single URL to everyone in their address book.&amp;nbsp; I couldn’t find any evidence of a persistent threat on their system, and based on their feedback, I doubted a cross-site-scripting vulnerability had been involved.&lt;/p&gt; &lt;p&gt;For the really curious, here is a link to the &lt;a href="http://urlquery.net/index.php"&gt;urlQuery&lt;/a&gt; (free online URL scanner) findings from that particular URL I found: &lt;a href="http://urlquery.net/report.php?id=16168"&gt;urlQuery scan result&lt;/a&gt;. Turns out that particular link leads to a compromised (?) website serving up fake AV scanner malware via some JavaScript code.&amp;nbsp; That is why some recipients of the email were likely getting alerts when they visited the site. 
Sneaky.&lt;/p&gt; &lt;p&gt;Turns out hacking email accounts and appropriating them (even “non-maliciously”) for spamming is big business and a common event for many web-citizens.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.theatlantic.com/magazine/archive/2011/11/hacked/8673/1/"&gt;Hacked!&lt;/a&gt; - The Atlantic - James Fallows has a fantastic cautionary tale about the loss of an email account to a hack-attack.&lt;/li&gt; &lt;li&gt;&lt;a href="http://lifehacker.com/5875848/how-can-i-find-out-why-my-email-account-just-spammed-my-friends-and-family"&gt;How Can I Find Out Why My Email Account Just Spammed My Friends and Family?&lt;/a&gt; - Lifehacker post has some tips on trying to get a handle on the aftermath cleanup.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;This couple -- it turns out -- had been using a very weak password, so it probably fell pretty fast.&lt;/p&gt; &lt;p&gt;Turns out weak passwords remain a common plague.&lt;/p&gt; &lt;p&gt;&lt;a href="http://isc.sans.edu/diary.html?storyid=12310"&gt;ISC Diary | Analysis of the Stratfor Password List&lt;/a&gt; is another clear warning of this danger.&lt;/p&gt; &lt;p&gt;Steve Ragan posted a simply amazing &lt;a href="http://www.thetechherald.com/articles/Report-Analysis-of-the-Stratfor-Password-List"&gt;Report: Analysis of the Stratfor Password List&lt;/a&gt; which has crazy fascinating data on passwords and just how weak most of them were, along with his own password cracking work to show just how easily these fall.&amp;nbsp; See also: &lt;a href="http://nakedsecurity.sophos.com/2012/01/04/researchers-find-many-weak-stratfor-passwords/"&gt;Researchers find many weak Stratfor passwords&lt;/a&gt; - Naked Security.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html"&gt;A brief Sony password analysis&lt;/a&gt; - Troy Hunt’s Blog&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.tomshardware.com/news/imperva-rockyou-most-common-passwords,9486.html"&gt;Your Top 20 Most Common 
Passwords&lt;/a&gt; - Tom’s Hardware&lt;/p&gt; &lt;p&gt;And just over the weekend there was this: &lt;a href="http://blog.chron.com/techblog/2012/01/zappos-customer-info-is-breached-change-your-password-now/"&gt;Zappos customer info is breached. Change your password now! [Updated] &lt;/a&gt;- TechBlog via Chron.com&lt;/p&gt; &lt;p&gt;What is one to do? This maybe?&lt;/p&gt; &lt;p&gt;&lt;img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="z0sfabbn.qeg" border="0" alt="z0sfabbn.qeg" src="http://lh5.ggpht.com/-m_5dK8BSvJ8/TxTnCMT8O8I/AAAAAAAAA7w/UuwXstOIkxM/z0sfabbn.qeg%25255B5%25255D.png?imgmax=800" width="599" height="484"&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://xkcd.com/936/"&gt;xkcd: Password Strength&lt;/a&gt; (see also &lt;a href="http://xkcd.com/792/"&gt;xkcd: Password Reuse&lt;/a&gt;)&lt;/p&gt; &lt;p&gt;If you want a quick way to assess the complexity/strength of the passwords you may have stored in your web-browser or some Windows applications, check out the &lt;a href="http://www.nirsoft.net/utils/password_security_scanner.html"&gt;Password Security Scanner&lt;/a&gt; freeware tool by NirSoft.&lt;/p&gt; &lt;p&gt;Some highly recommended online locations to check your current password strength against are:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="https://www.microsoft.com/security/pc-security/password-checker.aspx"&gt;Password Checker: Using Strong Passwords&lt;/a&gt; - Microsoft Security&lt;/li&gt; &lt;li&gt;&lt;a href="http://howsecureismypassword.net/"&gt;How Secure Is My Password?&lt;/a&gt; - website&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.passwordmeter.com/"&gt;Password Strength Checker&lt;/a&gt; - The Password Meter&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.testyourpassword.com/"&gt;Test Your Password&lt;/a&gt; - website&lt;/li&gt; &lt;li&gt;&lt;a 
href="http://rumkin.com/tools/password/passchk.php"&gt;Strength Test&lt;/a&gt; - Rumkin.com&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Coming up with a truly secure and complex password can be a major task for some folks. And the web has no dearth of fantastic advice on the subject of what defines a strong password and how to create one.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.hanselman.com/blog/TenThingsToDoToSecureAnImportantPersonsComputerOrEvenAshtonsOrAKardashians.aspx?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+ScottHanselman+%28Scott+Hanselman+-+ComputerZen.com%29"&gt;Ten Things To Do to Secure an Important Person's Computer (or even Ashton's or a Kardashian's)&lt;/a&gt; - Scott Hanselman&lt;/li&gt; &lt;li&gt;&lt;a href="https://www.grc.com/passwords.htm"&gt;Ultra High Security Password Generator&lt;/a&gt; - GRC&lt;/li&gt; &lt;li&gt;&lt;a href="https://www.grc.com/haystack.htm"&gt;Password Haystacks: How Well Hidden is Your Needle?&lt;/a&gt; - GRC&lt;/li&gt; &lt;li&gt;&lt;a href="https://www.grc.com/ppp.htm"&gt;Flexible One-Time Password MetaSystem&lt;/a&gt; - GRC&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.schneier.com/blog/archives/2009/08/password_advice.html"&gt;Password Advice&lt;/a&gt; - Bruce Schneier’s Schneier on Security blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.wired.com/politics/security/commentary/securitymatters/2007/01/72458"&gt;Secure Passwords Keep You Safer&lt;/a&gt; - Wired Security Matters post&lt;/li&gt;&lt;/ul&gt; &lt;p align="center"&gt;&lt;a href="http://www.youtube.com/watch?v=VYzguTdOmmU" target="_new"&gt;&lt;img src="http://lh4.ggpht.com/-WcQ6zHA4jdQ/TxTnClLJw9I/AAAAAAAAA74/mz_YP8EJZrY/video192909040d74%25255B25%25255D.jpg?imgmax=800" style="border-style: none" alt=""&gt;&lt;/a&gt;&lt;br&gt;&lt;font size="1"&gt;From SophosLabs via YouTube&lt;/font&gt;&lt;/p&gt; &lt;p&gt;And just today, Lifehacker released a super-cool mega-graphic on password selection.&lt;/p&gt; &lt;p&gt;&lt;a href="http://lifehacker.com/5876541/use-this-infographic-to-pick-a-good-strong-password"&gt;Use This Infographic to Pick a Good, Strong Password&lt;/a&gt; - Lifehacker&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.troyhunt.com/"&gt;Troy Hunt&lt;/a&gt; did a series of great, in-depth posts on password selection and science that are must-reads. 
I’m liking Troy’s writing and analysis and his blog has been added to my RSS must-read feed list.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.troyhunt.com/2011/07/science-of-password-selection.html"&gt;The science of password selection&lt;/a&gt; - Troy Hunt’s Blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.troyhunt.com/2011/08/im-sorry-but-were-you-actually-trying.html#more"&gt;I’m sorry, but were you actually trying to remember your comical passwords?&lt;/a&gt; - Troy Hunt’s Blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.troyhunt.com/2011/04/bad-passwords-are-not-fun-and-good.html#more"&gt;Bad passwords are not fun and good entropy is always important: demystifying security fallacies&lt;/a&gt; - Troy Hunt’s Blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.troyhunt.com/2011/03/3-reasons-youre-forced-into-creating.html#more"&gt;The 3 reasons you’re forced into creating weak passwords&lt;/a&gt; - Troy Hunt’s Blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.troyhunt.com/2011/01/whos-who-of-bad-password-practices.html#more"&gt;Who’s who of bad password practices – banks, airlines and more&lt;/a&gt; - Troy Hunt’s Blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html#more"&gt;The only secure password is the one you can’t remember&lt;/a&gt; - Troy Hunt’s Blog&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Those last two points are my takeaways: that nothing is more frustrating than internal application or external website password policies that are weak by design and force me to use a short password, and that the best password is one so damn complex there is no way I can remember it, even under duress.&lt;/p&gt; &lt;p&gt;I prefer to use the longest password the site/application will accept based on character count. (By the way…seriously guys, place your password policy and field limits up front to make this easy to figure out!)&lt;/p&gt; &lt;p&gt;How do I come up with one? 
I use two tools: a portable password manager application that stores the passwords in an encrypted container, and a utility to generate randomized gobbledygook passwords. In fact, many password managers include a generator as a built-in feature.&lt;/p&gt; &lt;p&gt;I linked to some of the GRC random password generators earlier, but these other free portable password generation tools are great:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.cezeo.com/products/passwordsguru/"&gt;Password Guru&lt;/a&gt; - CEZEO Software - generates complex and secure passwords with rule filters for length and special characters.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.gaijin.at/en/dlpg.php"&gt;Password Generator&lt;/a&gt; - Gaijin Software - can generate up to 1000 passwords at once with advanced rule filters. Also includes a password checker to test password strength.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.securesafepro.com/pasgen.php?source=wincatalog.com"&gt;Password GeneratorXP&lt;/a&gt; - I’ve been using an earlier version of this app for a very long time. Latest version is 1.5, updated in December 2011.&amp;nbsp; Can generate random passwords up to 99 characters long! Rules allow character inclusion/exclusion and support special symbols. Super app.&lt;/li&gt; &lt;li&gt;&lt;a href="http://pwgen-win.sourceforge.net/"&gt;PWGen&lt;/a&gt; - Open-Source Password Generator for Windows using AES and SHA-2 cryptography methods. Can support passwords up to a crazy 20,000 characters in length, can be fed a wordlist file if you prefer, and can exclude “ambiguous” characters (like o and 0, l and 1, etc.). It can create up to 1,000,000 passwords at a time based on your rule patterns, or a single password instantly. 
The included manual file is great reading regarding password security in general and not just the program operation itself.&lt;/li&gt; &lt;li&gt;&lt;a href="http://passworg.badhim.com/"&gt;PassworG - Free password generator software&lt;/a&gt; - pretty simple to use but strong password generator that might be easier for some folks to use.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;So how do you manage these complex passwords?&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://keepass.info/"&gt;KeePass Password Safe&lt;/a&gt; (or) &lt;a href="http://portableapps.com/apps/utilities/keepass_portable"&gt;KeePass Password Safe Portable&lt;/a&gt; is my personal preference. It has a ton of features, is free and portable, and has a lot of options for organizing the stored records. It is the cat’s meow.&lt;/li&gt; &lt;li&gt;&lt;a href="http://passwordsafe.sourceforge.net/"&gt;Password Safe&lt;/a&gt; is a similar password keeper that comes highly recommended. The interface might be just a bit easier for some folks to take to than KeePass.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.dheone.com/"&gt;Era Password manager&lt;/a&gt; is a nice password keeper tool, again a bit simpler in interface but powerful under the hood if you go looking deeper.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.cygnusproductions.com/freeware/pc.asp"&gt;Password Corral&lt;/a&gt; by Cygnus Productions is pretty nice.&lt;/li&gt; &lt;li&gt;&lt;a href="https://github.com/zdia/gorilla/wiki/"&gt;Password Gorilla&lt;/a&gt; - See this &lt;a href="http://www.fpx.de/fp/Software/Gorilla/help.html"&gt;Using Password Gorilla&lt;/a&gt; page for an overview.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Pick at least one tool from each category and learn to use them, then use them always.&lt;/p&gt; &lt;p&gt;And for those of you who say “Claus, put all my wicked crazy passwords (from PWGen) in an encrypted database password manager (KeePass) and stick them on my USB drive for fast access? 
What if I lose it?”&lt;/p&gt; &lt;p&gt;I suppose you could create a &lt;a href="http://www.truecrypt.org/"&gt;TrueCrypt&lt;/a&gt; encrypted file, then put the encrypted KeePass database inside it…&lt;/p&gt; &lt;p&gt;Just be sure you select a different crazy complex random password for each of them.&lt;/p&gt; &lt;p&gt;And put them in another password manager for safekeeping in case you forget.&lt;/p&gt; &lt;p&gt;Cheers!&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-849332285329511289?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/849332285329511289/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=849332285329511289&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/849332285329511289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/849332285329511289'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/password-is.html' title='The Password is…'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh5.ggpht.com/-m_5dK8BSvJ8/TxTnCMT8O8I/AAAAAAAAA7w/UuwXstOIkxM/s72-c/z0sfabbn.qeg%25255B5%25255D.png?imgmax=800' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-2882809377301204413</id><published>2012-01-16T15:06:00.001-06:00</published><updated>2012-01-16T15:06:57.601-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='software'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><title type='text'>D7 - Wicked Scary Tweaking tool</title><content type='html'>&lt;p&gt;I love windows tweaking tools.&amp;nbsp; I’ve got a large collection of them reaching back into my XP days forward into Windows 8.&lt;/p&gt; &lt;p&gt;Couldn’t live without most of them.&lt;/p&gt; &lt;p&gt;However, I’ve finally met one that just downright scares me. Seriously. I’m still sitting on it wondering if I really want to get behind the wheel of this one (yeah, I do!).&lt;/p&gt; &lt;p&gt;&lt;a href="https://sites.google.com/a/obxcompguy.com/foolish-it/d7"&gt;D7&lt;/a&gt; project from &lt;a href="http://www.foolishit.com/"&gt;Foolish IT&lt;/a&gt;&lt;/p&gt; &lt;p&gt;First take a look at a ton of screenshots via this Addictive Tips post: &lt;a href="http://www.addictivetips.com/windows-tips/d7-is-all-in-one-system-backup-maintenance-repair-tweaking-tool/"&gt;D7 Is All-In-One System Backup, Maintenance, Repair &amp;amp; Tweaking Tool&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;From the &lt;a href="https://sites.google.com/a/obxcompguy.com/foolish-it/d7"&gt;D7&lt;/a&gt; homepage:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;b&gt;D7&lt;/b&gt; is a tool for PC technicians to aid in many tasks and provide a uniform procedure for technicians to follow.&amp;nbsp; It has many capabilities and many uses including but not limited to: &lt;ul&gt; &lt;li&gt;offline and live malware removal &lt;i&gt;assistance&lt;/i&gt; via many internal and 3rd party tools  &lt;li&gt;automatic download/extraction of 3rd party tools on demand when missing  &lt;li&gt;repairing Windows after malware removals  &lt;li&gt;general PC maintenance  &lt;li&gt;offline and live 
registry editing with mass search &amp;amp; delete features  &lt;li&gt;offline and live data backup  &lt;li&gt;CPU/RAM stress testing  &lt;li&gt;information gathering and quality assurance uses  &lt;li&gt;OS Branding  &lt;li&gt;IP/DNS configuration + backup &amp;amp; restore  &lt;li&gt;shortcuts to frequently used Windows components  &lt;li&gt;quick access to frequently used Windows tweaks  &lt;li&gt;numerous right-click context menu (in Windows Explorer) features for working with files and directories  &lt;li&gt;wrappers / one-click execution options for frequently used command line tools  &lt;li&gt;synchronization of Malware Scan definition files  &lt;li&gt;automatic updates of all your favorite 3rd party tools via Ketarin  &lt;li&gt;offline application of password removal tricks enabling you to gain access to password protected live systems&lt;/li&gt;&lt;/ul&gt;Too much to list here, right now at least.&amp;nbsp; &lt;/blockquote&gt; &lt;p&gt;And then it is accompanied by this warning, which I usually just merrily ignore on most tweaking tools but which gives me great pause with D7.&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;b&gt;“THIS TOOL IS INTENDED FOR EXPERIENCED PC TECHNICIANS ONLY, NOT FOR "END USERS."&amp;nbsp; This tool can be very dangerous and destructive if you don't know how to use it properly, or are inexperienced in malware removal techniques.”&amp;nbsp; &lt;/b&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Need more info before jumping in? &lt;p&gt;&lt;a href="https://sites.google.com/a/obxcompguy.com/foolish-it/d7/pics-and-vids"&gt;Pics and Vids &lt;/a&gt;via D7 page &lt;p&gt;&lt;a href="https://sites.google.com/a/obxcompguy.com/foolish-it/d7/online-manual"&gt;Online Manual&lt;/a&gt; via D7 page &lt;p&gt;According to the author it is fully portable, but there are some considerations. Please see the &lt;a href="https://sites.google.com/a/obxcompguy.com/foolish-it/d7/online-manual/setup"&gt;SETUP&lt;/a&gt; section of the online manual for a good understanding.  
&lt;p&gt;It’s a simply amazing tool for advanced sysadmins and PC techs. &lt;p&gt;Wield it with caution! &lt;p&gt;Dragons lurk here… &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-2882809377301204413?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/2882809377301204413/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=2882809377301204413&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/2882809377301204413'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/2882809377301204413'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/d7-wicked-scary-tweaking-tool.html' title='D7 - Wicked Scary Tweaking tool'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-4708563341374974351</id><published>2012-01-16T14:53:00.001-06:00</published><updated>2012-01-16T14:53:12.779-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='anti-virus software'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Microsoft Security Essentials Public Betas</title><content type='html'>&lt;p&gt;Old news by now (has it been sitting since Nov 2011).&lt;/p&gt; &lt;p&gt;Been running the x64 beta version on my home system with no ill 
effects. YMMV.&lt;/p&gt; &lt;p&gt;More info below.&lt;/p&gt; &lt;p&gt;&lt;a href="http://bink.nu/news/new-microsoft-security-essentials-beta-now-public.aspx"&gt;Bink.nu | New Microsoft Security Essentials Beta now public&lt;/a&gt; - Bink.nu&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.windows7hacker.com/index.php/2011/11/microsoft-security-essentials-4-0-beta-available-to-download/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+windows7hacker+%28windows7hacker%29"&gt;Microsoft Security Essentials 4.0 Beta Available to Download&lt;/a&gt; - Windows7hacker&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.scanwith.com/download/Microsoft_Security_Essentials.htm"&gt;Free Download Microsoft Security Essentials 4.0.1111.0 Beta&lt;/a&gt; - Free Antivirus for Windows - I found this location to download the installation files from rather than register via the Microsoft links previously provided. I did grab the files both from my Microsoft registration and these and checked them both (&lt;a href="http://www.nirsoft.net/utils/hash_my_files.html"&gt;HashMyFiles: Calculate MD5/SHA1/CRC32 hash of files&lt;/a&gt;). 
All hashes at the time matched.&lt;/p&gt; &lt;p&gt;&lt;a href="http://betanews.com/2011/12/07/windows-defender-offline-beta-lets-you-scan-windows-before-startup/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+bn+%28Betanews+Full+Content+Feed+-+BN%29"&gt;Windows Defender Offline beta lets you scan Windows before startup&lt;/a&gt; - BetaNews&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.addictivetips.com/windows-tips/windows-defender-offline-beta-create-bootable-anti-malware-disk-usb/"&gt;Windows Defender Offline Beta: Create Bootable Anti-Malware Disk/USB&lt;/a&gt; - AddictiveTips&lt;/p&gt; &lt;p&gt;&lt;a href="http://bink.nu/news/windows-defender-offline-beta.aspx?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+binkdotnu+%28Bink.nu%29"&gt;Windows Defender Offline Beta&lt;/a&gt; - Bink.nu&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.appremover.com/"&gt;AppRemover&lt;/a&gt; - OPSWAT - “Uninstall &amp;amp; Remove McAfee, Symantec, Norton, AVG, Avast &amp;amp; More Antivirus and Security Applications and Programs”&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-4708563341374974351?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/4708563341374974351/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=4708563341374974351&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/4708563341374974351'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/4708563341374974351'/><link rel='alternate' type='text/html' 
href='http://grandstreamdreams.blogspot.com/2012/01/microsoft-security-essentials-public.html' title='Microsoft Security Essentials Public Betas'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-9161443676323159377</id><published>2012-01-16T14:42:00.001-06:00</published><updated>2012-01-16T14:42:57.754-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tutorials'/><category scheme='http://www.blogger.com/atom/ns#' term='boot-cd&apos;s'/><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><title type='text'>It’s a USB Thing</title><content type='html'>&lt;p&gt;I was working on a USB project recently and needed to capture an image of a USB device for restoration.&lt;/p&gt; &lt;p&gt;That got me reviewing my pile of USB tools and looking for updates. Found some, and a bunch of new-to-me freeware USB tools.&lt;/p&gt; &lt;p&gt;Here you go.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.alexpage.de/usb-image-tool/"&gt;USB Image Tool&lt;/a&gt; - alex’s coding playground - updated to v 1.58 with some nice fixes.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.osforensics.com/tools/write-usb-images.html"&gt;ImageUSB - Write an image to multiple USB Flash Drives&lt;/a&gt; - PassMark Software - great standalone tool to make/push images of USB flash drive devices. Hard to go wrong with this one!&lt;/p&gt; &lt;p&gt;&lt;a href="http://quick.mixnmojo.com/software/usb-disk-ejector"&gt;USB Disk Ejector&lt;/a&gt; - Quick And Easy Software - This is a “cutesy” app but seems much easier to me to use than hunting in the system tray for the Windows USB device ejection method. 
Definitely makes it easier to identify the correct device when there are more than one connected and I’m rushing.&lt;/p&gt; &lt;p&gt;&lt;a href="http://deveject.com/"&gt;Dev Eject&lt;/a&gt; - Stop right now and add this one to your utility pile. Seriously. A co-worker has been having problems ejecting USB HDD devices from his XP system and turned to me to figure things out. He didn’t think he had any open calls to the device running and &lt;a href="http://www.nirsoft.net/utils/opened_files_view.html"&gt;OpenedFilesView&lt;/a&gt; didn’t report any clues either. I turned to Dev Eject and immediately found the culprit: Symantec AV seemed to be doing a file-scan (slowly) when he was ejecting the device. More info in this AddictiveTips post: &lt;a href="http://www.addictivetips.com/windows-tips/identify-processes-hindering-removable-media-ejection-with-dev-eject/"&gt;Identify Processes Hindering Removable Media Ejection With Dev Eject&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;a href="http://betanews.com/2011/11/24/use-command-line-to-safely-remove-usb-drives/"&gt;Use command line to safely remove USB drives&lt;/a&gt; by Mike Williams at BetaNews has a lot of clever tips.&lt;/p&gt; &lt;p&gt;Want lots of freeware USB tools? Serious, low level USB tools? CLI USB tools (and then some)?&lt;/p&gt; &lt;p&gt;Uwe Sieber’s got you covered! 
&lt;a href="http://www.uwe-sieber.de/drivetools_e.html"&gt;Drive Tools for Windows&lt;/a&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;RemoveDrive V2.2 - Safe removal of drives&lt;/li&gt; &lt;li&gt;RestartSrDev - restarts "Safely Removed" devices which have the "Code 21" problem code&lt;/li&gt; &lt;li&gt;EjectMedia V2.2 - ejects media from a drive&lt;/li&gt; &lt;li&gt;ReMount - reassigns mount points (change drive letters)&lt;/li&gt; &lt;li&gt;ListDosDevices&lt;/li&gt; &lt;li&gt;USB-WriteCache V0.1&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.uwe-sieber.de/usbdlm_e.html"&gt;USB Drive Letter Manager - USBDLM&lt;/a&gt; (Note: USBDLM is Freeware for private and educational (schools, colleges, universities) use only.)&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;a href="http://mt-naka.com/hotswap/index_enu.htm"&gt;HotSwap!&lt;/a&gt; - Kazuyuki Nakayama - gives a more friendly interface than the “Safely Remove Hardware” icon in the system tray does.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/usb_log_view.html"&gt;USBLogView&lt;/a&gt; - NirSoft tool that records all USB devices plugged into a system and logs them to a file.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/usb_devices_view.html"&gt;USBDeview v2.00&lt;/a&gt; - NirSoft tool to list all USB devices plugged into a system as well as all USB devices previously used (with details).&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.rmprepusb.com/"&gt;RMPrepUSB&lt;/a&gt; - Tool to partition and format a USB drive and make it bootable. Free for private use only. If you know what you are doing, this tool isn’t needed, but it goes a long way to helping newbies and the author has a large number of tutorials as well. 
More here: &lt;a href="http://agnipulse.com/2010/04/rmprepusb-amazing-usb-formatting-tool/"&gt;RMPrepUSB – Amazing USB Formatting Tool!&lt;/a&gt; - post from AgniPulse,&lt;a href="http://www.thewindowsclub.com/rmprepusb-install-windows-usb-speed-up"&gt;RMPrepUSB : Install Windows on USB, Speed up USB and do more with it&lt;/a&gt; via The Windows Club and &lt;a href="http://www.addictivetips.com/windows-tips/rmprepusb-create-bootable-windows-linux-usb-test-rw-speed-more/"&gt;RMPrepUSB: Create Bootable Windows/Linux USB, Test R/W Speed &amp;amp; More&lt;/a&gt; post via AddictiveTips.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.addictivetips.com/windows-tips/how-to-create-customizable-multiboot-system-rescue-disk/"&gt;How To Create Customizable Multiboot System Rescue Disk&lt;/a&gt; - AddictiveTips post on using &lt;a href="http://www.sarducd.it/"&gt;SARDU&lt;/a&gt; builder to make a multiboot USB tool.&lt;/p&gt; &lt;p&gt;Cheers.&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-9161443676323159377?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/9161443676323159377/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=9161443676323159377&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/9161443676323159377'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/9161443676323159377'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/its-usb-thing.html' title='It’s a USB Thing'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-1855422892023513747</id><published>2012-01-16T14:15:00.001-06:00</published><updated>2012-01-16T14:15:03.658-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='graphics'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><title type='text'>Taking a quick shot at Screen Shot apps</title><content type='html'>&lt;p&gt;&lt;img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="x1djkgai.gvt" border="0" alt="x1djkgai.gvt" src="http://lh6.ggpht.com/-s_Ao3MYsr5M/TxSFRmbDzLI/AAAAAAAAA7o/hw5DJXcqIh0/x1djkgai.gvt%25255B5%25255D.png?imgmax=800" width="644" height="269"&gt;&lt;/p&gt; &lt;p&gt;There are a LOT of Windows tools for taking screen shot captures. Lots and lots.&lt;/p&gt; &lt;p&gt;It seems each time I learn about a new one it gets added to my pile. However I keep rotating back to a couple of dependable ones.&lt;/p&gt; &lt;p&gt;IMHO &lt;a href="http://www.faststone.org/FSCaptureDetail.htm"&gt;FastStone Screen Capture&lt;/a&gt; truly is “The Best Screen Capture Software” out there. It’s been a while since FastStone pulled the “free” from this tool after version 5.3. That’s too bad as I really, really like this tool and the built-in editing tools are wicked sharp. Still, I have to mention it because it is that good. 
The freeware v5.3 doesn’t seem to play well on Win7 x64 systems so now I have had to move on to…&lt;/p&gt; &lt;p&gt;&lt;a href="http://getgreenshot.org/"&gt;Greenshot&lt;/a&gt; has now taken over as a must-install freeware screen capture app on my systems. It has most of the same features as the FastStone tool, but the editing tools aren’t quite as polished. That said, it is very stable, does excellent captures on Win7 systems (x32/x64) and has been promoted to a “run-on-startup” position on my system…a VERY rare honor here at GSD. Image above captured via Greenshot.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.xtremeshot.net/index.html"&gt;Xtreme Shot!&lt;/a&gt; is pretty cool also and includes those must-have post-grab editing features I demand. Check it out and compare against Greenshot.&lt;/p&gt; &lt;p&gt;More? Check out this older &lt;a href="http://grandstreamdreams.blogspot.com/2010/01/mega-linkfest-dog-pile-style.html"&gt;grand stream dreams: Mega Linkfest – Dog-pile Style&lt;/a&gt; that has eleven screen shot tools listed.&lt;/p&gt; &lt;p&gt;Moving deeper into the “to be blogged” linkpile now…&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-1855422892023513747?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/1855422892023513747/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=1855422892023513747&amp;isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/1855422892023513747'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/1855422892023513747'/><link rel='alternate' type='text/html' 
href='http://grandstreamdreams.blogspot.com/2012/01/taking-quick-shot-at-screen-shot-apps.html' title='Taking a quick shot at Screen Shot apps'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh6.ggpht.com/-s_Ao3MYsr5M/TxSFRmbDzLI/AAAAAAAAA7o/hw5DJXcqIh0/s72-c/x1djkgai.gvt%25255B5%25255D.png?imgmax=800' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-2835767430538686806</id><published>2012-01-16T13:59:00.001-06:00</published><updated>2012-01-16T13:59:54.862-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='video'/><category scheme='http://www.blogger.com/atom/ns#' term='photography'/><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='graphics'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='hardware'/><title type='text'>Digital Image\Video Resources</title><content type='html'>&lt;p&gt;Little bro recently made a Christmas contribution to the “Claus-needs-a-new-hobby” campaign.&lt;/p&gt; &lt;p&gt;While a portion of it does involve me staying up much later each night now (like I needed that bad-habit) reading George R. R. 
Martin's “Game of Thrones” series on my Kindle, the most recent focus is the coming addition of a &lt;a href="http://usa.canon.com/cusa/consumer/products/cameras/digital_cameras/powershot_s95"&gt;Canon PowerShot S95&lt;/a&gt; to my photography tools.&lt;/p&gt; &lt;p&gt;For the longest time I have been seriously looking at the newer digital rangefinder class of cameras and the &lt;a href="http://www.amazon.com/Olympus-Interchangeable-Lens-14-42mm-Silver/dp/B002CGSYKS/ref=sr_1_3?s=electronics&amp;amp;ie=UTF8&amp;amp;qid=1326742708&amp;amp;sr=1-3"&gt;Olympus PEN E-P1&lt;/a&gt; (Amazon link) fell into my price-point. I’ve yearned for this one for some time, however this particular model has been updated several times (more $$) and the &lt;a href="http://www.amazon.com/Canon-PowerShot-S95-Stabilized-3-0-Inch/dp/B003ZSHNGS/ref=sr_1_2?s=photo&amp;amp;ie=UTF8&amp;amp;qid=1326340631&amp;amp;sr=1-2"&gt;Canon PowerShot S95&lt;/a&gt; (Amazon link) was in the same range (price-wise). Though it also has a newer version, this one just seemed to have many more features (do I really need 1080p video when the S95’s 720p only video may never get used either?).&lt;/p&gt; &lt;p&gt;In the end it was the collection of &lt;a href="http://www.flickr.com/groups/canonpowershot_s95/"&gt;Flickr: Canon PowerShot S95&lt;/a&gt; group photos that sold me on it along with the smaller (pocket/backpack) format over the E-P1. It came down to me being honest with myself. I can’t take good pictures and improve my technique if I don’t carry the camera with me almost all times to take pictures to begin with…and the S95 is much more pocketable (and less imposing when in use) than the E-P1 or my Canon Rebel XT DSLR. 
So, photography links on the sidebar have been amended to remove the PEN and add the S95.&lt;/p&gt; &lt;p&gt;Hope to share some pics from it soon.&lt;/p&gt; &lt;p&gt;So, that leads us into these great digital imaging tools I’ve found recently (or that have been updated).&lt;/p&gt; &lt;p&gt;&lt;a href="http://research.microsoft.com/en-us/um/redmond/groups/ivm/ice/"&gt;Microsoft Research Image Composite Editor (ICE)&lt;/a&gt; - This remains my favorite image-stitching tool. Can also handle video stitching techniques: &lt;a href="http://hdview.wordpress.com/2011/04/05/microsoft-ice-updatevideo-to-panorama-lens-vignette-improved-blending/"&gt;Microsoft ICE update–video to panorama, lens vignette, improved blending&lt;/a&gt; - HD View&lt;/p&gt; &lt;p&gt;&lt;a href="http://hugin.sourceforge.net/"&gt;Hugin - Panorama photo stitcher&lt;/a&gt; - This is a new-to-me project. It looks a lot more sophisticated than ICE, so I’m looking forward to trying it out as well. It has a lot of control.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.scarablabs.com/scarab-darkroom"&gt;Scarab Darkroom&lt;/a&gt; - Beta version is free. From the page: “Scarab Darkroom is a digital camera raw file converter/photo editor that supports most raw format capable cameras from Canon, Nikon, Olympus, Panasonic, Pentax, Samsung, and Sony. It is fast, easy to use, and produces excellent results. Development is still at the beta version stage.”&amp;nbsp; My S95 has Raw+JPEG shooting format…. 
More here at AddictiveTips: &lt;a href="http://www.addictivetips.com/windows-tips/edit-and-convert-raw-image-to-jpg-with-scarab-darkroom/"&gt;Edit And Convert RAW Images To JPG With Scarab Darkroom&lt;/a&gt;&lt;/p&gt; &lt;p&gt;It’s been a while since I last posted a roundup of freeware video editing tools: &lt;a href="http://grandstreamdreams.blogspot.com/2009/07/video-editing-resource-roundup.html"&gt;grand stream dreams: Video-Editing Resource Roundup&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Here are some new links: &lt;a href="http://www.thewindowsclub.com/free-video-editing-software-download-windows?utm_source=rss&amp;amp;utm_medium=rss&amp;amp;utm_campaign=free-video-editing-software-download-windows"&gt;Top 3 free video editing software for Windows 7&lt;/a&gt; via The Windows Club links to &lt;a href="http://fixounet.free.fr/avidemux/download.html"&gt;Avidemux&lt;/a&gt;, &lt;a href="http://virtualdub.org/download.html"&gt;VirtualDub&lt;/a&gt;, and &lt;a href="http://videospin.com/Redesign/"&gt;VideoSpin&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;What amazes me is that the pro-class &lt;a href="http://www.lightworksbeta.com/"&gt;Lightworks&lt;/a&gt; Open Source Project (free!) for video editing never seems to come up. It is incredible. Is it too complicated? 
I’m looking forward to shooting some 720p video to experiment with the application.&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/2835767430538686806/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=2835767430538686806&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/2835767430538686806'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/2835767430538686806'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/digital-imagevideo-resources.html' title='Digital Image\Video Resources'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-4966437675802716676</id><published>2012-01-16T13:33:00.001-06:00</published><updated>2012-01-16T13:33:09.285-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><title type='text'>File and Folder Linkfest</title><content type='html'>&lt;p&gt;As we continue the dig-out over here at the Valca link farm we now must turn attention to file and folder management tools.&lt;/p&gt; &lt;p&gt;&lt;a href="http://trackfolderchanges.codeplex.com/"&gt;Track Folder Changes&lt;/a&gt; - CodePlex project page - really clever tool 
still in development that shows (real-time) as files/folders are being changed for a specific folder/directory to be monitored. Nice GUI. More information at &lt;a href="http://www.windows7hacker.com/index.php/2011/11/track-folder-changes-in-real-time"&gt;Track Folder Changes in Real Time&lt;/a&gt; Windows7hacker post and &lt;a href="http://www.freewaregenius.com/2011/11/12/track-changes-to-folders-with-track-folder-changes/"&gt;Track changes to folders with Track Folder Changes&lt;/a&gt; post at freewaregenius.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/search_my_files.html"&gt;SearchMyFiles&lt;/a&gt; - NirSoft - Soo love this tool! It’s one of my must-haves for file-finding.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.voidtools.com/"&gt;Everything Search Engine&lt;/a&gt; - Love this one too. Wicked fast but does it by building its own index database. Doesn’t search within files; just file/folder names.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.jam-software.com/ultrasearch/?language=EN"&gt;UltraSearch - Freeware for Ultra-Fast File Search&lt;/a&gt; - JamSoftware - A bit like Everything but doesn’t build an index database; rather it relies on the MFT. Comes with a portable version.&lt;/p&gt; &lt;p&gt;&lt;a href="http://locate32.net/component/option,com_frontpage/Itemid,1/"&gt;Locate32 Web Site&lt;/a&gt; - Another nice free Windows file indexing application.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.irnis.net/soft/xfff/"&gt;eXpress FreshFiles Finder&lt;/a&gt; - Super-great tool to quickly find the “freshest” files on a system.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.topsoftwaresite.nl/"&gt;FileProcessor&lt;/a&gt; - really powerful tool to find files as well as perform a number of actions on those found files. 
More info via AddictiveTips: &lt;a href="http://www.addictivetips.com/windows-tips/fileprocessor-set-filters-search-perform-batch-actions-on-files/"&gt;FileProcessor: Set Filters, Search &amp;amp; Perform Batch Actions On Files&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.uderzo.it/main_products/space_sniffer/index.html"&gt;SpaceSniffer&lt;/a&gt; - Love it to visualize space usage on drives.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.allsync.biz/en_getfoldersize.htm"&gt;GetFolderSize&lt;/a&gt; - Interesting tool for scanning file/folder size usage on drives. Different GUI but pretty cool! Spotted via &lt;a href="http://www.windows7hacker.com/index.php/2011/11/getfoldersize-to-determine-the-size-of-folders-on-your-hard-drive"&gt;GetFoldersize to Determine the Size of Folders on Your Hard Drive&lt;/a&gt; - Windows7hacker.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.sulaco.co.za/downloads.htm"&gt;FolderSize&lt;/a&gt; - Jan Horn’s tiny but quick app for folder size reporting.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.novirusthanks.org/download/"&gt;NoVirusThanks Freeware tools&lt;/a&gt; - interesting tools (free and commercial) for Windows system monitoring. Good overview on them here: &lt;a href="http://www.softwarecrew.com/2011/12/novirusthanks-releases-four-handy-system-monitoring-tools-as-freeware/"&gt;NoVirusThanks releases four handy system monitoring tools as freeware&lt;/a&gt; - Softwarecrew.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.cgsecurity.org/wiki/TestDisk"&gt;TestDisk - CGSecurity&lt;/a&gt; - Now at Version 6.13 for file/disk recovery.&lt;/p&gt; &lt;p&gt;&lt;a href="http://odin-win.sourceforge.net/"&gt;ODIN - Open Disk Imager for Windows&lt;/a&gt; - interesting GUI/CLI based tool for drive backup and imaging. 
More info via AddictiveTips: &lt;a href="http://www.addictivetips.com/windows-tips/backup-restore-and-verify-disk-images-with-odin/"&gt;Backup, Restore And Verify Disk Images With ODIN&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.hardwipe.com/"&gt;Hardwipe | File &amp;amp; Drive Wiper&lt;/a&gt; - GSD has had a number of posts already regarding file/drive wiping but this new-to-me tool is worth mentioning here. More info via AddictiveTips: &lt;a href="http://www.addictivetips.com/windows-tips/easily-wipe-clean-files-folders-and-hard-drives-with-hardwipe/"&gt;Easily Wipe &amp;amp; Clean Files, Folders And Hard Drives With Hardwipe&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.hexacorn.com/blog/2011/12/19/forensic-riddle-5-answer-2/"&gt;Forensic Riddle #5 – Answer&lt;/a&gt; - Hexacorn Blog has been posting a series of great puzzlers; this one leads us to this clever Microsoft resource: &lt;a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa365247%28v=vs.85%29.aspx"&gt;Naming Files, Paths, and Namespaces&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;a href="http://winaero.com/download.php?view.16"&gt;TakeOwnershipEx&lt;/a&gt; - WinAero - GUI tool that allows you to get full access to files and folders. 
More info via AddictiveTips: &lt;a href="http://www.addictivetips.com/windows-tips/take-ownership-of-files-and-folders-in-windows-8/"&gt;Take Ownership Of Files And Folders In Windows 8&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;a href="http://dbc-studio.blog.163.com/blog/static/75751050201141683429667/"&gt;NTFS Permissions Tools 最新进展 (ver 1.0.0.45078 RC1 (2011-06-14))&lt;/a&gt; - Site is Chinese but AddictiveTips has the lowdown on usage here: &lt;a href="http://www.addictivetips.com/windows-tips/allocate-ntfs-permissions-easily-with-ntfs-permissions-tool/"&gt;Allocate NTFS Permissions Easily With NTFS Permissions Tool&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;a href="http://sourceforge.net/projects/kickassundelete/files/Kickass%20Undelete%201.2%20beta/"&gt;Kickass Undelete - Browse /Kickass Undelete 1.2 beta&lt;/a&gt; - SourceForge.net - I really like this tool for file recovery. It’s not an all-in-one recovery tool, but is another great utility to keep on your response toolbelt.&lt;/p&gt; &lt;p&gt;&lt;a href="http://winaero.com/comment.php?comment.news.8"&gt;WinAero: Librarian&lt;/a&gt; - powerful libraries manager for Windows 7. Slick interface and easy tool to use.&lt;/p&gt; &lt;p&gt;&lt;a href="http://bexplorer.codeplex.com/"&gt;BExplorer (Better Explorer)&lt;/a&gt; - CodePlex - I want to like this project very much. I’m not feeling the love of the existing Windows 7 explorer menu-bar and this would go a long way to making it more powerful to use. However I’ve also had stability/installation issues on both Win7 x32/x64 systems so while it is on my “watch-list” it isn’t yet installed on my system.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.freecommander.com/"&gt;FreeCommander&lt;/a&gt; - This alternative dual-pane Windows file manager remains top-of-the-heap on my systems. It is required usage here at GSD. I’ve still not found a better alternative though many come close. The developer is hard at work on a new version and the betas look very slick and powerful. 
Whenever the final public release of that one comes out.&lt;/p&gt; &lt;p&gt;&lt;a href="http://myco.yonan.ro/?page_id=202"&gt;My Commander&lt;/a&gt; - The interface on this one looks remarkably similar to FreeCommander. It comes in both 32-bit and 64-bit flavors. It is quite nice and would probably be a close runner-up.&lt;/p&gt; &lt;p&gt;&lt;a href="http://xiles.net/nexusfile/"&gt;NexusFile: File Manager for Windows&lt;/a&gt; - This is one with GUI attitude. Want a nice “dark” look? This is it.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.explorerplusplus.com/"&gt;Explorer++&lt;/a&gt; - I like this one as a USB stick alternative. Constantly updated and in both x32/x64 flavors it is a single EXE file which makes it nicely portable.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.alterion.us/a43/"&gt;A43&lt;/a&gt; - this was my original love in alternative Windows file managers. It remains alive in development and has a lot of handy plugins in a format that others don’t seem to offer. Check it out.&lt;/p&gt; &lt;p&gt;Cheers!&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/4966437675802716676/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=4966437675802716676&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/4966437675802716676'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/4966437675802716676'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/file-and-folder-linkfest.html' title='File and 
Folder Linkfest'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-8040243695874918751</id><published>2012-01-16T12:56:00.001-06:00</published><updated>2012-01-16T12:56:23.911-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Blogger'/><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><title type='text'>Utility Updates</title><content type='html'>&lt;p&gt;Quick linkfest running down some old tools updated and new tools discovered.&lt;/p&gt; &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb963902"&gt;Autoruns v11.21&lt;/a&gt;: This update to Autoruns fixes a number of minor bugs, including one that could result in a crash when certain scheduled tasks are configured. Microsoft Sysinternals.&lt;/p&gt; &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896653"&gt;Process Explorer v15.12&lt;/a&gt;: This update to Process Explorer makes the search dialog asynchronous and reports the types of found items. It also fixes several bugs, including showing a small font when run after an older version, a bug in the restart-process functionality, working set columns not showing data, and again shows information about service processes when run from an unprivileged user account. Microsoft Sysinternals.&lt;/p&gt; &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb897439"&gt;Strings v2.42&lt;/a&gt;: This Strings release fixes a bug that would result in a crash when the -n or -b options are specified without a file name. 
Microsoft Sysinternals.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.technet.com/b/markrussinovich/archive/2011/11/29/3467449.aspx"&gt;Mark’s Blog: Case of the Installer Service Error&lt;/a&gt;: Follow along with Mark in another of his popular ‘Case of the Unexplained’ troubleshooting examples where he retraces the steps of a network administrator that used Process Monitor to figure out why the Windows Intune installer failed on one of his systems and goes on to fix the problem.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.technet.com/b/markrussinovich/archive/2012/01/05/3473797.aspx"&gt;Mark’s Blog: The Case of My Mom’s Broken Microsoft Security Essentials Installation&lt;/a&gt;: Mark goes deep with the Sysinternals tools to fix a corrupt installation of MSE on his mom’s PC over the holidays.&lt;/p&gt; &lt;p&gt;&lt;a href="http://csved.sjfrancke.nl/"&gt;CSVed 2.2.1&lt;/a&gt; - Now at 2.2.1 version.&amp;nbsp; See also NirSoft’s &lt;a href="http://www.nirsoft.net/utils/csv_file_view.html"&gt;CSVFileView&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.piriform.com/blog/2011/12/21/ccleaner-v314"&gt;CCleaner v3.14&lt;/a&gt; - Piriform - System cleaner&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.piriform.com/blog/2011/12/1/recuva-v142"&gt;Recuva v1.42&lt;/a&gt; - Piriform - File recovery tool&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.piriform.com/blog/2011/11/24/speccy-v114"&gt;Speccy v1.14&lt;/a&gt; - Piriform - System information collector&lt;/p&gt; &lt;p&gt;&lt;a href="http://singularlabs.com/software/ccenhancer/"&gt;CCEnhancer&lt;/a&gt; - v 2.5 - SingularLabs - plugin for CCleaner adding support for over 500 additional apps.&lt;/p&gt; &lt;p&gt;&lt;a href="http://singularlabs.com/software/javara/"&gt;JavaRa&lt;/a&gt; - v 1.16 - SingularLabs - not updated but great tool to remove old/redundant versions of JRE.&amp;nbsp; Now under development is &lt;a href="http://singularlabs.com/2011/12/16/javara-2-0-alpha-build-available/"&gt;JavaRa 2.0 alpha build&lt;/a&gt; which includes 
updating, removal and some additional bells-n-whistles.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.wecode.biz/p/alternative-flash-player-auto-updater.html"&gt;Wecode.biz: Alternative Flash Player Auto-Updater&lt;/a&gt; - interesting tool to help update Adobe Flash Player. The latest builds of Flash Player do have an auto-updating feature baked in but it doesn’t (to me) seem to fire off and find newer builds as quickly as I would like to see. This is an alternative that might work well on friends and family PC’s.&lt;/p&gt; &lt;p&gt;&lt;a href="http://isc.sans.edu/diary.html?storyid=12166&amp;amp;rss"&gt;ISC Diary | Newest Adobe Flash 11.1.102.55 and Previous 0 Day Exploit&lt;/a&gt; - Why keeping Flash updated is important…as if we didn’t need a reminder.&lt;/p&gt; &lt;p&gt;&lt;a href="http://crystalmark.info/?lang=en"&gt;Crystal Dew World&lt;/a&gt; - lots of updates here including CrystalDiskInfo and CrystalDiskMark&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/application_crash_report.html"&gt;WinCrashReport - Displays a report about crashed Windows application&lt;/a&gt; - New NirSoft tool. See also this post by Nir Softer himself: &lt;a href="http://blog.nirsoft.net/2011/08/26/new-crash-reporting-utility-for-windows/"&gt;New crash reporting utility for Windows&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nucleustechnologies.com/pst-viewer.html"&gt;PST Viewer - Free tool to open and view content of PST files without Ms Outlook&lt;/a&gt; - Kernel Data Recovery. See also this review: &lt;a href="http://betanews.com/2011/09/12/gave-up-microsoft-outlook-but-need-your-pst-file-theres-an-app-for-that/"&gt;Gave up Microsoft Outlook but need your PST file? There's an app for that&lt;/a&gt; - BetaNews. I like this tool in that when I recently had to &lt;a href="http://www.cgsecurity.org/wiki/PhotoRec"&gt;carve the PST files off a nuked HDD&lt;/a&gt; to recover an end-user’s PST files, I got a ton of them. 
Rather than mounting each one to a working Outlook client profile, I just fired up this tool to inspect them with the user to find out which ones we wanted to attach and which ones were duplicates. Saved a boat-load of time. Could be good for incident responders as well.&lt;/p&gt; &lt;p&gt;&lt;a href="https://blog.mandiant.com/archives/1936"&gt;Highlighter v1.1.3 Released&lt;/a&gt; - Mandiant M-unition blog notice. &lt;a href="http://www.mandiant.com/products/free_software/highlighter/"&gt;Download link&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://sourceforge.net/projects/batchcompiler/"&gt;Download Batch Compiler&lt;/a&gt; - SourceForge - You need to install on a system (not portable) but still could be a great resource for building more complex batch files. See more info here at AddictiveTips: &lt;a href="http://www.addictivetips.com/windows-tips/batch-compiler-create-batch-scripts-convert-them-to-exe-format/"&gt;Batch Compiler: Create Batch Scripts &amp;amp; Convert Them To EXE Format&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.splashtop.com/remote"&gt;Splashtop Remote Desktop&lt;/a&gt; - interesting new tool for remote connection management. 
See this &lt;a href="http://www.windows7hacker.com/index.php/2012/01/splashtop-is-a-better-alternative-to-windows-rdp/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+windows7hacker+%28windows7hacker%29"&gt;Splashtop Is A Better Alternative To Windows RDP&lt;/a&gt; at Windows7hacker blog.&lt;/p&gt; &lt;p&gt;&lt;a href="http://wlwbackup.codeplex.com/"&gt;Windows Live Writer Backup&lt;/a&gt; - Codeplex project page - See this &lt;a href="http://www.windows7hacker.com/index.php/2011/12/windows-live-writer-backup/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+windows7hacker+%28windows7hacker%29"&gt;Windows Live Writer Backup&lt;/a&gt; post at Windows7hacker blog.&lt;/p&gt; &lt;p&gt;Cheers!&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/8040243695874918751/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=8040243695874918751&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8040243695874918751'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8040243695874918751'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/utility-updates.html' title='Utility Updates'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' 
src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-6378825049371741302</id><published>2012-01-16T12:33:00.001-06:00</published><updated>2012-01-16T12:33:16.261-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='graphics'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>EXIF/meta-data Linkage</title><content type='html'>&lt;p&gt;Been sitting on these for a while (sigh).&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.metabilitysoftware.com/"&gt;Metability Software&lt;/a&gt; is building a really cool and powerful tool to work with and explore EXIF data in images. &lt;a href="http://www.metabilitysoftware.com/products/filemind-professional.html"&gt;FileMind Professional&lt;/a&gt;. It has a really nice tabbed main workspace and supports importing/exporting and reporting of EXIF data. I’m using the current (free) &lt;a href="http://www.metabilitysoftware.com/products/beta-lounge.html"&gt;Beta Software&lt;/a&gt; version and it rocks.&lt;/li&gt; &lt;li&gt;They also offer a cool little freeware app &lt;a href="http://www.metabilitysoftware.com/products/filemind-quickfix.html"&gt;FileMind QuickFix&lt;/a&gt; which can strip out sensitive EXIF data before posting photo files to the web. Check it out.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.photome.de/home_en.html"&gt;PhotoME - Exif, IPTC &amp;amp; ICC Metadata Editor&lt;/a&gt; is another free tool which can be used to show/display meta-data of image files. It is exceptionally well-rounded and has been around for a long time. 
Hat-tip to AddictiveTips for their post which led me to it: &lt;a href="http://www.addictivetips.com/windows-tips/photome-lets-you-view-analyze-and-edit-image-exif-iptc-metadata/"&gt;PhotoMe Lets You View, Analyze and Edit Image EXIF &amp;amp; IPTC Metadata&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.digitalconfidence.com/downloads.html"&gt;BatchPurifier LITE - Free Metadata Removal Tool&lt;/a&gt; - Another free tool to remove meta-data from files in batch.&amp;nbsp; See a review at AddictiveTips: &lt;a href="http://www.addictivetips.com/windows-tips/batch-remove-image-jpeg-metadata-with-batchpurifier-lite/"&gt;Batch Remove Image/JPEG Metadata With BatchPurifier Lite&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://translate.google.com/translate?rurl=translate.google.com&amp;amp;sl=auto&amp;amp;tl=en&amp;amp;twu=1&amp;amp;u=http://www.kula-shaker.ru/autojpegtrunk-english"&gt;AutoJpegTrunk (Google Translated)&lt;/a&gt; - very simple freeware tool/wrapper for ExifTool by Phil Harvey to clean meta-data. Again spotted at AddictiveTips: &lt;a href="http://www.addictivetips.com/windows-tips/autojpegtrunk-exiftool-based-utility-to-batch-remove-image-meta-data/"&gt;AutoJpegTrunk: ExifTool-Based Utility To Batch Remove Image Meta Data&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.sno.phy.queensu.ca/~phil/exiftool/"&gt;ExifTool by Phil Harvey&lt;/a&gt; - freeware awesomeness for the core tool of all things meta-data handling.&lt;/li&gt; &lt;li&gt;Need more? 
see these &lt;a href="http://www.sno.phy.queensu.ca/%7Ephil/exiftool/#links"&gt;Additional Resources&lt;/a&gt; on Phil Harvey’s page.&lt;/li&gt; &lt;li&gt;&lt;a href="http://vinetto.sourceforge.net/"&gt;Vinetto : a forensics tool to examine Thumbs.db files&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://cfed-ttf.blogspot.com/2007/12/vinetto-thumbs-db-parserviewer.html"&gt;Vinetto - A Thumbs DB Parser/Viewer&lt;/a&gt; - Computer Forensics/E-Discovery Tips/Tricks and Information blog - includes info to get it running on Win32 as well as a built Win32 copy of Mark McKinnon’s work.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Why do we care about meta-data (examining and/or purging)?&lt;/p&gt; &lt;p&gt;Well for starters “dere’s gold in dem dere hills!”&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.securityaegis.com/stealing-gps-data-from-images-in-pentests/"&gt;Stealing GPS Data from Images in Pentests&lt;/a&gt; - Security Aegis&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.knowyourfiles.com/2011/06/strip-your-images-not-yourself/"&gt;Strip your Images, not Yourself&lt;/a&gt;- Metability Software blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.knowyourfiles.com/2011/05/what-the-situation-room-really-shows/"&gt;What the Situation Room REALLY Shows…&lt;/a&gt;- Metability Software blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.knowyourfiles.com/"&gt;Know Your Files&lt;/a&gt; - Metability Software blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.craigball.com/metadata.pdf"&gt;Beyond Data about Data: The Litigator's Guide to Metadata&lt;/a&gt; [PDF] 2005 - found via e-evidence.info&lt;/li&gt; &lt;li&gt;&lt;a 
href="https://encrypted.google.com/url?sa=t&amp;amp;rct=j&amp;amp;q=walker%2C%20jessica%20m.%20what%27s%20a%20little%20metadata%20mining%20between%20colleagues%3F&amp;amp;source=web&amp;amp;cd=3&amp;amp;ved=0CC8QFjAC&amp;amp;url=http%3A%2F%2Fdocdet.mantech.com%2Fdocdet%2Farchive%2FWhat%2527s%2520a%2520Little%2520Metadata%2520Mining%2520Between%2520Colleagues.pdf&amp;amp;ei=I2wUT-37FIb22gXcp4DGCQ&amp;amp;usg=AFQjCNFrKxIov_C8gQWv4mMJrEhKSCaRqw"&gt;What's a Little Metadata Mining Between Colleagues&lt;/a&gt; [PDF] 2006 - Jessica M. Walker found via e-evidence.info&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.cerias.purdue.edu/news_and_events/events/symposium/2007/materials/pdfs/E26-CF9.pdf"&gt;Mobile Phones: Digital Photo Metadata&lt;/a&gt; [PDF Poster] 2007 - found via e-evidence.info. Note link to the “&lt;a title="http://www.windows-ir.com/Carvey_gmu2005.zip" href="http://Carvey_gmu2005.zip"&gt;Carvey_gmu2005.zip&lt;/a&gt;” file is broken so either it got moved or dropped. Maybe Harlan can repost or share the updated link? I’d love to see it.&lt;/li&gt; &lt;li&gt;&lt;a href="http://windowsir.blogspot.com/2005/08/gmu2005-presentations-updated.html"&gt;GMU2005 presentations&lt;/a&gt; [Zipped PP Presentations] August 2005 -Harlan Carvey - Topics: The Windows Event Log file format; Tracking USB storage devices across Windows systems; File/document metadata. 
&lt;/li&gt; &lt;li&gt;&lt;a href="http://windowsir.blogspot.com/2011/07/updates.html"&gt;Windows Incident Response: Updates&lt;/a&gt; - Quoting Keydet89 from the linked post:&lt;/li&gt;&lt;/ul&gt; &lt;blockquote&gt; &lt;p&gt;“Did you map all of the USB removable storage devices that had been connected to the system?&amp;nbsp; You don't need to have the management software installed to copy images and videos (hint, hint) off of a phone...just connect it via a USB cable and copy the images (which will likely have some very useful &lt;a href="http://www.sno.phy.queensu.ca/%7Ephil/exiftool/"&gt;EXIF&lt;/a&gt; data available).”&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;In addition, there are a number of freeware (and $-$$$$) image viewers/tools that also include meta-data handling embedded in them. This post is focused on meta-data specific tools. I’ll post linkage on some of the other applications that are more in this latter class soon.&lt;/p&gt; &lt;p&gt;Cheers.&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/6378825049371741302/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=6378825049371741302&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/6378825049371741302'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/6378825049371741302'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/exifmeta-data-linkage.html' title='EXIF/meta-data 
Linkage'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-7127184314841168489</id><published>2012-01-16T11:36:00.001-06:00</published><updated>2012-01-16T11:36:04.726-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting'/><category scheme='http://www.blogger.com/atom/ns#' term='tutorials'/><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Active Directory'/><title type='text'>Active Directory Linkfest</title><content type='html'>&lt;p&gt;I’m working hard at getting up to speed on the whole Microsoft Active Directory thing.&lt;/p&gt; &lt;p&gt;Until lately, I’ve not had either the need nor the opportunity to get heavily involved in supporting customers in a full-blown AD environment. Sure, there are some basic “foundational" things I’ve been able to pick up and use, but now we are moving forward into a brave new world and I gotta kick up my expertise a bit. 
I’ve already purchased and am working through this excellent &lt;a href="http://www.amazon.com/Active-Directory-Designing-Deploying-Running/dp/059652059X/ref=pd_sim_b_1"&gt;Active Directory: Designing, Deploying, and Running Active Directory, Fourth Edition&lt;/a&gt; (Amazon.com link) book to get the ball rolling.&lt;/p&gt; &lt;p&gt;So expect a few more AD-related posts around here…at least on the front end they will be more resource linking related as I fill out my virtual bookshelf.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/download/en/details.aspx?id=20092"&gt;Group Policy for Beginners&lt;/a&gt; - Microsoft Download Center - Great MS Word file to introduce basic Group Policy concepts.&lt;/li&gt; &lt;li&gt;&lt;a href="http://learnthat.com/2008/07/introduction-to-active-directory/"&gt;Introduction to Active Directory&lt;/a&gt; - Learnthat.com - Nice heavily illustrated tutorial on Active Directory basics.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/download/en/search.aspx?q=active%20directory"&gt;Active Directory Search Results&lt;/a&gt; - Microsoft Download Center. Lots and lots of documents, tools and tips.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/events/series/adaug.aspx?tab=virtuallabs"&gt;Microsoft Events (Beta)&lt;/a&gt; - Amazing Microsoft site chock-full of awesome webcasts, podcasts, and virtual training sessions. All categorized, searchable, and level-rated.&amp;nbsp; Note the only “gotcha” is that the site seems to be driven by Silverlight and is very Internet Explorer dependent. 
Don’t hop to these pages in another browser unless it can render with an IE engine.&lt;/li&gt; &lt;li&gt;&lt;a href="http://events.microsoft.com/Pages/Home.aspx?k=active%20directory&amp;amp;cs=This%20Site&amp;amp;u=https%3A%2F%2Fevents.microsoft.com#m=;r=0;s=;yourrole=2;eventtype=2;level=2;timelength=2;v=list;pi=;mi=;si=;ai="&gt;Active Directory Related Pages&lt;/a&gt; - Microsoft Events - honed down to just AD items.&amp;nbsp; I’ve got a lot of work here.&amp;nbsp; For example, there is this &lt;a href="https://www.microsoft.com/resources/virtuallabs/step2-technet.aspx?LabId=08b57649-2fd1-4d28-ae29-1425049d4346&amp;amp;BToken=ex"&gt;Migrating from Novell NetWare to Windows Server 2003&lt;/a&gt; item, which you can eventually dig up and which includes the full lab as well as a PDF guide.&amp;nbsp; Cool!&lt;/li&gt; &lt;li&gt;&lt;a href="http://msmvps.com/blogs/ad/archive/2009/12/17/free-active-directory-virtual-labs.aspx"&gt;Free Active Directory Virtual Labs&lt;/a&gt; - The Life of Brian&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/download/en/details.aspx?displaylang=en&amp;amp;id=7887"&gt;Download: Remote Server Administration Tools for Windows 7 with SP1&lt;/a&gt; - Microsoft Download Center - Download Details&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/download/en/details.aspx?id=4950"&gt;Download: Group Policy Documentation Survival Guide&lt;/a&gt; - Microsoft Download Center - Download Details&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;The &lt;a href="http://4sysops.com/"&gt;4sysops - For Windows Administrators&lt;/a&gt; website hosted by Michael Pietroforte is my go-to source for the best of tools and tips related to Windows system administration. 
It is full of great information and resources related to Active Directory items!&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://4sysops.com/archives/tag/active-directory/"&gt;Active Directory&lt;/a&gt; - 4sysops - Link roundup of ALL AD-tagged posts at 4sysops&lt;/li&gt; &lt;li&gt;&lt;a href="http://4sysops.com/free-windows-active-directory-tools/"&gt;Free Active Directory Tools&lt;/a&gt; - 4sysops - Link roundup of ALL (free) AD-related tools featured on 4sysops&lt;/li&gt; &lt;li&gt;&lt;a href="http://4sysops.com/archives/free-active-directory-telephone-book/"&gt;FREE: Active Directory Telephone Book&lt;/a&gt; - 4sysops - free tool to create an organizational phone-book based on AD information.&amp;nbsp; Knowledge is power!&lt;/li&gt; &lt;li&gt;&lt;a href="http://4sysops.com/archives/free-active-directory-topology-diagrammer/"&gt;FREE: Active Directory Topology Diagrammer&lt;/a&gt; - 4sysops - New feature/tool supported by Visio 2003 or higher.&lt;/li&gt; &lt;li&gt;&lt;a href="http://4sysops.com/archives/free-sysadmin-anywhere-active-directory-management/"&gt;FREE: SysAdmin Anywhere – Active Directory Management&lt;/a&gt; - 4sysops - really slick interface on this tool to manage users in AD.&lt;/li&gt; &lt;li&gt;&lt;a href="http://4sysops.com/archives/free-ad-info-user-friendly-active-directory-reporting-tool/"&gt;FREE: AD Info – User friendly Active Directory reporting tool&lt;/a&gt; - 4sysops - full featured tool that has lots of pre-built queries for reporting.&lt;/li&gt; &lt;li&gt;&lt;a href="http://4sysops.com/archives/free-account-lockout-tools-view-lockout-status-and-unlock-account/"&gt;FREE: Account Lockout Tools – View lockout status and unlock account&lt;/a&gt; - 4sysops - Feature post on a component from &lt;a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&amp;amp;DisplayLang=en"&gt;Microsoft’s Account Lockout and Management Tools&lt;/a&gt;. 
Sweet.&lt;/li&gt; &lt;li&gt;&lt;a href="http://4sysops.com/archives/free-ad-tidy-identify-last-logged-on-user-and-computer-accounts/"&gt;FREE: AD Tidy – Identify last logged on user and computer accounts&lt;/a&gt; - 4sysops - “It can be used to identify when user/computer accounts last logged on to the network and can tidy up these accounts in various different ways.”&lt;/li&gt; &lt;li&gt;&lt;a href="http://4sysops.com/archives/free-active-directory-explorer-active-directory-viewer/"&gt;FREE: Active Directory Explorer – Active Directory Viewer&lt;/a&gt; - 4sysops - Review and reminder of the must-have Microsoft Sysinternals &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb963907"&gt;AD Explorer&lt;/a&gt; utility. Power to the people!&lt;/li&gt; &lt;li&gt;&lt;a href="http://4sysops.com/archives/how-to-disable-usb-drive-use-in-an-active-directory-domain/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+4sysops+%284sysops%29"&gt;How to disable USB drive use in an Active Directory domain&lt;/a&gt; - 4sysops - Just in case you need to…&lt;/li&gt; &lt;li&gt;&lt;a href="http://4sysops.com/archives/troubleshoot-slow-logon-part-1-profile-size/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+4sysops+%284sysops%29"&gt;Troubleshoot slow logon – Part 1: Profile size&lt;/a&gt; - 4sysops - Great troubleshooting guide on login issues.&lt;/li&gt; &lt;li&gt;&lt;a href="http://4sysops.com/archives/troubleshoot-slow-logon-part-2-the-3-headed-monster/"&gt;Troubleshoot slow logon – Part 2: The 3-headed monster&lt;/a&gt;- 4sysops - Great troubleshooting guide on login issues continued.&lt;/li&gt; &lt;li&gt;&lt;a href="http://4sysops.com/archives/change-the-local-administrator-password-on-multiple-computers-with-powershell/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+4sysops+%284sysops%29"&gt;Change the local administrator password on multiple computers with PowerShell&lt;/a&gt; - 4sysops - 
Who doesn’t have to deal with this monster from time to time.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Expect more AD-related resource posts moving forward.&lt;/p&gt; &lt;p&gt;If you have any great and free AD-related tools, tips and resources please share in the comments!&lt;/p&gt; &lt;p&gt;Cheers!&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-7127184314841168489?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/7127184314841168489/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=7127184314841168489&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/7127184314841168489'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/7127184314841168489'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/active-directory-linkfest.html' title='Active Directory Linkfest'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-2475008121900638040</id><published>2012-01-15T15:58:00.001-06:00</published><updated>2012-01-15T15:58:36.526-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting'/><category scheme='http://www.blogger.com/atom/ns#' term='Scripting'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Baseline of Windows Files in Incident Handling?</title><content type='html'>&lt;p&gt;I’ve been sitting on this one for a month or so hoping I could uncover a better solution. Unfortunately, I’ve not been as successful as I would like, so here it is.&lt;/p&gt; &lt;p&gt;Chris Pogue at SpiderLab’s Anterior blog posted &lt;a href="http://blog.spiderlabs.com/2011/12/manipulating-windows-file-protection-and-indicators-of-compromise.html?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+SpiderlabsAnterior+%28SpiderLabs+Anterior%29"&gt;Manipulating Windows File Protection and Indicators of Compromise&lt;/a&gt; which contained lots of goodies.&lt;/p&gt; &lt;p&gt;Basically it was a carry-on from a previous post on Windows File Protection and malware hunting. In this post Chris shows how WFP can be “subverted” by malware and what clues are available to the incident responder for searching based on his and &lt;a href="http://windowsir.blogspot.com/"&gt;Harlan Carvey’s&lt;/a&gt; prior work.&lt;/p&gt; &lt;p&gt;In Chris’s post he uses an unpublished tool to temporarily disable WFP, changes “code” inside a protected system file, then allows WFP to restart, reboots the system, and sees whether WFP leaves the modded file alone. It did. Chris then documents the changes observed.&lt;/p&gt; &lt;p&gt;I’m focusing on this part here:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;let's take a MD5 checksum of dllhost.exe for validation that we have successfully modified our target file.  &lt;p&gt;c:\Windows\System32&amp;gt;md5deep dllhost.exe  &lt;p&gt;a63dc5c2ea944e6657203e0c8edeaf61&amp;nbsp; c:\Windows\System32\dllhost.exe  &lt;p&gt;OK, next, I ran a strings against the target file to make sure there was not the same string content that I decided to use.&amp;nbsp; In this case, a series of upper case letter "A"s.  
&lt;p&gt;C:\test&amp;gt;strings c:\WINDOWS\system32\dllhost.exe | grep AAAAAAAA  &lt;p&gt;Now, I am going to simply append 20 upper case "A"s to the end of the target file.  &lt;p&gt;C:\test&amp;gt;echo AAAAAAAAAAAAAAAAAAAA &amp;gt;&amp;gt; c:\WINDOWS\system32\dllhost.exe  &lt;p&gt;Let's run strings against the target file to see if the modification took.  &lt;p&gt;C:\test&amp;gt;strings c:\WINDOWS\system32\dllhost.exe | grep AAAAA  &lt;p&gt;AAAAAAAAAAAAAAAAAAAA&amp;nbsp; &amp;lt;-- This is the results of the grep search.  &lt;p&gt;Now let's check the MD5 checksum of the target file to see if it changed...as you can see by comparing it to the value from our initial MD5, &lt;strong&gt;it didn.&lt;/strong&gt;  &lt;p&gt;C:\test&amp;gt;md5deep c:\WINDOWS\system32\dllhost.exe  &lt;p&gt;6fb2c878750a84946efacfc50c8e1f59&amp;nbsp; c:\WINDOWS\system32\dllhost.exe&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;(Note: I think Chris has a typo in the part I have bolded above. I suspect he meant to type “it did” as clearly the MD5 is now changed from the original file MD5 hash.)&lt;/p&gt; &lt;p&gt;While Chris focuses on the MFT and system logs to flag the event for additional attention, I was focusing on the (relatively easier to spot?) MD5 change itself. 
If you can spot that the change occurred, then maybe you can drill faster into the corresponding logs/records for event clues on the change itself.&lt;/p&gt; &lt;p&gt;Indeed, Rmdarcher &lt;a href="http://blog.spiderlabs.com/2011/12/manipulating-windows-file-protection-and-indicators-of-compromise.html?cid=6a0133f264aa62970b0153942262e8970b#comment-6a0133f264aa62970b0153942262e8970b"&gt;commented&lt;/a&gt; in the post that one could “…run the System File Checker (sfc.exe)” to look for modifications.&amp;nbsp; Chris &lt;a href="http://blog.spiderlabs.com/2011/12/manipulating-windows-file-protection-and-indicators-of-compromise.html?cid=6a0133f264aa62970b0162fd7b0576970d#comment-6a0133f264aa62970b0162fd7b0576970d"&gt;agreed and responded&lt;/a&gt;,&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;“I think the real challenge is not in the identification of the modification, but in the detection of the single file that was modified.  &lt;p&gt;“As I pointed out in the post, and what I still think is the real meat of the issue, is how to tell? How can you tell if a legitimate Windows process has become weaponized. Again, think the best way to even get the point where you can employ something like SFC, is through live analysis, and correlation of data points.”&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;So what go-to options does a sysadmin have to see if a system’s protected files have been compromised by malware short of combing through the MFT and system logs?  &lt;p&gt;Here are the ones I have come up with so far.  &lt;p&gt;As Rmdarcher commented there is the &lt;strong&gt;Windows System File Checker&lt;/strong&gt;.  
&lt;ul&gt; &lt;li&gt;&lt;a href="http://en.wikipedia.org/wiki/System_File_Checker"&gt;System File Checker&lt;/a&gt; - Wikipedia  &lt;li&gt;&lt;a href="http://www.winhelponline.com/blog/run-sfc-offline-windows-7-vista/"&gt;How to Run the System File Checker (Sfc.exe) Offline in Windows 7 and Vista&lt;/a&gt; - The Winhelponline Blog  &lt;li&gt;&lt;a href="http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/system_file_checker.mspx?mfr=true"&gt;Microsoft Windows XP - System File Checker (sfc)&lt;/a&gt; - Microsoft Windows XP Pro Product Documentation  &lt;li&gt;&lt;a href="http://support.microsoft.com/kb/929833"&gt;How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7&lt;/a&gt; - Microsoft Support KB 929833  &lt;li&gt;&lt;a href="http://support.microsoft.com/kb/185836"&gt;Description of the System File Checker Tool (Sfc.exe)&lt;/a&gt; - Microsoft Support KB 185836  &lt;li&gt;&lt;a href="http://msdn.microsoft.com/en-us/windows/hardware/gg463455"&gt;Windows File Protection and Windows&lt;/a&gt; - Windows Dev Center on MSDN  &lt;li&gt;&lt;a href="http://support.microsoft.com/kb/841290"&gt;Availability and description of the File Checksum Integrity Verifier utility&lt;/a&gt; - Microsoft Support KB 841290  &lt;li&gt;&lt;a href="http://support.microsoft.com/kb/928228"&gt;How to analyze the log file entries that the Microsoft Windows Resource Checker (SFC.exe) program generates in Windows Vista&lt;/a&gt; - Microsoft Support KB 928228&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;That was a good starting point and eventually led me next to the &lt;a href="http://support.microsoft.com/kb/841290"&gt;&lt;strong&gt;File Checksum Integrity Verifier&lt;/strong&gt;&lt;/a&gt; from Microsoft.  &lt;blockquote&gt; &lt;p&gt;&lt;b&gt;Warning&lt;/b&gt; The Microsoft File Checksum Integrity Verifier (FCIV) utility is an unsupported command-line utility that computes MD5 or SHA1 cryptographic hashes for files. 
Microsoft does not provide support for this utility. Use this utility at your own risk. Microsoft Product Support Services (PSS) cannot answer questions about the File Checksum Integrity Verifier utility.&lt;/p&gt; &lt;p&gt;The File Checksum Integrity Verifier (FCIV) utility can generate MD5 or SHA-1 hash values for files to compare the values against a known good value. FCIV can compare hash values to make sure that the files have not been changed.&lt;/p&gt; &lt;p&gt;With the FCIV utility, you can also compute hashes of all your critical files and save the values in an XML file database. If you suspect that your computer may have been compromised, and important files have been changed, you can run a verification of the file system files against the XML database to determine which files have been modified.&lt;br&gt;The FCIV utility runs on Microsoft Windows 2000, Windows XP, and Windows Server 2003.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;In this case, you would need to generate a “baseline” on a known/good system like the one you are comparing against. I imagine you would need to be at the same patch level as your target system; otherwise you run the risk of getting lots of noise to sort through.  
&lt;ul&gt; &lt;li&gt;&lt;a href="http://www.ghacks.net/2010/01/17/uncover-file-manipulations-with-file-checksum-integrity-verifier-windows/"&gt;Uncover File Manipulations With File Checksum Integrity Verifier [Windows]&lt;/a&gt; - ghacks.net  &lt;li&gt;&lt;a href="http://searchsecurity.techtarget.co.uk/tip/How-to-use-the-Microsoft-FCIV-command-line-checksum-tool"&gt;How to use the Microsoft FCIV command-line checksum tool&lt;/a&gt; - Michael Cobb at SearchSecurity.co.UK  &lt;li&gt;&lt;a href="http://zoomicon.wordpress.com/2011/09/09/microsoft-file-checksum-integrity-verifier/"&gt;Microsoft File Checksum Integrity Verifier (FCIV)&lt;/a&gt; - George Birbilis @zoomicon&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;In the ghacks.net link above, &lt;a href="http://www.ghacks.net/2010/01/17/uncover-file-manipulations-with-file-checksum-integrity-verifier-windows/comment-page-1/#comment-956983"&gt;“Kirill” comments&lt;/a&gt; with a tip that leads to another tool, &lt;strong&gt;FCIV for PowerShell&lt;/strong&gt;.  &lt;p&gt;&lt;a href="http://www.sysadmins.lv/content/scripts/PSFCIV_1.0.ps1"&gt;http://www.sysadmins.lv/content/scripts/PSFCIV_1.0.ps1&lt;/a&gt;  &lt;p&gt;The author, Vadims Podāns, maintains an English blog here: &lt;a href="http://en-us.sysadmins.lv/default.aspx"&gt;PowerShell Crypto Guy's weblog&lt;/a&gt;  &lt;p&gt;Unfortunately, it doesn’t appear any of the FCIV for PowerShell-related posts are in English. 
You can hop over to the Russian pages and do some translations to get the meat of Vadims’s work here: &lt;a href="http://www.sysadmins.lv/CategoryView,category,PowerShellFCIV.aspx"&gt;FCIV&lt;/a&gt; (Russian original pages) or trust Google Translate here: &lt;a href="http://translate.google.com/translate?sl=ru&amp;amp;tl=en&amp;amp;js=n&amp;amp;prev=_t&amp;amp;hl=en&amp;amp;ie=UTF-8&amp;amp;layout=2&amp;amp;eotf=1&amp;amp;u=http%3A%2F%2Fwww.sysadmins.lv%2FCategoryView%2Ccategory%2CPowerShellFCIV.aspx"&gt;Google Translate versions of PowerShellFCIV tagged posts.&lt;/a&gt;  &lt;p&gt;The tool I would probably reach for first is &lt;a href="http://www.osforensics.com/index.html"&gt;&lt;strong&gt;OSForensics&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt; by PassMark Software&lt;/strong&gt;. This is a very strong tool in its own right, but the component we are focusing on here is “Verify / Create Hash”.  &lt;p&gt;From the &lt;a href="http://www.osforensics.com/download.html"&gt;OSForensics - Download Hash Sets&lt;/a&gt; page:  &lt;p&gt;OSForensics allows you to use Hash Sets to quickly identify known safe files (such as operating system and program files) or known suspected files (such as viruses, trojans, hacker scripts) to reduce the need for further time-consuming analysis. You can download some sample hash sets below. They are individually zipped.  &lt;ul&gt; &lt;li&gt;Office 2007 Enterprise (Vista) hash set (1,313 KB)  &lt;li&gt;Office 2007 Enterprise (Win7) hash set (1,978 KB)  &lt;li&gt;Common Keyloggers hash set (124 KB)  &lt;li&gt;Win7 Ultimate (32-bit) hash set (18,825 KB)  &lt;li&gt;Win7 Enterprise (x64) hash set (11,670 KB)  &lt;li&gt;Vista Business (32-bit) hash set (8,475 KB)  &lt;li&gt;Vista Business (x64) hash set (8,069 KB)  &lt;li&gt;XP Professional SP3 (32-bit) hash set (1,889 KB)  &lt;li&gt;XP Professional SP2 (x64) hash set (1,456 KB) &lt;/li&gt;&lt;/ul&gt; &lt;p&gt;This is a nice “baked-in” feature for looking for suspect files. 
And again, I’m not sure how much “noise” would need to be sifted through based on OS patching updates to the system files.  &lt;p&gt;Another nice feature of OSForensics hashing support is the ability to &lt;a href="http://www.osforensics.com/faqs-and-tutorials/import-nsrl-hashsets-from-nist.html"&gt;Import NSRL hash sets from NIST&lt;/a&gt;.  &lt;p&gt;There are a lot of great resources on the web related to use of the NSRL hash sets and similar collections.  &lt;ul&gt; &lt;li&gt;&lt;a href="http://isc.sans.edu/tools/hashsearch.html"&gt;Hash Database&lt;/a&gt; - SANS Internet Storm Center  &lt;li&gt;&lt;a href="http://www.nsrl.nist.gov/"&gt;National Software Reference Library&lt;/a&gt; - NSRL Project Web Site  &lt;li&gt;&lt;a href="http://jessekornblum.livejournal.com/277418.html"&gt;jessekornblum: NSRL Query Tool&lt;/a&gt; - Jesse Kornblum tips us to a new project &lt;a href="http://sourceforge.net/p/nsrlquery/wiki/Home/"&gt;NSRLQuery&lt;/a&gt; by Robert Hansen.  &lt;blockquote&gt;“He's written a client/server program, &lt;a href="https://sourceforge.net/p/nsrlquery/wiki/Home/"&gt;NSRLQuery&lt;/a&gt;, which takes the output of &lt;a href="http://md5deep.sf.net/"&gt;sha1deep&lt;/a&gt; and compares it against the NSRL. (Why SHA-1 hashes? The NSRL contains MD5, SHA-1, and CRC32 hashes. You have to pick one...) The results are written to files hits.txt and misses.txt. The former are the files from the NSRL, the latter are those which are not.”&lt;/blockquote&gt; &lt;li&gt;&lt;a href="http://www.team-cymru.org/Services/MHR/"&gt;Malware Hash Registry&lt;/a&gt; - Team Cymru  &lt;li&gt;&lt;a href="http://fileadvisor.bit9.com/Services/search.aspx"&gt;FileAdvisor | The Best Search Engine for Identifying Software Files&lt;/a&gt; - Bit9 &lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;&lt;a href="http://md5deep.sourceforge.net/"&gt;md5deep and hashdeep&lt;/a&gt; (now at version 4.0.0) also provide a mechanism “…to compute, match, and &lt;em&gt;audit&lt;/em&gt; hashsets. 
With traditional matching, programs report if an input file matched one in a set of knowns or if the input file did not match. It's hard to get a complete sense of the state of the input files compared to the set of knowns. It's possible to have matched files, missing files, files that have moved in the set, and to find new files not in the set. Hashdeep can report all of these conditions. It can even spot hash collisions, when an input file matches a known file in one hash algorithm but not in others. The results are displayed in an audit report.”&lt;/p&gt; &lt;p&gt;More on md5deep/hashdeep &lt;a href="http://md5deep.sourceforge.net/start-hashdeep.html#audit"&gt;Audit Mode&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;I see that George M. Garner Jr.’s &lt;a href="http://gmgsystemsinc.com/fau/"&gt;Forensic Acquisition Utilities&lt;/a&gt; set includes the following tool that may be of use:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;strong&gt;FMData.exe&lt;/strong&gt;: An original utility to collect file system metadata, to produce and verify security catalogs (cryptographic hash sets) using one or more cryptographic hash algorithms and to verify system binaries using the system file checker (SFC) API.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Finally, there is the application “&lt;a href="http://www.ice-graphics.com/ICEECC/IndexE.html"&gt;ICE ECC&lt;/a&gt;” from ice-graphics. This is probably an “off-label” application and I’m not sure how well it would work on a directory like C:\Windows\System. Again, you would need to first “baseline” a known/pure system and then you could compare a suspect system against that baseline to look for clues. 
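&lt;/p&gt; &lt;p&gt;To make the “baseline, then compare” idea concrete, here is an added example that is not part of the original post and is not code from FCIV, PSFCIV, or hashdeep: a small Python script that hashes every file under a directory with several algorithms in one pass, stores the result as a baseline, and later audits the live tree against it. It reports the same buckets hashdeep’s audit mode describes (matched, modified, moved, new, missing) plus a “collision” bucket for a file whose digests still agree under one algorithm but not the others. The System32 file names and contents inside demo() are constructed stand-ins, and the JSON baseline file is this example’s choice rather than FCIV’s XML database.&lt;/p&gt;
&lt;pre&gt;
```python
"""Multi-hash baseline of a directory tree plus an audit of a later copy of it.

Added example for this post: not code from the post, from FCIV/PSFCIV, or from
hashdeep. The "System32" file names and contents in demo() are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256")   # hash each file with several algorithms in one pass
CHUNK = 1024 * 1024                 # read files in 1 MiB pieces


def hash_file(path):
    """Return {algorithm: hexdigest} for one file, reading it only once."""
    digests = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {a: d.hexdigest() for a, d in digests.items()}


def build_baseline(root):
    """Hash every regular file under root, keyed by its '/'-separated relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline, path):
    """Persist the baseline as JSON (FCIV keeps an XML database; JSON is this example's choice)."""
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def audit(baseline, current):
    """Bucket every file the way hashdeep's audit report does.

    matched/modified/missing/new are the obvious cases; "moved" is known content
    at a path the baseline never listed; "collision" is a file whose digest still
    agrees under some algorithms but not under all of them.
    """
    buckets = ("matched", "modified", "collision", "moved", "new", "missing")
    report = {k: [] for k in buckets}
    by_hashes = {}   # full hash tuple to the known path(s) holding that content
    for name, hs in baseline.items():
        by_hashes.setdefault(tuple(hs[a] for a in ALGOS), []).append(name)
    moved_from = set()
    for name in sorted(current):
        hs = current[name]
        if name in baseline:
            agreeing = [a for a in ALGOS if baseline[name][a] == hs[a]]
            if len(agreeing) == len(ALGOS):
                report["matched"].append(name)
            elif agreeing:
                report["collision"].append((name, agreeing))
            else:
                report["modified"].append(name)
            continue
        key = tuple(hs[a] for a in ALGOS)
        if key in by_hashes:
            origin = by_hashes[key][0]
            report["moved"].append((name, origin))
            moved_from.add(origin)
        else:
            report["new"].append(name)      # unknown content: look at these first
    report["missing"] = sorted(n for n in baseline
                               if n not in current and n not in moved_from)
    return report


def demo():
    """Constructed walk-through: baseline a fake System32, tamper with it, audit it."""
    work = Path(tempfile.mkdtemp())
    try:
        tree = work / "tree"
        sys32 = tree / "System32"
        sys32.mkdir(parents=True)
        for name, data in {"dllhost.exe": b"MZ dllhost", "calc.exe": b"MZ calc",
                           "notepad.exe": b"MZ notepad", "old.dll": b"MZ old"}.items():
            (sys32 / name).write_bytes(data)
        save_baseline(build_baseline(tree), work / "baseline.json")  # known-good state
        with open(sys32 / "dllhost.exe", "ab") as fh:
            fh.write(b"A" * 20)                               # appended bytes, as in the quoted test
        (sys32 / "calc.exe").rename(sys32 / "moved_calc.exe")  # relocated
        (sys32 / "dropped.dll").write_bytes(b"MZ dropped")     # new
        (sys32 / "old.dll").unlink()                           # missing
        return audit(load_baseline(work / "baseline.json"), build_baseline(tree))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for bucket, entries in demo().items():
        print(bucket, entries)
```
&lt;/pre&gt;
&lt;p&gt;Run it as-is and it prints the six buckets for the constructed tree. For real use, point build_baseline() at the directory of interest on a clean machine at the same patch level as the target, keep the JSON somewhere the target cannot write to, and read the “modified” and “new” buckets first. The appended-bytes change from the quoted test lands in “modified” under all three algorithms, which is exactly the single-file change that is so hard to spot by eye.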
&lt;/p&gt; &lt;p&gt;If anyone else knows of any ways to either baseline and/or cross-check the hashes on protected Windows System files to ensure their integrity hasn’t been subverted/compromised by an injected malware attack like Chris and Harlan originally discuss, please drop a line in the comments regarding the tool and/or technique.&lt;br&gt;&lt;br&gt;Much appreciated.&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-2475008121900638040?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/2475008121900638040/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=2475008121900638040&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/2475008121900638040'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/2475008121900638040'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/baseline-of-windows-files-in-incident.html' title='Baseline of Windows Files in Incident Handling?'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-2356042228788855679</id><published>2012-01-15T14:38:00.001-06:00</published><updated>2012-01-15T14:38:15.840-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='writing'/><title type='text'>Bad Habit</title><content type='html'>&lt;p&gt;Note to self…you so gotta get this one 
down this new year.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.slate.com/articles/technology/technology/2011/01/space_invaders.html"&gt;Two spaces after a period: Why you should never, ever do it&lt;/a&gt; - Slate Magazine&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;“Most ordinary people would know the one-space rule, too, if it weren't for a quirk of history. In the middle of the last century, a now-outmoded technology—the manual typewriter—invaded the American workplace. To accommodate that machine's shortcomings, everyone began to type wrong. And even though we no longer use typewriters, we all still type like we do.”&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;That’s my excuse.&lt;/p&gt; &lt;p&gt;Of all the classes I took in high school, I credit my elective typewriting class for making the greatest contribution to my successes in college and the later transition into a technology career.&lt;/p&gt; &lt;p&gt;With no fear of typing, I was able to sit down at any keyboard with confidence. While no speed-demon at the time, I could touch-type at will and pound out anything needed. I could quickly and confidently organize my thoughts and communicate them. All because of those hours in front of that blue &lt;a href="http://en.wikipedia.org/wiki/IBM_Selectric_typewriter"&gt;IBM Selectric III&lt;/a&gt; typewriter. I never lost that skill though the mechanical feedback isn’t the same anymore and I have to resort to running &lt;a href="http://www.grc.com/freeware/clickey.htm"&gt;ClicKey&lt;/a&gt; when I really want my fingers to fly across the keys. 
&lt;/p&gt; &lt;p&gt;Adding that darned double spacing after each sentence was drilled into me in those classes and it is just maddening to abandon.&lt;/p&gt; &lt;p&gt;Here’s hoping for tighter copy this year.&lt;/p&gt; &lt;p&gt;Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-2356042228788855679?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/2356042228788855679/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=2356042228788855679&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/2356042228788855679'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/2356042228788855679'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/bad-habit.html' title='Bad Habit'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-866225627154472111</id><published>2012-01-08T20:41:00.001-06:00</published><updated>2012-01-08T20:43:07.905-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='tutorials'/><category scheme='http://www.blogger.com/atom/ns#' term='boot-cd&apos;s'/><category scheme='http://www.blogger.com/atom/ns#' term='Linux'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' 
term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='command-line interface'/><title type='text'>Wipies -- Addendum</title><content type='html'>&lt;p&gt;You may recall that both GSD posts on secure wiping -- &lt;a href="http://grandstreamdreams.blogspot.com/2011/12/free-wipies.html"&gt;Free Wipies&lt;/a&gt; and &lt;a href="http://grandstreamdreams.blogspot.com/2012/01/wipies-part-ii-full-coverage-cleaning.html"&gt;Wipies - Part II (Full Coverage Cleaning)&lt;/a&gt; -- were inspired by a blog post by the &lt;a href="http://tinyapps.org/blog/"&gt;TinyApps.Org&lt;/a&gt; blogger.&lt;/p&gt; &lt;p&gt;Last night I received a kind message from this dear friend pulling my attention back to the deeper issue raised in that post, and while this isn’t a completely unknown issue, it is one that can be easily overlooked by the best of sysadmins in our zeal to “secure wipe the darn thing” and get on with our other daily grinds.&lt;/p&gt; &lt;p&gt;The TinyApps how-to post &lt;a href="http://tinyapps.org/docs/wipe_drives_hdparm.html"&gt;ATA Secure Erase (SE) and hdparm&lt;/a&gt; shares an added benefit for those who dare to tread that hard-drive wiping technique through the “enhanced secure erase” option.&lt;/p&gt; &lt;p&gt;(Very) Basically, the issue comes down to this: hard drives may have bad sectors that have been found and marked as such, as well as a “host protected area” (HPA), both of which can be skipped by many “block-erase” wiping tools and utilities. 
The end result is the possibility of recoverable data left behind in these areas if a standard block-erase method is used.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://en.wikipedia.org/wiki/Host_protected_area"&gt;Host protected area&lt;/a&gt; - Wikipedia, the free encyclopedia  &lt;li&gt;&lt;a href="http://en.wikipedia.org/wiki/Device_configuration_overlay"&gt;Device configuration overlay&lt;/a&gt; - Wikipedia, the free encyclopedia&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;So even though you are diligently laying down your randomized data and/or zeros to all the (accessible) sectors of the drive, the drive itself may be actually hiding physical sectors from your software that will not get overwritten no matter how hard you try.&lt;/p&gt; &lt;p&gt;As TinyApps linked for me in the communication, even the almighty &lt;a href="http://www.dban.org/"&gt;Darik's Boot And Nuke&lt;/a&gt; clearly says in its FAQ that it must be used with knowledge to address some of these issues:&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.dban.org/node/34"&gt;Does DBAN wipe remapped sectors?&lt;/a&gt; - Darik's Boot And Nuke&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;strong&gt;Does DBAN wipe remapped sectors?&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Use the ATA-6 wipe method if you want to wipe remapped sectors. Most methods do not wipe remapped sectors.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;a href="http://www.dban.org/node/35"&gt;Does DBAN wipe the Host Protected Area ("HPA")?&lt;/a&gt; - Darik's Boot And Nuke&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;strong&gt;Does DBAN wipe the Host Protected Area ("HPA")?&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;No. &lt;/p&gt; &lt;p&gt;Most vendors that are using the HPA have a toggle for it in the BIOS setup program. Future releases of DBAN may override or dishonor the HPA. &lt;/p&gt; &lt;p&gt;&lt;strong&gt;Why not now and why not by default?&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Some vendors are using the HPA instead of providing rescue media. 
&lt;/p&gt; &lt;p&gt;Wiping the HPA would surprise and strand people that expect the HPA to have rescue materials, and it often results in OEM technical support marking and abandoning people that do it. The HPA is a low risk because it is not accessible during normal operations. &lt;/p&gt; &lt;p&gt;DBAN defaults are chosen to best protect people with a minimal understanding of this kind of problem. This point is still open for discussion in the help forum and in the appropriate bug ticket.&lt;br&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;That’s not to say this information makes DBAN (or any of the others like it) a bad or faulty tool, just one with some limitations (like most all other block-erase wipe tools) that must be fully understood before deciding if its methods are sufficient for the use at hand.  &lt;p&gt;For example, there are forensic drive access/capture tools that can detect these areas and ensure the investigator is able to respond to them.&amp;nbsp; That’s great news for the good guys and a warning that bad-guys can also take advantage of this as well: &lt;a href="http://www.wiebetech.com/hpa_dco.php"&gt;HPA/DCO Detection - WiebeTech Forensic Docks&lt;/a&gt;  &lt;p&gt;Here (again) are links to two posts about the HPA/remapped sector issue with drive wiping well worth the read:  &lt;ul&gt; &lt;li&gt;&lt;a href="http://ultraparanoid.wordpress.com/2007/09/12/securely-erase-hard-drives/"&gt;Securely erase hard drives&lt;/a&gt; - ultraparanoid  &lt;li&gt;&lt;a href="http://ultraparanoid.wordpress.com/2007/06/20/can-god-create-a-rock-so-heavy-even-he-cant-lift-it/"&gt;Can God Create a Rock So Heavy Even He Can’t Lift It?&lt;/a&gt; - ultraparanoid&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;I suppose one good place to start is pre-inspecting your drive before you get wiping to better understand what you are dealing with.&lt;/p&gt; &lt;p&gt;There are a few Windows-based tools that I am aware of that can let you look at either/both HPA area(s) as well as DCO info (if they 
exist).&amp;nbsp; In most cases, these do require specialized booting of the system either directly with a true DOS disk or a Linux tool to access the drive correctly.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://hddguru.com/software/2005.10.02-MHDD/"&gt;MHDD&lt;/a&gt; - HDDGuru&lt;br&gt; &lt;li&gt;&lt;a href="http://www.hdat2.com/"&gt;HDAT2/CBL Hard Disk Repair Utility&lt;/a&gt; - Lubomir Cabla&lt;br&gt; &lt;li&gt;&lt;a href="http://www.cgsecurity.org/wiki/TestDisk_6.12_Release"&gt;TestDisk 6.12 Release&lt;/a&gt; - CGSecurity&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;So, that brings us back to using a combo of tools and methods: either check for the presence of HPA/DCO and address/remove them first before using a block-erase wipe tool, or learn some new techniques for an “all-in-one” wipe method to get it all.&lt;/p&gt; &lt;p&gt;&lt;em&gt;For “modern” hard disk drives that support this feature&lt;/em&gt; the “enhanced secure erase” method may be the only option short of extreme physical destruction (with prejudice and malice aforethought) of the drive to ensure all data is irrevocably cleared from the drive.&lt;/p&gt; &lt;p&gt;TinyApps’ “how-to” post is a great starting point for using a Linux Live CD to accomplish the process and understanding what is happening:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://tinyapps.org/docs/wipe_drives_hdparm.html"&gt;ATA Secure Erase (SE) and hdparm&lt;/a&gt; - TinyApps blog&lt;br&gt; &lt;li&gt;More background here at &lt;a href="https://ata.wiki.kernel.org/articles/a/t/a/ATA_Secure_Erase_936d.html"&gt;ATA Secure Erase&lt;/a&gt; - ata Wiki&lt;br&gt; &lt;li&gt;&lt;a href="http://mackonsti.wordpress.com/2011/11/22/ssd-secure-erase-ata-command/"&gt;SSD Secure Erase with proper ATA command&lt;/a&gt; - mackonsti blog&lt;br&gt; &lt;li&gt;&lt;a href="http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml"&gt;CMRR - Secure Erase&lt;/a&gt; tool - over at the Center for Magnetic Recording Research (CMRR) is another option, though a read 
through of many comments and other posts suggests this tool may have some performance issues…or not.&lt;br&gt; &lt;li&gt;&lt;a href="http://www.ocztechnologyforum.com/forum/showthread.php?74093-How-to-use-HDDErase"&gt;Guide How to use HDDErase&lt;/a&gt; - OCZ Forum&lt;br&gt; &lt;li&gt;The &lt;a href="http://partedmagic.com/doku.php"&gt;Parted Magic&lt;/a&gt; LiveCD - I have learned - includes an ERASE tool which does support the “enhanced secure erase” protocol if the drive at hand does as well.&amp;nbsp; It takes care of a lot of the CLI work that might off-put casual wipers. &lt;a href="http://blog.corsair.com/?p=4484"&gt;How To Secure Erase Corsair SSDs With Parted Magic&lt;/a&gt; -- Corsair Blog.&amp;nbsp; I’ve used Parted Magic quite a lot in the past but never for secure wiping and never realized it had this option.&lt;br&gt; &lt;li&gt;&lt;a href="http://gparted.sourceforge.net/index.php"&gt;GParted&lt;/a&gt; can do this as well, though it doesn’t seem to have the “wizard” for hdparm that Parted Magic does: &lt;a href="http://www.gskill.us/forum/showthread.php?t=5901"&gt;Use GParted to secure erase SSD - GSKILL TECH FORUM&lt;/a&gt;.&lt;br&gt; &lt;li&gt;Note: As TinyApps points out in his post, in fact any Linux distro that includes hdparm at version 9.31 or greater would work; the lower versions have a 2-hour timeout which can leave the remaining portion of the disk unwiped.&lt;br&gt; &lt;li&gt;&lt;a href="http://www.ocztechnologyforum.com/forum/showthread.php?74304-Secure-Erase-for-Windows"&gt;Guide Secure Erase for Windows&lt;/a&gt; - OCZ Forum&lt;br&gt; &lt;li&gt;&lt;a href="http://www.ocztechnologyforum.com/forum/showthread.php?76612-Secure-Erase-From-Within-Linux-For-Windows-Users"&gt;Guide Secure Erase From Within Linux For Windows Users&lt;/a&gt; - OCZ Forum&lt;br&gt; &lt;li&gt;&lt;a href="http://www.ocztechnologyforum.com/forum/showthread.php?62457-How-to-Restore-SSD-performance-WITHOUT-using-HDDErase"&gt;Guide How to Restore SSD performance 
WITHOUT using HDDErase&lt;/a&gt; - OCZ Forum&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;It is my understanding that the Windows port of hdparm found in &lt;a href="http://www.cygwin.com"&gt;Cygwin&lt;/a&gt; may work as well. I’ve seen some forum posts discuss that some versions (the later ones) are better than earlier ones.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://blog.tiensivu.com/aaron/archives/963-The-Win32Cygwin-version-of-hdparm-will-tell-you-if-you-have-HIPM-or-DIPM-capabilities..html"&gt;The Win32/Cygwin version of 'hdparm' will tell you if you have HIPM or DIPM capabilities.&lt;/a&gt; - Aaron Tiensivu's Blog&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Christian Franke has also provided a native Win32 tool version if you just need it without Cygwin.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://hdparm-win32.dyndns.org/hdparm/"&gt;Index of /hdparm&lt;/a&gt; - via Christian Franke&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;So to sum up from my perspective,&lt;/p&gt; &lt;ol&gt; &lt;li&gt;If you want to keep the OEM HPA area intact (maybe you have a Dell system with diagnostics loaded there) and plan to recycle the drive/system in your organization, then a simple whole-disk block-erase of the drive may be sufficient.&amp;nbsp; Updating the DCO information probably isn’t necessary and may help -- in fact -- preserve the previously found “bad sectors” info if it is present.&lt;br&gt;&lt;/li&gt; &lt;li&gt;If you plan on giving the drive/system away then you should strongly consider attempting the “enhanced secure erase” method first to see if your drive supports it. 
If not, then you may have to settle for either a whole-disk block-erase wipe and hope for the best (that there is no sensitive data in any HPA/DCO areas, if present) or use one of many &lt;a href="http://www.youtube.com/watch?v=LEWQGlVZXrw"&gt;reliable&lt;/a&gt;, &lt;a href="http://www.youtube.com/watch?v=S_BgtldCwqw"&gt;complete&lt;/a&gt;,&amp;nbsp; &lt;a href="http://www.youtube.com/watch?v=ZcGCL3c45sI"&gt;irrevocable&lt;/a&gt;, &lt;a href="http://www.youtube.com/watch?v=z-QfRhl7gKA"&gt;physically destructive&lt;/a&gt; methods.&lt;/li&gt;&lt;/ol&gt; &lt;p&gt;Hopefully I have covered this sufficiently for you to Google on from here.&lt;/p&gt; &lt;p&gt;If not, as always your comments are welcome and appreciated.&lt;/p&gt; &lt;p&gt;And if anyone knows of any additional Windows/DOS/*Nix tools that can handle “enhanced secure erase” wiping of a modern drive, please leave a tip in the comments.&lt;/p&gt; &lt;p&gt;Cheers!&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-866225627154472111?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/866225627154472111/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=866225627154472111&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/866225627154472111'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/866225627154472111'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/wipies-addendum.html' title='Wipies -- Addendum'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-3567500308523810092</id><published>2012-01-01T17:16:00.001-06:00</published><updated>2012-01-01T17:16:12.933-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Win PE'/><category scheme='http://www.blogger.com/atom/ns#' term='tutorials'/><category scheme='http://www.blogger.com/atom/ns#' term='boot-cd&apos;s'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Make a dual-boot WinPE CD</title><content type='html'>&lt;p&gt;I’ve been in the workshop for the past several days hammering out a new WinPE product for our technical field-support team.&lt;/p&gt; &lt;p&gt;You may recall from the GSD post &lt;a href="http://grandstreamdreams.blogspot.com/2011/11/winpe-building-and-pgp-support-links.html"&gt;WinPE Building and PGP Support Links Updated &lt;/a&gt;that I have previously built a highly-customized PGP WDE injected WinPE boot CD to allow our team to manually off-line boot, then authenticate into a PGP v9.x encrypted hard-drive.&lt;/p&gt; &lt;p&gt;Now we are rolling out systems encrypting with PGP Desktop 10.x.&amp;nbsp; Unfortunately the v10 isn’t backwards-compatible in supporting the v9 encrypted systems.&lt;/p&gt; &lt;p&gt;So I cleared off the workbench and using the techniques I have previously outlined here, built a new customized WinPE boot disk that supports PGP-WDE 10.x.&lt;/p&gt; &lt;p&gt;Only there was one problem; we currently now have a mixed PGP-WDE environment where some systems are running PGP Desktop v9.x and others are running v10.x.&lt;/p&gt; &lt;p&gt;I started to plan just having the techs carry both WinPE boot disks with them.&amp;nbsp; But that seemed silly.&amp;nbsp; The WIM files were 
both very small.&amp;nbsp; Too bad I couldn’t include both BOOT.WIM files on the same CD as the rest of the CD structure was identical.&lt;/p&gt; &lt;p&gt;Or could I…..?&lt;/p&gt; &lt;p&gt;I knew from a suggestion Brett had made earlier that, with some BCD file editing on a customized WinPE booting USB stick, I could multi-boot different WinPE BOOT.WIM files.&amp;nbsp; We outlined that process in this GSD &lt;a href="http://grandstreamdreams.blogspot.com/2010/03/winpe-multi-boot-bootable-usb-storage.html"&gt;WinPE Multi-boot a Bootable USB Storage device &lt;/a&gt;post. I can tell you it works like a charm.&lt;/p&gt; &lt;p&gt;But surely that doesn’t work for WinPE CDs. That’s crazy talk. Right?&lt;/p&gt; &lt;p&gt;Nope. Works fine.&lt;/p&gt; &lt;p&gt;David over at the “ICT Guy’s Doodles” blog has it all laid out, simple as can be (with screen-shots):&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://ict-doodles.biz.hr/2011/03/02/creating-winpe-multi-boot/"&gt;Creating WinPE multi-boot&lt;/a&gt; - ICT guy's doodles&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;David and I are assuming here you already have the WAIK installed and are long-past the steps regarding building a customized WinPE build or two. If not, check out these GSD posts first for some background if needed:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2009/02/custom-win-pe-boot-disk-building-step.html"&gt;Custom Win PE Boot Disk Building: Step Four – Pulling it all together&lt;/a&gt; – GSD blog.  &lt;li&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2009/03/custom-winpe-building-post-script-and.html"&gt;Custom WinPE Building: Post-Script and PE 3.0&lt;/a&gt; - GSD blog. &lt;li&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2009/08/quickpost-bootable-usb-stick.html"&gt;QuickPost: Bootable USB Stick&lt;/a&gt; – GSD blog. 
&lt;li&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2009/07/usb-tricks-for-vista-and-windows-7.html"&gt;USB Tricks for Vista and Windows 7&lt;/a&gt; – GSD blog.  &lt;li&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2009/11/sexy-usb-boots-win-pe-style.html"&gt;Sexy USB Boots (Win PE style)&lt;/a&gt; – GSD blog.  &lt;li&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2010/03/winpe-and-dismpeimg-to-boost-scratch.html"&gt;WinPE and DISM/PEimg to boost Scratch Space (Ram Disk)&lt;/a&gt; – GSD blog. &lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Once you’ve done that and have your primary WinPE folder structure set as well as your custom BOOT.WIM files ready you basically do this:&lt;/p&gt; &lt;ol&gt; &lt;li&gt;Launch your WAIK Deployment Tools Command Prompt (in Windows 7 I chose to run it elevated as Administrator).&lt;/li&gt; &lt;li&gt;Change directories to your WinPE building folder (in my case it was C:\winpe_x86 yours may differ adjust recipe accordingly for your WinPE baking altitude).&lt;/li&gt; &lt;li&gt;Copy into the c:\winpe_x86\ISO\sources folder the BOOT.WIM files you want to include. Note they will need to be named different things. Your first/default booting wim can remain “boot.wim” to keep things easy, but the 2nd (and each additional one if so desired) should be named something more descriptive.&lt;/li&gt; &lt;li&gt;Next you will need to edit the BCD file for the booting build which is located in C:\winpe_x86\ISO\boot location.&lt;/li&gt; &lt;li&gt;&lt;a href="http://ict-doodles.biz.hr/2011/03/02/creating-winpe-multi-boot/"&gt;Follow David’s steps&lt;/a&gt; to make a copy of the default boot entry item to a new second one with a different boot guid. 
Then you need to “fix” some of the copied sub-items to associate with the new guid value.&lt;/li&gt; &lt;li&gt;Finally, you can rename the default boot item description to something more meaningful.&lt;/li&gt;&lt;/ol&gt; &lt;p&gt;Use oscdimg to build the ISO file, and when you boot it you should now see your different boot image options appear on the boot selection menu!&lt;/p&gt; &lt;p&gt;Sweet!&lt;/p&gt; &lt;p&gt;I’m not aware of any limitations to the number of different bootable wim files you can have.&amp;nbsp; I suppose that’s mostly limited to the size of your CD/DVD media (if not USB-booting) as well as the size of the custom WIM files themselves.&lt;/p&gt; &lt;p&gt;So for me, I now have one physical bootable CD with two distinct WinPE boot choices…one for PGP v9 and one for PGP v10 support.&amp;nbsp; Locked and loaded now baby!&lt;/p&gt; &lt;p&gt;In theory, if you weren’t really comfortable with all this CLI work, you could use one of two GUI-based tools to edit the \winpe_x86\ISO\boot\BCD file.&lt;/p&gt; &lt;p&gt;&lt;a href="http://neosmart.net/EasyBCD/"&gt;EasyBCD 2.1.2 - NeoSmart Technologies&lt;/a&gt; supports WinPE BCD files. There is also an &lt;a href="http://neosmart.net/forums/showthread.php?t=642"&gt;EasyBCD 2.2 Beta Build&lt;/a&gt; that may have additional support. 
Check out the forum as well as this &lt;a href="http://neosmart.net/forums/showthread.php?t=7234&amp;amp;highlight=WinPE"&gt;Multiboot WinPE CD - How to specify .WIM&lt;/a&gt; forum post for some tips.&lt;/p&gt; &lt;p&gt;In fact, somewhere between eating lunch, listening to a football game, and trying to pay attention to a holiday story Lavie was telling me while I was following David’s steps, my own “descriptions” work for the BCD file got mixed up a bit and I wasn’t getting the custom boot descriptions to appear as desired.&lt;/p&gt; &lt;p&gt;I was able to quickly and easily use the &lt;a href="http://www.boyans.net/"&gt;Visual BCD Editor - Windows 7/Vista&lt;/a&gt; to clean up the mess I made and get it all put right.&amp;nbsp; So if you knew what you were doing, you could do it all from the GUI with this tool rather than the CLI.&lt;/p&gt; &lt;p&gt;Anyway, thanks to Brett for his original tip and to David for the game-walkthrough for making a multi-boot WinPE CD.&lt;/p&gt; &lt;p&gt;Cheers.&lt;/p&gt; &lt;p&gt;Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-3567500308523810092?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/3567500308523810092/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=3567500308523810092&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/3567500308523810092'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/3567500308523810092'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/make-dual-boot-winpe-cd.html' title='Make a dual-boot WinPE 
CD'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-8979262000398548469</id><published>2012-01-01T16:24:00.001-06:00</published><updated>2012-01-01T16:24:19.994-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='boot-cd&apos;s'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Wipies - Part II (Full Coverage Cleaning)</title><content type='html'>&lt;p&gt;I guess in the back of my subconscious, this and yesterday’s post regarding secure wiping could be related to the new year…you know…start things off with a clean-slate?&lt;/p&gt; &lt;p&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2011/12/free-wipies.html"&gt;Yesterday’s post&lt;/a&gt; focused on free tools and utilities for secure-wiping (pretty-much) files and folders from a Windows system. &lt;/p&gt; &lt;p&gt;In a much older GSD post I had touched on &lt;a href="http://grandstreamdreams.blogspot.com/2007/11/secure-disk-wiping-software.html"&gt;total-drive secure wiping&lt;/a&gt; options.&lt;/p&gt; &lt;p&gt;Since a lot of time has slid by since that 2007 post, I figured I’d revisit it and see if it needed some updating.&amp;nbsp; So below you will find a list of tools that address secure wiping of an entire hard-drive.&lt;/p&gt; &lt;p&gt;In the previous post, I already covered my top-two tools for secure-wiping a HDD:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;When it comes to secure drive (whole-disk) wiping, I’ve still tended to rely on two tools in particular for their ease-of-use and convenience. 
&lt;p&gt;The first is Microsoft Windows DISKPART command &lt;a href="http://technet.microsoft.com/en-us/library/cc766465%28WS.10%29.aspx"&gt;“Clean all”&lt;/a&gt; which “specifies that each and every sector on the disk is zeroed, which completely deletes all data contained on the disk.” &lt;p&gt;The pro is that the command is very simple to remember and use, and when coupled with a WinPE disk, is dead-simple to effectively wipe out most all drives I encounter. &lt;p&gt;The second one I love is the CLI tool “wipe.exe” as found in the &lt;a href="http://gmgsystemsinc.com/fau/"&gt;Forensic Acquisition Utilities&lt;/a&gt; set by George M. Garner. &lt;p&gt;The pro about this one is that it actually includes a progress indicator so you have some degree of feedback on how far you’ve wiped. &lt;p&gt;I always verify my zero-out wipes when done. For that I prefer to use the sector-viewer tool &lt;a href="http://mh-nexus.de/en/hxd/"&gt;HxD&lt;/a&gt; to scan through the post-wiped drive to ensure it all comes up clean; &lt;a href="http://frhed.sourceforge.net/"&gt;Frhed - Free hex editor&lt;/a&gt; is another nice alternative.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;I keep a custom WinPE 3.0 USB stick always handy to off-line boot a target system. By nature, DISKPART and its “Clean all” power is baked in.&amp;nbsp; I’ve also loaded it with the Forensic Acquisition Utilities tool set so those are also at hand for a quick “wipe \\.\PhysicalDrive0 -p 1 -w 00” command if I prefer the progress meter. &lt;p&gt;However, there are a number of additional tools, some more “GUI” than others, that bring more to the party in terms of wipe-patterns and passes…if that’s your thing. &lt;p&gt;So here are the rest I’ve found. Use may be licensed for personal only or may also allow for organizational use. So read the fine print carefully to stay honest. 
&lt;p&gt;&lt;a href="http://www.dban.org/"&gt;Darik's Boot And Nuke | Hard Drive Disk Wipe and Data Clearing&lt;/a&gt; - (aka DBAN) allows for creation of a boot floppy or boot CD.&amp;nbsp; It supports SCSI, IDE, PATA, and SATA disks and should be able to wipe just about any file-system from a drive.&amp;nbsp; You can use one of five preset wipe formats or set custom wipe patterns. If you prefer you can try the method to &lt;a href="http://www.pendrivelinux.com/install-dban-to-a-usb-flash-drive-using-windows/"&gt;Create a DBAN USB Flash Drive from Windows&lt;/a&gt; over at USB Pen Drive Linux. Other related links (with more screenshots) are &lt;a href="http://www.trishtech.com/security/create_bootable_dban_usb_pen_drive.php"&gt;Create a Bootable DBAN USB Pen Drive&lt;/a&gt; at TrishTech and &lt;a href="http://lee.org/blog/2011/01/31/how-to-make-a-bootable-dban-usb-thumbdrive-to-wipe-hard-drives/"&gt;How to make a bootable dban USB thumbdrive to wipe hard drives&lt;/a&gt; at Lee.org.&amp;nbsp; I’ve had mixed success with making a USB version of DBAN (no issues with the CD version), generally the problem comes like others with the “autonuke” option causing a hang. Some forums suggest disabling “media card” drives in the BIOS or like things. Also, you need to be sure to pull the USB stick in the first 10 seconds of the DBAN loading done otherwise you will likely wipe your USB stick as well if left in. &lt;p&gt;&lt;a href="http://www.pcinspector.de/EMaxx/info.htm?language=1"&gt;PC Inspector - Emaxx&lt;/a&gt; - Basically you download the app and use it to create a boot disk. Then boot your target system with the boot-disk and type “emaxx -US” to get started.&amp;nbsp; It isn’t elegant but it can do the job. &lt;p&gt;&lt;a href="http://www.terabyteunlimited.com/copywipe.php"&gt;Terabyte Unlimited - CopyWipe&lt;/a&gt; - This tool can be used to boot a system and perform a secure wipe (and it can also do disk-imaging as well). 
Download the zip file and unpack.&amp;nbsp; You can then run the makedisk.exe file to create a boot floppy or boot CD ISO file.&amp;nbsp; Burn it to disk and you are good to go.&amp;nbsp; This application provides support for accessing the connected drive via (through) the BIOS, via the BIOS (directly), via USB2 connections,&amp;nbsp; and for IEEE1394 devices.&amp;nbsp; You then have an amazing nine (9) wipe options to pick from.&amp;nbsp; From a quick 1-pass wipe, up to a 35-pass wipe.&amp;nbsp; Also included is a hardware-based wipe method for drives that support this built-in drive-wipe feature. &lt;p&gt;&lt;a href="http://www.killdisk.com/eraser.htm"&gt;Erase hard drive by Active@ KillDisk&lt;/a&gt; - This tool comes in both a “limited” free version as well as a “professional” version. The biggest limitation to me in the free version is that it only supports a one-pass zero out of the drive.&amp;nbsp; That’s enough for me!&amp;nbsp; In addition, the free version doesn’t appear to easily allow use as an off-line boot/wipe solution. Rather you would have to install the software on your main system, then attach the target drive to be wiped via USB or a free PATA/SATA connection and wipe accordingly. Not a big deal for advanced users, but might be a bit scary to less sophisticated users who could fear accidentally wiping their primary system disk.&amp;nbsp; Fear not. If you carefully read page 10 of the included PDF manual file, there is a link to a zip file that contains a pre-built ISO boot image for free users.  &lt;p&gt;If you are an advanced user and know how to build your own Windows/WinPE boot media disks, you might want to take a look at the Center for Magnetic Recording Research (CMRR)'s &lt;a href="http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml"&gt;Secure Erase (aka HDDErase)&lt;/a&gt;. 
You will have to create a boot-disk yourself then add the program file to it, or else download the &lt;a href="http://www.ultimatebootcd.com/"&gt;Ultimate Boot CD&lt;/a&gt; ISO file and burn it to disk as it contains this utility (and tons of other clever things as well).&amp;nbsp; One thing going for Secure Erase is that it also supports "enhanced secure erase" modes on supported drives.&amp;nbsp; This works to effectively render the data on a drive inaccessible in seconds by changing the in-drive encryption key.&amp;nbsp; Even though the data is still on the drive, it cannot be read/accessed as the key that interprets that data from the drive has been irrevocably changed. &lt;p&gt;&lt;a href="http://www.ultimatebootcd.com/"&gt;Ultimate Boot CD&lt;/a&gt; is an amazing bit of work. It doesn’t matter if you are an advanced sysadmin or a general PC user, this “all-in-one” project has a great collection of nine hard disk wiping tools. Scroll down the main page a bit to find the list. &lt;p&gt;&lt;a href="http://www.seagate.com/ww/v/index.jsp?locale=en-US&amp;amp;name=SeaTools&amp;amp;vgnextoid=720bd20cacdec010VgnVCM100000dd04090aRCRD"&gt;SeaTools | Seagate&lt;/a&gt; - Poke around a while and you can find the SeaTools version for your supported drive. It contains a basic drive-sanitation tool. &lt;p&gt;These additional tools are “standalone” of sorts. They may or may not work within a WinPE boot environment. However, they all should work if you choose to attach your target HDD to be wiped to your main system via a &lt;a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16812119152"&gt;USB-HDD adapter&lt;/a&gt;. &lt;p&gt;&lt;a href="http://www.roadkil.net/program.php/P14/Disk%20Wipe"&gt;Roadkil's Disk Wipe Program&lt;/a&gt; - standalone tool to point, set, and wipe a drive. Works for USB/Flash drives as well. &lt;p&gt;&lt;a href="http://private.sit.fraunhofer.de/~stotz/software/DeviceEraser/"&gt;DeviceEraser&lt;/a&gt; - standalone tool. 
Wipes both PATA/SATA drives as well as USB storage media. &lt;p&gt;&lt;a href="http://www.paehl.de/cms/dp_shredder"&gt;DP Shredder 1.5&lt;/a&gt; - Dirk Paehl tool to pick a drive, pick your passes, pick your pattern and wipe away. &lt;p&gt;&lt;a href="http://www.gaijin.at/en/dlwipedisk.php"&gt;WipeDisk&lt;/a&gt; - at Gaijin. This tool also will wipe physical and logical disks using any of 14 different wipe patterns. &lt;p&gt;&lt;a href="http://hddguru.com/software/2006.04.13-HDD-Wipe-Tool/"&gt;HDDGURU: HDD Wipe Tool&lt;/a&gt; - Supports SATA, IDE, SCSI, USB, and Firewire interfaces. It can also erase most Flash drive media. &lt;p&gt;&lt;a href="http://www.miray.de/products/sat.hdshredder.html#free"&gt;Miray Software - HDShredder&lt;/a&gt; - The free version is very limited but can do the job. The free version contains both an ISO and an IMG file to make a self-booting version, or you can run it directly in a Windows environment. The zip file contains a great PDF manual well worth reading if you decide to use this tool. &lt;p&gt;&lt;a href="http://www.sdean12.org/USBFlashTools.htm"&gt;USB Flash Tools&lt;/a&gt; by Sarah Dean has the features to secure-wipe flash memory cards as well as USB flash drives. &lt;p&gt;&lt;a href="http://diskwipe.org/"&gt;Disk Wipe&lt;/a&gt; is a newer tool under GNU-GPL free for all. It has a great GUI, built-in sector viewer, and supports several different wipe patterns for addressing USB sticks, SD cards and other portable memory devices.&amp;nbsp; This was a new discovery I found while working on this post so I’ve not field-tested it yet. Check out both the Disk Wipe User Guide and Screenshots &lt;a href="http://diskwipe.org/user_guide.php"&gt;here&lt;/a&gt;. &lt;p&gt;Finally, the TinyApps.org bloggist left a tip to a related post there on his blog: &lt;a href="http://tinyapps.org/docs/wipe_drives_hdparm.html"&gt;ATA Secure Erase (SE) and hdparm&lt;/a&gt; that bears some checking out. 
&lt;p&gt;For the pros, I’ve clearly left out all those leet Linux “live” CD/DVD distros that can off-line boot a system and then secure wipe the drive using any of many tools available under the *nix OS.&amp;nbsp; I figure if you already know about them, then you probably won’t be needing a recap of them here in this more “Windows-centric” tool post. However, if you have made it this far and have a specific distro/tool that you would like to share with us for secure wiping, please drop a line in the comments. For example, this &lt;a href="http://www.anti-forensics.com/disk-wiping-with-dcfldd"&gt;Disk Wiping with dcfldd&lt;/a&gt; at the Anti-Forensics blog post uses a Debian build. &lt;p&gt;Cheers. &lt;p&gt;Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-8979262000398548469?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/8979262000398548469/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=8979262000398548469&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8979262000398548469'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8979262000398548469'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2012/01/wipies-part-ii-full-coverage-cleaning.html' title='Wipies - Part II (Full Coverage Cleaning)'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' 
src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-8068610238772064868</id><published>2011-12-31T21:49:00.001-06:00</published><updated>2011-12-31T21:49:35.818-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Free Wipies</title><content type='html'>&lt;p&gt;New Year’s Eve is almost upon us.&amp;nbsp; Figured I’d close out 2011 with one final post.&lt;/p&gt; &lt;p&gt;Out of a recent &lt;a href="http://tinyapps.org/blog/misc/201107170700_once_is_enough.html"&gt;TinyApps.org post on drive wiping&lt;/a&gt; I followed a white-rabbit and ended up on this &lt;a href="http://www.anti-forensics.com/disk-wiping-with-dcfldd"&gt;Disk Wiping with dcfldd&lt;/a&gt; post at the Anti-Forensics blog.&lt;/p&gt; &lt;p&gt;I’m always on the lookout for tips and techniques when it comes to secure-wiping drives and the post was full of great info regarding use of the &lt;a href="http://dcfldd.sourceforge.net/"&gt;dcfldd&lt;/a&gt; tool.&lt;/p&gt; &lt;p&gt;When it comes to secure drive (whole-disk) wiping, I’ve still tended to rely on two tools in particular for their ease-of-use and convenience.&lt;/p&gt; &lt;p&gt;The first is Microsoft Windows DISKPART command &lt;a href="http://technet.microsoft.com/en-us/library/cc766465%28WS.10%29.aspx"&gt;“Clean all”&lt;/a&gt; which “specifies that each and every sector on the disk is zeroed, which completely deletes all data contained on the disk.”&lt;/p&gt; &lt;p&gt;The pro is that the command is very simple to remember and use, and when coupled with a WinPE disk, is dead-simple to effectively wipe out most all drives I encounter.&lt;/p&gt; &lt;p&gt;The second one I love is the CLI tool “wipe.exe” as found in the &lt;a href="http://gmgsystemsinc.com/fau/"&gt;Forensic Acquisition Utilities&lt;/a&gt; set by George M. 
Garner.&lt;/p&gt; &lt;p&gt;The pro about this one is that it actually includes a progress indicator so you have some degree of feedback on how far you’ve wiped.&lt;/p&gt; &lt;p&gt;I always verify my zero-out wipes when done. For that I prefer to use the sector-viewer tool &lt;a href="http://mh-nexus.de/en/hxd/"&gt;HxD&lt;/a&gt; to scan through the post-wiped drive to ensure it all comes up clean; &lt;a href="http://frhed.sourceforge.net/"&gt;Frhed - Free hex editor&lt;/a&gt; is another nice alternative.&lt;/p&gt; &lt;p&gt;I also keep a collection of secure file-wipe tools handy as well.&amp;nbsp; These are useful for when I have a personal document with sensitive info that is no longer needed, or at work where I have successfully recovered a customer’s data from a seriously crashed drive and the files were successfully restored; don’t need to keep those around on the workbench PC.&lt;/p&gt; &lt;p&gt;&lt;a href="http://portableapps.com/apps/utilities/eraserdrop_portable"&gt;EraserDrop Portable&lt;/a&gt; - PortableApps.com is an easy to use and easy-to-configure tool I find useful to manage large volumes of files/folders needing secure deletion. It is based on &lt;a href="http://www.heidi.ie/eraser/"&gt;Eraser&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;a href="http://portableapps.com/apps/utilities/eraser_portable"&gt;Eraser Portable&lt;/a&gt; - PortableApps.com - Portable software for USB, portable and cloud drives is the portable version of that tool. It is very flexible and powerful, though the interface and job/task “scheduling” might be off-putting to less advanced users. Besides handling wiping of files/folders, it also can wipe free-space on a drive.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.gaijin.at/en/dlwipefile.php"&gt;WipeFile&lt;/a&gt; over at Gaijin is a simple and basic file-wipe tool with lots of options. 
Just launch, set your wipe-preferences, and drag-n-drop your files for wiping.&amp;nbsp; See the related Gaijin tool &lt;a href="http://www.gaijin.at/en/dlwipedisk.php"&gt;WipeDisk&lt;/a&gt; as well.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.fileshredder.org/"&gt;File Shredder&lt;/a&gt; is a “new-to-me” secure-wipe tool. It is quite small and consists of two files; the main exe and a dll helper.&amp;nbsp; The interface is nice and it also includes wiping of free-space.&lt;/p&gt; &lt;p&gt;&lt;a href="http://xtort.net/freeware/xtort-software/ultrashredder/"&gt;ultrashredder&lt;/a&gt; is even smaller. Basically just drag-n-drop. While you can set the number of over-writes, you can’t set the pattern.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.paehl.de/cms/dpwipe"&gt;DPWipe 1.1&lt;/a&gt; by Dirk Paehl is similar to Ultrashredder in the GUI layout, however it does allow selection of the wipe method.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.lassekolb.info/bfacs.htm"&gt;Blowfish Advanced CS&lt;/a&gt;. This is an oldie-but-a-goodie which was the very first secure wipe (file and freespace) tool I started using back in my Win98 days. 
It probably has been surpassed by other tools listed here, but I still keep it around for fond memories.&lt;/p&gt; &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb897443"&gt;SDelete&lt;/a&gt; is Microsoft Sysinternals’ CLI tool to wipe files as well as zero-out free-space.&amp;nbsp; I like it particularly well for that second task.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.cezeo.com/products/disk-redactor/"&gt;Disk Redactor&lt;/a&gt; also handles wiping of all free space on a drive very nicely with a helpful GUI interface.&lt;/p&gt; &lt;p&gt;These are all specialized secure-wipe tools and are pretty easy and convenient to use; a few even have options to integrate into the Windows context-menu shell.&amp;nbsp; However, if you frequently use an alternative Windows file manager (like I prefer to do), more than one of them includes a handy-dandy “secure-file-wipe” option baked right in!&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.freecommander.com/"&gt;FreeCommander&lt;/a&gt; remains my #1 all-time favorite “multi-pass” tool for Windows file management. It includes a secure wipe action that performs a multi-step wipe of the selected item(s). 
You can set how many passes you want that routine to run.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.explorerplusplus.com/"&gt;Explorer++&lt;/a&gt; also includes a “destroy” option (1 or 3-pass choice) to secure delete selected files/folders.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.alterion.us/a43/"&gt;A43&lt;/a&gt; likewise includes a basic secure-destroy option.&lt;/p&gt; &lt;p&gt;&lt;a href="http://xiles.net/nexusfile/"&gt;NexusFile&lt;/a&gt; has a “shred and delete” feature.&lt;/p&gt; &lt;p&gt;&lt;a href="http://myco.yonan.ro/"&gt;My Commander&lt;/a&gt; reminds me in many ways of FreeCommander, and it does have a secure delete action.&lt;/p&gt; &lt;p&gt;Happy New Year!&lt;/p&gt; &lt;p&gt;Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-8068610238772064868?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/8068610238772064868/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=8068610238772064868&amp;isPopup=true' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8068610238772064868'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8068610238772064868'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/12/free-wipies.html' title='Free Wipies'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' 
src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-553225150958817294</id><published>2011-12-04T21:30:00.001-06:00</published><updated>2011-12-04T21:30:09.419-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Scripting'/><category scheme='http://www.blogger.com/atom/ns#' term='hacks'/><category scheme='http://www.blogger.com/atom/ns#' term='Remote Support'/><category scheme='http://www.blogger.com/atom/ns#' term='software'/><category scheme='http://www.blogger.com/atom/ns#' term='virtualization'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows 7'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='browsers'/><category scheme='http://www.blogger.com/atom/ns#' term='VBscript'/><category scheme='http://www.blogger.com/atom/ns#' term='Virtual PC'/><title type='text'>Mostly for Sysadmins and Windows Tweakers</title><content type='html'>&lt;p&gt;One last linkfest dump before I turn my attention back to a freshly arrived hardback copy of George R. R. Martin’s &lt;a href="http://en.wikipedia.org/wiki/A_Game_of_Thrones"&gt;A Game of Thrones&lt;/a&gt; to close out this dark, drizzly and fast-chilling night here on the Gulf Coast. My brother is deep into the book/HBO series and I think he runs an underground distributed book club network of sorts on it. 
Hence his gifting me this newfound wonder.&lt;/p&gt; &lt;p&gt;This linkfest is a collection of stuff mostly of interest to system administrators and Windows tweakers…your interest level may vary.&lt;/p&gt; &lt;p&gt;Looking at page hits (which I rarely do) it seems that the following posts remain all-time GSD favorites for some reason.&lt;/p&gt; &lt;p&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2008/09/blocking-ie-8-mode.html"&gt;Blocking IE 8 "InPrivate" Mode&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2009/03/blocking-ie-8-mode-updated.html"&gt;Blocking IE 8 "InPrivate" Mode – Updated&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Some folks had issues following the steps to make their own REG files to enable/disable “InPrivate” mode on their own system, so I made some myself and &lt;a href="http://grandstreamdreams.blogspot.com/2008/09/blocking-ie-8-mode.html?showComment=1267754887492#c5850884792100622590"&gt;posted the download linkage&lt;/a&gt; in the comments section.&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;I've created the registry keys myself and uploaded them to a &lt;a href="http://www.box.net/shared/b0fr5x0qg2"&gt;shared folder&lt;/a&gt; on box.net. &lt;a href="http://www.box.net/shared/b0fr5x0qg2"&gt;http://www.box.net/shared/b0fr5x0qg2&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Click that link (or copy/paste it into your browser address bar) then download the "IE8InPrivateMode-Disabled.reg" file directly to your PC.&lt;/p&gt; &lt;p&gt;&lt;br&gt;Depending on your anti-virus application it may complain as .reg files could be malicious. If you want to check, simply open it in Notepad to see that it matches what I have listed on my blog post.&lt;/p&gt; &lt;p&gt;Once you have downloaded it, right-click on the file and select the "Merge" option.&lt;br&gt;Depending on your version of Windows and the user-rights of your profile, you may have to confirm some warnings. 
If all goes well it should be added to the registry and when you re-launch IE8, you should see the option grayed out.&lt;/p&gt; &lt;p&gt;The other registry key in that folder re-enables the option. Follow the same steps and it will allow the InPrivate Mode option to work again, unless blocked differently by one of Microsoft's Family Safety programs...&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;They work on both IE 8 and IE 9, by the way, despite the posts being IE 8 centric at the time.&lt;/p&gt; &lt;p&gt;Anyway, the other day I noted this post &lt;a href="http://www.sevenforums.com/tutorials/62135-internet-explorer-inprivate-browsing-enable-disable.html"&gt;Internet Explorer InPrivate Browsing Enable or Disable&lt;/a&gt; - Windows 7 Forums.&amp;nbsp; In it, “Brink” also offered some downloadable REG files for merging into the registry.&amp;nbsp; Out of curiosity I compared them and they were pretty much the same, except that where my REG files just cover the HKEY_LOCAL_MACHINE key location, Brink’s keys cover that as well as the HKEY_CURRENT_USER key location. So basically with Brink’s you get a two-fer deal.&lt;/p&gt; &lt;p&gt;Mine or Brink’s…take your pick.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.hanselman.com/blog/HowToREALLYHurtYourselfWithPSEXECDeletingTheUndeletableRegistryKeyAndMore.aspx?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+ScottHanselman+%28Scott+Hanselman+-+ComputerZen.com%29"&gt;How to REALLY hurt yourself with PSEXEC - Deleting the Undeletable Registry Key and More&lt;/a&gt; - Scott Hanselman’s Computer Zen - Scott’s battle with an “undeletable” registry key makes for a fun read. That said, while his PsExec method worked, I’ve had fantastic success when I’ve run into similar keys on malware-infected systems by using &lt;a href="http://www.malwarebytes.org/products/regassassin"&gt;Malwarebytes : RegASSASSIN&lt;/a&gt;. 
I don’t know for sure if it would have helped in Scott’s issue, but I would try that first via the GUI it offers before dropping to the PsExec CLI work (though it is really cool). Related, for difficult-to-delete files: &lt;a href="http://www.malwarebytes.org/products/fileassassin"&gt;Malwarebytes : FileASSASSIN&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;It has been over 4 years now since I set Dad up on his Vista system at his house. In that process I ran into a challenge: how to get his and his wife’s profiles to display at different screen resolutions? She liked a relatively low resolution to see things larger, while Dad liked the highest resolution to get the best screen display quality.&amp;nbsp; In my post on my fix, &lt;a href="http://grandstreamdreams.blogspot.com/2007/11/vistaxp-quick-screen-resolution-toggle.html"&gt;Vista/XP Quick Screen Resolution Toggle Tip&lt;/a&gt;, I used &lt;a href="http://www.naughter.com/qres.html"&gt;ResSwitch &amp;amp; ResCopy&lt;/a&gt; to create custom desktop icons that let them just click-to-set the display level at their preference rather than digging into the properties each time.&amp;nbsp; So when I read this post at Windows7hacker, &lt;a href="http://www.windows7hacker.com/index.php/2011/07/how-to-set-different-screen-resolution-for-individual-user-in-windows-7"&gt;How To Set Different Screen Resolution for Individual User in Windows 7&lt;/a&gt;, I was curious.&amp;nbsp; Turns out there is a neat freeware product called &lt;a href="http://thesz.diecru.eu/content/carroll.php"&gt;Carroll&lt;/a&gt; that almost automagically can set an individual screen resolution for every user when they log in.&amp;nbsp; No more clicking desktop icons. 
And it only took 4 years to get here!&lt;/p&gt; &lt;p&gt;Just in case it keeps you up at night fretting about the text for your Windows desktop icons being underneath them, the Windows Club offers a tip on D-Color which can &lt;a href="http://www.thewindowsclub.com/display-desktop-icons-text-side-windows-7"&gt;Display Desktop icons text on the side in Windows 7&lt;/a&gt;. Now you can sleep easier.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.makeuseof.com/tag/decoding-intels-laptop-processor-list-technology-explained/"&gt;Decoding Intel’s Laptop Processor List [Technology Explained]&lt;/a&gt; - MakeUseOf blog.&amp;nbsp; Nice explanation.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.technet.com/b/deploymentguys/archive/2011/08/05/dynamic-computer-naming-in-zti-deployments-using-mdt-and-configmgr.aspx"&gt;Dynamic Computer Naming in ZTI Deployments&lt;/a&gt; - The Deployment Guys - For you Zero Touch Installation (ZTI) fans with that issue and need.&lt;/p&gt; &lt;p&gt;Any tech mystery that combines low-level Windows troubleshooting and analysis with Hello Kitty is a Must Read in my book!&amp;nbsp; Submitted for your education--seriously.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.withinwindows.com/2011/08/09/the-case-of-the-broken-hello-kitty-izmo-toy-part-1-of-2/"&gt;The case of the broken Hello Kitty IZMO toy (Part 1 of 2)&lt;/a&gt; - Within Windows blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.withinwindows.com/2011/08/13/the-case-of-the-broken-hello-kitty-izmo-toy-part-2-of-2/"&gt;The case of the broken Hello Kitty IZMO toy (Part 2 of 2)&lt;/a&gt; - Within Windows blog&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Need more standard low-level troubleshooting tips? 
How about this exercise?&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://blogs.technet.com/b/askperf/archive/2011/07/08/the-case-of-the-vanishing-print-jobs.aspx"&gt;The case of the vanishing print jobs&lt;/a&gt; - Ask the Performance Team&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;I’m not yet a Hyper-V guy, but I think it is really cool stuff and read up when I can.&amp;nbsp; I found the &lt;a href="http://4sysops.com/archives/series/hyper-v-upgrade/"&gt;Series: Hyper-V upgrade&lt;/a&gt; posts at 4sysops to be helpful stuff.&lt;/p&gt; &lt;p&gt;Tenniswood Blog serves up some awesome remote access card P0rn with a nice &lt;a href="http://www.tenniswood.co.uk/technology/windows-home-server/review-hp-microserver-remote-access-card/"&gt;Review: HP Microserver Remote Access Card&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.freewaregenius.com/2011/08/19/create-internet-bookmarks-as-browser-independent-files-on-your-desktop-with-htmtied/"&gt;Create internet bookmarks as browser-independent files on your desktop with HTMtied&lt;/a&gt; - Freewaregenius.&amp;nbsp; I’ve always found it frustrating that I can’t do this as easily as it seems I should be able to. Turns out the free tool &lt;a href="http://appliberated.com/htmtied/"&gt;HTMtied&lt;/a&gt; can assist with that process and make it a bit more bearable to do.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.msdn.com/b/virtual_pc_guy/archive/2011/07/25/how-to-fix-incorrect-logon-information-for-windows-xp-mode.aspx"&gt;How to fix incorrect logon information for Windows XP mode&lt;/a&gt; - Virtual PC Guy's Blog - Ben’s solution is pretty easy to follow and will get you running again in no time.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.technet.com/b/deploymentguys/archive/2011/08/22/windows-7-background-customization.aspx"&gt;Windows 7 Background Customization&lt;/a&gt; - The Deployment Guys blog. 
There are a number of ways to change the background image in Windows 7; doing so is a “signature tweak” I like to perform on all the systems I am asked to help set up for friends and family members; leaving them with an image that reflects their home/personality is a nice touch.&amp;nbsp; This post is a bit more technical and geared toward pushing such changes for enterprise branding and such. Still good stuff.&amp;nbsp; I personally prefer to use Julien Manici’s free &lt;a href="http://www.julien-manici.com/windows_7_logon_background_changer/"&gt;Windows 7 Logon Background Changer&lt;/a&gt; but there is also the &lt;a href="http://tweaks.com/software/tweakslogon/"&gt;Tweaks.com Logon Changer for Microsoft Windows 7&lt;/a&gt; and the &lt;a href="http://win7vista.com/index.php?topic=19826.0"&gt;Windows 7 Logon Screen Tweaker 1.5&lt;/a&gt;. Many Windows 7 tweaking suites also include this feature.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.windows7hacker.com/index.php/2011/08/free-download-preassembled-windows-7-vista-and-xp-vpc-images-from-microsoft"&gt;FREE Download Preassembled Windows 7, Vista, and XP VPC Images From Microsoft&lt;/a&gt; - Windows7hacker. I try to always keep the latest versions of these handy for ad-hoc testing in Virtual PC. Although at home we now exclusively run Windows 7, there may be times when I want to trial something in XP or Vista. Rather than dual-booting or keeping another physical test-bed around, I just fire up one of these in a virtual session and away we go! 
They do have some operational limits baked in, but nothing that should be too much of a headache if you use ’em regularly.&lt;/p&gt; &lt;p&gt;&lt;a href="http://4sysops.com/archives/free-delprof2-reliably-delete-a-user-profile/"&gt;FREE: Delprof2 – Reliably delete a user profile&lt;/a&gt; - As reviewed by 4sysops.&amp;nbsp; Seriously, if you ever deal with Windows user profiles and occasionally delete them, you really need to refresh yourself on this post as well as the great freeware tool &lt;a href="http://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/"&gt;Delprof2&lt;/a&gt;.&amp;nbsp; While you are there, check out some of the other cool &lt;a href="http://helgeklein.com/free-tools/"&gt;Free Tools from Helge Klein&lt;/a&gt; such as &lt;a href="http://helgeklein.com/blog/2009/11/how-to-easily-monitor-system-performance-with-the-new-diskled-1-1/"&gt;DiskLED&lt;/a&gt; and &lt;a href="http://helgeklein.com/blog/2008/05/free-tool-list-registry-links-reg_link/"&gt;ListRegistryLinks&lt;/a&gt;, which could be handy when doing some incident response work.&lt;/p&gt; &lt;p&gt;&lt;a href="http://support.moonpoint.com/blog/blosxom/2011/09/25#InstalledPrograms"&gt;MoonPoint Support Weblog - List Installed Programs&lt;/a&gt; - This post tips us to a &lt;a href="http://billsway.com/vbspage/"&gt;Bill James VBScript script, InstalledPrograms.vbs&lt;/a&gt;&lt;code&gt;&lt;font face="Trebuchet MS"&gt; which when run from the command line prompts for an IP or PC name to remotely check for installed software (or leave blank to check your own). 
Save the resulting text file for review.&amp;nbsp; There are a number of “system audit” programs that can do something similar for local systems, but this is the first I’ve seen quite like this.&amp;nbsp; For generating a list of installed Windows programs on a local machine for reporting purposes and review, I prefer Nir Sofer’s &lt;a href="http://www.nirsoft.net/utils/myuninst.html"&gt;MyUninstaller&lt;/a&gt; which seems to be significantly faster than Add/Remove Programs (XP) or Programs and Features (Win7) anyway for adding and removing programs. With MyUninstaller, after running I just select all and save the file in whatever supported format I prefer (usually tab-delimited).&lt;/font&gt;&lt;/code&gt;&lt;/p&gt; &lt;p&gt;&lt;code&gt;&lt;font face="Trebuchet MS"&gt;Cheers,&lt;/font&gt;&lt;/code&gt;&lt;/p&gt; &lt;p&gt;&lt;code&gt;&lt;font face="Trebuchet MS"&gt;--Claus V.&lt;/font&gt;&lt;/code&gt;&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-553225150958817294?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/553225150958817294/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=553225150958817294&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/553225150958817294'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/553225150958817294'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/12/mostly-for-sysadmins-and-windows.html' title='Mostly for Sysadmins and Windows Tweakers'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-3731636749790864483</id><published>2011-12-04T15:24:00.001-06:00</published><updated>2011-12-04T15:25:38.977-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting'/><category scheme='http://www.blogger.com/atom/ns#' term='viruses'/><category scheme='http://www.blogger.com/atom/ns#' term='browsers'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Check Carefully before Surfing (for safest performance)</title><content type='html'>&lt;p&gt;&lt;img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh5.ggpht.com/-3KltaUMBAik/TtvlUY2IgoI/AAAAAAAAA7g/U_PvBEy0FXI/image%25255B1%25255D.png?imgmax=800" width="640" height="232"&gt;&lt;/p&gt; &lt;p align="right"&gt;&lt;font size="1"&gt;cc image credit: &lt;/font&gt;&lt;a href="http://www.flickr.com/photos/surfingcal/3975438481/"&gt;&lt;font size="1"&gt;flickr image by surfcrs&lt;/font&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;There’s been a lot of movement in the browser plugin world lately.&lt;/p&gt; &lt;p&gt;Based on the number of home-user systems I’ve had the “pleasure” of cleaning recently, it seems that the overwhelming infection vector is out-dated and vulnerable browser plugins. Nothing like an older version of Flash or Java to bring the sweet stench of PC decay and meltdown to a system.&lt;/p&gt; &lt;p&gt;Need more reading?&lt;/p&gt; &lt;p&gt;&lt;a href="http://journeyintoir.blogspot.com/2011/11/linkz-4-exploits-to-malware.html"&gt;Linkz 4 Exploits to Malware &lt;/a&gt;- Journey Into Incident Response. 
Cory writes in that post…&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Over the past year I’ve been conducting research to document attack vector artifacts. Vulnerabilities and the exploits that target them are one component to an attack vector. Some may have noticed I initially focused most of my efforts on vulnerabilities present in Adobe Reader and Java. I didn’t pick those applications by flipping a coin or doing “eeny, meeny, miny, moe”. It is not a coincidence I’m seeing exploit artifacts left on systems that target those applications. This has occurred because I pick vulnerabilities based on the exploits contained in exploit packs.&lt;/p&gt; &lt;p&gt;Exploit packs are &lt;a href="http://blog.zeltser.com/post/1410922437/what-are-exploit-kits"&gt;toolkits that automate the exploitation of client-side vulnerabilities&lt;/a&gt; such as browsers, Adobe Reader, and Java. Mila Parkour over at Contagio &lt;a href="http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html"&gt;maintains an excellent spreadsheet outlining the exploits available in different exploit packs&lt;/a&gt; on the market. The reference by itself is really informative.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;a href="http://www.h-online.com/security/news/item/Java-is-the-largest-malware-target-according-to-Microsoft-1387528.html"&gt;Java is the largest malware target according to Microsoft&lt;/a&gt; - The H Security: News and Features&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;…it is not only exploits of old vulnerabilities that should concern Java users. As has been pointed out on &lt;em&gt;&lt;a href="http://krebsonsecurity.com/2011/11/new-java-attack-rolled-into-exploit-kits/"&gt;Krebs on Security&lt;/a&gt;&lt;/em&gt;, a new exploit has emerged that is being built into automated attack tools. The critical vulnerability that this attacks has been addressed in an update, but only the very latest versions of Java are safe from this new exploit. 
If users are being slow at updating, very large numbers of them are likely to be at risk from this exploit.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;a href="http://blogs.technet.com/b/security/archive/2011/11/28/millions-of-java-exploit-attempts-the-importance-of-keeping-all-software-up-to-date.aspx"&gt;Millions of Java Exploit Attempts: The Importance of Keeping All Software Up To Date&lt;/a&gt; - Microsoft Security Blog. Tim Rains comments…&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Many of the more commonly exploited Java vulnerabilities are several years old, and have had security updates available for them for years. This illustrates that once attackers develop or buy the capability to exploit a vulnerability, they continue to use the exploit for years, presumably because they continue to get a positive return on investment.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;While the latest versions of Flash and Java do seem to offer self-update checking ability, it has been my experience that those auto-updaters don’t always check as frequently as they should, or may not even offer an update as soon as it is available.&amp;nbsp; Don’t even get me started on Adobe Reader.&amp;nbsp; These features are improvements, but even when they do work, they still require the user to notice the update offer and respond correctly to get the version bump.&lt;/p&gt; &lt;p&gt;At the bare minimum it is good practice to regularly hop over to Secunia and run their free, web-based &lt;a href="http://secunia.com/vulnerability_scanning/online/"&gt;Secunia Online Software Inspector (OSI)&lt;/a&gt;.&amp;nbsp; Hit the page, hit the green “Start” button, let Java do its thing and scan your system for insecure versions of software.&lt;/p&gt; &lt;p&gt;If you or a user can’t remember to regularly do that, Secunia also offers a more robust, installable version of their free&lt;a href="http://secunia.com/vulnerability_scanning/personal/"&gt; Personal Software Inspector (PSI)&lt;/a&gt;. 
This one will run as a service on your system, constantly checking for, and offering recommendations on fixing, critically insecure applications.&lt;/p&gt; &lt;p&gt;For my own update check-ins I regularly visit the FileHippo.com &lt;a href="http://filehippo.com/software/internet/plugins/"&gt;Plugins Downloads&lt;/a&gt; site.&amp;nbsp; It’s just easier that way. (If you do RSS they also have a &lt;a href="http://filehippo.com/software/internet/plugins/rss/"&gt;Browser Plug-ins Category Updates Feed&lt;/a&gt;). Please be aware that they will often include and/or only offer the very latest versions of these plugins, which may be in “beta” or non-mainstream channel release. Update according to your comfort level.&lt;/p&gt; &lt;p&gt;In particular, some of the latest Flash 11 versions tagged “Beta” may result in &lt;a href="http://forums.adobe.com/thread/797926"&gt;moderately obtrusive “watermarking” of its beta/incubator status&lt;/a&gt; in certain Flash windows displays (most notably to me, YouTube windows). Not necessarily a deal-breaker, but FYI if you run into it.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://filehippo.com/download_adobe_air/"&gt;Adobe Air&lt;/a&gt; - FileHippo mirror site.  &lt;li&gt;&lt;a href="http://filehippo.com/download_flashplayer/"&gt;Flash Player&lt;/a&gt; - FileHippo mirror site. (be sure to get both the IE “ActiveX” and the “Non-IE” versions)  &lt;li&gt;&lt;a href="http://filehippo.com/download_shockwave/"&gt;Shockwave Player&lt;/a&gt; - FileHippo mirror site.  &lt;li&gt;&lt;a href="http://filehippo.com/download_jre/"&gt;Java Runtime Environment&lt;/a&gt; - FileHippo mirror site. (if you run x64, grab and install both the x32 and x64 versions)&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;If you prefer the “official source only” path, then here you go.  
&lt;ul&gt; &lt;li&gt;&lt;a href="http://www.adobe.com/software/flash/about/"&gt;Adobe - Flash Player Version&lt;/a&gt; - This page will tell you what version of Flash you are running and what the latest versions are.  &lt;li&gt;&lt;a href="http://get.adobe.com/flashplayer/"&gt;Adobe - Install Adobe Flash Player&lt;/a&gt; - Note depending on your browser usage, you may need to check the page in both IE and Firefox to get all the platform versions you need.  &lt;li&gt;&lt;a href="http://kb2.adobe.com/cps/191/tn_19166.html#main_ManualInstaller"&gt;Troubleshoot Flash Player installation | Windows&lt;/a&gt; - Links to both the update page as well as the direct manual download links for most current level of both versions; &lt;a href="http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe"&gt;Flash Player 10 ActiveX&lt;/a&gt; and &lt;a href="http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe"&gt;Flash Player 10 Plugin&lt;/a&gt;.  &lt;li&gt;&lt;a href="http://www.adobe.com/shockwave/welcome/"&gt;Adobe - Test Adobe Shockwave Player&lt;/a&gt; - this page will play and display a Shockwave file which then tells you your currently installed version of Shockwave.&amp;nbsp; Write it down then go to this page &lt;a href="http://get.adobe.com/shockwave/"&gt;Adobe - Adobe Shockwave Player&lt;/a&gt; to see what the latest version actually is.&amp;nbsp; If this one is newer, download and install (just watch out for the offered “bonus” software install and uncheck the box if you don’t want it.  
&lt;li&gt;To confirm you have the freshest Java beans, pop over to this &lt;a href="http://java.com/en/download/installed.jsp"&gt;Verify Java Version&lt;/a&gt; page and see what fortune you get.&amp;nbsp; Need an update?&amp;nbsp; Well then my bedraggled friend, stop in at &lt;a href="http://java.com/en/download/manual.jsp"&gt;All Java Downloads&lt;/a&gt; to pick from the buffet.&amp;nbsp; You likely will be focusing on the Windows 32-bit and 64-bit versions. To keep it simple, you just need to check in at &lt;a href="http://www.java.com/en/download/index.jsp"&gt;Download Free Java Software&lt;/a&gt;.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;For information on the next levels of Java and Flash you may want to check out these links:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.betanews.com/article/Adobe-releases-Flash-11-and-Air-3-betas/1310693921?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+bn+%28Betanews+Full+Content+Feed+-+BN%29"&gt;Adobe releases Flash 11 and Air 3 betas&lt;/a&gt; - BetaNews  &lt;li&gt;&lt;a href="http://arstechnica.com/web/news/2011/07/first-flash-11-beta-brings-64-bit-support-to-linux-finally.ars"&gt;First Flash 11 beta brings 64-bit support to Linux... 
finally&lt;/a&gt; - ArsTechnica  &lt;li&gt;&lt;a href="http://isc.sans.edu/diary.html?storyid=11275"&gt;Java 7.0 released.&lt;/a&gt; - SANS ISC Diary post  &lt;li&gt;&lt;a href="http://www.oracle.com/technetwork/java/javase/downloads/index.html"&gt;Java SE 7 Update 1 Released &lt;/a&gt;- Oracle download page&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;More stuff:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://get.adobe.com/flashplayer/otherversions/"&gt;Install a different version of Adobe Flash Player&lt;/a&gt; - Adobe  &lt;li&gt;&lt;a href="http://kb2.adobe.com/cps/142/tn_14266.html"&gt;Archived Flash Player versions&lt;/a&gt; - Adobe  &lt;li&gt;&lt;a href="http://kb2.adobe.com/cps/839/cpsid_83950.html#main_I_am_a_developer__designer__or_advanced_user_that_creates_or_tests_Flash_content__How_can_I_run_debugger_or_alternate_versions_of_Flash_Player_in_Google_Chrome_"&gt;I am a developer, designer, or advanced user that creates or tests Flash content. How can I run debugger or alternate versions of Flash Player in Google Chrome?&lt;/a&gt; - Adobe&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Looking for older Java 6.0.x or Flash 10.3.x series downloads from FileHippo? 
This can be an issue, as they only seem to offer the latest Java 7.0x and Flash 11.x (betas) from their pages.&lt;/p&gt; &lt;p&gt;The trick is to just hop to one of these older pages and check the right sidebar, which lists the older versions you are looking for.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.filehippo.com/download_flashplayer_ie/10639/"&gt;Download Flash Player 10.3.183.10 (IE) - FileHippo.com&lt;/a&gt;  &lt;li&gt;&lt;a href="http://www.filehippo.com/download_flashplayer_firefox/10640/"&gt;Download Flash Player 10.3.183.10 (Non-IE) - FileHippo.com&lt;/a&gt;  &lt;li&gt;&lt;a href="http://www.filehippo.com/download_jre_32/10808/"&gt;Download Java Runtime Environment 1.6.0.29 (32-bit) - FileHippo.com&lt;/a&gt;  &lt;li&gt;&lt;a href="http://www.filehippo.com/download_jre_64/10809/"&gt;Download Java Runtime Environment 1.6.0.29 (64-bit) - FileHippo.com&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Just like a surfer maintains their board with wax to keep it protected and performing well before hitting the waves, a responsible web-surfer needs to keep their browser plugins patched and fresh before hitting the Web.&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-3731636749790864483?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/3731636749790864483/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=3731636749790864483&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/3731636749790864483'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/3731636749790864483'/><link 
rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/12/check-carefully-before-surfing-for.html' title='Check Carefully before Surfing (for safest performance)'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh5.ggpht.com/-3KltaUMBAik/TtvlUY2IgoI/AAAAAAAAA7g/U_PvBEy0FXI/s72-c/image%25255B1%25255D.png?imgmax=800' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-5493419426954541289</id><published>2011-12-04T14:13:00.001-06:00</published><updated>2011-12-04T14:13:42.120-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='anti-virus software'/><category scheme='http://www.blogger.com/atom/ns#' term='malware tools'/><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Win PE'/><category scheme='http://www.blogger.com/atom/ns#' term='boot-cd&apos;s'/><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='viruses'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Quick Malware Notes, Incident Response, and 00-outs</title><content type='html'>&lt;p&gt;A while back after dealing with some heavily malware-infected systems, I wrote a followup post &lt;a href="http://grandstreamdreams.blogspot.com/2011/06/anti-malware-tools-of-note.html"&gt;Anti-Malware Tools of Note&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Since that time, a few other bits and bytes have come across my desk so I thought I would supplement it slightly.&lt;/p&gt; &lt;p&gt;TinyApps bloggist brings our attention to and a 
recommendation for a “new” &lt;a href="http://tinyapps.org/blog/windows/201107020715_standalone_and_bootable_antimalware.html"&gt;Free standalone and bootable antimalware&lt;/a&gt; that has ranked very high on Virus Bulletin’s &lt;a href="http://www.virusbtn.com/vb100/rap-index.xml"&gt;VB100 comparative tests&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;That tool is &lt;a href="http://www.escanav.com/english/content/products/MWAV/escan_mwav.asp"&gt;eScanAV Anti-Virus Toolkit (MWAV)&lt;/a&gt; which is also available in a standalone &lt;a href="http://www.escanav.com/english/content/company/technologies/escan_rescue_disk.asp"&gt;eScan Rescue Disk&lt;/a&gt; format as well.&amp;nbsp; Registration is requested to access the download link, however the tools are free.&lt;/p&gt; &lt;p&gt;It is similar in many ways to &lt;a href="http://www.microsoft.com/security/scanner/en-us/default.aspx"&gt;Microsoft Safety Scanner&lt;/a&gt; which I previously &lt;a href="http://grandstreamdreams.blogspot.com/2011/06/anti-malware-tools-of-note.html"&gt;wrote&lt;/a&gt; about:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Being a “standalone” tool of sorts, it can be run in the WinPE environment or on the “live” system.&amp;nbsp; The trick in WinPE is to make sure your WinPE build has a large scratch-space value.&amp;nbsp; Check out this 4sysops post &lt;a href="http://4sysops.com/archives/offline-antivirus-how-to-run-microsoft-safety-scanner-on-windows-pe-3-0/"&gt;Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0&lt;/a&gt; for more details. &lt;p&gt;I do understand that for some folks, the thought of making a custom-spun WinPE boot tool could be quite intimidating.&amp;nbsp; With that in mind, you will want to keep a copy of the &lt;a href="http://connect.microsoft.com/systemsweeper"&gt;Microsoft Standalone System Sweeper Beta&lt;/a&gt; handy.&amp;nbsp; Of course you will need an uninfected “host” system to create the tool. 
Download the “builder” utility in either x32 or x64 flavor depending on your hardware and choose a blank CD, DVD, or USB drive with at least 250 MB of space. Execute the tool and build-away. &lt;p&gt;Of course, you may want to do more with this plain-Jane WinPE build than it lets you.&amp;nbsp; And you can if you know the tricks our dear TinyApps bloggist posts in his &lt;a href="http://tinyapps.org/blog/windows/201105300715_extending_msss.html"&gt;Extending Microsoft Standalone System Sweeper&lt;/a&gt; tips.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Michael Pietroforte has some more related details of his own in his 4Sysops post &lt;a href="http://4sysops.com/archives/free-microsoft-standalone-system-sweeper-standalone-antivirus-software/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+4sysops+%284sysops%29"&gt;FREE: Microsoft Standalone System Sweeper – Standalone antivirus software&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Back in my “younger” days of malware response, tool sets were pretty limited and there seemed to be just a few strong “antimalware” package tools available. One of those I depended on was &lt;a href="http://www.safer-networking.org/en/spybotsd/index.html"&gt;Spybot-Search &amp;amp; Destroy&lt;/a&gt;.&amp;nbsp; As my skills got sharper and my toolsets became more focused due to the advances in malware, I gradually drifted away from using it regularly.&amp;nbsp; I was pleased recently to find that they are still kicking strong and have recently made available &lt;a href="http://www.safer-networking.org/en/news/2011-10-06.html"&gt;Spybot Search &amp;amp; Destroy 2.0 Beta 4&lt;/a&gt; for public download and testing.&amp;nbsp; This version offers “Live Protection” by default, performance improvements, and Explorer shell integration.&amp;nbsp; Check it out!&lt;/p&gt; 
&lt;p&gt;The ISC Diary handler Chris Mohan posted &lt;a href="http://isc.sans.edu/diary/Safer+Windows+Incident+Response/11173"&gt;Safer Windows Incident Response&lt;/a&gt; with a reminder of the dangers of incident-response handler cross-contamination when working on a potentially compromised system.&lt;/p&gt; &lt;p&gt;Windows Incident Response bloggist Keydet89 has some good tips, and touches on incident response items in his &lt;a href="http://windowsir.blogspot.com/2011/12/new-stuff.html"&gt;New Stuff&lt;/a&gt; post from just a few days ago.&lt;/p&gt; &lt;p&gt;Specifically he calls out Corey Harrell’s Journey Into Incident Response blog post &lt;a href="http://journeyintoir.blogspot.com/2011/11/linkz-4-exploits-to-malware.html"&gt;Linkz 4 Exploits to Malware&lt;/a&gt;. In it, Corey gives some perspectives on Harlan’s &lt;a href="https://docs.google.com/document/d/1he5PQlLxWaEU_BsWGU0w8o14gYnYcZ6IiqHP0Gvu6MM/edit?pli=1"&gt;Malware Detection Checklist&lt;/a&gt;.&amp;nbsp; Checklists like this are a great starting point for incident response.&amp;nbsp; Granted, every situation is different, and the hardware, software, and network topology that you operate in may require much fine-tuning to dial it in for the best signal-to-noise ratio. But that’s the point: take the time to develop a structured incident response plan/checklist and the investment will pay off when the stress is on, helping guide you and ensuring no stone gets left unturned.&lt;/p&gt; &lt;p&gt;Corey goes on to address alternatives for finding malware, mentioning Mark Morgan over at My Stupid Forensic Blog discussing &lt;a href="https://marksforensicblog.wordpress.com/2011/11/29/how-to-identify-malware-behavior/"&gt;How to Identify Malware Behavior&lt;/a&gt;.&amp;nbsp; He then leads over to touch on malware analysis via the Hexacorn blog’s post &lt;a href="http://www.hexacorn.com/blog/?p=76"&gt;Automation vs. In-depth Malware Analysis&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;Both Corey’s post and the referenced links reminded me of Mark Russinovich’s most excellent material &lt;a href="http://blogs.technet.com/b/sysinternals/archive/2011/08/16/updates-procdump-v4-0-process-monitor-v2-96-process-explorer-v15-02-mark-s-blog-the-case-of-the-hung-game-launcher-and-zero-day-malware-cleaning-with-the-sysinternals-tools.aspx"&gt;recently posted&lt;/a&gt; at the Sysinternals Site Discussion pages:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;a href="http://download.sysinternals.com/Files/SysinternalsMalwareCleaning.pdf"&gt;Zero Day Malware Cleaning with the Sysinternals Tools&lt;/a&gt; (link to PDF): Mark has posted the slides from the highly-attended and well received Blackhat 2011 Workshop he delivered last week, Zero Day Malware Cleaning with the Sysinternals Tools, which demonstrates how to use the Sysinternals tools to hunt down and eliminate malware.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;The team at Mandiant really lead the way in the IR community as well. Not only is their business based on incident response, they continue to offer great &lt;a href="http://www.mandiant.com/products/free_software"&gt;MANDIANT: Free Software&lt;/a&gt; to the IR community. Those tools aid in detection, analysis, and reporting of all kinds of bad things.&lt;/p&gt; &lt;p&gt;TZWorks also offers a great selection of specialized (and free) &lt;a href="http://tzworks.net/download_links.php"&gt;Prototype Downloads for Forensic tools&lt;/a&gt; covering areas such as &lt;a href="http://tzworks.net/download_links.php#art"&gt;Artifact Analysis&lt;/a&gt;, &lt;a href="http://tzworks.net/download_links.php#reg"&gt;Registry/Event Analysis&lt;/a&gt;, &lt;a href="http://tzworks.net/download_links.php#ntfs"&gt;NTFS Analysis&lt;/a&gt;, &lt;a href="http://tzworks.net/download_links.php#net"&gt;Network Utilities&lt;/a&gt;, and &lt;a href="http://tzworks.net/download_links.php#pe"&gt;PE Utilities&lt;/a&gt;. And they come in both 32- and 64-bit flavors!&lt;/p&gt; 
&lt;p&gt;To borrow a concept from the &lt;a href="http://en.wikipedia.org/wiki/PDCA"&gt;PDCA&lt;/a&gt; process, incident response needs to be seen as a continual process; plan for incident detection, do the incident response, check &amp;amp; study your response and findings, and act on that knowledge to improve your future responses.&amp;nbsp; All of the items mentioned in the links above can contribute to that process. &lt;p&gt;For a good read, take a look at F-Secure’s post &lt;a href="http://www.f-secure.com/weblog/archives/00002226.html"&gt;How we found the file that was used to Hack RSA&lt;/a&gt;. This is a fantastic example of not being satisfied with the initial response and mitigation, but going the extra mile to hunt down the actual file used in the RSA attack.&amp;nbsp; In doing so, they discover that while the attack plan may have been quite specialized, the actual attack vector wasn’t so much. &lt;p&gt;TinyApps bloggist pulls some most excellent fresh finds in considering the question &lt;a href="http://tinyapps.org/blog/misc/201107170700_once_is_enough.html"&gt;Is it possible to recover data from a drive overwritten with zeros once?&lt;/a&gt;&amp;nbsp; The conclusion of all the linkage sources provided still seems to be pretty much “Nope!”. From the post: &lt;blockquote&gt; &lt;p&gt;Daniel Feenberg's &lt;i&gt;&lt;a href="http://www.nber.org/sys-admin/overwritten-data-guttman.html"&gt;Can Intelligence Agencies Read Overwritten Data?&lt;/a&gt;&lt;/i&gt; and Craig Wright's &lt;i&gt;&lt;a href="http://computer-forensics.sans.org/blog/2009/01/15/overwriting-hard-drive-data/"&gt;Overwriting Hard Drive Data&lt;/a&gt;&lt;/i&gt; are. For those who are still confused (or are just fond of pictures), see &lt;i&gt;&lt;a href="http://www.anti-forensics.com/disk-wiping-one-pass-is-enough-part-2-this-time-with-screenshots"&gt;Disk Wiping - One Pass is Enough - Part 2 (this time with screenshots)&lt;/a&gt;&lt;/i&gt;. 
&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;(Note: that last post link, as well as an unreferenced Part I post, &lt;a href="http://www.anti-forensics.com/disk-wiping-one-pass-is-enough"&gt;Disk Wiping – One Pass is Enough&lt;/a&gt;, are both from the &lt;a href="http://www.anti-forensics.com/blog"&gt;Anti-Forensics&lt;/a&gt; blog.)&lt;/p&gt; &lt;p&gt;I’ve also touched on the subject of secure disk wiping here at GSD in a series of posts:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2007/11/secure-disk-wiping-software.html"&gt;Secure Disk-wiping Software&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2009/03/partition-and-disk-management-part-iv.html"&gt;Partition and Disk Management: Part IV – Secure Wiping&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2009/04/secure-drive-wiping-postscript.html"&gt;Secure Drive Wiping postscript…&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2009/01/security-and-forensics-roundup-4-eyes.html"&gt;Security and Forensics Roundup #4: Eyes on you&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;It was in that last post that I mentioned the following:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;I read with curiosity the following posts:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.securityfocus.com/brief/888?ref=rss"&gt;Single drive wipe protects data, research finds&lt;/a&gt; – SecurityFocus&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.heise-online.co.uk/security/Secure-deletion-a-single-overwrite-will-do-it--/news/112432"&gt;Secure deletion: a single overwrite will do it&lt;/a&gt; - heise Security UK&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;With the exception of the &lt;a href="http://www.google.com/url?sa=U&amp;amp;start=1&amp;amp;q=http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf&amp;amp;ei=aylySY-YM4mS-gaYnIj-Bg&amp;amp;usg=AFQjCNHi8hp8PTLiIE7UK7wlTDVN2wbIsQ"&gt;Data Sanitization Tutorial&lt;/a&gt; (PDF-link) written by the University of 
California at San Diego &lt;a href="http://cmrr.ucsd.edu/index.shtml"&gt;Center for Magnetic Recording Research&lt;/a&gt;, I haven’t seen very many other official-grade research papers that detail just how effective a single-pass bit-wipe of a drive is in comparison to a 3-pass or even a 35-pass wipe.&amp;nbsp; Now there’s a new research paper on the block &lt;a href="http://www.springerlink.com/content/408263ql11460147/"&gt;Overwriting Hard Drive Data: The Great Wiping Controversy&lt;/a&gt; that seeks to dispel the mythos surrounding multi-pass wipes.  &lt;p&gt;From the heise Security link: &lt;/p&gt;&lt;/blockquote&gt; &lt;ul&gt; &lt;ul&gt; &lt;li&gt;Craig Wright, a forensics expert, claims to have put this legend finally to rest. He and his colleagues ran a scientific study to take a close look at hard disks of various makes and different ages, overwriting their data under controlled conditions and then examining the magnetic surfaces with a magnetic-force microscope. They presented their paper at &lt;a href="http://seclab.cs.sunysb.edu/iciss08/"&gt;ICISS 2008&lt;/a&gt; and it has been published by Springer AG in its &lt;em&gt;Lecture Notes in Computer Science&lt;/em&gt; series (Craig Wright, Dave Kleiman, Shyaam Sundhar R. S.: &lt;a href="http://www.springerlink.com/content/408263ql11460147/"&gt;Overwriting Hard Drive Data: The Great Wiping Controversy&lt;/a&gt;). &lt;/li&gt; &lt;li&gt;They concluded that, after a single overwrite of the data on a drive, whether it be an old 1-gigabyte disk or a current model (at the time of the study), the likelihood of still being able to reconstruct anything is practically zero. Well, OK, not quite: a single bit whose precise location is known can in fact be correctly reconstructed with 56 per cent probability (in one of the quoted examples). To recover a byte, however, correct head positioning would have to be precisely repeated eight times, and the probability of that is only 0.97 per cent. 
Recovering anything beyond a single byte is even less likely.&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt; &lt;blockquote&gt; &lt;p&gt;The &lt;a href="http://www.springerlink.com/content/408263ql11460147/"&gt;actual paper itself&lt;/a&gt; must be accessed for $ or bought via a book, however the author kindly repackaged the research paper in a recent post at SANS Computer Forensics blog.&amp;nbsp; The details there should be sufficient for most mortals.  &lt;p&gt;&lt;a href="http://computer-forensics.sans.org/blog/2009/01/15/overwriting-hard-drive-data/"&gt;Overwriting Hard Drive Data – Dr. Craig Wright,&lt;/a&gt; SANS Computer Forensics, Investigation, and Response blog &lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Cheers! &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-5493419426954541289?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/5493419426954541289/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=5493419426954541289&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/5493419426954541289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/5493419426954541289'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/12/quick-malware-notes-incident-response.html' title='Quick Malware Notes, Incident Response, and 00-outs'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' 
src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-5403131615979113403</id><published>2011-12-03T13:21:00.001-06:00</published><updated>2011-12-03T13:21:25.126-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NFAT'/><category scheme='http://www.blogger.com/atom/ns#' term='malware tools'/><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>Network Tool Notes</title><content type='html'>&lt;p&gt;Here is a brief collection of network-related tools and utilities that have been gathered in this past week.&lt;/p&gt; &lt;p&gt;&lt;a href="http://nmap.org/download.html"&gt;Nmap Security Scanner for Linux/MAC/UNIX or Windows&lt;/a&gt; - latest stable version now at 5.51 and development version at 5.61. &lt;a href="http://nmap.org/changelog.html"&gt;Changelog&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/"&gt;PuTTY: a free telnet/ssh client&lt;/a&gt; - version 0.61 released a few months ago and 0.62 “pre-release” build also now available with some bug fixes. Spotted via &lt;a href="http://isc.sans.edu/diary.html?storyid=11197"&gt;ISC Diary post&lt;/a&gt;. 
4 years is a long wait for a bump…&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.hanselman.com/blog/HowToConnectToAWirelessWIFINetworkFromTheCommandLineInWindows7.aspx"&gt;How to connect to a Wireless WIFI Network from the Command line in Windows 7&lt;/a&gt; - Scott Hanselman - just because mixing WiFi and CLI is cool.&amp;nbsp; See also Scott’s &lt;a href="http://www.hanselman.com/blog/UpdatedFor2011McDonaldsWiFiGuideWithUpdatesForMacOSXLionAndWindows7.aspx"&gt;Updated for 2011 - McDonald's WiFi Guide with updates for Mac OS X Lion and Windows 7&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://msdn.microsoft.com/en-us/library/aa369853(VS.85).aspx"&gt;Wireless Profile Samples&lt;/a&gt; - MSDN WiFi XML profile samples and info on the &lt;a href="Http://go.microsoft.com/FWLink/?LinkId=120964"&gt;Netsh Commands for Wireless Local Area Network (wlan)&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.sevenforums.com/tutorials/142442-wireless-network-profile-backup-restore.html"&gt;Wireless Network Profile - Backup and Restore&lt;/a&gt; - Windows 7 Forums - Tips on backing up and restoring your WiFi profiles on Win7.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.microsoft.co.il/blogs/shair/archive/2011/06/11/wifi-network-backup-manager-utility.aspx"&gt;Wifi Network Backup Manager Utility&lt;/a&gt; - Shai Raiten - Small and easy tool to assist with the above processes, if it helps you a bit.&lt;/p&gt; &lt;p&gt;&lt;a href="http://jacquelin.potier.free.fr/networkstuff/"&gt;Network Stuff&lt;/a&gt; - A ton of specialized network tools bundled up in a single free utility.&amp;nbsp; Spotted in this BetaNews post: &lt;a href="http://www.betanews.com/article/Network-Stuff-More-Internet-tools-than-youll-likely-ever-use/1312829763?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+bn+%28Betanews+Full+Content+Feed+-+BN%29"&gt;Network Stuff: More Internet tools than you'll likely ever use&lt;/a&gt;.&amp;nbsp; The developer offers a number of other interesting tools as 
well worth looking into - &lt;a href="http://jacquelin.potier.free.fr/index.php"&gt;Dev Stuff&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.netscantools.com/freeware.html"&gt;NorthWest Performance Software, Inc. - Network Freeware Tools&lt;/a&gt; - This company provides quite a collection of free network tools such as the following:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.netscantools.com/nstbasicmain.html"&gt;NetScanTools® Basic Edition&lt;/a&gt; - DNS Tools, Ping, Graphical Ping, Traceroute, Ping Scanner, Whois&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.netscantools.com/ipv6scopefinder.html"&gt;IPv6ScopeFinder&lt;/a&gt; - Displays ScopeID, status, Interface Type, IPv6 &amp;amp; IPv4 addresses, Interface Name.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.netscantools.com/freeware.html#tabs-3"&gt;IPtoMAC&lt;/a&gt; - can find the MAC Address of any IPv4 device on the local network.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.netscantools.com/freeware.html#tabs-4"&gt;ENUMresolver&lt;/a&gt; - “A freeware program designed to query your default DNS for the ENUM NAPTR mapping between a telephone number and a SIP, H323, IAX2 or other URI. Use with VOIP systems to check your e.164 or freenum or other mappings. This program queries each default DNS assigned to your system using the e164.arpa or other root tree for the corresponding NAPTR records and displays them.” That’s pretty cool.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;a href="http://www.pkostov.com/software.html"&gt;Peter Kostov's software for networkers&lt;/a&gt; - amazing freeware collection.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.pkostov.com/ip_workshop2.html"&gt;IP Workshop Rel. 2&lt;/a&gt; - Super Beefy IP calculation tool that should probably be in every network jockey’s saddle-bag. 
Bundles tools that include Subnet Mask viewer, network calculator, Subnet Mask charting, and more.&amp;nbsp; Similar vendor freeware tools can be found from &lt;a href="http://www.wildpackets.com/resources/free_utilities/ipsubnetcalc"&gt;IP Subnet Calculator - WildPackets&lt;/a&gt; and the &lt;a href="http://www.radmin.com/products/previousversions/ipcalculator.php"&gt;Advanced IP Address Calculator 1.1 - Radmin&lt;/a&gt;.&amp;nbsp; See also &lt;a href="http://www.pkostov.com/ip_workshop.html"&gt;IP Workshop Release 1&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.pkostov.com/easyip.html"&gt;Easy IP&lt;/a&gt; - Lets you save as many IP configs as you want for your system, then recall/apply them as needed based on your network location. See also these related freeware tools from other vendors: &lt;a href="http://www.netsetman.com/index.php?s=nsm"&gt;NetSetMan - Network Settings Manager&lt;/a&gt; (more info &lt;a href="http://www.techmixer.com/free-network-ip-profile-managers-list/"&gt;here&lt;/a&gt;) and the &lt;a href="http://sourceforge.net/projects/tcpipmanager/"&gt;TCP/IP Manager&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.pkostov.com/ccreport.html"&gt;CC PortReport&lt;/a&gt; - Neat little tool that interacts with Catalyst switches running Cisco CatOS and provides information/documentation gathering on slots, ports, Vlans, opStatus, adSpeed, ifSpeed, Duplex, STFast, and Port Naming.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.pkostov.com/wipcfg.html"&gt;WinIPConfig&lt;/a&gt; - GUI tool for “ipconfig” type activities.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;a href="http://code.google.com/p/ostinato/#Features"&gt;ostinato - Packet/Traffic Generator and Analyzer&lt;/a&gt; - Google Project Hosting - from the cross-platform project page: “Ostinato is an open-source, cross-platform network packet crafter/traffic generator and analyzer with a friendly GUI. Craft and send packets of several streams with different protocols at different rates. 
… Ostinato aims to be "Wireshark in Reverse" and become complementary to Wireshark.”&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#000079"&gt;Fluke Networks Freeware&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Fluke Networks has a couple of freeware tools worth looking into. You need to register to download, however for two of the three of them I was able to find a direct download link with a little bit of extra Google searching. I think you can find them on some download hosting sites as well.&lt;/p&gt; &lt;p&gt;&lt;a href="http://networking.flukenetworks.com/?elqPURLPage=679"&gt;Fluke Networks - IP Inspector&lt;/a&gt; - free - Run a scan to find IPv4 and IPv6 devices and open TCP app ports on your network. Also reports hostnames and MACs for discovered devices. Results are exportable, and IP state changes can be monitored over time.&amp;nbsp; Found via this LoveMyTool blog post &lt;a href="http://www.lovemytool.com/blog/2011/08/fluke-networks-is-offering-a-handy-new-software-utility-the-ip-inspector-this-free-download-allows-you-to-discover-activ.html"&gt;Free New IP Tool - The IP Inspector&lt;/a&gt; by Dan Klimke.&lt;/p&gt; &lt;p&gt;&lt;a href="http://networking.flukenetworks.com/?elqPURLPage=607"&gt;Fluke Networks - Switch Port Monitor&lt;/a&gt; - free - This tool lets you connect to and monitor network switches to pull and display switch statistics and performance. Aids in switch documentation and troubleshooting efforts.&lt;/p&gt; &lt;p&gt;&lt;a href="http://networking.flukenetworks.com/?elqPURLPage=286"&gt;Fluke Networks - Service Availability Tool&lt;/a&gt; - free - Verify service port status for servers, measure response times, run TCP trace routes, and save the results for documentation.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#000079"&gt;Web-based Network Performance Testing Tools&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Could have sworn I had recently made a post of a number of websites that can test network speed and quality. 
Guess I didn’t.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://fpt.pingdom.com/"&gt;Pingdom Full Page Test&lt;/a&gt; - Test how fast a web-page loads. (via &lt;a href="http://cybernetnews.com/slow-site-load/"&gt;CyberNetNews&lt;/a&gt;)&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.webpagetest.org/"&gt;WebPageTest.org&lt;/a&gt; - Website benchmark and optimization tool&lt;/li&gt; &lt;li&gt;&lt;a href="https://www.blamestella.com/"&gt;Stella&lt;/a&gt; - Website performance testing site.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.watchmouse.com/en/checkit.php"&gt;WatchMouse&lt;/a&gt; - Test webpage loading performance from 10 global locations (full tests limited to 5-per-day).&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.measurementlab.net/measurement-lab-tools"&gt;M-Lab&lt;/a&gt; - Collection of specialized research tools for testing network performance issues.&lt;/li&gt; &lt;li&gt;&lt;a href="http://speedtest.net/"&gt;Speedtest.net - The Global Broadband Speed Test&lt;/a&gt; - an oldie-but-a-goodie!&lt;/li&gt; &lt;li&gt;&lt;a href="http://pingtest.net/"&gt;Pingtest.net - The Global Broadband Quality Test&lt;/a&gt; - great supplemental tool for Speedtest.net&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.speakeasy.net/speedtest/"&gt;Speakeasy - Speed Test&lt;/a&gt; - great alternative site to Speedtest.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.measurementlab.net/measurement-lab-tools.html#ndt"&gt;Network Diagnostic Tool&lt;/a&gt; - Test your connection speed and receive sophisticated diagnosis of problems limiting speed.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.measurementlab.net/measurement-lab-tools.html#glasnost"&gt;Glasnost&lt;/a&gt; - Test whether BitTorrent is being blocked or throttled.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.measurementlab.net/measurement-lab-tools.html#npad"&gt;Network Path and Application Diagnosis&lt;/a&gt; - Diagnose common problems that impact last-mile broadband networks.&lt;/li&gt; 
&lt;li&gt;&lt;a href="http://www.measurementlab.net/measurement-lab-tools.html#diffprobe"&gt;DiffProbe&lt;/a&gt; (coming soon)&amp;nbsp; - Determine whether an ISP is giving some traffic a lower priority than other traffic.  &lt;li&gt;&lt;a href="http://www.measurementlab.net/measurement-lab-tools.html#nano"&gt;NANO (coming soon)&lt;/a&gt;&amp;nbsp; - Determine whether an ISP is degrading the performance of a certain subset of users, applications, or destinations.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#000079"&gt;From the Mandiant Labs&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="https://blog.mandiant.com/archives/1961"&gt;Mandiant Research Tool Release: ApateDNS&lt;/a&gt; - Just recently learned about this new Mandiant tool to help with malware analysis from a network angle. From the description:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;It is a simple tool that acts as a phony DNS server that can log or manipulate DNS requests being made to it. Malware analysts typically use this to redirect beacon traffic from a guest virtual machine to the host system (or another virtual machine) to monitor beacon and/or communication channels using Netcat or a custom written C2 script. Forensic analysts typically use this tool to quickly extract DNS names from malware samples.  &lt;p&gt;ApateDNS automatically sets up your Windows network configurations by attempting to determine the default route or current DNS settings. This is most useful when in a guest virtual machine since the default route is typically the host machine. As shown in the figure below, ApateDNS has found the default route in my virtual machine (192.168.239.1) and uses this IP address for any DNS request on my virtual host. 
The user may override this by specifying an IP address for DNS Reply IP.&lt;/p&gt;&lt;/blockquote&gt; &lt;blockquote&gt; &lt;p&gt;&lt;a href="http://www.mandiant.com/products/free_software/mandiant_apatedns/"&gt;MANDIANT ApateDNS Download Link&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Now go get connected!&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-5403131615979113403?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/5403131615979113403/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=5403131615979113403&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/5403131615979113403'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/5403131615979113403'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/12/network-tool-notes.html' title='Network Tool Notes'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-5234271348257902867</id><published>2011-12-03T11:01:00.001-06:00</published><updated>2011-12-03T11:01:18.142-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='video'/><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='Linux'/><category scheme='http://www.blogger.com/atom/ns#' term='software'/><category 
scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='command-line interface'/><title type='text'>Curse You Scott and your Amazing Lists!</title><content type='html'>&lt;p&gt;I love finding, collecting and using specialized utilities.&amp;nbsp; It’s as much passion as compulsion.&lt;/p&gt; &lt;p&gt;And though I can go mad-crazy with my linkfest posts running down tool after tool, developing a comprehensive list of my favs and frolics remains a dream for a month-long sabbatical sometime in the future.&lt;/p&gt; &lt;p&gt;So it is with admiration and respect that I found Scott Hanselman of &lt;a href="http://www.hanselman.com/blog/"&gt;Computer ZEN&lt;/a&gt; fame has recently posted his annual “Best of” software tools and software list.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.hanselman.com/blog/ScottHanselmans2011UltimateDeveloperAndPowerUsersToolListForWindows.aspx"&gt;Scott Hanselman's 2011 Ultimate Developer and Power Users Tool List for Windows &lt;/a&gt;&lt;/p&gt; &lt;p&gt;It is an amazing collection.&lt;/p&gt; &lt;p&gt;Scott has done some great organizational work in the post, such as highlighting the &lt;strong&gt;&lt;font color="#008000"&gt;new items in&lt;/font&gt;&lt;/strong&gt; &lt;strong&gt;&lt;font color="#008000"&gt;Green&lt;/font&gt;&lt;/strong&gt;.&amp;nbsp; Old favorites that have new back-links have been updated.&lt;/p&gt; &lt;p&gt;Categories include:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;strong&gt;“The Big Ten Life and Work-Changing Utilities”&lt;/strong&gt;&lt;/li&gt; &lt;li&gt;&lt;strong&gt;“Rocking Sweet Windows 7 Specific Stuff”&lt;/strong&gt;&lt;/li&gt; &lt;li&gt;&lt;strong&gt;“A (.NET) Developer’s Life”&lt;/strong&gt;&lt;/li&gt; &lt;li&gt;&lt;strong&gt;“The Angle Bracket Tax (XML/HTML Stuff)”&lt;/strong&gt;&lt;/li&gt; &lt;li&gt;&lt;strong&gt;“Visual Studio Add-Ins”&lt;/strong&gt;&lt;/li&gt; &lt;li&gt;&lt;strong&gt;“Regular Expressions”&lt;/strong&gt;&lt;/li&gt; 
&lt;li&gt;&lt;strong&gt;“Launchers”&lt;/strong&gt;&lt;/li&gt; &lt;li&gt;&lt;strong&gt;“Stuff I Just Dig”&lt;/strong&gt;&lt;/li&gt; &lt;li&gt;&lt;strong&gt;“Low-Level Utilities”&lt;/strong&gt;&lt;/li&gt; &lt;li&gt;&lt;strong&gt;“Websites and Bookmarklets”&lt;/strong&gt;&lt;/li&gt; &lt;li&gt;&lt;strong&gt;“Tools for Bloggers and Those Who Read Blogs”&lt;/strong&gt;&lt;/li&gt; &lt;li&gt;&lt;strong&gt;“Browser Add-Ins/Extensions”&lt;/strong&gt;&lt;/li&gt; &lt;li&gt;&lt;strong&gt;“Things Windows Forgot”&lt;/strong&gt;&lt;/li&gt; &lt;li&gt;&lt;strong&gt;“Outlook AddIns and Life Organizers”&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;I’m familiar with many of these tools, but as always, there were some great new discoveries for me in his lists.&lt;/p&gt; &lt;p&gt;Granted, many of the items lean toward the programmer (since that is what Scott does), but even if you are not a coder by heart, there are lots of great finds here to pick through.&lt;/p&gt; &lt;p&gt;Most are free, though some of the listed apps are not ($). &lt;/p&gt; &lt;p&gt;Permalink: &lt;a href="http://www.hanselman.com/tools"&gt;Hanselman Ultimate Tools List&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#000079"&gt;Bonus Linkage:&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="https://bitbucket.org/obinshah/ted-talks-downloader/downloads"&gt;obinshah / TED Talks Downloader&lt;/a&gt; - freeware - I’m a big fan of stretching my brain-cells and trying to take in new concepts in a wide range of fields and fauna. &lt;a href="http://www.ted.com/"&gt;TED: Ideas worth spreading&lt;/a&gt; is a site that provides great (and sometimes provocative) conversations from some of the most interesting people today. 
Normally I just keep an eye on their site and view a particular video discussion as it calls me.&amp;nbsp; However, sometimes I want to keep one local for future reference or to view on the road.&lt;/p&gt; &lt;p&gt;TED Talks Downloader is a single EXE that grabs the list of available TED Talks and then, after selection, lets you download them directly to your system in several different quality levels. Super great for when the road calls and you don’t have access to a network connection.&amp;nbsp; Spotted and described on this addictivetips blog post &lt;a href="http://www.addictivetips.com/windows-tips/batch-download-ted-video-single-click-ted-downloader/"&gt;Batch Download All TED Videos With A Single Click via TED Downloader&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;a href="https://github.com/bmatzelle/gow/wiki"&gt;Gow – The lightweight alternative to Cygwin&lt;/a&gt; - GitHub - an alternative package to &lt;a href="http://www.cygwin.com/"&gt;Cygwin&lt;/a&gt;. It uses an installer to deliver the goods (~&lt;a href="https://github.com/bmatzelle/gow/wiki/executables_list"&gt;130 UNIX CLI apps&lt;/a&gt;) to your system.&amp;nbsp; It adds a Windows Explorer shell entry to open a CMD window from a folder, installs and removes cleanly, and puts the apps in your system’s PATH for easy access.&amp;nbsp; Not too shabby.&lt;/p&gt; &lt;p&gt;Cheers!&lt;br&gt;&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-5234271348257902867?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/5234271348257902867/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=5234271348257902867&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/13777170/posts/default/5234271348257902867'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/5234271348257902867'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/12/curse-you-scott-and-your-amazing-lists.html' title='Curse You Scott and your Amazing Lists!'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-7331058384816229992</id><published>2011-12-02T20:33:00.001-06:00</published><updated>2011-12-02T20:33:04.095-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='family'/><title type='text'>Reflections on the Toys that Remain…</title><content type='html'>&lt;p&gt;As Alvis grows older and prepares to fledge one of the unexpected things that has challenged me is coming to terms with her childhood toys.&lt;/p&gt; &lt;p&gt;Now, as an only child, Alvis has probably received an above average lavishment of toys and gifts and meaningful-things from us and her extended family. 
That said, while not “minimalists” we have always strived to resist consumerism-overload and been fairly selective of the volume of “things” she has accumulated.&lt;/p&gt; &lt;p&gt;At least once a year either on her own or in a combined attack on her room, Alvis and I either toss out some toys (cheap disposable/broken ones) or fill a bag or two to be offered for the church garage sale or mission project.&lt;/p&gt; &lt;p&gt;Sometimes she even will allow some of the special kids she babysits from time to time in our home to “adopt” one of her toys they take a bonding to (although never the giraffes, which are sacred).&lt;/p&gt; &lt;p&gt;That has generally worked well to keep the Things Of Alvis managed over the past years, but as she has gotten older fewer and fewer new “toys” find their way into her room while the art-supplies, books and electronica seem to litter her desk and multiply monthly.&lt;/p&gt; &lt;p&gt;The winnowing process has become even more challenging now as most of the remaining items in her closet, under her bed, and on her shelves have survived for so long due to sentimental value to her (or truth be told, us).&amp;nbsp; Does Alvis still really want that bobble-head Kim Possible cheerleader figure? Probably not, but then that was her idol at the time of purchase and darn-it we all thought it was so cute...just like her at that period.&lt;/p&gt; &lt;p&gt;One day soon she will move on, taking a selected collection of cherished touchstones, leaving the rest for us to hold onto and/or take responsibility for getting rid of on our own if we have the courage to.&lt;/p&gt; &lt;p&gt;All this comes to mind as today I found a summary of an archaeological site dig in Florida a few years ago. The 7,000-year-old site and follow-on discoveries made a great read for this anthropology-studies minor but the intro text made my heart melt. Quoting Joseph L. 
Richardson’s words from that &lt;a href="http://www.nbbd.com/godo/history/windover/"&gt;Windover Bog People Archaeological Dig - Titusville Florida&lt;/a&gt; web page:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;“When the 3-year-old died, her parents placed her favorite toys in her arms, wrapped her in fabric woven from fibers of native plants, and buried her body in the soft, muck bottom of a small pond. Some 7,000 years later, when a young archaeologist uncovered her tiny remains, the toys--a wooden pestle-shaped object and the carapace of a small turtle--were still cradled in her arms.”&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;This boggles my modern mind and my parental heart.&amp;nbsp; I can see the child’s joy playing with her simple toys and the sadness as her family lays her to rest accompanied by these same cherished objects.&amp;nbsp; And then I consider all the “toys” Alvis still has in her room and the special meanings they also represent. &lt;p&gt;Lest we think that our technology and modern toy development (and American marketing ingenuity) has left such simple things behind, I submit to you the following “GeekDad” posts by Jonathan Liu for reflection. You may be surprised by what makes the list. 
&lt;p&gt;&lt;a href="http://www.wired.com/geekdad/2011/01/the-5-best-toys-of-all-time/all/1"&gt;The 5 Best Toys of All Time&lt;/a&gt; - GeekDad | Wired.com &lt;p&gt;&lt;a href="http://www.wired.com/geekdad/2011/12/6th-best-toy/"&gt;Get a Kid the 6th Best Toy of All Time&lt;/a&gt; - GeekDad | Wired.com&lt;/p&gt; &lt;p&gt;So as we face yet another season of the Christmas season marketing madness, and the prospect of a grown woman’s silent childhood room in the very near future with the objects that remain, I pause for a moment of the melancholies and “mono no aware”, of what "toys” really are, both in form and function, and what they whisper when they remain after the owner has moved on.&lt;/p&gt; &lt;p&gt;Inspired by the lists above I’m seriously thinking about getting Alvis a custom &lt;a href="http://calvinandhobbes.wikia.com/wiki/Transmogrifier"&gt;Transmogrifier&lt;/a&gt; shaped in the form of a large rectangular clothing basket with sturdy handles for Christmas; one in Tardis Blue. She had one before as a child and used it with great passion and pleasure often paring it with a magical blanket of great mystery, comfort and invisibility and disappearing in the middle of the living-room for hours on end with nothing but giggles coming from the space they previously occupied.&amp;nbsp; &lt;/p&gt; &lt;p&gt;I think it might just be perfect as when she tires of jetting around both Time and Space for old-time-sake (although she would probably leave the brake on like a certain Time Lord) she could use it to carry her own laundry to the Laundromat.&lt;/p&gt; &lt;p&gt;Sigh…&lt;/p&gt; &lt;p&gt;Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-7331058384816229992?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/7331058384816229992/comments/default' title='Post 
Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=7331058384816229992&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/7331058384816229992'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/7331058384816229992'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/12/reflections-on-toys-that-remain.html' title='Reflections on the Toys that Remain…'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-7253501018831074573</id><published>2011-12-02T19:35:00.001-06:00</published><updated>2011-12-02T19:35:49.449-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Thunderbird'/><title type='text'>T-Bird Note to Self</title><content type='html'>&lt;p&gt;Just a note about &lt;a href="http://www.mozilla.org/en-US/thunderbird/"&gt;Mozilla Thunderbird&lt;/a&gt; in case I forget.&lt;/p&gt; &lt;p&gt;I use Microsoft Outlook at work as my email client. 
I have Microsoft Office 2010 at home available to be used as my email client but that seems like overkill for managing my personal email accounts.&lt;/p&gt; &lt;p&gt;For almost all of my extended family (except Dad, who prefers using Outlook both for work and home) I recommend &lt;a href="http://explore.live.com/windows-live-mail"&gt;Windows Live Mail 2011&lt;/a&gt; since it has a very clean interface and the Ribbon and tabs and pretty (intuitive) icons seem to make this email-client a breeze for family members to use (and me to guide them through tasks).&lt;/p&gt; &lt;p&gt;All that said I continue to find &lt;a href="http://www.mozilla.org/en-US/thunderbird/"&gt;Mozilla Thunderbird&lt;/a&gt; the perfect fit for my personal email needs.&lt;/p&gt; &lt;p&gt;In fact, it works so well, I have only four Add-On items that I run on it now:&lt;/p&gt; &lt;p&gt;&lt;a href="https://addons.mozilla.org/en-us/thunderbird/addon/office-black/?src=search"&gt;Office Black&lt;/a&gt; :: Add-ons for Thunderbird - I really have grown to like this theme after having rotated through quite a number of great themes over the years. The icons work nicely and are of a pleasant size. And the muted color palette seems relaxing.&lt;/p&gt; &lt;p&gt;&lt;a href="https://addons.mozilla.org/en-us/thunderbird/addon/color-folders/"&gt;Color Folders&lt;/a&gt; :: Add-ons for Thunderbird - Unlike the extensive and deep folder structure I have in Outlook at work, my folder structure here at home is much simpler and shallower. 
That said, I find myself manually moving items out of my Inbox mostly into a few regular folders.&amp;nbsp; While the text in the Office Black theme and settings isn’t bad, sometimes I have a hard time just dragging/dropping the message into the correct one.&amp;nbsp; Color Folders allowed me to colorize selected key folders to set them off from the rest.&amp;nbsp; Now if only Outlook had this ability…&lt;/p&gt; &lt;p&gt;&lt;a href="https://addons.mozilla.org/en-US/thunderbird/addon/extra-folder-columns/?src=cb-dl-featured"&gt;Extra Folder Columns&lt;/a&gt; :: Add-ons for Thunderbird - This Add-On allows you to add additional columns to the Folders sidebar for size, unread # items, and total # items.&amp;nbsp;&amp;nbsp; If you select the unread items column, then it removes the (#) item that Thunderbird puts on the folder name line to avoid redundancy. Suggestions for improvement? I wish that the “size” field displayed would be a little more sophisticated with the count.&amp;nbsp; Example: you have one main folder with three sub-folders. The columns for counts seem only to apply to the individual folder, meaning that the main-folder # only displays the number of items in the folder itself and doesn’t include sub-folder item counts. Collapse that folder tree and it still shows the number of items in the main folder and doesn’t aggregate the total to reflect all messages in that and the subfolders combined. Another minor quibble; the size-on-disk of each folder displayed uses both MB and KB values. 1MB or more and the size is displayed in MB while &amp;lt; 1MB and you get a KB value. I get the logic but you have to look carefully to understand what it is reporting to you.&lt;/p&gt; &lt;p&gt;&lt;a href="https://addons.mozilla.org/en-us/thunderbird/addon/lightning/?src=hp-dl-featured"&gt;Lightning&lt;/a&gt; :: Add-ons for Thunderbird - calendaring, scheduling, and to-doing made simple and right. 
Enough said.&lt;/p&gt; &lt;p&gt;For backing up/migrating my T-bird profile I rely on &lt;a href="http://mozbackup.jasnapaka.com/"&gt;MozBackup&lt;/a&gt;. It’s never failed me.&amp;nbsp; &lt;/p&gt; &lt;p&gt;As a multi-client mail backup/restoration tool there is also &lt;a href="http://www.kls-soft.com/klsbackup/mailb_index.php"&gt;KLS Mail Backup&lt;/a&gt; (free for personal use) which in addition to T-bird can also back up Windows Mail and Windows Contacts, Windows Live Mail and Contacts, Outlook Express profiles and contacts, IE Favorites, Firefox profiles, Postbox profiles, Opera profiles, The Bat! profiles and IncrediMail profiles.&lt;/p&gt; &lt;p&gt;Moving on…&lt;/p&gt; &lt;p&gt;Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-7253501018831074573?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/7253501018831074573/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=7253501018831074573&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/7253501018831074573'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/7253501018831074573'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/12/t-bird-note-to-self.html' title='T-Bird Note to Self'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' 
src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-9035766813364442636</id><published>2011-11-27T15:42:00.001-06:00</published><updated>2011-11-27T15:42:13.231-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='software'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Microsoft Tools and Software Stuff</title><content type='html'>&lt;p&gt;Fear not, I’ve got a real deep pile of linkage for all kinds of tools, utilities, and software/freeware fun.&lt;/p&gt; &lt;p&gt;Got to start digging somewhere so today’s post will be Microsoft centric.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.technet.com/b/sysinternals/archive/2011/07/18/updates-release-of-the-windows-sysinternals-administrator-s-reference-process-explorer-v15-listdlls-v3-1-new-utility-findlinks-v1-and-mark-to-speak-at-black-hat-us-2011.aspx"&gt;Updates: release of The Windows Sysinternals Administrator's Reference, Process Explorer v15, Listdlls v3.1, new utility Findlinks v1, and Mark to Speak at Black Hat US 2011&lt;/a&gt; - Sysinternals Site Discussion&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896653"&gt;Process Explorer v15&lt;/a&gt;: This major update to Process Explorer, a powerful tool for inspecting and controlling processes, threads, loaded DLLs, and more, adds GPU utilization and memory monitoring on Vista and higher. 
It also adds the ability to restart services, has a smaller memory footprint, and has visually cleaner performance graphs.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;a href="http://www.betanews.com/article/Process-Explorer-15-adds-GPU-monitoring/1311190803?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+bn+%28Betanews+Full+Content+Feed+-+BN%29"&gt;Process Explorer 15 adds GPU monitoring&lt;/a&gt; - BetaNews - Good overview of some of the changes in the latest iteration of Process Explorer. One of the biggest complaints about the initial v15 release was that, when minimized to the system tray, the default graph-on-grey color scheme was nearly impossible to read, and a backlash resulted in the forums.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://forum.sysinternals.com/v15-graph-background-colors_topic26157_page3.html"&gt;v15 graph background colors&lt;/a&gt; - Sysinternals Forums - Page 3&lt;/li&gt; &lt;li&gt;&lt;a href="http://forum.sysinternals.com/new-graph-colors-hard-to-see_topic26283.html"&gt;New graph colors hard to see&lt;/a&gt; - Sysinternals Forums - Page 1&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;a href="http://blogs.technet.com/b/sysinternals/archive/2011/07/25/updates-process-explorer-v15-01-and-tcpview-v3-05.aspx"&gt;Updates: Process Explorer v15.01 and TCPView v3.05&lt;/a&gt; - Sysinternals Site Discussion - Fortunately Mark Russinovich heard the pleas and quickly came out with an incremental update that allows for custom setting of the graph colors.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.technet.com/b/markrussinovich/archive/2011/07/18/3439288.aspx"&gt;Troubleshooting with the New Sysinternals Administrator’s Reference&lt;/a&gt; - Mark's Blog - Hard to believe, but until this release there hasn’t been an “official” MS guidebook to the Sysinternals tools. 
That oversight is now resolved.&lt;/p&gt; &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/dd996900"&gt;ProcDump v4.0&lt;/a&gt;: This update for ProcDump, a trigger-based process dump capture utility, enables you to control the contents of the dump with your own minidump callback DLL and adds a new switch, -w, that has ProcDump wait for a specified process to start. &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896645"&gt;Process Monitor v2.96&lt;/a&gt;: This release changes the appearance of its tooltips to the default theme, fixes a drawing bug in the treeview, and updates the graphs to match the style introduced in Process Explorer v15. &lt;p&gt;&lt;a href="http://blogs.technet.com/b/markrussinovich/archive/2011/08/02/3442328.aspx"&gt;Mark’s Blog: The Case of the Hung Game Launcher&lt;/a&gt;: Read Mark’s latest blog post where he uses the Sysinternals utilities to solve a problem he ran into one Sunday morning when trying to play a computer game. &lt;p&gt;&lt;a href="http://download.sysinternals.com/Files/SysinternalsMalwareCleaning.pdf"&gt;Zero Day Malware Cleaning with the Sysinternals Tools&lt;/a&gt; (link to PDF): Mark has posted the slides from the highly-attended and well received Blackhat 2011 Workshop he delivered last week, Zero Day Malware Cleaning with the Sysinternals Tools, which demonstrates how to use the Sysinternals tools to hunt down and eliminate malware. &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/cc835722"&gt;Coreinfo v3&lt;/a&gt;: Coreinfo is a command-line utility that reports detailed information about processor cores and topology, including cache sizes, core-to-socket mappings and NUMA memory latencies.&amp;nbsp; It now shows the processor features supported by the system’s processors. 
For example, Coreinfo will show if the processor supports hardware-assisted virtualization and advanced virtualization features like Second Level Address Translation.&lt;/p&gt; &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb897443"&gt;SDelete v1.6&lt;/a&gt;: SDelete, a command-line utility for securely deleting files and zeroing volume free space, fixes a bug that prevented it from accessing some files on 64-bit Windows and swaps the zero-free-space and clean-free-space arguments to make them more intuitive.&lt;/p&gt; &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896653"&gt;Process Explorer v15.04&lt;/a&gt;: This release fixes several minor bugs, including a tooltip display bug and one that could result in a miscalculation of CPU usage on Windows 7 in the refresh immediately following the termination of a CPU-intensive process.&lt;/p&gt; &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb963902"&gt;Autoruns v11&lt;/a&gt;: This update to Autoruns, a GUI and command-line tool that lists executables configured to run when you boot, logon or run common applications, adds a “jump to folder” command and several additional autostart locations. The command-line version, Autorunsc, adds a new switch to show file hashes and an option to display the autostart entries for all user accounts registered on a system.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.technet.com/b/exchange/archive/2011/07/05/coming-soon-pst-capture-tool.aspx"&gt;Coming Soon: PST Capture Tool&lt;/a&gt; - Exchange Team Blog&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;This new tool, PST Capture, will be downloadable and free, and will enable you to discover .pst files on your network and then import them into both Exchange Online (in Office 365) and Exchange Server 2010 on-premises. PST Capture will be available later this year. 
It doesn’t replace the &lt;a href="http://technet.microsoft.com/en-us/library/ff607310.aspx"&gt;New-MailboxImportRequest&lt;/a&gt; cmdlet that exists already for importing known .pst files into Exchange Server, but instead works in parallel to enable you to embark on a systematic search and destroy mission to rid yourself of the dreaded .pst scourge &amp;lt;*pirate growl*&amp;gt;.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;a href="http://www.nucleustechnologies.com/pst-viewer.html"&gt;PST Viewer - Free tool to open and view content of PST files without MS Outlook&lt;/a&gt; - Kernel Data Recovery - I had the opportunity to try out this awesome tool recently. A user’s NTFS HDD had borked out. While I was able to successfully recover all of their personal file data off the drive, their PST file appeared to have been lost.&amp;nbsp; I was able to use &lt;a href="http://www.cgsecurity.org/wiki/TestDisk"&gt;TestDisk - CGSecurity&lt;/a&gt; on a filtered PST file carving of the drive to locate and save more than a few PST files. PST Viewer allowed me to quickly assess the contents of each one until I was certain I had the correct ones needed and could ignore the others, all without having to go through the process of attaching each one to a running Outlook client as a data-file. It was a major time-saver.&amp;nbsp; More in this post &lt;a href="http://betanews.com/2011/09/12/gave-up-microsoft-outlook-but-need-your-pst-file-theres-an-app-for-that/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+bn+%28Betanews+Full+Content+Feed+-+BN%29"&gt;Gave up Microsoft Outlook but need your PST file? 
There's an app for that&lt;/a&gt; - BetaNews.&lt;/p&gt; &lt;p&gt;Bit of old news now, but RAW file support is now available in Photo Gallery and Windows 7.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://windowsteamblog.com/windows/b/windowsexperience/archive/2011/07/26/getting-raw-support-in-photo-gallery-amp-windows-7-and-a-contest.aspx"&gt;Getting RAW support in Photo Gallery &amp;amp; Windows 7 (…and a contest!)&lt;/a&gt; - Windows Experience blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://windowsteamblog.com/windows_live/b/windowslive/archive/2011/07/26/photo-gallery-now-supports-raw-format.aspx"&gt;Photo Gallery now supports raw format&lt;/a&gt; - Inside &lt;a href="http://windowsteamblog.com/blogs/windowslive/default.aspx"&gt;Windows Live blog&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://arstechnica.com/microsoft/news/2011/07/new-codec-pack-brings-raw-support-to-explorer-live-photo-gallery.ars?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+Featured+Content%29"&gt;New codec pack brings RAW support to Explorer, Live Photo Gallery&lt;/a&gt; - Ars Technica&lt;/li&gt; &lt;li&gt;&lt;a href="http://hdview.wordpress.com/2011/08/06/microsoft-camera-codec-pack-offers-raw-support-in-windows/"&gt;Microsoft Camera Codec Pack offers RAW support in Windows&lt;/a&gt; - HD View (Microsoft ICE project blog)&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Windows Live Essentials got some more updates quite a while ago:&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.betanews.com/article/Microsoft-updates-Windows-Live-Essentials-2011-get-it-now/1310051607?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+bn+%28Betanews+Full+Content+Feed+-+BN%29"&gt;Microsoft updates Windows Live Essentials 2011 -- get it now!&lt;/a&gt; - BetaNews&lt;/p&gt; &lt;p&gt;&lt;a href="http://windowsteamblog.com/windows_live/b/windowslive/archive/2011/07/06/coming-this-week-an-update-to-windows-live-essentials-2011.aspx"&gt;Coming 
this week: an update to Windows Live Essentials 2011&lt;/a&gt; - Inside Windows Live&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;In addition to changes that improve performance and quality of service, the update also includes full support for SSL in &lt;a href="http://explore.live.com/windows-live-mail?os=other"&gt;Windows Live Mail&lt;/a&gt;, and the latest Bing bar. Here are a few of things we think you’ll find the most interesting:  &lt;ul&gt; &lt;li&gt;&lt;b&gt;Mail:&lt;/b&gt; We fixed a sorting issue in the Sent items folder and improved the upload reliability and instrumentation in Photo mail.  &lt;li&gt;&lt;b&gt;Messenger:&lt;/b&gt; We fixed a couple of stability issues and made various changes for improved voice and video quality. We fixed an issue that was causing sound to be lost after upgrading, and we improved performance when displaying the MSN Today page in the main window.  &lt;li&gt;&lt;b&gt;Photo Gallery:&lt;/b&gt; We implemented various bug fixes for crashes related to launching Photo Gallery through Autoplay and facial recognition.  &lt;li&gt;&lt;strong&gt;And more:&lt;/strong&gt; We made many other usability, performance, and stability improvements across the suite of Windows Live Essentials apps. 
&lt;/li&gt;&lt;/ul&gt;&lt;/blockquote&gt; &lt;p&gt;While I find that the stock &lt;a href="http://windows.microsoft.com/en-US/windows7/products/features/calculator"&gt;calculator in Windows 7&lt;/a&gt; does pretty well for my needs, I prefer using &lt;a href="http://portableapps.com/apps/office/speedcrunch_portable"&gt;SpeedCrunch Portable (PortableApps.com)&lt;/a&gt; for rechecking my calculation jobs (which really aren’t that sophisticated), particularly with its input history feature.&lt;/p&gt; &lt;p&gt;I was excited, then, when I found a &lt;a href="http://cybernetnews.com/algebra-equation-solver/"&gt;CyberNet News review&lt;/a&gt; post pointing out the availability of the free &lt;a href="http://www.microsoft.com/education/ww/products/Pages/mathematics-4.0.aspx"&gt;Microsoft Mathematics 4.0&lt;/a&gt; application.&amp;nbsp; Turns out this baby can not only handle complex math functions, it also includes a graphing calculator, triangle solver, unit conversion tool, and an extensive formulas and equations library.&amp;nbsp; Really cool stuff.&lt;/p&gt; &lt;p&gt;Related alternatives: &lt;/p&gt; &lt;p&gt;&lt;a href="http://www.redchillicrab.com/en/redcrab/index.html"&gt;RedCrab - The Calculator&lt;/a&gt; - freeware - super-featured and intuitive complex scientific calculator program. Portable.&lt;/p&gt; &lt;p&gt;&lt;a href="http://portableapps.com/apps/utilities/converber_portable"&gt;Converber Portable&lt;/a&gt; - PortableApps.com - Freeware super-featured unit converter application. 
&lt;/p&gt; &lt;p&gt;Cheers!&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-9035766813364442636?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/9035766813364442636/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=9035766813364442636&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/9035766813364442636'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/9035766813364442636'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/11/microsoft-tools-and-software-stuff.html' title='Microsoft Tools and Software Stuff'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-8114593108674673801</id><published>2011-11-26T14:49:00.001-06:00</published><updated>2011-11-26T14:49:16.017-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Just Pondering because I’ve probably eaten too much turkey…</title><content type='html'>&lt;p&gt;We use iTunes in our home. Yes, I’ve considered other options for both iTunes-like song managers/players as well as pay-for-media sources. 
All have their pros and cons.&amp;nbsp; In the end it just seems to be the best solution for us.&amp;nbsp; Relatives can pick up iTunes gift cards for the girl, there is a wide selection of tune-age and videos, and it generally works fine.&amp;nbsp; Not to mention support for all the iPod devices we seem to have collected over the years.&lt;/p&gt; &lt;p&gt;However this post really isn’t about that; it’s more about some issues folks have been encountering with their iTunes accounts.&lt;/p&gt; &lt;p&gt;Since we use iTunes gift cards as our music tender, our account isn’t really a high-$ target to watch. Generally the card gets redeemed and spent almost immediately, with a $1 or less balance left on the account at any given time.&lt;/p&gt; &lt;p&gt;I do keep a sensitive ear on the webs for security-related matters, and when this post showed up many months ago I did pay attention:&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.betanews.com/article/I-got-hacked-on-iTunes/1306964962"&gt;I got hacked on iTunes&lt;/a&gt; -- Ed Oswald - BetaNews.&lt;/p&gt; &lt;p&gt;Long post shortened, Ed discovered someone, somehow, had managed to raid his PayPal and iTunes accounts with some fraudulent charges.&amp;nbsp; Ed insisted he maintained good protection on his accounts.&lt;/p&gt; &lt;p&gt;That post was followed up by &lt;a href="http://www.betanews.com/article/iTunes-hack-widespread-and-Apple-appears-to-know-about-it/1307390216"&gt;iTunes hack widespread, and Apple appears to know about it&lt;/a&gt;, also by Ed.&lt;/p&gt; &lt;p&gt;More feedback was that others were also encountering this problem, including those with a gift-card balance on their account.&amp;nbsp; &lt;a href="http://www.betanews.com/article/Meet-three-people-ripped-off-by-iTunes-fraud-ring/1307047255"&gt;Meet three people ripped off by iTunes fraud ring&lt;/a&gt; - Ed Oswald&lt;/p&gt; &lt;p&gt;After that brief flurry of posts and coverage, the issue seems to have spun down. 
Either the problem was resolved or the web’s attention moved on to other things.&lt;/p&gt; &lt;p&gt;That probably would have been the end of things, with these posts getting filed into my bookmark cellar and a lesson learned to watch both my email and the sub-$1 gift card balance on our iTunes store account (so far no issues), except this post showed up a few months later from Scott Hanselman.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.hanselman.com/blog/WelcomeToTheCloudYourAppleIDHasBeenDisabled.aspx?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+ScottHanselman+%28Scott+Hanselman+-+ComputerZen.com%29"&gt;Welcome to the Cloud - "Your Apple ID has been disabled."&lt;/a&gt;&amp;nbsp; - Scott Hanselman’s Computer Zen&lt;/p&gt; &lt;p&gt;I found this notable for two reasons: first, it came on the heels (related or not) of the prior issues Ed Oswald had posted on, and second, Scott is one of those Windows gurus who “gets it”, and according to his post he had not left himself in a position to be an easy victim of this.&lt;/p&gt; &lt;p&gt;And then Scott did a follow-up post that made keeping this on my radar worthwhile:&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.hanselman.com/blog/ASuggestedImprovedCustomerInteractionWithTheAppleStoreAndCloudServicesInGeneral.aspx"&gt;A suggested improved customer interaction with the Apple Store (and Cloud Services in general) &lt;/a&gt;- Scott Hanselman’s Computer Zen&lt;/p&gt; &lt;p&gt;Rather than just dwelling on the attack vector and consequence, and complaining in general, Scott one-ups the situation by taking a thoughtful look at how iTunes notified him of the issue, and offers suggestions for notification improvement.&amp;nbsp; Quoting Scott from that post…&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;I expect my cloud services to let me know in a way &lt;strong&gt;that escalates appropriately with the threat &lt;/strong&gt;when something that doesn't match my patterns happens. 
&lt;h5&gt;The meta-points are&lt;/h5&gt; &lt;ul&gt; &lt;li&gt;The Cloud(s) and all its services are protected only by our passwords and the most basic of fraud systems.  &lt;li&gt;Cloud services are totally centralized, which makes them a big target, but they have activity information about what we're doing online that isn't being utilized to keep us safe.  &lt;li&gt;We, the Users, need to demand better, more secure interactions from the cloud vendors that we put our trust in.  &lt;li&gt;It sucks to lose access to your cloud data. &lt;/li&gt;&lt;/ul&gt;&lt;/blockquote&gt; &lt;p&gt;Well said.&lt;/p&gt; &lt;p&gt;Scott is still soliciting feedback from others with the Apple account issue at &lt;a href="http://myappleidhasbeendisabled.tumblr.com/"&gt;"My Apple ID has been Disabled"&lt;/a&gt; on Tumblr but it doesn’t look like it has been very active for a number of months.&lt;/p&gt; &lt;p&gt;I haven’t been able to find if these Apple account hack events were isolated or if there was some root-cause that was discovered and resolved.&amp;nbsp; We may never know.&lt;/p&gt; &lt;p&gt;On a probably only tangentially-related note, I was discussing with Dad how we rely on on-line bill-paying for most of our bill payments, banking, and insurance account management. Heck, even at work most all of our HR interaction is done “on-line”. 
I don’t believe we have had a “brick-n-mortar” HR department for many years.&amp;nbsp; Dad is “old-school” and while quite comfortable with on-line computing, still refuses to do on-line banking/bill-pay.&amp;nbsp; The USPS loves him.&lt;/p&gt; &lt;p&gt;I’ve noticed that every on-line account service we interact with seems to have a large splash-screen at log-on requesting “paperless billing” enrollment.&amp;nbsp; It probably saves a ton of costs and is marketed as being more convenient and more secure (avoid ID theft from sticky fingers pulling bill/account info out of the mailbox).&lt;/p&gt; &lt;p&gt;At the same time, I noticed this USPS ad running the past few weeks:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.youtube.com/watch?v=oysFmSVzCnM&amp;amp;feature=related"&gt;US Postal Service "Hacked" Ad - YouTube&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;In it the USPS describes the security benefits of using the mail system to communicate with customers and how it’s inherently safer than the Internet, with statements such as &lt;/p&gt; &lt;ul&gt; &lt;li&gt;“A refrigerator has never been hacked,” &lt;/li&gt; &lt;li&gt;“An online virus has never attacked a corkboard.”&lt;/li&gt; &lt;li&gt;“Give your customers the added feeling of security a printed statement or receipt provides. It’s good for your business. And even better for your customers.”&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;I’m all for the USPS and their dedicated carriers, and overall it’s a good communication medium.&amp;nbsp; And yes, they have some revenue challenges as the Net continues to be relied on more by subsequent generations of communicators.&amp;nbsp; At the same time, we use a locked postal box and have two shredders in the house to deal with secure shredding as those items go from the secure “refrigerator and corkboard” to the trash system.&lt;/p&gt; 
&lt;p&gt;Point is, whether in the “cloud” or via the “snail” system, data and account information have their own attack vectors, and neither channel is inherently safer than the other. Hackers can break into corporate systems, and accounts can be compromised through poor IT security and weak end-user safeguards, regardless of whether the billing “method” is paperless in the cloud or papered through the USPS.&amp;nbsp; Likewise, a business can lock down on-line accounts and customers can secure them with rock-solid safeguards, but someone can still steal a periodic paper communication from a mailbox (or trashcan), walk out the door and commit theft (&lt;a href="https://encrypted.google.com/search?q=Post+office+worker+mail+theft&amp;amp;tbm=nws"&gt;if it even makes it to the mailbox&lt;/a&gt;).&lt;/p&gt; &lt;p&gt;Neither is a solution in and of itself.&lt;/p&gt; &lt;p&gt;Probably the best protection? As Mad Eye would say, “Constant Vigilance!”&lt;/p&gt; &lt;p&gt;And the battle for cost cutting and revenue generation rages on…with security as the forefront selling point.&lt;/p&gt; &lt;p&gt;…like I said..just pondering.&lt;/p&gt; 
&lt;p&gt;Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-8114593108674673801?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/8114593108674673801/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=8114593108674673801&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8114593108674673801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8114593108674673801'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/11/just-pondering-because-ive-probably.html' title='Just Pondering because I’ve probably eaten too much turkey…'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-8884381989062302435</id><published>2011-11-26T11:44:00.001-06:00</published><updated>2011-11-26T11:46:27.184-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Scripting'/><category scheme='http://www.blogger.com/atom/ns#' term='tutorials'/><category scheme='http://www.blogger.com/atom/ns#' term='Internet Explorer'/><category scheme='http://www.blogger.com/atom/ns#' term='hacks'/><category scheme='http://www.blogger.com/atom/ns#' term='browsers'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='command-line interface'/><category scheme='http://www.blogger.com/atom/ns#' 
term='networking'/><title type='text'>Quick Web Screen Grabs</title><content type='html'>&lt;p&gt;One of the processes we have in the shop is to archive a series of network graphs for various URL locations that are created in a specialized &lt;a href="http://oss.oetiker.ch/mrtg/"&gt;MRTG - Multi Router Traffic Grapher&lt;/a&gt; deployment.&lt;/p&gt; &lt;p&gt;Once the web-page screen shots with the graphs are each captured, they are combined into a single Word document for that day which is then archived for historical reference and distribution to management.&lt;/p&gt; &lt;p&gt;The result is the daily tasking of an analyst for about an hour clicking through a large Excel table that contains each of the URL links, grabbing a screen shot, pasting it into the Word document, then moving on to the next URL.&lt;/p&gt; &lt;p&gt;This has been going on for some time and unfortunately, the madness of my other projects has kept me from turning my attention to a more efficient process.&lt;/p&gt; &lt;p&gt;Last week was a bit lighter at my workbench so I could consider the issue for a few minutes.&lt;/p&gt; &lt;p&gt;It took me about five minutes to locate the free command-line tool &lt;a href="http://iecapt.sourceforge.net/"&gt;IECapt - A Internet Explorer Web Page Rendering Capture Utility&lt;/a&gt; coded by Björn Höhrmann.&lt;/p&gt; &lt;p&gt;It’s just 102 kB unpacked and though it requires gdiplus.dll, I had no problem finding that file already present on our XP Pro systems (and about fifteen more copies in various portable utility program folders on my own system). One caveat: Windows searches the application’s own directory before the system directories when loading a DLL, so whatever gdiplus.dll sits next to IECapt.exe is the one that gets loaded; prefer the OS copy over a stray one of unknown provenance from some portable-app folder.&lt;/p&gt; &lt;p&gt;My solution for this daily task was very simple.&lt;/p&gt; &lt;p&gt;I created a folder “C:\graphdumps” and copied IECapt.exe into it (along with, for good measure, a gdiplus.dll I had on my system).&lt;/p&gt; &lt;p&gt;I then created a batch file that had a line for each of the separate MRTG page URLs we need to access.&amp;nbsp; In my case I had approximately 50 or so 
URLs each on their own line.&lt;/p&gt; &lt;p&gt;As an example, each line in the batch file has something along the following (all on a single line):&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;code&gt;IECapt --url=http://www.uhcougars.com/ --out=GoCougs.jpg --min-width=800 --delay=5 --silent&lt;/code&gt;&lt;/p&gt; &lt;/blockquote&gt; &lt;p&gt;I also chose a simple output filename for each URL line that was clearly indicative of the logical location each URL represented.&lt;/p&gt; &lt;p&gt;For now, I’m outputting as a jpg file format for maximum compatibility with the folks who would receive the final file; however, IECapt supports a number of output formats such as .png, bmp, jpeg, emf, and probably a few other formats not listed in the help.&amp;nbsp; I like the idea of using a PNG format instead and may do some comparisons between the two formats moving forward.&lt;/p&gt; &lt;p&gt;I did have one “gotcha” I had to overcome first.&lt;/p&gt; &lt;p&gt;Every time I ran the batch file, IECapt would exit with an error that it was unable to generate the thumbnail image.&lt;/p&gt; &lt;p&gt;I checked around and found this forum post &lt;a href="http://www.zubrag.com/forum/index.php?topic=9261.0"&gt;IECapt does not work when --url contains a query string&lt;/a&gt; which did seem to confirm the issue was that the URLs I was using in my batch file contained query strings.&amp;nbsp; I didn’t really like the options (recode the program or use a URL-shortening service).&amp;nbsp; On a hunch I wondered what would happen if I encapsulated the URL parameter in double-quotes.&lt;/p&gt; &lt;p&gt;It worked perfectly. The reason is not IECapt at all but cmd.exe: an unquoted &amp;amp; is the command separator, so everything from the first &amp;amp; in the query string onward (including the --out and other switches) was being run as a second command, and IECapt only ever saw the truncated line. Inside a double-quoted string cmd.exe leaves &amp;amp; alone. (The other character to watch in a .bat/.cmd file is %, which has to be doubled to %% to survive.)&amp;nbsp; So each line in my batch file was changed to wrap the URL in double-quotes.&amp;nbsp; It now looked more like the following on a single line.&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;code&gt;IECapt --url="http://weather.chron.com/radar/station.asp?ID=HGX19&amp;amp;NOHEADER=1#MAPZOOM" --out=radar.jpg --min-width=800 --delay=5 
--silent&lt;/code&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;My test run of the batch-file took just under 1.5 minutes to complete the pulling and saving of all the pages.&amp;nbsp; I then opened up a blank Word document, selected all the output jpg files that had just been generated in my folder, and dragged/dropped them into the Word doc.&amp;nbsp; I then saved it with the daily file name and was done. From about 60 minutes of dreary click-saving URLs to under 2 minutes of mostly-automated grabbing and pasting. Sweet.&lt;/p&gt; &lt;p&gt;Now if I could just find a way to automatically import these images into a templated Word/RTF format document (with images embedded not linked) I will be set.&amp;nbsp; I’ve looked at &lt;a href="http://www.smallbusinesscomputing.com/buyersguide/article.php/3682606/Word-Mail-Merge-Its-not-Just-for-Letters.htm"&gt;“mail-merging images” into Word&lt;/a&gt; but I’m not sold yet on the process. There should be an easier way to just pipe the output into an RTF “word pad” document but I haven’t figured that out yet.&amp;nbsp; This way alone is a big improvement so for now a little drag/drop into Word isn’t a deal-breaker.&amp;nbsp; Thoughts/suggestions?&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;Additional notes:&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;I considered using the robust freeware tool &lt;a href="http://www.nirsoft.net/utils/web_site_screenshot.html"&gt;SiteShoter&lt;/a&gt; by Nir Sofer.&amp;nbsp; It supports both a GUI and a CLI mode and is pretty sophisticated. However, for this application, IECapt worked perfectly and is dead-trim. 
SiteShoter can read URLs from a text file to act on, so SiteShoter is a different technique that could be better in some circumstances.&lt;/p&gt; &lt;p&gt;&lt;a href="http://paulbradley.tv/7/"&gt;How to automatically capture images of a series of web sites and create thumbnails of the resulting image files.&lt;/a&gt; - Post by Paul Bradley that put me onto IECapt and how easy the CLI is to use.&lt;/p&gt; &lt;p&gt;Remembering to actually stop what we are in the middle of doing (especially annoying in the middle of a meeting) when the established URL capture hour comes around is quite challenging as well. More than a few days the designated team-member has forgotten and had to run the captures a few hours later.&amp;nbsp; Because this process uses a batch file, it can easily be set to execute as a scheduled task when the capture hour occurs.&amp;nbsp; Since IECapt is rendering web pages with the Internet Explorer engine, run that task under a dedicated low-privilege account that can reach the MRTG server and write to the output folder and nothing more, and keep the URL list limited to those pages.&amp;nbsp; Then (as long as the system is running) we can come back later that afternoon and assemble the archive document from the jpgs that were automatically generated. 
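&lt;/p&gt; &lt;p&gt;Here is an added worked example (not code from the original post or from the IECapt project) that does the whole daily job in one PowerShell script: it reads the URL list from a CSV exported from the Excel table, refuses any URL that is not on the MRTG host, runs IECapt with the URL quoted just as above, and then embeds (not links) every resulting JPG into a single Word document through Word’s COM automation, which is one answer to the “templated Word document” wish above. Everything in it that is not on this page is an assumption: the C:\graphdumps\urls.csv list with a Label,Url header row, the mrtg.example.internal host name, and that Word is installed on the machine running it. Only the IECapt switches already shown above are used.&lt;/p&gt;

```powershell
# Added example, not from the original post or the IECapt project: capture
# every MRTG page in a CSV list with IECapt, then embed the JPGs in one Word
# document. Assumed (not on the page): C:\graphdumps\urls.csv with a header
# row "Label,Url", the MRTG host name, and Word installed for COM automation.
param(
    [string]   $WorkDir      = 'C:\graphdumps',
    [string]   $UrlList      = 'C:\graphdumps\urls.csv',
    [string[]] $AllowedHosts = @('mrtg.example.internal')   # assumed MRTG host
)

$iecapt = Join-Path $WorkDir 'IECapt.exe'
$stamp  = Get-Date -Format 'yyyy-MM-dd'
$outDir = Join-Path $WorkDir $stamp
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

# IECapt renders with the Internet Explorer engine, so it must only ever be
# pointed at the MRTG server: refuse anything else that finds its way into the list.
function Test-AllowedUrl([string] $Url) {
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref] $uri)) { return $false }
    if (@('http', 'https') -notcontains $uri.Scheme) { return $false }
    return ($AllowedHosts -contains $uri.Host)
}

# Derive a safe file name from the spreadsheet label: no path separators or
# reserved characters, and no spaces that would split the argument list.
function ConvertTo-FileName([string] $Label) {
    $bad   = [System.IO.Path]::GetInvalidFileNameChars()
    $chars = $Label.ToCharArray() | ForEach-Object { if (($bad -contains $_) -or ($_ -eq ' ')) { '_' } else { $_ } }
    $name  = (-join $chars).Trim('._ ')
    if ($name.Length -eq 0) { $name = 'capture' }
    return $name
}

$shots = @()
foreach ($row in Import-Csv $UrlList) {
    if (-not (Test-AllowedUrl $row.Url)) {
        Write-Warning "Skipping '$($row.Label)': URL is not on the allowed list"
        continue
    }
    $jpg = Join-Path $outDir ((ConvertTo-FileName $row.Label) + '.jpg')
    # Same switches as the batch file; the URL is quoted exactly as in the post.
    $argList = @("--url=`"$($row.Url)`"", "--out=$jpg", '--min-width=800', '--delay=5', '--silent')
    $proc = Start-Process -FilePath $iecapt -ArgumentList $argList -Wait -PassThru -WindowStyle Hidden
    if (($proc.ExitCode -eq 0) -and (Test-Path $jpg)) { $shots += $jpg }
    else { Write-Warning "IECapt failed for '$($row.Label)' (exit code $($proc.ExitCode))" }
}
if ($shots.Count -eq 0) { Write-Error 'No captures succeeded, nothing to archive'; return }

# Assemble the archive document. LinkToFile=$false and SaveWithDocument=$true
# store the pictures inside the .docx, so it travels as one self-contained file.
$word = New-Object -ComObject Word.Application
$word.Visible = $false
$doc = $word.Documents.Add()
$sel = $word.Selection
$sel.TypeText("MRTG graph captures for $stamp")
$sel.TypeParagraph()
foreach ($jpg in $shots) {
    $sel.TypeText([System.IO.Path]::GetFileNameWithoutExtension($jpg))
    $sel.TypeParagraph()
    $null = $sel.InlineShapes.AddPicture($jpg, $false, $true)
    $sel.TypeParagraph()
}
$docPath = Join-Path $outDir "MRTG-graphs-$stamp.docx"
$doc.SaveAs([ref] $docPath)
$doc.Close()
$word.Quit()
$null = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($word)
```

&lt;p&gt;Save it as something like C:\graphdumps\Get-MrtgGraphs.ps1 (name assumed) and schedule it with schtasks for the capture hour (/SC DAILY and /ST), using /RU to run it as the dedicated low-privilege account rather than an interactive user, so the IE rendering engine never runs with more rights than the job needs. The day’s JPGs and the finished .docx land together in a dated sub-folder, ready to archive.&lt;/p&gt; &lt;p&gt;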
Super-sweet.&lt;/p&gt; &lt;p&gt;Cheers!&lt;/p&gt; &lt;p&gt;Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-8884381989062302435?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/8884381989062302435/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=8884381989062302435&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8884381989062302435'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8884381989062302435'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/11/quick-web-screen-grabs.html' title='Quick Web Screen Grabs'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-1073589965110456827</id><published>2011-11-12T19:23:00.001-06:00</published><updated>2011-11-12T19:23:12.624-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virtualization'/><category scheme='http://www.blogger.com/atom/ns#' term='software'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><title type='text'>Mostly ISO burning</title><content type='html'>&lt;p&gt;This week I had a comment left on an older post requesting assistance with burning an ISO using Windows XP.&lt;/p&gt; &lt;p&gt;I guess I just take ISO burning (and other ISO actions) as such a simple task that I don’t even give it any thought.&lt;/p&gt; &lt;p&gt;I 
also take it for granted that I can reach into my 7.5 GB deep collection of tools and utilities and always count on finding the right tool for the task at hand. &lt;/p&gt; &lt;p&gt;It has been quite a while since &lt;a href="http://grandstreamdreams.blogspot.com/2008/05/burn-baby-burn.html"&gt;my last ISO-burning specific post&lt;/a&gt;, so I thought I would revisit things and warm up my blogging skills which have been quite rusty of late.&lt;/p&gt; &lt;p&gt;I went through that post and my collection of semi-dedicated ISO burning tools and pending bookmarks to come up with a few new lists.&lt;/p&gt; &lt;p&gt;Below is a collection of free software tools that are primarily very ISO-burning centric. Some can do a few other things as well, but they all are pretty much “select your ISO file, select your hardware burner, burn it.”&amp;nbsp; These are perfect for the occasional quick “one-off” ISO burn duty. I believe they are all (well, except for the first one) “portable” in operation, assuming the system you are running them on supports any dependencies (e.g. .NET).&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://windowsteamblog.com/windows/b/windowsexperience/archive/2009/04/13/burn-iso-images-natively-in-windows-7.aspx"&gt;Burn ISO Images Natively in Windows 7&lt;/a&gt; - Got Windows 7? Then you have ISO burning support baked in!&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.terabyteunlimited.com/downloads-free-software.htm"&gt;BurnCDCC&lt;/a&gt; - This TeraByte Unlimited tool is my #1 go-to tool for one-off burns of CD/DVD ISO files. Period.&amp;nbsp; It is that simple and that good.&amp;nbsp; Single 144 kB exe file.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.paehl-info.de/cdr/burniso.php"&gt;BURNISO&lt;/a&gt; - from Dirk Paehl is a nice, direct ISO burning tool.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.freeisoburner.com/"&gt;Free ISO Burner&lt;/a&gt; - Another nice ISO-burning centric tool. 
I like this one in that it is a single exe file (802 kB).&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.ntfs.com/iso-burning.htm"&gt;Active ISO Burner&lt;/a&gt; - This tool has a few additional tricks up its sleeve, so if you need a bit more control over burning options you may want to take a look at this one; it writes ISO images to CD, DVD, CD-RW, CD-R and DVD-RW.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.rcpsoft.net/7burn.html"&gt;7Burn&lt;/a&gt; - RCPsoft.net tool gets a bit more “complicated” again in that it not only easily allows you to burn an ISO to a disk, but also files/folders, with limited audio disk support. It also supports burning to Blu-ray media. It does require .NET to be present. While it is a single exe file, the size on this one is a heavier 3.67 MB.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.minidvdsoft.com/isoburner/"&gt;Free DVD ISO Burner&lt;/a&gt; - Minidvdsoft product. Similar to others here.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.paehl-info.de/cdr/isoburn.php"&gt;ISOBURN&lt;/a&gt; - another, simpler ISO burning tool from Dirk Paehl.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.astroburn.com/"&gt;Astroburn Lite&lt;/a&gt; - Free (non-commercial use only) tool to burn CD/DVDs. (I see this one recommended often in comments on other CD/ISO burning posts so I’m sharing it here. I haven’t used it yet. YMMV) &lt;/li&gt;&lt;/ul&gt; &lt;p&gt;These next free tools are much more comprehensive in disk burning options. Yes, they can still handle ISO burning, but they have a lot more bells and whistles.&amp;nbsp; While they can handle one-off ISO burns, they are probably better suited for heavier ISO building/burning duties.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.imgburn.com/"&gt;The Official ImgBurn Website&lt;/a&gt; - Love this tool!&amp;nbsp; It does all my heavier lifting for ISO burning (when I am burning multiple copies) as well as building ISO files from files/folders/optical media disks. 
Super awesome and updated often.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.starburnsoftware.com/products/starburn/overview"&gt;StarBurn Free&lt;/a&gt; (&lt;a href="http://www.rocketdivision.com/download_starburn.html"&gt;download&lt;/a&gt;) - This is a very full-featured burning tool that comes in free, paid ($), and portable (I recommend that one) versions. The interface is a bit more “geeky” and if you don’t work too much with burning actions and options, you might get lost. However, if you do, you will appreciate the way the actions have been arranged. The built-in themes and skins help give it a polished and system-integrated look as well.&lt;/li&gt; &lt;li&gt;&lt;a href="http://infrarecorder.org/"&gt;InfraRecorder&lt;/a&gt; - Another popular burning system that comes in portable versions for both 32-bit and 64-bit Windows.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.deepburner.com/index.php?r=products&amp;amp;pr=deepburner&amp;amp;prr=portable_edition"&gt;DeepBurner Free Portable&lt;/a&gt; - While lacking some of the advanced features of the “Pro” ($) version, it is a dependable and well-featured program.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.amok.am/en/freeware/amok_cd-dvd_burning/"&gt;AmoK CD/DVD Burning 1.10&lt;/a&gt; - Dirk Paehl’s name arises again in this multi-feature CD/DVD burning tool.&amp;nbsp; Supports skins so you can create a burner with attitude if that is your thing.&lt;/li&gt; &lt;li&gt;&lt;a href="http://cdburnerxp.se/en/home"&gt;CDBurnerXP&lt;/a&gt; - I used to use this burning suite on my home XP systems, but since ImgBurn I haven’t looked back. That said, it remains popular with many users. I go with the “portable version” on the download page.&amp;nbsp; FWIW: be aware that the third-party advertising module “OpenCandy” comes bundled with some installer builds of this program, so check what you are running before you install (&lt;a href="http://forum.cdburnerxp.se/viewtopic.php?f=2&amp;amp;t=9062"&gt;CDBurnerXP • View topic - New version: 4.3.7 and OpenCandy&lt;/a&gt;). 
Check out the &lt;a href="http://cdburnerxp.se/download?more-options"&gt;Downloads&lt;/a&gt; page carefully and you can find/select an installer version without OpenCandy if you want.&amp;nbsp; I went with the x64 portable version and didn’t have any OC issues.&amp;nbsp; See this &lt;a href="http://www.techsupportalert.com/content/controversial-advertising-program-now-being-embedded-more-software.htm"&gt;Gizmo's Freeware Review&lt;/a&gt; post for more info on OC if you are interested.&lt;/li&gt; &lt;li&gt;&lt;a href="http://burningstudio.hamstersoft.com/"&gt;Hamster Free Burning Studio&lt;/a&gt; - I’ve not personally tried this product but it seems to get positive feedback and has a very friendly GUI. Here is a review I found if you are interested, from the Addictive Tips blog: &lt;a href="http://www.addictivetips.com/windows-tips/burn-blu-ray-dvd-cd-disks-with-hamster-free-burning-studio-better-than-nero-lite/"&gt;Burn BluRay, DVD, CD Disks With Hamster Free Burning Studio, Better Than NeroBurn Lite&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;While not really an “ISO-burner”, I really love &lt;a href="http://www.isobuster.com/isobuster.php"&gt;IsoBuster&lt;/a&gt; for extraction of files out of an ISO file as well as looking at the file structure of the ISO itself. Not free ($), but a limited (and still quite feature-rich) free mode is available.&lt;/p&gt; &lt;p&gt;Want to mount that ISO file to inspect it, or extract files from it?&amp;nbsp; Then you need some freeware software to mount it as a virtual drive.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Windows 8 will natively support mounting of ISO files (finally). 
&lt;a href="http://blogs.msdn.com/b/b8/archive/2011/08/30/accessing-data-in-iso-and-vhd-files.aspx"&gt;Accessing data in ISO and VHD files&lt;/a&gt; - Building Windows 8 blog (and) &lt;a href="http://www.howtogeek.com/95364/windows-8-will-support-native-iso-image-mounting/"&gt;Windows 8 Will Support Native ISO Image Mounting&lt;/a&gt; - How-To Geek blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.pismotechnic.com/pfm/ap/"&gt;Pismo File Mount Audit Package&lt;/a&gt; - I always find myself installing this tool on my systems. It supports virtual mounting of ISO files (and a few others) as well as having great explorer shell integration.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.ltr-data.se/opencode.html/#ImDisk"&gt;ImDisk Virtual Disk Driver&lt;/a&gt; - Olof Lagerkvist continues to keep this super-awesome tool updated. I’m crazy but install it concurrently with Pismo just because it is that good. Just updated again in October to version 1.5.2.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.slysoft.com/en/virtual-clonedrive.html"&gt;SlySoft Virtual CloneDrive&lt;/a&gt; - My top pick for “slick and polished” virtual drive mounting for non-techies. What’s intimidating when you have these cute sheep icons representing your virtual drives. Can set up to 8 virtual drives to be available at once. Super simple and rock-solid. (Confession…crazy as it seems it also is installed along with Pismo and ImDisk on my home system I like it that much.)&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.magiciso.com/tutorials/miso-magicdisc-overview.htm"&gt;MagicISO&lt;/a&gt; - This freeware tool supports an curiously large number of image formats. So if you work with image formats frequently, you will probably want to include this on your system to be ready to mount and explore the image file.&lt;/li&gt; &lt;li&gt;&lt;a href="http://arainia.com/software/gizmo/overview.php?nID=4"&gt;Gizmo Drive&lt;/a&gt; - This is kind of like a swiss-army-knife of virtual drive mounting. 
Not only does it handle ISO/BIN/CUE/IMG file images, but it can mount VHD files as well. Additionally, it offers command line and Windows Shell mounting support. It’s pretty clever and updated pretty often.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.daemon-tools.cc/eng/products/dtLite"&gt;DAEMON Tools Lite&lt;/a&gt; - Way back in my early tech days, DAEMON tools was one of the few virtual drive tools there was. I found it to be a solid tool that had some driver hooks that sometimes caused BSOD issues on some systems (never had issues myself). I’ve not returned to it since then, but they are still offering a “lite” version that can be used free (&lt;a href="http://www.daemon-tools.cc/eng/downloads"&gt;at home personally and not for commercial purposes&lt;/a&gt;).&lt;/li&gt; &lt;li&gt;&lt;a href="http://trial.alcohol-soft.com/en/index.php"&gt;Alcohol Soft (120% and 52%)&lt;/a&gt; - This was the other major player along with DAEMON tools back in the day. Alcohol continues to offer a free version in their “52%” version that does get bundled with a &lt;a href="http://support.alcohol-soft.com/documentation/english/searchbar.htm"&gt;"toolbar” with feature sets&lt;/a&gt; you may or may not care for depending on how you are using the application.&amp;nbsp; I believe it may be &lt;a href="http://club.myce.com/f59/what-protection-database-search-toolbar-218815/"&gt;uninstalled or opt-out&lt;/a&gt; if you wish.&amp;nbsp; YMMV.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Additional material:&lt;/p&gt; &lt;p&gt;Here are some nice guides/how-to’s with screen shots to cover some of the software and actions mentioned here in this post if you are a visual learner.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.petri.co.il/how_to_write_iso_files_to_cd.htm"&gt;How to Write ISO Files to CD or DVD&lt;/a&gt; - Petri IT Knowledgebase&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.addictivetips.com/windows-tips/simple-ways-to-create-burn-and-mount-an-iso-image-file/"&gt;Simple Ways To Create, Burn 
And Mount An ISO Image File&lt;/a&gt; - Additive Tips&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.howtogeek.com/howto/14183/beginner-geek-how-to-burn-an-iso-image-to-a-disc/"&gt;Beginner Geek: How to Burn an ISO Image to a Disc&lt;/a&gt; - How-To Geek&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.howtogeek.com/howto/windows-vista/mount-an-iso-image-in-windows-vista/"&gt;Mount an ISO image in Windows 7, Windows 8 or Vista&lt;/a&gt; - How-To Geek&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Cheers,&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-1073589965110456827?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/1073589965110456827/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=1073589965110456827&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/1073589965110456827'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/1073589965110456827'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/11/mostly-iso-burning.html' title='Mostly ISO burning'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-867291262035756477</id><published>2011-11-10T14:02:00.001-06:00</published><updated>2011-11-10T14:02:06.123-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Win PE'/><category 
scheme='http://www.blogger.com/atom/ns#' term='boot-cd&apos;s'/><title type='text'>WinPE Building and PGP Support Links Updated</title><content type='html'>&lt;p&gt;It’s been a long time since the series of posts I did on WinPE building, specifically with PGP support built in.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2009/03/custom-winpe-building-post-script-and.html"&gt;grand stream dreams: Custom WinPE Building: Post-Script and PE 3.0&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://grandstreamdreams.blogspot.com/2008/12/custom-win-pe-boot-disk-building-step_14.html"&gt;grand stream dreams: Custom Win PE Boot Disk Building: Step Two – PGP Injection&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;The WinPE/PGP supported builds I’ve done still are humming along and a favorite resource for our technicians when they need to off-line boot a PGP encrypted system to recover data from the (corrupted system) drive before a reimage.&lt;/p&gt; &lt;p&gt;Recently PGP Desktop 10.x client began rolling out and I needed to work on a fresh WinPE/PGP build to support it.&lt;/p&gt; &lt;p&gt;Only when I started looking for the PGPpe zip files used to build them, all my bookmarks were dead. Seems PGP &lt;a href="http://www.symantec.com/about/news/release/article.jsp?prid=20100607_01"&gt;got snapped up&lt;/a&gt; by Symantec and killed a lot of great linkages in the KB migration process.&lt;/p&gt; &lt;p&gt;Took me a while to hunt them down, but here are working links to all the files and PDF guides you need to help you with your WinPE/PGP building work for both PGP Desktop 9.x and 10.x.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.symantec.com/business/support/index?page=content&amp;amp;id=TECH149634"&gt;Enterprise Support - Symantec Corp. 
- Windows PE &amp;amp; BartPE Tools for PGP Desktop 10&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.symantec.com/business/support/index?page=content&amp;amp;id=TECH149060"&gt;Enterprise Support - Symantec Corp. - Windows Preinstallation Environment &amp;amp; BartPE Tools PGP Desktop 9.x&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;I also noted this post &lt;a href="http://www.symantec.com/connect/forums/trying-create-bartpe-wde-cd"&gt;Trying to create a BartPE WDE CD | Symantec Connect Community&lt;/a&gt; where a user is experiencing failure using the files to build a 10.2 PGP supported WinPE disk. Feedback at the time (pretty recent) was that PGP has some SDK issues in the WinPE environment and it doesn’t work too well.&amp;nbsp; Fix was pending.&lt;br&gt;&lt;br&gt;I don’t (yet) need to support 10.2 PGP Desktop client version so hopefully the 10.1.x one I’m soon to build for won’t have any issues. I’ll let you know.&lt;/p&gt; &lt;p&gt;If WinPE/PGP building isn’t your thing, then you can also just download/burn the correct PGP “bootg.iso” file for your PGP Desktop client version.&amp;nbsp; Burn the ISO and then boot/decrypt away…providing you have a good passphrase to use.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.symantec.com/business/support/index?page=content&amp;amp;id=TECH152604"&gt;Enterprise Support - Symantec Corp. - PGP Desktop 10.x for Windows Recovery Disk Images&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.symantec.com/business/support/index?page=content&amp;amp;id=TECH148915"&gt;Enterprise Support - Symantec Corp. 
- PGP Whole Disk Encryption Recovery Disk Image(s) - PGP Desktop 9.8.x - 9.12.0&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Cheers,&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-867291262035756477?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/867291262035756477/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=867291262035756477&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/867291262035756477'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/867291262035756477'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/11/winpe-building-and-pgp-support-links.html' title='WinPE Building and PGP Support Links Updated'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-7170283641912723588</id><published>2011-11-10T13:44:00.001-06:00</published><updated>2011-11-10T13:44:34.582-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting'/><title type='text'>Windows Live Mail error 0x80041161</title><content type='html'>&lt;p&gt;Dad is working with his father-in-law who has an issue with his Suddenlink web-mail-based “forwarding” handling of messages.&lt;/p&gt; &lt;p&gt;Seems that (and the behavior is not browser dependent) when he tries to forward a message from his web-based email 
client, the message body text disappears.&amp;nbsp; File size remains large so it seems to still have the forwarded “content” somewhere in the message body, but it just can’t be seen.&amp;nbsp; Checks on the sent message find the content isn’t visible either to the recipient.&amp;nbsp; Strange.&lt;/p&gt; &lt;p&gt;Anyway, that’s not the immediate issue.&lt;/p&gt; &lt;p&gt;Rather than keep banging our heads on the page coding interaction with the browsers, I suggested we hook him up with a local email client and move away from the web-client interface.&amp;nbsp; No small challenge for the old-timer.&lt;/p&gt; &lt;p&gt;Knowing there is a plethora of good/free email clients out there (I personally prefer &lt;a href="https://encrypted.google.com/url?sa=t&amp;amp;rct=j&amp;amp;q=tunderbird&amp;amp;source=web&amp;amp;cd=1&amp;amp;ved=0CDoQFjAA&amp;amp;url=http%3A%2F%2Fwww.getthunderbird.com%2F&amp;amp;ei=CCi8TtatBeW42wWYhNiWCg&amp;amp;usg=AFQjCNEWA4jeeyigphIQBARw6XPmjl1RUg"&gt;Mozilla Thunderbird&lt;/a&gt; at home) I suggested to Dad we do a test-run with the gentleman using &lt;a href="https://encrypted.google.com/url?sa=t&amp;amp;rct=j&amp;amp;q=windows%20live%20mail&amp;amp;source=web&amp;amp;cd=1&amp;amp;sqi=2&amp;amp;ved=0CDkQFjAA&amp;amp;url=http%3A%2F%2Fexplore.live.com%2Fwindows-live-mail&amp;amp;ei=7ye8Tv7vKIPC2gXL4LmrBw&amp;amp;usg=AFQjCNEBIeAT3nwHlTNrr6gITXLJIR5Rvg"&gt;Windows Live Mail&lt;/a&gt;.&amp;nbsp; I’ve personally had great success with migrating others who are technically challenged from a web-mail based interface to this program.&amp;nbsp; The interface isn’t too “techie” and the basic email operations are covered with pretty intuitive icons on the main ribbon tab. 
Everything a very basic email user needs in a nice GUI.&lt;/p&gt; &lt;p&gt;Suddenlink even provides a handy guide for setting up their email accounts in WLM: &lt;a href="http://help.suddenlink.com/Internet/Pages/Windows7-EmailConfiguration.aspx"&gt;Windows 7 - Email Configuration&lt;/a&gt;&lt;/p&gt; &lt;p&gt;But before we did a remote-rollout on his system, I wanted to play around with WLM again myself using a few of my “zombie” email accounts for testing (you know…those email accounts you have signed up for a long time ago, almost never use, but keep around as a honeypot for fun email spam flies?).&lt;/p&gt; &lt;p&gt;So when I fired up the WLM client on my laptop, I was surprisingly greeted by an error dialog box saying it couldn’t be launched.&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;windows live mail could not be started. it may not be installed correctly. make sure that your disk is not full or that you are not out of memory. (0x80041161)&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;A quick Google led me to this link: &lt;a href="http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/windows-live-mail-error-0x80041161/145a5248-b46a-e011-8dfc-68b599b31bf5"&gt;windows live mail error 0x80041161 - Microsoft Answers&lt;/a&gt;&lt;/p&gt; &lt;p&gt;I went to my Win 7’s system “search field” in my start-menu and typed in “wlarp.exe”. It showed up in the list.&lt;/p&gt; &lt;p&gt;On my Windows 7 (x64) system the location is C:\Program Files (x86)\Windows Live\Installer\wlarp.exe&lt;/p&gt; &lt;p&gt;Launched it. 
It ran for a while and finished.&lt;/p&gt; &lt;p&gt;Re-launching Windows Live Mail resulted in normal launch and operation with no more errors and allowed me to set up my test accounts for practice before deployment and training begins.&lt;/p&gt; &lt;p&gt;Nice to know.&lt;/p&gt; &lt;p&gt;Now let the real work begin….&lt;/p&gt; &lt;p&gt;Cheers.&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-7170283641912723588?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/7170283641912723588/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=7170283641912723588&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/7170283641912723588'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/7170283641912723588'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/11/windows-live-mail-error-0x80041161.html' title='Windows Live Mail error 0x80041161'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-2349469095540229062</id><published>2011-11-06T16:36:00.001-06:00</published><updated>2011-11-10T13:17:15.620-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title 
type='text'>Without fail…</title><content type='html'>&lt;p&gt;Why does it seem -- without fail -- that when I am done taking the long route through a complex and time-consuming process, I seem to only then find a tool that could do perfectly what I was doing in less than half the time and effort?&lt;/p&gt; &lt;p&gt;In my “recent” GSD post, &lt;a href="http://grandstreamdreams.blogspot.com/2011/09/on-hunt.html"&gt;On the Hunt…&lt;/a&gt; I outlined how I was using a bat file to do a NBTSTAT -A process to collect valid IP addresses, host names, and MAC addresses; and then how I was doing manual work to convert them into a tabular (CSV) format for importation into Excel.&lt;/p&gt; &lt;p&gt;This weekend I just found this free Windows CLI utility:&lt;/p&gt; &lt;p&gt;&lt;a href="http://inetcat.net/software/nbtscan.html"&gt;NBTScan. NetBIOS Name Network Scanner.&lt;/a&gt;&lt;/p&gt; &lt;p&gt;It has a cygwin1.dll component (949 kB) and the CLI executable nbtscan.exe (93 kB).&amp;nbsp; That’s it.&lt;/p&gt; &lt;p&gt;It seems to do all that I was doing, and then some. Nice.&lt;/p&gt; &lt;p&gt;The nbtscan.exe file alone worked perfectly on my Win 7 x64 system in testing against my home network IP ranges.&amp;nbsp; Super-fast and awesomely formatted output.&lt;/p&gt; &lt;p&gt;On the page are also a couple of “Gui” companions as well. One (Use42) had a component in the ZIP file that set off an AV alert with MS Security Essentials. I’m thinking it was because it was a potentially unwanted program (PUP) as it was part of a package for pen-testing work which included nbtscan. 
Use at your own discretion.&lt;/p&gt; &lt;p&gt;The “gui.exe” one looked nice and simple as well, but didn’t seem to offer access to the additional CLI argument options that nbtscan can use.&lt;/p&gt; &lt;p&gt;Those baked-in argument options with the tool are pretty powerful and useful, check out the page for more information.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#ff0000"&gt;post update:&lt;/font&gt;&lt;/strong&gt; in the comments to this post, &lt;a href="http://www.woanware.co.uk/"&gt;Mark Woan&lt;/a&gt; recommends as an alternative tool, Steve Friedl’s version &lt;a href="http://www.unixwiz.net/tools/nbtscan.html"&gt;nbtscan - NETBIOS nameserver scanner&lt;/a&gt;. It is a single tiny executable file and doesn’t require the cygwin1.dll component that NBTScan does.&amp;nbsp; In my tests it worked fine on my Win 7 x64 system, however I couldn’t get it to display the MAC information when I used the required argument. I didn’t have that issue with the first NBTScan tool. Probably just a &lt;a href="http://en.wikipedia.org/wiki/Layer_8"&gt;Layer 8&lt;/a&gt; issue…&amp;nbsp; Thanks Mark!&lt;/p&gt; &lt;p&gt;Bonus #1: Check out this new pen-test tool from the same developer: &lt;a href="http://www.gremwell.com/what_is_magictree"&gt;MagicTree&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Bonus #2: Sectools.org recently updated their &lt;a href="http://sectools.org/"&gt;Top Network Security Tools&lt;/a&gt; list.&lt;/p&gt; &lt;p&gt;Cheers,&lt;/p&gt; &lt;p&gt;Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-2349469095540229062?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/2349469095540229062/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=2349469095540229062&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/2349469095540229062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/2349469095540229062'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/11/without-fail.html' title='Without fail…'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-4656785527791834468</id><published>2011-09-24T21:34:00.001-05:00</published><updated>2011-09-24T21:34:58.065-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='virtualization'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows 8'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Windows 8 Linkage: “Majestic Metro” version</title><content type='html'>&lt;p align="right"&gt;cc image credit &lt;a href="http://www.flickr.com/photos/hyku/398725053/"&gt;image by hyku on flickr&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;img style="background-image: none; border-bottom: 0px; border-left: 0px; margin: 0px 0px 0px 5px; padding-left: 0px; padding-right: 0px; display: inline; float: right; border-top: 0px; border-right: 0px; padding-top: 0px" title="image" border="0" alt="image" align="right" src="http://lh3.ggpht.com/-xgc5h3Ll4Hg/Tn6TUJMIU2I/AAAAAAAAA7M/dDeNlfH0HE4/image%25255B4%25255D.png?imgmax=800" width="305" height="484"&gt;I’m having a really, really hard time getting excited about Windows 8 and its “majestic” Metro design style and 
interface.&amp;nbsp; So hard I &lt;em&gt;almost&lt;/em&gt; skipped posting these links.&lt;/p&gt; &lt;p&gt;I’m now more comfortable in the Windows 7 environment and experience than I was/am in Windows XP. Don’t even get me started on my limited Vista run.&lt;/p&gt; &lt;p&gt;There are a lot of technical pundits much smarter and more versed in pre-analyzing the pre-Windows 8 packages that Microsoft has pushed out.&amp;nbsp; Though I have dutifully downloaded the public “Developer Preview” version and got it spinning on a virtual machine (VirtualBox if you care to know), I haven’t tried (nor care at this point) to dual-boot it via a VHD container on real hardware. Nor do I have access to a “tablet” or touch-screen device to really take full advantage of the Metro touch interface. (Yawn)&lt;/p&gt; &lt;p&gt;However my initial response is that it is pleasant and somewhat interesting. I’m sure the new advances in the kernel and OS functionality will improve the already quite refined Windows 7 version in terms of security and user-perceived performance.&lt;/p&gt; &lt;p&gt;However, unlike Windows 7, I will not be rushing out to the store to snap it up and upgrade our Windows 7 systems.&amp;nbsp; They just work too well, are too stable, and are too nice to bother. For now.&lt;/p&gt; &lt;p&gt;Heck, I can’t get my dad to upgrade from Vista to Windows 7.&amp;nbsp; He actually likes and trusts it. 
Forget about getting him to leap to Windows 8!&lt;/p&gt; &lt;p&gt;Which leads me to my next concern: with so many enterprises and businesses just now finally making the upgrade jump from XP to Windows 7, will Microsoft be able to sell them on Windows 8 with its funky Metro interface (noted, it can be disabled for a more “Classic” business-like desktop experience) and even newer under-the-hood architecture?&amp;nbsp; Probably, eventually I suppose…maybe in the same general timeframe as those XP to Windows 7 adoption rates.&lt;/p&gt; &lt;p&gt;So, here is the obligatory GSD post of everything you probably need to know (IMHO) about Windows 8, for now, to satisfy your curiosity, and get you started kicking the tires.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#0000ff"&gt;First, a Meet and Greet&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://blog.chron.com/techblog/2011/09/your-windows-8-questions-answered/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+houstonchronicle%2Ftechblogfulltext+%28TechBlog+-+Full+Text%29"&gt;Your Windows 8 questions, answered&lt;/a&gt; - TechBlog’s Dwight Silverman&lt;/p&gt; &lt;p&gt;&lt;a href="http://blog.chron.com/techblog/2011/09/making-business-lust-for-windows-8/"&gt;Making business lust for Windows 8&lt;/a&gt; - TechBlog’s Dwight Silverman&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.pitorque.de/MisterGoodcat/post/Windows-8-First-thoughts.aspx"&gt;Windows 8–First thoughts&lt;/a&gt; - Mister Goodcat' on pitorque.de&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#0000ff"&gt;Getting Windows 8 Developer Preview&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://msdn.microsoft.com/en-us/windows/apps/br229516"&gt;Windows Metro Style Apps Developer Downloads&lt;/a&gt; - Microsoft MSDN Dev Center. 
Get the ISO’s here.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#0000ff"&gt;Installing Windows 8 - Virtual Box method&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;This was the method I went with. I used Mister Goodcat’s pitch-perfect walkthrough post to get my version&amp;nbsp; -- Windows 8 Windows Developer Preview English, 32-bit (x86) -- up and running in just a few minutes. Check them all out first as they all provide good perspectives before starting.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.pitorque.de/MisterGoodcat/post/Installing-Windows-8-Developer-Preview-in-a-virtual-machine.aspx"&gt;Installing Windows 8 Developer Preview in a virtual machine&lt;/a&gt; - Mister Goodcat' on pitorque.de&lt;/p&gt; &lt;p&gt;Pay particular attention in that post above where Mister Goodcat explains at the end how to manually adjust the screen size resolution outside of the VirtualBox session to allow you a better “wide-screen” ratio level. It’s worth the read if you go this method.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.zdnet.com/blog/hardware/windows-8-an-installation-walk-through/14768"&gt;Windows 8: An installation walk-through&lt;/a&gt; - Hardware 2.0 blog at ZDNet&lt;/p&gt; &lt;p&gt;&lt;a href="http://translate.google.com/translate?prev=_t&amp;amp;hl=en&amp;amp;ie=UTF-8&amp;amp;u=http://stadt-bremerhaven.de/windows-8-und-virtualbox-so-funktioniert-es?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+stadt-bremerhaven%2FdqXM+%28Caschys+Blog%29&amp;amp;sl=%s&amp;amp;tl=undefined"&gt;8 and Windows VirtualBox: how it works&lt;/a&gt; - (GTranslated) - Caschy on the German stadt-bremerhaven.de blog&lt;/p&gt; &lt;p&gt;&lt;a href="http://translate.google.com/translate?prev=_t&amp;amp;hl=en&amp;amp;ie=UTF-8&amp;amp;u=http://www.borncity.com/blog/2011/09/16/windows-8-virtualisieren/&amp;amp;sl=%s&amp;amp;tl=undefined"&gt;Virtualize Windows 8 ...&lt;/a&gt; - (GTranslated) - Gunter Born’s “Borns and WIndows IT Blog”&lt;/p&gt; &lt;p&gt;&lt;a 
href="http://www.windows7hacker.com/index.php/2011/09/running-windows-8-on-virtualbox-with-additional-wide-screen-resolution/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+windows7hacker+%28windows7hacker%29"&gt;Running Windows 8 on VirtualBox with Additional Wide Screen Resolution&lt;/a&gt; - Windows7hacker&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#0000ff"&gt;Installing Windows 8 - VHD Native/Dual-Boot Method&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;This is the method I used to pre-test Windows 7 release versions &lt;a href="http://grandstreamdreams.blogspot.com/2009/03/gsd-how-to-dual-boot-windows-7-on-vista.html"&gt;back in the day on my Vista system&lt;/a&gt;.&amp;nbsp; It worked great and there was considerable benefit to running the OS on “real” hardware.&amp;nbsp; It was easy.&amp;nbsp; I didn’t love Vista so much so I didn’t really care about data-loss then. I really like my Windows 7 installation on &lt;a href="http://grandstreamdreams.blogspot.com/2010/09/dell-named-tatiana.html"&gt;my blazing-fast Dell Studio system&lt;/a&gt; so I’m more hesitant this go round.&amp;nbsp; Maybe I’ll see if Alvis wants to be a volunteer geeklet for the Win 8 testing cause with her laptop…&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.hanselman.com/blog/GuideToInstallingAndBootingWindows8DeveloperPreviewOffAVHDVirtualHardDisk.aspx"&gt;Guide to Installing and Booting Windows 8 Developer Preview off a VHD (Virtual Hard Disk)&lt;/a&gt; - Scott Hanselman’s Computer Zen blog&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.pitorque.de/MisterGoodcat/post/Installing-Windows-8-Developer-Preview-as-bootable-VHD.aspx"&gt;Installing Windows 8 Developer Preview as bootable VHD&lt;/a&gt; - Mister Goodcat' on pitorque.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blog.concurrency.com/infrastructure/dual-boot-windows-8-from-vhd-using-windows-setup/"&gt;Dual Boot Windows 8 from VHD using Windows Setup&lt;/a&gt; - Concurrency Blog&lt;/p&gt; &lt;p&gt;&lt;a 
href="http://lifehacker.com/5840387/how-to-dual+boot-windows-7-and-windows-8-side-by-side"&gt;How to Dual-Boot Windows 7 and Windows 8 Side By Side&lt;/a&gt; - Lifehacker&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.windows7hacker.com/index.php/2011/09/native-vhd-boot-to-windows-8-developer-preview-with-windows-7/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+windows7hacker+%28windows7hacker%29"&gt;Native VHD Boot Windows 8 as Virtual Machine with Windows 7&lt;/a&gt; - Windows7hacker&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#0000ff"&gt;USB Install Method &amp;amp; Windows 8 “To Go”&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://translate.google.com/translate?prev=_t&amp;amp;hl=en&amp;amp;ie=UTF-8&amp;amp;u=http://stadt-bremerhaven.de/windows-8-vom-usb-stick-installieren?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+stadt-bremerhaven%2FdqXM+%28Caschys+Blog%29&amp;amp;sl=%s&amp;amp;tl=undefined"&gt;8 Windows install from USB stick&lt;/a&gt; - (GTranslated) - Caschy on the German stadt-bremerhaven.de blog&lt;/p&gt; &lt;p&gt;Also interesting is the (native) ability to boot and RUN Windows 8 directly off a USB stick.&amp;nbsp; This is similar to, but much more fully developed than the Windows PE environment fans such as I have been hacking and using for some time now with great delight.&amp;nbsp; Rather than running in a diminished (pre hack) OS environment, this would be the full-meal-deal OS on a stick.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.borncity.com/blog/2011/09/18/how-to-create-your-own-windows-8-to-go-developer-preview/"&gt;How to create your own Windows 8 To Go Developer Preview&lt;/a&gt; - Gunter Born’s “Borns and WIndows IT &lt;/p&gt; &lt;p&gt;(Revisited) &lt;a href="http://www.borncity.com/blog/2011/09/21/creating-windows-8-to-go-on-a-16-gb-usb-stick/"&gt;Creating Windows 8 To Go on a 16 GB USB-Stick&lt;/a&gt; - Gunter Born’s “Borns and WIndows IT &lt;/p&gt; &lt;p&gt;&lt;a 
href="http://www.everythingusb.com/windows-to-go-21338.html"&gt;Windows To Go: Bootable Windows Drive May Revitalize Flash Market&lt;/a&gt; - EverythingUSB (with video demo)&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#0000ff"&gt;Just In Case you were Curious&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://translate.google.com/translate?prev=_t&amp;amp;hl=en&amp;amp;ie=UTF-8&amp;amp;u=http://www.borncity.com/blog/2011/09/19/windows-8-developer-preview-key-gefllig/&amp;amp;sl=%s&amp;amp;tl=undefined"&gt;Windows Developer Preview 8-compliant Key?&lt;/a&gt; - Gunter Born’s “Borns and WIndows IT &lt;strong&gt;&lt;font color="#0000ff"&gt;&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://cybernetnews.com/windows-8-developer-preview-expiration-date/"&gt;Windows 8 Developer Preview (Build 8102) Expiration Date&lt;/a&gt; - CyberNet News blog&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#0000ff"&gt;Obligatory Tweaking Tips and Utilities&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;The first link is the utility I chose to use to wrest control back from the Windows 8 interface. 
The second link I needed because I was impatient and just wanted to shut the thing down.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.thewindowsclub.com/metro-ui-tweaker-windows-8-released?utm_source=rss&amp;amp;utm_medium=rss&amp;amp;utm_campaign=metro-ui-tweaker-windows-8-released"&gt;Metro UI Tweaker for Windows 8 Released&lt;/a&gt; - The Windows Club&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.windows7hacker.com/index.php/2011/09/shutting-down-windows-8/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+windows7hacker+%28windows7hacker%29"&gt;Shutting Down Windows 8&lt;/a&gt; - Windows7hacker&lt;/p&gt; &lt;p&gt;&lt;a href="http://translate.google.com/translate?prev=_t&amp;amp;hl=en&amp;amp;ie=UTF-8&amp;amp;u=http://stadt-bremerhaven.de/metrocontroller-deaktiviert-metroui-co-unter-windows-8?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+stadt-bremerhaven%2FdqXM+%28Caschys+Blog%29&amp;amp;sl=%s&amp;amp;tl=undefined"&gt;Metro controller: Disabled MetroUI &amp;amp; Co under Windows 8&lt;/a&gt;- (GTranslated) - Caschy on the German stadt-bremerhaven.de blog&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.windows7hacker.com/index.php/2011/09/bringing-back-the-old-style-of-windows-7-start-menu-in-windows-8-developer-preview/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+windows7hacker+%28windows7hacker%29"&gt;Bringing Back The Old Style of Windows 7 Start Menu in Windows 8 Developer Preview&lt;/a&gt; - Windows7hacker&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.windows7hacker.com/index.php/2011/09/how-to-shut-down-the-full-screen-running-metro-style-apps-in-windows-8/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+windows7hacker+%28windows7hacker%29"&gt;How To Shut Down The Full Screen Running Metro Style Apps in Windows 8&lt;/a&gt; - Windows7hacker&lt;/p&gt; &lt;p&gt;&lt;a 
href="http://translate.google.com/translate?prev=_t&amp;amp;hl=en&amp;amp;ie=UTF-8&amp;amp;u=http://stadt-bremerhaven.de/windows-8-developer-preview-klassisches-startmenue-und-metroui-per-kontextmenue-switchen?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+stadt-bremerhaven%2FdqXM+%28Caschys+Blog%29&amp;amp;sl=%s&amp;amp;tl=undefined"&gt;Windows Developer Preview 8: Classic Start Menu and switchen MetroUI via context menu&lt;/a&gt; - (GTranslated) - Caschy on the German stadt-bremerhaven.de blog&lt;/p&gt; &lt;p&gt;&lt;a href="http://translate.google.com/translate?prev=_t&amp;amp;hl=en&amp;amp;ie=UTF-8&amp;amp;u=http://www.borncity.com/blog/2011/09/20/windows-8-schnellzugriff-auf-anwendungen/&amp;amp;sl=%s&amp;amp;tl=undefined"&gt;Windows 8: Quick access to applications&lt;/a&gt; - Gunter Born’s “Borns and WIndows IT &lt;/p&gt; &lt;p&gt;&lt;a href="http://www.windows7hacker.com/index.php/2011/09/5-ways-to-tweak-windows-8-start-menu-with-metro-ui-developer-preview-edition/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+windows7hacker+%28windows7hacker%29"&gt;5 Ways To Tweak Windows 8 Start Menu with Metro UI (Developer Preview Edition)&lt;/a&gt; - Windows7hacker&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#0000ff"&gt;Yeah, that TouchScreen thing&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Whatever…&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.ditii.com/2011/09/16/windows-simulator-lets-you-simulate-windows-8-touch-features-using-mouse/"&gt;Windows Simulator Lets You Simulate Windows 8 Touch Features Using Mouse&lt;/a&gt; - di’Tii.com D’Technology Weblog.&lt;/p&gt; &lt;p&gt;&lt;a href="http://translate.google.com/translate?prev=_t&amp;amp;hl=en&amp;amp;ie=UTF-8&amp;amp;u=http://www.borncity.com/blog/2011/09/19/windows-8-touchscreen-simulator/&amp;amp;sl=%s&amp;amp;tl=undefined"&gt;8-touchscreen Windows Simulator&lt;/a&gt; - Gunter Born’s “Borns and WIndows IT &lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font 
color="#0000ff"&gt;Open in Case you now need to RTFM of sorts (sponsored by Lifehacker)&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://lifehacker.com/5841764/windows-8-in+depth-part-1-the-metro-ui?tag=windows-8"&gt;Windows 8 In-Depth, Part 1: The Metro UI &lt;/a&gt;- Lifehacker&lt;/p&gt; &lt;p&gt;&lt;a href="http://lifehacker.com/5842150/windows-8-in+depth-part-2-the-desktop?tag=windows-8"&gt;Windows 8 In-Depth, Part 2: The Desktop &lt;/a&gt;- Lifehacker&lt;/p&gt; &lt;p&gt;&lt;a href="http://lifehacker.com/5842209/windows-8-in+depth-part-3-windows-explorer"&gt;Windows 8 In-Depth, Part 3: Windows Explorer&lt;/a&gt;- Lifehacker&lt;/p&gt; &lt;p&gt;&lt;a href="http://lifehacker.com/5842867/windows-in+depth-part-4-the-task-manager"&gt;Windows In-Depth, Part 4: The Revamped, Vastly Improved Task Manager&lt;/a&gt;- Lifehacker&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#0000ff"&gt;Technically Speaking Now&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.windows7hacker.com/index.php/2011/09/uefi-secure-boot-in-windows-8-explained-the-customer-is-still-in-control/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+windows7hacker+%28windows7hacker%29"&gt;UEFI Secure Boot in Windows 8 Explained, The Customer is still in Control of Their PC&lt;/a&gt; - Windows7hacker&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.windows7hacker.com/index.php/2011/09/a-close-look-at-windows-8-revamped-task-manager/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+windows7hacker+%28windows7hacker%29"&gt;A Close Look at Windows 8 Revamped Task Manager&lt;/a&gt; - Windows7hacker&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.readwriteweb.com/cloud/2011/09/windows-server-8-sheds-its-gra.php?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+readwriteweb+%28ReadWriteWeb%29"&gt;Windows Server 8 Sheds Its Graphical Baggage&lt;/a&gt; - ReadWriteCloud&lt;/p&gt; &lt;p&gt;&lt;a 
href="http://windowsir.blogspot.com/2011/09/linksand-whatnot.html"&gt;Links...and whatnot &lt;/a&gt;- Windows Incident Response blog - Harlan’s post has some initial forensic observations about the Windows 8 Registry hive structure.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#0000ff"&gt;Watch List for Future developments&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.msdn.com/b/b8/"&gt;Building Windows 8&lt;/a&gt; - Blog posts from the Windows engineering team on MSDN Blogs&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.windows7hacker.com/index.php/category/windows-8-2/"&gt;Windows 8&lt;/a&gt; - Windows7hacker&lt;/p&gt; &lt;p&gt;Hard to believe it was a scant three years ago just a few days from now when I was covering all this ground for the (then) dawning release of Windows 7: &lt;a href="http://grandstreamdreams.blogspot.com/2008/10/windows-7-getting-my-feet-wetcannonball.html"&gt;Windows 7 – Getting my feet wet…Cannonball style!&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Ahh memories….&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-4656785527791834468?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/4656785527791834468/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=4656785527791834468&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/4656785527791834468'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/4656785527791834468'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/09/windows-8-linkage-majestic-metro.html' title='Windows 8 Linkage: 
“Majestic Metro” version'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh3.ggpht.com/-xgc5h3Ll4Hg/Tn6TUJMIU2I/AAAAAAAAA7M/dDeNlfH0HE4/s72-c/image%25255B4%25255D.png?imgmax=800' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-6642190807571578019</id><published>2011-09-24T16:47:00.001-05:00</published><updated>2011-09-24T17:07:52.762-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting'/><category scheme='http://www.blogger.com/atom/ns#' term='tutorials'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>On the Hunt…</title><content type='html'>&lt;p align="right"&gt;&lt;img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-dDSRSvPivyM/Tn5Ut5XIDDI/AAAAAAAAA7I/MwoXVmJKtkM/image%25255B4%25255D.png?imgmax=800" width="644" height="327"&gt;(no, this is not a picture from one of our network rooms, though the similarity looks uncanny.)&lt;br&gt; cc image credit: &lt;a href="http://www.flickr.com/photos/68423870@N00/5308965/"&gt;mrtom on flickr&lt;/a&gt;&lt;/p&gt; &lt;p&gt;One of the (many) critical projects I’m currently working on has our team upgrading the network switch hardware across our enterprise.&lt;/p&gt; &lt;p&gt;That alone should be fairly simple: get new switches as needed, pre-configure new switches, schedule 
swap-time with customer, un-patch cables from old switches, put in new switches, re-patch cables into new switches, move on to next site.&amp;nbsp; Easy, right?&lt;/p&gt; &lt;p&gt;However, a few very critical things (from a network security standpoint) are causing a lot of work and late nights.&amp;nbsp; Until recently, there was no real documentation kept on where all the network cables/jacks in the facilities were located, patch panel labeling at “old” sites was spotty at best, and furniture and office improvements left access to jack plates, and trust in their labels, weak at best.&lt;/p&gt; &lt;p&gt;So, to take back control of the physical layer, my partner and I have to physically survey and account for the location and labeling of every cable we patch down into the new switches.&amp;nbsp; Considering the size of some of our facilities and the number of users, this is a tremendously daunting process.&amp;nbsp; Oh yeah, the two of us typically have just a day on-site to do everything…from survey to final patch down.&lt;/p&gt; &lt;p&gt;Semper paratus, we load up and head out.&lt;/p&gt; &lt;p&gt;When we complete this project for all our facilities, we will have up-to-date floor plans of our physical cable topology and the documentation to match. Couple that with being able to administratively disable the unused ports on the switches, and we can go a long way toward improving our network security and troubleshooting.&amp;nbsp; And this is just laying the foundation.&lt;/p&gt; &lt;p&gt;So, here are some free tips and tools and the methodology I’ve painfully worked out as our project and techniques have matured; maybe they can help others taking on this task. YMMV.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Recon work and data-gathering is the key.  &lt;li&gt;A day or two prior to the facility upgrade day, I remotely run a series of scans from a box at the location to collect key data off the local network.  
&lt;li&gt;&lt;a href="http://www.solarwinds.com/products/freetools/ip-address-tracker/"&gt;Free IP Address Tracker from SolarWinds&lt;/a&gt; - This tells me which IP addresses are active (at that moment), their hosts name (in most cases), and some supplement data which could be useful. Results are exported into a CSV file.  &lt;li&gt;&lt;a href="http://www.colasoft.com/mac_scanner/"&gt;Colasoft MAC Scanner&lt;/a&gt; - This free tool very quickly rips though the local network and provides me a list of active IP addresses, hosts names (in most cases), and, very importantly, the MAC address of the machine. Results are exported into a CSV file.  &lt;li&gt;There are some other free tools such as Nir Sofer’s &lt;a href="http://www.nirsoft.net/utils/fastresolver.html"&gt;FastResolver&lt;/a&gt; and &lt;a href="http://www.softperfect.com/products/networkscanner/"&gt;SoftPerfect Network Scanner&lt;/a&gt; and Radmin’s &lt;a href="http://www.radmin.com/products/ipscanner/"&gt;Advanced IP Scanner 2.0&lt;/a&gt; that can also handle those tasks but for speed of scan and ease of export, I prefer the first two myself.  &lt;li&gt;Once those scans are in hand (usually both in less than 10 minutes), I then prepare a MyIPS.txt file for the location that contains all the IP addresses (one per line) that subnet contains.  &lt;li&gt;I then couple that TXT file with the following simple DOS BAT file I worked up. 
While the original source of the technique is lost to me at the moment, so I cannot give proper credit, I suspect it is related to some tips found on this page: &lt;a href="http://www.computing.net/answers/programming/ping-list-of-computers-from-a-txt-file/19843.html"&gt;Ping list of computers from a txt file&lt;/a&gt;&amp;nbsp;&lt;/li&gt;&lt;/ul&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font size="2" face="Courier New"&gt;REM Start a fresh results file with a CSV header row&lt;br&gt;IF EXIST SCAN-RESULTS.txt DEL SCAN-RESULTS.txt&lt;br&gt;echo IP,HOSTNAME,MAC &amp;gt;&amp;gt; SCAN-RESULTS.txt&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="2" face="Courier New"&gt;REM For each address in MyIPS.txt (one per line): echo it to the screen and to the file, then keep only the&lt;br&gt;REM NetBIOS name line (the &amp;lt;00&amp;gt; UNIQUE record; note the two spaces before UNIQUE) and the MAC line.&lt;br&gt;REM nbtstat -A asks the host over NetBIOS (UDP 137), so a host with NetBIOS over TCP/IP disabled or firewalled&lt;br&gt;REM answers Host not found and leaves only its IP line behind; the MAC scanner export fills those gaps.&lt;br&gt;FOR /f %%i IN (MyIPS.txt) DO echo %%i &amp;amp; echo %%i &amp;gt;&amp;gt; SCAN-RESULTS.txt &amp;amp; nbtstat -A %%i | find "&amp;lt;00&amp;gt;&amp;nbsp; UNIQUE" &amp;gt;&amp;gt; SCAN-RESULTS.txt &amp;amp; nbtstat -A %%i | find "MAC Address" &amp;gt;&amp;gt; SCAN-RESULTS.txt&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;ul&gt; &lt;li&gt;Normally I include ALL the IP’s for the location in the MyIPS.txt file that feeds the batch file above. I do so to ensure full coverage. However, the drawback is that depending on the number of IP’s that your subnet provides, that can take a REALLY long time to complete. So if you want to save some time, and are willing to accept some possible skips, you could filter one of your Colasoft/SolarWinds export files for active IP’s only and feed it that instead.  &lt;li&gt;Note: I typically run these scans around mid-morning or mid-afternoon when I am most likely to catch the maximum number of users at their desks with their PC’s turned on.  &lt;li&gt;Now that I have my SCAN-RESULTS.txt file, which provides me the IP address, the HOSTNAME, and the MAC address of each “active/responding” IP, I have to clean it up into a nice CSV format.&amp;nbsp; Some quick cut/trim/replace work using &lt;a href="http://notepad-plus-plus.org/"&gt;Notepad++&lt;/a&gt; usually does the trick in short order.  
&lt;li&gt;Lastly, I need one more CRITICAL piece of information: the switch/switch-port/MAC mapping.  &lt;li&gt;I Telnet onto each of the local switches at the site and, after authenticating, I run a “show mac-address-table” command.&amp;nbsp; I copy this output into a text file.&amp;nbsp; This gives me the MAC address being reported on each switch/port.&amp;nbsp; Your command may vary depending on switch manufacturer, model, and firmware version. However, if it is a managed switch, you should have something similar.  &lt;li&gt;Whew, get up and stretch and grab a beverage.  &lt;li&gt;Returning to my desk, I then use a combination of Notepad++, Excel, and some clever multi-tab/multi-view work to “basically” create a spreadsheet that uses the MAC address as the common key for matching the information in the various logs.&amp;nbsp; My final spreadsheet contains fields for the IP address, the HostName, a device-name field (to be used for printers and other non-PC network items that HostName may not apply to), the MAC address, the switch number, and the port number on that switch. If you do this, you will have to work out the technique, but I think you will get the general idea quickly.  &lt;li&gt;For rows where I got an IP address with a MAC address only, after all this work I perform some additional network discovery tricks (attempt to connect via HTTP/FTP to the device), a fresh NBTSTAT -A on just that IP (in case someone turned on their PC late in the scan and got skipped), or some other tricks.&amp;nbsp; Usually I achieve a 98% success rate.  &lt;li&gt;I then create two versions of this spreadsheet; one sorted by HOSTNAME and the other sorted by switch number/port number.  &lt;li&gt;With these now printed out and on hand, we hit the site and perform a physical survey:  &lt;ul&gt; &lt;li&gt;I sketch out our data/relay racks and the patch panels on them.&amp;nbsp; I later convert this into a sweet Visio diagram using cool object figures of rack components.  
&lt;li&gt;I have a template sheet that represents our patch panels. I use this during the project rollout to document the physical panel/slot numbers, the actual labels for the ports, the room numbers where the jacks are located, whether they are “active”, and whether they are patched into a switch.  &lt;li&gt;With floor plan in hand, we then perform a physical survey of the site, room by room, wall by wall, public and non-public spaces.&amp;nbsp; We note the actual data jacks found on the hard-copy, what they are labeled, and the name of the host system/device attached.&lt;/li&gt;&lt;/ul&gt; &lt;li&gt;With results in hand, I then sit down to reconcile the patch-panel documentation against the physical survey. Sometimes it matches nicely, sometimes it does not. Sometimes cables may have been abandoned (in the ceiling, in the wall, etc.) or are lost behind filing cabinets that cannot be moved. These are so noted, and all “unknown” cable ends are not patched down.  &lt;li&gt;For cases where we were not able to see the jack to get a jack number (behind a desk), I can then pull out my spreadsheet and look up the system’s host-name to find its corresponding switch/port association. My partner or I then back-trace the cable from that switch/port back to the patch-panel to discover the panel/jack label.  &lt;li&gt;For rare cases where we were not able to “network discover” the PC-to-Jack-to-Panel-Switch association (for example, a cable that is found to be “hot” into a switch but has no PC on it and the jack is not labeled), we normally would have to tone it out. However, as anyone who has attempted to tone out a cable known to be plugged into a switch will tell you, it can be a real challenge.&amp;nbsp; Luckily, I recently found a very reasonably-priced toning tool that has a “cable ID” feature: &lt;a href="http://www.psiber.com/cabletracker.html"&gt;Psiber Data Systems Inc. 
Cable Tracker.&lt;/a&gt;&amp;nbsp; Set this little gizmo to Cable ID in one of three “pattern settings” and it will flash a beacon pattern on your switch. Just look for that beacon and you are then able to back-trace up the panel.&amp;nbsp; Alternatively, you could attach your laptop to the jack, note your MAC address, then telnet to the switch and find what switch/port it is on.  &lt;li&gt;Note: a partner and a set of good heavy-duty radio units (does anyone call them “walkie-talkies” anymore?) make this a fast two-person job; one person is stationed at the patch-panel while the other roams the field.  &lt;li&gt;Note: A very cheap but indispensable network testing tool IMHO is the (Amazon linked) &lt;a href="http://www.amazon.com/Test-Um-TP-100-Network-tester/dp/B000J1AQYA"&gt;Test-Um TP 100 - Network tool/tester kit&lt;/a&gt;. Plug this non-powered device into a network (or telco) jack and if it lights up, you will know the other end is connected to your network/switch.  &lt;li&gt;Once we are comfortable we actually know where all the jacks are and who is plugged into them (this can be done pretty non-intrusively during business hours) and the patch-panel documentation template sheets have been updated with the findings, we wait until operations shut down and start pulling off all the patch cables, pulling out all the old switches, and mounting the new ones.  &lt;li&gt;Then we pull two hard-copy documents: the first is the patch-panel documentation sheet that tells us where all our active users are, and what jacks they are associated with.&amp;nbsp; The second is a hard-copy template of our new switches/ports in tabular format.  &lt;li&gt;We look on the patch-panel sheet to find the first active port, patch it down into the switch, note on the patch-panel sheet that we patched it, and note on the switch port sheet which physical patch panel/port number it came from. 
(Note I prefer that notation over “labels” as labels can change but the physical panel/port numbers are less likely to.)&amp;nbsp; And so we repeat the process until we are done.  &lt;li&gt;The final step (so no customer is accidentally left unpatched) is to use the aforementioned Test-Um TP 100 unit at the patch-panel to back-check all the unpatched patch panel ports to see if there is attached network equipment we overlooked.  &lt;li&gt;If so, these also get patched (for now) and noted on the patch down sheets. More on that in a moment.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;The final documents are then converted into electronic versions to share with our other network administrators for use on an ongoing basis. When new cables are added to the site, the electronic floor plan copy showing the found jacks/numbers/locations gets updated, and the panel sheet gets updated also. When customers/equipment are pulled, the sheets get updated and the ports get disabled on the switch. When customers/equipment are added or changed, likewise the sheets get updated.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;I also use this information to “label” the switch ports inside the switches with the corresponding panel number and port number.&amp;nbsp; This lets us find the systems physically very quickly if we have an incident and are provided a MAC address or IP.&amp;nbsp; A few quick searches and I can not only disable the switch port immediately, but can then direct responding staff to the physical location of the system using all the documentation.  &lt;li&gt;Yes. 
All inactive/unpatched switch ports are administratively disabled to discourage local site staff from being creative and moving network equipment around into areas without IT approval and handling.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Later (very soon after we are done), I address the few “unknown” patch-downs we did where we found a hot jack on the panel that didn’t correspond to any physical network item during my scan discovery process or physical survey.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Because I had documented the switch/port we patched it into, I can then telnet to the switch and get the corresponding MAC address.  &lt;li&gt;Then I run a Wireshark or Network Monitor capture session at the site, filtering only for that MAC address.&amp;nbsp; That almost always nets me the host-name or other identifying information about the device. With that and our asset inventory at my disposal, I can trace out the owner/name and assign it to a technician to perform a site visit and another physical location check. 
Once that is confirmed, they can provide me the missing jack location and the documentation is updated accordingly.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;We don’t (usually) have to contend with (authorized) wireless devices/access point hardware in our network, so that makes things a bit simpler.&lt;/p&gt; &lt;p&gt;Also, after a while, you learn (and are not surprised) to find the odd non-authorized mini-switch/hub unit the local customer brought in without consulting IT (…we thought it would cost too much to request you to run a new cable, …it’s just for a few days, …we are having a meeting and the conference room has just one data jack, etc.).&lt;/p&gt; &lt;p&gt;Eventually, once this phase is done, the IT policy makers/managers will need to decide if it would be good policy to implement and enforce &lt;a href="http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807c4101.shtml"&gt;MAC filtering on the switches&lt;/a&gt; to only allow known and approved hardware/devices to connect.&amp;nbsp; That will certainly lock down the switches even more (though, since a host’s MAC address is easily changed, it is a hygiene control against unsanctioned gear rather than real device authentication), but it will add even more IT network administration overhead to keep up with our constantly moving customers in all the offices we support.&lt;/p&gt; &lt;p&gt;See. 
Like I said.&amp;nbsp; Easy.&lt;/p&gt; &lt;p&gt;If anyone has any recommendations or additional tips/tools/utilities you have found helpful in your own network surveys and documentation acquisition, please drop your suggestions in the comments.&amp;nbsp; I’d value anything to refine this process even more.&lt;/p&gt; &lt;p&gt;Cheers!&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-6642190807571578019?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/6642190807571578019/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=6642190807571578019&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/6642190807571578019'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/6642190807571578019'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/09/on-hunt.html' title='On the Hunt…'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh6.ggpht.com/-dDSRSvPivyM/Tn5Ut5XIDDI/AAAAAAAAA7I/MwoXVmJKtkM/s72-c/image%25255B4%25255D.png?imgmax=800' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-6674534656453642863</id><published>2011-09-24T14:22:00.001-05:00</published><updated>2011-09-24T14:22:55.262-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Scripting'/><category 
scheme='http://www.blogger.com/atom/ns#' term='VBscript'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>VBScript Resources</title><content type='html'>&lt;p&gt;For the past few weeks at work, we have been doing some preventative response work on all the workstations across our enterprise environment.&lt;/p&gt; &lt;p&gt;The response was based on log-file results…the only problem was that sometimes the result descriptions we were being provided with either didn’t make logical sense or didn’t match what we observed when we manually checked some of the aberrantly reported systems.&lt;/p&gt; &lt;p&gt;I really don’t like chasing shadows, so I set out to find the mechanism generating the raw report data/logs which got re-canned into the report we had to respond to.&lt;/p&gt; &lt;p&gt;Not only did I find it (pretty easily) but I also found where it dumped the raw file daily.&amp;nbsp; So now we could pre-pull and assemble our own report at least a week faster than the canned report we were using got generated/refreshed. Sweet.&lt;br&gt;&lt;br&gt;Finding the source, I discovered that the raw log file collector was actually a very nicely coded VBScript. (BTW, did you catch that Nir Sofer released a new &lt;a href="http://blog.nirsoft.net/2011/09/15/new-csvtab-delimited-file-viewer-and-converter/"&gt;CSV/Tab-Delimited file viewer and converter&lt;/a&gt; utility? 
And that MANDIANT &lt;a href="https://blog.mandiant.com/archives/1936"&gt;announced a new release&lt;/a&gt; of their free &lt;a href="http://www.mandiant.com/products/free_software/highlighter/"&gt;Highlighter&lt;/a&gt; utility?)&lt;/p&gt; &lt;p&gt;Once I had a copy of it, I could then pick it apart to understand exactly what was actually being reported (source) and what the labels provided (on the canned report) actually meant.&lt;/p&gt; &lt;p&gt;Turns out, most of it was pretty close, but because of which data points are actually collected off the system, how the application is called to generate the raw results, and how those results are manipulated to build the report, the labels are not as technically accurate as they could be, although they are “practically accurate” for the machine status items being measured.&lt;/p&gt; &lt;p&gt;Now that our response teams know what the report is “really” telling them, we can all prioritize our responses a bit more finely.&lt;/p&gt; &lt;p&gt;But to get to that point of really understanding what the VBScript was doing--remember IANAC (I am not a coder)--I had to get up to speed with some VBScript fundamentals.&lt;/p&gt; &lt;p&gt;In doing so, I found these VBScript resources to be awesome.&amp;nbsp; Many are in PDF and/or DOC format so you can keep them handy.&lt;/p&gt; &lt;p&gt;Enjoy.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.irt.org/articles/js117/"&gt;Introduction to Visual Basic Scripting (VBScript)&lt;/a&gt; - irt.org&lt;/li&gt; &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/ee198896.aspx"&gt;VBScript Primer&lt;/a&gt; - Microsoft TechNet&lt;/li&gt; &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/ee198873.aspx"&gt;VBScript Overview&lt;/a&gt; - Microsoft TechNet&lt;/li&gt; &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/ee198844.aspx"&gt;VBScript Reference&lt;/a&gt; - Microsoft 
TechNet&lt;/li&gt; &lt;li&gt;&lt;a href="http://download.microsoft.com/download/8/1/d/81d9fb4c-ca77-4af4-b812-b7ba66b9d7f9/vbscript_reference.doc"&gt;VBS Reference (.doc) - Microsoft&lt;/a&gt; - Microsoft Download Center&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.devguru.com/technologies/vbscript/home.asp"&gt;VBScript » Introduction&lt;/a&gt; - DevGuru Quick Reference (Note: free 307 page PDF version link on that page)&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.indusoft.com/pdf/VBScript%20Reference.pdf"&gt;VBScript Reference Manual&lt;/a&gt; (direct PDF LINK) - Indusoft.com (255 pages)&lt;/li&gt; &lt;li&gt;&lt;a href="http://soliton.ae.gatech.edu/classes/ae6382/documents/MS_scripting/VBScript.pdf"&gt;VBScript User's Guide&lt;/a&gt; (direct PDF LINK) - gatech.edu (331 pages)&lt;/li&gt; &lt;li&gt;&lt;a href="http://msdn.microsoft.com/en-us/library/sx7b3k7y(v=vs.85).aspx"&gt;VBScript User's Guide&lt;/a&gt; - MSDN Library&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-6674534656453642863?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/6674534656453642863/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=6674534656453642863&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/6674534656453642863'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/6674534656453642863'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/09/vbscript-resources.html' title='VBScript Resources'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-8553599346141413278</id><published>2011-09-24T13:44:00.001-05:00</published><updated>2011-09-24T14:39:54.271-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Chrome/Chromium'/><category scheme='http://www.blogger.com/atom/ns#' term='search engines'/><category scheme='http://www.blogger.com/atom/ns#' term='browsers'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Chrome(ium) Bits</title><content type='html'>&lt;p&gt;Yep, still here.&lt;/p&gt; &lt;p&gt;Required output at the coal-face down in the mine has come off the rails.&amp;nbsp; Hours are exceptionally long now and I’ve shifted most of the precious little “me time” left to being present with Lavie and Alvis when I see them.&amp;nbsp; And de-stressing by visiting Maru ( &lt;a href="http://sisinmaru.blog17.fc2.com/"&gt;私信&lt;/a&gt; ).&lt;/p&gt; &lt;p&gt;The poor “to blog” folder is bursting at the seams and my Firefox JSON folder is ripe for breakdown!&lt;/p&gt; &lt;p&gt;So here are some quick-posts just to release the pressure buildup.&lt;/p&gt; &lt;p&gt;Gentle readers may recall back in my &lt;a href="http://grandstreamdreams.blogspot.com/2011/06/finally-time-to-post-new-material-list.html"&gt;Finally! Time to Post! New material list&lt;/a&gt; I had been frustrated by the challenge of updating Chromium.&amp;nbsp; I had been using a compiled “AutoIt” executable from Caschy to make the process a breeze.&amp;nbsp; It stopped working. We were sad. It was because the source folder used had been changed. The updater got updated. 
We were all happy again.&lt;/p&gt; &lt;p&gt;Then, a few weeks ago, we were all sad again.&amp;nbsp; &lt;a href="http://build.chromium.org/f/chromium/snapshots/Win/"&gt;Index of /f/chromium/snapshots/Win&lt;/a&gt; had a &lt;a href="http://build.chromium.org/f/chromium/snapshots/README"&gt;README&lt;/a&gt; that told the tale.&lt;/p&gt; &lt;blockquote&gt;you are probably looking for &lt;a href="http://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html"&gt;http://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html&lt;/a&gt;&lt;/blockquote&gt; &lt;p&gt;Why yes…I guess I was.&lt;/p&gt; &lt;p&gt;That updated location does contain the new Chromium build sets. Unfortunately, the only compiled &lt;a href="http://translate.googleusercontent.com/translate_c?hl=en&amp;amp;ie=UTF8&amp;amp;prev=_t&amp;amp;rurl=translate.google.com&amp;amp;u=http://stadt-bremerhaven.de/neuer-updater-fuer-portable-google-chrome&amp;amp;usg=ALkJrhiUIMeUp9owlJm91TfHIki7GvJVDw"&gt;New Portable Google Chrome Updater&lt;/a&gt; that I am aware of must now be recompiled again (we are waiting) to work for the Chromium builds.&lt;/p&gt; &lt;p&gt;Yes, I can download the latest chrome-win32.zip version each day, manually unpack it, and copy it to my Chromium application folder.&amp;nbsp; I could even write a script to do all that.&lt;/p&gt; &lt;p&gt;But I’m so tired.&lt;/p&gt; &lt;p&gt;So I checked out the &lt;a href="http://www.chromium.org/getting-involved/dev-channel"&gt;Chrome Release Channels&lt;/a&gt; page and read for a while, eventually deciding that the &lt;a href="http://www.google.com/chrome/eula.html?extra=devchannel&amp;amp;platform=win"&gt;Dev channel for Windows&lt;/a&gt; version was sufficiently cutting-edge but stable enough to move to.&amp;nbsp; As an added benefit, Caschy’s Portable Google Chrome Updater tool still works for the Dev channel as that location hasn’t been piddled with.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#0000ff"&gt;More Chrome 
Flavors&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Last week I also became aware of an “enhanced security” version of Chrome: &lt;a href="http://www.comodo.com/home/browsers-toolbars/browser.php"&gt;Comodo Dragon&lt;/a&gt;.&amp;nbsp; BetaNews has a rundown of some of its features: &lt;a href="http://betanews.com/2011/09/23/comodo-dragon-better-browsing-security-with-less-bloat/"&gt;Comodo Dragon: Better browsing security with less bloat&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Likewise, &lt;a href="http://www.srware.net/en/software_srware_iron.php"&gt;SRWare Iron&lt;/a&gt; has been kicking around since the very beginning.&lt;/p&gt; &lt;p&gt;If you like portable versions (as I do) then you can check out &lt;a href="http://portableapps.com/apps/internet/iron_portable"&gt;Iron Portable&lt;/a&gt; and &lt;a href="http://portableapps.com/apps/internet/google_chrome_portable"&gt;Google Chrome Portable&lt;/a&gt;, both maintained by PortableApps.&amp;nbsp; Also, the setup process for Comodo Dragon allows you to install it as a portable version as well.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#0000ff"&gt;Enhancing Chrome’s Search Security&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Yes, there are some other good search engines out there, but for plain power, trust, and interface, I still find myself using Google.&lt;/p&gt; &lt;p&gt;Spend any time at all doing packet capture and network HTTP analysis (BTW…&lt;a href="http://www.netresec.com/?page=Blog&amp;amp;month=2011-09&amp;amp;post=NetworkMiner-1-1-Released"&gt;NetworkMiner 1.1 Released&lt;/a&gt; a week ago) and you quickly find out what happens when users do not use SSL for their searches: every query term sits right there in cleartext for anyone on the path to read. 
&lt;/p&gt; &lt;p&gt;Personally, I now exclusively &lt;a href="http://googleblog.blogspot.com/2010/05/search-more-securely-with-encrypted.html"&gt;search more securely with encrypted Google web search&lt;/a&gt;.&amp;nbsp; However, remembering to type in the SSL address for Google secure search is a pain.&amp;nbsp; So I started to wonder if there wasn’t an easy trick to update the search setting in Chrome…and in Firefox as well.&lt;/p&gt; &lt;p&gt;Yep. Piece of cake, as they say.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.mytechguide.org/7974/make-google-https-secured-ssl-search-default/"&gt;How To Make Google HTTPS (Secured SSL) Search Default in Google Chrome?&lt;/a&gt; - Mezanul at MyTechGuide.org&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.404techsupport.com/2010/05/24/make-your-firefox-search-engine-use-googles-ssl-https-search-for-security-reasons/"&gt;Make Your Firefox Search Engine use Google’s SSL (https) Search for Security Reasons&lt;/a&gt; - 404 Tech Support&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.mydigitallife.info/add-google-ssl-search-provider-to-firefox-search-box/"&gt;Add Google SSL Search Provider to Firefox Search Box&lt;/a&gt; - My Digital Life&lt;/p&gt; &lt;p&gt;So now I’m searching the web SSL-style by default.&lt;/p&gt; &lt;p&gt;Cheers.&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-8553599346141413278?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/8553599346141413278/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=8553599346141413278&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8553599346141413278'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8553599346141413278'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/09/chromeium-bits.html' title='Chrome(ium) Bits'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-4015415920643862811</id><published>2011-08-21T22:33:00.001-05:00</published><updated>2011-08-21T22:41:24.696-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Internet Explorer'/><category scheme='http://www.blogger.com/atom/ns#' term='browsers'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>IE Cookies now look like a box full of chocolates…</title><content type='html'>&lt;p&gt;I guess I just took it for granted, but apparently, for the longest time, Internet Explorer has stored its browser cookies using plain-text filenames that made their site ownership relatively self-apparent.&amp;nbsp; Chrome and Firefox instead keep cookies in a single database file rather than in individual cookie files.&lt;/p&gt; &lt;p&gt;Bill Pytlovany of “WinPatrol” fame recently discovered that a Windows Update has now changed that cookie-naming behavior, much to the (temporary) detriment of a cookie-management feature of WinPatrol.&lt;/p&gt; &lt;p&gt;&lt;a href="http://billpstudios.blogspot.com/2011/08/windows-update-changes-ie-cookies-names.html"&gt;Bits from Bill: Windows Update Changes IE Cookies Names&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Luckily for us, Bill is both a very sharp guy and openly communicates the best of his findings, so we can now learn about this security improvement from Microsoft.&lt;/p&gt; &lt;p&gt;While 
in and of itself this probably isn’t major news except for some application programmers who do IE cookie review/reporting, it was an interesting look at how Microsoft is continuing to tweak the security model for IE.&lt;/p&gt; &lt;p&gt;In a follow-up update to that post, Bill dug up some great resource linkage from Microsoft on this change over at Eric Law’s blog that is a must-read for those working directly with IE cookies in this post-update landscape.&lt;/p&gt; &lt;p&gt;Specifically, it is &lt;a href="http://www.microsoft.com/technet/security/bulletin/MS11-057.mspx"&gt;Microsoft Security Bulletin MS11-057 - Critical: Cumulative Security Update for Internet Explorer (2559049)&lt;/a&gt; which is impacting cookie-handling.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.msdn.com/b/ieinternals/archive/2011/08/12/internet-explorer-9.0.2-update-changes-file-protocol-and-cookie-naming.aspx"&gt;Internet Explorer 9.0.2 Update&lt;/a&gt; - EricLaw's IEInternals&lt;/p&gt; &lt;p&gt;From that post (which contains wonderfully illustrative screen shots of the pre- and post-update cookie storing behavior) Eric explains thusly:&lt;/p&gt; &lt;blockquote&gt; &lt;h4&gt;Cookie Filenames are Randomized&lt;/h4&gt; &lt;p&gt;As a rule, Internet Explorer attempts to prevent Internet sites from storing content in predictable locations on the local computer, in order to foil a number of attack types. That rule is why, for instance, the Internet-cache stores content in &lt;a href="http://blogs.msdn.com/b/ieinternals/archive/2011/03/19/wininet-temporary-internet-files-cache-and-explorer-folder-view.aspx"&gt;randomly-named subfolders&lt;/a&gt;.  &lt;p&gt;Prior to this update, Cookies were an exception to this behavior—their location was insufficiently random in many cases. 
Generally, cookie files were stored under the \AppData\Roaming\Microsoft\Windows\Cookies folder, in files named using the user’s login name, an @ symbol, and a partial hostname for the cookie’s domain:  &lt;p&gt;Given sufficient information about the user’s environment, an attacker might have been able to guess the location of a given cookie and use this information in a multi-stage attack.  &lt;p&gt;To mitigate this threat, Internet Explorer 9.0.2 now names the cookie files using a randomly-generated alphanumeric string. Cookies are not instantly renamed on upgrade, but are instead renamed as soon as any update to the cookie’s data occurs. You can see the impact thusly:  &lt;p&gt;We do not expect significant compatibility fallout from this change either, as the names of these files have always been somewhat dynamic. Directly enumerating or reading the Cookie files has never been supported. Instead, local applications that wish to interact with cookies can use the InternetGetCookieEx and IEGetProtectedModeCookie APIs, or they can use the WinINET &lt;a href="http://msdn.microsoft.com/en-us/site/aa384026"&gt;cache-enumeration functions&lt;/a&gt;.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Another treat in the comments is Eric’s clarification that the name-randomizing behavior only (should) impact cookies from the Internet zone (in IE’s terms) and not the Intranet zone. 
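&lt;/p&gt; &lt;p&gt;One way to see how far the renaming has progressed in a given profile is to inventory the filenames in the Cookies folder and sort them into the two forms Eric describes. The script below is an added example for this post, not code from the original post, from Microsoft, or from Eric Law; it assumes the legacy user@partialhost[N].txt form quoted above, treats any all-alphanumeric name with no @ as the randomized form, and runs on constructed sample filenames.&lt;/p&gt;

```python
"""Inventory an Internet Explorer cookie store for legacy versus randomized
cookie filenames.

Added example; not code from the original post, from Microsoft, or from
Eric Law's article. Assumptions (labelled): the legacy naming form is
user@partialhost[N].txt as described in the quoted post, the post-update
form is an alphanumeric name with no '@', and the sample filenames at the
bottom are constructed for the demonstration.
"""
import re
from pathlib import Path

# Legacy (pre-MS11-057) form: login name, '@', partial hostname, [counter].txt
LEGACY_RE = re.compile(
    r"^(?P<user>[^@\\/]+)@(?P<host>[^\[\]]+)\[(?P<n>\d+)\]\.txt$", re.IGNORECASE)
# Post-update form (assumed): random alphanumeric string, no '@'
RANDOM_RE = re.compile(r"^[A-Z0-9]+\.txt$", re.IGNORECASE)


def classify(name):
    """Return ('legacy', host), ('randomized', None) or ('other', None)."""
    m = LEGACY_RE.match(name)
    if m:
        return ("legacy", m.group("host").lower())
    if RANDOM_RE.match(name):
        return ("randomized", None)
    return ("other", None)


def audit(names):
    """Summarize a list of cookie filenames.

    Legacy names alone do not prove the update is missing: per the quoted
    post, a file is only renamed when its cookie is next updated, and
    Intranet-zone cookies are not renamed at all. The sorted host list lets
    a reviewer check whether the remaining legacy names belong to in-house
    hosts, which is the expected case.
    """
    result = {"legacy": 0, "randomized": 0, "other": 0}
    hosts = set()
    for name in names:
        kind, host = classify(name)
        result[kind] += 1
        if host:
            hosts.add(host)
    result["legacy_hosts"] = sorted(hosts)
    cookie_files = result["legacy"] + result["randomized"]
    # Share of cookie files still carrying a guessable name (0.0 when empty)
    result["legacy_share"] = (result["legacy"] / cookie_files) if cookie_files else 0.0
    # True once at least one randomized name exists, i.e. the update is active
    result["randomization_seen"] = result["randomized"] > 0
    return result


def audit_folder(folder):
    """Run the audit over the filenames in a real Cookies folder.

    Only filenames are listed; no file content is opened. The folder argument
    is supplied by the caller, e.g. the \\AppData\\Roaming\\Microsoft\\Windows\\Cookies
    path named in the post (placeholder; the exact path depends on the profile).
    """
    names = [p.name for p in Path(folder).iterdir() if p.is_file()]
    return audit(names)


# Constructed sample: three legacy names (one for an in-house host), two
# randomized names, and the index.dat that also lives in the folder.
SAMPLE_NAMES = [
    "claus@example[1].txt",
    "claus@ads.example[2].txt",
    "claus@intranet[1].txt",
    "Q7K2M9ZB.txt",
    "H3XD5TRW.txt",
    "index.dat",
]

if __name__ == "__main__":
    summary = audit(SAMPLE_NAMES)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

&lt;p&gt;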
So if you have any in-house/network applications that also create/store local cookies in IE, then they should not be randomized if your IE zone settings are set correctly.&lt;/p&gt; &lt;p&gt;Also, it appears that the internal contents of each cookie file are not changed by this handling and can otherwise be viewed using normal methods.&lt;/p&gt; &lt;p&gt;Eric specifically addresses this behavior in IE 9.0.2, but earlier in his post’s introduction he wrote that “…two of the security-related changes impact obscure Internet Explorer behaviors in all supported browser versions (6 to 9)—I’ll discuss both of these changes in this post.” So it may be that randomization will be seen in cookie stores of other IE versions.&lt;/p&gt; &lt;p&gt;Finally, based on my own IE 9 cookie store review post-update, it does seem that the cookie-name randomizing only occurs as new cookies are set or updated, as Eric described above in his post.&lt;/p&gt; &lt;p&gt;While I suspect that any forensicators won’t have much problem dealing with this IE cookie-handling change (I think someone wondered aloud about what’s in a name?), it may prevent the casual inspectors of cookie crumbs from reading too much meaning into them.&amp;nbsp; However, the contents, file meta-data, and such should still provide more than enough meat and potatoes to keep the pros happy.&lt;/p&gt; &lt;p&gt;I imagine some IE-behavior inspecting tools and utilities may need to be updated just a bit, but besides being a new “item of note” regarding the IE browser landscape and behavior, it will be business-as-usual.&lt;/p&gt; &lt;p&gt;To my untrained eyes, it’s kinda like trying to pick out the chocolate truffle ones from a box of mixed chocolates. Unless you know the particular swirls and marks, it’s a pot-luck game.&lt;/p&gt; &lt;p&gt;Fortunately I’ve got a friend to help me out. 
Nir Sofer’s &lt;a href="http://www.nirsoft.net/utils/iecookies.html"&gt;IECookiesView v1.74: Cookies viewer/manager for Internet Explorer&lt;/a&gt; seems to have no problems with the post-update changes.&amp;nbsp; In my testing, it happily reports the correct Web-site, access-date, modify date, create date, and domain (among other details) while also showing the newly randomized filename. It does a few other things as well to make IE cookie managing a breeze.&lt;/p&gt; &lt;p&gt;Nothing earth-shattering here, but interesting for the geek crews.&lt;/p&gt; &lt;p&gt;Related and easily overlooked in Eric’s post a link to this &lt;a href="http://blogs.msdn.com/b/ieinternals/archive/2011/03/19/wininet-temporary-internet-files-cache-and-explorer-folder-view.aspx"&gt;A Primer on Temporary Internet Files&lt;/a&gt; post at EricLaw's IEInternals that provides some fresh info on IE Temp file handling. Sweet!&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-4015415920643862811?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/4015415920643862811/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=4015415920643862811&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/4015415920643862811'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/4015415920643862811'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/08/ie-cookies-now-look-like-box-full-of.html' title='IE Cookies now look like a box full of chocolates…'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-127837598509940356</id><published>2011-08-21T17:52:00.001-05:00</published><updated>2011-08-21T17:52:41.536-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='virtualization'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='NewsFox'/><category scheme='http://www.blogger.com/atom/ns#' term='Virtual PC'/><category scheme='http://www.blogger.com/atom/ns#' term='Firefox'/><title type='text'>Freeware Smorgasbord</title><content type='html'>&lt;p&gt;Here is a collection of new and/or updated freeware offerings that caught my eye over the last month.&lt;/p&gt; &lt;p&gt;Because they survived the winnowing process, there was something about them that was worth me keeping and may be worth you checking out…even briefly.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.thewindowsclub.com/advanced-visual-bcd-editor-for-windows-7-and-vista?utm_source=rss&amp;amp;utm_medium=rss&amp;amp;utm_campaign=advanced-visual-bcd-editor-for-windows-7-and-vista"&gt;Advanced Visual BCD Editor for Windows 7 and Vista&lt;/a&gt; via The Windows Club&amp;nbsp; “&lt;strong&gt;Visual BCD Editor&lt;/strong&gt; is an advanced GUI for the BCDEdit utility in the Windows operating system. In fact it looks to be the first GUI utility to implement full editing of the BCD store. The user can create and change the value of more than 120 properties of BCD objects by simple edits. 
Other similar utilities give access to no more than 30 properties.”&amp;nbsp; Utility project page link: &lt;a href="http://www.boyans.my3gb.com/"&gt;BCD Editor for Windows 7 / Vista&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Looks to be a lower-level BCD editor than my favorite &lt;a href="http://neosmart.net/dl.php?id=1"&gt;EasyBCD 2.1 - NeoSmart Technologies&lt;/a&gt; utility.&lt;/p&gt; &lt;p&gt;&lt;a href="http://translate.google.com/translate?prev=_t&amp;amp;hl=en&amp;amp;ie=UTF-8&amp;amp;u=http://www.heise.de/software/download/h2testw/50539&amp;amp;sl=%s&amp;amp;tl=undefined"&gt;H2testw 1.4 (via Google Translate)&lt;/a&gt; - German c’t website utility that is useful to check and verify that your bargain-bin USB drive grab is really not a fake that has had its reported storage size manipulated. Use with caution (remove key data from your drive first, and do not use it on the system boot disk).&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.jacobsm.com/mjsoft.htm#rgwtchr"&gt;MJ Registry Watcher (Version 1.2.7.3)&lt;/a&gt; - free registry change watcher/monitor application has been updated with some new features.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.makeuseof.com/tag/tencoder-open-source-multithreaded-video-encoder-windows/"&gt;TEncoder: Open Source Multi-threaded Video Encoder [Windows]&lt;/a&gt; - via MakeUseOf blog review. Video format converters are now a dime-a-dozen. I probably have a collection of at least six portable ones that I keep handy (although, truth be told, I tend to use one or two exclusively). However, this one caught my eye as it offers multi-thread processing.&amp;nbsp; Very handy if you have a multi-core system and a lot of video files to process. 
Utility project page link: &lt;a href="http://sourceforge.net/projects/tencoder/"&gt;TEncoder&lt;/a&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.codesector.com/teracopy.php"&gt;TeraCopy&lt;/a&gt; - my favorite alternative Windows copy handler from Code Sector has been updated again some time ago and I missed it. FileHippo has a well-summarized &lt;a href="http://www.filehippo.com/download_teracopy/changelog/"&gt;Change Log&lt;/a&gt; outlining the latest adds and fixes.&lt;/p&gt; &lt;p&gt;FreewareGenius reviewed &lt;a href="http://softwarespot.wordpress.com/software/proeject/"&gt;ProEject&lt;/a&gt; recently. &lt;a href="http://www.freewaregenius.com/2011/08/04/eject-usb-devices-quickly-and-safely-with-proeject/"&gt;Eject USB devices quickly and safely with ProEject&lt;/a&gt; post via freewaregenius.com. Clever tool to help those who live off their USB sticks manage them a bit more friendly-like.&amp;nbsp; Not a critical tool but a useful one.&lt;/p&gt; &lt;p&gt;&lt;a href="http://portableapps.com/news/2011-08-10_-_virtual_magnifying_glass_portable_3.5_released"&gt;Virtual Magnifying Glass Portable 3.5 (screen magnifier)&lt;/a&gt; - PortableApps.com. No, the Valca eyes have not gone so bad that I need this tool (yet) but that said, there are a lot of commercial products around there that accomplish what this one does, and not quite as nicely. So if you need an on-screen magnifier utility…for your family/relations, keep this one in mind. 
Just saying friendly like.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.piriform.com/blog/2011/7/26/ccleaner-309"&gt;CCleaner 3.09&lt;/a&gt; and &lt;a href="http://www.piriform.com/blog/2011/8/9/ccleaner-for-mac-beta-3"&gt;CCleaner for Mac Beta 3&lt;/a&gt; - Piriform has been hard at work enhancing their premier system cleaning tool and it shows.&amp;nbsp; Amazing both in terms of features and performance, this and Nir Sofer’s &lt;a href="http://www.nirsoft.net/utils/clean_after_me.html"&gt;CleanAfterMe&lt;/a&gt; are the only two Windows cleaning tools I go to when doing the kind of Windows housecleaning work that must be done from time to time. (related: &lt;a href="http://www.howtogeek.com/news/ccleaner-enhancer-adds-270-new-rules-to-ccleaner/174/"&gt;CCleaner Enhancer Adds 270 New Rules to CCleaner&lt;/a&gt; - How-To Geek ETC)&lt;/p&gt; &lt;p&gt;&lt;a href="http://newsfox.mozdev.org/rss/2011.html#nf63"&gt;Newsfox&lt;/a&gt; - My favorite RSS Feed Reader for Firefox got an update.&lt;/p&gt; &lt;p&gt;This &lt;a href="http://tinyapps.org/blog/windows/201107020700_backup_to_drive_label.html"&gt;TinyApps.Org Blog : Backup to drive label instead of drive letter&lt;/a&gt; led me to the wonderfully featured &lt;a href="http://synchronicity.sourceforge.net/"&gt;Create Synchronicity&lt;/a&gt; backup and sync tool. Sweet! Thanks TinyApps!&lt;/p&gt; &lt;p&gt;VirtualBox has been getting some updates of late. BetaNews introduces the biggies in their post &lt;a href="http://www.betanews.com/article/Finally-VirtualBox-41-brings-Aero-support-VM-cloning/1311358716?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+bn+%28Betanews+Full+Content+Feed+-+BN%29"&gt;Finally, VirtualBox 4.1 brings Aero support, VM cloning&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Having been spoiled with Windows Virtual PC and its bundled “PC Additions” pack, I guess I didn’t do due diligence in my ongoing parallel use of VirtualBox. 
Embarrassingly, I appear to have overlooked the fact that while you can install a similar “additions” pack into guest systems in VirtualBox, there is also a separate “extension pack” that brings more enhanced features to the VirtualBox software itself.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.virtualbox.org/manual/ch01.html#intro-installing"&gt;Installing VirtualBox and extension packs&lt;/a&gt; - VirtualBox.org manual page.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.virtualbox.org/wiki/Downloads"&gt;Downloads - VirtualBox&lt;/a&gt; (and the Extension Pack)&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;strong&gt;VirtualBox 4.1.2 Oracle VM VirtualBox Extension Pack&lt;/strong&gt; &lt;a href="http://download.virtualbox.org/virtualbox/4.1.2/Oracle_VM_VirtualBox_Extension_Pack-4.1.2-73507.vbox-extpack"&gt;All platforms&lt;/a&gt;&lt;br&gt;Support for USB 2.0 devices, VirtualBox RDP and PXE boot for Intel cards. See &lt;a href="http://www.virtualbox.org/manual/ch01.html#intro-installing"&gt;this chapter from the User Manual&lt;/a&gt; for an introduction to this Extension Pack. The Extension Pack binaries are released under the &lt;a href="http://www.virtualbox.org/wiki/VirtualBox_PUEL"&gt;VirtualBox Personal Use and Evaluation License (PUEL)&lt;/a&gt;.&lt;br&gt;&lt;i&gt;Please install the extension pack with the same version as your installed version of VirtualBox! 
If you are using VirtualBox &lt;strong&gt;4.0.12&lt;/strong&gt;, please download the extension pack &lt;strong&gt;&lt;a href="http://download.virtualbox.org/virtualbox/4.0.12/Oracle_VM_VirtualBox_Extension_Pack-4.0.12-72916.vbox-extpack"&gt;here&lt;/a&gt;&lt;/strong&gt;.&lt;/i&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Cheers!&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-127837598509940356?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/127837598509940356/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=127837598509940356&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/127837598509940356'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/127837598509940356'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/08/freeware-smorgasbord.html' title='Freeware Smorgasbord'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-6552901570902409675</id><published>2011-08-21T17:17:00.001-05:00</published><updated>2011-08-21T17:17:46.725-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>NirSoft Utility Births and Growing Spurts</title><content type='html'>&lt;p&gt;Nir Sofer continues to provide some of the 
best Windows system support and administration utilities, freely, that are available over at his &lt;a href="http://www.nirsoft.net/"&gt;NirSoft&lt;/a&gt; website. Period.&lt;/p&gt; &lt;p&gt;In my humble opinion, only Mark Russinovich’s Microsoft &lt;a href="http://www.sysinternals.com/"&gt;Sysinternals&lt;/a&gt; tools offer the width and breadth of must-have system utilitarianism that Nir’s do.&amp;nbsp; And those are mighty big boots to be standing alongside.&lt;/p&gt; &lt;p&gt;So it should come as no surprise that Nir’s prolific coding power hasn’t been resting, with a whole slew of new and cool system utilities (all standalone) along with nice updates to some previously released goodies.&lt;/p&gt; &lt;p&gt;I submit to you tonight for your most geeky downloading:&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/battery_information_view.html"&gt;BatteryInfoView&lt;/a&gt; -- More info at NirBlog post &lt;a href="http://blog.nirsoft.net/2011/07/05/new-utility-that-displays-battery-information-on-laptops-and-netbooks/"&gt;New utility that displays battery information on laptops and netbooks&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/wireless_network_watcher.html"&gt;Wireless Network Watcher&lt;/a&gt; -- More info at NirBlog post &lt;a href="http://blog.nirsoft.net/2011/07/12/new-utility-that-shows-who-is-connected-to-your-wireless-network/"&gt;New utility that shows who is connected to your wireless network&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;I really, really like this one.&amp;nbsp; With a few clicks, you can discover and monitor which devices are making wireless connections and, to a large degree, keep an eye out for unwanted/unauthorized connections. (Alvis…I know you haven’t gone to bed yet! 
Why is your laptop still on?)&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/custom_explorer_toolbar.html"&gt;CustomExplorerToolbar&lt;/a&gt; -- More info at NirBlog post &lt;a href="http://blog.nirsoft.net/2011/07/20/new-utility-to-customize-the-explorer-toolbar-of-windows-7/"&gt;New utility to customize the Explorer toolbar of Windows 7&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/process_threads_view.html"&gt;ProcessThreadsView&lt;/a&gt; -- More info at NirBlog post &lt;a href="http://blog.nirsoft.net/2011/07/27/new-utility-that-shows-information-about-all-threads-in-a-process/"&gt;New utility that shows information about all threads in a process&lt;/a&gt;, and this BetaNews post &lt;a href="http://www.betanews.com/article/Find-out-whats-really-happening-on-your-PC-with-ProcessThreadsView/1311861713?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+bn+%28Betanews+Full+Content+Feed+-+BN%29"&gt;Find out what's really happening on your PC with ProcessThreadsView&lt;/a&gt;.&amp;nbsp; I see it as a very useful companion to both &lt;a href="http://www.nirsoft.net/utils/process_activity_view.html"&gt;ProcessActivityView&lt;/a&gt; from NirSoft and &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896653"&gt;Process Explorer&lt;/a&gt; from Sysinternals.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/csv_file_comparison.html"&gt;TableTextCompare&lt;/a&gt; -- More info at NirBlog post &lt;a href="http://blog.nirsoft.net/2011/08/04/new-utility-to-compare-comma-delimited-csv-or-tab-delimited-files-created-by-other-nirsoft-tools/"&gt;New utility to compare comma-delimited (csv) or tab-delimited files created by other Nirsoft tools&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/domain_hosting_view.html"&gt;DomainHostingView&lt;/a&gt; -- More info at NirBlog post &lt;a 
href="http://blog.nirsoft.net/2011/08/10/new-utility-that-shows-the-hostingowner-information-of-a-domain/"&gt;New utility that shows the hosting/owner information of a domain&lt;/a&gt;. I’ve already done a few URL studies on suspicious/spam/phishing links. It aggregates a lot of information quickly and provides wonderfully useful information.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/wake_on_lan.html"&gt;WakeMeOnLan&lt;/a&gt; -- More info at NirBlog post &lt;a href="http://blog.nirsoft.net/2011/08/18/new-utility-that-turns-on-computers-on-your-network-with-wake-on-lan-packet/"&gt;New utility that turns on computers on your network with Wake-on-LAN packet&lt;/a&gt;.&amp;nbsp; I like its enumeration of active devices including IP, Name, MAC, and various other details. Nice one-stop shopping, even if you don’t use it for managing WOL packet sends. Very similar to Nir’s &lt;a href="http://www.nirsoft.net/utils/fastresolver.html"&gt;FastResolver&lt;/a&gt; network discovery tool but with the added WOL capability.&lt;/p&gt; &lt;p&gt;Keeping up with the latest and greatest offerings from Nir certainly can be daunting.&lt;/p&gt; &lt;p&gt;Luckily you can subscribe to his Update/Announcements syndication feed link: &lt;a href="http://feeds.feedburner.com/nirsoft/voiG"&gt;NirSoft - Freeware Utilities&lt;/a&gt; as I do.&lt;/p&gt; &lt;p&gt;You may also want to add the syndication feed link of his &lt;a href="http://blog.nirsoft.net/"&gt;NirBlog&lt;/a&gt; page, which provides some more in-depth software tool background and musings.&lt;/p&gt; &lt;p&gt;There have been quite a few updates as well to existing tools. 
Of note to me for enhanced usage in incident-response or administration use were:&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/device_manager_view.html"&gt;DevManView v1.23&lt;/a&gt; - Update was as noted on the page “…added a second Device Registry Time value, which usually displays the installation time of the device.”&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/usb_devices_view.html"&gt;USBDeview v1.92&lt;/a&gt; - Recent updates up to and including this version release as noted on the page include:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;“Added 'Turn Off Device On Disable/Remove' option, only for Windows 7/2008/Vista. As opposed to Windows XP, Windows 7/2008/Vista doesn't turn off the USB device when you disable or 'Safely Remove' the device. This new option makes a small Registry change to make Windows 7/2008/Vista behave like Windows XP and turn off the device after a disable or 'Safely Remove' action. For more information: &lt;a href="http://support.microsoft.com/kb/2401954"&gt;USB Port Remains Active for Disabled or Safely Removed USB Device&lt;/a&gt;.&amp;nbsp; Be aware that this change takes effect only after reboot, and requires full admin rights (execute USBDeview.exe with 'Run As Administrator'). &lt;/p&gt; &lt;p&gt;“For USB To Serial devices, USBDeview now displays the port name (Com1, Com2, Com3,...), if it's stored in the Registry. The port name is displayed in the 'Drive Letter' column. 
&lt;/p&gt; &lt;p&gt;“Improved the detection of the 'Last Plug/Unplug Date' value.“&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/opened_files_view.html"&gt;OpenedFilesView v1.52&lt;/a&gt; - Update was as noted on the page “…Added 'Open File Folder' option (F8), which opens the folder of selected file in Windows Explorer.“&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.nirsoft.net/utils/smsniff.html"&gt;SmartSniff v1.80&lt;/a&gt; - Update was as noted on the page “…Added 'Extract HTTP Files' option (under the File menu), which allows you to easily extract all HTTP files stored in the selected streams, into the folder that you choose.”&lt;/p&gt; &lt;p&gt;Now go forth and download!&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-6552901570902409675?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/6552901570902409675/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=6552901570902409675&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/6552901570902409675'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/6552901570902409675'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/08/nirsoft-utility-births-and-growing.html' title='NirSoft Utility Births and Growing Spurts'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' 
src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-4268279254691626468</id><published>2011-08-21T16:37:00.001-05:00</published><updated>2011-08-21T16:37:01.566-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='boot-cd&apos;s'/><category scheme='http://www.blogger.com/atom/ns#' term='Linux'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><title type='text'>Giving it the boot</title><content type='html'>&lt;p&gt;…as in off-line system booting, not the GSD blog (despite the drought of posts strangely mirroring the lack of rain and rise in three-digit temps here on the Texas coast).&lt;/p&gt; &lt;p&gt;I still continue to find joy and purpose for my portable &lt;a href="http://grandstreamdreams.blogspot.com/2010/07/iodd-multi-boot-madness.html"&gt;iodd : Multi-boot madness&lt;/a&gt; device.&amp;nbsp; It is humming along and greedily continues to consume the bootable ISO files I toss at it.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.iodd-usa.com/"&gt;I-Odd &lt;/a&gt;(South Korea) has released some newer firmware updates.&amp;nbsp; In summary, the i-odd is an external USB2.0/eSATA drive enclosure that allows you to store boot-disks in ISO format and then boot a system with any of them via the selector toggle.&amp;nbsp; The I-Odd site has gotten a refresh and is much easier to navigate. They are offering firmware update versions 1.42.64N (for NTFS-formatted i-odd partitions) and 1.42.64F (for FAT32/exFAT-formatted i-odd partitions). &lt;a href="http://www.i-odd.com/tiki-index.php?page=Download"&gt;Download page&lt;/a&gt;.&amp;nbsp; There are also some utilities and whatnot listed there as well. The only drawback is that, as none of the links are clearly time/date noted, it is hard to tell if something is a new update or not.&lt;/p&gt; 
&lt;p&gt;The US i-odd site is (still) offering &lt;a href="http://www.iodd-usa.com/downloads/41-firmware-updates/75-firmware-version-14248-iso"&gt;Firmware Version 1.42.48 (ISO)&lt;/a&gt; that supports either FAT32, EXFAT or NTFS partition handling for loading disk images.&amp;nbsp; I’m getting the feeling that this US branch isn’t providing a lot of product love considering the SK site is way ahead of their game. &lt;p&gt;The maintainer of &lt;a href="http://tinyapps.org/blog/"&gt;TinyApps.Org Blog&lt;/a&gt; is the kind individual who first set me on notice and then use of the i-odd device. &lt;p&gt;Not too long ago he sent word of a Kickstarter project called the ISOStick which though not related to the iodd device, is likely to be a kissin’ kousin if all goes successfully. &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.kickstarter.com/projects/elegantinvention/isostick-the-optical-drive-in-a-usb-stick"&gt;isostick - the optical drive in a usb stick by Elegant Invention&lt;/a&gt;&amp;nbsp; -- Kickstarter.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.extremetech.com/computing/91344-isostick-the-usb-memory-stick-that-thinks-its-an-optical-drive"&gt;Isostick: the USB memory stick that thinks it’s an optical drive&lt;/a&gt; -- ExtremeTech&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.flickr.com/photos/eric_agan/5798741545/in/set-72157623653164017/"&gt;isosticks!&lt;/a&gt; -- Flickr - Photo Sharing!&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;That last link is really cool as the developer shows all the work that is going into the design and development. It’s a neat behind-the-curtain look at what it takes to make and bring these magical but ubiquitous “flash-drive” units to life. 
&lt;p&gt;In the meantime, if you don’t have an iodd or ISOStick device, you might want to check out these additional neat boot-from-a-flash-drive projects: &lt;p&gt;&lt;a href="http://wintoflash.com/home/en/"&gt;WinToFlash - Install Windows from usb&lt;/a&gt; &lt;p&gt;From that project page link: &lt;blockquote&gt; &lt;p&gt; “WinToFlash starts a wizard that will help pull over the contents of a windows installation CD or DVD and prep the USB drive to become a bootable replacement for the optical drive. It can also do this with your LiveCD.”&lt;/p&gt;&lt;/blockquote&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://komku.blogspot.com/2009/09/wintoflash-guide-install-windows-xp.html"&gt;WinToFlash Guide - Install Windows XP from USB Flash drive&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.youtube.com/watch?v=_SwZDboRv6U"&gt;YouTube - WinToFlash: Make a Bootable USB Installer for Windows 7 - XP and Vista by Britec&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;a href="http://www.pendrivelinux.com/yumi-multiboot-usb-creator/"&gt;YUMI - Multiboot USB Creator (Windows)&lt;/a&gt; via USB Pen Drive Linux &lt;p&gt;From that project page link: &lt;blockquote&gt; &lt;p&gt;“YUMI (Your Universal Multiboot Installer), is the successor to MultibootISOs. It can be used to create a Multiboot USB Flash Drive containing multiple operating systems, antivirus utilities, disc cloning, diagnostic tools, and more. 
Contrary to MultiBootISO's which used grub to boot ISO files directly from USB, YUMI uses syslinux to boot extracted distributions stored on the USB device, and reverts to using grub to &lt;em&gt;Boot Multiple ISO files from USB&lt;/em&gt;, if necessary.”&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;The MakeUseOf Blog has a great review/how-to post on YUMI: &lt;a href="http://www.makeuseof.com/tag/boot-multiple-live-cds-usb-disk-yumi-windows/"&gt;Boot Multiple Live CDs From One USB Disk With YUMI [Windows]&lt;/a&gt; &lt;p&gt;&lt;a href="http://liveusb.info/dotclear/"&gt;LiveUSB MultiBoot&lt;/a&gt; - This is a French-based project but English-versions have been translated by community members.&amp;nbsp; It is a Linux boot CD project. Here is a &lt;a href="http://translate.google.com/translate?js=n&amp;amp;prev=_t&amp;amp;hl=en&amp;amp;ie=UTF-8&amp;amp;layout=2&amp;amp;eotf=1&amp;amp;sl=en&amp;amp;tl=fr&amp;amp;u=http%3A%2F%2Fliveusb.info%2Fdotclear%2F"&gt;Google Translate&lt;/a&gt; link for easier reading if you are interested. &lt;p&gt;Multi-booting systems via a USB device is still cool and useful, particularly for the sys-admin/incident responder crowds. While probably never to become a main-stream product for the masses, it is nice to see these projects and capabilities continue in development. &lt;p&gt;Cheers. 
&lt;p&gt;--Claus V.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/4268279254691626468/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=4268279254691626468&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/4268279254691626468'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/4268279254691626468'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/08/giving-it-boot.html' title='Giving it the boot'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-3875414627995357719</id><published>2011-07-16T19:54:00.001-05:00</published><updated>2011-07-16T19:54:43.670-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='family'/><title type='text'>IT Saturation Point</title><content type='html'>&lt;p&gt;So the other night I had gotten off late from work and, being quite tired and looking forward to unwinding in front of some DVR’ed PBS material, took Alvis on an only-because-it-was-convenient-and-we-were-exhausted McD’s carryout run.&lt;/p&gt; &lt;p&gt;Back at the house, after probably consuming enough calories and sodium to take care of a Roman legion, I was ridding the kitchen of the evidence, and a super-styro cup was next to the sink.&lt;/p&gt; &lt;p&gt;“Hey Alvis, 
you done with this drink?”&lt;/p&gt; &lt;p&gt;Alvis, hovering nearby (as my late-night/early-morning project schedule had kept me from seeing her for the past two days), all the while working her mobile phone continuing an SMS discussion with one of her BFF’s, responded (very airily).&lt;/p&gt; &lt;p&gt;“No, you can delete it.”&lt;/p&gt; &lt;p&gt;I looked at Alvis with bemusement and she looked shocked at what she had said.&lt;/p&gt; &lt;p&gt;“OK…so you want me to move it to the recycle bin or wipe it?”&lt;/p&gt; &lt;p&gt;We both grinned.&lt;/p&gt; &lt;p&gt;Yep…IT saturated indeed.&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/3875414627995357719/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=3875414627995357719&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/3875414627995357719'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/3875414627995357719'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/07/it-saturation-point.html' title='IT Saturation Point'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-7060473342195331919</id><published>2011-07-04T15:20:00.001-05:00</published><updated>2011-07-04T15:20:18.079-05:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='NFAT'/><category scheme='http://www.blogger.com/atom/ns#' term='Win FE'/><category scheme='http://www.blogger.com/atom/ns#' term='boot-cd&apos;s'/><category scheme='http://www.blogger.com/atom/ns#' term='tutorials'/><category scheme='http://www.blogger.com/atom/ns#' term='software'/><category scheme='http://www.blogger.com/atom/ns#' term='viruses'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='command-line interface'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><category scheme='http://www.blogger.com/atom/ns#' term='anti-virus software'/><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='malware tools'/><category scheme='http://www.blogger.com/atom/ns#' term='Xplico'/><category scheme='http://www.blogger.com/atom/ns#' term='Link Fest'/><category scheme='http://www.blogger.com/atom/ns#' term='Linux'/><title type='text'>For/Sec Linkfest: Revolutionary Edition</title><content type='html'>&lt;p&gt;&lt;img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto; padding-top: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-2dHgGyz4bgA/ThIggML4JWI/AAAAAAAAA7E/fe04pXoaU-4/image6.png?imgmax=800" width="604" height="402"&gt;&lt;/p&gt; &lt;p align="right"&gt;&lt;font size="1"&gt;cc attrib: &lt;/font&gt;&lt;a href="http://www.flickr.com/photos/soldiersmediacenter/5893927610/in/photostream"&gt;&lt;font size="1"&gt;The US Army on flickr&lt;/font&gt;&lt;/a&gt;&lt;font size="1"&gt;, DoD photo by Air Force Tech. Sgt. Jacob N. 
Bailey&lt;/font&gt;&lt;/p&gt; &lt;p align="left"&gt;This season’s July 4th finds Lavie and me quietly resting at home watching “classic” revolutionary period movies on TCM. Alvis has flown the coop to a week-long church-youth camp. Firework sales and use have been banned by all the area counties and municipalities due to the record-busting Texas drought and heat.&amp;nbsp; We will probably have to make do with watching celebratory events in HDTV-mode again tonight.&lt;/p&gt; &lt;p align="left"&gt;The weekend has been pretty light on tech-support calls. Dad wanted to give his father-in-law’s old cobbled-together “antique” PC system a refresh so I picked out a nice basic-home-user-grade Dell Inspiron 570 model that will be way sufficient for his pretty-much email-only PC needs.&amp;nbsp; Dad and little-bro set it up yesterday and did most of the pre-installation setup and file-transfer.&amp;nbsp; I’ll do some remote-support work this afternoon to lock it down and recover some account passwords and such off the old system and get them going on the new one.&amp;nbsp;&amp;nbsp; And then yesterday I stripped-down the keyboard off Lavie’s laptop.&amp;nbsp; Seems a week or so ago, Lavie fell asleep with both a small tumbler of sweet tea and her laptop on her chest.&amp;nbsp; A very small portion of the tea ended up in the keyboard. Oops. (very) Fortunately the keyboard tray caught all of the spillage. (un) Fortunately, it was sweet (sugared) tea, so let’s just say the keys were less than responsive with spring-back action.&amp;nbsp; That restoration job took about three hours. Disassembly and cleaning was pretty straight-forward. However, getting the scissor-action two-piece key travel parts re-mounted was very delicate work as I didn’t want to break any of them. 
It took me about twenty minutes to get the mating and mounting technique down before my pace picked up.&amp;nbsp; All is well now and Lavie is clickity-clicking again happily.&lt;/p&gt; &lt;p align="left"&gt;Offered here today is a forensic and security slanted linkfest.&amp;nbsp; This folder has been very, very full for a very long time.&amp;nbsp; What survives below are the best of the best as the blogging room floor is littered with editing cuts and discarded linkage that didn’t age well.&lt;/p&gt; &lt;p align="left"&gt;&lt;strong&gt;&lt;font color="#333333"&gt;In the Reading Room&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p align="left"&gt;&lt;a href="http://www.net-security.org/insecuremag.php"&gt;(IN)SECURE Magazine&lt;/a&gt; is a great source of security and network issues. I keep several of these PDF files on both my laptop and Kindle for go-to reading when things are slow. &lt;a href="http://www.google.com/url?sa=t&amp;amp;source=web&amp;amp;cd=1&amp;amp;sqi=2&amp;amp;ved=0CBoQFjAA&amp;amp;url=http%3A%2F%2Fwww.net-security.org%2Fsecworld.php%3Fid%3D10711&amp;amp;ei=NvgRTunEOcmcgQeczf2TCQ&amp;amp;usg=AFQjCNF-lpGW8VxIh9zvZ9OMTXSi5P6I-w"&gt;(IN)SECURE Magazine issue 29&lt;/a&gt; and &lt;a href="http://www.net-security.org/secworld.php?id=11135"&gt;(IN)SECURE Magazine issue 30&lt;/a&gt; are the most current. However, pop onto the &lt;a href="http://www.net-security.org/insecure-archive.php"&gt;Archive&lt;/a&gt; page to look for past issues that may have some gems.&amp;nbsp; For example, this early &lt;a href="http://www.net-security.org/dl/insecure/INSECURE-Mag-4.pdf"&gt;ISSUE 4&lt;/a&gt; (PDF link) has a great article “Structured Traffic Analysis” on pg 6 written by network sec guru Richard Bejtlich. 
While the article could probably be updated with the newer network analysis tools made available since Oct 2005, the framework Richard lays out still works very well.&lt;/p&gt; &lt;p align="left"&gt;&lt;a href="http://resources.infosecinstitute.com/"&gt;InfoSec Resources&lt;/a&gt; has lots of great articles to read and study. Check out their &lt;a href="http://resources.infosecinstitute.com/thought-leadership/"&gt;article archives&lt;/a&gt; for a really wide range of for-sec articles and whitepapers.&lt;/p&gt; &lt;p align="left"&gt;&lt;a href="http://cert.societegenerale.com/en/publications.html"&gt;CERT Societe Generale - IRM (Incident Response Methodologies)&lt;/a&gt; has some good incident handling guides to review or keep filed within reach.&lt;/p&gt; &lt;p align="left"&gt;&lt;a href="http://isc.sans.edu/dashboard.html"&gt;Dashboard | SANS Internet Storm Center&lt;/a&gt; - Security “dashboards” look cool and can communicate valuable information. I’ve got several I keep an eye on from time to time.&amp;nbsp; SANS has recently updated theirs.&lt;/p&gt; &lt;p align="left"&gt;&lt;a href="http://girlunallocated.blogspot.com/"&gt;Girl, Unallocated&lt;/a&gt; - Newly added forensics blog to my RSS feed list.&amp;nbsp; Fresh perspectives are always welcome at GSD!&lt;/p&gt; &lt;p align="left"&gt;&lt;a href="http://vrt-blog.snort.org/2011/06/close-look-at-rogue-antivirus-programs.html?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+Vrt+%28Sourcefire+VRT+-+Vulnerability+Research%2C+Razorback+and+Explosions%29"&gt;VRT: A Close Look at Rogue Antivirus Programs&lt;/a&gt; - Post by Alain Zidouemba that contains a &lt;a href="http://labs.snort.org/files/azidouemba_rogue_av_hip2011.pdf"&gt;PDF of the slides&lt;/a&gt; presented in his talk "A Close Look at Rogue Antivirus Programs" given at the Hack in Paris conference.&amp;nbsp; I’ve lately been paying closer attention to articles on malware (particularly rogue-securityware) vectors.&lt;/p&gt; &lt;p 
align="left"&gt;Security Aegis has some great posts &lt;a href="http://www.securityaegis.com/real-osint/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+securityaegis%2FigXu+%28Security+Aegis%29"&gt;Real OSINT&lt;/a&gt; and &lt;a href="http://www.securityaegis.com/osint-because-knowing-is-half-the-battle/"&gt;OSINT, because knowing is half the battle&lt;/a&gt; on “open-source intelligence” work.&amp;nbsp; This is good stuff as when you are doing network traffic analysis, being able to attempt to track down and understand the names/handles seen in the traffic may provide additional clues in your incident response analysis.&lt;/p&gt; &lt;p align="left"&gt;The posts over at &lt;a href="http://www.malwareint.com/"&gt;Malware Intelligence&lt;/a&gt; don’t come fast-enough for me, but when they do, they are golden. &lt;a href="http://malwareint.blogspot.com/2011/06/java-drive-by-infection-on-demand.html"&gt;JAVA Drive-by [infection] On Demand &lt;/a&gt;actually got their hands on a “drive-by” generator and pick it apart. 
Neat.&lt;/p&gt; &lt;p align="left"&gt;&lt;strong&gt;&lt;font color="#333333"&gt;Network Traffic: News and Reports&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p align="left"&gt;Lots and lots of goodies here!&lt;/p&gt; &lt;p align="left"&gt;The folks at Packet Life have posted some good material recently: &lt;a href="http://packetlife.net/blog/2011/feb/28/proving-network-not-problem-iperf/"&gt;Proving the Network is Not the Problem With iperf&lt;/a&gt; and &lt;a href="http://packetlife.net/blog/2011/mar/9/long-term-traffic-capture-wireshark/"&gt;Long-Term Traffic Capture With Wireshark&lt;/a&gt; offer great tips and techniques for you network jockeys.&lt;/p&gt; &lt;p align="left"&gt;Out of comments from those posts came a jump to the &lt;a href="http://www.performancewifi.net/performance-wifi/products/netstress-network-benchmarking.htm"&gt;NetStress Network Benchmarking Tool&lt;/a&gt; and &lt;a href="http://www.performancewifi.net/performance-wifi/products/netsurveyor-network-discovery.htm"&gt;NetSurveyor Network Discovery Tool&lt;/a&gt; -- both of which are offered for free by Performance WiFi.&lt;/p&gt; &lt;p align="left"&gt;LoveMyTool blog has the following juicy fruits: &lt;a href="http://www.lovemytool.com/blog/2011/03/microsoft-network-monitor-34-search-the-description-column-by-joke-snelders.html"&gt;Microsoft Network Monitor 3.4: Search the Description Column (by Joke Snelders)&lt;/a&gt; and &lt;a href="http://www.lovemytool.com/blog/2011/05/a-deeper-look-into-your-network-cool-tool-by-vivek-rajagopalan.html"&gt;A Deeper Look into Your Network - Cool Tool (by Vivek Rajagopalan)&lt;/a&gt;&lt;/p&gt; &lt;p align="left"&gt;That second one points us to &lt;a href="http://www.unleashnetworks.com/products/trisul.html"&gt;Trisul Network Metering and Forensics&lt;/a&gt; tool.&amp;nbsp; If you just need “near-time” network traffic reporting and analysis, then the &lt;a href="http://www.unleashnetworks.com/products/trisul/free-license.html"&gt;Free rolling 3 day 
window&lt;/a&gt; version looks hard to beat.&lt;/p&gt; &lt;p align="left"&gt;&lt;a href="http://tinyapps.org/blog/nix/201106240700_virtual_network_lab.html"&gt;TinyApps.Org Blog : Setup a virtual network lab&lt;/a&gt; brings to our attention the free &lt;a href="http://www.marionnet.org/EN/"&gt;Marionnet.org&lt;/a&gt; project for networking practice and study.&amp;nbsp; It is a very cool project.&lt;/p&gt; &lt;p align="left"&gt;&lt;a href="http://resources.infosecinstitute.com/router-robbery/"&gt;The Case of the Great Router Robbery&lt;/a&gt; over at InfoSec Resources poses some deep thoughts about the importance of physically securing your routers.&amp;nbsp; It’s not just because many of them are outright high-dollar items to begin with, but the configuration data on them is golden for pen-attack reconnaissance and enablement. It closes with some good thoughts about securing your device in case it is stolen and what you should do if loss does occur.&lt;/p&gt; &lt;p align="left"&gt;&lt;a href="http://www.lovemytool.com/blog/2011/06/network-mystery-1-by-betty-dubois.html?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+lovemytool+%28LoveMyTool+-+Open+Community+for+Network+Management+and+Monitoring%29"&gt;Network Mystery #1 (by Betty DuBois)&lt;/a&gt; at LoveMyTool has both a recorded presentation and a slide-show PDF from Sharkfest 2011. It is appx 1:26 long so it isn’t a fast-view.&amp;nbsp; That said, Betty offers some great guided material for you network tracers.&lt;/p&gt; &lt;blockquote&gt; &lt;p align="left"&gt;"&lt;em&gt; ... In this session, Detective Betty DuBois will review one of the elusive network cases she has solved using Wireshark and Pilot. There will be plenty of forensics evidence provided, and lots of practical information to help you solve your own network mysteries. This session will be a deep dive into the "Case of the Slow Network". 
Betty will walk the attendees through how the data was captured (tshark &amp;amp; AirPcap), the methods used to isolate the problem (SMTP relay infection), and which users were infected ...&lt;/em&gt; "&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#333333"&gt;Network Traffic: Tools and Techniques&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.netresec.com/?page=Blog&amp;amp;month=2011-06&amp;amp;post=Solution-to-the-Nitroba-case"&gt;Solution to the Nitroba case&lt;/a&gt; - Erik Hjelmvik (Network Miner) on the NETRESEC blog posts some great network forensics tips specific to the “Nitroba Case” exercise. I was fortunate enough to read the first-post version before some elements were modified. Regardless, it is a great example of how &lt;a href="http://www.netresec.com/?page=NetworkMiner"&gt;NetworkMiner&lt;/a&gt; can be used to analyze and dissect network traces in investigatory work.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.comlab.uni-rostock.de/research/tools.html"&gt;Tools for modeling the user-traffic&lt;/a&gt; - superlist of network traffic analysis tools over at comlab.uni-rostock.de.&amp;nbsp; Bookmarkable.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.netresec.com/?page=Blog&amp;amp;month=2011-04&amp;amp;post=RawCap-sniffer-for-Windows-released"&gt;RawCap sniffer for Windows released&lt;/a&gt; - NETRESEC Blog. I’m sure I’ve posted this here. Erik released a CLI tool for raw-socket network captures. It’s a slim single-exe file and is pretty cool. No installation required. Definitely worth keeping on a USB stick.&amp;nbsp; I like that I could download it to a local (remote) system and run a targeted trace of that system’s network traffic without needing to install a larger app like Wireshark. 
Likewise, as Erik suggests in the post, one could “…use the Sysinternals tool &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb897553"&gt;PsExec&lt;/a&gt; to inject RawCap.exe onto the [remote system] and sniff the packets.” &lt;/p&gt; &lt;p&gt;&lt;a href="http://www.netresec.com/?page=Blog&amp;amp;month=2011-05&amp;amp;post=Split-or-filter-your-PCAP-files-with-SplitCap"&gt;Split or filter your PCAP files with SplitCap&lt;/a&gt; - NETRESEC Blog. Not a new tool, but an update to v1.6. This CLI tool can slice-n-dice very large PCAP files into smaller sets based on IP addresses or sessions. Sure, you can do filtering work in Wireshark and NetMon as well, but this is a very fast tool and makes bulk PCAP file splitting/filtering very easy.&lt;/p&gt; &lt;p&gt;&lt;a href="http://thesz.diecru.eu/content/york.php"&gt;York::Log all network traffic&lt;/a&gt; - The SZ Development.&amp;nbsp; Interesting network sniffing/logging tool.&amp;nbsp; Certainly not for Wireshark/NetMon pros; however the GUI and basic logging/websession monitoring features might make it more user-friendly for folks getting their feet wet.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.technet.com/b/netmon/archive/2011/04/18/nmtopprotocols-expert-released.aspx"&gt;NMTopProtocols Expert Released&lt;/a&gt; - Network Monitor Blog&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.lovemytool.com/blog/2011/06/using-wiresharks-editcap-to-remove-duplicate-packets-packets-by-tony-fortunato.html"&gt;Using Wireshark's editcap to Remove Duplicate Packets Packets (by Tony Fortunato)&lt;/a&gt; - LoveMyTool guided post.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.lovemytool.com/blog/2011/05/bittwiste-pcap-capture-file-editor-by-joke-snelders.html"&gt;Bittwiste: pcap Capture File Editor (by Joke Snelders)&lt;/a&gt; - LoveMyTool - review and thoughts on how to use the Bit-Twist program for packet manipulation.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#333333"&gt;So Many Tools…So Little 
Time!&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://windowsir.blogspot.com/2011/04/using-regripper.html"&gt;Windows Incident Response: Using RegRipper&lt;/a&gt; - WindowsIR blog. Harlan provides us an updated guide on how to effectively use his amazing &lt;a href="http://regripper.net/?page_id=150"&gt;RegRipper&lt;/a&gt; tool. See also the &lt;a href="http://regripper.net/?p=488"&gt;New Plugins from Harlan&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Kissin-Kousin of RegRipper is Woanware’s &lt;a href="http://www.woanware.co.uk/?page_id=209"&gt;RegExtract&lt;/a&gt;.&amp;nbsp; I believe they complement each other nicely. Keeping up with the active updates to RegExtract can be challenging. Focusing on the most recent may cause you to overlook other features that have previously snuck in! See these: &lt;a href="http://www.woanware.co.uk/?p=232"&gt;RegExtract v1.1.3&lt;/a&gt;, &lt;a href="http://www.woanware.co.uk/?p=235"&gt;RegExtract v1.1.4&lt;/a&gt;, &lt;a href="http://www.woanware.co.uk/?p=241"&gt;RegExtract v1.1.5&lt;/a&gt;, &lt;a href="http://www.woanware.co.uk/?p=257"&gt;RegExtract v1.1.6&lt;/a&gt;, and the latest, &lt;a href="http://www.woanware.co.uk/?p=261"&gt;RegExtract v1.1.7&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Also recently updated in the Woanware factory: &lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.woanware.co.uk/?p=276"&gt;ChromeForensics v1.0.4&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.woanware.co.uk/?p=280"&gt;USBDeviceForensics v1.0.6&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.woanware.co.uk/?p=284"&gt;PrefetchForensics v1.0.4&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;a href="http://www.cybermarshal.com/index.php/cyber-marshal-utilities/dropbox-reader"&gt;Dropbox Reader&lt;/a&gt; - by CyberMarshal. 
CLI tool collection for investigating DropBox cloud-storage software indicators.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blog.didierstevens.com/2011/03/08/dumpstrings-1sc/"&gt;DumpStrings.1sc&lt;/a&gt; - Didier Stevens shares a script that dumps ASCII and UNICODE strings found in a file. To be used with &lt;a href="http://www.sweetscape.com/010editor/"&gt;010 Editor&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.paraben-enterprise.com/shuttle-free.html"&gt;P2 Shuttle Free&lt;/a&gt; - Paraben Corporation - Free multi-tool to remotely mount disks, do live-system process reconnoiter, memory capture, machine searching, active file browsing of email, chat and IE history, and open a disk without mounting. This version does have some limitations, so understand them before relying on it too much.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.paraben.com/p2-explorer.html"&gt;P2 eXplorer Free&lt;/a&gt; - Paraben Corporation - Free utility to mount forensic disk images of many different formats.&lt;/p&gt; &lt;p&gt;Meanwhile the folks at Mandiant have been busy making material as well:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.mandiant.com/products/core/intelligent_response"&gt;MANDIANT Intelligent Response 2.0&lt;/a&gt;. See this &lt;a href="https://blog.mandiant.com/archives/1742"&gt;MIR 2.0 Released&lt;/a&gt; post for more info. (not free)&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.mandiant.com/products/free_software/redline/"&gt;MANDIANT Redline&lt;/a&gt; - (free) - “Redline is a free utility from MANDIANT that accelerates the process of triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis. Designed to help find even the best-hidden malware, it analyzes and rates every running process on a system according to risk, combining Memoryze's live memory analysis with MRI (Malware Risk Index) scoring. 
Redline makes memory forensics accessible to any investigator without relying upon easily-defeated signature-based detection.” &lt;/li&gt; &lt;li&gt;&lt;a href="https://blog.mandiant.com/archives/1581"&gt;Highlighter v1.1.2 Released&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;In both posts &lt;a href="http://windowsir.blogspot.com/2011/05/tools.html"&gt;Windows Incident Response: Tools&lt;/a&gt; and &lt;a href="http://windowsir.blogspot.com/2011/06/meetup-tools-and-other-stuff.html"&gt;Meetup, Tools and other stuff&lt;/a&gt;&amp;nbsp; - Harlan offers a great listing of for-sec tools.&amp;nbsp; I especially liked the discussion of “Jump Lists”.&lt;/p&gt; &lt;p&gt;Complementing that discussion is the new woanware tool &lt;a href="http://www.woanware.co.uk/?p=265"&gt;JumpLister v1.0.0&lt;/a&gt;.&amp;nbsp; “JumpLister is designed to open one or more Jump List files, parse the Compound File structure, then parse the link file streams that are contained within. It uses the LNK parser I wrote so stuff like object ID’s and MAC addresses are handled.” Sweet!&lt;/p&gt; &lt;p&gt;The H Security announced that &lt;a href="http://www.h-online.com/security/news/item/Microsoft-releases-Security-Essentials-2-1-1272446.html"&gt;Microsoft releases Security Essentials 2.1&lt;/a&gt;.&amp;nbsp; Despite the fact that the recent system infections I had to clean were able to overwhelm (previous versions of) &lt;a href="http://www.microsoft.com/security_essentials/"&gt;Microsoft Security Essentials&lt;/a&gt;, I still have lots of confidence in the product for home users. In these cases, outdated Java/Flash versions left the door to the barn open and MSSE couldn’t keep up with the attack. Anyway, a new version has been quietly released.&amp;nbsp; It’s actually been out for about a week but Windows Updates and/or MSSE internal updating didn’t pick it up. 
However, if you want it now (recommended), download the new version directly from the product page and run it. It will do an in-place upgrade with no fuss. For more info or download locations: &lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.windowsvalley.com/microsoft-security-essentials-v2-final-released-download-now/"&gt;Microsoft Security Essentials 2.1.1116.0 released, Download Now&lt;/a&gt; - Windows Valley has the (slim) info on what this update brings.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/en-us/security_essentials/default.aspx"&gt;Virus, Spyware &amp;amp; Malware Protection&lt;/a&gt; - Microsoft Security Essentials main product page.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.filehippo.com/download_security_essentials_vista/"&gt;Download Security Essentials 2.1.1116&lt;/a&gt; - FileHippo.com (alt download link)&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.windowsvalley.com/download-and-install-offline-updates-for-microsoft-security-essentials/"&gt;Download and install Offline Updates for Microsoft Security Essentials&lt;/a&gt; - Windows Valley has a great tip and linkage on how to “off-line update” the DAT files for MSSE. I figured this could be done but never took the time to hunt down the source locations. Here you go!&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#333333"&gt;How-To’s and Info of Note&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.trishtech.com/security/create_bootable_dban_usb_pen_drive.php"&gt;Create a Bootable DBAN USB Pen Drive&lt;/a&gt; - TrishTech - Vendor dude has a contract to secure (DoD) wipe our out-of-service system HDD’s before they are returned to the lessor. Most of the time he is running a bank of bases and tossing in a &lt;a href="http://www.dban.org/"&gt;Darik's Boot And Nuke&lt;/a&gt; (DBAN) CD and wiping away. 
Periodically however he would run into a system with a bad CD-ROM drive and would have to strip out the HDD and put it into another system to then run his CD.&amp;nbsp; I asked him why he didn’t just make a boot-USB version of DBAN. Brilliant, wasn’t it….&amp;nbsp; Here you go.&lt;/p&gt; &lt;p&gt;&lt;a href="http://securitybraindump.blogspot.com/2011/05/virtualizing-raw-disk-images.html"&gt;Security Braindump: Virtualizing Raw Disk Images&lt;/a&gt; - Because you know one day you will need to…&lt;/p&gt; &lt;p&gt;&lt;a href="http://blog.didierstevens.com/2011/03/21/windows-security-center/"&gt;Windows Security Center: Under the Hood&lt;/a&gt; - Didier Stevens. Wish I had this post from Didier when I had composed this GSD post: &lt;a href="http://grandstreamdreams.blogspot.com/2007/04/how-to-repair-windows-security-center.html"&gt;How to Repair Windows Security Center List Items&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;a href="http://pauldotcom.com/2011/03/tim-mugherini-presents-ntfs-mf.html"&gt;Tim Mugherini presents NTFS MFT Timelines and Malware Analysis&lt;/a&gt; - posted by John Strand at PaulDotCom.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.msdn.com/b/ie/archive/2011/06/23/internet-explorer-9-security-part-4-protecting-consumers-from-malicious-mixed-content.aspx"&gt;Internet Explorer 9 Security Part 4: Protecting Consumers from Malicious Mixed Content&lt;/a&gt; - IEBlog.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font color="#333333"&gt;For-Sec Live CD News&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;The world of “Live CD’s” is alive and healthy.&lt;/p&gt; &lt;p&gt;&lt;a href="http://securityonion.blogspot.com/2011/06/security-onion-20110628-now-available.html"&gt;Security Onion 20110628 now available &lt;/a&gt;- I’ve only recently become acquainted with the tools and features of Security Onion distro. 
Very nice and has some great includes from Doug Burks.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.sumuri.com/software/paladin-download.html"&gt;PALADIN Download&lt;/a&gt; - Sumuri - Version 1.0 was released back in April 11.&amp;nbsp; &lt;/p&gt; &lt;p&gt;&lt;a href="http://www.deftlinux.net/2011/04/15/deft-linux-6-1-ready-for-download/"&gt;DEFT Linux 6.1 Computer Forensics live cd&lt;/a&gt; was also released back in April 11. See this new “draft” &lt;a href="http://www.deftlinux.net/2011/06/15/deftenmanual/"&gt;DEFT english manual&lt;/a&gt; if you are not already familiar with this distro.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.backtrack-linux.org/"&gt;BackTrack Linux 5.0 - Penetration Testing Distribution&lt;/a&gt; was released in May 11.&amp;nbsp; It’s a whopper so unless you got a big pipe, you may need to start the download when you put the cat out for the night.&lt;/p&gt; &lt;p&gt;As previously mentioned here on GSD, Brett Shavers the WinFE guy has been hard at work evangelizing on the WinFE distro.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://winfe.wordpress.com/2011/05/09/sharing-the-love-with-winfe/"&gt;Sharing the love with WinFE&lt;/a&gt; - WinFE Blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://winfe.wordpress.com/2011/04/13/how-easy-or-difficult-is-it-to-build-a-winfe-with-winbuilder/"&gt;How easy (or difficult) is it to build a WinFE with WinBuilder?&lt;/a&gt; - WinFE Blog&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;a href="http://4sysops.com/archives/offline-antivirus-how-to-run-microsoft-safety-scanner-on-windows-pe-3-0/"&gt;Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0&lt;/a&gt; - 4sysops&lt;/p&gt; &lt;p&gt;Whew!&lt;/p&gt; &lt;p&gt;Now this post is out of the way, I can turn attention back to an Xplico follow-up along with a collection of linkage that came out of a conversation with TinyApps on write-block hardware that has been gathering dust for quite a while.&lt;/p&gt; &lt;p&gt;Happy 4th!&lt;/p&gt; &lt;p&gt;--Claus 
V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-7060473342195331919?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/7060473342195331919/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=7060473342195331919&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/7060473342195331919'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/7060473342195331919'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/07/forsec-linkfest-revolutionary-edition.html' title='For/Sec Linkfest: Revolutionary Edition'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh3.ggpht.com/-2dHgGyz4bgA/ThIggML4JWI/AAAAAAAAA7E/fe04pXoaU-4/s72-c/image6.png?imgmax=800' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-7891767818708170077</id><published>2011-06-26T23:28:00.001-05:00</published><updated>2011-06-26T23:28:09.404-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Win FE'/><category scheme='http://www.blogger.com/atom/ns#' term='Win PE'/><category scheme='http://www.blogger.com/atom/ns#' term='boot-cd&apos;s'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows 7'/><category scheme='http://www.blogger.com/atom/ns#' term='software'/><category scheme='http://www.blogger.com/atom/ns#' 
term='viruses'/><category scheme='http://www.blogger.com/atom/ns#' term='Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='command-line interface'/><category scheme='http://www.blogger.com/atom/ns#' term='anti-virus software'/><category scheme='http://www.blogger.com/atom/ns#' term='malware tools'/><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting'/><category scheme='http://www.blogger.com/atom/ns#' term='XP'/><category scheme='http://www.blogger.com/atom/ns#' term='Win RE'/><title type='text'>Anti-Malware Tools of Note</title><content type='html'>&lt;p&gt;As promised, here is a resource-dump of some anti-virus/anti-malware tools I either use or came across in my recently documented battles that I thought would be helpful for reference.&lt;/p&gt; &lt;p&gt;As with many things in life, having the right tool for the particular job at hand can save much time and aggravation.&amp;nbsp;&amp;nbsp; Hopefully most of these will already be well known to the GSD faithful readers. But I also hope that maybe one or two of these may be new finds as well to go into your toolbox.&lt;/p&gt; &lt;p&gt;Obviously this isn’t a complete list.&amp;nbsp; However, they nicely supplement those I’ve already recommended. 
Check the side-bar to the left for many more that have been previously shared here.&lt;/p&gt; &lt;p&gt;While I do sometimes favor a direct frontal attack against malware while the system is running “live”, I typically find it much more productive to first whack-away at the infected system “off-line”, having booted the system first in a WinPE environment.&amp;nbsp; I prefer to use my own custom &lt;a href="http://grandstreamdreams.blogspot.com/2009/11/sexy-usb-boots-win-pe-style.html"&gt;Sexy USB Boots&lt;/a&gt; tools on a write-protected USB stick.&amp;nbsp; There are lots of flavors of WinPE including WinFE and WinRE, and each brings its own benefits/drawbacks to the fight.&lt;/p&gt; &lt;p&gt;One important lesson I’ve learned is that the more scratch-space you can spare on your WinPE build, the better your apps will run in the WinPE operating environment.&amp;nbsp; Check out this &lt;a href="http://grandstreamdreams.blogspot.com/2010/03/winpe-and-dismpeimg-to-boost-scratch.html"&gt;WinPE and DISM/PEimg to boost Scratch Space (Ram Disk)&lt;/a&gt; post to option things out.&amp;nbsp; If you want to carry the option to boot from several different “boot.wim” files with different scratch-space settings, or maybe WinPE, WinRE, and WinFE boot options all on the same stick, check out this &lt;a href="http://grandstreamdreams.blogspot.com/2010/03/winpe-multi-boot-bootable-usb-storage.html"&gt;WinPE Multi-boot a Bootable USB Storage device&lt;/a&gt; post for some thoughts.&lt;/p&gt; &lt;p&gt;Of course there are lots of different options for building your WinPE as well.&amp;nbsp; You can go “old-school” and use the Microsoft WAIK, there is WinBuilder, or you can check out &lt;a href="http://tinyapps.org/blog/windows/201106100700_win7pe.html"&gt;TinyApps cool find&lt;/a&gt; to build a WinPE without any of those extra bits.&amp;nbsp; AgniPulse sets out a great tool and method in his &lt;a 
href="http://agnipulse.com/2011/06/beginners-guide-creating-custom-windows-pe/"&gt;Beginners Guide to Creating Custom Windows PE&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;My own preferred first-strike team is to boot the system with WinPE, then toss the free tool &lt;a href="http://live.sunbeltsoftware.com/"&gt;VIPRE Rescue&lt;/a&gt; at the system.&amp;nbsp; There are two things that I think really make this anti-malware tool exceptional.&amp;nbsp; First, it is easy to use and very thorough. But secondly, it creates some incredible logs and quarantines the files.&amp;nbsp; Both the logs and quarantined files help me understand what was going on with the infection and possibly what vector it used.&amp;nbsp; That might help me secure the fixed system and submit the files for additional analysis.&lt;/p&gt; &lt;p&gt;Once the system is running “live” again, I also like to toss &lt;a href="http://www.malwarebytes.org/products/malwarebytes_free"&gt;Malwarebytes Anti-Malware Free&lt;/a&gt; at the system.&amp;nbsp; It is a pretty aggressive anti-malware scanner with lots of options.&lt;/p&gt; &lt;p&gt;I also like SurfRight’s &lt;a href="http://www.surfright.nl/en/hitmanpro"&gt;Hitman Pro 3&lt;/a&gt; and have found it seems to do an exceptional job addressing issues that are missed by many other tools I have used. 
The plus is that you can use their product to get unlimited free scanning + 30-day removal.&lt;/p&gt; &lt;p&gt;&lt;a href="http://security.symantec.com/nbrt/npe.aspx?lcid=1033"&gt;Norton Power Eraser&lt;/a&gt; is a very powerful tool to root-out deeply embedded malware from a system. Read their page carefully first.&amp;nbsp; I’ve had good experience with it myself.&lt;/p&gt; &lt;p&gt;I also keep handy and request a third-scan opinion from the still fairly new &lt;a href="http://www.microsoft.com/security/scanner/en-us/default.aspx"&gt;Microsoft Safety Scanner&lt;/a&gt;.&amp;nbsp; Being a “standalone” tool of sorts, it can be run in the WinPE environment or on the “live” system.&amp;nbsp; The trick in WinPE is to make sure your WinPE build has a large scratch-space value.&amp;nbsp; Check out this 4sysops post &lt;a href="http://4sysops.com/archives/offline-antivirus-how-to-run-microsoft-safety-scanner-on-windows-pe-3-0/"&gt;Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0&lt;/a&gt; for more details.&lt;/p&gt; &lt;p&gt;I do understand that for some folks, the thought of making a custom-spun WinPE boot tool could be quite intimidating.&amp;nbsp; With that in mind, you will want to keep a copy of the &lt;a href="http://connect.microsoft.com/systemsweeper"&gt;Microsoft Standalone System Sweeper Beta&lt;/a&gt; handy.&amp;nbsp; Of course you will need an uninfected “host” system to create the tool. Download the “builder” utility in either x32 or x64 flavor depending on your hardware and choose a blank CD, DVD, or USB drive with at least 250 MB of space. 
Execute the tool and build-away.&lt;/p&gt; &lt;p&gt;Of course, you may want to do more with this plain-Jane WinPE build than it lets you.&amp;nbsp; And you can if you know the tricks our dear TinyApps bloggist posts in his &lt;a href="http://tinyapps.org/blog/windows/201105300715_extending_msss.html"&gt;Extending Microsoft Standalone System Sweeper&lt;/a&gt; tips.&lt;/p&gt; &lt;p&gt;Maybe all you want is just to download and burn an ISO file to CD and use it to try to disinfect a system without all those extra bells-and-whistles that I love so much in WinPE.&lt;/p&gt; &lt;p&gt;Well, many reputable security product vendors offer their own tools as well in that same line.&lt;/p&gt; &lt;p&gt;Calendar of Updates has a page that is kept pretty up to date, &lt;a href="http://www.calendarofupdates.com/updates/index.php?showtopic=16224"&gt;Free Anti-Virus Rescue boot CDs&lt;/a&gt;, including direct links to Avira Rescue CD &amp;amp; BitDefender Rescue CD.&lt;/p&gt; &lt;p&gt;F-Secure keeps their own &lt;a href="http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/rescue-cd"&gt;Rescue CD&lt;/a&gt; resource updated. 
They also offer some fantastic tools: &lt;a href="http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/easy-clean/"&gt;Easy Clean&lt;/a&gt;, &lt;a href="http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/online-scanner/"&gt;Online Scanner&lt;/a&gt;, and the &lt;a href="http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/blacklight/"&gt;Blacklight&lt;/a&gt; rootkit tool.&lt;/p&gt; &lt;p&gt;Likewise, Kaspersky has their own &lt;a href="http://support.kaspersky.com/viruses/rescuedisk?level=2"&gt;Rescue Disk 10&lt;/a&gt; tool as well as an &lt;a href="http://support.kaspersky.com/viruses/online"&gt;Online Scanner&lt;/a&gt;, an incredibly extensive toolbox of free &lt;a href="http://support.kaspersky.com/viruses/utility"&gt;Virus-fighting utilities&lt;/a&gt; to address specialized malware threats, and a tool to &lt;a href="http://support.kaspersky.com/viruses/deblocker"&gt;remove banner from desktop, unlock Windows&lt;/a&gt;.&amp;nbsp; Kaspersky also offers valuable documentation on &lt;a href="http://support.kaspersky.com/viruses/common"&gt;common malware information&lt;/a&gt;, &lt;a href="http://support.kaspersky.com/viruses/solutions"&gt;viruses and solutions&lt;/a&gt;, as well as &lt;a href="http://support.kaspersky.com/viruses/rogue"&gt;Rogue security software&lt;/a&gt; response guidance.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.freedrweb.com/livecd/"&gt;Dr.Web CureIt!!&lt;/a&gt; is another LiveCD solution worth knowing.&amp;nbsp; See also their &lt;a href="http://www.freedrweb.com/aid_admin/"&gt;Sysadmin First aid kit&lt;/a&gt; page for some additional resources.&lt;/p&gt; &lt;p&gt;Not “free” for everyone but a good LiveCD resource for Norton product users, check out the &lt;a href="http://security.symantec.com/nbrt/nbrt.aspx?lcid=1033"&gt;Norton Bootable Recovery Tool&lt;/a&gt;.&amp;nbsp; As explained on the page, “You will need your product key or PIN in order to use the Norton Bootable Recovery Tool.”&lt;/p&gt; &lt;p&gt;Likewise, if you are a Sophos 
customer, they also offer the &lt;a href="http://www.sophos.com/support/knowledgebase/article/52011.html"&gt;Sophos Bootable Anti-Virus tool&lt;/a&gt;. However, they do offer some &lt;a href="http://www.sophos.com/en-us/products/free-tools.aspx"&gt;Free Tools&lt;/a&gt; as well, including specialized tools, &lt;a href="http://www.sophos.com/en-us/products/free-tools/free-security-scans.aspx"&gt;Free Security Scan&lt;/a&gt; tools, and their &lt;a href="http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx"&gt;Sophos Anti-Rootkit&lt;/a&gt; tool.&lt;/p&gt; &lt;p&gt;Need more? Check out this GSD &lt;a href="http://grandstreamdreams.blogspot.com/2008/11/portable-anti-virusmalware-security.html"&gt;USB based AV/AM Tools&lt;/a&gt; post for many more options.&lt;/p&gt; &lt;p&gt;I have an extensive collection of highly-specialized sysadmin tools at my disposal. However, the following tools are always the ones I keep coming back to over and over again. 
All free.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896653"&gt;Process Explorer&lt;/a&gt; from SysInternals&lt;/li&gt; &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb963902"&gt;Autoruns for Windows&lt;/a&gt; from SysInternals&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.malwarebytes.org/products/regassassin"&gt;RegASSASSIN&lt;/a&gt; from MalwareBytes&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.malwarebytes.org/products/fileassassin"&gt;FileASSASSIN&lt;/a&gt; from MalwareBytes&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;As malware (and particularly &lt;a href="http://malwareprotectioncenter.com/"&gt;scareware/rogue-security “products”&lt;/a&gt;) gets more and more sophisticated, it seems even more highly-specialized tools are needed to fight them and restore the damage done by them.&lt;/p&gt; &lt;p&gt;&lt;a href="http://filext.com/faq/broken_exe_association.php"&gt;Broken EXE Association&lt;/a&gt; is a how-to with REG files for fixing issues launching applications after an infection.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.bleepingcomputer.com/forums/topic399526.html"&gt;The Updated Combofix (5-23-11)&lt;/a&gt; is a highly specialized tool offered by the fine folks at the bleepingcomputer.com forums.&amp;nbsp; It is not recommended to run on your own without guidance from their community unless you are already an advanced/professional Windows system specialist. Seriously.&amp;nbsp; Read their &lt;a href="http://www.bleepingcomputer.com/forums/topic273628.html"&gt;ComboFix usage, Questions, Help?&lt;/a&gt; page well and carefully before embarking on its usage.&lt;/p&gt; &lt;p&gt;See also their &lt;a href="http://www.bleepingcomputer.com/download/anti-virus/rkill"&gt;RKill&lt;/a&gt; utility. 
From that page:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;b&gt;RKill&lt;/b&gt; is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then import a Registry file that removes incorrect file associations and fixes policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.&lt;/p&gt; &lt;p&gt;As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly remove&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;And for any Mac users/caretakers who are still reading this post, they also have a &lt;a href="http://www.bleepingcomputer.com/forums/topic399803.html"&gt;BleepingComputer Mac Rogue Remover Tool&lt;/a&gt;. 
Check out that page for more info.&lt;/p&gt; &lt;p&gt;This &lt;a href="http://www.bleepingcomputer.com/forums/topic392900.html/page__st__30"&gt;Google redirect virus&lt;/a&gt; forum thread has a lot of great tips and steps to follow in addressing malware in general.&lt;/p&gt; &lt;p&gt;As I last posted, I would feel remiss not to re-mention this guide &lt;a href="http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery"&gt;Remove Windows Recovery (Uninstall Guide)&lt;/a&gt; over at BleepingComputer.com for a good review and walkthrough of a semi-automated recovery process.&lt;/p&gt; &lt;p&gt;Included in there are two noteworthy tools: &lt;a href="http://www.bleepingcomputer.com/download/anti-virus/rkill"&gt;RKill (Download Link)&lt;/a&gt; and &lt;a href="http://download.bleepingcomputer.com/grinler/unhide.exe"&gt;Unhide.exe (Download Link)&lt;/a&gt;. Rkill is a rogue-process killer of sorts and unhide.exe attempts to restore malware-relocated user files back to their original/rightful locations. See this &lt;a href="http://www.bleepingcomputer.com/download/anti-virus/rkill"&gt;Bleeping Computer Downloads: RKill&lt;/a&gt; page for more information as well as this one &lt;a href="http://www.bleepingcomputer.com/forums/topic391939.html"&gt;Question on 'unhide.exe'&lt;/a&gt; for more background information on them both.&lt;/p&gt; 
&lt;p&gt;You can also take the &lt;a href="http://forums.malwarebytes.org/index.php?showtopic=84616"&gt;manual restoration approach&lt;/a&gt; offered by “colsearle”:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Try navigating to the following path: (make sure you have the hidden files and folders visible)&lt;br&gt;C:\Documents and Settings\your user name goes here \Local Settings\Temp\smtmp&lt;br&gt;Inside the smtmp folder you will see three folders named 1, 2, 4&lt;br&gt;1 = Start Menu Program shortcuts&lt;br&gt;2 = Current User Quick Start shortcuts&lt;br&gt;4 = All Users Desktop folders and shortcuts&lt;br&gt;Simply copy the shortcuts back to the original path.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;I also found this guide over at SmartestComputing written by “Broni” to be very helpful and full of specialized remediation tools and links: &lt;a href="http://www.smartestcomputing.us.com/topic/46010-how-to-restore-files-hiddendeleted-by-windows-recovery-virus/"&gt;How to restore files hidden/deleted by Windows Recovery virus&lt;/a&gt;.&lt;/p&gt; 
&lt;ul&gt; &lt;li&gt;&lt;a href="http://www.sevenforums.com/tutorials/135246-start-menu-all-programs-windows-7-restore-default-shortcuts.html"&gt;Windows 7: Restore Default Shortcuts in Start Menu All Programs&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.vistax64.com/tutorials/159034-start-menu-restore-missing-default-shortcuts.html"&gt;Vista: Restore Default Shortcuts in Start Menu Programs&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.winhelponline.com/articles/178/1/Windows-Vista-Administrative-Tools-folder-is-empty.html"&gt;Restore the Administrative Tools folder with vista_ultimate_admintools.zip&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.winxptutor.com/download/accrestore.zip"&gt;Restore Accessories Program Files Menu with accrestore.zip for XP&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.winxptutor.com/download/admintools.zip"&gt;Restore Admin Tools Program Files Menu with admintools.zip for XP&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://sourceforge.net/projects/apppaths/"&gt;App Paths&lt;/a&gt; - SourceForge&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Although most of what I see nowadays on my home/family/friends systems is Windows 7 and Vista, more than a few still have XP systems. 
One trick still in my bag from days gone by: when a system has been cleaned of an internet-browsing redirector infection and the internet doesn’t work anymore, in many cases the network sockets need to be “reset” by running a tool like &lt;a href="http://www.cexx.org/lspfix.htm"&gt;LSP-Fix&lt;/a&gt; or &lt;a href="http://majorgeeks.com/WinSock_XP_Fix_d4372.html"&gt;WinSock XP Fix 1.2&lt;/a&gt; (via MajorGeeks mirror site).&amp;nbsp; This should only be run on XP systems.&lt;/p&gt; &lt;p&gt;Coming full-circle again in this post, some of these tools and techniques require working on a live running system and others can be done “off-line” using a LiveCD/WinPE/otherOS approach.&lt;/p&gt; &lt;p&gt;If you do go with an “off-line” boot method such as WinPE from a bootable USB flash or HDD, you want to be very careful to avoid potential cross-infection in your response/rescue efforts. Yes, a bootable CD/DVD does offer greater protection, but at the same time it can severely reduce the number of options or other tools you can bring to bear on assessing and cleansing the system.&lt;/p&gt; &lt;p&gt;If you have a LOT of bootable ISO files (as I do for specialized situations), then I seriously recommend the awesome &lt;a href="http://grandstreamdreams.blogspot.com/2010/07/iodd-multi-boot-madness.html"&gt;iodd device&lt;/a&gt; for sysadmins and incident responders as well as you semi-pro malware busters.&amp;nbsp; It allows you to carry many, many, many different bootable ISO files on a portable HDD and pick between them on the fly for off-line system booting.&amp;nbsp; Couple that with a physical write-block switch and the ability to partition the hard disk drive you cram into it, and you can carry many portable apps on there as well to access if you are booting in, say, a WinPE environment.&lt;/p&gt; &lt;p&gt;If that seems like way too much (and it never could be) firepower, then at least consider a USB flash drive with a write-block switch.&amp;nbsp; My personal preference is 
the &lt;a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16820709013&amp;amp;cm_re=kanguru-_-20-709-013-_-Product"&gt;Kanguru Flashblu II&lt;/a&gt; (NewEgg product link).&amp;nbsp; It is a great value for a reasonably sized USB drive with a write-block switch.&amp;nbsp; Sony also offers write-block switches on some of their USB flash drives (Alvis has one in fact) but they are getting harder and harder to find.&lt;/p&gt; &lt;p&gt;If you don’t have the option or resources to pick up either one, but do have a bootable USB flash drive that you have already loaded up with all your scanners, tools, and other response files, consider this simple and free tool &lt;a href="http://code.google.com/p/usbdummyprotect/"&gt;usbdummyprotect&lt;/a&gt;. The trick to using it is to download the tool and unzip it, then copy it directly onto your USB drive.&amp;nbsp; There, run it.&amp;nbsp; It creates a “dummy” file to fill up all the remaining free-space on your flash-drive.&amp;nbsp; In theory, this should prevent malware from copying any files to your drive.&amp;nbsp; When you want your free-space back, just delete the clearly identified dummy file.&lt;/p&gt; &lt;p&gt;Not quite the same thing, but noteworthy is Document Solutions’ free &lt;a href="http://document-solutions.biz/downloads/?did=9"&gt;DSi USB Write-Blocker&lt;/a&gt;. You need to download and install this on your own clean system first. Then run the tool BEFORE connecting a USB flash device.&amp;nbsp; Basically it keeps your own running system from writing TO the USB device once you plug the device into your PC.&amp;nbsp; This should preserve time/date stamps and avoid other file modifications.&amp;nbsp; It doesn’t necessarily protect your host system from anything bad on the device itself if you choose to either run anything directly or copy off the device and run locally. 
So understand how it works first, then use it when the situation calls for it.&lt;/p&gt; &lt;p&gt;Finally, in some cases, the malware might have actually damaged or modified the Windows bootloader itself. If this is the case and none of the specialized tools already mentioned worked to restore the Windows boot loader, then you may need to do it yourself.&lt;/p&gt; &lt;p&gt;See this GSD post &lt;a href="http://grandstreamdreams.blogspot.com/2009/03/partition-and-disk-management-part-ii.html"&gt;Partition and Disk Management: Part II – Free and Useful Tools&lt;/a&gt; for a rich roundup of resources.&lt;/p&gt; &lt;p&gt;For a really nice and trusted freeware GUI tool, check out &lt;a href="http://neosmart.net/dl.php?id=1"&gt;EasyBCD 2.1&lt;/a&gt; from NeoSmart Technologies.&lt;/p&gt; &lt;p&gt;I also recently discovered &lt;a href="http://firesage.com/mbrwizard.php"&gt;MBRWizard&lt;/a&gt; which is not a free product (but it is offered dirt-cheap) and has a great GUI as well.&amp;nbsp; However, for your value-expecting fans not afraid of a little command-line ninja work, they do offer a &lt;a href="http://firesage.com/mbrwizard.php#ui-tabs-3"&gt;CLI Freeware version&lt;/a&gt;! Check out the &lt;a href="http://firesage.com/mbrwizard.php#ui-tabs-4"&gt;Command line reference page&lt;/a&gt; for more information.&lt;/p&gt; &lt;p&gt;Effectively responding to a malware/rogue-ware infection is never an easy task. It takes careful assessment, planning, research, tool/utility/scanner gathering, off-line booting in many cases, and lots and lots of tedious, patience-requiring work.&amp;nbsp; It takes time, experience, and for the non-technical, lots and lots of help from a devoted community.&lt;/p&gt; &lt;p&gt;Obviously, this post can’t even really begin to scratch the surface of the tools and techniques out there. 
However, I hope it is a good starting point or comes to be a return-to resource source to collect valuable materials as you go forth and battle.&lt;/p&gt; &lt;p&gt;Cheers.&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-7891767818708170077?l=grandstreamdreams.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/7891767818708170077/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=7891767818708170077&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/7891767818708170077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/7891767818708170077'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/06/anti-malware-tools-of-note.html' title='Anti-Malware Tools of Note'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-8139368846152779782</id><published>2011-06-25T16:33:00.001-05:00</published><updated>2011-06-25T16:33:37.256-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='anti-virus software'/><category scheme='http://www.blogger.com/atom/ns#' term='malware tools'/><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting'/><category scheme='http://www.blogger.com/atom/ns#' term='Win PE'/><category scheme='http://www.blogger.com/atom/ns#' term='tutorials'/><category 
scheme='http://www.blogger.com/atom/ns#' term='software'/><category scheme='http://www.blogger.com/atom/ns#' term='Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='viruses'/><category scheme='http://www.blogger.com/atom/ns#' term='browsers'/><category scheme='http://www.blogger.com/atom/ns#' term='utilities'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Skirmish 2: A Rouge Security Software battle</title><content type='html'>&lt;p&gt;Fresh off of having wrestled my friend’s system back from the clutches of a rogue-security product, a few weeks later Dad called in a panic with his Windows Vista system in cardiac arrest.&lt;/p&gt; &lt;p&gt;He had booted his system only to find all their documents, emails, and family photos missing.&lt;/p&gt; &lt;p&gt;On top of that, they had a “security scanner” warning them their system was “infected” in many critical locations and only their product could remove the mess and possibly restore their files.&lt;/p&gt; &lt;p&gt;Oh bother. 
Not again.&lt;/p&gt; &lt;p&gt;I knew that with this kind of mess, attempting to clean the system remotely would be counter-productive.&lt;/p&gt; &lt;p&gt;Dad offered to drive down and pass the base-unit off to me.&lt;/p&gt; &lt;p&gt;Looks like the workbench was going to stay dust-free.&lt;/p&gt; &lt;p&gt;Basically, I followed the same steps previously outlined in the GSD post &lt;a href="http://grandstreamdreams.blogspot.com/2011/06/skirmish-1-rouge-security-software.html"&gt;Skirmish 1: A Rouge Security Software battle&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;However, I had to tread just a bit more carefully in the assessment process.&lt;/p&gt; &lt;p&gt;Dad’s system did support direct USB flash-based booting.&amp;nbsp; So I could use one of my custom WinPE USB boot sticks for just a bit faster off-line booting performance.&lt;/p&gt; &lt;p&gt;I quickly determined (much to his relief) that all the user profiles, documents, emails, and photos were in fact present and accounted for.&lt;/p&gt; &lt;p&gt;Turns out this bad-nasty had done some additional mojo which “hid” all the start program files, as well as the user desktop (folder) environment.&lt;/p&gt; &lt;p&gt;The full list of infected baddies found:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Trojan:WinNT/Alureon.S&lt;/li&gt; &lt;li&gt;Exploit:Java/CVE-2009-3867.IJ&lt;/li&gt; &lt;li&gt;Exploit:Java/CVE-2008-5353.SN&lt;/li&gt; &lt;li&gt;Trojan:Java/Mugademel.A&lt;/li&gt; &lt;li&gt;TrojanDownloader:Java/OpenConnection.EM&lt;/li&gt; &lt;li&gt;Exploit:Java/CVE-2008-5353.QV&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Again, another drive-by browsing infection caused by an outdated Java version. 
Nice…&lt;/p&gt; &lt;p&gt;Because I first carefully assessed the system, in Dad’s case I had elected to NOT run CCleaner or any other temp-file cleanup tools.&amp;nbsp; This ended up being a very good thing.&lt;/p&gt; &lt;p&gt;This particular infection had relocated all those critical system/program files and settings into a temp folder.&amp;nbsp; Had I run the cleanup blindly, I would have ended up nuking all the original files and would have had to manually rebuild the entire Start/Program list, as well as the desktop items.&lt;/p&gt; &lt;p&gt;The public face of this infection ended up being a variant of “Windows Recovery” malware/rogue-security scareware.&lt;/p&gt; &lt;p&gt;This guide &lt;a href="http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery"&gt;Remove Windows Recovery (Uninstall Guide)&lt;/a&gt; over at BleepingComputer.com has a good review and walkthrough of a semi-automated recovery process.&lt;/p&gt; &lt;p&gt;Included in there are two noteworthy tools: &lt;a href="http://www.bleepingcomputer.com/download/anti-virus/rkill"&gt;RKill (Download Link)&lt;/a&gt; and &lt;a href="http://download.bleepingcomputer.com/grinler/unhide.exe"&gt;Unhide.exe (Download Link)&lt;/a&gt;. Rkill is a rogue-process killer of sorts and unhide.exe attempts to restore malware-relocated user files back to their original/rightful locations. 
See this &lt;a href="http://www.bleepingcomputer.com/download/anti-virus/rkill"&gt;Bleeping Computer Downloads: RKill&lt;/a&gt; page for more information, as well as this &lt;a href="http://www.bleepingcomputer.com/forums/topic391939.html"&gt;Question on 'unhide.exe'&lt;/a&gt; thread for more background on them both.&lt;/p&gt; &lt;p&gt;I preferred to take the &lt;a href="http://forums.malwarebytes.org/index.php?showtopic=84616"&gt;manual restoration approach&lt;/a&gt; offered by “colsearle”:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Try navigating to the following path: (make sure you have the hidden files and folders visible)&lt;br&gt;C:\Documents and Settings\your user name goes here\Local Settings\Temp\smtmp&lt;br&gt;Inside the smtmp folder you will see three folders named 1, 2, 4&lt;br&gt;1 = Start Menu Program shortcuts&lt;br&gt;2 = Current User Quick Start shortcuts&lt;br&gt;4 = All Users Desktop folders and shortcuts&lt;br&gt;Simply copy the shortcuts back to the original path.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;I also found this guide over at SmartestComputing, written by “Broni”, to be very helpful and full of specialized remediation tools and links: &lt;a href="http://www.smartestcomputing.us.com/topic/46010-how-to-restore-files-hiddendeleted-by-windows-recovery-virus/"&gt;How to restore files hidden/deleted by Windows Recovery virus&lt;/a&gt;.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.sevenforums.com/tutorials/135246-start-menu-all-programs-windows-7-restore-default-shortcuts.html"&gt;Windows 7: Restore Default Shortcuts in Start Menu All Programs&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.vistax64.com/tutorials/159034-start-menu-restore-missing-default-shortcuts.html"&gt;Vista: Restore Default Shortcuts in Start Menu Programs&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.winhelponline.com/articles/178/1/Windows-Vista-Administrative-Tools-folder-is-empty.html"&gt;Restore the Administrative Tools folder with 
vista_ultimate_admintools.zip&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.winxptutor.com/download/accrestore.zip"&gt;Restore Accessories Program Files Menu with accrestore.zip for XP&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.winxptutor.com/download/admintools.zip"&gt;Restore Admin Tools Program Files Menu with admintools.zip for XP&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://sourceforge.net/projects/apppaths/"&gt;App Paths&lt;/a&gt; - SourceForge&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Once all was running/cleaned as expected, I had to re-arm the Windows Firewall (it had been disabled), re-arm the automatic updates (disabled), and re-arm the anti-virus application (its real-time protection had been disabled).&lt;/p&gt; &lt;p&gt;Again, all &lt;a href="http://grandstreamdreams.blogspot.com/2011/06/psa-browser-plugin-updates.html"&gt;Browser Plugin Updates&lt;/a&gt; were applied. I updated all the web-browsers, QuickTime, Adobe Reader, etc.&amp;nbsp; Removed some toolbars, stuff like that.&lt;/p&gt; &lt;p&gt;Dad returned a week later and, after a super-yummy lunch at a local authentic Tex-Mex dive, the system got handed back; once reconnected at its home, Dad found it to be perfectly restored.&lt;/p&gt; &lt;p&gt;Now if we could just push him onto Windows 7… 
&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/8139368846152779782/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=8139368846152779782&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8139368846152779782'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/8139368846152779782'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/06/skirmish-2-rouge-security-software.html' title='Skirmish 2: A Rouge Security Software battle'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-2400656376653411009</id><published>2011-06-25T15:24:00.001-05:00</published><updated>2011-06-25T15:24:43.477-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='anti-virus software'/><category scheme='http://www.blogger.com/atom/ns#' term='imagex'/><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting'/><category scheme='http://www.blogger.com/atom/ns#' term='Win PE'/><category scheme='http://www.blogger.com/atom/ns#' term='boot-cd&apos;s'/><category scheme='http://www.blogger.com/atom/ns#' term='XP'/><category scheme='http://www.blogger.com/atom/ns#' term='viruses'/><category scheme='http://www.blogger.com/atom/ns#' 
term='security'/><title type='text'>Skirmish 1: A Rouge Security Software battle</title><content type='html'>&lt;p&gt;&lt;em&gt;Note: while some may find this a helpful guide, it is not a “cure-all” malware cleaning process. Every infection is somewhat different.&amp;nbsp; What I hope to offer is a process I have used to successfully clean a specific infection from a home-user’s system. Your mileage may vary.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;Quite a few weeks ago, my video-desk buddy at the church asked me for advice about what virus-cleaning product I recommended.&lt;/p&gt; &lt;p&gt;In my experience that means two things: someone actually has a compromised system, and any single answer I provide will be inadequate to solve their problem if attempted.&amp;nbsp; So I probed further so I could provide a better (more detailed) answer.&lt;/p&gt; &lt;p&gt;Turns out the user was reacting to a report that popped up on their computer warning them they had a whole bunch of infected system files and that their PC was going to perform worse unless they purchased the offered program.&lt;/p&gt; &lt;p&gt;He then proceeded to show me a long list of “infected files”, all with crazy names and locations.&amp;nbsp; He had done some Google work on the files listed but hadn’t made any progress.&lt;/p&gt; &lt;p&gt;Well, I agreed he &lt;em&gt;did&lt;/em&gt; have a serious issue, but likely those “files” were just a sham and in fact the security warning/program &lt;em&gt;was&lt;/em&gt; the problem.&lt;/p&gt; &lt;p&gt;I told him I’d prefer to have him haul his system up to the church early so I could (off the network) hook it up to a spare monitor/keyboard and take a quick peek.&amp;nbsp; He readily agreed.&lt;/p&gt; &lt;p&gt;That afternoon we met up and, after what seemed like a ten-minute bootup, I agreed his system was running super-slow.&amp;nbsp; This was a Windows XP system, and after I launched the Task Manager and it eventually appeared, a number of suspicious running processes 
were visible.&amp;nbsp; On top of things, the CPU fan was roaring like a jet taking off. Yes…my friend reported…this behavior had been happening recently also.&lt;/p&gt; &lt;p&gt;I was able to identify and disable the main rogue security app “loader”, but significant problems remained and I suspected other stuff was lurking unseen at first glance.&lt;/p&gt; &lt;p&gt;Attempts to run any .exe application executable failed.&amp;nbsp; Attempts to run CMD failed as well.&amp;nbsp; The Control Panel was MIA. Bad things were afoot.&lt;/p&gt; &lt;p&gt;This quick peek told me enough to confirm that my friend had indeed been hit by a &lt;a href="http://malwareprotectioncenter.com/"&gt;scareware/rogue-security “product”&lt;/a&gt; infection and was in some serious hurt.&lt;/p&gt; &lt;p&gt;He trusted me to bring his system home and throw it on my workbench to attempt a full cleaning.&lt;/p&gt; &lt;p&gt;So was the stage set.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;The battle begins&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;First thing I did was to off-line boot the system.&amp;nbsp; This was a bit more challenging than one would expect.&lt;/p&gt; &lt;p&gt;Although it was a nice mini-case IBM ThinkCentre unit, alas, it did not appear to support USB flash drive booting.&lt;/p&gt; &lt;p&gt;So I used one of my WinPE ISO files loaded on my &lt;a href="http://grandstreamdreams.blogspot.com/2010/07/iodd-multi-boot-madness.html"&gt;iodd device&lt;/a&gt; (with the write-block switch thrown) to get the system up and running with me in control.&amp;nbsp; I then plugged in my 2GB USB stick that I had preloaded with various utilities and malware-busting tools. 
(Note: because I didn’t yet have my &lt;a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16820709013&amp;amp;cm_re=kanguru-_-20-709-013-_-Product"&gt;Kanguru Flashblu II&lt;/a&gt; drive, I used &lt;a href="http://code.google.com/p/usbdummyprotect/"&gt;usbdummyprotect&lt;/a&gt; to fill the remaining free space on the drive to avoid a potential write-back infection.)&lt;/p&gt; &lt;p&gt;I then ran &lt;a href="http://live.sunbeltsoftware.com/"&gt;VIPRE Rescue&lt;/a&gt; overnight against the system.&amp;nbsp; When done, it had located and isolated the following infections (and associated bits) in multiple locations:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Trojan.Boot.Alureon.Gen (v)&lt;/li&gt; &lt;li&gt;Trojan-Dropper.Win32.TDSS.cfvs (v)&lt;/li&gt; &lt;li&gt;FraudTool.Win32.FakeRean.e (v)&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;After rebooting I had a lot of work to do.&lt;/p&gt; &lt;p&gt;Next, since the System Properties and Control Panel weren’t working, I dug in and discovered that rundll32.exe had been renamed to rundll.exe.&amp;nbsp; An examination of that file convinced me it was the original file, so I renamed it back and those items worked again.&lt;/p&gt; &lt;p&gt;Since any attempt to launch an application failed, I had to repair that.&amp;nbsp; This was made pretty easy by using the correct REG file fix found in this &lt;a href="http://filext.com/faq/broken_exe_association.php"&gt;Broken EXE Association&lt;/a&gt; page.&amp;nbsp; Fixed.&lt;/p&gt; &lt;p&gt;Because the system was still crawling in terms of performance, I had to start addressing that or else it might take a month to get it running better.&lt;/p&gt; &lt;p&gt;The system was running on 1 GB of RAM (two 512 MB sticks of mismatched speed) with a 40 GB (5400 RPM) HDD almost 90% full. 
Yikes!&lt;/p&gt; &lt;p&gt;The virtual memory settings had a very large custom value set, so I rolled that back to let the system manage it instead.&amp;nbsp; I turned off start-menu animations.&lt;/p&gt; &lt;p&gt;Next, I ensured that all the user’s documents and other files were present and that the start-menu lists appeared normal and unaffected by this malware version. Only after that had been established, and after I had collected some web-browsing log files to see if I could learn the infection point, did I run both &lt;a href="http://www.piriform.com/CCLEANER"&gt;CCleaner&lt;/a&gt; and &lt;a href="http://www.nirsoft.net/utils/clean_after_me.html"&gt;CleanAfterMe&lt;/a&gt; to neaten things up and gain some additional free hard-drive space.&lt;/p&gt; &lt;p&gt;Disk fragmentation was horrible (although my friend appears to have been dutifully defragging his registry with a desktop program that I found installed).&amp;nbsp; So I used &lt;a href="http://portableapps.com/apps/utilities/jkdefrag_portable"&gt;JkDefrag Portable&lt;/a&gt; to clean that up.&lt;/p&gt; &lt;p&gt;Now that things were running (a bit) snappier, I returned to the infection cleaning.&lt;/p&gt; &lt;p&gt;I used the installed (but apparently overwhelmed) &lt;a href="http://www.microsoft.com/security_essentials/"&gt;Microsoft Security Essentials&lt;/a&gt; tool to re-scan the system.&amp;nbsp; It didn’t find anything, but now that it was running again, the history showed its battle at the time of the infection to keep the system clean:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Exploit:Java/CVE-2010-4452&lt;/li&gt; &lt;li&gt;Trojan:DOS/Alureon.A&lt;/li&gt; &lt;li&gt;Trojan:Java/Clagent.B&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Still not convinced, I next ran &lt;a href="http://www.malwarebytes.org/products/malwarebytes_free"&gt;Malwarebytes Anti-Malware Free&lt;/a&gt;, which found 15 more bits and pieces.&lt;/p&gt; &lt;p&gt;I then sought out and installed all the most current &lt;a 
href="http://grandstreamdreams.blogspot.com/2011/06/psa-browser-plugin-updates.html"&gt;Browser Plugin Updates&lt;/a&gt;, as the installed ones were woefully outdated…hence the vector for the infection in the first place.&lt;/p&gt; &lt;p&gt;Next?&amp;nbsp; I downloaded and ran &lt;a href="http://www.surfright.nl/en/hitmanpro"&gt;Hitman Pro 3&lt;/a&gt; from SurfRight.&amp;nbsp; It revealed some more stuff remaining that indicated a boot-loader infection. Bad stuff, man.&amp;nbsp; Hitman Pro did its thing and cleaned up that mess.&lt;/p&gt; &lt;p&gt;I recovered both the admin password and OS key, as the user had lost those, and documented them for him.&lt;/p&gt; &lt;p&gt;Windows Updates had also been borked.&amp;nbsp; As this was a Windows XP system, I found that running the following command in a (now working again) CMD window got them flowing again.&amp;nbsp; More info and methods are in this &lt;a href="http://support.microsoft.com/kb/883821"&gt;Microsoft KB883821 bulletin&lt;/a&gt;.&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;To register the Wuaueng.dll file, follow these steps: &lt;/p&gt; &lt;ol&gt; &lt;li&gt;Click &lt;strong&gt;Start&lt;/strong&gt;, click &lt;strong&gt;Run&lt;/strong&gt;, type regsvr32 Wuaueng.dll, and then click &lt;strong&gt;OK&lt;/strong&gt;.&lt;/li&gt; &lt;li&gt;When you receive the following message, click &lt;strong&gt;OK&lt;/strong&gt;: &lt;p&gt;DllRegisterServer in Wuaueng.dll succeeded. &lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/blockquote&gt; &lt;p&gt;Now that the Windows updates were all applied successfully, I upgraded the browser from IE6 to IE8. Also found installed (and so updated) were Safari for Windows and Firefox.&lt;/p&gt; &lt;p&gt;I removed the registry defragger and installed &lt;a href="http://www.piriform.com/defraggler"&gt;Defraggler&lt;/a&gt; to provide this user a more friendly tool.&amp;nbsp; The outdated version of Adobe Reader got removed and replaced with Adobe Reader X instead. 
Apple QuickTime was updated.&lt;/p&gt; &lt;p&gt;From here I took the system outside and opened up the case.&lt;/p&gt; &lt;p&gt;Loads of dust-bunnies, and the foam intake filter was completely obstructed with dust buildup.&amp;nbsp; Much cleaning later, the system was now purring quietly along.&amp;nbsp; All the dust was restricting the cool-air intake over the CPU heatsink (also caked in dust), causing the CPU to run hotter, causing the fans to go into overdrive, causing the system fan-noise to require ear-protection.&lt;/p&gt; &lt;p&gt;I turned off System Restore so it would dump all the restore-points, some of which had copies of the infected files. This also added a bit more free disk space.&lt;/p&gt; &lt;p&gt;I ran both &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896653"&gt;Process Explorer&lt;/a&gt; (making sure no other rogue processes were found) as well as &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb963902"&gt;Autoruns for Windows&lt;/a&gt; (which I used to disable/remove some non-necessary helper services).&lt;/p&gt; &lt;p&gt;I then searched out and updated all the device drivers from the IBM/Intel sites I could find that applied to this particular system. For this IBM system, I located this &lt;a href="http://www-307.ibm.com/pc/support/site.wss/TVSU-UPDATE.html"&gt;ThinkVantage System Update&lt;/a&gt; utility, which was a really big help in the process.&lt;/p&gt; &lt;p&gt;A full scan with MS Security Essentials and Malwarebytes Anti-Malware both came back 100% clean.&lt;/p&gt; &lt;p&gt;For extra measure I also ran both Kaspersky’s &lt;a href="http://support.kaspersky.com/faq/?qid=208283363"&gt;Anti-rootkit utility TDSSKiller&lt;/a&gt; and Norton’s &lt;a href="http://security.symantec.com/nbrt/npe.aspx?lcid=1033"&gt;Power Eraser&lt;/a&gt;. 
Both also reported no issues found.&lt;/p&gt; &lt;p&gt;I &lt;a href="http://www.techiecorner.com/35/how-to-flush-dns-cache-in-linux-windows-mac/"&gt;flushed the DNS cache&lt;/a&gt; and &lt;a href="http://www.java.com/en/download/help/plugin_cache.xml"&gt;cleared the Java cache&lt;/a&gt;.&amp;nbsp; The HOSTS file looked normal.&lt;/p&gt; &lt;p&gt;Things were looking up.&lt;/p&gt; &lt;p&gt;I dug around on the spec page for this system and found it could support up to 2 GB of system RAM on the mainboard.&amp;nbsp; It just so happened that I had a pair of matched 1 GB PC2700 333 MHz DDR sticks lying around.&amp;nbsp; I pulled the original ones and dropped these in.&amp;nbsp; I think I could hear the system actually taking a deep breath and shuddering with relief once again.&amp;nbsp; Performance was much more nimble now!&lt;/p&gt; &lt;p&gt;Alas, I didn’t have a spare drive, but did pass on a note with my recommendation to upgrade to a larger-capacity/faster-RPM PATA hard-drive as well.&lt;/p&gt; &lt;p&gt;Done.&lt;/p&gt; &lt;p&gt;Time invested? Approximately 10 hours (not counting unattended overnight scanning) spread over a week.&lt;/p&gt; &lt;p&gt;Return on investment from the gratefully shining face of the owner? Priceless.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Lessons learned&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Reviewing all the logs, it seemed clear that the user had browsed across a maliciously-coded web-page in an unpatched browser running unpatched/outdated browser plug-ins.&amp;nbsp; I suspect the Java exploit got the ball started, and once the actual malware installer app had been dropped/executed on the system, 
all bets were off despite MSSE’s attempts to protect the system.&amp;nbsp; For additional information on these things, these references might be helpful.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.youtube.com/watch?v=znZHSfuVSb0"&gt;Java CVE-2010-4452&lt;/a&gt; - YouTube&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.youtube.com/watch?v=YeXeuXgsDgM"&gt;CVE-2010-4452 : Oracle Java Applet2ClassLoader Remote Code Execution Exploit&lt;/a&gt; - YouTube&lt;/li&gt; &lt;li&gt;&lt;a href="http://securitybraindump.blogspot.com/2010/12/not-just-another-analysis-of-scareware.html"&gt;Not Just Another Analysis of Scareware&lt;/a&gt; - Security Braindump&lt;/li&gt; &lt;li&gt;&lt;a href="https://blog.whitehatsec.com/vulnerabilities-in-a-flash/"&gt;Vulnerabilities in a Flash&lt;/a&gt; - WhiteHat Security Blog&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fFakeRean"&gt;Encyclopedia entry: TrojanDownloader:Win32/FakeRean&lt;/a&gt; - Microsoft Malware Protection Center&lt;/li&gt; &lt;li&gt;&lt;a href="http://blogs.technet.com/b/mmpc/archive/2011/05/15/win32-alureon-brings-back-old-school-virus-techniques-enhanced.aspx"&gt;Win32/Alureon brings back old school virus techniques, enhanced&lt;/a&gt; - Microsoft Malware Protection Center&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;I guess that in some ways, given the state the system was in, the slowness may have kept things from getting worse, or kept the user from continuing to work with the infection running in the background. 
In this case, the scareware/malware only helped cause the system to grind down even slower.&lt;/p&gt; &lt;p&gt;No one single anti-malware app fixed the problem.&amp;nbsp; Because the malware compromised/changed some key Windows filenames and settings, additional manual remediation work had to be performed.&lt;/p&gt; &lt;p&gt;There are a lot of great cleaning tools out there; the challenge is being familiar with the best of them and knowing which ones are the most effective to apply.&lt;/p&gt; &lt;p&gt;The whole process is quite involved and must be taken through logically, building on each success.&lt;/p&gt; &lt;p&gt;Next post -- same thing but with a twist -- Dad’s PC infection.&lt;/p&gt; &lt;p&gt;I’ll also do a standalone post linkfest listing these and other tools/resources I found helpful or came across in these skirmishes.&lt;/p&gt; &lt;p&gt;Cheers.&lt;/p&gt; &lt;p&gt;--Claus V.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://grandstreamdreams.blogspot.com/feeds/2400656376653411009/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=13777170&amp;postID=2400656376653411009&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/2400656376653411009'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13777170/posts/default/2400656376653411009'/><link rel='alternate' type='text/html' href='http://grandstreamdreams.blogspot.com/2011/06/skirmish-1-rouge-security-software.html' title='Skirmish 1: A Rouge Security Software battle'/><author><name>Claus</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='32' height='20' src='http://photos1.blogger.com/blogger/1381/1225/320/ClausValca.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13777170.post-1967537345119418727</id><published>2011-06-25T12:46:00.001-05:00</published><updated>2011-06-25T12:46:47.083-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='software'/><category scheme='http://www.blogger.com/atom/ns#' term='viruses'/><category scheme='http://www.blogger.com/atom/ns#' term='browsers'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>PSA: Browser Plugin Updates</title><content type='html'>&lt;p&gt;As I prepare my notes for one to two GSD posts on recent rogue-security product malware-purges from heavily infected systems, I’m going to offer a brief public service announcement.&lt;/p&gt; &lt;p&gt;In both cases, a review of the logs generated and collected during the incident responses strongly suggests to me that both infections occurred during innocent web-surfing when the users unknowingly landed on maliciously seeded pages that took advantage of exploitable code in their older versions of Java.&lt;/p&gt; &lt;p&gt;While probably not the specific exploit they encountered, these YouTube videos do illustrate how the process can work.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.youtube.com/watch?v=znZHSfuVSb0"&gt;Java CVE-2010-4452&lt;/a&gt; - YouTube&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.youtube.com/watch?v=YeXeuXgsDgM"&gt;CVE-2010-4452 : Oracle Java Applet2ClassLoader Remote Code Execution Exploit&lt;/a&gt; - YouTube&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;For more in-depth illustration and analysis of the problem, take a look at these security posts.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://securitybraindump.blogspot.com/2010/12/not-just-another-analysis-of-scareware.html"&gt;Not Just Another Analysis of Scareware&lt;/a&gt; - Security Braindump&lt;/li&gt; &lt;li&gt;&lt;a 
href="https://blog.whitehatsec.com/vulnerabilities-in-a-flash/"&gt;Vulnerabilities in a Flash&lt;/a&gt; - WhiteHat Security Blog&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;strong&gt;Patch it like a hobo&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Trying to guide Dad through all the hoops on how to check his Windows (Vista) system early for the latest versions of these most popular browser plugins has been quite challenging.&amp;nbsp; Not only do you have to go confirm the current version you are running (either through the Control Panel or from the providers’ websites), but then you have to navigate through the download and install process, often trying to avoid an offered “bonus” software product installation in the process.&lt;/p&gt; &lt;p&gt;So, although at work I download such update packages directly from the provider’s source for security reasons, at home and in recommendations to family and friends I usually just point them to the specific updated package as found on the FileHippo.com &lt;a href="http://filehippo.com/software/internet/plugins/"&gt;Plugins Downloads&lt;/a&gt; site.&amp;nbsp; It’s just easier that way.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://filehippo.com/download_adobe_air/"&gt;Adobe Air&lt;/a&gt; -- FileHippo mirror site.&lt;/li&gt; &lt;li&gt;&lt;a href="http://filehippo.com/download_flashplayer/"&gt;Flash Player&lt;/a&gt; -- FileHippo mirror site. (be sure to get both the IE “ActiveX” and the “Non-IE” versions)&lt;/li&gt; &lt;li&gt;&lt;a href="http://filehippo.com/download_shockwave/"&gt;Shockwave Player&lt;/a&gt; -- FileHippo mirror site.&lt;/li&gt; &lt;li&gt;&lt;a href="http://filehippo.com/download_jre/"&gt;Java Runtime Environment&lt;/a&gt; -- FileHippo mirror site. 
(if you run x64, grab and install both the x32 and x64 versions)&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;If you do want to go the “official source only” path, then here you go.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.adobe.com/software/flash/about/"&gt;Adobe - Flash Player&lt;/a&gt; - This page will tell you what version of Flash you are running and what the latest versions are.&lt;/p&gt; &lt;p&gt;&lt;a href="http://kb2.adobe.com/cps/191/tn_19166.html#main_ManualInstaller"&gt;Troubleshoot Flash Player installation | Windows&lt;/a&gt; - Links to both the update page as well as the direct manual download links for the most current level of both versions: &lt;a href="http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe"&gt;Flash Player 10 ActiveX&lt;/a&gt; and &lt;a href="http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe"&gt;Flash Player 10 Plugin&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.adobe.com/shockwave/welcome/"&gt;Adobe - Test Adobe Shockwave Player&lt;/a&gt; - This page will play and display a Shockwave file, which then tells you your currently installed version of Shockwave.&amp;nbsp; Write it down, then…&lt;/p&gt; &lt;p&gt;…go to this page &lt;a href="http://get.adobe.com/shockwave/"&gt;Adobe - Adobe Shockwave Player&lt;/a&gt; to see what the latest version actually is.&amp;nbsp; If this one is newer, download and install (just watch out for the offered “bonus” software install and uncheck the box if you don’t want it).&lt;/p&gt; &lt;p&gt;To confirm you have the freshest Java beans, pop over to this &lt;a href="http://java.com/en/download/installed.jsp"&gt;Verify Java Version&lt;/a&gt; page and see what fortune you get.&amp;nbsp; Need an update?&amp;nbsp; Well then, my bedraggled friend, stop in at &lt;a href="http://java.com/en/download/manual.jsp"&gt;All Java Downloads&lt;/a&gt; to pick from the buffet.&amp;nbsp; You likely will be focusing on the Windows 32-bit and 64-bit versions.&lt;/p&gt; &lt;p&gt;I 
haven’t mentioned it, but Adobe Acrobat is also almost ubiquitously found on Windows systems, and it also must be kept updated to avoid the worst of the &lt;a href="http://blog.didierstevens.com/?s=PDF"&gt;PDF-related exploit issues&lt;/a&gt; out there.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Updates galore&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;This past month saw a banner crop of security patches and updates, both to the Windows operating system environment as well as to many popular Windows browser plugins.&amp;nbsp; Hopefully everyone who needs these applied them to their systems.&amp;nbsp; Adobe in particular has become more of a responsible citizen by changing the updating in their products to now “auto-check” for updates. Oracle has been including a Java-update check service in their product for some time now.&lt;/p&gt; &lt;p&gt;It’s my personal experience that while these auto-update features do work, sometimes they don’t offer an available update for some time.&amp;nbsp; And when, as in the case of Java, the notice sits quietly in the system tray as an indicator icon, it is easy to overlook.&amp;nbsp; Adobe at least throws the notice in your face.&lt;/p&gt; &lt;p&gt;I understand and acknowledge the challenges for many home-users in keeping informed and notified of these updates. 
Heck, it’s hard enough to get some home users to even care about patching third-party systems.&lt;/p&gt; &lt;p&gt;That said, as anyone who has either been a victim of a browser drive-by malware infection, or been the guy or gal who had to spend many, many hours cleaning Uncle Bob’s unpatched PC to save their system and Uncle Bob’s sanity again, will tell you, it’s too serious to not keep an eye out and patch these browser plugins as soon as they get released.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://krebsonsecurity.com/2011/06/adobe-ships-security-patches-auto-update-feature/"&gt;Adobe Ships Security Patches, Auto-Update Feature&lt;/a&gt; -- Krebs on Security&lt;/li&gt; &lt;li&gt;&lt;a href="http://krebsonsecurity.com/2011/06/flash-player-patch-fixes-zero-day-flaw/"&gt;Flash Player Patch Fixes Zero-Day Flaw&lt;/a&gt; -- Krebs on Security&lt;/li&gt; &lt;li&gt;&lt;a href="http://nakedsecurity.sophos
