Monday, March 02, 2009

Last Gasp Linkpost: Security/Forensics, Microsoft, and Freeware Utilities Galore

Last major collection of links.

Alvis has a TAKS test tomorrow so we are going retro and watching some Azumanga Daioh anime DVD’s to melt our brain cells before heading off to an early bedtime.

I’ll try to section it up a bit.

Lots of neat finds and worthy candidates for your attention.  Don’t be stingy with your time!

Security and Forensics

CAINE Live CD spotted via Security Database Tools Watch.  Another new and promising forensics bootCD based on Linux. Appears to have a Windows auto-run utility side as well.  Looks intriguing and I will be downloading it this week to take a spin.  Does get a few votes down due to the “CSI” theme graphics.  Poking around on the website home page did get my interest and curiosity stirred up quite a bit.

CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface. The main design objectives that CAINE aims to guarantee are the following:

- an interoperable environment that supports the digital investigator during the four phases of the digital investigation
- a user friendly graphical interface
- a semi-automated compilation of the final report

Main features:
- WinTaylor, forensic frontend for Windows environment
- Html page IE-compatible to run the forensic tools in Windows
- Ntfs-3g updated to 2009.1.1 (resolve a ntfs-3g bug)
- New boot option: text mode.
- Ubuntu 8.04 packages updated
- Firefox 3.0.6
- Gtkhash, frontend for hashing files
- New reporting features: investigators and case name added
- Multi-language report: italian, english, german, french and portuguese
- Firefox starts with the list of tools and a brief utilization manual

WinTaylor is the new forensic interface built for Windows and included in CAINE Live CD. It is written in Visual Basic 6 to maximize compatibility with older Windows systems, and provides an internal set of well-known forensic programs.

Features

- Report creation tool, that saves in a plain and portable text file the list of used programs with time-stamps .
- Tabbed structure that gives a logical schema to the investigation process.
- Command-line tools that print their output inside WinTaylor.
- Updated Sysinternals tools
- Versatile hashing tool
- Snapshot tool

RAPTOR - Forensic Acquisition Simplified – Just uncovered this LiveCD tool for both Intel and PowerPC flavored systems. Details are thin but I’ve read a number of positive.  Adding to my growing download list.

Raptor is a modified Live Linux CD used to forensically image digital media.  Two versions of Raptor exist.  One for Intel based computers and the other for the older Macintosh PowerPC architecture.  Raptor allows the user to mount, image, hash, format and sterilize digital media in a forensically sound manner.  Raptor can image to FAT32, NTFS, HFS+ and EXT3 file systems as either a .E01, DD (raw image), .dmg (Macintosh disk image file) format or even physical device (clone).  Raptor also allows for two forensic images to be created simultaneously.  Best of all . . . no need to access the command-line or know complicated Linux commands or switches.

Related GSD Posts: Helix3: Thanks for the memories… which provides some other alternative LiveCD based forensics type tools as well as this GSD Windows FE post to roll your own.

WinFE: Windows Bootable Forensic CD - Evil Bytes Blog - Dark Reading – Found a blog write-up that linked back to my Windows FE post. I’ve seen that post get linked up in a couple for forensics forums as well recently.  It’s pretty cool considering the work it took me to track that information down.

L0phtCrack 6 – Coming soon!  This seminal password cracking tool has been reborn like a phoenix from the ashes of Symantec.  The security world waits with baited breath!  Wish I could be there at the release party.  Sample love-fest post: L0phtCrack 6 Release At SOURCE Boston : Liquidmatrix Security Digest.

Ophcrack – One of the current Windows password crackers currently sitting pretty due to the hiatus of L0phtCrack from the scene.  I’ve used it a few times and it worked as promised.  Related: LCP, SID&User, John the Ripper, and Cain & Abel.

Windows Incident Response: Looking for "Bad Stuff", pt II – Harlan offers a thoughtful post continuing the theme of tools AND techniques matter when tracing down suspicious files and activities on a system.  There are no cure-alls. It takes skill, experience and flexibility in using all of those coupled with appropriate tools to carve up a system and identify the malignancies.  Well recommended reading. 

Did Mandiant’s Audit Viewer find something in Conficker? – Security Ripcord Blog – Don hammers home Harlan’s point in this great post showing how not just familiarity with the target malware, but the tools at hand and a good eye appears to have captured some new behavioral data on the Conficker malware.  Good read and malware analysis writeup.

Windows {Microsoft}

VMMap – Brand spanking new Microsoft Sysinternals tool that is way neater than one might think.  Besides mapping running process memory in detail, it also allows capture and reloading of that captured data for later analysis.  Not probably useful for forensics guys and gals who already have an extensive arsenal of tools for that, but for malware hunters and investigators, it might be a really great and (relatively) easy to use tool to dig deeper into suspicious processes found running on a system.

VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map. Powerful filtering and refresh capabilities allow you to identify the sources of process memory usage and the memory cost of application features.

Besides flexible views for analyzing live processes, VMMap supports the export of data in multiple forms, including a native format that preserves all the information so that you can load back in.

Ask the Performance Team : Windows 7, Zune and the Case of the Mysterious Debugger – Ask the Performance Team blog.  Mark Russinovich might have some competition.  Wonderful takedown of a Zune software issue.  Great techniques.

Some Changes Since Beta for the RC – Engineering Windows blog – Way too detailed for me to list all here, it is a deep listing of all the major changes made to Windows 7 since the Beta release.  Most all of them sound like they are pretty solid moves and based on customer feedback.  While most people focus on the big things, I keep finding the small things in Vista still causing me the biggest headaches. Particularly when I continue to switch between XP Pro on my work system, XP Home on our desktop unit, and Vista Premium on our laptop which is slowly taking over as my primary computing and blogging platform at home (uggg!  Must…have…my…dual…monitors…back!)

Microsoft fixes AutoRun disable option – The H Security – Almost unnoticed by all but a few autorun fixated security folks, Microsoft updated its update to the patch to truly and selectively disable Autorun activity. See all these for more information:

New or Improved Software

Important Flash Player Updates Released - Firefox Extension Guru’s Blog – Gentle and timely reminder that Adobe Flash has been updated.  Get the new version at the Adobe Flash Page.  On my Vista system I just had to browse to it in Firefox, download and install.  In IE I had to browse to the link, install it via a series of ActiveX prompts. Then I went to the Vista Programs item in Control Panel and uninstalled the older versions (one each for Firefox and IE).  No reboot needed. Guru’s tips work well also

chml and regil: tools to control Windows Integrity Levels – Mark Minasi – Mark has updated his chml tool and released a new registry counterpart called regil.  I’m going to oversimplify, but just like user accounts have permissions, files, folders, and registry items in Windows (Vista and 7) also have things called integrity levels.  Actions by lower WIL’s cannot be applied to higher WIL’s. But higher WIL’s can control lower WIL’s. The link explains this more clearly.  Anyway, Microsoft had a tool called icalcs which allows some manipulation, but it wasn’t enough for Mark.  He coded up a more powerful version called chml.exe some time ago and now has a registry related manipulator called regil.exe.  He offers both free.  Both are command-line tools. Not a regular tool, but might be useful for folks dealing with nasty file-rights changing malware.  At first blush it seems like a fairly impractical tool, but as a system administrator it’s like bringing a pump-action shotgun to a barroom fight, it gets everyone’s attention and can do a lot of damage to shut the party down fast.

USBDeview  v1.35 - (freeware) – NirSoft - “USBDeview is a small utility that lists all USB devices that currently connected to your computer, as well as all USB devices that you previously used.
For each USB device, extended information is displayed: Device name/description, device type, serial number (for mass storage devices), the date/time that device was added, VendorID, ProductID, and more...  USBDeview also allows you to uninstall USB devices that you previously used, and disconnect USB devices that are currently connected to your computer.” But what makes this version update SO COOL is that it now adds the 'Vendor Name' and 'Product Name' columns and displays these great items automatically. To “enable” separately download an external USB IDs file and save it in the same folder.  Easy as that.  Try it.  It is way cool.  More details on this NirBlog post.

SearchMyFiles - (freeware) – New program release. This is an alternative file/folder search program and is way powerful.  Not only can you search by folders/subfolders/drives, but you can also filter the search based on file attributes, file times, file size, or a range thereof.  If you have to jockey around files and root for them, this seems like a great compliment.  More info on the product link and this NirBlog post.

Everything Search Engine - (freeware) – an alternative system file indexer and searcher.  It reminds me a bit of Windows Search 4.0 but it only indexes files and folders and doesn’t search within them for results (like a particular word in a Doc file or inside your Outlook PST).  In that regard it is a bit weaker.  On the other hand it will provide a list of “everything” searched for then you can filter down from there. Worthy alternatives (also freeware) are Locate32, Agent Ransack, and DK Finder. Search away my friends!

SoftPerfect Network Scanner v.3.9.190 - (freeware) – Great and very powerful single exe network scanner. Regularly updated this release contains a number of feature and bug fixes.  Highly recommended.

USB Image Tool - (freeware) – Dead-useful tool to create/restore images of USB flash drives. It also provides USB device info.  Makes quick-swapping setups and file/folder builds of USB drives a piece of cake.  Alex is working hard at updating this tool. Check back often for newer versions. 

DiskXS - (freeware) – Tool that allows creation/restoration of floppy disk images.  We still use a few specialized floppy boot disks and this tool allows me to take images of them to keep on a CD along with this tool.  When technicians need to deploy one, they just find a Windows system, pop the disk in, run the application, and with a single floppy, write the image they need to it.  Added coolness with this app is the ability to extract files from floppy image files, delete files in images, view files in images, and import/export the bootsector and boot code from floppies.  In the past I used (and still also recommend) the freeware floppy imaging tool FlopImager.  The features and recent developments in this one are making me reconsider.

Recuva - v1.24.399 – (freeware) – This great file-recovery program got an update last week.  iPod support has been added to the wizard,  improved virtual machine support, and some other miscellaneous fixes and tweaks.

CCleaner – v2.17.853 - (freeware) – This build now adds wiping of free disk space, mods to the progress bar, improved Apple Safari history cleaning, speeding up the uninstaller tool, and misc. tweaks and bug fixes.  Other recent version bumps addressed Firefox and Chrome cleaning, and GUI interface improvements.  You really need to check often to see what new enhancements are making their way into both of these great Piriform applications. Add the Piriform – Blog RSS feed to your reader and you will be able to keep on top of things easily.

Looking forward

I certainly haven’t yet reached the bottom of Claus’s link barrel and have several more posting subjects waiting in the wings, but I think it is the end of this extended weekend’s posting blitz.

Coming soon at GSD, Win PE 3.0 boot disk building goodness, more VistaPE tricks and goodies, a bazillion links on ImageX, DISM, and virtual VHD file mounting and manipulations.

Stay tuned…

--Claus V.

1 comment:

Gianchi said...

Hi, I am Giancarlo Giustini, CAINE project manager and developer... Hope you will enjoy my distribution and I hope you will review CAINE in the future!

Great blog!