Wednesday, April 22, 2009

Weird but Fixed

Most of the desktop support stuff that crosses my desk turns out to be pretty standard fare.

However from time to time I get my hands on an odd-duckling.

Last week the group-members were taking turns trying to address a stubborn Windows 2000 system.

Yeah…W2K…I know….

This particular system is an older Dell Latitude laptop that is special-purposed.  It doesn’t connect to our network and is used to run a portable ID making setup

Needless to say it is mission-critical hardware.

The user reported that they were suddenly unable to log onto the system.

The Problem

It would boot, take forever to reach the standard Windows 2000 login window (msgina) and toss the following error without allowing anyone a chance to actually attempt logon.

System Cannot Log You on Because Domain <Computername> Is Not Available

Where <Computername> held the device-specific name of this system.

The team determined it had various issues which they addressed and repaired; bad sectors, blank/reset of the administrator password, etc.

Alas they still couldn’t get past the primary logon barrier.

General consensus was that it was still some kind of password error but the only solution appeared to be a complete wipe/rebuild.  They had managed to off-load the key data from the system…just in case.

So it was placed on my desk for a solutioning attempt.

The Solution

My goal was to get it operational again without having to reinstall all the applications and database information currently on it.

Normally, when I have “GINA” issue on our W2K/XP systems, I just swap GINA files; either by replacing the msgina with the Novell Netware nwgina file or vise-versa.  That usually gets me around those issue so I can at least get to the desktop so I can do software/configuration cleanup.

In this case though, since the system never connects to our network, my go-to files weren’t installed.  Nothing could be done to get past the error and reach an account profile.  It even occurred in Safe Mode.

I could use my Windows PE disks to poke around on the drive contents, but nothing seemed amiss.

I hit the Google and found others (way back when W2K was heavily deployed) who ran into the issue and though reports of success were low, the suggestions helped point me in the right direction.

I went back into the CD archives and extracted my old Windows 2000 Setup disk with the SP4 slipstream.

I popped it in and ran a Windows “Fast Repair” on the operating system.  I ran through the options, let it scan the system, rebooted, and repeated…with it doing the actual file-replacements the second-go-round.

Rebooted again.

The Windows GINA popped up almost immediately and I was able to log on to the desktop with no errors.  Applications and data all present and accounted for.

Victory!

Cleanup…

I knew this action had rolled back all the security patches and updates and left it at a fresh SP4 state.

To avoid having to connect it to our network, I just ran the most recent Heise Offline Update tool on my own system, selected the options necessary to build a Windows 2000 OS update CD, let it run and pull down the updates and create the CD ISO file.  I then mounted the ISO as a virtual drive and copied the folder structure to my USB stick.

Then I popped the USB stick onto the system and ran the “offline" updater tool.

Three more reboots/reruns later and the system was as patched as it could be.

(I chose to do this instead of burning the ISO to a hard-CD as it seemed wasteful for a one-shot system fix.)

Now that everything was repaired and stable, I tweaked out the login controls to force the OS to require a CTRL-ALT-DEL key-press before starting the login procedure as well as setting the option to require the user to enter an id/password to log into the system (I know, I was surprised as well this hadn’t been done by whoever had set up such a critical system.)

Since everyone had also been diagnosing that the drive was failing (because they had earlier found file-system errors) I took a moment to look at that.

The disk-health parameters reported by the SMART system on the drive all came back nominal.

I also ran a sector-error scan and none were found.

While these are no guarantees of future performance, it seems that things are currently well enough to send it back to the user.

Once assured that all was back to normal I shut it down, rebooted, and captured an image of the system, just in case.

Based on what I observed, it appears that for some reason some key networking files on the OS had become corrupted/scrambled. 

The system-repair set things in order again.

In the meantime, we are requisitioning a new laptop to replace this old one.  This way we can get an updated OS (XP Pro) on it, get it locked down and secured, whole-disk-encrypted, and be more confident that hardware issues won’t come back to bite us again with it.

--Claus V.

Clever Printing Tricks

What a past week it has been.

Been sick for the past week.  Coughing up a few lungs and small animals. 

Over the past Friday/Saturday, the Houston area was treated to an rainstorm of near biblical proportions again.

Our particular homestead area saw cumulative 24-hour total rainfall amounts of almost 8”.

I made it home from work Friday night safely. But barely.

I had to make a number of detours due to street flooding, and while I am hyper-conservative about putting the Saturn Ion in water more than two to three inches deep at one point I had (truly) no choice but to make a quick dive into a parking-lot to safely avoid rising water in a city street.

I was able to turn around and after assessing the situation for about fifteen minutes was able to get back out to high-ground/streets.

However at one point on my short and hairy-exit I recalled a quote from Risky Business:

“Who’s the U-Boat commander?”

The Saturn and I got home safely (yet again) with no harm done and we all stayed sequestered in the house listening to the rain pour down and (unfortunately) my hacking cough.

Sunday brought clear and cool skies (but no relief to my chest) and hope that things would turn better soon.

To the Post

At the shop, we are getting ready to open up a brand-new office for our customers.

One of my duties is handling the network cabling orders.

I’ve been getting CAD layouts from the design team, re-marking them to the icons we use for our cabling system, and sharing them with the various members of our IT project team.

We don’t have easy access to a large-scale “sheet” printer and while I have no trouble converting the CAD files into Visio, then into PDF for distribution, a full-sized (say 3’ x 3’) printout on the wall goes a long way to helping with various planning activities.

I’ve used some commercial products before to “posterize” a printout, but I needed a solution that was fast and free.

By posterize, I mean I will use the program to expand/enlarge the printed page across multiple letter-sized sheets, which then can be trimmed down and pasted together to make an oversized printout when down.

Here’s what I did.

Capture It

All of the programs I will mention in a bit require the file to be in an “image” type file format.  While I suppose you could always just use a screen-capture tool to capture your output, this may result in blocky image quality when expanded.

Instead, it works better if you can directly convert your original printed output directly into an image-file format.

First I downloaded and installed (on XP Pro system) the Virtual Image Printer driver from Sourceforge.

What this package does is to create a virtual printer driver (XP only supported for now) that you can print to.  It takes your printed output and converts it into an image file (say BMP, JPEG, TIFF, etc.).

It is free and worked great.

Installation was a pain for a while on my system until I worked out the issue.

It kept failing.  First it seemed to fail partway through until I ran it as “administrator”.  Then it got further along but kept failing when it tried to run some command-line installation steps.

I had almost given up but then when looking through the project comments found the issue:

Turns out there is an installation issue if the faxsvc.exe process was conflicting with it.  I keep it running on my laptop so I can do poor-man’s scanning by faxing material inside our office to my laptop via the second analog line connected to the modem.

Anyway, I disabled it with Autoruns, rebooted, and this time Virtual Image Printer installed with no issues.  I then re-enabled the fax service process and all is well.

For a fantastic commercial product ($) I trialed before finding this freeware solution, check out Zan Image Printer it is reasonably priced and supports a wide variety of Windows systems including Vista.  I didn’t have any installation issues and it comes with a lot of more advanced options.

Print It

Next I turned to my particular freeware favorite for “posterizing” images on the grand scale.

Posteriza - (freeware) – Is very easy to use.  It comes in both “installable” and “portable” versions.  Select your image file to multi-page print, add text (if desired), select how many pages you want the sheet to cover, adjust your margins/cut-lines, and print-away!  It is tiny, fast and very dependable.

In no time I had printed a thee-sheet by three-sheet poster of the site floor plan with cabling markups, trimmed it, rubber-cemented the sheets together, and had it tacked to the project board.

Output was very crisp and much of the CAD detail came through just fine for this “big-picture” planning work.

Here are some “alternatives” to Posteriza I found.

PosteRazor - (freeware) – Very similar to Posteriza in operation but has one neat difference.  Instead of directly outputting the image to the printer, you save the output as a multi-page PDF file.  This can then be printed, cut, assembled and mounted.  However the benefit of this particular utility is that you can send the PDF to others so they also can assemble their own.  Really handy when your team is sharing a plan but are not all centrally located.  Also small and distributed in both “install” or “portable” program formats.

The Rasterbator - (freeware) – Aside from the double-entendre’ish name, this is a neat tool as well.  It differs from the above mentioned products in that it creates a rastorized multi-paged version of an image.  This is an important distinction.  It functions in either a local (portable/download) mode or you can use it “on-line” in the cloud. In my work, the output is very similar to the images seen close-up in newspaper print images; varying sizes of dots/colors that from a distance blend together by the eye into a single detailed image.  Not really what you want for CAD technical drawings, perhaps, but good for more traditional image-display. It also outputs the results into a PDF file for followup printing and assembly.

Certainly, none of these methods can compare to the single-page output of a good-quality, single-page large-format printer.

However, where resources are limited, and you need a fast, quick, and utilitarian solution to poster-sized print generation, this might be an acceptable workaround.

Cheers!

--Claus V.

Sunday, April 12, 2009

Security and Utility Linkfest Smackdown

I really want to fully dual-boot my Gateway MT6451 Notebook with Windows 7 but it only has a 120 GB Hitachi 4500 rpm drive and I am finding the free-space dwindling fast.

Between all the VHD’s and utilities I keep on it, there isn’t a lot of room for a 2nd OS, even if I go with the Dual Boot Windows 7 on Vista via VHD method.

Because it uses the “older” ATA-6 format drive support, I’m not left with many upgrade options that will give me both performance and space.  At the moment this Newegg.com offered Western Digital WD3200BEVE 320GB 5400 RPM 2.5" ATA-6 Notebook Hard Drive looks to be the best option as it give me the space bump I need as well as some speed increase; and the $99.00 price point is very reasonable.

Alvis and Lavie have some fiscal responsibilities that need to be met first before I can budget for “toys” but I might have to do my part to stimulate this sector of the economy very soon.

New and Improved

  • Autoruns v9.41 – Microsoft Sysinternals - “This release fixes a bug with the hide-Microsoft images options when the signature verification option is enabled.”
  • WhatInStartup – Nirsoft – It was a bit ironic seeing this new tool from Nir Sofer’s factory come out the same time the almighty Autoruns got a version upgrade.  In my mind, Autoruns is hands-down the best autostart entry explorer/tweaker there is.  However, that said, Nir’s tool does bring something special to the table.  While it doesn’t attempt to scan and display the full depth possible that Autoruns does, it does address all the most common areas that most users will need to be poking around in.  Furthermore, it can set to monitor the system and delete pesky auto-run items that will attempt to re-insert themselves back in. Or as Nir Sofer put’s it, “WhatInStartup also supports a special "Permanent Disabling" feature - If a program that you previously disabled added itself again to the startup list of Windows, WhatInStartup will automatically detect the change and disable it again.”  That could be handy when dealing with certain kinds of malware that attempt to re-spawn after removal and reboot. Well worth checking out and getting familiar with.
  • Spybot Search & Destroy competitors are trying to force its removal -- Security News – Betanews – Poor Spybot.  Once the darling of the malware-busting world, it has been a victim of it’s own success with a flooded anti-malware product market and now taking licks from large commercial anti-malware/anti-virus product corporations that seem to bully users into removing Spybot before installing their products. In some cases there may be some feature overlap which could cause conflict, but in most it seems to be scare-tactics.  While I don’t normally reach for Spybot any more on my cleaning jobs, it has been a rare product that has remained free and non-commercialized for a considerable length of time.  For that alone I keep a version updated and handy on my USB stick and keep an eye out for new releases.  With the team hard at work on the 2.0 release, I’m hoping they push through this name-calling and hit the next one out of the park.
  • Malwarebytes’ Anti-Malware version 1.36 – New version does some fixes and adds some more threat detections.  In my own malware incident response work, I prefer to assess the running processes and network connections, grab an image of the system/memory for later analysis, reboot with WinPE in “off-line” mode to manually clean-out the system.  However, if I am in a hurry Malwarebytes is the first anti-malware tool I generally reach for now.  I’ve had excellent success ripping out pesky stuff with this one on home service calls.  Couple this one with an USB based AV/AM Tool (such as VIPRE PC Rescue, or Kaspersky Virus Removal Tool, or the latest find, Prevx Edge) and you have a pretty powerful smackdown to share with the malware.
  • SpywareBlaster v4.2 – While this tool doesn’t “remove” malware from a system, it goes a long way to helping prevent it from taking root in the first place.  This new version works with Internet Explorer 8 and Windows 7 builds.  Other changes: K-Meleon support, Interface improvements, Enhanced support for Flock 2.x , Significantly faster "Disable All Protection" operation , Fixed recurring "run from Admin account" error, Fixed problems detecting some Firefox (and other Gecko-based browser) profiles, and additional small bug fixes, tweaks, and optimizations.
  • Wireshark 1.0.7 – This favorite packet-capture tool just received a good polishing to remove numerous bugs and vulnerabilities.  Nothing new in the feature department but enough was added to make it worthwhile to drop in and upgrade to this newest version.
  • VirtualBox 2.2.0 – While I do prefer VirtualPC 2007 for my workplace virtualizations (we are a Microsoft shop), there are time when I must have USB support (something VPC doesn’t offer) or I need to run Linux distros and certain ones just done behave under VPC.  That’s when VirtualBox really shines.  The last VirtualBox upgrade was a doozie and really whacked out much of what I had gotten comfortable with.  So I was prepared for more of the same. Fortunately, this upgrade/usage was much smoother.  Read the change-log for all gory details.  Suffice it to say that this is truly a major version upgrade with many, many performance improvements, feature additions, and the mandatory bug-fixes.
  • Parted Magic 4.0 – This Linux “LiveCD” distro recently got dusted off and jam-packed with some major fixes and upgrades.Hop the link to read over them all.  Well worth the time to download, burn, and add to your CD case.
  • SystemRescueCd v1.1.7 – This is another amazing “must have” utility LiveCD disk for system administrators.  It has a bazillion tools and useful things to keep systems up and running and to perform CPR in the event something really bad happens. ChangeLog covers the gamut of updates and enhancements added to this latest build.

For Sysadmins Only

  • Two Minute Drill: Performance Analysis of Logs Tool (PAL) – Ask the Performance Team blog – All you could possibly want to know and then some regarding the PAL tool.  From the post introduction: “Reviewing Performance Monitor Logs can be one of the most daunting tasks for an administrator, especially if it’s not something that you do on a regular basis.  The Performance Analysis of Logs (PAL) tool can read Performance Monitor counter logs and analyzes them based on some pre-defined thresholds.  PAL includes threshold definitions for most of the major Microsoft products such as IIS, SQL Server, BizTalk Server, Exchange Server and Active Directory.  PAL isn’t intended to replace traditional performance analysis – but, it can help to cut down on some of the analysis time.”
  • Engineering Windows 7 : Delivering a quality upgrade experience – All you want to know and then some regarding the upgrade options available to you under Windows 7.  XP to W7 upgrades aren’t possible…although (currently) one can do an in-place upgrade from Vista SP1 to W7 beta.  For many users, this means you have to transfer your files/settings to off-system storage media, do a clean install of W7, then put stuff back.  The upgrade process between W7 beta and W7 RC builds have also been set by Microsoft to require a clean install (in most cases).  However the post does detail a semi-involved process available (tentatively) to enterprise customers that will allow a bypass of the version pre-install check and allow a build-to-build upgrade in place.

For Hard-Drive Heads

In my recent Cleaning up the Attic: Convert command post, I documented converting (in place, files and all) three partitions on my desktop system from FAT32 to NTFS.

It was easy and painless.

However, Ronald and JC encouraged me to check the cluster size on the new NTFS partitions.  As Ronald pointed out (Default cluster size for FAT and NTFS – MS KB 140365) that using the convert command on some FAT32 formatted partitions results in sectors of 512 byte sizes, and not the default 4K size.  While generally not that big of a deal for home users, moving to the 4K sector size can enhance performance with copy/move file activity.

To perform the cluster size check I ran the "chkdsk X:" command where "X" was the drive letter.

As typical in this case, the covert command did NTFS format all my drives at the 512 byte size. My original NTFS system partition was already at the standard 4K cluster size.

One volume at a time, I copied the files off each volume, then reformatted each volume: format x: /fs:ntfs /v:label /q /y /x

Then I copied the files back.

The copy rate difference was amazingly (not really with the cluster size change) faster going back to the 4K cluster size partition than it was between the 512 byte cluster sized partitions.

I say all that to get to this point: while the chkdsk command is always present and handy for XP/Vista users, you may get some additional information in using it.  Depending on the condition and size of your drive, this can take a lot of time to complete.  It’s a bit of overkill when you just quickly and simply want to get some NTFS drive geometry data.

So I just so happened to be be covering the drive-storage chapter in my Microsoft Windows Internals (4th Edition) book this week and lo-and-behold I found a few more great tools:

  • NTFSInfo – Microsoft Sysinternals – This command-line tool quickly and easily shows you great information regarding your NTFS drives.  The command is simple: NTFSINFO [drive letter]  Then BAM! That’s it.  Take a look below at the instant data I got on my laptop’s system drive:
    • C:\>ntfsinfo c

      NTFS Information Dump V1.01
      Copyright (C) 1997 Mark Russinovich
      http://www.sysinternals.com

      Volume Size
      -----------
      Volume size            : 104328 MB
      Total sectors          : 213664499
      Total clusters         : 26708062
      Free clusters          : 14782470
      Free space             : 57744 MB (55% of drive)

      Allocation Size
      ----------------
      Bytes per sector       : 512
      Bytes per cluster      : 4096
      Bytes per MFT record   : 1024
      Clusters per MFT record: 0

      MFT Information
      ---------------
      MFT size               : 205 MB (0% of drive)
      MFT start cluster      : 786432
      MFT zone clusters      : 20116800 - 20168032
      MFT zone size          : 200 MB (0% of drive)
      MFT mirror start       : 13354031

      Meta-Data files
      ---------------

  • DiskView – Microsoft Sysinternals – Another great tool for looking into files/sectors/and disk-space usage.  This one is GUI based.  From the description, “DiskView shows you a graphical map of your disk, allowing you to determine where a file is located or, by clicking on a cluster, seeing which file occupies it. Double-click to get more information about a file to which a cluster is allocated.”  Want to take a look at the specific sector a file is sitting on? browse to the location and it will point out the details.  Then you can use a HDD sector viewing tool to quickly drill down to that particular section on the drive for eyes-on review.  Pretty cool.
  • Windows NT File System (NTFS) File Sector Information (NFI) Utility – This is another really cool command-line based micro-tool I discovered in the Windows Internal book.  Download and unzip the utility pack from the link above.  The NFI tool is “…used to dump information about an NTFS volume, and determine which volume and file contains a particular sector.”  run the nfi /? command to list the arguments and full roundup of features.  However, among the great things it can provide is the specific sector location of a file/directory (either contiguous or non-contiguous).  For an example, see the output when I wanted to see where the cmd.exe file is located:
    • C:\>nfi c:\windows\system32\cmd.exe
      NTFS File Sector Information Utility.
      Copyright (C) Microsoft Corporation 1999. All rights reserved.

      \Windows\System32\cmd.exe
          $STANDARD_INFORMATION (resident)
          $FILE_NAME (resident)
          $FILE_NAME (resident)
          $DATA (nonresident)
              logical sectors 4807656-4808279 (0x495be8-0x495e57)
          Attribute Type 0x100 $TXF_DATA (resident)

  • DiskEdit - Vienna Computer Products – While DiskEdit is a Microsoft product, it is a pain to get, extract, and then port to a portable version.  Vienna Computer Products’ Peter Kleissner did all the work for us and packaged up everything you need to get it going.  Thanks Peter!
  • Wayne’s World of IT: Viewing NTFS information with nfi and diskedit – Fast and easy to follow post that covers some more examples of nfi and diskedit tool usage.

Forensics and First Responder Finds

DEFT v4.2 DEFT Linux - Computer Forensics live cd – Hot off the presses.

I’m very impressed with this distro.

I’ve got another post building on this from a system-administrator’s perspective.  This version contains the DEFT Extra 1.0 (Gui, Forensics tools for Microsoft Windows and much more) tool on a Windows “auto-run” menu side.  This feature is in line with those that the original Helix CD’s contained.  Enhanced form of which can also be found on the CAINE Live CD.

Anyway…back to those in a future post.

While exploring the DEFT Extra utility inclusions I did spot two programs that I hadn’t seen before and were fascinating enough to want to break-out here for focus.

  • "PC On/Off Time" – freeware - Neuber software – This tool allows a 3-week window view of the system on and off times in an easy to read graphical view.  while not providing specific time information (down to minute/seconds) it does provide a fast way to assess system operational times.  For more detailed information you will have to drill into the System Event logs and/or registry. (RegRipper or Evidence Collector)
  • Nigilant32 - Agile Risk Management LLC – freeware – Very interesting tool that is designed to capture lots of information on a running system with minimal impact.  Includes the SnapShot to “…review and save a report of the running system that includes Processes, Services, User accounts, Scheduled Tasks, Network Ports, etc.” Then there is the Filesystem Review used to “…explore the file system and possibly locate hidden files or folders, recently deleted content, or extract files for offline analysis with limited risk of contamination.” And finally it has Active Memory Imaging to “…image the active physical memory (RAM) of the suspect workstation or server to secure portable media.”  All great tools during incident response and malware event capture and analysis. 

Oh yeah.  Did I mention it runs off a single ~750 kB exe?  Perfectly portable! 

For more awesome incident responder tools similar to nigilant32, check out MANDIANT’s Free Software roundup which includes incident first-responder tools such as memoryze, Red Curtain, and First Response.  All free and quite sophisticated.

Whew!

That was quite a roundup!

Happy Easter Greetings.

--Claus V.

Secure Drive Wiping postscript…

In a very recent GSD post Economic Stimulus Package Linkfest I covered the following items related to secure free-space disk wiping:

  • Eraser – Freeware secure erasing tool has gotten a radical site update.
  • Eraser 6-rc4 released! – Amazing new and fresh GUI to Eraser. Still has some bugs to be worked out. Looks like it will be a great update when finally released. Not sure if it will survive in a “portable” mode release as I think .NET will be required moving forward.
  • InstallingBetas – Eraser – Read this page as well as you need to download a signed security certificate to install the latest Eraser beta versions. Not that big a deal, but a bit of work.
  • Disk Redactor – New free disk freespace wiping tool (portable) that I found this week. I like the interface and it seems to run very fast.

Side note: Is it just me or do none of these freespace wiping program tools seem to work under Vista very well. I think I’m missing something here. I’ve been playing with them and I can run DiskDigger and find a large number of deleted (but recoverable) files. Then I do a freespace wipe (as admin level) using either of these tools. Then I rerun DiskDigger and the files are still all there and recoverable. Surely I’m doing something wrong? It’s not just the “names” but the actual files themselves as I can preview most of them just fine in the clear. Thoughts?

It took me a while but I eventually worked it out. Turns out I didn’t RTFM closely enough:

Turns out this issue looks like a "Doh!"moment. I went back and re-read the DiskDigger product info and on the page (linked above) found this tidbit: "Because DiskDigger bypasses the file system of the device being read, it will detect files that haven’t been deleted in addition to files that have. This means that you might have to sift through files that still “exist” in the file system before you find a file that’s actually been deleted. However, the Preview feature makes this process quick and painless."

Looks like the freespace was probably getting wiped effectively after all. DiskDigger is just displaying all files it finds. I'm going to have to retest with Recuva as I believe it only reports truly "deleted" files. That and do some sector-based testing as well (create file, observe sector location, delete file, wipe freespace, go back with sector viewer tool and see if now gone).

I did—in fact—go back and use Recuva to test a number of free-space wiping tools.

Turns out that Eraser appeared to offer the most effective free-space wiping solution when using Recuva to count the number of files that could be potentially recovered after free-space wiping.  There wasn’t much left to see after Eraser chewed on things.

In getting to that point as I was doing research, I located yet another tiny tool that could be used to clear free-space on a drive.

SDelete – Microsoft Sysinternals – This is a command-line only tool that has a number of flexible options for secure wiping and cleaning of free space.  It is tiny and relatively fast at what it does.  Mark Russinovich also goes into great detail explaining just what the tool does and why it is good information to know about.  Read the page closely to understand the command-line arguments particular to it as well as the method it uses.

Then there is the previously described…

cipher.exe -- nV News Forums.  Another command-line only tool that should be present on most XP/Vista systems, this Microsoft utility can also wipe out deleted files and remnants from free-space on a drive.  The basic command is CIPHER /W:directory  so to wipe the free space on your C: partition you would issue the command CIPHER /W:C:

Add these tools to the CLI tools those I have also mentioned here for whole disk wiping:

Team up XP/Vista’s DISKPART and the “clean all” command to zero out a physical drive, or try “wipe.exe” which is included as part of the Forensic Acquisition Utilities package offered by George M. Garner Jr.  I spent some time a few weeks ago playing with this one and it is very fast and full-featured. (for example: use the command: wipe –w 00 \\.\PhysicalDrive0 to irrevocably zero out the primary physical drive.)

Yes there are lots of other larger, GUI-based tools to secure wipe a disk/system/freespace, but with proper usage, these free and tiny CLI tools should cover most of your storage sanitization needs pretty well.

Want more information?

Secure Wipe/Delete Utilities - Provider Wiki – University of Pennsylvania information page.  Great overview discussion on secure wipe/delete tools with lots of great links.

Looking for something with more a more technical bent?

SANS white paper - Secure Deleting – Excellent paper from John R. Mallery and SANS Institute that details the whole package relating to secure deleting of file information on storage media.  Covers unallocated space, slack space, common files created by the system and applications that may contain useful information for forensic investigators and system administrators, methods of erasing data securely, verification methods, discussion of legal and ethical issues, and a lot of great links and reference material to pursue further.

Additional Grand Stream Dreams Subject Reading

Partition and Disk Management: Part IV – Secure Wiping – Grand Stream Dreams blog

Secure Disk-wiping Software – Grand Stream Dreams blog

Security and Forensics Roundup #4: Eyes on you – Grand Stream Dreams blog

Cheers.

--Claus V.

Chrome/Chromium Theming…maturing nicely.

hot-rod-chromium

cc photo credit: flickr by mikebaird

I’ve been still using Chromium for my side-browsing endeavors.

Daily trips to the nightly updates are a cinch with Dirhael’s Chromium Nightly Updater tool.

While I miss the power that Firefox Add-on extensions give me, I do really, really like the simple interface that Chrome/Chromium presents pages in.  It’s my #1 go-to when I need to leave a particular page up for a long time for the crew to view, or to do web-browsing within during a presentation.

The only “gripe” I generally have is that the default “blue” theme is just too darn bright and not sophisticated enough.

So I had found a nice black theme and replaced the default.dll file that runs the theme.

Turns out there are a lot of nice alternative themes and tools for custom theme building Chrome/Chromium.

You just need to know where to look.

Note: you have to be careful and know the build version of your particular Chrome/Chromium program.  If you don’t get the right version theme for your particular build, it might not be supported and will render your Chrome “chrome” a brilliant zombified “red” color.  That’s bad.

Chromium Theme Creator v2 - Google Chrome Forum – Great free tool that will not only teach you the inner workings of the Chrome “chrome” themes, but you can build your own and/or apply others you find.

How to create themes for Google Chrome – Chromable – Some basic info then links to some of the tools listed here.

Chrome Theme Updater v2 - Google Chrome Forum – Free utility that converts “most” older custom Chrome themes to a version that is compatible with newer Chrome builds.

[Tool] XChrome V6 - Google Chrome Forum – This freeware jim-dandy allows you to switch between various Chrome themes without having to do the manual default.dll file replacement normally required for Chrome theme switching. 

Cthemes beta - Themes 4 all – Large selection of pre-packaged Chrome themes.  Nice and polished.

Chromium Themes - Amazing collection of themes from Google‎. NHL team themes, NFL team themes. Vibrant color-scheme themes.

Google Chrome Themes – Previously linked collection of Google themes.  Got a really variety here.

True Live 2.5- Simple Beautiful Working Themes For Google Chrome - Chrome Plugins – This is ultimately where I got my black theme from. This was great for me as the themes are simple, monochromatic and come in three build versions; one for the current Chrome releases, one for early “nightly” Chromium builds, and one for more recent Chromium builds.  Pick the download pack you need and one download brings all the colors with it.

Google Chrome Plugins and Themes – Good third-party website for news on Google Chrome.

Google Chrome Addons, Themes, and Plugins – Another website which follows a small but growing number of “add-ons” to Chrome.

Chrome Addon: AdSweep a Chrome ad blocker – While not offering quite the aplomb and finish of Firefox’s Ad-Block Plus, this excellent work shows that hope is on the way.  Definitely worth looking into for hard-core Chrome users.

Chrome Bookmark Sorter Rearranges Bookmarks Recursively – Lifehacker – Developed by James Burgess, this tool lets one do a little bit more automated bookmark sorting in Google Chrome.  Sure you can still drag-n-drop them yourself all over the place, but if you need to do some bulk-resorting of your Chrome bookmarks, this might save you some time.

--Claus V.

Sunday, April 05, 2009

Economic Stimulus Package Linkfest

Lots of links. Just spreading the wealth around…

Side note: Is it just me or do none of these freespace wiping program tools seem to work under Vista very well. I think I’m missing something here. I’ve been playing with them and I can run DiskDigger and find a large number of deleted (but recoverable) files. Then I do a freespace wipe (as admin level) using either of these tools. Then I rerun DiskDigger and the files are still all there and recoverable. Surely I’m doing something wrong? It’s not just the “names” but the actual files themselves as I can preview most of them just fine in the clear. Thoughts?

Update -- Turns out this issue looks like a "Doh!"moment. I went back and re-read the DiskDigger product info and on the page (linked above) found this tidbit: "Because DiskDigger bypasses the file system of the device being read, it will detect files that haven’t been deleted in addition to files that have. This means that you might have to sift through files that still “exist” in the file system before you find a file that’s actually been deleted. However, the Preview feature makes this process quick and painless."

Looks like the freespace was probably getting wiped effectively after all. DiskDigger is just displaying all files it finds. I'm going to have to retest with Recuva as I believe it only reports truly "deleted" files. That and do some sector-based testing as well (create file, observe sector location, delete file, wipe freespace, go back with sector viewer tool and see if now gone).

  • HelixCE Community Edition - Download HelixCE200401brc1.iso RC1!!! – The community edition of Helix looks to be near relase. For some reason the ISO link isn’t working at the moment. Maybe it will be up early this week? Looking forward to seeing how the efforts are playing out here.

  • DEFT Extra (Windows Forensics GUI 1.0) and DEFT v4.2 DEFT Linux - Computer Forensics live cd – The DEFT crew is getting ready to release what looks to be a bang-up version this week. Looks to have an exciting “run-on-Windows” launching tool like CAINE or HELIX3 both have.

  • Ophcrack – New version with some new features is released.

  • Offline NT Password & Registry Editor – If you can’t crack it, reset it. I somehow missed that an updated version of this Windows 2000/XP/Vista/(Windows 7?) tool got released in August 08. Had to snag this newer version.

  • Offline-Update 5.2 with Internet Explorer 8 – New version now supports IE8 deployments (or not). Arguably one of the two or three best off-line Windows system updating and patching tools out there. If you are a sysadmin, you had better be familiar with this tool. If you are the family-IT support guy or gal, it is well recommended to keep an updated and packed version handy on your USB stick or CD before you go visiting.

  • PDFiD « Didier Stevens – Neat free tool to look for exploits in PDF files. Cool!

See ya!

--Claus

Clever Card Design

I was tasked with working up a new set of business cards the other day.

We’ve got some high-profile projects and are meeting with various vendors and the exchange of business cards seems to be in vogue again.

Were it up to me, I’d just write my name and phone # on a length of Cat-6 cable.  Pricy but does the trick.

Alas I was encouraged to look deeper for inspiration.

In that search I found these sites that offered some creative and out-of-the-box business card designs.  I’ve seen a few of these before, but were price not a concern, I’d be hard-pressed to not attempt at least a few of these cards.

I’ve since come up with some designs for our group’s business card with the helpful input of some colleagues.

Nothing near as fancy, but definitely an improvement over Cat-6 cables…

--Claus V.

Give IT a Break!

I read this news report the other day.

Then I made the mistake of reading the comments. Gratefully there were just a few.

I ended up with a super-long blog-post full of insightful commentary and inside perspective.

I scrubbed it.  Figured these things really won’t matter much in the big scheme of things.

Rest assured citizens of the State of Texas, I can’t speak for everything and everyone, but it is my personal opinion that your state IT shops and their dedicated staff are on top of things, making sure you get the most bang-for-your-tax-bucks.

We got you (the public) and the state employees who use IT hardware and software technology to serve you covered.  Whatever the operating system is, or must, or could yet be.

We get IT. And we make IT work for you.

It’s our job.

We do it very well and very professionally.

--Claus

Saturday, April 04, 2009

Cleaning up the Attic: Convert command

For logic that now seems a bit fuzzy to me, I made the decision when my XP desktop system hard-drive failed, to continue with the four-partition model.

C: = system drive - NTFS

D: = pictures – FAT32

E: = music – FAT32

F: = storage – FAT32

Long time ago we used to have dual-partitioned systems at work as the standard with the system partition being NTFS and the other being FAT32.  We did this as (at the time) there was a dearth of boot tools that could read NTFS volumes “off-line” for file recovery, but could handle FAT32 just fine.

So we would set the user’s “My Documents” folder to that partition so we could always recover them.

Then Linux allowed reading of NTFS volumes.

Then Win PE came along.

So it didn’t really matter anymore.

I think I probably kept with that model at home.

Anyway, these three volumes are the only ones left at home that remain FAT32.  All the other systems are NTFS now…all the way, baby.

So I decided to convert them to NTFS.

First I ran a defrag session on them.

Then I launched a CMD (command line) window.

Off the C: prompt I typed:

DISKPART

DISKPART > list volume

That 2nd command at the Diskpart prompt listed all the volumes/partitions on my system as well as the “labels” given to each one.

I then exited out of diskpart and ran the following commands, waiting until each had completed before doing the next.

convert d: /fs:ntfs

convert e: /fs:ntfs

convert f: /fs:ntfs

At each point after some checks were done, I had to enter the label of the volume.  I just referenced and used the information gathered from DISKPART.

Each volume took just under five minutes to complete.  No reboot necessary in my case.

When I was done, all my partitions are now running with NTFS formatting.

And in my case, no data was lost in translation!

Sweet.

More linkage

--Claus V.