Sunday, August 29, 2010

This Week in Security and Forensics: Beware the cake!


Cube Party! image used with permission from John Walker at ""

Yeah, the cake is a Portal thing.  Let’s dispense with introductions and get right down into it this week before GLaDOS barges in.


Not new but I think it is worthwhile to reflect on the impact rogue/fake AV products have.  Not only did I get the joy of cleaning one such infection off my own dad’s system, last week I painfully listened to another dear friend tell of dropping almost $400 to local PC shops to remove another such infection…in the end they just reinstalled Windows for him.  I told him to call me first next time.  My local pizza house rates are much cheaper, and I find it perversely fun to hunt and clean this stuff off a system.


Communicate. Luckily its victims were visiting, so we could pass along updates in near real time. Google and Bing helped track down users posting questions to online forums. I responded to each question with any information I had at the time.

People don’t run AV software. Seriously — you should at least be running something like MS Security Essentials by now.

Even cake is dangerous. One of the infections apparently happened while looking for pictures of cake on Flickr.

It’s my understanding that the free VIPRE Rescue tool can also cleanse it from a system.

The winnersMicrosoft Security Essentials, AntiVir, Avast, Agnitum, AVG, EmsiSoft, Eset, Kaspersky, Symantec, PC Tools, Check Point, Lavasoft Ad-Aware, Kaspersky and of course, Sunbelt and many others. 

  • Clam AntiVirus - Recently released in version 2.0.  This is not your father’s ClamAV any longer.  Now includes “cloud-based” protection engine and many more enhanced features.  See also VRT: ClamAV Release Announcements for a full detailing of the little devil.
  • Alureon Evolves to 64 Bit - Microsoft Malware Protection Center - This was fascinating and a sure sign of the growing prevalence of x64 bit systems.  Alureon is a rootkit that has commonly targeted x32 bit Windows systems.  Security teams noted the inclusion of an inert file called ldr64 as part of the file system.  Lately it now has morphed into an active version that can infect 64-bit systems.  Fortunately, it’s presence is detected by Microsoft Security Essentials and evidence is easy to find manually if running.  The Disk Management pane of Computer Managmenet console will be blank of all local HDD and DiskPart command doesn’t locate any disks when “list disk” is run.

Tips and Techniques

Making Material

  • Fundamental Computer Investigation Guide for Windows -- Microsoft TechNet -- Not sure where I came up with this. Dated back from 2007 but still is a small free resource zip file to download, read, and archive. Besides the primary information document, it also contains some DOC files to use as worksheets and templates…or as inspirations to design your own. Download

The Fundamental Computer Investigation Guide for Windows discusses processes and tools for use in internal computer investigations. It introduces a multi-phase model that is based on well-accepted procedures in the computer investigation community. It also presents an applied scenario example of an internal investigation in an environment that includes Microsoft® Windows®–based computers. The investigation uses Windows Sysinternals tools (advanced utilities that can be used to examine Windows–based computers) as well commonly available Windows commands and tools.

  • I’m not sure where I found the link from, but the US Justice Department’s CyberCrime Laboratory created an awesome Digital Forensic Analysis Methodology Flowchart (PDF link).  Print this one out. Study it, and keep it handy for review.
  • Just dropping this older GSD Post Focus on Forensics Linkfest in the mix here as it contains links to multiple templates and forms for chain of evidence recording and such.
  • Intro to Report Writing for Digital Forensics -- SANS Computer Forensic Investigations and Incident Response Blog -- Must read because it never is enough just to dig up the pieces during an investigation, to be successful you must document your process as well as present it in an understandable manner for non-technical folks to understand and technical folks to be able to validate.

Tools and Utilities

  • Quickpost: .LNK Template Update -- Didier Stevens -- tool update to now identify well-known Shell GUID’s as well.  See also his .LNK template post for additional info.
  • Fget -- (freeware) -- HBGary tool “…The fget tool forensically extracts files from raw NTFS volumes on remote windows systems in your domain. This tool works over the network and can extract any file (including those that are locked and in-use) in a forensically sound manner, without altering target filetimes or attributes. In particular, the tool can be used to extract files that are critical to timeline reconstruction.”  Spotted via this FGET: Network-capable forensic data acquisition tool post at Help Net Security.
  • Fingerprint -- (freeware) -- HBGary tool “…framework for scanning binaries (preferably binaries extracted from memory so they are already unpacked). It allows scanning for ascii/wide strings and byte patterns, then annotating results. Results are saved in an xml format and can be compared to previous results. The goal is to allow quick development of new search patterns and easy comparison to previous binaries.” Spotted in a great write up Open Source Malware Fingerprinting – Free Tool at the ESET ThreatBlog.
  • Historian -- (freeware) -- Reads history, bookmark, cookie and cache information for raw browser files from Gaijin software.  Recently updated to version 1.4.4.  While there are lots and lots of tools now to help with browser history examination, I still like having different ones at my disposal to give me flexibility in both analysis and reporting.
  • RegFileExport -- (freeware) -- It’s a new NirSoft tool!  This gem is a CLI tool to “…easily extract data from offline Registry file located on another disk drive. RegFileExport read the Registry file, ananlyze it, and then export the Registry data into a standard .reg file of Windows. You can export the entire Registry file, or only a specific Registry key.  RegFileExport may also be able to export some of the Registry data even when the Registry file is corrupted and cannot be loaded by Windows.  Check out the whole page to get the usage and “more information” areas understood as well.  It can even handle extraction of Registry data from XP restore points!  “You can find the Registry files of every restore point under C:\System Volume Information\_restore{guid}\RPxxx\snapshot. However, you must change the permissions of this folder in order to access these files, or alternatively, you can run cmd.exe as a SYSTEM account (with 'at' command), and then you'll be able to access this folder and the Registry files that are stored in it. Be aware that the _restore{guid} subfolder also has 'hidden' attribute.”  Sweet!
  • TinEye Reverse Image Search -- I thought this was cool.  Suppose you come up with a image file that appears to have been downloaded from the web, but you don’t have a context for the source?  You could try TinEye to see if you could find locations where the file came from on the Web.  While it would be difficult to say with certainty that was the source, it might help provide some interesting information especially if taken as part of a larger context of data.  via Idée Labs

Mostly Wireless

I had spotted that the next two items were recently updated and then decided to go ahead and list other wireless-related utilites since birds of a feather…well…you know…

Oh those DLL eyes

  • It’s those darned DLLs again... -- Windows Incident Response blog -- Probably the very best roundup and review of the latest DLL “vulnerability” now capturing the attention of the for/sec groups since the .LNK brouhaha. 
  • Malware Persistence without the Windows Registry -- M-unition Blog -- Noted here both for the great technical explanation of the issue as well as the provision of a free tool to help assess the situation on a system.  From Nick Harbour’s post:

I’ve written a program to identify all locations and filenames that a DLL could be placed to achieve persistence on a given system.  The idea is that you can run this program on a clean (Gold Image) system and forensically search for any DLL name listed in the output on a machine you suspect of being compromised with this method of persistence. 

The program examines running processes and determines hijackable DLL locations by the following properties (applied to each loaded dll in every running process in the system):

  1. The process executable that loaded the DLL is not located in the System32 folder
  2. The DLL name is not found in the KnownDlls object
  3. The DLL is not found in the same directory as the executable

Any loaded DLL that contains all three properties is susceptible to being trumped by search order hijacking.

The tool (compiled and source) to identify possibly malicious 32-bit DLL locations from a clean system can be found here.

You have to run it from the command line and it requires "elevated" or administrator privileges to run.

Also, the output will be to the CLI window. Depending on how much data you have you may not be able to see all the results.

Try "piping" the output to text with a command similar to below. Then when done open the resulting text file in notepad.

finddllhijack.exe > dllwatchlist.txt

Worked great on my x64 Windows 7 Home Premium system and I got output of a total of 560 different dll files/locations to keep an eye on.

"Here be Dragons" caution: This tool doesn't provide a "smoking gun" to any actual malware-based dll's or vulnerabilities. So please don't go deleting stuff just because it shows up here. That's not the point of the tool. It does help collect information about potential targets for the examiner to then consider with the points made by Mandiant above.

Returning to the linkage roundup…

Finally let’s let Microsoft give us all the remaining bits of the scoop from their perspective.

As well as their tool to help mitigate the issue (platform specific tool download links at the bottom of the page).  Just read well to understand the tool and how it works before using!

And if you haven’t guessed it, this is just a new resurgence in an old exploit.

Yes my friend, only eat the cake if you dare….

--Claus V.

Saturday, August 28, 2010

Oh for the love of Pete!

Seriously Dell.

So about two weeks ago I assisted a dear older friend of mine with setting up his new Dell Studio 16 system.  What followed was almost a repeat of Dealing with the Dell … 2010 Edition that I had done for his Inspiron desktop system back in March 2010.

We didn’t touch that system but only copied his user folder files (my documents, my pictures, etc.) over to this new system.

Case closed.

Only he called me back the next day to report his desktop system wouldn’t turn on. Something about it coming up in “power-save” mode on the monitor and then nothing.

I swung back over the following night after work and took a look.

The “power-save” mode message was a red-herring as that was his LCD display displaying that message.

He said the day after I had left, he came in to find it just dead.

I hit the power-button and got the BIOS, then it went into the Windows 7 “Safe Boot/Normal Boot” option.  Then it went dark.

No biggie, I punched the power button again but got nothing this time, not even BIOS.


Suspecting a loose power-cord I eased the unit out of the desk cubby to pull/replug the power plug into the PSU, only I heard a strange deep grinding noise.  Odd.

So I unplugged all the cabling, set the case on the side, and opened it up to inspect.

Everything looked OK, but then my eagle-eyes caught that the heat sink seemed a bit off-kilter.

Closer inspection found this indeed was the issue.  It looked like the clip holding the fan/heat sink to the core had popped loose.  The loose heat sink banging against the case lid was the noise I had heard.Photo0349

I went to reattach it and found the core problem.

If you look at the image to the left, the top area outlined in green shows the plastic knuckle the single spring-clip attaches to on one side of the core.

On the bottom can be seen the second mounting point…only the plastic knuckle for the clip has broken off.  (I found it after a bit of searching in the case.)

So the final root cause analysis is that the plastic knuckle failed (defect?) causing the heat sink clip to no longer apply tension to the heat sink/cpu.

The contact had become loose enough now that the CPU could not cool and at boot, got hot and tripped the thermal safety fuse, shutting down the system and preventing boot.

No telling how long things had been this way.  Since the orientation of this desktop model is tower-based, the system board is vertical so it is possible that gravity and thermal-paste adhesion allowed the heat sink to make just enough contact for the heat-transfer to continue for some time.  Just fortunate the other clip end held to keep the block of aluminum from crashing loose down the system board all this time, including my blind removal of the unit from the desk cubby.

It was late so I gave him all the information to provide to Dell support (it was under warranty) the next day. Serial Number/Service Tag, Express Service Code; tell them the plastic mounting bracket that attaches to the system board has failed, heat sink not coupling to CPU causing the failure and you need a replacement. The fact that I initially saw a normal BIOS/Windows boot recovery screen made me feel the CPU itself hadn’t burned up earlier. Case closed. 

FAIL #1 -  My dear friend called Dell the next day and spent an hour with tech-support. They were following the handbook troubleshooting flowchart and wanted him to allow them to remote attach to the system so they could diagnose what was failing themselves remotely.  Goodness.  No boot.  Good luck with the remote attach and control there Dell overseas support.  He gave up in frustration.

I came back again later the next day and made the call myself.  When we finally got our call picked up, I passed the information over to the dear Dell support rep for the system, then simply explained what the issue was, that I needed a replacement mounting bracket. “We’ll send a motherboard, memory, PSU as well just to be safe.” was the reply. 

My friend was amazed.  I guess I deal with enough PC support vendors at work that I just talk the geek-talk directly with authority and am not challenged. Five minute discussion with me verses a hour for him. Go figure.

Two days later the Dell tech contractor rolled out and changed out the motherboard entirely, and PSU for good measure.  This set the stage for…

(Note: Fail # 1.5 -- the Dell rep didn’t bring out any fresh thermal paste with him.  When challenged by my friend on this (since I had mentioned it to him) the rep said something to the effect that there was enough still on the pieces anyway and that removing the paste already on there to put fresh paste on would lower the thermal performance. WTF?)

FAIL #2 -  My dear friend called Lavie the next day asking if I could help him again as now he has a black desktop wallpaper and the system says it is running counterfeit software!

As Lavie repeated their conversation I knew exactly what happened.  Sweet Jebus, Dell!

Stopping by again on the way home, my friend explained how he had spent another hour + with Dell trying to solve this on his own with them.

After repeated attempts by him to enter his Windows 7 key code (copied from the label on the case) he and the Dell rep gave up as it wouldn’t “take” for some reason.  The Dell rep then had him boot into the Dell recovery/diagnostic partition and told him to do a system restore.  Thank goodness my friend had the presence of mind to ask “Won’t this delete all my data?”

Yep. Said the Dell rep. But it was the only way to get his system back again since there obviously was an issue with the product key.

So my friend hung up and called Lavie to send me over.

I got there, fired up the system, went to the product (re) activation area on the system properties window and selected “activate by phone”.

Awed, my friend watched as I fed in the numeric code the system had presented me and then entered in the response code echoed by the automated Microsoft system.

Accepted, activated. Rebooted. Done.  Moving on.

Because Dell had chosen to replace the entire motherboard, rather than just taking off the plastic mounting bracket from the good motherboard and swapping it for the bad one, the system board had changed tripping Windows 7 internal anti-piracy measures and required a product reactivation.

To make matters worse, neither Dell rep (in person or on the phone support line) had even suggested he just attempt to activate over the phone when the on-line method failed.

So now he is up and moving along just fine again, and swears he will call me first before calling Dell ever again.

How’s that for customer service?  I’m sure my check from Dell is in the mail right now.

--Claus V.

Windows Utility Toy-Chest Roundup

Way back when I was a little tot, we got hauled every six months to the family dentist.

After a cleaning/filing as needed, we got the joy of picking something out of cardboard “toy-chest”.  It had the usual toothbrushes and dye pills to see what a sorry brushing job you did (great for Halloween and vampire play) along with some cheesy plastic toys, pencils, and if you were really lucky, you might be able to find a tiny (but functional) sytro-plane to punch-out and play with.

So this will be a real grab-bag of sorts, but I’m sure there is something here for everyone!

Video (mostly Flash)

I continue in my search to find a good/quality way to convert the standard-capture direct-to-DVD video output we are collecting at the sound/video desk at church into a more web/user friendly format.

For each service we capture video/audio feed and pipe it through a mid-level video mixing board into a DVD recorder which writes it to the disk; finalizing after the service.  I suppose we will eventually pipe the output instead into our PC system digitally and then edit/press it to DVD for church members when requested…but for now, I’m working with reprocessing already pressed DVD disks.

So what I have to do is to rip the DVD back into a digital video format, edit it in some cases, then resave in a more web/PC friendly file format.  I had been trying to convert into Windows Movie Maker friendly format but the quality is still not yet what I want.

So I decided to see if converting to a Flash format would work better, and in many ways I am much more pleased with the results, though it does bring new ones.

(Tips and suggestions welcome here from the GSD fans in the know of such things….)

Generally what I do currently is to import/convert the DVD Video_TS file into a FLV file.  Then I use an FLV editing app to trim it up a bit (or extract the message section if just that needed). Then I re-save and share the resulting FLV file.

While it is a bit different from my Windows Movie Maker work, I have found at least two decent freeware tools that allow simple editing of Flash video files:

  • RichFLV – Apollo FLV Editing Tool and RichFLV – Apollo app updated - This is cool in that it is an Adobe Air based solution.  The results are quite good and it is fairly intuitive to work with.
  • Moyea FLV Editor Lite - Also free and has quite a lot of features to do basic/medium-level FLV file editing.  The interface is easy to work with.
  • Adobe - Flash Quick Starts: Using Adobe Media Encoder CS4 - NOT free and not really a FLV file editor, however leave it to Adobe to deliver a pretty powerful solution to import and encode video media into FLV format.
  • Format Factory - I have traditionally used this program for my DVD to video file format converting. It is updated regularly but I am still trying to dial in the best conversion settings for best quality.
  • Koyote Soft - Offering both a free FLV converter as well as a more robust Video converter application, I’m trying to see if these provide any better quality.
  • Freemake Video Converter - Another free DVD ripper/file-converter I’m fiddling with.  Review here from Freewaregenius.
  • Pazera Video Converters Suite 1.2 - This is amazing.  I have used other Pazera video converting software before (MP4-AVI) but this suite gives you everything for free.  They don’t use a lot of eye-candy but the no-nonsense approach gets the job done in a well organized manner..  Definitely worth keeping in your kit.
  • Hamster - Another oft-mentioned freeware video format converter. Added to my download pile to review and testdrive soon.
  • XMedia Recode (Google Page Translate) - Freeware German (English language support included) that is recently updated.  Features include auto-cropping, color correcting, drag-n-drop encoding, zooming (none, letterbox, media, pan/scan, fit-to-screen), volume correction/normalization, and many more). In both an installable and “portable” edition. Cool.
  • WinFF - Free Video Converter - The real plus on this one is that it supports both Windows and various *Nix versions. It’s actually a GUI wrapper for the CLI video converter FFMPEG
  • HandBrake - One of the major players in video conversion. New builds include x64 support. Drawback is that newer version also outputs to MP4 format so other desired video file outputs are not available, or have to be re-converted.  Earlier versions can still be found with wider output support, but without the enhancements from the newest versions.  But hey, it seems to be primarily geared to the Apple playback device support.
  • Free FLV Player for Mac and PC - I love keeping this gem on my USB stick for fast FLV file playbacks.

For the Sysadmins

Laptop Lust

I’ve been on the prowl for a new higher-end laptop for home to replace my bedraggled Gateway MT6451 Notebook.

I’ve actually bit the bullet and after much work, saving, and research picked out what I hope to be a portable-powerhouse.  I’m saving the big announcement for when it has arrived but until then, here are some systems I considered along with laptop review sources I found beneficial.

…and I’m finding it really hard to wait on FedEx!  Delivery may be mid-week.

In my research and work I was particularly impressed by the following laptop review sites.  They were exceedingly thorough and helped me to make my final decision.

Misc Utilities of Note this week

Sound(s) Great!

Nature Sounds - Fun and clever (and easy to use) nature-sound generator.  Build your mix then export to file.  My favorite mix was “Creek” + “Darth Vader” + “Children Giggles” + “Cat Purr”. I could just imagine Vader sitting in a public park alongside a creek, chillin out watching kids play on the playground, chatting up with the moms, and petting his cat fluffy.  Spotted via Download Squad.

That post then introduced me to SimplyNoise - “The Best Free White Noise Generator on the Internet”.  Besides the quick white, pink, and brown noise generations, they also have some free “advanced” download file Soundscape - Thunderstorm (60m) for relaxation as well as others for a donate+download availability.

Browser News


--Claus V.

Saturday, August 21, 2010

Making Material and a PSA video

This past week (as well as the prior one) have been fairly slow on the “new app” front.

I’ve been collecting these links for a bit so here you go. Pick ‘em over, yard-sale style.  No rush.


For social American cultural redemption from the above Elyse Porterfield and Angelina Jolie yumminess link and comments, I offer you this video.

Soldiers returning from war surprise kids, loved ones. NSFW b/c you will bawl your eyes out (video) - TheChive

FYI, the song synced in the video is "Praan," by Garry Schyman.  Interesting but wonderful choice.

Saw this one at my bro’s last week with my mom and had to fight back the man-eye-sweating.  Damn, hate it when that happens.

Back to normal Linkfest programming…

  • Introduction to the new Sysinternals tool: RAMMap - Ask the Performance Team -Granted RAMMap isn’t really that new anymore but this is indeed a great introductory post on the utility.
  • The Mystery of the Missing Memory -or- It Pays to Know Your Hardware  - Ask the Performance Team - Awesome troubleshooting post that introduced me to the Redundant Memory, or RAS Memory Mirroring feature supported in some server hardware BIOS systems. Cool!
  • OutlookStatView -- NirSoft utility updates.  “Added 'Add Header Line To CSV/Tab-Delimited File' option. When this option is turned on, the column names are added as the first line when you export to csv or tab-delimited file.” and “Added 2 new columns: 'Average Incoming Messages Size' and 'Average Outgoing Messages Size'.”
  • OutlookAttachView -- NirSoft utility update.  “Added support for embedded message attachments (attachments of another message). These attachments are saved as .msg files that can be opened by Outlook.”
  • NK2Edit -- NirSoft utility update.  “Added 'NK2 Control Center' which allows companies to watch the status and the location of Outlook AutoComplete files (NK2) in all computers.”
  • Roadkil’s Unstoppable Copier -- Recently bumped up to v5.0 “· Now supports unicode, automatical system shutdown and basic context menu integration.”
  • FileZilla - The free FTP solution and FileZilla Portable. I’m having to play with this tool now a bit at work and also found this recent post Top 3 FTP Applications for your Windows PC | The Windows Club offered some alternatives as well.
  • SunlitGreen -- is a new source that has some light-weight freeware photo image management tools well worth checking out. Lifehacker featured SunlitGreen Photo Editor in a recent article.
  • WirelessNetView -- Nir Sofer tool update.
  • altdrag - was a tiny tool highlighted by CyberNet News to help manage “lost” windows that open on a phantom position when you have removed a dual monitor output.  Sure if you are in Windows 7 you can do that natively.  My favorite freeware power-tool to do this is Window Seizer. Works on all my systems from XP to Win 7 x64 just fine. It has lots of other features as well for Windowed management.  See also: WinSize2 and the WindowPad projects.

Windows Program Launch tools

Note: I know there are LOTS of other great app-launchers, not just these.  I’m only focusing on “dock” style launchers in this conversation.

Nexus -- I’m going to follow up to this blip in a later detailed post but for now, know that I have upgraded my Windows dock utility from the GSD-beloved free RocketDock application to the spanking hot Nexus dock system on my Windows 7 x64 platform which I had to destroy as noted in my last post.  RocketDock is not specifically offered as Windows 7 compatible, though it generally plays well on my system, it is prone to issues with startup and shutdown of the system.

So I did some research and came up with Nexus.  It is very mature and come is both a free (full featured!) version and a “Ultimate” for $ version.

It supports Windows 7, has all the eye-candy and high-res icon support you can want. Nice defaut skins and icon-action management options.

For a tiny version on Windows 7 systems, check out Ali’s Dünnpfiff’s free Jumplist-Launcher.  It took me a while to get familiar with it (not because it is technically hard, just a different way of interacting with an power-icon).  It is now my preferred quick-pick launching solution on business systems I use as it is more sedate but just as useful as the eye-candy of Nexus.

Of course you can still go “old-school” even in Windows 7 and use a Win2k/XP style “quick-launch” toolbar on your taskbar/superbar. Quick Launch - Enable or Disable - Windows 7 Forums

Want more options?

Finally, not related, but I found this tool as well supporting customization of Win 7 logon screens.

It has a lot more options and logon screen control setting tuning options than my oft-usedWindows 7 Logon Background Changer tool.  I still also deploy the FxVisor Shortcut Arrow (method two) tool to minimize but retain the Windows Shortcut symbol applied to shortcut icons.  Frameworxx looks to have disappeared but the VistaForums hosted downloads are still kickin.


--Claus V.

Bending “Bend” and Related Miscellanea

A few posts back I made note of a sexy new notepad application for Windows 7 systems

Bend - A modern text editor -- (freeware) -- a positively beautiful GUI with an almost zen-like quality.  Spotted via Tenniswood Blog.  Windows 7 only.  Stunning.

The ever practical How-To Geek has a detailed walkthrough as well with lots of images : Edit Your Text in Style With Bend.

Granted, it was a bit slow on launch (at least on my Win7 system), coders reported some of the supported syntax highlighting was off, and internal search didn’t quite deliver all the goods.

Overlooking those minor quibbles, it is a great first-delivery in a new application GUI design paradigm for most users.  It simply looks stunning in simplicity and breaks decidedly with the typical Windows application form, including the Ribbon style.

Only one thing.  You can’t officially have it any more.

In echoes of Right Said Fred, “Bend’s too sexy for my Window, too sexy for my Windows, too sexy it hurts….”

Seriously, not too later following Bend’s public splash and meteoric rise on it's home on CodePlex, this mysterious notice appeared on the How-To Geek’s post.

*Update* – It looks like the developer has removed Bend from the CodePlex page. We are trying to find out what happened and will keep you updated!

Hmm…Indeed, for days the Bend link would only return directly to CodePlex home page.

Now, it at least falls on a Unpublished Project Page for Bend.

The mystery swirls!  Was it powered with escaped alien technology? The MiB? Did the Men from Redmond find it was too sexy and violated Windows development EULAS?  Did Apple perform a buyout to prevent Windows from moving in the All Things Beautiful™ land that they own for computing resources?  Where is the Mystery, Inc! gang when we really need them!

The Windows world needs more application design like Bend!

Lacking any news on what happened with the developer and the project pull, I set about working on an alternate mystery…where was the application stored on my system…and could I possibly port this Windows 7 goodness over to my XP system?

The Bend download actually appears to consist of a web-based “seed” installer that is reminiscent of the Windows Live mechanisms.  Once executed it retrieve the main file set from the Net.

Unfortunately for me, I had done a CCleaner and CleanAfterMe pass on my system shortly after installing and scrubbed all these juicy bits away.  I suppose I could have dived into my Shadow Volume stores but this is more fun.

I figured, maybe I can just copy the program’s folder to a USB stick and fire her up on my XP system.

The quickest way I know how to find the executable on a installed program is simply look at the target properties for the shortcut icon placed in the start menu list.

However this doesn’t help with Bend as it is really a “break-the-mold” app.

Turns out this icon is a “ClickOnce Application Reference (.appref-ms)” link.  Goodness.  That means if you follow the target path you will end up at somewhere like

C:\Users\profilename\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bend\Bend\Bend.appref-ms

Decidedly not helpful and a portent of new kinds of shortcut links to come (and more headaches for examiners and sysadmins no doubt.)

Aside #1 - ClickOnce Application Reference (.appref-ms)

Nir (not That one) describes it thusly:

If you open the appref-ms file in a text editor you'll see it contains the Url for the application, culture, processor architecture and key used to sign the application, so yes, it's just a link.

The difference between those "Application Reference" files and shortcuts (.lnk) is that the application reference points to the original application Url and not the location of the exe on disk, when you run the appref-ms file the system knows how to find the copy of the program on the local disk and run it from there without accessing the Url (this is not accurate and depends on settings in the ClickOnce manifest, but its a close approximation).

DotWhat.Net has more:

The APPREF-MS file is an application reference file that is used by the Microsoft ClickOnce deployment system in order to install, update, and run remote or local applications.

The APPREF-MS file and the correspoding APPLICATION file is part of the .NET framework and give the remote or local link to the application that is to be run; this link also contains information relating to the updates for the application.

These files are created by the Microsoft Visual Studio software for application development.

Johnny Coder has great info on how this interfaces with AutoStart: ClickOnce Run at Startup

Finally, CODE Magazine - Article: Welcome to the Future of Deployment has on page #3 a more detailed presentation by Craig S. Boyd.

In the case of an installed, offline-available, ClickOnce application, the ClickOnce installs the application in the user’s profile directory. Every user that installs the application on a given computer will end up with their own profile’s isolated installation. The directory into which an offline-available ClickOnce application is installed looks very similar to the following:

C:\Documents and Settings\Profile Name\Local Settings\Apps\2.0

ClickOnce’s installation routine does not simply creating an application directory based on the Product Name and install all of the application bits into it. That would have been too easy. The scheme that Microsoft has devised is much more complex and it involves having the components that make up the application installed in a lot of different directories and subdirectories beneath the 2.0 folder shown above. ClickOnce installs the application in one location, the data in another, and the manifests in yet another. The install is essentially compartmentalized.

Back to White Rabbits and Alien Ninjas

Opening up the Bend.appref-ms reference found on my system, in Bend, resulted in this:, Culture=neutral, PublicKeyToken=0000000000000000, processorArchitecture=x86

Yes Sally, that was a non-local hyperlink reference.  Clearly this is subversive alien technology (or for you few Last Exile fans, maybe Guild managed) released from 1 Infinite Loop, Cupertino, California Area 51 designed to phone home at launch.

I suppose I could have done the easy thing and just launched Bend and peeked at it’s image path in Process Explorer.

Nay. I launched Process Monitor and launched Bend to arrive at the location on my own system:


That’s exactly where any user would have expected it to be!

Underneath there are four more alien technology based directories containing various files:


And of course, logically we will find the application executable under the clearly named bend.exe_0000000000000000_0000.0008_none_fc971fb0826fb84c (nope) bend..tion_0000000000000000_0000.0008_bb2abada039deb14 folder!

Having read all the above side-bits on this appref-ms file stuff, I clearly realized just how important all those other folders really were.  So I copied the main 3KOVR9H8.BMY folder and subs to my USB flash drive.

Then making sure that my XP Pro system was able to receive the alien technology (it was, having the required .NET 4.0 installed), plugged it up and drilled down and launched the Bend.exe file.

It worked, and did launch much faster than on the Win7 system.

So yes, if you have these files, and .NET 4.0 you can take Bend with you to Vista/XP just fine.

Unfortunately, if you just have the Bend installer, you don’t have Jack as the Bend source server isn’t available to pass you the files once run.

I suppose I could package up these files from my system and give them too you, but I’m worried for my safety now that I’ve shared all this fascinating goodness.

So I’m going to let them chase “Juan” from the How-To Geek post’s comments who said this:


Hey, I got it when it was still from Codeplex, though this is not the installation, it is the actual contents from the app. Enjoy!

I checked Juan’s file/contents, and at the time of my access, it did match the contents of my own bend.exe_0000000000000000_0000.0008_none_fc971fb0826fb84c directly perfectly, though Juan did not bother kindly to include all the other alien technology folders as well.  Seemed to work OK though without them.

At the same time I have been writing this post, I have also been concurrently performing the Gutmann method, burning, shredding, and letting a 2-year old borrowed neighborhood child with loosely attached sippy-cup lid to render my blogging system laptop non-functional at the time of writing this post.  Oh, I’m also right now tossing it into my father-in-law’s fish-pond with the old DISH Network disk to swim with the catfish.  This should sufficiently ensure that alien ninjas nor MiB nor Apple execs will not be concerned and disappear me like they did Bend’s developer.  Like I said, go find Juan.

Don’t feel bad for the loss of my laptop.  I’m waiting on a humble little new Dell i7 core laptop so I can putter around safely…free of this heady ClickOnce Application Reference stuff.

Then again, maybe the developer got CodePlex servers hammered with the downloads and distribution/ ClickOnce Application Reference design model and had to yank everything and regroup.

Nahh..that would be crazy talk.  I like Apple alien ninjas better.

More Notepad / Notetaking Software


Bend really is spectacularly sexy in design and getting there in function.

That said, I can’t see any way I currently could leave my trusted and highly-recommended high-production text editors for it anytime soon.

None of these are particularly sexy though they are all very robust.

If you do want a deliverable Notepad alternative that is more “girl-next-door sexy (SFW)” than the sophisticated “Euro/Metro sexiness (SFW)” of Bend, consider bringing FluentNotepad home to meet the folks at Sunday brunch.

It does have that pleasant and predictable Windows Ribbon working for it grandma likes.

See also:

Then there are these spinoffs that aren’t notepad apps, but do have the minimalist form for text composition:


--Claus V.

Thursday, August 19, 2010


The other night I heard something come matter-of-factly out of my dear teen daughter’s mouth I never thought I would hear.

”Dad, I’ll need some help getting the meat off the door hinge.”


I had been working later than normal that night and Alvis was hungry.  So she decided to cook a full spaghetti dinner (it was ymmers btw) instead of waiting for me to get home and cook as I typically do. 

So she did. 

The post culinary creation in the kitchen was quite high with pots, pans, etc.  So as I looked at it upon coming home, she assured me that she would be cleaning it up shortly (I later helped), but wanted to know she did experience some meat-loss during the meatball production process. 

Apparently one escaped in the forming process and fell down the cabinet front clipping a cabinet door hinge in the process.

By the time we got to cleaning the meaty bit had dried enough to be popped off the hinge with no fuss. A spray down with some bleach countertop disinfectant spray sealed the deal.


That’s my Alvis…

--Claus V.

Saturday, August 14, 2010

Browser Quick List: [Ref Only]

It’s been a while since I posted a single-source reference for web-browsers I use and deploy.

Dumping these links here for reference only.

Use them as you will.

That should do it for now.  May be updated later.

Since you scrolled down this far:

Claus V.

Sunday, August 08, 2010

Security and Forensic Link Roundup: Floating Lantern Style


cc attribution: “Hiroshima Day at Töölönlahti, Helsinki” by /kallu on flickr

Well dear friends, I find that another weekend has slipped through my tippity-tappity fingers.  What with being on call-duty, the usual round of household chores, and a good two-hours of application crash-dump generating under various circumstances, where does the time go?

Here’s a last round of posting of a more security/forensics bent, offered like one of those little lantern boats released on the water at night.

Forensic Thoughts

Seems like newer blog template updates have been popping up in more than a few places.  Eric Huber at A Fistful of Dongles also updated the look of his blog…in no small part spurring me on to even greater tweakage this weekend here on GSD.

Eric didn’t let that stop him from making some great posts…such as Stop, Children, What’s That Sound? touching on Super Timeline perspectives.

Hard-drive gurus may want to take notes in this SANS Computer Forensics Investigations and Incident Response blog (can we find an acronym; SANS-CFIIR blog ?) Windows MBR and Advanced Format Drives (e512).  Great additional documentation links at the bottom.  While the Trusting Your Tools article by Joe Garcia reminds us all that you really need to know, understand, and be intimately familiar with the tools that you apply to your work.  I really like how Joe points out that it is good practice to test output by comparing the results from several similar tools.  If you are expecting the same thing but getting different results either the tools are actually operating differently or something else may be afoot!

Harlan Carvey is back fresh from a mission of mercy and his Updates post over at the Windows Incident Response blog is great.  Chock full of examples, analysis and encouragement for responders to keep their best sword sharp by taking advantage of “practicals”.  As I’m getting my feet a bit wet in the network area, I’m finding tons of challenges and puzzles offered by the best teachers there are.  These are great ways to learn and stay sharp.  And Harlan ties up the recent Stuxnet/LNK mess with some artifacts to dial in on.  While you may not run into this, the lesson and principles are great to keep in mind for future encounters of all kinds.


CSI:Internet – PDF timebomb - The H Security -- Great multi-page case illustration of a PDF based malware “attack”.

Hidden past Twitter-talk post Tweeting Forensicators, Eric Huber slips in another sad lesson to be learned in his “Reason #217 Why You Shouldn’t Hire A “Computer Guy” To Do A Forensic Examination”.  Linking to Lee Whitfield’s How to do the Worst Job Possible post, we see in all the sad glory yet another mixed up “incident analysis” by an IT professional who knows too much of nothing for our own good.  This is a topic that Harlan has mentioned as well.  It is a drum I beat on over and over in our own IT shop.  The IT guys and gals who are the foot-soldiers run across more than their share of incidents almost daily.  In most cases because there is sadly no real “incident response plan” or framework in the organization, it usually boils down to them pulling the network cable, maybe collecting a system log file, wiping the system and putting a fresh image on. The the system (and user) is put back into service. Production is king.  There needs to be a plan in all IT shops, everyone needs to know what it is and how to execute it--autonomously if need be--and where their skill set begins and where it ends in application.

I’ve been begging for a while for a chance to take some SANS incident responder courses.  As we don’t have a training budget, I remain waiting for one to roll though Metropolis here again and hope the budget gods will bless me.

Eric’s link jarringly reminded me fresh of the “expert” testimony given in the infamous Julie Amero case. Fortunately, Alex Eckelberry and team were able to provide a good example of what true incident responders are capable of: Sunbelt Blog: The Julie Amero forensic analysis.  A review of their top-shelf work here (pdf) still is worth reading almost two years later. I think that was a watermark event and it now is featured in more than one forensic book: Sunbelt Blog: Julie Amero case featured in new forensic book (…the section on Julie’s case is available as a free download here (pdf) starting around page 34.)

And “sausage maker” DC1743 shares great detail in his real-world work place blog pieces:

Digital Resources

Staying current with forensics news and information is both easy and challenging.  Easy in that the Web (and those kind folks/companies who toil at their keyboards uploading their field notes and practical information) creates an open classroom for learning and information exchange, challenging in both finding new and fresh material, but even more so in the growing mass of flotsam and jetsam the rising Web tide brings in.

Here are a few digital resources (most all free) that I look forward to regularly to help me stay current with security and forensic trends and news.

  1. Into The Boxes - “…an e-magazine covering issues concerning Digital Forensics and Incident Response.  <snip> Into the Boxes will provide technical and managerial articles and information relating to as many challenges facing the security community as possible.”  Check out Issue 0×1 (pdf) and Issue 0×0 (pdf).
  2. Hakin9 :: Magazine - great incident and security perspectives and material.
  3. (IN)SECURE Magazine - covers a wide range of inward and outward facing security news and information.
  4. TechNet Magazine Home Page - I’m including Microsoft’s Windows-centric technical journal here because as a sysadmin, I believe that it isn’t just enough to know how to respond when an incident arises, you really need to understand the larger environment that Windows system exists in…and truth be told they always have lots of cool tools and Windows system tips as well.
  5. Digital Forensics Magazine - OK, this one isn’t free (except for their DFM-Issue1 (flash viewer driven)).  However they clearly are locked in on the forensics arena.  I’ve not got a subscription yet, but I’m thinking that this is one periodical that will be will worth the price of admission to access.

If you are aware of any other regularly published (and current) digital forensics/security sources, please drop a tip in the comments!

New Tools of the Week (and one red-herring shark-style!)

SANS Computer Forensics Investigations and Incident Response blog (can we find an acronym; SANS-CFIIR blog ?) Digital Forensics Case Leads: SQLite changes may impact your processes post points us to some great tools including the free Paraben’s P2 Explorer to do drive-image mounting.

Not content to hide his plans for world-domination in the forensic blog arena, our faithful Fistful of Dongles bloggist Eric Huber now is clearly ready to Go After The Flank with two (new to me) tools I got excited to find:

  • HSTEX - Digital Detective’s tool by Craig Wilson to be used to extract web browser history. Not free but you get a 30-day unlimited feature trial period to decide if it can do magic for you.
  • PALADIN - This is a new (free) forensic LiveCD project based on Ubuntu I hadn’t heard of before (and I know more than a few!)  Check out some of the advertised features:
    • PALADIN will work on any computer or hardware that is supported by Ubuntu Linux.
    • PALADIN allows a user to safely image and preview internal hard drives without having to disassemble the computer or laptop.
    • PALADIN has been modified to write-protect all attached media upon boot thereby preventing accidental writes or having to use expensive physical write-blockers.
    • Boot standard PCs and Intel Macs in a forensically sound manner (including the MacBook Air)
    • Image to several formats including Expert Witness (.E01), Apple Disk Image (.dmg) and Raw (.dd)
    • Clone devices
    • Create two forensic images or clones at the same time
    • Image across a network
    • Format any drive as NTFS, HFS+, FAT32 or EXT3
    • Create a forensic image of only the Unallocated Space, Free Space and File Slack
    • Quickly wipe (sterilize), verify and hash media
    • Automatically update via Internet
    • Search and preview media by file name, keywords or MIME types

And they have a cool logo as well!  I’ve downloaded the ISO file and packed it onto my iodd device for testing if this week’s schedule is kind to me.

I’ll share my thoughts on it in the near future.  The forensic LiveCD bar is pretty high already with hot projects such as CAINE, DEFT, WinFE, and Raptor to name my fav’s.

Speaking of DEFT, the crew recently posted their DEFT Linux 6, roadmap and features plans.  I’m not sure I can wait till December!  Christmas was hard enough to handle the excitement of.  The integration of WINE in the distro to support native Windows apps is super-cool. “Here are the main features of Linux DEFT 6 and the road map.”


- Based on Lubuntu 10.10 and DEFT Extra 2.1 (Windows side)
- Linux Kernel 2.6.35
- Dhash 2.1
- Xplico DEFT edition
- TSK 3.1.3 (or the latest stable version at the date of release)
- Autopsy 2.24 (or the latest stable version at the date of release)
- Log2timeline 0.50
- Afflib 3.5.12 (or the latest stable version at the date of release)
- Foremost 1.5.7 with a new extended list of header and footer
- Wine 1.2 for the implementation of tools for Windows-based Computer Forensic
- ClamAV Anti Virus / Malware 0.9.6
- Mount Manager 0.2.6
- TrID 2.0


- Feature freeze – September 2010
- CF tools test – September 2010
- Software developed by the DEFT team test and beta releases – October 2010
- Kernel freeze – October 2010
- Extra DEFT test – October 2010
- Wine tools testing – October 2010
- Documentation (beta) – November 2010
- Beta release – November 2010
- Documentation DEFT stable – December 2, 2010
- DEFT Linux 6 stable – December 2, 2010

PrefetchForensics v1.0.2 -- woanware - Mark Woan has updated his free Windows prefetch analysis tool with some really handy features including time management, exporting corrections and enhancements, and pre-population of the “import” location window to a default.  If you haven’t added Mark’s spectacular woanware forensic/network/utility tool site to your regular watch-list, then you are definitely missing out of some of the best tools there are for incident response and forensics!

Fresh from the wild savanna of Las Vegas and the BlackHat / Defcon / BSides events this year, at least two cool new species of tools have been spotted that may be of interest to forensic/sysadmin folks.

Never one to stay still, Didier Stevens offers us two special-niche tools in his Quickpost: 2 .LNK Tools post. First one is a 010 Editor template file for the .LNK binary file format the other is a ClamAV signature file to find all .LNK shortcuts (good or bad). Read the post for usage details on both.

Now for the stinky fish courtesy of the white sands of Florida and Tom Kelchner (via Francis Montesino desk work) :

Oh yea, right! A rogue named “Wireshark” -- Sunbelt Blog   (not to be confused at all with the legit Wire Shark network analyzer)

I want to say “who gets fooled by these stupid clearly fake/rouge malware scams” and infects their PC?

Then I had to say to myself, “Self!  Wait…didn’t you just spend all day this past Wednesday on your rare ‘odd-day-off” remotely scouring your dad’s PC from a very similar thing and repairing all the bad things it did to make their life in Vista miserable?”  (I did do a cursory mini-incident response analysis but promised to wipe the results to qualify for free pizza from an un-named parental family member this week!)

Hello minions:

Yep.  Pretty much a whole day, though all is well and back to normal again now.

Enough said.

--Claus V.