Sunday, October 17, 2010

Books, Networks, Security, and Forensics

The little-brother endowment for big-brother improvement has allowed for the recent expansion of my technical library by three more volumes.

I have just ordered the following books after a long wait in my wish-list pile:

I had flirted with also picking up the Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide by Laura Chappell, Gerald Combs but decided instead to invest in a Canon Speedlite 270EX Flash for our Canon Rebel DSLR as all work and no play makes Claus a cranky boy.

The first two selections reflect an expansion and recognition that understanding and analyzing network traffic can not only complement Windows systems forensics and incident response, but in some cases be the canary in the mine that signals something much larger is going on worthy of focused investigation at the machine level.

A recent series of events has driven both these points home to me in a very powerful way.  So I really am excited waiting for their arrival.

As for Harlan’s book, it really is one of the cornerstone books of Windows forensics and I’ve really felt weaker for not having read it yet.  I’m truly honored and stoked to be adding it to my bookshelf.

The nature of my work demands that I approach things from a holistic approach and I really hope that the combination of these materials gives me a sharper edge in analysis as well as how all the parts can better fit together.

In the News:

(IN)SECURE Magazine issue 27 released - Great security and risk-management articles in portable PDF reading format.  I’m always waiting for the next edition!

Hiberfil Xpress and FTK Imager 3 posts - Forensics from the sausage factory.  DC1743 tears into the Hiberfil and touches on its compression as well as new support (script) for examination via EnCase.  The second post points out the awesome and free forensic image capture tool (and then some!) FTK Imager 3 is now out from AccessData.  This newest version does require a system-install, but they have also released a bumped version of their free/portable “Lite” version to 2.9.0. Go get’em!  AccessData Product Downloads

CAINE 2.0 Live CD - “NewLight” computer forensics digital forensics - LiveCD Distro - I was unexpectedly surprised to discover CAINE 2.0 “NewLight” was released in the past few weeks.  CAINE and DEFT both are my current favorites for Linux-based “LiveCD” distros and are jam-packed with complementary toolsets.  CAINE 2.0 has a fresh look and updated features all the way around.  I’ll save post-space here by not posting a list of all the new and updated feature-sets, but suffice it to say, it really is super-slick and just like mighty-mouse, lots of power in a small size!

Gift Card FAIL: What do sequential numbers and shopping sprees have in common? - PaulDotCom - Yeah…worrying.  Besides the obvious issues, what really stands out to me is that I’m not the only one who can’t seem to turn their brain off from security/incident response musings…even when off-the-clock.  Every situation and every place presents opportunities for mental security pushup work.

Asset Tags For Dummies - Liquidmatrix Security Digest.  Part II from the theme above.  Really, we also stick honking-big asset tag stickers prominently on our equipment that can be read from 10 yards or greater away, with enterprise name and everything.  Plus the brand of our whole-disk encryption provider on a separate sticker.  “So we can tell which systems are whole-disk-encrypted” easily by just looking at the case.  At least that was the justification provided.  Really?  Can we?

Memory forensics on Windows 7 (x86 and x64) and Windows 2008 x64 and Avoid the Knee Jerk Reaction - M-unition Blog.  Two great posts from the MANDIANT gang including the announcement of the release of Memoryze 1.4.2900 which has added support for Windows 7 64-bit, Windows 7 32-bit, and Windows 2008 64-bit along with the previously supported platforms.

Free Malicious PDF Analysis E-book - Didier Stevens.  Go grab it now!

FireMaster : The Firefox Master Password Recovery Tool - SecurityXploded.  Free tool to recover the master password from Firefox.

Symantec’s w32_stuxnet_dossier (PDF) is a perfect model of how an incident/threat analysis report should be written.  It seems to set a new gold-standard for informative analysis and technical writing for malware/threats.  Wow!

Tshark/Wireshark SSL Decryption - Lessons Learned - PaulDotCom - Mark Baggett has written a great tutorial on how to configure Wireshark to decrypt SSL packets.  Great stuff.

PrefetchForensics v1.0.3 : woanware - Mark Woan has made some improvements to this free Windows Prefetch file analysis tool.  Update your copy now!

Forensic analysis of "Frozen" hard drive using Deep Freeze - Computer Forensics, Malware Analysis & Digital Investigations.  Deep Freeze is one of several “steady-state” system solutions that “restore” a Windows system back to a predefined configuration when the user’s session is over.  In theory this should erase all tracks, but as all good forensicators know, there’s gold in the streambed once you dig just under the surface a bit!

Xplico » Xplico 0.6.0 - Just released!  Xplico is a Linux-based tool that allows for reassembly of network traffic browsing sessions.  I’ve been having to use it quite a bit lately and find as I get to know its capabilities better, I am floored by the power and benefit having this tool in my arsenal brings me.  I’m planning a followup post on Xplico very soon here at GSD.  Stay tuned!

Happy Digging!

--Claus V.

Mostly Minor Network Notes

Here are some minor tweaks and features, mostly of a network nature.

Manual Uninstall of the Cisco VPN Client « Mobile Expertise -- because sometimes the uninstaller just doesn’t work, and the new installer won’t put it on, particularly with that stubborn Deterministic Networks package present.

Get the Classic Style Network Activity Indicator Back in Windows 7 - How-To Geek.  I’ve not been impressed with the lack of network activity indication on Windows 7.  Sure, it is a very weak and basic way to see if and when you are having network issues, but it can be a good first warning.  This Network Activity Indicator for Windows 7 via IT Samples is a very good approximation to the XP system tray indicator.

How to Optimize Network Connections in Windows XP - Windows Networking - On my XP system at work, I’ve got several network connections available, though some are used more regularly than others, and within them, some bindings will not be used ever.  So it seemed to me that it would be nice to rearrange the preferred order of the network connections, and disable any unneeded bindings for good measure.  This article was perfect.  In no time I had resorted and tweaked them.  Subjectively I think it helped a bit, but I didn’t actually benchmark before/after performance.

While useful at work and easy to do on the XP systems, before long I was wondering if I could do this same thing on my home Windows 7 laptop.  For my own system, depending on where I am sitting in the house and what I am doing, I may prefer to hook up via a wired Ethernet cable rather than using wireless…watching videos or downloading mega-files (Windows Updates, software packages, virtual appliances, Live CD ISO’s, etc.).  However, I was getting frustrated as despite plugging in the network cable pre-boot, I always seemed to be defaulting to my wireless connection instead!

So I had been manually disabling the Wi-Fi then forcing it to go to the Ethernet cable.  But that just didn’t seem right.

I already knew I set a preferred order for network devices in XP, but I just couldn’t find it in Windows 7 as easily.

Then I found this.

How to Change the Priority of Wired/Wireless Network Cards in Windows - How-To Geek

Better, and interesting.   But what about GUI only lovers?

Change Wireless Network Priority to Make Windows 7 Choose the Right Network First - How-To Geek.

Making progress but this is for prioritizing your Wi-Fi network connections, not for juggling both your wired/wireless network connections.

So I ended up pulling all the pieces together for a Windows 7 system, using the “XP” method noted earlier.

Start/Control Panel --> Network and Sharing Center.

On the left side-bar, select “Change adapter settings”

On the menu-bar, choose “Advanced” and from the drop-down menu “Advanced settings”

Then in the resulting dialog window, select the network connection(s) and using the green arrow on the right, change them in order up or down accordingly.  Save your changes when done.

In my case, I have the Local Area Connection (my wired Ethernet port) set at the top as my preferred item, then my home Wireless Network Connection second.

This way, if I plug in and boot, the LAC takes precedence and the connection gets established before Wi-Fi.  If it isn’t plugged in, then the Wi-Fi connection takes over.
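The same wired-first, wireless-as-fallback preference can be set from the command line instead of the Advanced Settings dialog, by pinning IPv4 interface metrics (the value that decides which default route Windows actually uses). This is an added example, not from the original post; it assumes the NetTCPIP cmdlets (Windows 8 / Server 2012 or later, not the PowerShell that ships with Windows 7) and adapter aliases “Ethernet” and “Wi-Fi”, which you should replace with whatever Get-NetAdapter reports on your machine.

```powershell
# Added example (not from the original post): make the wired adapter win over Wi-Fi
# when both are connected, by giving it the lower IPv4 interface metric.
# Assumes the NetTCPIP cmdlets (Windows 8 / Server 2012 or later) and adapter
# aliases "Ethernet" and "Wi-Fi" -- adjust to what Get-NetAdapter shows.
# Run from an elevated PowerShell prompt.

$Wired    = 'Ethernet'   # assumed alias of the wired adapter
$Wireless = 'Wi-Fi'      # assumed alias of the wireless adapter

# 1. Show what Windows is doing now: per-interface metrics of connected adapters.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected' |
    Select-Object InterfaceAlias, InterfaceMetric, ConnectionState |
    Format-Table -AutoSize

# 2. Pin explicit metrics so the choice no longer depends on Windows' automatic
#    (link-speed based) metric. Lower metric = preferred. Setting a value
#    switches the automatic metric off for that interface.
Set-NetIPInterface -InterfaceAlias $Wired    -AddressFamily IPv4 -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $Wireless -AddressFamily IPv4 -InterfaceMetric 50

# 3. Verify: the default route with the lowest (RouteMetric + InterfaceMetric)
#    is the one in use. With the cable plugged in that should be the wired
#    adapter; unplug it and only the Wi-Fi default route remains, so Windows
#    falls back to wireless on its own -- the behaviour described above.
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
    Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric |
    Format-Table -AutoSize

# To hand control back to Windows' automatic metrics later:
#   Set-NetIPInterface -InterfaceAlias $Wired    -AddressFamily IPv4 -AutomaticMetric Enabled
#   Set-NetIPInterface -InterfaceAlias $Wireless -AddressFamily IPv4 -AutomaticMetric Enabled
```

On Windows 7 itself the equivalent is `netsh interface ipv4 set interface "Local Area Connection" metric=10` with a higher value for the wireless connection, checked afterwards with `route print`.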

Non-Network Tweaks

One of the remaining pet-peeves I’ve had with Tatiana, my new Dell Studio 15 laptop, has been the sensitivity of the touch-pad.  I’ve had to put up with automatic text zooming when I brush against it or hover my thumb over it.  Touching the side/bottom scroll zones on the touch-pad sent web-pages flying up/down & left/right.  It was like trying to manage the throttle of a Mustang 5.0 on a slippery-as-glass wet roadway!

Fortunately, I’m not the first who has found this default Dell touchpad behavior really, really annoying.

How do I change my Dell Touchpad settings and preferences?  -- Ask Dave Taylor!

Turns out Dell has a “Dell Touchpad” management utility tab embedded in the mouse settings.

Poking around in there, I set the pad sensitivity from “hair-trigger” down closer to heavier touch, I disabled the text-zooming feature, and set the scroll-zones on the touch-pad to be much narrower than default.

A few more fine tuning tests and the touchpad is now no longer a bad-actor but a well-groomed thespian.

Finally, I added a System Restore Point Shortcut - Windows 7 Forums - great tips on how to make a shortcut to fire off a System Restore Point rather than the longer method.

--Claus V.

Sunday, October 03, 2010

Just a Note or Two and some SteamPunk

cc attribution: Notebooks by See-ming Lee 李思明 via flickr

Wow.  Can’t believe it has been this long since the last post!  What’s sad is that very little of it has been spent on the new laptop.

Mostly bad-crazy work stuff leading me to be exhausted by the time I get home from work. Then honoring time and family commitments on the weekends.  So much to post…so little time.

On the plus-side I’ve been able to really put some of the tools and techniques I blog about into incident response action lately.  While it is never a “fun” thing to have to do, it is pretty cool when you get to apply your knowledgebase in extreme situations.  While (unfortunately) it’s very doubtful I will share any information at all, I do expect to share some more information on tools and techniques I found valuable in the process.

I’m taking a break at the moment from technology posts to go a bit “old-school”.

While I generally use QCC’s freeware tool CaseNotes to document my incident response activities, and find it really does an excellent job fitting my needs, I almost always keep a pen and micro-sized paper notebook on my person as well.  Beats writing on my hand and is great for jotting down phone numbers, bits of data, field observations, quotes, URL links, etc.

I’ve been thinking of this lately as I saw some Moleskine mini-notebooks a few weeks ago when visiting the bookstore with mom.  I didn’t pick any up but they did catch my attention.

Then The Art of Manliness blog ran a series of articles that really encouraged me to use them that much more:

The comments in the first post were a treasure-trove of links and materials for the notebook carrying fan.  I found a number of great sources for fun and functional mini-notebooks.

Field Notes - Seemed to be one of the most popular sources for no-frills “common-man” notebooks.

Rite in the Rain - Was praised by field workers, outdoorsmen, military/LE, and other extreme environment folks.

Moleskine - This brand seems to have splashed onto the market with much fan-fare.  The quality and variety seems to make them very popular with note-takers and artists alike.

Right now, I am using these Top Flight Sewn Mini-Marble Composition Books that Alvis tossed my way.  They fit unobtrusively in my front pocket and are surprisingly durable.  They are very cheap…so I tend to toss them when all the note taking is over and they are filled up.  Not really archival material.

I had been using these Mead Wirebound Memo Books but the wire ring would get crushed after a few days in my pocket and the pages tore out too easily.  So I just keep one in my car only for quick notes but that’s it.  It will likely be replaced soon.

These Writersblok Bamboo Mini Notebooks looked like a cheap and nice alternative to my current notebook fare. Made by K I K K E R L A N D, they seem high quality and fit the quirky and fun other products offered by them.

Turns out there is a whole fan-following of notebook bearers!

I’ve scored a few new RSS links for some sites that live and breathe all things creative and useful with notetaking and notebooks.

The Little Black Book by Pad&Quill - This was pretty clever…and inspired me.  I’m overwhelmed at the moment with ballistic nylon carrying cases for all my portable hard drives and gizmos.  After looking at this, I was struck with how easy it would be to stop by ye-old/used-bookstore and pick up some tomes that had outward character to their binding and cover.  Then hollow them out to make carry-cases for the portable USB HDD I carry.  Some glue and some tiny metal/magnets to hold the lid shut and bam--pretty neat carry-case!

SteamPunk Resources

As a Sherlock Holmes fan, I appreciate the romantic notion of the Victorian era (but accept the Dickensian reality).  Add to that the fact that Last Exile is based heavily on a “SteamPunk” styling and my artistic eye is smitten.

Turns out there is a whole fan-base devoted to making and living SteamPunk style.

Steampunk Wallpaper is a very recent find that has provided a ton of awesome high-quality desktop wallpapers in the SteamPunk/grungish style.  Really stunning work here by the artists.  Even if you aren’t a fan, you are bound to find something appealing.

The Steampunk Workshop | Technology & Romance - Fashion, Style, & Science - Ongoing web-site filled with the very best examples and guides to SteamPunk hardware and software.

The Steampunk Home - Neat ways to add that anachronistic touch of class to your home; many with commonly available materials repurposed.

SteamPunk Magazine » Downloads - Free PDF downloads of SteamPunk Magazine.  Very interesting articles and perspectives…to say the least!

Happy notetaking and jotting!

--Claus V.