Saturday, March 10, 2012

Backup Material

It has been quite a while since I specifically visited the subject of Sync & Backup Tools (freeware).

Since then there have been lots of new tools and applications developed so I thought I would return with a link-dump of sorts.

Generally, my own personal backup strategy remains a bit pragmatic. I wish I could be much more organized, like ComputerZen’s Scott Hanselman.

Here then are a few simple routines I use for different purposes, followed by a list-of-lists of various freeware backup programs.

Collections to USB

I have a few “production” folders on my main system that contain a deep collection of portable applications, how-to documents, reference materials, common third-party browser plugin updates, and incident response checklists and guides. These are replicated to a number of USB sticks and portable USB hard-drives for use in the field.

For this type of situation, what I need more is a synchronization program rather than a true “backup” application.

The one I always reach for is DSYNCHRONIZE from Dimo’s Tools. It has lots of options and is quite fast. The AddictiveTips blog has a recent post going over its finer points: Perform Real Time Sync, Backup Large Storage Mediums With DSynchronize.

This is by far the easiest type of “backup” process I have. I’m just replicating the master set of folders and files onto the USB sticks as needed, and DSynchronize carries the changes I make in the main folders over to the replicated copies quite nicely.

“My Documents” to USB HDD Storage

The next set of things I have to back up are the “My Documents” folder for myself and the girls, as well as related personal files and folders.

This is where things get a bit more complicated.

I have a few USB hard-disk drives for backup duties. Each one is formatted into two partitions. The first partition is usually just around 100 MB or less. The second volume is the remaining GB’s.

I format the first partition NTFS and load it with a few critical portable software applications, the most important of which is TrueCrypt.

The idea behind this first volume is that in the event I ever have to grab-n-get with the drive, all the tools I need to restore data from the drive to another system are on the drive itself. No hunting around.

I then use TrueCrypt to create an encrypted partition out of that second volume. The first partition is relatively tiny, as it only needs to hold a few tools in the clear, and its small size helps keep me from being tempted to put any important docs there unencrypted. The second volume is fully encrypted and that’s where all the good stuff stays. I also put a copy of my portable backup application on it as well.

I then just need to attach the USB device to my system(s), let it find the first partition, run TrueCrypt from there and mount the second volume. Then I can run my backup tool and put the backup files into the encrypted volume.

For the backup program itself, I’ve come to rely upon Back4Sure by Ulrich Krebs.

TinyApps recommended Back4Sure some time ago and that was good enough for me to check it out. I’ve become very pleased with its ease of use and reliability. If I had to go with a second, Create Synchronicity might be a close second, also recommended by TinyApps: Backup to drive label instead of drive letter.
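The point of the two-partition layout is that backup files must only ever land inside the mounted TrueCrypt volume, and the drive-label tip above matters because the letter the volume gets changes from machine to machine. The PowerShell script below is an added example (not from the post and not part of Back4Sure or Create Synchronicity) of enforcing that: it finds the destination by volume label, refuses to run if the encrypted volume is not mounted, makes sure it is not about to write into the small clear-text tools partition, and only then mirrors the source folders with robocopy. The labels VAULT and TOOLS, the source folder list and the size sanity check are assumptions for the illustration.

```powershell
# Added example, not the post's own script. Assumes the clear-text NTFS partition
# is labelled TOOLS and the TrueCrypt volume is labelled VAULT when mounted.
param(
    [string]$EncryptedLabel = "VAULT",
    [string]$ToolsLabel     = "TOOLS",
    [string[]]$Sources      = @("$env:USERPROFILE\Documents"),
    [string]$LogDir         = $env:TEMP
)

function Get-VolumeByLabel {
    param([string]$Label)
    # Look the volume up by its label, never by drive letter: the letter differs per host,
    # and a mounted TrueCrypt volume appears as an ordinary logical disk with its own label.
    Get-WmiObject -Class Win32_LogicalDisk |
        Where-Object { $_.VolumeName -eq $Label } |
        Select-Object -First 1
}

$tools = Get-VolumeByLabel $ToolsLabel
if (-not $tools) {
    Write-Error "Tools partition '$ToolsLabel' not found; is the USB drive attached?"
    exit 1
}

$vault = Get-VolumeByLabel $EncryptedLabel
if (-not $vault) {
    # No mounted vault means no backup: do not fall back to any other drive.
    Write-Error "Encrypted volume '$EncryptedLabel' is not mounted. Mount it with TrueCrypt first."
    exit 1
}

# Sanity check against mislabelled media: the vault is the large second volume,
# so it must be bigger than the tiny clear-text partition.
if ([uint64]$vault.Size -le [uint64]$tools.Size) {
    Write-Error "Volume '$EncryptedLabel' ($($vault.DeviceID)) is not larger than '$ToolsLabel'; aborting."
    exit 1
}

# Per-machine folder inside the vault, e.g. E:\Backups\MYPC (DeviceID is "E:").
$dest = "$($vault.DeviceID)\Backups\$env:COMPUTERNAME"
if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }

foreach ($src in $Sources) {
    if (-not (Test-Path $src)) { Write-Warning "Skipping missing source $src"; continue }
    $name   = Split-Path $src -Leaf
    $target = Join-Path $dest $name
    $log    = Join-Path $LogDir ("backup-$name-" + (Get-Date -Format "yyyyMMdd-HHmmss") + ".log")

    # /MIR mirrors the tree, deleting files in the target that are gone from the source,
    # which is exactly why the destination check above has to run first.
    # /XJ skips junction points, /R:1 /W:1 keep locked files from stalling the run.
    & robocopy.exe $src $target /MIR /XJ /R:1 /W:1 /NP /LOG:$log
    # robocopy exit codes below 8 mean success (possibly with extras/mismatches); 8+ means failures.
    if ($LASTEXITCODE -ge 8) {
        Write-Error "robocopy reported failures for $src (exit code $LASTEXITCODE); see $log"
        exit 1
    }
}
Write-Host "Backup written to $dest; dismount '$EncryptedLabel' in TrueCrypt before unplugging."
```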

Whole System Backup

This is kinda cheating, but once in a blue moon I will also use ImageX to create a full-disk image of my primary system and dump the image file into one of those TrueCrypt volumes as well.

This takes a lot longer but is a good option for recovering from a catastrophic system failure.

Although I could use one of the more regular data backups to get another system going again, a full image lets me hunt down and extract any bits-n-pieces of data that sometimes get scattered in weird places, if the need ever arises.

List of Backup/Sync Tools

Here below is a list of additional freeware backup tools, programs, utilities and the like. Some are quite new and others are quite old. They are not really listed in any particular order. Take some time and click around. Sometimes the trick is finding one that has the right balance of ease-of-use with options needed for a particular job. Like me, you may find that using a combo of tools for different purposes may be the best solution.

These first ones are more in the class of focused file set backups. Though some could probably handle a system-wide backup job, they mostly would be better suited for backing up a specific subset of files/folders from a system rather than the whole enchilada.

These next ones are more of the specialty enchilada menu-fare. These will cover more of a whole-drive backup rather than limited file/folder sets. That said, they still primarily run within the existing Windows system so should be familiar and dependable for geeks and grannies alike.

Finally, we can step off the well-trodden path and go to more geeky options: system-backup and imaging tools for the tech crowd.

I suppose if you were super-geeky or a forensicator, you could also use any of the various tools you are probably aware of for making sector-based drive images. However, for personal “backups” I prefer file-based backup methods, as having a forensically sound exact duplicate of my drive isn’t as critical as having the files I need available for easy restore or off-loading.

More information:

Back it up,

Encrypt it if it’s personal (or even if it isn’t),

Cheers.

--Claus V.

Incident Response Toolsets and Checklists

A few months ago I was reading this Digital Forensics Case Leads: ReFS, Ex01, and DFIROnline post and came across the following bit under the Tools section:

Michael Ahrendt recently released an interesting looking "Automated Triage Utility," written in the AutoIT scripting language. It is a GUI-driven data collection utility designed for live system response. In this regard, it reminds me a lot of Monty McDougal's Windows Forensic Toolchest. They differ in UI and programming language, but aim at the same objective.

I hopped over to take a look at Michael’s Automated Triage Utility and it is pretty cool. You do have some “light” building work to do to seed the structure Michael provides with some extra applications, but in total it provides a responder with a great set of information logs and evidence collection.

While one-click incident assessments are no substitute for a detailed and focused analysis and pick-apart, these toolsets and first-response kits can be of significant benefit in gathering assessment data to determine the scope of impact and breadth of the incident. With the core data collected, an analyst or response team can then plan out additional responses.

Of course, running these tools on a live system has an impact of its own on that system. If possible, it is best to first capture both disk and memory images to preserve volatile system state information. That said, if the threat is significant enough and the risk of critical data loss is high, it might be wise to isolate the system from the network immediately if your response protocol allows. Detailed documentation of response actions and the tools run will also help in the post-mortem.

Here are some other related tools and resources that came to my mind after looking at the Automated Triage Utility Toolset.

RegRipper - Harlan Carvey’s Perl-based toolset for picking apart critical registry locations and data for a forensic response. Additional community-contributed plugins extend its features wonderfully.

RegExtract - Mark Woan’s own take on RegRipper that uses a Windows binary with over 70 plugins to assess system information.

BinPack - Godai Group - a portable application storehouse with over 100 security tools for security assessment and pen-testing.

MIR-ROR - CodePlex project from Russ McRee and Troy Larson. MIR-ROR = Motile Incident Response - Respond Objectively, Remediate. A customized CLI script that uses Windows Sysinternals tools and others to do live-system captures. More info here at HolisticInfoSec’s Toolsmith: (PDF) June 2009 - MIR-ROR: Motile Incident Response - Respond Objectively, Remediate.

Confessor - CodePlex project built from the concepts of MIR-ROR. This allows remote intel gathering across a host of systems in an AD environment. Pretty cool stuff. More info here at HolisticInfoSec’s Toolsmith: (PDF) November 2010 - Confessor & MOLE

Registry Decoder Digital Forensics Software - registrydecoder & regdecoderlive - Automated, live acquisition of registry files - via Google Project Hosting. Some of the previous tools listed work on Windows Registry hives that have already been collected. This one is a bit different in that it can be used against live registry files as well as historical ones. More info here at HolisticInfoSec’s Toolsmith: (PDF) December 2011 - Registry Decoder

MANDIANT: Intelligent Information Security has an outstanding collection of free software for incident response and malware analysis. In particular, their Redline utility does some super-awesome host triaging work. See also: IOC Finder

Security Database IT Watching - Evidence Collector - Not supported for some time, but still a very clever and useful “command and control center” tool that leverages other applications in collecting information from systems being assessed.

OSForensics - PassMark Software’s tool can be used to build a portable version for extensive system information gathering and analysis.

ESET Sysinspector - Neat tool to collect details on a running system, then perform heuristic analysis for risk level labeling of captured components. Makes it easy to begin a top-down assessment of a system.

Nigilant32 - Agile Risk Management LLC. Tiny tool to create a report snapshot of critical live-system processes, services, accounts, tasks, ports, and so on, with a file-system review tool and active memory imaging support as well.

rapier - First Responders Info Gathering Tool - Google Project Hosting - RAPIER stands for Rapid Assessment & Potential Incident Examination Report tool. It doesn’t appear to be active since early 2008 but there may be some good material left in this tool. Check the “Downloads” page for some additional PDF and presentation material regarding the toolset. Based on the Intel (R) RPIER project. Added to post list 04-21-12

Response Checklists

Of course, just because you have some tools in your box doesn’t mean you should run roughshod onto a system that is the target of some evilness. Hopefully you and/or your organization already has a well-documented incident response framework in place to guide and shape your response activities in a meaningful and effective way.

Here is a collection of some good ones you may want to consider.

Information and Security Cheat Sheet and Checklist References - Lenny Zeltser. A serious collection of cheat sheets and checklists for IT security response pros. Look carefully at the bottom of the page, as Lenny offers some additional cheat sheets from others as well.

KnowYourEnemy.eu - Checklists galore!

Incident Response Checklist (PDF) - via Digi4nsic.com

Procedure for Windows Incident Response (PDF) - via Digi4nsic.com

Request for Forensic Examination (PDF) - via Digi4nsic.com

Computer Security Incident Handling Guide (PDF) - NIST

An Incident Handling Process for Small and Medium Businesses - SANS Institute. Page 39 in particular has a good “Checklist for incident response capability”

Malware Detection Checklist - Google Docs - Instrument developed by Harlan Carvey and posted in this DFIROnline: Detecting Malware in an Acquired Image post on the Windows Incident Response blog.

His work was expanded a bit in these posts:

Cheat Sheets - Packet Life - For the network incident response crew.

More resources:

Simple Malware Research Tools - ISC Diary. Some fresh tools from the SANS gang.

Can we believe our eyes? Another story - Microsoft Malware Protection Center

Malware Analysis Blog - Great new blog (to me) covering malware review and study.

PXE Boot Server in a Malware Lab - Malware Analysis Blog

Using Free Windows XP Mode as a VMWare Virtual Machine - Lenny Zeltser on Information Security blog

US-CERT: United States Computer Emergency Readiness Team - 2011 GFIRST Conference papers and materials. So much goodness!

Cheers!

--Claus V.

Rain-Delay Linkfest

After an exceptional season of drought here in Texas, it looks like things are starting to change. We are facing at least five days of rain; heavy downpours mixed with long periods of light grey drizzles.

Planned yard-work long since abandoned.

Perfect weather for emptying the “to-be-blogged” hopper.

System Security

Time for new Flash updates. These are for the mainstream 11.1.x line of Flash builds. If you are running the 11.2.x beta line of Flash, I figure you are keeping up with those already.

Flash vulnerability exploited to deliver malware - Help Net Security has some good details about a threat that was patched, as well as how it was flagged and described by security researcher Mila Parkour. Meanwhile, this Adobe rushes out critical Flash update post over at Ars Technica has some more details about “…the vulnerability, discovered by Tavis Ormandy and Fermin Serna of Google's security team, affects Flash players on Windows, Mac OS X, Linux, and Solaris operating systems, as well as Google Chrome and Android.”

I use these links from FileHippo for my Flash updating needs. Whatever source you prefer to use, go get ’em.

PSI 3.0 Beta Launch - Secunia is rebuilding their Personal Software Inspector tool so that it not only finds and notifies you about missing security updates and patches needed for applications and plug-ins on your system, but also makes it easier to apply those patches and updates from within the application rather than hunting them out yourself. It is still a work in progress but should become a good tool to help with the process.

Microsoft Security Bulletin Advance Notification for March 2012 - Microsoft Security TechCenter. MS Windows updates coming soon to a system near you!

Getting Inside the evil

I’ve really been enjoying Troy Hunt’s writings, both current and browsing through the archive material. These two posts were exceptionally eye-opening. Troy does an excellent job showing the process by which these scams work. Get out the notepad.

Introducing Adobe SWF Investigator - Adobe Developer Connection. New beta tool making the rounds on various security sites. Based on the Adobe AIR platform, it will help with SWF analysis from both static and dynamic angles.

Examining VSCs with GUI Tools - Journey Into Incident Response blog. Corey Harrell does a great job of showing methods for working with Volume Shadow Copy containers.

Browser Things

Password Generation - The Chromium Projects. We’ve touched on passwords here at GSD quite recently. This new component of Chrome development is pretty interesting. Having the built-in browser ability to quickly and easily generate complex passwords is pretty cool. I hope some form of this feature matures into the mainstream builds.

Speaking of Chrome, for the longest time I have been using a portable build of Chromium (DEV builds) coupled with an updater application from Caschys Blog. Once a week or so I hit the updater and it finds and downloads/installs the newest version available from the source repositories. Unfortunately I wasn’t paying attention to what was (or wasn’t) actually happening. When I recently saw the latest DEV build level in an RSS feed, I finally went back and checked what my Chrome DEV build was, and it was WAY behind. Seriously WAY WAY behind. Bother. So now I am using this Google Chrome Portable page and scrolling down to the portable DEV build link. Updating is just a matter of downloading the file, pointing it at the existing location and overwriting it. If you are porting your profile and extensions over from a previous portable version, the location they go into turned out to be quite different from the earlier portable DEV build I had been using.

It is now located in this folder location: “ …\GoogleChromePortableDev\Data\profile\Default”

Once I had my Chrome profile ported out of the old DEV version and into the new one, the difference in the builds was significant.

Mozilla’s Collusion tells who’s tracking you - Mozilla Links. Worth a look.

2-step verification - Google Apps Help. Google has an optional 2-step verification option to enhance the security of your account login process. FYI.

Freeware of Note

usboblivion - Google Project Hosting. Anti-forensics-like tool to purge the history of USB-connected drives from the Windows registry. Question: does use of the tool leave any tracks of its own behind? Spotted via this Addictive Tips blog post: Delete Record Of Previously Connected USB Devices Using USBOblivion

Rufus - Create bootable USB drives - Really neat and slick bootable USB creator tool. More details on these reboot.pro pages: Rufus and Rufus (introduction topic).

NTFS Permissions Reporter - Cjwdev - offered in both free and paid versions. Windows already has built-in methods to look at NTFS permissions, but this is a nice GUI tool that some might find more useful for getting a wider view of the permissions. Spotted via this Addictive Tips blog post: NTFS Permissions Reporter: View Access Permissions Applied On Folders.

regshot - Via SourceForge. Another tool to do before and after registry diff’ing. More details at this CybernetNews post: Monitor Registry Changes in Windows.

File Extension Monitor - NoVirusThanks - free/portable tool that allows real-time monitoring and logging of files created on the system. Great to run while installers execute, or to trace dropper activity. Spotted via this Addictive Tips blog post: Monitor File Creation Activity Across Disk Volumes With File Extension Monitor.

HijackThis was my #1 go-to malware busting tool in the very early days of my IT career. I would use it to slice-n-dice auto-run entries and bring back law-and-order to a malware-hijacked system. Over the years, as my knowledge and skillset grew and tools matured, I’ve come to rely much more on the Sysinternals Utilities. A one-two punch with Autoruns and Process Explorer, coupled with the all-seeing eye of Process Monitor, typically provides me the hammer needed to bust into a hijacked system. So it was with fondness that I read this HijackThis now open source post at The H Security. I really hope that this move gives new life and capability to this classic tool.

Peeking at NAFT - Didier Stevens is going crazy teasing us with a new project, a forensic toolkit he is developing called the “Network Appliance Forensic Toolkit (NAFT)”. Ooohhh!

Ezvid - Free Movie Maker and Slideshow Creator For YouTube. Spotted via this Addictive Tips blog post: Create Image & Video Slideshows With Narration Using ezvid.

Microsoft Research Cliplets - Neat project from MS Research that takes a short digital video and allows you to isolate just a section of the motion. When exported, the result is a static image with a section of movement. It’s a cool effect.

Multi-Image Fusion - This Microsoft Research project appears to be aiming at the next generation of Microsoft Image Composite Editor, or ICE. They have a 305-image composite on the page as a teaser. I love ICE, but sometimes when I have a complex series of images and try to drag/drop them into ICE, it cannot stitch non-sequential images into a composite. Related: Hugin - Panorama photo stitcher

For Sysadmins

BETA: PowerShell v3 Technical Guide (CTP2) - Kurt Shintaku's Blog

Service overview and network port requirements for the Windows Server system - Microsoft Support Article ID 832017.

[Review] God's Jury: The Inquisition, IT & Privacy - ReadWriteWeb. Curt Hopkins has a book review. What is really fascinating to me is how new technology can make the evils of dark history relevant and accessible again, given the (once again) dizzying pace of information aggregation. Amazon has a Kindle version that will soon be making an appearance here in the Valca home.

Network Stuff

Nmap 5.61TEST5 released with 43 new scripts, improved OS & version detection, and more available for download - ISC Diary

Wireshark and Pcap-ng - Wireshark blog - news that Wireshark 1.8.0 will have two new features: concurrent capture from multiple interfaces and packet annotation. These changes appear to rely on the pcap-ng file format. Hopefully applications that rely on the pcap format will adjust and add compatibility for pcap-ng, but if not, be sure you save your captures in a format that can be imported into (or exported to) a file format compatible with your NFA tools.

Detecting sniffers with HSD - Hexacorn blog. Free tools and techniques for detecting the presence of network sniffing activity.

Tony Fortunato over at the LoveMyTool community blog has a video showing Using Pathtest for Performance Measurement. PathTest is a free tool to test network bandwidth capacity between two endpoints using packet-flooding techniques. This is a serious tool, so use it carefully and during non-production hours unless you (and your customers) really, really know what you are doing and why you need to do so. Cool tool!

Cheers!

--Claus V.