Monday, May 28, 2012

Memorial Day Moment of Thanks - 2012

WWIIMemorialWall VietnamMemWall

World War II Memorial and Vietnam Memorial, Washington, D.C.,

cc credits: flickr Jeff Kubina

It would be a great wrong for me to allow today to pass without pausing to thank the families (current and past) who have lost loved ones in the defense of our country. 

I seem to have been hit harder and become much more sensitized to the commercialism that today (and this weekend) has been draped with this year for some reason.

To help, I have spent some time over the weekend at the following places on the web using the time I have been granted off from work to consider and reflect what this day means for myself, my family, and my communities.

Thank you for your sacrifices, they are not -- and will not be -- forgotten in our home.

--Claus V.

A “Monday off” Linkfest

Here is a quick hodge-podge of linkage this somber day off for some of us.

Everything you ever wanted to know about building a secure password reset feature - Troy Hunt’s blog - wonderfully deep post on strategies for designing a “reset password” feature.

Serva 32/64 - free/portable multi-server platform.

TFTPD32 - opensource IPv6 ready TFTP server/service for windows

Critical hole in Seagate BlackArmor NAS - The H Security: News and Features - oh snap!

OutlookAddressBookView - NirSoft - new/free tool to display and export Outlook Address book information.

MRTG Quickstart (by Tony Fortunato) - LoveMyTool blog.

New version of Nmap out:

Am I pwn3d? Windows *Native* Tool Triage - Open Security Research blog

NetCalc v1.1.0 - updated - woanware

Deny and allow workstation logons with Group Policy - 4sysops

How To: Read CID on SD card - GetUSBInfo blog. Very interesting information.

Windows credentials dumper - tippage via TinyApps bloggist to the Quarks PwDump tool. Read the QuarksLAB Blog for more information. One of the reasons I’ve wanted to build a new virtualized session of XP recently.

Notification Area Cleaner for Windows 7 - IT Samples - free and works for me! - As spotted in this AddictiveTips post: Remove All Windows System Tray Icons Left By Uninstalled Applications - Notification Area Cleaner

Data Recovery SOS - Eassos interesting freeware tool for recovery of lost/deleted files. I’ve got more than a free excellent freeware file-recovery tools and this has been added to that pile. Spotted in this AddictiveTips post: Eassos Recovery: Recover Lost Partitions & Deleted Data From Hard Disk.

Bonus find, Eassos PartitionGuru Free (link at the bottom of the page). Really slick and neat tool for both file and partition well as some additional disk info/tool features.

How to find computer model name or serial number in Windows 7 - Windows Club tip. From CMD “wmic csproduct get name” done.

SysExporter - v1.60 update by NirSoft - “Added support for DirectUI control, which is used to display files and folders on Explorer Windows of Windows 7.”

Directory Monitor - freeware - BrutalDeveloper - Another interesting tool to monitor changes to a folder and can run as a service. Reminded me of Track Folder Changes.

Precision and purpose: Ubuntu 12.04 and the Unity HUD reviewed - Ars Technica - As I’ve been getting ready for my updated Xplico post, I’ve been working in the latest builds of Ubuntu, which use the “Unity” interface. It has taken a while to get used to, but is very slick and handy.

And then there was AD…

I’m still getting up to speed in Active Directory administration and operations. I’ve come a long way but have a long way to go in feeling more comfortable in my day-to-day operations support. If anyone has any tips, book (or e-book) recommendations, or virtual server/lab resources they could recommend, I would be grateful. I’m less interested (for now) in building/deploying AD environments from the ground up, and more focused on how to actually improve my reporting and object administration in the immediacy.

I’ve been working through/with the following freeware resources and find them very helpful, but I really need to have a safe way to practice and poke things (as in not on our live domain) as well as find a more formalized and structured study process to get up to speed in “boots on the ground” AD administration.

Cheers and thanks.

--Claus V.

Virtual Solutions

Continuing in the troubleshooting theme today, here are a couple of solutions I worked out playing with some virtualization software and machines this weekend.

Tip # 1 - Microsoft Tester VHD images still available

When I moved to my “then new” laptop, I ended up discarding a lot of virtual machine images I had been keeping around to testing and lab-work. One of which was an XP tester build in Microsoft’s Windows Virtual PC.

While Virtual PC on XP had been pretty easy to use, the “embedded” operation of it in Windows 7 is a bit more of a headache. (Note: I wonder if Windows 8 will retain an “XP Mode” feature? Anybody know?). So I had dumped them when I started using Oracle VM VirtualBox.

Last week I needed to do some work in XP again and decided to grab one of Microsoft’s IE App Compat VHD’s over at the Microsoft Download Center.  I snagged the tiny (by comparison Windows_XP_IE6.exe) package. They also have some larger Vista/Win7 VHD packages also.

While these do time out/expire (they can be “re-armed” following the instructions on the download page above), they provide a quick and easy way to grab and run XP for testing purposes.

Tip # 2 - Converting other virtual disks to VMware format

(Alert: dead-end coming)

While I was able to get the XP VHD working just fine in Virtual PC on my Windows 8 system, I wondered if the performance would be better in VMware Player. It also has slick support for “Unity” which is a “XP Mode” feature that doesn’t require you to be using Windows 7 in Professional/Ultimate builds.

So I figured I would just convert the VHD file and convert it to the VMWare format and roll on.

First I tried StarWind Free V2V converter. Downloaded and installed OK with no fuss, however when I tried to launch the converted VMDK file in VMware, it bombed out.  That said, I’m still keeping it around as I suspect something else was going on and it wasn’t an issue with the software.

Next I read about WinImage which per a handy post from VMpros, can convert VHD to VMDK. However since it is trial-ware, I decided to skip that option.

Finally, I settled on the free VMware vCenter Converter. Download requires registration with VMware but it was painless and the application was a breeze to use. In no-time it converted my VHD file to VMDK format and I had it running in VMware Player. For a good walkthrough check out this AddictiveTips post Convert & Use Your Physical Machine In VMware, VirtualBox & Virtual PC.

Well…not really.  See as I found out (and should have remembered but it has been too long) the Microsoft IE Tester images are set up only for Virtual PC specific “hardware”. By that I mean while you can convert them to another virtualization platform, XP will then see that your “hardware” has changed and require re-activation and require you to put in a fresh product key from scratch to activate it.  I suppose a clever person could work around it and get it working in VMware, but that would seemingly violate the EULA agreement for these packages.

Like I said, this lead to a dead-end, but it was fruitful in finding the Microsoft IE Tester packages are still available for use and (for a bit longer) still offer XP as an option.  Also, I found the VMware vCenter Converter software to be wonderful to use and am sure I will rely on it more in the future.

Tip # 3 - Don’t Forget your old install media

After the dead-end above, I remembered I still had an old XP Home (SP1a) install disk and license I had bought when I built my first small-form-factor desktop. Since that time, all the newer systems we bought came pre-loaded with Vista/7 so eventually that SFF system (and the XP load) were wiped clean and while the SFF box patiently waits re-purposing to FreeNAS one day, the XP Home OS has not been used since.

So I used it to build/activate a fresh install directly in VMware Player and got it fully patched/updated and running smoothly for all my XP testing needs.

Tip # 4 - Getting ChromiumOS (Hexxeh’s Vanilla builds) running in VirtualBox

After all the fun I was having getting these virtual systems tweaked, on a whim I decided I wanted to check out Chromium OS.

I decided to take the easy way out and use a “Vanilla” build of the Chromium OS builds by Hexxeh. I downloaded the VirtualBox file, got it configured in VirtualBox and launched away.

Only while it ran fine, I couldn’t get though the first-launch setup landing page I because the “network” was unavailable and no networks were offered. I was using “NAT” setting but no dice.

I did some digging and found that there were a number of folks with Questions Tagged With network - CrOS QA in the forums.

Took a while but I finally figured out the trick (at least if you NAT for network connection on VirtualBox).

Go into the Network settings for your ChromiumOS virtual machine. if you NAT by default it should look like this.


Next click the “Advanced” triangle (as shown above) to expand it.

Change the adapter type to an appropriate "Intel PRO” interface. Your options may appear differently from the one I selected below.


Save your settings and re-launch the virtual machine.

This time the network was available and I was able to complete the setup and running of Hexxeh’s ChromiumOS build with no issues.

I need to play more with it before posting my opinions but it worked just fine.

Tip # 5 - VirtualBox supports Windows 8 “natively” now.

In my recent Windows 8 GSD blog post I bemoaned being able to successfully install the VirtualBox additions into my Windows 8 Consumer Preview build in VirtualBox.

Thanks to the comments of a kind anonymous tipster, I realized many older “how-to” instructions on the process on the web recommended selecting “Windows 7” as the OS type during the creation process, then running the VirtualBox Additions in “Compatibility Mode” to install. The newer versions of VirtualBox now offer “Windows 8” as an OS type during the virtual machine setup process and if done so, you can just run the Additions “as-is” with no need to do so in Compatibility mode. They go on just fine.


Anyway…by the time I had already figured this out I had since followed an Install Windows 8 Consumer Preview on VMware Player that worked so seamlessly I don’t think I’ll use VirtualBox for Windows 8 testing at this time. YMMV.

Tip # 5.5 - VirtualBox now out

On 2012-05-22 Oracle released a new version of VirtualBox: Changelog – Oracle VM VirtualBox

Get the Download – Oracle VM VirtualBox along with the matching VirtualBox 4.1.16 Oracle VM VirtualBox Extension Pack that is also on that page.

Tip # 6 - More Virtualization Tippage sites/blogs

By no means complete, these sites seem to have great tips on virtualization platforms.


--Claus V.

Resolving a Logitech SetPoint Installation Headache

Earlier this week I built a fresh virtual machine of Windows XP Home for use in long-term XP fiddling.

I wanted to use my Logitech Cordless Desktop LX 710 laser keyboard/mouse set with it; specifically the LX7 mouse which has handy left-wheel & right-wheel click support. I think these are called the “Tilt-wheel plus” feature. I set these to copy & paste functions and can really scream through work. It takes Logitech SetPoint software drivers to enable these extra click-button features fully.


So I hopped over to the page above and then to the downloads link,stepped through the options, and came up to the XP SetPoint 6.32 download page for this particular model (which I suspect it is for most all SetPoint hardware…).

Downloaded the file (setpoint632_smart.exe) and proceeded with the install.

The first time I ran it, I got an error “SetPoint failed to install.  Please restart your computer and try again.  (223,224,225,221,222)”


Rinse/repeat. This time it went on “successfully.” However when I went to configure the click buttons, the options weren’t there.

Curiously, I now had the Logitech folder in my Program list, but the “Mouse and Keyboard” launch icon pointed to nowhere.

Tried a few more times and each time resulted in either the same error as before, or a “successful” install with no actual installation of the core SetPoint application into my Program Files folder.

Getting a bit frustrated, I checked out a few things.

First I chased the SetPoint software location via the application shortcut being created. It kept pointing to a non-existent “C:\Program Files\Logitech” folder. Hmm. For some reason it appears the folder wasn’t being made.

So I next ran Process Monitor and was able to trace the unpacking of the (setpoint632_smart.exe) location as it worked.  On 32-bit XP systems, it appears to unpack a primary temporary installation folder to “C:\Documents and Settings\userprofile\Local Settings\Temp\Logitech”

At first a folder “SetPointSI_1” is created, followed by a secondary “SetPointSI32_1” folder, then contents of which are pulled down from the web. Once the installation process is completed, the contents of these folders are removed.  I also found that during the installation process you can copy these folders/contents to another location to preserve them after the installation completes and the originals are removed.

Unfortunately, manually running these “recovered” installers didn’t result in getting SetPoint correctly installed on my XP system, nor did trying to manually install the drivers. I really needed the SetPoint application itself to install.

A long survey on Google found quite a lot of users on the web (not just XP users) who just could not get SetPoint to install on their systems using the intelligent/web-based SetPoint installer download; along with many very clever…but usually ineffective tips on getting it going.

Eventually I found this post in a Logitech forum: Unable to install Setpoint 6.32 on Windows 7 x64 - Logitech Forums.

“Meltech” recommended installing in a Clean Boot mode. I didn’t feel like trying that, however the poster also offered 32/64 bit download links.

Interestingly, these were not the setpoint632_smart.exe file, but links to the standard SetPoint installation packages.  I downloaded and used the 32-bit (setpoint632.exe) file.

It went on with no drama and voilà, this SetPoint installer created the missing C:\Program Files\Logitech” folder with all the contents. I was able to then set my mouse-wheel-tilt-clicky buttons just fine!

Repeating the process and carefully keeping an eye on it, this installer unpacks itself to “C:\Documents and Settings\userprofile\Local Settings\Temp\Logitech” and creates a “SetPoint_1” folder.

Comparing this folder against the “SetPointSI32_1” folder from the other installer finds a lot of similarities and differences. Bottom line is that the “full” installer brings a lot more files to the party than the web-based intelligent installer.

(Actually, there are LOT more folders and stuff (hopefully) created in both installation events. Use of Mirekusoft Install Monitor or another similar tool like Directory Monitor or Track Folder Changes will ferret them all out for you.)

One file to look for with great information is the installation log file found on XP at

C:\Documents and Settings\userprofile\Application Data\Logishrd\sp6_log\sp6_setup.log

Anyway…to sum up a short-blog post getting longer than intended…

If you are having issues with the Logitech intelligent/web-based “Smart installer package”, try the “full” version instead. Yes it is a larger download, but doesn’t seem to present any installation issues.

You can either look in the Logitech FTP site for the latest SetPoint installer file(s): Index of 

(note: the files with a “j” in the name are Japanese versions.)

Or…you can carefully read the Logitech download page for your specific product (doh!) and get it directly from that page (example below).


Hopefully this post will help someone else who is struggling to get a “clean” install of Logitech SetPoint running on their Windows system; just give the “Full” version a try.


--Claus V.

Sunday, May 20, 2012

So Many Links…So Little Time!

Busy day today. Chores to do inside the house and out. And links galore spilling out of my Firefox sidebar, ripe for posting.

Critical Updates

New Place to Report Fake Tech Support Scam Calls

As if the usual bane of telemarketers isn’t enough to wade through almost every day and night, now we are seeing a renewed push of the fake-tech-support calls. Enterprise IT shops are even having to now send notices across their employee-base to remind them that they haven’t been outsourced to these callers and that employees should always make sure they are talking to the right IT guys and gals. Some places are event starting to black-list some of these third-party remote control sites to clamp-down the borders against these calls.

Troy Hunt has a series of great posts that tell you just about everything you need to know about these scams. I’ve posted them before but Troy’s writings are so good, they need another mention.

The guys and gals over at SANS have gotten into the game as well.

They have opened up two (same) locations for you to report any fake-tech-support calls you may get for intel-gathering purposes. Knowledge is power!

For the SysAdmins in the Audience

Kyle Beckman has written an outstanding series of posts at 4Sysops blog on folder redirection in Windows. Definitely worth taking some notes from.

In other news…

FREE: Veeam ONE Free Edition – Real-time Hyper-V and VMware monitoring - 4sysops

"Could not reconnect all network drives" - TinyApps.Org. Great tip and trick for delaying (slightly) the mapping of network drives until the network is fully available after login.

Windows Error Lookup Tool Portable 3.0.4 (get details on Windows error codes) Released -

Batch-Convert XLSX To XLS Without MS Excel Or An Online Converter - New tool reviewed by AddictiveTips.  Get the tool here from the author.

Jarfix - free tool to fix broken “jar” file associations in Windows.  I needed this after the last Java Runtime update I applied to my system. After installation, I could no longer run the Java-based Software Protection Initiative - Encryption Wizard tool as I had before. I tried several times to update the file-associations but no dice. Then I found this tool, and once executed…problem solved!

Likewise, a few months ago I had re-installed Google Earth but for some reason, lost all indications on how to launch it…no icon on the desktop. None in my “Start” list. Nada. Uninstalled/reinstalled. Still the launcher icon was no-where to be found.  Finally found this link: Google Earth icon has disappeared from my PC : Fix my problem - Google Earth Help  Downloaded the Google Earth Icon Restorer and ran it. Again, problem solved!

Mirekusoft Install Monitor -freeware Installation management software. (Note site down at time of posting) - I have a number of system change monitor/detectors I rely on to monitor how and where a software install impacts a system. Each one takes slightly different approaches. So I read with interest about this new installation monitor/logger. It runs as a service so it catches all installations and documents where in the file-system and registry the bits go. Drawbacks? Maybe a bit unstable and if a program was already installed prior to installing this tool, it doesn’t well-catch the updated installation bits. All that said, it might be worth looking into…particularly in a lab/test-bench setting where you need to document where install bits go before deploying them.  See this CSArchive.Net Mirekusoft Install Monitor post for some screenshots while the main site is down. Alternative programs to consider: Total Uninstaller by (free-trial/$) or Revo Uninstaller Freeware.

Leelu Soft: Watch 4 Folder 2.3 and Track Folder Changes are two other utilities you may want to check out.

I’m not sure why I’m on this theme this week, but the freeware app GeekUninstaller came to my attention this week also. Free and available in both installable and portable versions, helps remove installed applications.  For a few more details and screen-caps, see this AddictiveTIps post: Geek Uninstaller Lets You Completely Wipe Off Any Application From PC

VMware Workstation Player 4.0.3 released / Workstation 8.0.3 - Born and Windows IT Blog - My own recent experience using VMWare Player 4.0.3 for a Win 8 CP run was outstanding. Definitely worth getting these updated bits. VMware Player 4.0

Group Policy Central - new blog to me about Group Policy topics, including some Win 8 items and findings. Doesn’t appear to be updated quite as frequently as I would like, but since it is new, I’ll probably find more than enough material here to keep me busy until the next post comes out.

Network Nuggets of Gold!

NetBScanner - New tool from NirSoft - NetBIOS scanner. Provide a IP range and get IP addresses, WS Names, Workgroup membership as well as MAC address. Super nice GUI. Add this right now to your network toolbox!  Reminds me of the CLI tools (work good for me) NBTScan and the similarly named nbtscan. More info on NetBScanner at this AddictiveTips review. 

wpic v1.0.0 - woanware - A “simple console web page capture tool based on Chromium project that captures an entire web-page. Reminded me of IECapt which is an IE based web-page capture tool that I use daily for some data archiving.

NETRESEC CapLoader - Not free - interesting tool to process large network PCAP files and filter flows of interest. See this CapLoader Demo - YouTube for more info.

Curiously, there was this related post The Adventures of Packet Tracy, PI over at wirewatcher blog on parsing down large PCAP sets for URLs of interest.

HolisticInfoSec: toolsmith: Buster Sandbox Anayzer - Detailed information and walkthrough regarding a new release of Buster Sandbox Analyzer back in April.

In a GSD post On the Hunt… I detailed a quite involved process in hunting down/validating network connections and mapping them to specific switch ports. Over at LoveMyTool blog, Tony Fortunato posted a short video on how to find out which switch port the client is connected to. Pretty standard stuff.  However, I’m always putting a sharp eye on these just in case I find a new or better technique. And I did! For whatever reason (Cisco IOS updates?) we’ve seriously lost our ability to search for MAC addresses in the Cisco Network Assistant product. We are not alone as others are encountering issues as well. Anyway, we have some workarounds in the GUI but they are a bit time intensive looking through many, many switch port connections.  So like Tony, I find it (generally) faster to just telnet to each switch, run a “show mac address-table” and list the MAC/Port associations and look for the target MAC. On 48-port switches, that is a lot of searching. Tony’s video taught me the following trick; “show mac address-table |include <mac address>”  Including the pipe-include lets me pop just the single MAC I want. Sweet!

More here: Cisco IOS "include" filter.  And for the full list of powerful Cisco CLI options, check out this Cisco IOS Terminal Services Configuration Guide, Release 12.2 - Regular Expressions  [Cisco IOS Software Releases 12.2 Mainline] at Cisco Systems . Note your Cisco IOS version may render some of these commands a bit different, if supported at all. You probably also want to tuck away this Regular Expressions (PDF) for reference as well.

Finally, over at Anything About IT blog, Alex Verboon posted this Script for finding Executables that are command-line programs via a free utility IsCommandLineApp by Helge Klein. Might be useful in incident-response.

For the ForSec crewmates

In my recent Forensically Sound: Quick Post #3 I posted a number of links touching on early forensic surveys of Windows 8 “release” builds. I warned that none of these observations are 100% guaranteed to be present and accounted for in the final baked version, but they are good starting points. Troy Larson wisely commented on that post “Regarding Windows 8 forensics: I would be careful of relying too much on the public preview versions for detailed forensic analysis. Offsets and formats can still change.” Noted! So with Troy’s perspective firmly fixed in mind, here are a few more links touching on early (very early) Win 8 forensic notes and observations.

Portable Agents to QuickScans: Tips on Using the Latest Version of Redline - Mandiant M-unition blog

SANS DFIR Wall Poster Preview - SANS

File Formats ZOO - Hexacorn blog - file sector header information for common file formats.

File Formats ZOO – Installers - Hexacorn blog - likewise for software installer files.

The Curious Case of the Forensic Artifact - Hexacorn blog - in which the process of solving a curiosity is illuminated.

RegRipper: Update, Road Map, How not to get p0wned by RR v2.5, and Approximating Program Execution via VSC Analysis with RegRipper - Windows Incident Response blog -- my o my how RegRipper has grown!

More About Volume Shadow Copies - Journey Into Incident Response:  Corey Harrell dishes more on VSCs.

Related…VSC Toolset Update: Browsing Shadow Copies - Digital Forensics Stream post by Jason Hale with interesting comment thread follow up.

TypedURLs (Part 1) and TypedURLs (Part 2) - Crucial Security Forensics Blog posts by Paul Nichols.

Addressing Malware Issues from an Operational Perspective - Crucial Security Forensics Blog post by Michael Robinson. Great quick read on malware in the organization and changes that may be needed in operations.

Resurrecting “Dead” Images for Live Analysis - Crucial Security Forensics Blog post by Mark A. Wade.

Old Servers never die – unfortunately - Forensics from the sausage factory. Great “how-to” tips and results on imaging a server/system over the network, when you must…

Digital Forensics with Open Source Tools (Amazon link) - New book by Cory Altheide, Harlan Carvey. It’s a book after my own heart! Open Source/freeware (closed-source) tools for for/secs.

Windows Live Messenger – MessengerCache folder  Forensics from the sausage factory. This post was very interesting as it took a fresh look at what may be a commonly used application on some Windows systems.

“You Can’t See Me”…(my bad…I guess you can…)

A recent round of migrating users into a new AD domain (and some folder rcopy/redirection work on the side) has left a few users with missing data post-migration. I have tons and tons of tools to recover deleted data from a drive. The sysadmin I was working with reached for a new one to me in our troubleshooting work together, FreeUndelete over at Did the job nicely and the customer had their files restored in no time. I offered my own recommendations in thank-you. In doing so I spotted that Kickass Undelete recently got bumped up to 1.3 beta version. Others I like include Recuva. I also learned (via this AddictiveTips blog post) about Orion File Recover Software Free. I also saw this review at AddictiveTips blog for Wise Data Recovery freeware software. For even more tools, check out this GSD post File Recovery Extravaganza.

PhotoGrok / Java

PhotoGrok: EXIF-Based Image & File Viewer With Metadata Filters - AddictiveTips blog. I have more than enough EXIF-data/File-Viewer apps than I really need, but I’m a sucker for a new utility so I went ahead and downloaded the PhotoGrok tool and was quite pleased with the effort. It’s a nice tool. However, when I went to try to uninstall it, it wasn’t listed in my Add/Remove program (errr, make that Programs and Features) list. Nor could I find a link to an uninstaller in my program file list.

Checking the desktop shortcut target location led me to

“C:\Windows\SysWOW64\javaws.exe -localfile -J-Djnlp.application.href= "C:\Users\profilename\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\3b46d1a5-79989755"”

Now how do we uninstall this?  Unfortunately, the otherwise well-written FAQ didn’t seem to spell out the method. Yikes. Time for some deeper digging.

Turns out PhotoGrok is a Java WebStart application.

To remove you can follow the principle outlined in this post: How to Clear the Java Web Start Cache as explained by a different software vendor. This post Clearing the Java WebStart Cache by NGS has some better screen-captures (although they may be outdated a bit if you have a more recent Java build on your system…it should work well enough to get you what you need to know). Still not sure? See this final set of screen-caps for a newer Java build: Java Web Start 1.6 beta2 Review courtesy of

See, no need to panic! Easy-peasy if you want to strike it from your system.

Reset that Windows Password! (or crack it with a new release of Ophcrack…)

So last week--a tech was having some issues having a pushed application install on their system. Turns out their domain account didn’t have admin group membership and was causing the bomb-out. No problem, let’s just add you to the…hmm…for some reason all the admin account passwords are different from our standard and the “fail-safe” account is disabled. Oh snap. I hear the drumbeats of a system reload! Can you say “too-bad, doo-dad?”

Luckily, I had a backup plan.  Booted the system in my custom WinPE, used the embedded tools to off-line authenticate to the whole-disk encrypted system drive, then used NTPWEdit 0.3 to update the Admin password accordingly. Reboot. On the local system admin account now, added tech to the admin group. enabled the disabled account, good to go.

See also Password Renew at sala source (which I understand doesn’t play well under WinPE).

Related: Ophcrack LiveCD updated May 15th. More news about this build here: Distribution Release: Ophcrack LiveCD 3.4.0

"This new live CD includes the latest version of ophcrack 3.4.0. It is built on Slitaz GNU/Linux 4.0, the latest version of this great live CD. Christophe Lincoln from Slitaz helped us to enhance the scripts for partitions and tables detection. A new ncurses interface is also available to help users look for tables on other drives or interact with ophcrack. Finally a live CD without tables has been released as well for users that already downloaded or bought tables. The directory containing the table files must be placed inside another directory called tables in order for ophcrack to find them automatically."

More Ophcrack release news here: news page

Now where’s my mop?


--Claus V.

Saturday, May 19, 2012

Windows 8 Linkage: “Metro Santiago” edition

cc image credit image by Víctor Espinoza on flickr


Last weekend I finally got around to installing the latest Windows 8 Consumer Preview version (x32 flavor) in a virtual machine.

Overall the process went very smooth, however for some reason I never could get the latest version of VBox Additions installed in it.  Everything seemed to go OK but eventually it appears the associated PnP drivers would fail installation and it would roll back. Yes, I was installing them in “Windows 7” compatibility mode. Yes, I tried installing them in safe-mode. Yes, I even tried unpacking the virtual additions exe and manually installed the drivers in “legacy mode” via the hardware and devices module. No dice.  I don’t recall having any problems under the Developer’s Version of Win8.

All that said, I do have a fully working version of Win 8 CP now and I’m getting more familiar with navigating around in it. It is not quite fully intuitive yet swapping around between the “Metro” interface and the desktop and the different “tile” applications.  However I’m getting a bit better at it. Practice makes perfect.

I’m keeping the topic heading structure from the last post. Seems to break things down logically and well and makes managing my to-be-blogged pile for Windows 8 much easier to handle.

Windows 8 “Release Preview” Version - Coming Soon

Windows 8 - Related Betas

Windows 8 - Install It

As I mentioned in the opening, I ran into some issues attempting to get the latest VirtualBox additions working in Windows 8 Consumer Preview version. Here is some related linkage I ran down in the troubleshooting/recovery process. (I got much more familiar with getting the system to start in safe/recovery mode that I had planned!)

Next up…trying to install Windows 8 in VMware Player.  I’ve heard good performance can be had in this system.  May try the Win 8 CP x64 flavor this time for a bit of contrast to my x32 version in VirtualBox

Post Update - The night of this post I went ahead and did install Windows 8 CP in VMWare Player. I ended up just loading a fresh install of x32 bits as I got a bad SHA1 hash match after the first download of x64 ISO attempt. I didn’t feel like burning into my monthly ISP bandwidth quota sucking down another attempt.  I’ll save the x64 for the “Release Preview” version next month. The setup was easy-peasy on VMWare using the WIndows 8 Forums walkthrough post linked above. I had NO issues installing the VMWare Tools pack once I had the OS running. Win 8 performance in VMWare was simply amazing in comparison to the VirtualBox load. Both are set to two processors, both are set to 2 GB system RAM, the only real “difference” is that the VirtualBox graphics is set to 256 MB while the VMWare is using 896 MB. I’m not certain if that alone is enough to describe the difference in feeling between them. I do know that I feel much more positive in how the Win 8 OS responds and operates in VMWare. I’m a Microsoft Virtual PC guy, followed by VirtualBox--primarily for Linux builds. That said, while I have used VMWare Player before, it was mostly just using VMWare pre-built system packages I had downloaded. Based on my new experience with VMWare Player and Windows 8, I’m going to seriously have to consider which platform I want to use next virtualized system I need to build. This is in line with the a previous Win8 linkpost comment left by “Anonymous” last month also touting the surprising performance difference in VMWare over VirtualBox. I can now independently confirm that tippage.  VMWare Player + Windows 8 previews--highly Valca recommended!

Other bits…

Product Key:   DNJXJ-7XBW8-2378T-X22TX-BKG7J

Windows 8 - Under the Hood Stuff

Quite a few new articles on new features and functions in Windows 8.

Windows 8 - To Go

Windows “To Go” is basically a feature in Windows 8 that allows it to run “full OS” from a supported USB storage device like a flash drive or external hard-disk drive. Here’s new news on the topic.

Windows 8 - Tweakages

Even more tweaking tips these past few weeks!

Windows 8 - Deeper Insights

Windows 8 - Usage Tips

Windows 8 - Miscellanea & Rumor Mongering

The first link is almost a manifesto on the new “Metro” interface. Probably will take most folks a long time read-though and may need several passes to fully digest. Gotta hand it to Microsoft, they’ve committed to the new interface…like-it-or-not.

I figured it’s a great starting point and provides a fair context for the follow-on links that consider that new Windows 8 GUI. I’m still not sold, but I’m going take an “okra” approach. I like okra but it took me a long time getting to that point. Now I can’t imagine not having it in my gumbo or fried on the side along with catfish fillets. I really like the under-the-hood improvements I have read so far that are being served up in Windows 8. So it seems that to get them, I’m going to have to learn to tolerate the slime-factor as I prepare/tweak/bend Windows 8 to my own enjoyment.

Windows 8 - GSD Previously Posted


--Claus V.

Sunday, May 06, 2012

Oldies But Goodies - Linkfest

Progress is being made on several piles of links I’ve come across but haven’t posted yet. It is actually turning out to be a good thing culling them down like these.

The links below were in a For/Sec/Net folder I was using to hold blog material under that subject until it got too full and too old for me to continue dropping items in there. Some went back to late 2011!

Yesterday I decided to do some Spring cleaning and deal with it.  I dumped a LOT of links that seemed either dated or just not as important now as they seemed to be back then.

What remains below are links that I still wanted to document for research/reference. I did update/supplement some of them with some new material if applications the original links I captured have been updated.

Anyway, here you go if you are interested.

Watching the Networks

Tips, Tricks,and other Material

Scan it & Dump it!

Tools and Utilities

Live ForSec CD’s

  • CAINE Live CD - computer forensics digital forensics - “SuperNova” version 2.5.1 has been out.
  • DEFT 7.1 ready for download - Released April 2nd with more than a few updated packages and fixes.
  • Ubuntu - Now at 12.04 release version. I prefer to use this for my own self-installations of Xplico and Network Miner packages.
  • Ubuntu 12.04 and VirtualBox Image - Xplico team has released a VirtualBox image built on Ubuntu 12.04 which includes their Xplico 1.0.0 version (if you don’t want to build it yourself!).
  • ubuntu [Xplico Wiki] - Now you can use the Xplico Repository or one of several terminal scripts to easily (and I mean REALLY EASILY) get the Xplico NFAT application going! Super sweet.


I first learned about Maltego when I read this fun post Using Maltego CaseFile to map The Spy Hunter at the wirewatcher blog.

Basically this tool lets you organize your intelligence and forensic investigation information in new and graphical manners to better show relationship between elements. Check out the bottom of this page for some screenshots and links to more presentations.

It comes in both a commercial and community edition.

Note: I’m still playing with the version 1.0 beta version and haven’t upgraded yet to the version 3.1.1 community edition.  The version 1.0 so far has been meeting my basic “play and learn” needs, FWIW.


I feel better now.

Next up…new material fresh out of the bakery ovens.


--Claus V.