Sunday, October 20, 2013

Forensic News Flashes - New Projects and learning opportunities galore!

It’s late and has been a super-long weekend.

Lavie isn’t too impressed I’m still sitting at my desk working on posts.

In the meantime, I’m committed to getting this last bit of ForSec linkage collected over the past few weeks out the door so you can have fun reviewing it this week.

Those young and crazy pups over at the Computer & Digital Forensics at Champlain program have clearly caught their dean napping. In an interesting series of posts, they attempt to wreak havoc on different hard drives and then try to put humpty-dumpty back together again.

MantaRay Forensics - anTech Triage & Analysis System. As far as I can tell, this is the first time I have posted any mention of MantaRay Forensics here at GSD.  Spotted in this C&DF@C post Swimming with MantaRay Forensics

MantaRay was designed to automate processing forensic images, directories and individual files with open source tools. With support for numerous image formats, this tool provides a scalable base to utilize open source and custom exploitation tools. MantaRay was developed by two forensic analysts, Doug Koster and Kevin Murphy.

ForGe Forensic test image generator v1.1 - GitHub project page. From the Overview description:

ForGe is a tool designed to build computer forensic test images. It was done as an MSc project for the University of Westminster. Its main features include:

  • Web browser user interface
  • Rapid batch image creation (only NTFS supported)
  • Possibility to define a scenario including trivial and hidden items on images
  • Variance between images. For example, if ForGe was told to put 10-20 picture files to a directory /holiday and create 10 images, all these images would have random pictures pulled from repository.
  • Variance in timestamps. Each trivial and hidden file can be timestamped to a specific time. Each scenario is given a time variance parameter in weeks. If this is set to 0, every image receives an identical timeline. If nonzero, a random amount of weeks up to the maximum set is added to each file on each image
  • Can modify timestamps to simulate certain disk actions (move, copy, rename, delete)
  • Implements several data hiding methods: Alternate data streams, extension change, file deletion, concatenation of files and file slack space.
  • New data hiding methods can be easily implemented. Adding a new file system is also documented.

Developer Hannu Visti shares a great post on the features and background of this tool over at Forensic Focus: ForGe – Computer Forensic Test Image Generator. This could be a really fresh and innovative tool to help with simulating forensic images for both training and drill purposes. Very interesting and well worth the time to check out. It’s beyond my skill set to review and comment on, but if any of the ForSec pros out there have any thoughts or comments, please feel free to drop them in the comments here for our community education.

Linkz 4 Free Infosec and IT Training - Journey Into Incident Response - Corey Harrell goes above and beyond with an outstanding listing of trainings, exercises, and learning resources that are ForSec focused and absolutely-friggin-free for the taking!  Corey promises to keep the listing updated so bookmark the page and check back often. I’m particularly interested in the CSIRT-like topics and materials listed like those in the ENISA CERT linkage. I’ve downloaded most all of the PDF versions already to review this week as time allows!

Many of these trainings have supplemental videos and VM’s for download too!

Other specific courses from Corey’s post I’m listing below so I can find them quickly…

What 'tier 2' & 'tier 3' tools do you load on your forensic workstation(s)? - ForensicKB blog - Lance Mueller has a great list of Tier 2 and Tier 3 apps he considers. I’m pleased to find more than a few in my toolkit already. Note that not all of the software listed here is necessarily free or open-source. More than a few are commercial applications. That’s not at all a bad thing, but just something to be aware of.

Windows Incident Response: Shell Item Artifacts, Reloaded - Harlan Carvey undertakes some very methodical validation exercises on Windows shell item artifacts. Definitely worth reading.

Meanwhile, from another ForSec guy who appears to never sleep… Brett Shavers has been in a posting frenzy over at his Windows Forensic Environment blog site.

Best publicly available testing of WinFE I’ve seen to date - Windows Forensic Environment (Note: the post info is good, but the link in it has been superseded by the one found in the post below.)

Updated link on the Mistype project - Windows Forensic Environment

WinFE - direct link to the article mentioned. I agree, it is a truly fascinating read for WinFE aficionados. I’m coming back to read this one carefully this week.

Mini-WinFE - Windows Forensic Environment - This post has tons and tons of screenshots to illustrate the new Mini-WinFE project as well as an introduction that goes over the project features. Very basically, this specific project (1 of 3 promised for alternative WinFE building) allows you to roll your own WinFE boot disk in a “minimal” configuration with FAU utilities, FTK Imager and support for X-Ways Forensics. Total build time is estimated at 10 minutes from start to media in your hand.

Mini-WinFE is out of beta! - Windows Forensic Environment - See, you waited too long! The first link was requesting beta testers. Now it is released!  The direct project link is here, and extensive Mini-WinFE project documentation from Misty is linked here.

Quick video on building a Mini-WinFE - Windows Forensic Environment - a very short (3:33 min) YouTube video is available on this post page for those who want to check out the building process.

Since we are on a WinFE bender, let’s shift gears slightly and use that excuse to post a link on the WinFE’s kissable cousin for sysadmins who aren’t quite as focused on disk read-only preservation, WinPE.

How to Customize Windows PE Boot Images to Use in Configuration Manager - Chris Nackers Blog. Chris links to this Microsoft TechNet resource How to Customize Windows PE Boot Images to Use in Configuration Manager

New website and project roadmap - DEFT Linux - Computer Forensics live CD - The DEFT development team has put some fresh paint on their website as well as outlined where they plan to head in the coming months. Congratulations to DEFTA President Stefano Fratepietro and all the community and project contributors who have worked hard to make DEFT Linux a premier forensic live CD resource! From that post…

Here follow the forthcoming milestones concerning the new versions of DEFT 8, Virtual Appliance and User Manual.

  • DEFT Linux 8.1 with relevant news for Mobile Forensics – November 2013
  • DEFT 8 VMware Virtual Appliance – late November 2013
  • Roadmap of projects supported by donations – December 2013
  • DEFT 8 User Manual – February 2014
  • Third Italian National Conference DEFTCON 2014  – Polytechnic of Milano, April 11, 2014

Installing VMware Tools on Kali Linux and Some Debugging Basics - SpiderLabs Anterior - Christophe De La Fuente goes to the mat to show some advanced debugging skills in getting VMware Tools onto Kali Linux. As is pointed out in the comments, there are easier ways to do it, but the experience shared of the road taken makes us all a bit wiser. This post then led me to discover and add to my RSS feed pile…

Computer Howto's by Lewis Encarnacion - Lewis’s posts are great. Covering not just Windows 7 topics, but also some of the finer points in using and getting comfortable in Kali Linux.

FAU - version - Speaking of the Forensic Acquisition Utilities (FAU), it seems a new version came out in August 2013. I don’t think I caught that release. The link has a “what’s new” jump as well as the new binary set download link, but for the lazy…from that source:

  • Volume_dump and DD now recognize drives with BusTypeSata as devices supporting the ATA feature set.  ATA specific attributes are reported for these drives.
  • Fixed a problem with the DD --verify option when writing an image to certain drives.  Under certain circumstances the DD --verify option reported a spurious failure even though the reimaging of the target drive succeeded and the cryptographic checksum of the destination drive was in fact identical to the cryptographic checksum of the source image file or drive.  This problem did not affect the accuracy of the reimaged drive but required the user to validate the target drive after the imaging process was complete.  Thanks to Suman Beros for reporting this problem.
  • When acquiring a physical drive DD now drops the block size down to the device block size when approaching the putative end of the source drive.  Hard drives often misreport their capacity either by over estimating or under estimating the true size.  The only reliable way to image a hard drive is to attempt to acquire beyond the purported end of the drive and see if valid data is returned.  However, we have encountered a few drives that freeze or hang the imaging process if you attempt to read beyond the end of the drive with a block size that is greater than the device block size.  Needless to say, this can be disconcerting when you have already read 1 TiB of data only to have the whole process hang on the last few sectors.  Dropping down to the device block size when approaching the end of a drive should produce more reliable acquisitions.  A disadvantage is that drive acquisition will be slower at the end of the drive.
  • Examples have been added to the DD help text which show how to acquire a physical drive.
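The two DD behaviours in that changelog (reading past the putative end of a drive in device-sized blocks, and verifying a restored target by checksum) are worth seeing in code. What follows is an added example written for this post, not FAU’s own source: the FakeDrive class, the sample data and the “hangs on an oversized read across the true end” behaviour are all constructed here to stand in for a real block device. The explanation for a spurious verify mismatch (hashing the whole target instead of just the image-length prefix) is my assumption, not the cause stated in the FAU notes.

```python
"""Added example (not FAU code): image a simulated drive that misreports its
capacity, dropping to the device block size near the putative end and probing
past it, then restore the image to a larger target and verify it by checksum."""
import hashlib
import io


class FakeDrive:
    """Constructed stand-in for a raw block device (assumption: backed by a
    byte buffer rather than an OS handle).

    real_size     true number of bytes on the media
    reported_size capacity the drive claims (may be too high or too low)
    A read larger than block_size that straddles the true end raises, mimicking
    the drives the changelog describes that hang on such reads."""

    def __init__(self, data: bytes, reported_size: int, block_size: int = 512):
        self._buf = io.BytesIO(data)
        self.real_size = len(data)
        self.reported_size = reported_size
        self.block_size = block_size

    def read_at(self, offset: int, length: int) -> bytes:
        if offset >= self.real_size:
            return b""                      # beyond the media: nothing comes back
        if length > self.block_size and offset + length > self.real_size:
            raise IOError("device hung on oversized read across the true end")
        self._buf.seek(offset)
        return self._buf.read(length)       # may be short at the true end

    def write_at(self, offset: int, data: bytes) -> None:
        self._buf.seek(offset)
        self._buf.write(data)


def acquire(drive: FakeDrive, big_block: int = 64 * 1024, tail_blocks: int = 4):
    """Return (image_bytes, sha256_hex).

    Reads big_block at a time until within tail_blocks * big_block of the
    reported end, then drops to drive.block_size and keeps reading until the
    device returns nothing. An under-reporting drive is captured past its
    claimed end; an over-reporting one stops where the data stops. A drive
    that over-reports by more than the tail window can still hang, so the
    window is a heuristic, not a guarantee. tail_blocks=0 reproduces the old
    behaviour (big reads right up to the reported end)."""
    image = io.BytesIO()
    digest = hashlib.sha256()
    tail_start = max(0, drive.reported_size - tail_blocks * big_block)
    offset = 0
    while True:
        size = big_block if offset + big_block <= tail_start else drive.block_size
        chunk = drive.read_at(offset, size)
        if not chunk:
            break
        image.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    return image.getvalue(), digest.hexdigest()


def restore(target: FakeDrive, image: bytes, block: int = 64 * 1024) -> None:
    """Write the image onto a (typically larger) target drive."""
    for off in range(0, len(image), block):
        target.write_at(off, image[off:off + block])


def verify_target(target: FakeDrive, length: int, expected: str,
                  block: int = 64 * 1024) -> bool:
    """Hash exactly `length` bytes of the target and compare with the source
    digest. Passing the whole target size instead (trailing space included)
    reports a failure even though the restore succeeded; that is one plausible
    source of a spurious verify mismatch (an assumption, not FAU's stated cause)."""
    digest = hashlib.sha256()
    off = 0
    while off < length:
        chunk = target.read_at(off, min(block, length - off))
        digest.update(chunk)
        off += len(chunk)
    return digest.hexdigest() == expected


def sample_data() -> bytes:
    """Constructed 1 MiB + 3 sectors of deterministic bytes (not a real image);
    the odd tail means a 64 KiB read at the end would straddle the true end."""
    return bytes(range(256)) * 4096 + b"\xaa" * 1536


def run_demo() -> dict:
    """Exercise the over-reporting, under-reporting and verify cases."""
    data = sample_data()
    expected = hashlib.sha256(data).hexdigest()
    over = FakeDrive(data, reported_size=len(data) + 100 * 1024)
    under = FakeDrive(data, reported_size=len(data) - 4096)
    img_over, d_over = acquire(over)
    img_under, d_under = acquire(under)
    try:                                     # old behaviour against the over-reporter
        acquire(FakeDrive(data, reported_size=len(data) + 100 * 1024), tail_blocks=0)
        naive_hung = False
    except IOError:
        naive_hung = True
    target = FakeDrive(b"\x00" * (len(data) + 4096), reported_size=len(data) + 4096)
    restore(target, img_over)
    return {
        "over_ok": img_over == data and d_over == expected,
        "under_ok": img_under == data and d_under == expected,
        "naive_hung": naive_hung,
        "verify_prefix_ok": verify_target(target, len(img_over), d_over),
        "verify_whole_target_ok": verify_target(target, target.real_size, d_over),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running it shows both misreporting drives imaged byte-for-byte, the tail-window-free acquisition hanging on the over-reporter, and the checksum verify passing only when it covers the image length rather than the whole target.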

That’s all for tonight!

Cheers my friends.

Claus Valca

Security Tidbits

And here are some security related links that caught my fancy this week.

Vulnerabilities Discovered in Global Vessel Tracking Systems - Trend Micro’s Security Intelligence Blog - Super study that sent chills down my spine reading. We take so many critical infrastructure systems for granted. I hear the next block-buster action novel waiting to pounce on this for the storyline.

Cryptolocker Prevention - Foolish IT LLC blog - information on a new freeware tool to lock down any Windows OS (preventively) to block infection from the Cryptolocker malware/ransomware. When infection occurs it encrypts personal files, then offers to decrypt them for a paid ransom. More details on the utility here: CryptoPrevent. And the attack details courtesy of Ars Technica: You’re infected—if you want to see your data again, pay us $300 in Bitcoins.

Tools for reviewing infected websites - ISC Diary. They listed four and there are some more suggestions in the comment thread. Back in January 2012 I posted this fairly extensive roundup: Interesting Malware in Email Attempt - URL Scanner Links. I’ve not checked recently but hopefully more than a few of these are still active.

Learn By Example - The Hacker Factor Blog - Dr. Neal Krawetz has some wise words and poor examples of a generation that doesn’t seem to see the concern with publicly posting tweeted photos of their debit/credit cards online. I’m clueless how someone can be so ill-informed. This is just one example. I see the commercials showing banking apps for smartphones that let people take a photo of a check and deposit it in their account. I also wonder if this is common as well…or even health-coverage ID/info cards perhaps?  I suspect this is just the tip of the iceberg.

40 inappropriate actions to take against an unlocked PC - Troy Hunt’s blog - As a sysadmin, all I can say is that it is probably a violation of several computer usage agreements in the workplace to walk away from your computing device without first locking the screen to prevent unauthorized access. At the same time, it is probably a violation of additional computer usage agreements in the workplace to tamper with someone else’s computer -- even if they were a bonehead in the first place and left it unlocked. Instead what you need to do is take a photo of their unlocked screen and tweet it to everyone in the workplace. No wait…I just learned by example in the previous post that probably isn’t wise to do either. Never mind. Help us all out and just pull the power cord out slightly to kill power to the system and make them call the sysadmins when it won’t power back on. No, don’t do that either after further consideration. That might kill the system/drive and lead to a charge of wanton destruction of corporate resources; or at the very least prevent someone's unsaved labor of love on the critical TPS reports for the day. That would be bad too. OK…I give up.

Contrary to public claims, Apple can read your iMessages - Ars Technica

Experian Sold Consumer Data to ID Theft Service - Krebs on Security - Seriously, if you can’t trust the data broker companies who hold all your credit and personal financial data history records (and who they sell that data to) then who can you trust with it? Time go start digging out that backyard bunker again. Go read the article. Then get mad.

New effort to fully audit TrueCrypt raises $16,000+ in a few short weeks - Ars Technica

For your security, please email your credit card and driver’s license (and what PCI has to say about that) - Troy Hunt’s blog. See, it’s only a crazy idiotic thing to tweet your CC information if you don’t have a really important reason to do it. If you do, it is stupidly insecure. However, if you are a big corporate entity (or govermint agency/official) then you can have something called “a policy” to require your customers to photocopy items critical to establishing and proving your identity and they can do whatever they want…oh, and by the way…please send them to us via unencrypted email communications because, like, nobody can sniff that traffic while it winds its way from your laptop to our desks. Sheesh. Needless to say, Troy goes to town on this one and why it is a Bad Thing™.

Please be wise, be patient, and be proactively safe.

Claus Valca

New or Updated App Linkfest for the week

OK kiddos.  Here is an eclectic roundup of all kinds of freeware software and utility goodies that has been collected these past weeks.

I’m sure you can find something here for the little kid or serious sysadmin in you.

LightZone - Open-source digital darkroom software for Windows/Mac/Linux - free open-source alternative to Adobe Lightroom. Actively developed and supported by a very large community. If you do digital photography, then this is well worth the time to check out. Note that free registration is required to download the software. Spotted via this Noupe blog post LightZone: Totally Free Photo Lab lets you Forget Adobe Lightroom.

The Photographer's Ephemeris - free Win/Mac desktop app versions (AdobeAir based) and for $ supports smartphone/pad devices as well.  This super cool application lets photographers (film/digital) plan outdoor photography shots with natural (sun/moon) lighting conditions in mind.  Basically you provide the time and place and it will show how the light falls on your scene. I can’t believe this is free and I haven’t found it until now!  Spotted via a reference in this amazing Sean Goebel Photography: Timelapse post where Sean explains the techniques used to capture his time-lapse photo video among the observatory telescopes up on Mauna Kea, Hawaii.  Totally worth the time invested to both view the video (it even has lasers!) and read his well composed post.

Inno Setup - jrsoftware - just got a version 5.5.4 release last week. If you do Windows application/software packaging for setup and distribution this might be of interest to you. I don’t, but it was still of interest to me. I then checked innounp, the Inno Setup Unpacker, which is a SourceForge project, to see if it was updated. It isn’t quite as current but is at version 0.39 supporting Inno Setup versions 2.0.8 through 5.5.3. Why do I care about innounp, you ask?  Well, see, I lean heavily on Universal Extractor to unpack various software package files in an attempt to make semi-portable versions of them rather than fully installed versions on my system. One of the most popular packagers I run into is Inno Setup. Many developers use the latest versions of Inno Setup.  Jared Breland created Universal Extractor, but it hasn’t been updated in quite some time. Fortunately, what Jared has done is leverage many of the individual unpacker binaries in his application. So if you can find that one of the supported unpacker binaries has been updated, I find I can generally just replace the older version in UE with the newer one and keep up with the times!  So now you see why this is a good tip for you UE users.

InDeep File List Maker: List files & folders in Windows - Link and review via The Windows Club. Interesting little portable app to create listings of files in your Windows systems including removable drives and optical drive media.

Phrozen Windows File Monitor v1.0 - PhrozenSoft Blog - another neat little utility to monitor and select changes in your file system. This is an early version and the developer plans to add additional features moving forward. I really like it and the fact that you can switch between both list and tree-views. Spotted in this BetaNews post review: Phrozen Windows File Monitor lets you watch file system activity in real time. See also this Ghacks blog review: Windows Files Monitor records any file system change in its interface.

That product and those reviews then led me to find PRIMO (version 2.7.3 released Feb 27, 2012). PRIMO was developed to monitor program installs on Windows systems from Win2000, XP, Vista, & 7.

I’ve got lots of freeware utilities to monitor and log system changes, but for now we are keeping the discussion just on utilities that monitor (primarily) folder changes. Accordingly other tools you may want to check out are NirSoft’s FolderChangesView, Brutal Developer’s Directory Monitor, Leelu Soft: Watch 4 Folder 2.3 and Track Folder Changes. Do you have any other recommendations?

Oracle VM VirtualBox - Version 4.3 released on Oct 15, 2013.


--Claus Valca

In the SysAdmin Lounge

Tips, trainings and warnings for the sysadmins in IT.

Starting on December 1st, Universities that license Office Education for their faculty and staff can offer students Office 365 ProPlus for free thanks to a new program called Student Advantage. For students at these institutions, that means free access to Word, PowerPoint, Excel, OneNote, Outlook, Access, Publisher, and Lync. While many cheaper alternatives to Office have sprung up, many students still rely on Redmond’s good ol’ productivity tools.

Microsoft’s Virtual Academy has published a training course specifically for Sysinternals tools, including Process Explorer, Process Monitor, PsTools, Autoruns, etc.

Microsoft Premier Field Engineers step through a technical deep dive on utilizing SysInternals tools. This course focuses on key administrative and diagnostic utilities and addresses key insights, and best practices.


Claus Valca

Saturday, October 19, 2013

Micro Network News linkfest

Just a small collection of network-minded links of interest this week.

Free Network Sniffers, Analyzers and Stumblers - I saw some oldies-but-goodies in the list, some new ones (to me), most I was familiar with, and surprisingly missing from the list, Microsoft Message Analyzer. A lot more of the micro-sniffers/NFAT tools out there also got left off; the list seems a bit short to me and misses quite a few more worthy contenders.

Remote Capture with Message Analyzer and Windows 8.1 - MessageAnalyzer blog. Speaking of Message Analyzer, you now can remotely capture traffic with this tool (on supported target systems) without even needing a copy of Message Analyzer installed on them. Neat!  For more info see Using the Network Tracing Features over at TechNet.

Tweaking Wireshark Columns and Decodes - Packet Foo blog

We’re switching to Qt. - Sniff free or die - A development version of Wireshark 1.11.0 has been released that opens the door to using Qt for the user interface library.  The development version has some basic things working, but much of what you love about Wireshark does not. It’s a quick and interesting read.

D-Link Router backdoor vulnerability discovered - TechGeek

D-Link Router Backdoor - Schneier on Security blog

Old D-Link routers with coded backdoor - ISC Diary post

Oh my.

--Claus Valca

Windows 8.1 Links, links, and more links

Funny thing is I still have a “to-blog” folder filled with additional Windows 8 linkage I’ve collected and never got around to posting.

So I’m leap-frogging over those (for now) and getting this breaking collection of Windows 8.1 references out.

Lavie’s laptop is the only daily-driver we have around here with Windows 8 on it. Eventually I’ll need to get it updated but there is no immediate rush.

I do have that Windows 8 Enterprise IETester VM I keep around but I also have a Windows 8.1 Preview Enterprise IETester VM as well but I don’t see any benefit to upgrading either one. I’m sure eventually a fully built VM of Win8.1 will be offered at modern.IE (as of the time of this post only the Win8.1 Preview is listed).

So in the meantime, here are the most interesting or useful-looking posts this week on Windows 8.1 now that it has been publicly released.

In some subtle order that I can tell…


Claus Valca

Microsoft Remote Desktop for iOS

At work we cannot (yet) use Microsoft Remote Desktop for iOS to connect to end-user systems for troubleshooting support.

At home, the Windows versions we have for daily use are “Home” editions and really don’t support Microsoft Remote Desktop sessions…at least not without some clever hacks that I don’t really need or care to implement.

So for now, at work remote control of end user systems from iOS devices remains a dream.

And at home, I find that running TightVNC works super-spiffy and that the Mocha VNC iOS app works just fine to allow me to remote-control our home Windows systems at will from my iPhone 5.

So for now, I really don’t have an environment where I can give the newly acquired/released Microsoft Remote Desktop client for iOS devices a shake. Maybe I’ll see if I can get it going with one of the Win7/8 Enterprise IETester virtual machines I have and use for testing at home.

So, if you are curious, here are some links regarding the subject.

And if you want some interesting background, according to Kurt Shintaku, the app came from iTap, an HLW Software Development product which had been kicking around for a while and was bought by Microsoft.

INFO: Yeah, the Remote Desktop apps for Mac OS X, iOS & Android came from iTap technology acquired from HLW - Kurt Shintaku's Blog

Very interesting…

Claus Valca

Back to MS-Security Essentials for now…

In the last GSD post, I made note that I had made the change from Microsoft Security Essentials to Bitdefender Antivirus Free.

The installation process went smoothly. Once installed, my Win 7 x64 system seemed a bit “peppier” after reboots.  For the first week or two I really didn’t notice any issues at all.

Then about two-three weeks in to using it I noticed a little notification that I had 15 files quarantined.


A quick review of the log found that I hadn’t succumbed to an onslaught of malware and viruses due to sloppy computing habits.

No. Bitdefender finally got around to scanning my collection of Windows utilities and found it rife with all kinds of potentially unwanted software applications. Bad stuff.  Things from NirSoft that let me recover passwords and other things from beloved family members’ systems when they forget their system and email and other account passwords -- among other things. Oh my!

[screenshot: Bitdefender Antivirus Free Edition - Logs]

Here is what a Bitdefender quarantined file looks like.

[screenshot: Asterisk Logger quarantined, as shown in FreeCommander XE]

Well, we can’t have that!  So I went through the process of un-quarantining them.

[screenshot: Bitdefender Antivirus Free Edition - Logs, after restoring the files]

And quickly I was done.



[screenshot: Asterisk Logger restored, as shown in FreeCommander XE]

Only when I went to use one of them, the executable file refused to run!  Blocked!

Nothing I could do could get it running. It was showing “Excluded” but I just couldn’t run it.

To complicate matters, after a reboot (troubleshooting) Bitdefender appeared to be trying to do a pre-Windows clean and file removal too. Hmm. Turns out that while I was working on that issue, it also found a USB stick I carry these tools on as well and had gone to town on the same file sets on it as well. I had removed the USB stick before reboot so it couldn’t find the files it was looking for. Fortunately the system came up no worse for wear despite some fairly scary language, but my attempts to later un-quarantine the files on the USB drive failed horribly and it refused to find/see them when I tried to exclude them.  Right-clicking the quarantined files and trying to restore them wasn’t successful on the USB drive either.

So I figured I would just re-download the handful of them from Nir Sofer’s website, delete my original files on my C: and USB drives, and put them back in.

Except I was met with a very frightening and ugly warning message in my browser that Bitdefender had identified the NirSoft website as a dodgy and dangerous location and didn’t really want me going there. In fairness, on the Bitdefender Free website, if you dig down on the page it does clearly say that the product does the following:

HTTP Scanning - Protects you from scams such as credit card phishing attempts, Bitdefender Antivirus Free Edition scans all the links you access from your browser and blocks them when they prove to be unsafe.

Unfortunately for me, that was the final straw.

So I uninstalled Bitdefender and reinstalled Microsoft Security Essentials.

Then I had to delete the still not really working “excluded/quarantined” files shown above off both my local hard drive and my USB drive. Luckily I could do that once Bitdefender had been removed and the system rebooted.

Then I downloaded all the “lost” files again from their sources. MSSE caught a few of the Nir Soft downloads but they alerted immediately and I was able to restore/exclude them with no fuss and about 30 minutes later had everything put back together again.


So, I must really be unhappy with Bitdefender right?

Well, it was an inconvenience to say the least, but I’m really not bummed out. If Bitdefender were to make some minor changes to their product, it might still win me back. I really, really, really liked the fast speed and light resource use it displayed; particularly in that it made my post-boot and Windows login experience much faster and more responsive than when using MSSE.

What I would like to see is a better set of options for controlling and enabling/disabling/fine-tuning features in Bitdefender free.  Unless they are there and I’m totally overlooking them…

  • I want to be able to disable the HTTP scanning.
  • When I restore/exclude a file, I want it to return to full functionality and remain whitelisted for future downloads and execution.
  • I want to exclude portable/external drives from scans when I feel like it.
  • I would like to know when Bitdefender finds something with a real-time pop-up alert and ask me what I want to do then and there…not let me find out about it later.
  • I really would like Bitdefender to warn me at a system shutdown if it has any “pending actions” that it plans to take on the reboot…and let me decide to follow-through with those actions or postpone or cancel that activity.

I guess I just want somewhat more advanced technical control over the operations and fewer headaches putting things back to normal.

Even “basic” MSSE allows me to…

  • Disable scanning of removable drives,
  • Exclude specific running processes from scans,
  • Exclude specific file-types from a scan,
  • Exclude specific files and locations from a scan, and,
  • not fiddle with monitoring and intercepting HTTP traffic to and from my web browser.

Hopefully future versions of Bitdefender Free can incorporate these items.  If so then I’m game and open to give it another shot.

Until then, I’m sticking with MSSE and continuing to recommend it to my own family and the friends I provide IT support to…unless they are horribly poor with their computing activity and I have to clean their systems more than a few times in a row…only then will I recommend they go to a more powerful (and less flexible) AV/AM solution, and that would be Bitdefender Free over most of the other free AV/AM offerings for Windows systems.

At least for now….

Possibly related:


--Claus Valca