Showing posts with label boot-cd's. Show all posts

Monday, September 05, 2016

Lenovo Y50 Hard Drive Replacement and Windows 10

About a month ago I was asked by a family at the church-house if I could give them some advice about their son’s two-year-old Lenovo Y50 laptop.

Apparently the hard-drive had failed and time was short before he headed off to college out of state.

They had purchased a new 1 TB Western Digital laptop drive similar to the one in it but, despite good effort, had been unable to get Windows 10 reloaded on the device. They suspected more was wrong with the system and wanted that confirmed before buying him a new laptop to take with him. Basically, they said the BIOS detected the HDD but they could not get Windows 10 reloaded on the laptop.

I asked them to let me look at the system along with the bits and pieces and then I would let them know.

So, armed with my various troubleshooting tool kits and USB sticks I sat down in our sound-booth with it and ran a quick assessment.

I’m more of a Dell-guy and hadn’t had much experience with the Lenovo line. As such, getting into the BIOS took a bit of research.

The trick was something called the “NOVO” button.

I booted into the BIOS (on the Y50 using the NOVO button to the immediate left of the power button) and checked a few things.

I was able to confirm the BIOS was picking up the new HDD. 

I looked under the boot tab options and saw that it was set to UEFI.

I changed it temporarily to “Legacy” and saved. I needed it that way for the next step to work more smoothly in my troubleshooting assessment. 

I attached one of my custom USB sticks that I can use to boot a system and load/run an OS (Windows/Linux/Whatever) directly from the USB stick and not off the local HDD. 

I then hit the NOVO button again and selected to boot from my USB stick. That allowed me to load a WinPE build and run some commands to…

  1. confirm that I could see the new HDD,
  2. confirm that it was a 1 TB drive,
  3. rebuild the drive partition configuration (MBR type) and make it bootable, and then
  4. format it as NTFS using DiskPart from a command prompt window.

        diskpart
        > select disk 0
        > clean
        > create partition primary
        > active
        > assign letter=C
        > exit

Followed up by a final

format C: /fs:ntfs /q /y

It worked perfectly. That confirmed the laptop recognized the drive while running under a Windows OS and it was working as expected. Now I needed to get the Win 10 OS loaded on the hard drive.

I shut it down and rebooted it again with the NOVO button. I went back into the boot options tab and set it back to UEFI, saved the changes and rebooted. 

This time I had swapped USB sticks and now used a Windows 10 Installation Media USB that I had previously built when I was working on my own laptops a while back.

The Win 10 installer loaded and the setup wizard started.

Only I had forgotten that the HDD was still configured as MBR from my pre-testing. 

Windows Setup booted in UEFI mode will only install onto a GPT-partitioned disk, so the wizard refused to continue on the MBR disk. At the partition selection step I just deleted the MBR partition I had made so Setup could automagically recreate the layout as GPT, which a UEFI install requires. 
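As an added example (not from the original post), here is how I would script that UEFI-side disk preparation from WinPE in PowerShell so the MBR/GPT mismatch cannot happen in the first place: it checks how WinPE itself was booted (the PEFirmwareType registry value, 2 = UEFI), refuses to wipe a USB device, then runs a diskpart script that builds Microsoft's documented GPT layout (EFI system partition, MSR, Windows partition). It assumes a WinPE image with the PowerShell and StorageWMI optional components; the disk number, drive letters and script path are assumptions. The one caveat worth repeating: with a tool stick attached, "disk 0" is not guaranteed to be the internal drive, and `clean` on the wrong disk is unrecoverable, so check `list disk` before passing `-Execute`.

```powershell
# Added example, not from the original post: prepare the internal drive for a
# UEFI-mode Windows 10 install from WinPE so Setup never sees an MBR disk.
# Assumes WinPE-PowerShell and WinPE-StorageWMI are in the image.
param(
    [int]$DiskNumber = 0,   # assumption: the internal HDD; confirm with "list disk" first
    [switch]$Execute        # without -Execute the diskpart script is only written and shown
)

# How WinPE itself was booted. PEFirmwareType is 1 for legacy BIOS, 2 for UEFI;
# an installed Windows exposes the same fact as $env:firmware_type.
function Get-FirmwareMode {
    $ctl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name PEFirmwareType -ErrorAction SilentlyContinue
    if ($ctl) {
        if ($ctl.PEFirmwareType -eq 2) { return 'UEFI' } else { return 'Legacy' }
    }
    if ($env:firmware_type) { return $env:firmware_type }
    return 'Unknown'
}

$mode = Get-FirmwareMode
if ($mode -ne 'UEFI') {
    throw "Booted in $mode mode; Windows only boots a GPT disk when installed from UEFI mode. Start the installer stick via its UEFI entry (or keep MBR for Legacy)."
}

# Guard against the classic mistake: with a tool stick plugged in, disk 0 is
# not guaranteed to be the internal drive, and "clean" is unrecoverable.
$disk = Get-Disk -Number $DiskNumber -ErrorAction Stop
if ($disk.BusType -eq 'USB') {
    throw "Disk $DiskNumber is a USB device ($($disk.FriendlyName)); refusing to wipe it."
}

# Microsoft's documented UEFI layout: EFI system partition, MSR, then Windows.
# S: and W: are WinPE-side letters only; Setup assigns its own later.
$script = @"
select disk $DiskNumber
clean
convert gpt
create partition efi size=100
format quick fs=fat32 label="System"
assign letter=S
create partition msr size=16
create partition primary
format quick fs=ntfs label="Windows"
assign letter=W
list partition
exit
"@

$path = Join-Path $env:TEMP 'uefi-gpt.txt'
Set-Content -Path $path -Value $script -Encoding ASCII
Write-Host "diskpart script written to $path`n$script"

if ($Execute) {
    & diskpart.exe /s $path     # /s runs the script non-interactively
    if ($LASTEXITCODE -ne 0) { throw "diskpart exited with code $LASTEXITCODE" }
}
```

Run it once without `-Execute` to review the generated script, then `.\prep-uefi.ps1 -DiskNumber 0 -Execute`. After it finishes, Windows Setup started in UEFI mode will accept the disk as-is and install into the W: partition.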

It did and then the rest was just watching Win 10 install, reboot a few times, creating a local user account, and dumping on the OS updates. 

Because it had Win 10 on before, it automatically loaded the license key from BIOS storage and activated Win 10 once fully installed and after I connected it to the Internet. 

Done. The Y50 was a sharp looking (and running) laptop and I was impressed during my short service time with it.

Note: I had planned on looking at the failed hard-drive to see if any data could be recovered and ported back over onto the new drive, but they said that wasn’t needed and would just go with a fresh-start. I left it to them to follow up with any remaining software application reinstalls as well.

I didn’t kick off the new Win 10 "Anniversary Edition" build update release since this was to be just a short “assessment” service but told them that it should eventually auto update in a week or so. I also let them know they could force it on early by heading over to this Microsoft site page and following the instructions. 

And I advised them to keep these links handy as well. 

                The family didn’t have to shell out for a new laptop and all was well.

                Cheers.

                Claus Valca

                 

                Additional reference notes:

                Saturday, April 30, 2016

                Possible Windows 10 Alternative Install?

                I’m not sure anyone really knows what Microsoft will do once the “free upgrade” period to Windows 10 expires.

                Will folks who haven’t upgraded their systems get a second chance from Microsoft and still be able to attempt a free upgrade after that point?

                Will Microsoft remove the “free” offer and require purchase of future Windows 10 upgrades for supported OS’s?

                If so, will Microsoft uninstall/strip out all their “Get Windows 10” software dumped on Windows 7/8/8.1 systems and their browsers?

                I guess we will find out in a few months.

                So I was wondering if there could be a backup plan to get Windows 10 safely and stably installed on our seemingly incompatible laptops before that time-limited offer expires – just in case.

                My thought was to take a backup of our Windows systems (see previous post), then wipe out Windows entirely and reload a clean build of a Linux OS version.

                All of these come in (or support) the Cinnamon desktop theme that I like best.

                I’ve already been able to run all of them on my laptops via Easy2Boot to confirm they all work just fine (actually stupid-fast and stable unlike Windows 10) on our laptop hardware and WiFi network.

                Once I have Linux running, I can then either install VMware Workstation Player or Oracle VM VirtualBox.

                Next I should then be able to create a VM and just do a clean install of Windows 10 into it and activate it. I’ve been running the free Windows 10 VM’s offered by Microsoft for some time in both just fine.

                I guess the only serious drawback is figuring out how to “secure” the Linux OS – or if I really need to!  I’m so conditioned to have so many firewalls, anti-exploit, anti-malware, and anti-crypto-locker layers running on my Windows systems I’m honestly not sure what to do. It’s one thing for a Windows guy or gal to play with and use various Linux distros in a “LiveCD” type of manner, it’s another thing to load them on your hardware and depend on them as your daily driver OS.

                There really just aren’t the same number of Linux AV/AM products out there – because they really aren’t needed? To a Windows sysadmin running an OS without that protection in place just seems like going out in public naked!

                Does anyone have any thoughts, links, or software recommendations regarding setting up a layered security approach on a home-user’s Linux OS system? Or it is really just not needed?

                Cinnamon Extras:

                Easy2Boot Extras:

                Cheers,

                --Claus Valca

                Saturday, October 31, 2015

                Updating Dell BIOS using WinPE

                TinyApps.org blog recently posted about an interesting situation.

                Short post shorter, after a recent hardware change, issues were encountered on a Dell system until the BIOS was updated.

                I’ve been seeing an increased pattern of issues after hardware is replaced or upgraded on Dell systems. They usually clear up after the BIOS gets updated.

                Unfortunately, Dell seems to only be offering BIOS update files for most systems via an EXE deployment solution.

                The idea is that you would download the Dell BIOS EXE update file to your Windows system, run the file, then the system reboots and the BIOS gets flashed/updated.

                That makes sense unless you are sitting on a system (or hundreds) that don’t yet have a Windows OS installed, or have replaced the HDD in the system and don’t have an OS on it. Or maybe you do have a flaky system with a Windows OS but can’t keep it stable enough to run the BIOS EXE update file.

                This week I had that very problem and wondered if I could perhaps deploy the BIOS EXE file via a WinPE environment and bypass the “installed” Windows need totally.

                In my case…for the particular Dell systems I was working on, I could, I did, and it worked perfectly.

                Your mileage may vary, proceed at your own risk, etc.

                The “trick” seems to be that you have to use an x86 WinPE build rather than an x64 WinPE flavor: x64 WinPE ships without the WoW64 layer, so a 32-bit updater EXE will not even start in it. More details on “why” here if you are curious.

                If you already have a working WinPE build and want to confirm (maybe you didn’t build it yourself) just run the following command in your loaded WinPE environment from a command prompt:

                wmic OS get OSArchitecture

                Sadly, the Dell LTI bootable flash drive I had was running a x64 version.

                Luckily I still had one of my trusty custom WinPE CD disks I built a long time ago and I had built it using the x86 package so I was set.

                So here is what I did to flash the Dell BIOS with no loaded HDD:

                1. I downloaded the BIOS update needed for my specific Dell system from Drivers & Downloads | Dell US using another system after confirming by entering the system’s ServiceTag/Serial number on the page.
                2. I copied it to a USB drive.
                3. I booted the target Dell system with my (x86) WinPE boot CD and had the USB flash drive with the BIOS update file also connected to the system.
                4. Once WinPE had loaded, I navigated to the BIOS EXE file on the USB drive and ran it.
                5. It executed with no errors and the system rebooted, applied the update, and rebooted again.
                6. I hit F12 and confirmed the BIOS version updated, the hardware was detected in the BIOS, and that the ePSA diagnostics all ran normally.
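An added example (not from the original post or from Dell) of the pre-flight checks I would run in WinPE before executing a vendor BIOS updater from a USB stick: compare the file hash against the one published on the vendor download page, require a valid Authenticode signature from the vendor (a flasher runs with full hardware access, so an unsigned or tampered EXE is the worst thing you can launch), and read the PE header to confirm the EXE's bitness matches the WinPE build, which is exactly the x86-vs-x64 failure described above. It assumes PowerShell 4 or later in the WinPE image (WinPE-PowerShell, for Get-FileHash); the updater path and the `O=Dell` subject match are assumptions. The signature check may report a status other than Valid if the WinPE image lacks the root certificates; in that case verify the file on a full Windows machine before copying it to the stick.

```powershell
# Added example, not from the original post or from Dell: pre-flight checks
# before launching a vendor BIOS updater EXE from a USB stick inside WinPE.
# Needs PowerShell 4+ in the image (WinPE-PowerShell) for Get-FileHash.
param(
    [string]$Updater = 'D:\BIOS_Update.exe',   # assumption: the EXE copied to the USB stick
    [string]$ExpectedSha256 = ''                # optional: checksum from the vendor download page
)

# Read IMAGE_FILE_HEADER.Machine from the PE header to learn the EXE bitness.
function Get-PeMachine {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        if ($br.ReadUInt16() -ne 0x5A4D) { throw "$Path has no MZ header" }
        [void]$fs.Seek(0x3C, 'Begin')              # e_lfanew: offset of "PE\0\0"
        $peOffset = $br.ReadUInt32()
        [void]$fs.Seek($peOffset, 'Begin')
        if ($br.ReadUInt32() -ne 0x00004550) { throw "$Path has no PE signature" }
        switch ($br.ReadUInt16()) {
            0x014C  { 'x86' }
            0x8664  { 'x64' }
            default { 'other' }
        }
    } finally {
        $fs.Dispose()
    }
}

function Test-BiosUpdater {
    param([string]$Path, [string]$Sha256)
    $problems = @()

    # 1. Integrity: the file on the stick must match what the vendor published.
    if ($Sha256) {
        $actual = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
        if ($actual -ne $Sha256) { $problems += "SHA-256 mismatch: file is $actual" }
    }

    # 2. Authenticity: a flasher runs with full hardware access, so require a
    #    valid signature and a signer we expect (the subject match is an assumption).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "Authenticode status is $($sig.Status), expected Valid"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Dell') {
        $problems += "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # 3. Bitness: x64 WinPE ships without WoW64, so a 32-bit EXE cannot start there.
    $machine = Get-PeMachine -Path $Path
    $is64 = [Environment]::Is64BitOperatingSystem
    if ($machine -eq 'x86' -and $is64) {
        $problems += 'EXE is 32-bit but this WinPE is x64; boot an x86 WinPE build instead'
    } elseif ($machine -eq 'x64' -and -not $is64) {
        $problems += 'EXE is 64-bit but this WinPE is x86'
    }
    return $problems
}

$issues = @(Test-BiosUpdater -Path $Updater -Sha256 $ExpectedSha256)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Pre-flight checks failed; not running the BIOS updater.'
}
Write-Host "All checks passed, launching $Updater"
& $Updater
```

Usage from the WinPE prompt: `powershell -ExecutionPolicy Bypass -File .\flash-check.ps1 -Updater D:\A12.exe -ExpectedSha256 <hash from the download page>`. If the bitness check fails you have found the problem the post describes before the flasher ever runs.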

                Done!

                That saved almost 1.5 hours of otherwise deploying (if I could) an image to the system and getting it configured enough to be operational for just a BIOS EXE deployment run.

                I’ve posted a lot of write-ups here on GSD blog regarding custom WinPE disks. You can go crazy or super-simple.

                If you don’t feel like reviewing all those posts, here are some tools or basic steps in building your own WinPE boot tool:

                It’s been quite a while since I built a WinPE disk/USB. The ones I’ve made in the past still keep on loading and working for my off-line system booting needs, so I really haven’t had a need to update them at all.

                I think the last one I built was based on a pre-release WAIK version for Windows 8 (WinPE 4.0).

                I might need to add making a fresh Win10 WAIK-based WinPE build to my considerable “to-do” list so I can try out the changes to WinBuilder and some of these other “newer” WinPE building tools that have come along since I last fiddled with things.

                Hope this helps.

                Cheers,

                Claus Valca

                Sunday, April 12, 2015

                New (borrowed) life for the Shuttle SK41G

                A few weeks ago I dug my old Shuttle SK41G system out of mothballs.

                It was my very first “homebrew” custom build back in the very early part of 2004 and I was very proud of it.

                I had to RMA it as soon as it came in for a replacement due to a no-boot issue. The replacement unit did just fine.

                In Summer 2006 I upgraded it to 1 GB of system RAM from the original (amazing) 512 MB of RAM I built it with. I think the HDD was a 120 GB PATA drive. And it had a 512 MB AGP graphics card.

                In Fall of 2006 I ended up replacing the PSU due to bad capacitors. I somehow crammed an oversized Shuttle form-factor 250W unit into it to upgrade from the 200W stock one I was using.

                A few weeks later I hacked another couple of case-fans onto it to make a Frankenstein-ish monster of case cooling. It helped.

                In Summer of 2007 I had to reformat and reload my Windows XP OS and upgraded to a 500 GB HDD.

                In Summer 2008 I then maxed the RAM out to 2 GB.

                Somewhere before 2010 I upgraded it from XP to Windows 7.

                I used it a while longer but it eventually got shoved aside as we adopted more modern hardware and laptop platforms. Eventually I wiped the drive, buried it in the closet and forgot about it.

                Fast forward to the present.

                I wanted to set up a “guest” computer for the in-laws to use when they came to stay with us for a few weeks. So the Shuttle got hauled out, dusted off, and pressed back into service.

                The first good sign was that it booted right up…well the hardware did, no OS as the drive was wiped.

                I first ran a LiveCD of LXDE Desktop » PCLinuxOS that loaded just fine and confirmed the hardware was very functional.

                I thought it would be really cool to put Windows 10 TP on it, right?

                Only it has a CD-ROM drive so I couldn’t use a DVD for Windows 10.

                No problem.  I followed this guide along with Rufus and in a few hours had Windows 10 TP loading up.

                Well, I guess there was that little problem about not being able to boot from a USB flash drive no matter what device boot options I chose.  Apparently back in the heyday booting from CD’s was all the rage and standard and I wasn’t so much into needing to boot the Shuttle from a flash drive.

                That took more research until I hit on this article: BIOS: Phoenix-Award (Shuttle SB83G5), boot from USB-stick via “Live USB | dual boot” blog.

                Conclusion

                The boot setting for this system should be:

                • First Boot Device: USB-ZIP
                • Second Boot Device: CDROM
                • Third Boot Device: HD
                • Boot Other Device: Enabled

                Finally I was able to rock on forward with the Windows 10 TP installer booting/loading from my USB stick.

                Until I hit this error.

                [screenshot: Windows 10 TP installer error]

                I guess I shouldn’t be surprised. The CPU I had bought was an Athlon XP Socket A (462) model. It was pretty good for the time of my original system build and struck a compromise between performance and value but it’s not so modern now.

                So I pulled out my Windows 7 OS upgrade disks, ripped an ISO copy of it, and more Rufus time. I’m still good on my licenses so I had some to spare. I had to do the clean install Win 7, then turn around and upgrade the clean Win 7 install again to Win 7 so I could activate it, but it did activate with no issues.  That took more time than needed.

                Apparently I’ve misplaced both my 120 GB and 500 GB HDDs that were in it previously. Well, I know where they are, but I just grabbed a spare 40 GB PATA drive I had sitting on my desk at the time of the rebuild. It worked fine and since it is to be a guest PC, I didn’t care about having lots of space.

                Strangely, as I was trying to download and install software on it after it was up and running I kept getting all manner of certificate errors! It was so bad I could hardly browse the web.

                Turns out this article held the key: Why am I getting security certificate errors? - Ask Leo!

                Yep, my BIOS battery had died and the BIOS kept resetting the clock to the caveman epoch each time I pulled the power cord to fiddle with the hardware. Seriously. Certificate validation compares the certificate’s validity period against the local clock, so with the date set years in the past every site’s certificate looked not-yet-valid.

                Some more searching and I found that the Shuttle system takes a CR2032 button battery. (PDF file link from Shuttle’s FAQ page)

                I just happened to be at Lowes that same weekend picking up a new clothes dryer unit (it transpired that the magic smoke I was vaguely smelling wasn’t coming from the Shuttle but the dryer as it slowly died) when I spotted a checkout station end-cap display that had a pack of CR2032 batteries. Handy.

                With that swapped out and the BIOS time/date clock set current and holding, all the certificate errors went away and I could finish out the updating/software-loading/security perimeter placements.

                I hoped that the ATI-512MB AGP card would be a good fit but the Win 7 driver support for it now is horrible. I wasn’t in the least impressed with it. So I swapped it out for a 512 MB NVidia “Doom” AGP card that had better driver support…only it barely does.  I may yet yank it out and go with the stock VGA onboard video and be done with it.

                I did some minor tweaks to the wallpaper selection, the login screen, etc.; going with a giraffe theme as that was Alvis’s favorite animal and her (now deserted) room is filled with the giraffes that she collected growing up. (sniffle).

                Windows 7 is running stably and is pretty snappy considering it is operating on a single core CPU, with 2 GB RAM on a 40 GB HDD. It’s the OS that our family members are most comfortable with so there is that.

                However, I’m seriously considering blowing it out and going to a 32-bit version of The LXLE Desktop Linux distro. I haven’t done a LiveCD boot of this OS yet on it as I don’t have a DVD ROM drive, and don’t really care to add one at this point. So it will be another adventure with Rufus and the LXLE Desktop ISO. I tried an Ubuntu LiveCD OS load on it but it just sat there and blinked at me so I think it also wasn’t too impressed with the older hardware. I did get PCLinuxOS going on it initially so I remain positive I’ll find an OS package that is both light, stable, and modern.

                In the meantime all the case-fans I’ve added to it over the years are still breathing new life into it and it spins on.

                Now I’ve also got to change out that crazy anime-themed custom front panel insert I did with a giraffe-themed one. Seriously…WTF was I thinking back then?!!!

                In one final note, it’s good to see that the Shuttle company is still alive and thriving. Shuttle Computer US Website. I’ve got a long-term project to build a standalone network firewall and intrusion detection system (or maybe fiddle with Kali and Snort) for the Valca micro-ranch…but I’m pretty sure a Raspberry Pi would be a more economical solution.

                Ahh, memories.

                Normal people pull out scrapbooks & geeks pull out the hardware in their closets.

                The adventure continues…

                --Claus Valca

                Monday, February 16, 2015

                Presidential (Day) Sysadmin Links

                Yes indeed. It is Washington’s Birthday (a.k.a. Presidents’ Day) here stateside.

                So while I try to find balance on this odd day off (but on call), running errands around town, lightly blogging, and doing “honey-please-do-for-me’s” around the house, I thought I would “celebrate” by dropping some linkage for the sysadmin crowd.

                Enjoy.

                I’ve been using a very old x64 build release with no issues, but decided it was finally time to go back to the updated x32 release line. So, Saturday I downloaded the FreeCommander PortableApps version and got busy rebuilding my FreeCommanderXE + Total7zip Plugin mods. Worked just fine when I was finally done.

                • DriverBackup! - SourceForge.net - New driver backup utility find.
                • Double Driver - BooZet Freeware - Old standby to backup and restore installed drivers.

                I mention these as while it is always a good idea to do a full system backup periodically, and make sure you have valid OS re-installation media, the core installation media will not usually have all the custom drivers for your system and unless you do a driver backup in advance, you will spend tons of time tracking down needed drivers when you restore your system. Just saying.

                Looking at the Korora project got me thinking about the many, many various Linux LiveCD and desktop projects out there. I recently downloaded a “lite” distro LiveCD to give to a family friend in case the old Windows (Vista) PC they pulled out of mothballs (when their primary system got handed to me for service) didn’t load. These are the ones that I recommend and carry an ISO for around with me; just in case.

                • PCLinuxOS - In KDE, LXDE, MATE, or “FullMonty” desktop editions.
                • Ubuntu PC operating system -Well rounded and very compatible.
                • Linux Mint - In Cinnamon, MATE, KDE, and Xfce versions
                • SymphonyOS - uses the Mezzo desktop
                • Kali Linux - Advanced Penetration Testing Distribution - Not for general users but is super-powerful when you need extra tools for sysadmin/sec work.

                Cheers!

                --Claus V.

                Sunday, February 08, 2015

                System Stress Testing – 2015 Edition

                Was it almost 5 years ago when I last posted some system stress testing tools? Wow!

                grand stream dreams: System Stress Testing Suites

                Since that time I still find myself reaching for specialized tools to stress test system hardware and components when troubleshooting a system.

                Being able to stress a system when you are looking for performance or stability issues is critical. Having tools that you can run while monitoring the system are super-useful to see if you can force a problem to exhibit or if you want to be certain your solution has fixed the issue.

                Back in the day, I recommended Bart's Stuff Test 5 but it doesn’t say it supports “modern” Windows systems any longer.

                Funnily enough, this post What is New in Windows Application Execution? from the SANS Digital Forensics and Incident Response Blog jogged my memory when it mentioned a new-to-me SuperFetch parsing tool.

                That tool doesn’t necessarily apply here, but the developer TMurgent does provide a ton of updated free tools that fit great with performance testing and stressing Windows systems.

                New and Updated (Free) Tools – Confessions of a Guru blog

                Performance tools – TMurgent Technologies

                Here are the other stress testing tools I keep on my USB stick

                More sources where I found some of these tools listed:

                In addition to these Windows platform tools, LiveCD packages are available to boot your hardware system with a Linux-based OS and run additional stress test suites.

                Happy Stressing!

                --Claus Valca

                Misc PXE/USB/HDD booting tips and tricks – Linkfest

                Here is a mini linkfest of articles I have collected over the past month.

                They generally deal with “specialized” booting of Windows systems.

                Note: I love Kanguru flash drives, primarily because of the physical read/write lock switch their models provide. It is IMHO a must-have when responding to incidents or cleaning infected systems.

                The last link above is more of a product announcement but it does claim to address one new trend in USB technology – BadUSB attacks where the USB firmware is compromised when the USB stick is attached to an infected host. What I don’t know is if their FlashTrust technology still allows the drive to be configured as a “bootable” USB drive or not. I’ve found that some natively (firmware/hardware based) encrypted USB flash drives cannot be used as bootable USB drives for – say – WinPE building and boot usage.

                I don’t have a Kanguru FlashTrust drive to test drive or review for you but I’ll be looking to add one to my collection since my trusted 16 GB Kanguru Flashblu II 2.0 device is getting filled close to max capacity. This new USB 3.0 drive looks really nice and a 32 GB version should do nicely.

                Cheers!

                --Claus Valca.

                Getting at your Windows 8 OS key

                This was new to me!

                Up until a few weeks ago, my experience with Windows license keys has been either to get it in the retail box, access it from the COA sticker on the OEM PC case, find it on the underside of the laptop or in the battery well. Of course if you are doing an enterprise-wide deployment you probably already know your volume activation product key as part of your support documentation.

                But where do you find the OS license key on a Windows 8 system?

                Turns out, it goes along with something I had missed during the Windows 8 rollout – on OEM machines the key is now embedded in the system firmware (the ACPI MSDM table) rather than printed on a sticker, and Windows Setup reads it from there.

                If you haven’t run into this problem because your Win 8 systems are running fine, then there is a good chance – like me – your first introduction to this new model can be a bit shocking.

                If it is OEM purchase (Dell/HP/etc.) then you probably won’t find it on a sticker any longer, however, you can use NirSoft’s ProduKey to get it before hand for archival purposes in case you need to reinstall the OS.

                This happened to a co-worker so here are the specifics.

                The user had purchased an OEM Windows 8 system from a big-box store.  The HDD had failed miserably so there was no chance at even trying to get the key from the OS using ProduKey.

                The user didn’t have any system restore or OS restore disks. And you can’t easily download the Windows OS install disks from DigitalRiver like you can for Windows 7 OS systems.

                Option 1) – Build a WinPE boot disk and then download RWEverything | Read & Write Everything utility and stick it on a USB key. Then boot the (former) Win 8/8.1 system with the WinPE disk and run the RWEverything app from the USB to access and note the Win 8/8.1 BIOS-embedded OS key. Then download the Windows 8/8.1 ISO file from Microsoft and use the recovered key to enable the download to occur.

                Option 2) – Download the Windows 8/8.1 ISO file and use the appropriate Windows 8/8.1 “trial” key to get the ISO file. Then when you go to activate the product, it should pick up the original OEM key embedded in the BIOS.

                Option 3) – Just download and build a Windows 8.1 installation set using the Windows Installation Media Creation Tool. Boot the impacted system, install Windows, once running it should pick up the BIOS embedded Windows 8/8.1 license key and keep moving.
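As an added example (not from the original post), here is how to read that firmware-embedded OEM key yourself in PowerShell, doing what ProduKey and RWEverything do in the options above: first via the SoftwareLicensingService WMI class (only available on an installed Windows), then by falling back to the raw ACPI MSDM table through GetSystemFirmwareTable, which also works from a WinPE boot when the PowerShell and .NET optional components are present. The MSDM layout (36-byte ACPI header, five 4-byte fields, then the key text) and the two magic DWORDs come from the ACPI and Win32 documentation; the type name Win32Native.Firmware is an arbitrary choice. Treat the recovered key like a password: file it with your records, not in a public ticket.

```powershell
# Added example, not from the original post: recover the OEM Windows key that
# OEMs embed in firmware (the ACPI "MSDM" table) without third-party tools.
# Runs on an installed Windows and, given the WinPE-PowerShell and WinPE-NetFx
# optional components, from a WinPE boot as well.

function Get-OemKeyFromLicensingService {
    # The easy path, available only on a running Windows install (not WinPE).
    $svc = Get-WmiObject -Class SoftwareLicensingService -ErrorAction SilentlyContinue
    if ($svc) { return $svc.OA3xOriginalProductKey }
}

function Get-OemKeyFromAcpi {
    # GetSystemFirmwareTable takes the provider 'ACPI' as a big-endian DWORD and
    # the table signature 'MSDM' in memory byte order, as documented for the API.
    if (-not ('Win32Native.Firmware' -as [type])) {
        $sig = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@
        Add-Type -MemberDefinition $sig -Name 'Firmware' -Namespace 'Win32Native' | Out-Null
    }
    $ACPI = 0x41435049
    $MSDM = 0x4D44534D
    $size = [Win32Native.Firmware]::GetSystemFirmwareTable($ACPI, $MSDM, $null, 0)
    if ($size -eq 0) { return $null }            # no MSDM table: no OEM key in firmware
    $buf = New-Object byte[] ([int]$size)
    [void][Win32Native.Firmware]::GetSystemFirmwareTable($ACPI, $MSDM, $buf, $size)
    # MSDM layout: 36-byte ACPI header, then Version, Reserved, DataType,
    # DataReserved and DataLength (4 bytes each), then DataLength bytes of key text.
    $len = [BitConverter]::ToInt32($buf, 52)
    return [Text.Encoding]::ASCII.GetString($buf, 56, $len)
}

function Get-OemProductKey {
    $key = Get-OemKeyFromLicensingService
    if (-not $key) { $key = Get-OemKeyFromAcpi }
    # Sanity check: 25 characters in five dash-separated groups.
    if ($key -match '^[A-Z0-9]{5}(-[A-Z0-9]{5}){4}$') { return $key }
    return $null
}

$key = Get-OemProductKey
if ($key) {
    Write-Host "Firmware-embedded OEM key: $key"
} else {
    Write-Host 'No firmware-embedded key found; the key must come from a COA sticker or your records.'
}
```

On a healthy machine the WMI path answers immediately; on the dead-HDD case in the post, boot WinPE and the ACPI path reads the same table straight from firmware, which is the whole reason Option 3 above activates without typing a key.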

                Because my friend already had a WinPE-based boot disk, he went with Option 1 and was eventually able to download the Windows 8 ISO files needed to set the system up, activate it again, then spend tons of time trolling the OEM’s site downloading the additional custom drivers needed to clear the issues in the device manager. It was a hassle but it was possible.

                So now I have backed up Lavie’s new’ish Dell laptop Win 8 key to save future headaches. And I have stowed a portable version of RWEverything on my WinPE bootable service USB stick.

                More resources and references for Win 8 BIOS-embedded keys, key recovery tools, and Windows 8 ISO download links and trial keys.

                Super-special hat tip to Philip Yip who produces amazing Windows support guides over on his Unofficial Windows Guides blog. Extensive documentation and support material is here – very well organized – a must-bookmark site for anyone supporting Windows OS’s.

                Cheers,

                --Claus Valca

                Saturday, December 20, 2014

                Sysadmin Links - QuickPost

                Stand back from your browser! Here comes a messy GSD Quickpost with tons of linkage for sysadmins….

                New or Useful Software

                PowerShell

                Windows Diagnostic tool “PerfView”

                • Download PerfView - Microsoft Download Center - This little gem of a Windows performance collection tool is sweet! I’m really loving the ease of its data collection.
                • PerfView Tutorial - Channel 9 - Different video series than the “Defrag Tools” listed below, Vance Morrison has some short mini-videos reviewing the tool, its usage, and some example applications. Good stuff!

                Additional videos that are longer and more detailed on the tool.

                Tips and Tricks

                Windows 10

                Windows/Updating

                Network Nuggets

                Cheers!

                Claus Valca

                Saturday, October 04, 2014

                New and Improved Utilities

                Network Stuff Found and Updated

                Which brings me back to the pretty cool Windows “firewall” application GlassWire. Previously featured via tinyapps.org, I spotted a new review of it that had some fresh examples of its usefulness; illustrating alert event marking for later examination. In one case, it helped a user discover network activity from malware that had gone undetected.

                Then in those comments there was a reference to the KDE application KNemo - Network Monitor.

                Utilities of Usefulness

                • AOMEI PE Builder - I’m always keeping one eye open on new WinPE building tools and this seems useful for the non-tech crowd who may not be up to taking on a project from the WinBuilder tool or one of the many specialized building sets at reboot.pro. For someone just getting their feet wet, this might be a good place to get started.
                • OPSWAT AppRemover - I keep rediscovering this tool every year or so. It is updated regularly and can aid in the removal of many Supported Applications. Good for a first-pass on a new OEM system.
                • GEGeek Tech Toolkit - Considering the work I do finding and maintaining all the tools and utilities on my own USB stick, this seems like a cheat, but if you are lazy, here you go. Related are the NirLauncher package builder and KLS Soft’s WSCC - Windows System Control Center (also update to version 2.3.0.1 as of Sept 2014).
                • OpenSaveFilesView - NirSoft - new utility that displays files previously opened with the open/save dialog box. More on NirBlog.  Spotted via this Betanews post.
                • FixWin v 2 for Windows 8, Windows 8.1 - The Windows Club - Easy but powerful tool to fix common Windows issues. Use with caution. Similar tool may be (the no longer developed but still available) d7 Free tool from Foolish IT LLC.

                Lights, Sound, Action!

                Cheers,

                Claus Valca

                Sunday, September 14, 2014

                WinFE LinkFest

                It really hurts to get behind in my postings.  Brett Shavers has been running in overdrive mode lately over at the WinFE blog.

                In case you have been living under a rock, or just been busy and harried like me, here is a sampling of the exciting news and events over at WinFE blog.

                Which was quickly followed by new update posts…

                WinFE Course and Free WinFE course, and finally the big announcement Windows Forensic Environment – WinFE Online Course Now Available - WinFE blog

                Just in case anyone isn’t clear, the course page is linked below so everyone can find it easily. I’m probably blind this morning but didn’t seem able to find a big/direct course-reference link from the drop-down menu options or displayed prominently on the side-bar.

                Note: There are two “preview” course sections you can look at without first having to sign up if you are curious.

                WinFE blog points to this course review by Ken Pryor at the Digital Forensics Blog if you are curious on what to expect before signing up: Windows Forensic Environment Training Course Review

                And a review of these posts should bring one pretty current on the WinFE world.

                Kudos to Brett Shavers and all the hard work he is doing for the community!

                Cheers,

                --Claus Valca

                IsoStick & Zalman/IODD enclosures

                Update: I really hate when I lose a primary source that inspired me to write a post to begin with! The following Malwarebytes Unpacked blog post was the genesis of this entire post. Not only does it provide good context for the IsoStick’s usage but also a great “Pros/Cons” roundup as well. - CV

                I have two main hardware data-storage platforms I prefer to use. Both carry my library of “portable” sysadmin & for/sec tools and utilities when working with systems. The second also carries ISO files of LiveCD’s and other ISO-packaged installation media. Both are LiveOS bootable; however the first is limited to WinPE type loads while the second gives me an expansive array of LiveBoot options.

                The first is my trusty Kanguru Solutions brand (write-block switched) 16 GB Kanguru USB flash drive. The latest iteration is called “FlashBlu30” and uses the USB 3.0 format. Mine is an older 2.0 version but is still very spiffy. Unfortunately, despite all the house-cleaning, I’ve only got less than 2 GB of free space remaining so I’m trying to decide if I want to invest in a 32 GB or 64 GB newer version. Decisions!

                The second is my faithful iodd : Multi-boot madness! external hard drive enclosure. It has gone through a lot of changes since first coming out and the current distributor/name is Zalman. Long story short, these external HDD drive enclosures allow for storage of ISO files and then loading/launching them as virtualized drives. Basically, instead of carrying a large stack of CD/DVD media with you, just load your ISO images of them on the drive and then select/boot accordingly from your external drive enclosure. Cool! Amazon has a large selection of Zalman enclosures at crazy-cheap prices, including USB 3.0 models. And who doesn’t have some spare 2.5” HDDs lying around these days to drop into one?  I personally like the ZM-VE300 and ZM-HE130 models. Oh, one more thing, they also have physical write-block switches to protect your drive from write-back if used on a questionable (infected) system.

                So with those preferences in mind, I’ve been watching the steady development and growth of a product that seeks to marry the convenient-carry of a USB stick with the ability to load ISO files via a virtualized optical drive like the IODD/Zalman enclosures.

                So how does it work? Basically when you purchase the ISOSTICK, you are getting a USB stick “enclosure” in which you can load/swap microSDXC cards. Seems more convenient in some ways than the IODD/Zalman approach. It does require use of the FAT32 format but can split ISO files so the 4 GB limit isn’t an issue. (With later firmware updates, the IODD/Zalmans could support NTFS formatted partitions.) And it also comes with a hardware read-only switch. Available in the US from Amazon.com: isostick for under $100.
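The FAT32 single-file limit the ISOstick works around is a general problem for anyone carrying large ISO images on FAT32 media. The following is an added example written for this post (not ISOstick firmware or anything from the vendor): it splits an image into pieces that each stay under the FAT32 limit, records a SHA-256 per piece plus one for the whole image in a manifest, and verifies both on reassembly so a truncated or altered piece is caught rather than silently booted. The piece naming (`<name>.000`, `.001`, ...) and manifest layout are this example's own conventions, and the 5000-byte "image" in `demo()` is constructed test data.

```python
"""Split a large ISO into FAT32-safe pieces and verify that they reassemble intact.

Added example, not ISOstick code: the piece naming (<name>.000, .001, ...) and the
manifest layout are this example's own conventions.
"""
import hashlib
import os
import shutil
import tempfile

FAT32_MAX_FILE = 2**32 - 1   # FAT32 cannot store a single file of 4 GiB or more
DEFAULT_PIECE = 2**31        # 2 GiB pieces leave a comfortable margin under that limit


def sha256_of(path, bufsize=1 << 20):
    """Stream a file through SHA-256 so multi-GB images never sit in RAM at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):
            h.update(block)
    return h.hexdigest()


def split_file(src, out_dir, piece_size=DEFAULT_PIECE):
    """Write src as numbered pieces in out_dir plus a manifest; return the piece names."""
    if not 0 < piece_size <= FAT32_MAX_FILE:
        raise ValueError("piece_size must be positive and below the FAT32 single-file limit")
    base = os.path.basename(src)
    names = []
    manifest_path = os.path.join(out_dir, base + ".manifest")
    with open(src, "rb") as f, open(manifest_path, "w") as manifest:
        manifest.write(f"whole {sha256_of(src)}\n")   # end-to-end check for the rebuilt image
        index = 0
        while True:
            name = f"{base}.{index:03d}"
            piece_path = os.path.join(out_dir, name)
            written, h = 0, hashlib.sha256()
            with open(piece_path, "wb") as out:
                while written < piece_size:           # copy in 1 MiB blocks up to piece_size
                    block = f.read(min(1 << 20, piece_size - written))
                    if not block:
                        break
                    out.write(block)
                    h.update(block)
                    written += len(block)
            if written == 0:                          # source exhausted: drop the empty piece
                os.remove(piece_path)
                break
            manifest.write(f"{name} {h.hexdigest()}\n")
            names.append(name)
            index += 1
    return names


def join_pieces(out_dir, base, dest):
    """Reassemble the pieces listed in the manifest, verifying each piece and the final image."""
    with open(os.path.join(out_dir, base + ".manifest")) as m:
        entries = [line.split() for line in m if line.strip()]
    whole_expected = entries[0][1]
    with open(dest, "wb") as out:
        for name, expected in entries[1:]:
            piece = os.path.join(out_dir, name)
            if sha256_of(piece) != expected:
                return False                          # piece truncated or altered on the media
            with open(piece, "rb") as f:
                shutil.copyfileobj(f, out)
    return sha256_of(dest) == whole_expected


def demo():
    """Round-trip a constructed 5000-byte image in 2048-byte pieces.

    Returns (piece_count, rebuilt_ok, rebuilt_ok_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "boot.iso")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 19 + b"\x00" * 136)   # constructed 5000-byte payload
        out = os.path.join(tmp, "pieces")
        os.mkdir(out)
        names = split_file(src, out, piece_size=2048)
        ok = join_pieces(out, "boot.iso", os.path.join(tmp, "rebuilt.iso"))
        with open(os.path.join(out, names[-1]), "r+b") as f:   # flip one byte in the last piece
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        tampered = join_pieces(out, "boot.iso", os.path.join(tmp, "rebuilt2.iso"))
        return len(names), ok, tampered
```

Running `demo()` gives three pieces, a successful verified rebuild, and a rejected rebuild once a single byte of a piece has been changed. For real media, pass `split_file` the default 2 GiB piece size; the per-piece hashes also make it easy to spot which piece a flaky card corrupted.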

                If you are looking at -- or already using -- an ISOSTICK, I recently spotted this project worth exploring.

                And the reboot.pro forums have a lot of good resources for general ISOstick users and the curious: ISOstick - reboot.pro

                Cheers,

                --Claus Valca

                For/Pen/Sec LiveCD Updates

                Here are some updates regarding forensic/pen-test/security aligned LiveCD projects released over the past several weeks.

                Kali Tools Website Launched, 1.0.9 Released - Kali Linux - The latest release version of Kali is 1.0.9. Also now available is their Kali Linux Tools which documents all the tools included in Kali, including descriptions, link-back to the tool’s main-page, and sample output from the tool. Very helpful stuff.

                Kali Linux 1.0.8 Released - EFI Boot Support - Kali Linux - Previous release information (July 2014).

                Kali Linux 1.0.7 Released - Kali Linux - Previous release information (May 2014)

                Official Kali Linux Downloads - Kali Linux - ISO/torrent download page

                Offensive Security Kali Linux ARM and VMWare Images - Alternative builds download page

                New Release of REMnux Linux Distro for Malware Analysis - Lenny Zeltser on Information Security - from the linked post, “The new release adds lots of exciting free tools for examining malicious software. It also updates many of the utilities that have already been present in the distro.”  The post has a great listing of the added tools with link-backs. ISO/virtual-appliance downloads and details at REMnux.

                DEFT 8.2 ready for download - DEFT Linux - Computer Forensics live CD - some bug fixes and Ubuntu package updates.

                PALADIN EDGE and Creating a USB - SUMURI LLC - PALADIN EDGE is based on the current Ubuntu release and will not contain their “Forensic Toolchest” package. Their PALADIN build will continue to have the package and is based on the long-term-support (LTS) version of Ubuntu.

                Cheers,

                --Claus Valca

                Saturday, April 26, 2014

                ForSec Linkpost

                …and here is a hand-picked selection of particularly practical and informative ForSec links.

                I’ve been very busy these last several months as we have worked almost non-stop at the office to migrate our platforms from Windows XP to Windows 7, so my energy level and free time are only now catching back up in my personal life.  New books to read and review, stuff like that.

                Whew!

                Hopefully some more normal and original (as in “contributory” rather than re-linking) GSD blog-content posting will follow moving forward.

                And now for a change of pace…

                • DEFT 8.1 and DART 2 2014 - DEFT Linux - new version releases of the LiveCD platform and accessories.
                • Index of /files/dart - So DART 2 2014 is basically a collection of Windows applications bundled in a slick and well-organized launching platform that can help with some forsec activities if you aren’t using the Linux DEFT bootable OS. Use of these tools on a live system in most cases will not be forensically sound “out of the box” but the situation may call for their usage. Certainly they present a convenient and well-rounded way for knowledgeable sysadmins and responders to have a great collection of tools in one place.
                • CAINE Live CD/DVD - Alternative project to DEFT but similar in the approach. I mention it because previous versions were bundled with a DART-like Windows package called…
                • WinTaylor - (scroll down a bit to see/download the files), only WinTaylor has been superseded by the new…
                • Win-UFO package now included in CAINE.  Which leads us to this…
                • Win-UFO v4 Introduction (by Casey Mullis) over at LoveMyTool which provides a nice video introduction to this specialized Windows utility packaging.
                • WinFE Success Story - WinFE blog
                • Mini-WinFE Updated - WinFE blog. Brett Shavers highlights some exciting goings-on in the WinFE world with the Mini-WinFE project.  Check out the comments on the post as Troy (Larson) makes mention of the benefits of “Windows to Go” as a WinFE platform plus more, as well as support in WinPE 5.1 for the “WimBoot” feature. And I had previously found this What is Windows Image Boot (WIMBoot)? post and shared it in my sysadmin-related post. Interesting options! Can’t wait to see where these new off-shoots might take us!

                Cheers!

                --Claus V.

                Sunday, March 09, 2014

                Boot Me: LiveCD’s/WinPE/WinFE and other things…

                Quick-post for the offline system booting and LiveCD/USB-booting crowd.

                “One of our goals when developing Kali Linux was to provide multiple metapackages that would allow us to easily install subsets of tools based on their particular needs. Until recently, we only had a handful of these meta packages but we have since expanded the metapackage list to include far more options:

                • kali-linux
                • kali-linux-all
                • kali-linux-forensic
                • kali-linux-full
                • kali-linux-gpu
                • kali-linux-pwtools
                • kali-linux-rfid
                • kali-linux-sdr
                • kali-linux-top10
                • kali-linux-voip
                • kali-linux-web
                • kali-linux-wireless

                “These metapackages allow for easy installation of certain tools in a specific field, or alternatively, for the installation of a full Kali suite.”

                Cheers!

                --Claus Valca

                Saturday, January 11, 2014

                ForSec News SuperPost

                I’m really embarrassed I let this collection of ForSec posts grow this large. There really aren’t any good excuses.

                Honestly.

                If it were any other weekend, I might take the time to break them down into a series of smaller posts, but the weather is super-nice after our recent Gulf-Coast hard-freeze and I really want to get outside and play for a bit.

                So either set aside a lot of time before you get started, get a nice beverage handy, or just bookmark the monster that it is and come back when the weather outside is frightful.

                Seriously, it’s that big but the material posted is also that good.

                Warm Up Exercises

                Practical Cyber Security Training Techniques for New IT Support Employees - (PDF link) - SANS Reading Room paper.

                (IN)SECURE Magazine - Issue 40 (December 2013) Released including topics

                • Testing anti-malware products
                • Using Tshark for malware detection
                • 5 questions for the head of a malware research team
                • Malware analysis on a shoestring budget
                • Report: Virus Bulletin 2013
                • Digital ship pirates: Researchers crack vessel tracking system
                • Exploring the challenges of malware analysis
                • Evading file-based sandboxes

                Doing things faster - Hexacorn blog - nice summary of personal tools and techniques used to improve your IT workflow.

                Hacked Via RDP: Really Dumb Passwords — Krebs on Security
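The Krebs piece above is about RDP exposed with guessable passwords. From the defender's side the signal is a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, often cycling through account names. The following is an added example for this post, not anything from the linked article: a small sliding-window detector run over constructed, simplified key=value log lines (not a real Windows export; the source addresses are from documentation ranges).

```python
"""Flag RDP password guessing from failed-logon events (Event ID 4625, logon type 10).

Added example for this page; SAMPLE_EVENTS is constructed in a simplified key=value
form rather than a real Windows Security log export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2014-01-10T03:12:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2014-01-10T03:12:04Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2014-01-10T03:12:07Z EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.7
2014-01-10T03:12:09Z EventID=4625 LogonType=10 TargetUser=guest SourceIP=203.0.113.7
2014-01-10T03:12:12Z EventID=4625 LogonType=10 TargetUser=user SourceIP=203.0.113.7
2014-01-10T03:12:15Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2014-01-10T03:15:00Z EventID=4625 LogonType=2 TargetUser=alice SourceIP=-
2014-01-10T03:20:00Z EventID=4625 LogonType=10 TargetUser=alice SourceIP=198.51.100.20
2014-01-10T03:21:00Z EventID=4624 LogonType=10 TargetUser=alice SourceIP=198.51.100.20
2014-01-10T04:00:00Z EventID=4625 LogonType=10 TargetUser=bob SourceIP=198.51.100.20
"""


def parse_events(text):
    """Turn 'TIMESTAMP key=value ...' lines into dicts with a parsed 'time' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(field.split("=", 1) for field in fields)
        rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per source when >= threshold RDP failures land inside the window.

    Only logon type 10 is counted; with Network Level Authentication enabled,
    failures arrive as logon type 3 instead, so tune the filter to your environment.
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    users = defaultdict(set)        # source -> distinct account names tried so far
    alerts = {}
    for e in sorted(events, key=lambda r: r["time"]):
        if e.get("EventID") != "4625" or e.get("LogonType") != "10":
            continue
        src = e.get("SourceIP", "-")
        if src == "-":                      # local or unattributed failure
            continue
        q = failures[src]
        q.append(e["time"])
        users[src].add(e.get("TargetUser", "").lower())
        while q and e["time"] - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "first_alert": e["time"],
                "failures": len(q),
                "usernames": sorted(users[src]),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_guessing(parse_events(SAMPLE_EVENTS)).items():
        print(src, info["first_alert"].isoformat(), info["failures"], info["usernames"])
```

On the constructed data only 203.0.113.7 trips the alert (five failures within fourteen seconds, four distinct account names); the two failures from 198.51.100.20 are forty minutes apart and stay below the threshold. The username list is what separates a locked-out user from a dictionary run.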

                All About the Windows AutoRun

                The ISC Diary has been running a series of posts on Windows auto-run techniques.

                These reminded me of a very long-running series of related (and highly-detailed) posts over at the Hexacorn blog that started back in 2012 with the most recent (Part 6) posted yesterday.

                Well worth bookmarking for reading and refreshing.
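The ISC Diary and Hexacorn series above catalogue where Windows will start programs automatically; the Run and RunOnce keys are the first places most responders look. The following is an added example for this post (not code from either blog): it parses a regedit `.reg` export of those keys and flags entries that launch from user-writable folders, run through a script host, or use an unquoted path containing spaces. `SAMPLE_REG` is constructed data, not a real system export, and the heuristics are starting points rather than an exhaustive autoruns check.

```python
"""Audit Run/RunOnce entries from a regedit .reg export and flag suspicious autoruns.

Added example for this page; SAMPLE_REG is constructed test data, not a real export,
and the heuristics are illustrative rather than a full autoruns-style check.
"""
import re

# Constructed export in regedit's .reg text format (backslashes and quotes are escaped)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"UpdateHelper"="C:\\Users\\alice\\AppData\\Roaming\\update_helper.exe"
"Maint"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Local\\Temp\\maint.vbs\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"AcmeAgent"="C:\\Program Files\\Acme\\agent.exe -silent"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
AUTORUN_KEY_RE = re.compile(r'\\Run(Once)?$', re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "regsvr32.exe", "rundll32.exe", "cmd.exe"}
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\downloads", r"\users\public")


def unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_autoruns(text):
    """Return string values found under any ...\Run or ...\RunOnce key in the export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or not AUTORUN_KEY_RE.search(key):
            continue
        v = STRING_VALUE_RE.match(line)
        if v:
            entries.append({"key": key, "name": unescape(v.group(1)),
                            "command": unescape(v.group(2))})
    return entries


def first_executable(command):
    """Return (program_path, was_quoted) for the program part of a Run value."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end if end > 0 else None], True
    m = re.match(r'(.*?\.exe)(?=\s|$)', command, re.IGNORECASE)
    if m:
        return m.group(1), False
    return (command.split()[0] if command else ""), False


def audit_reg_text(text):
    """Apply the heuristics to every autorun entry; return only the flagged ones."""
    findings = []
    for entry in parse_autoruns(text):
        exe, quoted = first_executable(entry["command"])
        exe_name = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        low = entry["command"].lower()
        reasons = []
        if exe_name in SCRIPT_HOSTS:
            reasons.append("script host")
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("user-writable location")
        if not quoted and " " in exe:
            reasons.append("unquoted path with spaces")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_reg_text(SAMPLE_REG):
        print(f["name"], "->", f["command"], "|", ", ".join(f["reasons"]))
```

On the constructed export the OneDrive and SecurityHealth entries pass, while `UpdateHelper` (binary under Roaming), `Maint` (wscript running a script from Temp) and `AcmeAgent` (unquoted path through `Program Files`) are reported. To use it on a real system, export the Run keys with `reg export` and feed the file's text to `audit_reg_text`; the output is a worklist for a human, not a verdict.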

                Blog Posts from the Forensic Experts

                Holidays and crazy winter weather haven’t slowed the blogging production of these masters of the forsec world.

                Speaking of RegRipper…

                Moving down the road a bit

                And over in the factory

                And one last interesting post…

                Case Studies

                Sharpen your saw on these fascinating breakdowns of malware and incident responses.

                Speaking of malware analysis, I recently found a new (to me) blog that has some great analysis posts.

                The posts are quite detailed and richly illustrated. Definitely worth checking out and adding to your RSS feed pile as I have done.

                Meanwhile, over at the Open Security Research blog, a new series has been started on using the debugging tool WinDBG.

                WinFE News

                It has been forever since I last built my WinFE. I’m hoping to update it by walking through a fresh build in the next month or so. Brett Shavers’ blog site is rich with great tips and tools and documentation that makes rolling your own (stock or custom) WinFE package a piece of cake.

                More ForSec LiveCD News

                Back when I started blogging a lifetime ago, there were really fewer than a handful of useful forensic-focused LiveCD builds available. Most have disappeared but luckily a wealth of others sprung up to take their place. It’s all I can do to stay on top of all the updates and releases of my favorites.

                Hackage & Pwnage (and other almost depressing news of late for consumers and from the thin front line)

                Like most every American, we woke up to very bad news around Christmastime with the announcement that Target had been seriously breached. The post-mortem work appears to be silently continuing but the news has been saturated with corporate data and account breaches lately. We are still waiting for our replacement cards to come in. What a drag, but a small price to pay. It seems like things are getting worse, but what is discouraging is that these are probably the only ones main-stream media is focusing on and people are paying attention to. These smaller breaches occur daily at businesses large and small. My only hope is that not only will excellent forensic analysis lead to applicable lessons learned to improve things (if actually deployed) but that the public will understand the sharper and narrower razor’s edge we seem to be walking down with our personal data and the dependency on data security. Of course this whole “NSA” backdrop is another fine mess but I’ll leave that for another day.

                First the bad news recorded here for posterity.

                And woe the consumer…

                …and what about those SnapChat users?

                Of course if you try to do the right thing…expect possible whack-a-mole response to your head…

                Talk about frustrating…

                Have I been pwned?

                Meanwhile, leave it to an Aussie to continue to fight the good fight for consumer security.

                Have I been pwned? -  Check if your email has been compromised in a data breach

                It’s not only a great way to stay personally informed about any security breaches but it’s a good way to show non-technical family and friends this really does impact them. Family and friends may shake their heads at the news stories, but when you have them type one of their email addresses in here and it (unfortunately) shows up…it becomes much more personal.
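The same service later added a Pwned Passwords lookup built so the secret itself never leaves your machine: the client SHA-1 hashes the password, sends only the first five hex characters of the hash, receives every suffix sharing that prefix, and matches locally (a k-anonymity range query). The following is an added example for this post, not HIBP's own client code; it assumes the public range endpoint `https://api.pwnedpasswords.com/range/<5-hex-prefix>` answering with `SUFFIX:COUNT` lines, and `CONSTRUCTED_RESPONSE` is a made-up stand-in so the check runs offline.

```python
"""Check a password against Pwned Passwords without revealing it (k-anonymity range query).

Added example for this page, not HIBP's code. It assumes the public range endpoint
https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>, which answers with
"SUFFIX:COUNT" lines; CONSTRUCTED_RESPONSE is invented for offline use.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{}"

# Constructed stand-in for one range response (the counts are invented, not live data)
CONSTRUCTED_RESPONSE = (
    "1D72CD07550416C216D8AD296BF5C0AE8E0:9\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2\n"
)


def hash_prefix_suffix(password):
    """SHA-1 the password; only the 5-character prefix is ever sent over the network."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Map each returned 35-character suffix to its breach count."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup (needs network); pass another callable to breach_count for offline use."""
    with urllib.request.urlopen(RANGE_URL.format(prefix), timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Return how many times the password appeared in breaches (0 = not found)."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def demo_offline():
    """Run the check against CONSTRUCTED_RESPONSE and record what would leave the host.

    Returns (count_for_'password', count_for_a_passphrase, prefix_sent)."""
    sent = []

    def fake_fetch(prefix):
        sent.append(prefix)
        return CONSTRUCTED_RESPONSE

    hit = breach_count("password", fetch=fake_fetch)
    miss = breach_count("correct horse battery staple", fetch=fake_fetch)
    return hit, miss, sent[0]


if __name__ == "__main__":
    print(demo_offline())
```

The offline run shows "password" matching the constructed entry while the passphrase does not, and that the only thing handed to the fetch function was the five-character prefix `5BAA6`. That prefix is what makes the design safe to show to non-technical family: the service learns which bucket of roughly several hundred hashes you asked about, never the password.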

                A few odds-and-ends in closing…

                Just some odds and ends I’ve found these past weeks.

                Avira PC Cleaner – a second opinion scanner - Avira – TechBlog. Spotted via this BetaNews blog post, Avira reveals stand-alone Avira PC Cleaner.

                FBCacheView - NirSoft - Shows Facebook images stored in the cache of your Web browser

                Security Essentials for Windows XP will die when the OS does - Ars Technica - Really? Like anybody was surprised by this news.

                Cheers!

                --Claus Valca