Showing posts with label imagex. Show all posts

Sunday, March 09, 2014

All Kinds of USB Cloning Challenges…

Part one of this story…

One of the duties I have in the shop is to take an image of a bootable USB master stick we get and clone that image to our team’s USB sticks for a project.

We then use that USB to image our systems.

In the past I have requested purchase of a dedicated USB duplication device such as this Aleratec 1:10 USB 3.0 Copy Cruiser Mini Duplicator. It’s a very cool tool and has some good supporting software and can handle a lot of concurrent image restorations efficiently.

That never passed through the approval process though, so I’ve been left with using a poor-man’s solution.

First, find a good multi-port USB hub. They are pretty inexpensive so you could get a bunch. I particularly like these as the capacity is high with 10 USB ports.

You can find some with up to 25 USB ports if you search deeply enough.  What I liked about these were that the ports seem pretty widely spaced to allow for oversized USB stick cases. That isn’t always the case.

Tip: If you pick up ones with the ports too closely spaced, then you are left either not using all the ports due to clearance issues or having to pick up a bunch of 1.5ft USB 2.0 A Male to A Female Extension cables to get them all plugged in with the clearance issue worked around.

OK. Now that the hardware is set up, the imaging software.

There are a lot of free USB imaging tools out there.

For one-off imaging work I prefer to use Alex’s USB Image Tool. It can capture an image, it can restore an image, you can take a full device image or a partition image.  What I really like is that it also provides additional details about the device such as the serial number and other coded information. That’s helpful if you want to log each device for tracking.  However I don’t find it quite as well suited for restoring the same image to multiple sticks concurrently.

Instead I like to use the free PassMark Software ImageUSB utility.

It captures a BIN file format of the entire USB device (rather than the partition).

And it can restore the image concurrently to as many USB sticks as you want with nary a fuss or hiccup.

It doesn’t give you the same amount of device details (serial numbers/etc.) that the USB Image Tool does, but that’s why having a few different tools in your toolbox is helpful.

So here’s the recipe for the poor man’s multi-USB duplicator:

Use ImageUSB to capture your USB stick to an image file.

Connect up your multi-port USB hub(s) as needed to your system.

Plug in your target USB drives to the hub ports.

Use ImageUSB to write your USB image to the USB sticks.

Done.

Important Note: The capacity of the USB sticks you are putting the image onto needs to be either equal to, or greater than, the capacity of the original “master” USB stick. If not, you will either end up truncating your image and risking data loss, or (depending on the software) it won’t write the image at all.

This matters because not all USB sticks that claim the same “X” capacity actually have the same amount of accessible space on them. That leads us to…

Part 2 of this story.

See, the above process has been rolling on quite well for some months now.

Only we needed more USB sticks for each team-member to carry with the same image build to hike up multi-tasking efficiencies.

And the purchaser ended up selecting and buying USB sticks that were a different model/make. Even though both were USB 3.0 sticks, and even though both were “64 GB” capacity sticks, when I went to put the image taken from the original stick model on the new one, the accessible capacity of the second USB stick was enough lower that I could not safely or confidently put the image on it without risking truncating the image/data in the process.

That’s not good.

So this is what I ended up doing on my x64 bit Win 7 system…

(Method 1)

I first captured an ImageX (file-based) image of one of my larger cloned USB sticks.

I used the x64 version imagex binary as found in the latest Windows Assessment and Deployment Kit (Windows ADK) (GSD blog link).

Depending on your drive letterings, the command-line may vary but the basic structure is thus:

imagex /capture E: c:\temp\USB_Image.wim "USB Image base"

where “E:” is the USB drive letter and “C:” is my local system hard drive.

This captured all the files on the (larger 64 GB) USB drive into a WIM format image.

Then I removed my larger master USB stick.

I then connected the other (smaller 64 GB) USB drive to my system.

And did this from the command line window.

>DISKPART

DISKPART>LIST DISK

note: this was to confirm which disk number the USB drive was showing at…in this case the USB stick was disk 1 as my system disk was disk 0. Be sure you get this part identified correctly or bad things can happen! Your system will almost certainly vary!

DISKPART>SELECT DISK 1

DISKPART>CLEAN

DISKPART>CREATE PARTITION PRIMARY

DISKPART>ACTIVE

DISKPART>ASSIGN LETTER = E

DISKPART>EXIT

>format E: /fs:ntfs /q /y

note: at this point I have a freshly formatted (smaller) USB stick that is empty. Next I need to make it “bootable” so the USB stick will work as designed for system booting/imaging after the files are restored. I used the bootsect.exe tool to do this. You should be able to find it under the Windows ADK that you probably installed to get to this point to first have snagged imagex.

> bootsect /NT60 E:

note: now it is a “bootable” USB stick we need to put the files back on it again with the imagex utility.

imagex /apply c:\temp\USB_Image.wim 1 E:
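The DISKPART, format, bootsect and imagex sequence above, plus the capacity rule from the Important Note, wrapped as a PowerShell script. This is an added example, not code from the original post: it looks the disk up through WMI, refuses to run CLEAN against disk 0 or anything not attached over USB, compares what the image needs against the target’s reported size, and only then feeds DISKPART a script file and runs the remaining steps. It assumes an elevated prompt and that imagex.exe and bootsect.exe from the Windows ADK are on the PATH; the parameter names and the TOTALBYTES parsing of `imagex /info` output are this script’s own.

```powershell
# Added example (not from the original post): rebuild a smaller USB stick from the
# file-based WIM captured earlier, with identity and capacity checks before DISKPART
# runs CLEAN. Assumes an elevated prompt and that imagex.exe and bootsect.exe from
# the Windows ADK are on PATH. Disk index, image path and drive letter are parameters.
param(
    [Parameter(Mandatory = $true)][int]$DiskIndex,    # number shown by LIST DISK
    [Parameter(Mandatory = $true)][string]$ImagePath, # .wim (file image) or .bin (device image)
    [string]$Letter = 'E',
    [switch]$Go                                       # without -Go only the checks run
)
$ErrorActionPreference = 'Stop'

# Runs an external tool and stops the script on a non-zero exit code.
function Invoke-Step {
    param([string]$Exe, [string[]]$Arguments)
    Write-Host ">> $Exe $($Arguments -join ' ')"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# How many bytes the image needs on the target. A device image (.bin/.img) needs
# its own length; a WIM is compressed, so ask imagex for the TOTALBYTES of the index.
function Get-ImageBytesNeeded {
    param([string]$Path)
    $length = (Get-Item $Path).Length
    if ([IO.Path]::GetExtension($Path) -ne '.wim') { return $length }
    $info = (& imagex.exe /info $Path 1 2>&1) -join "`n"
    if ($info -match '<TOTALBYTES>(\d+)</TOTALBYTES>') { return [int64]$Matches[1] }
    return $length   # fallback: the file size is only a lower bound for a WIM
}

$disk = Get-WmiObject Win32_DiskDrive | Where-Object { $_.Index -eq $DiskIndex }
if (-not $disk) { throw "No physical disk with index $DiskIndex" }

# Never touch disk 0, and refuse anything that is not attached over USB.
if ($DiskIndex -eq 0 -or $disk.InterfaceType -ne 'USB') {
    throw "Disk $DiskIndex ($($disk.Model)) is $($disk.InterfaceType); refusing to CLEAN it"
}

$needed = Get-ImageBytesNeeded $ImagePath
"Target: disk {0} {1}, {2:N0} bytes; image needs {3:N0} bytes" -f $DiskIndex, $disk.Model, $disk.Size, $needed
if ([int64]$disk.Size -lt $needed) {
    throw "Target is smaller than the image; writing it would truncate data"
}
if (-not $Go) { 'Checks passed; re-run with -Go to partition, format and apply.'; return }
if ([IO.Path]::GetExtension($ImagePath) -ne '.wim') {
    throw 'Device images (.bin) are written with ImageUSB; this script only applies WIMs'
}

# The DISKPART sequence from the post, fed as a script file instead of typed in.
$dpScript = @"
select disk $DiskIndex
clean
create partition primary
active
assign letter=$Letter
exit
"@
$dpFile = Join-Path $env:TEMP 'usb_rebuild_diskpart.txt'
Set-Content -Path $dpFile -Value $dpScript -Encoding ASCII
Invoke-Step 'diskpart.exe' @('/s', $dpFile)
Invoke-Step 'format.com'   @("${Letter}:", '/fs:ntfs', '/q', '/y')
Invoke-Step 'bootsect.exe' @('/nt60', "${Letter}:")          # boot code goes on first
Invoke-Step 'imagex.exe'   @('/apply', $ImagePath, '1', "${Letter}:")
```

Run it once without -Go to see which disk it has resolved and whether the image fits; only the second run, with -Go, partitions and formats anything. The USB/not-disk-0 guard is there because DISKPART’s CLEAN is the step where a mis-read LIST DISK output costs you a system drive.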

Great!

At this point I now have the original USB file sets from the larger bootable USB stick ported over to the smaller (also now bootable) USB stick.

I then used ImageUSB to capture a fresh (and smaller) device-based image file of that USB stick.

I then wrote that image to all of the smaller USB sticks.

Done and they all worked just like their bigger brothers.

Now I have two image files to use depending on the target drive’s capacity.

Had the original image been from the smaller drive then I could have put it on the larger drive with no worries or concerns as I would not have faced data truncation in that instance. If the tiny bit of capacity difference mattered, I could have used something like gparted to then expand the partition to take in the remaining unused capacity.

But if you don’t want to do all this stuff, there was another path I could have taken (I’m not sure it was any less work though).

(Method 2)

In this path, I would have first taken a volume-based image of the larger USB stick first using the USB Image Tool.

This doesn’t get me any of the magic code that makes the device bootable; it just captures all the partition’s files, as an alternative to using ImageX.

Then I would have removed the master stick, placed in the smaller target stick, still done the whole DISKPART & format & bootsect steps in method 1.

Then I would have used the USB Image Tool to put the volume image back on the USB stick.

Then I would have captured the device image using the ImageUSB utility, and used it to put that image on the remaining (smaller) USB sticks I needed to clone.

Lesson to be learned?

Well, not all 64 GB USB sticks are the same. And if you have a big project that requires cloning a lot of USB drives, it might be wise to stick with the same exact USB make/model/capacity for the project to avoid having to create multiple images to handle the different stick capacities.

Bonus Tip:

Once you have the image file captured, if you don’t want to plug in your USB stick but want to reference the files/structure in it, you can use any of a number of tools to mount that image for review:

The WIM file can be handled in any number of ways with Windows tools and utilities. Most are fun and geeky. But for a fast, no-fuss solution, PeaZip can be used to open/extract WIM files no problem.

If you have a BIN or IMG image file, then you have some other options as well.

OSFMount - PassMark Software, maker of the ImageUSB utility we have been discussing, also has this free tool that handles all kinds of image files for mounting and some manipulations.

It is based on the ImDisk Virtual Disk Driver coded by Olof Lagerkvist.

There is also the amazing Gizmo Drive software that is free and handles mounting of a crazy-wide number of image file formats.

Then there is my other long-time favorite virtual drive mounting tool; SlySoft Virtual CloneDrive.

Happy USB cloning!

Claus Valca

03/11/14 post update -- Correction made to references. PassMark Software is maker of ImageUSB utility. Previously had noted it was OSForensics, which is their URL and also the name of their free/$$ multi-feature computer forensics application. Credit to Steve Si for catching my error and alerting me.

Also, check out Steve Si’s timely post Bulk duplication of USB drive images over at his RMPrepUSB, Easy2Boot and USB Booting… blog. Steve goes into great detail about the differences in storage capacity that can be found, even between the same USB devices from the same maker.  He also includes a tutorial on using his RMPrepUSB tool to handle the image capture portion rather than relying on some potential gotchas that lurk with using the ImageUSB tool. Check it out and his comment to this post below.

Sunday, February 16, 2014

Windows Assessment and Deployment Kit (Windows ADK)

Yes. Yes. I know.

It has actually been out for quite a while now.

(I’m specifically referring to the release version for Windows 8 & 8.1.)

For some reason this small bundle of ADK links got lost in the pile I’d planned to post here as a reference.

But then I just found it so here they are.

…moving on…

--Claus V.

Sunday, September 09, 2012

Scratching at a SCSI Drive Itch - Part II - WinPE Redux

In the first installment, Scratching at a SCSI Drive Itch - Part I - Hello Ubuntu, we were sitting on this problem:

  1. I had a bevy of Dell PowerEdge servers to secure wipe.
  2. Each server used a SCSI controller board and held two SCSI drives of varying size.
  3. I was using DBAN / Darik's Boot And Nuke to do a DoD 3-pass short wipe pattern on them.
  4. I was seeing random “non-fatal” error reports when wiping was done.
  5. I wanted to perform a secondary sector-based verification of the wipe efficacy.
  6. My custom WinPE 3.0 boot-CD disk didn’t have the needed drivers and I was having great difficulty finding them.
  7. I worked out using Ubuntu to accomplish the task, but it wasn’t time-efficient.
  8. A storm was brewing and development time for a solution was short.

The Rub…as they say…

was in the particular set of Adaptec SCSI controller drivers I needed.

The bad news was that I had a collection of Dell PowerEdge server models from 1300’s to a 2800, and just about all steps in between.

The good news is that in using DBAN, during the system and SCSI hardware boot process, they listed themselves. I noted they were the following:

  • Adaptec AIC-7890
  • Adaptec AHA-2940
  • Adaptec AIC-7860

At least I had something more specific to search for…now could I just find them in a WinPE 3.0 compatible driver format?

WinPE Revisited…Tip #1

Apparently, I wasn’t the only one who had encountered this problem finding WinPE drivers for Dell servers.

Chris Osborn had also run into a similar challenge and documented it in his fairly recent post Insentricity :: Installing Windows 7 Without a DVD Drive ::

In his case he was trying to install Windows 7 on a Dell PowerEdge server (different model from my collection) via USB from a WinPXE source. Only it didn’t have the Adaptec SCSI controller drivers needed. Sounded familiar.

In Chris’s case, he was able to track down the specific Adaptec AIC driver file source.

The problem after booting the WinPE was that it refused to see the HD. After lots of googling trying to figure out how to add drivers to the WinPE image I finally found the secret incantation. It actually wasn't too bad, the real trick was figuring out what to download from Dell. Even with the service tag entered on their site, they give you back an abundance of "things" that may or may not be the driver you're looking for. When I tried the first SCSI driver I downloaded it didn't work so I spent a long time trying to figure out how to convince the WinPE to load the driver. I then decided to try a different driver from Dell, and sure enough, it worked right away.

I could do all that I suppose, but trying to figure out which was the correct Adaptec driver I needed from each of the Dell PowerEdge server driver pages, unpack the Dell driver executable package, and then drop them into a LiveCD to test each time (hoping they would work under PE 3.0) still seemed like a lot of work. Though it did leave me hopeful.

WinPE Revisited…Tip #2

Next I stumbled upon Dell’s AppAssure product page while searching for Adaptec SCSI drivers in the particular models I had.

This page, Protecting and recovering an EFI system looked promising and seemed to use a custom WinPE platform Replay Recover Anywhere (RRA) to accomplish its mission. Additional digging on the site led me to a PDF file of the tool that talked about both the “RAA Driver Library” and listed the ones provided. Sure enough, there on page 22 were the SCSI Adaptec drivers I was looking for…and then some!

Basically the process was this: download the Boot CD Builder. Next, get the driver download package for the Replay 4 Boot CD Builder and unpack them.

Then, install the RRA Boot CD builder and inject the readied driver pack. Burn the CD. Done.

Simple, right?

Well, not exactly. Turns out, as cool as the RRA building tool is for us WinPE geeks, it requires provision of a product License Key to work.

Not so good, but not a total loss as I got some good takeaways.

  • Even if it can’t be used directly, you can download/install and get all kinds of components out of the BootCD building package including some drivers, some interesting WIM files to pick around, and it was interesting learning and exploring the building tool’s file structure and components.

    Below you can see the folder structure for the AppAssure Boot CD Builder installation.

  • The collection of controller drivers for WinPE was golden and too vast to list. It was freely accessible and was easily downloaded, unpacked, and readied for use as needed in this project. Some of these may or may not work under WinPE 3.0, but it’s a good place to start in a single location for a wide range of hardware. Below you can see a list of the folders (and sub-folder “AlternateDrivers”) that the package provides.


WinPE Revisited…Tip #3

I next found this forum thread for someone looking for Windows 7 (WinPE 3.0) Adaptec driver.

Unable to locate Windows 7 compatible driver for Adaptec AIC-7892 - Microsoft Answers

Seemed a stupid thing, but I popped over and dug around on Adaptec’s site. I won’t link to everything I chased but the following should get interested folks started.

It took me a while but I quickly confirmed that it pretty much didn’t matter what family/driver I needed; they were bundled together and all paths led to a few Roman cities, and Windows 7 was listed as a supported driver! Yea!

I also found that the driver packages themselves, being both small in number and small in size, and Windows 7 supported, would not add too much size to my pre-existing custom WinPE 2.0 build.

So for good measure I went ahead and snagged every Adaptec “Ultra” SCSI driver hardware pack download I could find along with the 2940 Family pack. I think I also grabbed the “SAS-4000, SAS-4800SAS, SAS-4805SAS” pack as well. It may sound like a lot but in the end it resulted in just 4 or 5 zip file packages to unpack and tuck away. Just pay attention to the ultimate pack filenames and you will see what I am talking about.

I finally had my WinPE 3.0 Adaptec drivers! Success was in reach.

By the way, did I mention I also found this?

Dell Driver CAB files for Enterprise Client OS Deployment - Enterprise Client - Enterprise Client - Dell Community TechCenter

At the very top of the page you will find WinPE 2.0 and WinPE 3.0 Driver CABs for Dell Enterprise class systems (Latitude, Optiplex, Precision). The WinPE 3.0 collection is very fresh (07/2012).

The log-jam had broken and the flood was coming!

Inject Me!

Next we have to get the drivers added into the existing WinPE boot.wim file.

I’ve mentioned it before, but “wmmayms” had a great, well-illustrated guide that walks one through the process.

Guide: Adding drivers to a custom winPE (3.0) - boot images - Windows-Noob. This post explains just about everything you need to know about the manual/command-line process. It uses the DISM.exe tool and is pure command-prompt based, baby.

Then these additional guides are great and clear supplements.

DISM - WinPE 3.1 Boot Environment - The IT Bros. In this alternative guide and building method, Brian Jackson takes us on a most-excellent walkthrough from start to finish. Not only does he help us from the very start in collecting our materials, but besides the command-prompt, Brian offers some custom WinPE 3.1 Scripts of his own and then leverages one of my favorite WinPE wrangling tools, GImageX.

You might also want to compare both of these methods with this Create a WinPE Bootable disk to Support Dell Hardware (NIC, Mass Storage Injection) - OS and Applications - Dell Community TechCenter article as well. Give your attention to the “Winpe” section at the top. This outlines a slightly different technique using imagex.exe.

Of course, this assumes your system has all the bits needed. While I have all my previous custom WinPE files/folder structure handy I ran into a problem.

For some reason, even though my latest custom boot disk was a WinPE build, somehow my work system was still loaded with the Vista (WinPE 2.0) WAIK kit. As such I was missing the DISM tool that first made its appearance in the Windows 7 (WinPE 3.0) WAIK. You may want to follow up with the Windows 7 WAIK Supplement for Win 7 SP1 if desired. I didn’t.

So I uninstalled the Vista WAIK, rebooted, and then considered the System requirements for the Win 7 WAIK. I noticed XP wasn’t listed and my work system is still running Windows XP Pro SP3. Would it balk and make me move my building to a Win 7 lab PC? Nope. Installed and worked just fine, thank you very much.

Note: there are a number of ways to build a WinPE boot disk without all the WAIK overhead if you desire. This takes its own amount of work and dancing. I've used the WAIK for so long it is second nature to me, but you may want to consider it if this is new to you.

Now I could have stopped here and followed wmmayms’ guide and after some CLI-fu had it up and running.

But where’s the fun and discovery in that?

Cool Tool MegaFind!

See, in my Google-work I had run across a super-cool -- and new to me -- GUI front-end for manipulating the DISM and injecting drivers into a WIM file.

OMG! Bonus score!

DISM GUI - CodePlex project page developed by mikecel79 (Mike Celone). Mike's Blog

DISM GUI is a graphical interface for the DISM command line utility written in .NET. DISM GUI allows you to mount and dismount WIMs, and manage drivers, features and packages.

I didn’t find any documentation on using the tool; however, if you are even reading this post or know what the DISM.exe file is/does, then you already pretty much know what you need to know.

Here’s a brief walkthrough just in case.

Download the file linked above at CodePlex

Extract the ZIP file contents. You will get a single file called “DISM GUI.exe”

Move/Copy it into the location where your appropriate DISM.EXE file is. On my Windows 7 x64 system it is showing in four locations:

  • C:\Program Files\Windows AIK\Tools\Servicing\Dism.exe
  • C:\Program Files\Windows AIK\Tools\x86\Servicing\Dism.exe
  • C:\Program Files\Windows AIK\Tools\amd64\Servicing\Dism.exe
  • C:\Program Files\Windows AIK\Tools\ia64\Servicing\Dism.exe

Since my WinPE 3.0 building is to support x32 systems, I picked the x86\Servicing location.

I already extracted all my special driver packages which had been downloaded. In my C:\winpe_x86 building folder, I created a folder called “Drivers-To-Inject” and dumped the unpacked folders/contents into it.

Launch “DISM GUI.exe” from the shortcut you made. I ran mine as Administrator, though that may not be necessary depending on your system particulars.

On the first tab, “Mount Control” select your WIM location to mount. In my case I just have a single index build, so I left the index location alone.

Next select the Mount Location where the WIM will be “unpacked” to temporarily.

Finally click the “Mount WIM” button to get started.


You should see some output of the commands in the bottom pane. Hopefully it was successful. Depending on how large your wim file is, it may take a while. Be patient.

Next, let’s add our drivers.

Select the “Driver Management” tab.

Click the “Choose Driver Folder” button and browse to the location you put your drivers in. In my case I created a folder called “Drivers-To-Inject” and then there is a sub-folder for the Adaptec drivers, a sub-folder for the Dell WinPE 3.0 drivers, and a third sub-folder for the Dell AppAssure driver collection.

Since I had the “Recurse” check-box selected, it will add ALL the drivers it finds under the main folder. Doing it this way saves a lot of time if you have a lot of separate driver packs to add.

Once you have everything…just click the “Add Drivers” button to inject them into your mounted WIM.


Again, that process may take a while to complete depending on the number of drivers you are adding. Be patient and once done you should see the output in the window pane below. Your results may vary based on the drivers you install.


Once all is done, you need to dismount and commit the changes you made to your WIM file.

Go back to the first tab “Display WIM Info” and punch the “Dismount WIM” button. You will then be presented with an additional dialog window confirming you want to commit (save) the changes made to your WIM. Select “YES”


It will take a while again, but once done, your WIM should now be packed with all the additional drivers injected into it to work as needed when you boot your mastered WinPE disk/USB.
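The same mount / add drivers / dismount-and-commit cycle that the DISM GUI walkthrough above drives with buttons, done with Dism.exe directly from PowerShell. This is an added example, not code from the original post or from the DISM GUI project. The Dism.exe location and the Drivers-To-Inject folder come from the post; the boot.wim path and the mount directory are assumptions for a copype-style build folder. It counts the .inf files first so you can sanity-check the `/Get-Drivers` listing against them, and on any failure it dismounts with `/Discard` so a half-serviced WIM is never committed.

```powershell
# Added example (not from the original post): the DISM command-line equivalent of the
# DISM GUI walkthrough, mounting the WinPE WIM, injecting every driver found under a
# folder tree, listing what went in, then committing. Paths are assumptions matching
# the post's layout; adjust for your own build folder.
param(
    [string]$Dism     = 'C:\Program Files\Windows AIK\Tools\x86\Servicing\Dism.exe',
    [string]$Wim      = 'C:\temp\winpe_x86\ISO\sources\boot.wim',   # assumed WIM location
    [string]$MountDir = 'C:\temp\winpe_x86\mount',                  # assumed scratch mount dir
    [string]$Drivers  = 'C:\winpe_x86\Drivers-To-Inject',
    [int]$Index = 1
)
$ErrorActionPreference = 'Stop'

# Runs Dism.exe and stops on a non-zero exit code so a failed step is never skipped.
function Invoke-Dism {
    param([string[]]$Arguments)
    Write-Host ">> dism $($Arguments -join ' ')"
    & $Dism @Arguments
    if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }
}

# DISM insists on an existing, empty mount directory.
if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
if ((Get-ChildItem $MountDir | Measure-Object).Count -ne 0) { throw "$MountDir is not empty" }

# Count the .inf files up front so the Get-Drivers listing can be sanity-checked.
$infCount = (Get-ChildItem $Drivers -Recurse -Filter *.inf | Measure-Object).Count
"Found $infCount .inf files under $Drivers"

Invoke-Dism @('/Mount-Wim', "/WimFile:$Wim", "/Index:$Index", "/MountDir:$MountDir")
try {
    # /Recurse walks sub-folders, like the GUI's Recurse check-box. Unsigned drivers
    # need /ForceUnsigned as well; leave it off unless you know the pack requires it.
    Invoke-Dism @("/Image:$MountDir", '/Add-Driver', "/Driver:$Drivers", '/Recurse')
    # Verify: third-party drivers show up as oemN.inf entries in the image's driver store.
    Invoke-Dism @("/Image:$MountDir", '/Get-Drivers')
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
}
catch {
    Write-Warning "Injection failed ($_); discarding changes so the WIM stays intact"
    & $Dism /Unmount-Wim "/MountDir:$MountDir" /Discard
    throw
}
```

Run it from an elevated prompt on the build box (the WAIK’s own “Windows PE Tools Command Prompt” works too). The `/Get-Drivers` step is the part the GUI output pane gives you; keeping it in the script means the driver list is in your transcript, not just on screen.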

The DISM GUI tool makes this entire process a breeze.

Other similar tools I’ve mentioned here at GSD during my previous WinPE building posts worth reminding you about are:

  • GImageX - AutoItScript. This is a great GUI tool that makes working with the WAIK’s Imagex.exe file tool so much simpler.
  • Je Jin's DISM Tool - Another (not so intuitive but pretty powerful) GUI front end for DISM.exe.
  • GUI Dism ELDI v3.0.2 - Early Java version by ELDI developer. His main website is down (or very slow loading). However his latest version appears to be hosted at this MediaFire link and contains several packages that I understand now support the WinPE 4.0 (Win8) WAIK PE’s. Unlike the v3 build that is based on Java, this newer one uses .NET. I’ve not played with them. See this GDism ELDI v6.2 forum post for the access bits you need for the MediaFire downloads as well as running discussion on the tool.

Additional notes,

It also supports adding in additional “packages”. See this TechNet page for more on those; Add a Package to a Windows PE Image.

It can also install additional “features” packages as well such as the WinPE-WMI Feature pack, language packs, and the WinPE-Scripting Feature pack. My needs are pretty simple so I skip these. The tabs and controls are very intuitive so if you know you want them, you should be able to figure out how to use this tool to get them in with no issues.

Almost Done!

Now in my case, I already had a lot of bells and whistles added into my previously built WinPE 3.0 building structure.

Besides all the custom apps I had previously included, I also dropped the following apps/folders into my c:\Temp\winpe_x86\ISO folder location so they would be included and accessible off the WinPE CD specific to my needs for this project. Remember the whole point is to use a GUI-sector editor to check the drive sectors out for confirmation of wiping efficacy.

  • HxD - Freeware Hex Editor and Disk Editor - mh-nexus
  • wxHexEditor - a Free Hex Editor / Disk Editor for Huge Files or Devices. This is the Windows binary previously discovered in the last post.
  • Forensic Acquisition Utilities - George M. Garner Jr.’s awesome command-line collection. Selected as it has a Windows “dd” equivalent just in case, as well as the “Volume_Dump.exe” tool to provide volume and drive information.
  • dcfldd - another Windows binary written by Nicholas Harbour which has some “dd” command ability… and then some.
  • TestDisk - CGSecurity. This was added because TestDisk will discover and report all drives and drive path formats it finds. Helpful for quickly confirming your drives are visible and attached, and what size they are. Something FAU’s “Volume_Dump.exe” also does handily.
  • DHE Drive Info - Dipl.-Phys. Dirk Hauschild. This is a super nice tool for getting all kinds of drive info from a system. It does require the MSVBVM60.DLL file to run, so if you add this app to your WinPE disk, be sure to find and copy “MSVBVM60.DLL” from your system along with it to run properly.
  • Drive Manager - A freeware disk-info tool from Alex Nolan.
  • DiskSmartView - NirSoft. Also provides disk info, I was using it to confirm sector information.
  • HDD Wipe Tool - HDDGuru. Just in case…

Feel free to add additional ones depending on your needs. If you aren’t getting too crazy and are just using the base WinPE image WIM file, you should be aware you only boot to a simple Command Prompt window interface. If CLI navigation isn’t your thing, you may want to also add a simple windows file explorer like Explorer++ or My Commander to the root of your disk (copy the binary into the ISO folder). Then when you get to the WinPE command window, just type D:\EXPLORER++.EXE (or whatever the application name is) and get navigating in a handy GUI to browse to your tools.

Depending on the issues seen (for example the drive was not zeroed out as believed) I could then use the WinPE embedded command DISKPART> clean all to zero out the drive again, or the FAU’s “dd” or DCFLDD to zero it out as well. The options are many.

Note: if you are using a WinPE CD format, then you may need to confirm they will work off a CD OK. If they need to read/write, you will have to do some other things, like dropping them into your “mounted” WIM before dismounting/committing it so they will be on the X: “RAM Drive” and can operate properly. Some may also require some additional dll dependencies that you will need to find/copy over from your system for them to run properly as well.

Wrapping it all up...

The last thing we need to do is “master” the WinPE package into an ISO file.

Go to the Start menu and under All Programs find the Microsoft Windows AIK folder and launch Windows PE Tools Command Prompt, or open a command prompt and type

cd c:\program files\Windows AIK\Tools\PETools

Then, type (note your correct paths and change accordingly, mine for this particular project are listed below).

oscdimg -n -bc:\winpe_x86\etfsboot.com c:\temp\winpe_x86\ISO c:\temp\winpe_x86\winpe_x86_Injected.iso

(all one line)

In my case, a WinPE 3.0 bootable ISO file named “winpe_x86_Injected.iso” was created inside the c:\temp\winpe_x86 folder.

With the ISO image file created, you can now burn the image file to CD.

I personally stick with the CD sized builds as almost every system we touch (old and new) comes with a CD-ROM drive. This is particularly true with these servers. If you try to burn a DVD sized ISO with the normal instructions above it will error out.  You must use the undocumented "-m" argument in your string to force it to build the ISO over the normal CD-sized ISO size.  Use the -m switch to override the creation of ISO images larger than 700 MB.

oscdimg -n -h -m -bc:\winpe_x86\etfsboot.com c:\temp\winpe_x86\ISO c:\temp\winpe_x86\winpe_x86_Injected.iso

Deploy! Boot! Verify!

Once the work was done, I used the disk to boot one of the now DBAN DoD 3-pass short wiped/zero’ed Dell servers.

The server booted, the WinPE boot disk was accepted and booted the system.

The driver/hardware discovery process completed and WinPE was up and running.

I launched TestDisk to quickly see if both drives were visible:

  • Disk /dev/sda
  • Disk /dev/sdb

…were both reporting. I noted the location naming path and the sizes.

I then launched HxD, my favorite GUI-sector editor. I mounted /dev/sda and quickly scrolled through the display to confirm all zeros were showing and no non-00 data was present. Good.

I then launched wxHexEditor and repeated the process for both disks. Great.

Zeros across all sectors as far as the eye could see.

At this stage I was pretty sure DBAN had done the job.
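Scrolling a hex editor across a drive confirms the sectors you happened to look at; a script can confirm all of them and tell you the first offset that is not zero. This is an added example, not part of the original post or any of the tools it lists: a PowerShell script that opens the physical disk read-only, reads it in sector-aligned chunks up to the size WMI reports, and scans each chunk in a small compiled helper (a byte-by-byte loop in PowerShell itself would take many hours on a 64 GB drive). It assumes an elevated session, or a WinPE build that includes the PowerShell package, and that the disk index is the one LIST DISK or TestDisk showed you; the helper class and parameter names are this script’s own.

```powershell
# Added example (not from the original post): read a physical disk sector by sector
# and confirm every byte is 0x00, reporting the first non-zero offset instead of
# eyeballing it in a hex editor. Assumes it runs elevated (or inside WinPE with the
# PowerShell package) and that the disk index is the one LIST DISK reported.
# The size comes from WMI's geometry-based figure, which may round down slightly.
param([Parameter(Mandatory = $true)][int]$DiskIndex, [int]$ChunkMB = 4)
$ErrorActionPreference = 'Stop'

# A tiny C# helper: scanning bytes in a PowerShell loop is far too slow for a whole
# drive, so the inner loop lives in compiled code. Returns -1 if the range is all zero.
Add-Type -TypeDefinition @'
public static class ZeroScan {
    public static int FirstNonZero(byte[] buf, int count) {
        for (int i = 0; i < count; i++) if (buf[i] != 0) return i;
        return -1;
    }
}
'@

$disk = Get-WmiObject Win32_DiskDrive | Where-Object { $_.Index -eq $DiskIndex }
if (-not $disk) { throw "No physical disk with index $DiskIndex" }
$total = [int64]$disk.Size
"Scanning disk {0} ({1}), {2:N0} bytes" -f $DiskIndex, $disk.Model, $total

# Read-only, shared access, straight from the raw device.
$stream = New-Object IO.FileStream("\\.\PhysicalDrive$DiskIndex",
    [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
$buf = New-Object byte[] ($ChunkMB * 1MB)   # a multiple of the 512-byte sector size
$offset = [int64]0
$firstBad = [int64]-1
try {
    while ($offset -lt $total) {
        # Never ask for more than remains; raw-device reads past the end fail outright.
        $want = [int][Math]::Min([int64]$buf.Length, $total - $offset)
        $n = $stream.Read($buf, 0, $want)
        if ($n -le 0) { break }                     # device reported end of media
        $i = [ZeroScan]::FirstNonZero($buf, $n)
        if ($i -ge 0) { $firstBad = $offset + $i; break }
        $offset += $n
    }
}
finally { $stream.Close() }

if ($firstBad -ge 0) {
    "FAIL: first non-zero byte at offset {0:N0} (sector {1:N0})" -f $firstBad, [int64][Math]::Floor($firstBad / 512)
} else {
    "PASS: {0:N0} bytes verified all zero" -f $offset
}
```

The FAIL line gives you the sector to jump to in HxD or wxHexEditor, which is exactly the case where a visual spot-check is most likely to miss a stray block; a drive that passes here has had every byte WMI knows about read back as zero, which is the sector-based verification the whole exercise was after.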


Not my actual custom WinPE disk, but a serviceable basic WinPE 3.0 facsimile for illustrative purposes running in a VirtualBox session. Hopefully you get the idea.

Shut down the WinPE session, eject the disk, confirm one more time the physical drives found inside the server chassis matched the number confirmed wiped as above.

Repeat for the next server…

The newly updated WinPE 3.0 (now SCSI controller supported) disk had saved the day again.

Mischief managed.

--Claus V.


Bonus Linkage: Additional Valca custom WinPE building blog-post links to check out in case you are just joining the Grand Stream Dreams blog fan club. All organized in one place for quick research and reference.

WinPE 2.0, 3.0 (Win 7), and 4.0 (Win 8) super freaky/tweaky custom building posts

These posts move on beyond CD/DVD media WinPE formats to bootable WinPE USB platforms. These are much faster loading and can make use of “portable” application access from your WinPE OS much more simple.  I also show how to multi-boot a WinPE device on USB and CD/DVD media.

WinPE 2.0 (Vista WAIK based) building posts

For dead-simple custom WinPE 2.0 / 3.0 building projects, check out WinBuilder package tools over at their Projects - reboot.pro pages.

Note WinPE 1.0 (XP WAIK based) is very outdated. I cut my WinPE teeth using old BartPE building tool to make custom WinPE boot CD’s. It worked great and was very slick but Microsoft’s WinPE 1.0 license restrictions were very tight. It has been mentioned glowingly in the way-past here at GSD but, seriously, it’s time to move on…

--CV

Saturday, August 25, 2012

Power Pile of Links

CC attribution: "Chain links" by HowardLake on flickr.

Got to go into the office tomorrow for one of those rare (for me) weekend special project rotations.

So I’m afraid I have just a bit less time than usual to spend on the blogging front.

Today’s offering is a large mix that covers LiveCD’s, some WinPE stuff, virtualization, new utility “how to” videos, third-party plugin updates, browser bits, networking, admin tips, password hint leakage, forsec, and a bit of graphical goodies.

ForSec LiveCD’s 

PALADIN 3.0.1 Forensic Software - Paladin just released version 3.0 of their LiveCD. You must have set up a free user account first and log in to access the PALADIN Download page. Changes in 3.0 & 3.0.1 are:

Version 3.0 New Features -

-- PALADIN Toolbox has been ported to Ubuntu 12.04

-- Network Share Icon has been added to the desktop to access network volumes that have been added via the MOUNT Tab

-- Boot support for current Intel Macs (including the newer MacBook Airs)

Release Notes

3.0.1 - Fixed issue where Unallocated Image function was producing 0 byte files.

Road to DEFT 7.2 and more DEFT Linux - Computer Forensics live cd - Deft 7.2 is scheduled for release in September 2012 and will mark a milestone of sorts. It will be the last x32-bit system release. Starting with 8.0 builds, they are going for x64 system support builds only. Shouldn’t be a deal-breaker, just keep a 7.x version handy as well.

DEFT 7 Cyber Forensic Tool Overview (by Casey Mullis) - LoveMyTool blog. Since we were speaking of DEFT, Casey Mullis gives a nice walkabout of DEFT 7 with nice screenshots if you are interested.

ESSPEE - Penetration Testing & Forensics - SourceForge.net - Updated to “R1 x86”. This is a new distro to me and is based on BackTrack 5 for pentest/for/sec work. Uses the “Unity” desktop interface.

Back|Track 5 R3 - new release. More details BackTrack 5 R3 Released!, BackTrack 5 R3! — PenTestIT, and from this H Security: News and Features post, BackTrack 5 R3 adds tools for Arduino and Teensy attacks. Choose your path carefully! Available in both KDE or Gnome flavors, with x32 or x64 platforms. In case you can’t decide, you may want to first look at this general KDE and Gnome Comparison post by ubuntucat.

WinPE Stuff

The few of you who regularly read this humble blog may have seen some recent activity in the comments sidebar. Turns out we had a recent celebrity visitor “Steve” from RMPrepUSB who posts a crazy number of posts and tips on WinPE and USB booting in general.

Steve left a tip regarding use of the imagex.exe argument “/norpfix” switch when capturing images…specifically as it applies to junctions when the image is applied to a differently-named volume.

What is /norpfix switch, and what does it do? - Blogs from Zhou, Minxiao
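As an added example (not code from the original post, RMPrepUSB, or Microsoft), here is the check I would run after applying an image to a volume whose drive letter differs from the one it was captured under. ImageX’s /norpfix switch disables its reparse-point fix-up, so junction targets are stored exactly as they were found; whichever way the image was captured, the question that matters afterwards is whether any junction on the applied volume still names the old drive letter. Drive letters, the WIM path, and the image name below are placeholders, and the script assumes imagex.exe and fsutil.exe are on the path of an elevated PowerShell session.

```powershell
# Added example (not from the original post): capture with /norpfix, apply to a
# differently lettered volume, then list junctions that still point at the source letter.
# $SourceDrive, $TargetDrive, $Wim and the image name are placeholders.

$SourceDrive = 'D:'                     # volume being captured, as lettered in WinPE
$TargetDrive = 'E:'                     # volume the image is applied to
$Wim         = 'F:\images\capture.wim'  # placeholder path for the WIM file

# /norpfix disables ImageX's reparse-point fix-up; /verify checks the data written.
& imagex.exe /capture "$SourceDrive\" $Wim "Captured volume" /norpfix /verify
& imagex.exe /apply $Wim 1 "$TargetDrive\"

function Get-StaleJunctions([string]$Root, [string]$OldLetter) {
    # Walk the applied volume, keep only reparse points (junctions, symlinks),
    # and ask fsutil for the stored target of each one.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            $info = & fsutil reparsepoint query $_.FullName 2>$null
            $sub  = ($info | Where-Object { $_ -match 'Substitute Name' }) -replace '^\s*Substitute Name:\s*', ''
            # A target that still names the source letter will break once the
            # applied volume boots (or mounts) under its new letter.
            if ($sub -match [regex]::Escape($OldLetter)) {
                New-Object PSObject -Property @{ Junction = $_.FullName; Target = $sub }
            }
        }
}

Get-StaleJunctions -Root "$TargetDrive\" -OldLetter $SourceDrive | Format-Table -AutoSize
```

An empty table means every reparse point on the applied volume resolves somewhere other than the old letter; any rows listed are the junctions to repair (or the reason to recapture without /norpfix) before the volume is put into service.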

In case you are interested, RMPrepUSB is a super cool tool to format and create bootable USB media. Lots of bells and whistles here and extreme tippage and tutorials for you WinPE fans.

If I’m not careful I can lose hours at a time going through Steve’s extensive tutorials. Here are just a few you might find interesting:

Windows 8 and WinFE - Windows Forensic Environment blog. Brett Shavers tips us to a cmd script from Troy Larson (The WinFE dude) that allows creation of a WinFE build from Windows 8 RTM. New to WinFE building? Well then, see also:

How to sync time in Windows PE - WindowsNetworking.com

VirtualBox and VMware Player updates

Pretty good synchronization getting these updates out guys!

First up, VirtualBox 4.1.20 is out.

Next, VMwarePlayer is rolled up to v5.0 with some significant changes.

For VirtualBox, be sure you download and upgrade your Oracle VM VirtualBox Extension Pack at the same time. Likewise VMware users should also be sure to install the latest VMware Tools in your VMware hosted virtualized client OS for peak performance.

Defrag Tools Video

Defrag Tools - Microsoft Channel 9 - neat source for fresh reviews of MS tools and techniques now has two more quality videos up.

Update those Browser Plugins!

I’m thinking I’ve put in close to three hours this past week updating our home systems as well as Dad’s system to ensure they have the latest Flash/Java/etc. updates.

Adobe closes numerous critical holes in Reader and Acrobat - Update - The H Security: News and Features

There are lots of places and ways to download and get the updates; inside app updaters, direct from the software builder’s site, or from third-party locations like filehippo or majorgeeks.

I generally tend to just rock over to filehippo and pull them down. I suppose there is a risk they could have been corrupted or “seeded” with unwanted bits, but so far I’ve not had any problems and their Plugins Downloads page makes nice “one-stop” shopping.

At work it is hard keeping up with what “build” version we need to upgrade these to as for Flash there are both 11.3.x and 11.4.x versions which may cause problems for certain in-house software applications if compatibility is not verified first. However, most home-users should probably be on the 11.4.x run right now.

Likewise there are both Java 1.6.x builds and 1.7.x build branches. Again, most home-users should probably be on the 1.7.x builds.

Regardless, once you are done with your patching, hop your Windows IE, Mozilla Firefox, and Google Chrome browser(s) over to Qualys BrowserCheck and run a quick free check to make sure they are sufficiently patched.

Additional Browser Notes

In my recent post Greased Monkey Business I celebrated the joy of finally finding a custom Grease Monkey script I could use that would justify adding it to my Firefox browser; Removing UTM data from URLs automatically for cleaner bookmarks. It has been a lifesaver to my blogging work.

So this past week I gave a second banana to the Monkey; Scrub Google Redirect Links for Greasemonkey from “ping”.

Check out this MakeUseOf post that goes into the details: How To Copy Crap-Free URLs From Google’s Search Results

Comodo IceDragon 14.0 released -- get it NOW! - BetaNews notice of the Comodo tweaked Firefox 14 browser release. (actually it is version 14.0.3). Direct download is available from this Comodo forums link: Comodo IceDragon ver. 14.0.3 is now available for download!!

BrowsingHistoryView - Nirsoft - Version 1.0 new utility release to view browsing history of all your web browsers. Nir Sofer has been offering browser-specific utilities to view browsing history, but this gem covers the four major ones at once; Internet Explorer, Mozilla Firefox, Google Chrome, and Safari. New Web browser history viewer - NirBlog

Network Fun

NetworkMiner 1.4 Released - NETRESEC Blog - New release improves handling of fragmented IPv4 packets. Hurray! Also no longer checks for pcap extension; works as long as it is a valid libpcap file, DHCP options are extracted, new parser for a particular protocol. There are also some nice GUI improvements.

Trace File Case Files - Sharkfest 2012 (by Jasper Bongertz) - video presentation of using Wireshark to trace out real-world problems and solve them.

Wireshark Security Update - ISC Diary. Wireshark builds got updated to squash bugs and patch vulnerabilities. Go get busy…Wireshark · Download

Notes for the Sysadmins

Simple but Extremely Useful Windows Tricks - Open Security Research - Nice list of handy Windows tips.

Why The Size of My Partition is Maxed Out at 2 Terabyte and How to Get Over it - Windows7hacker. Just guided Dad through adding a second internal HDD to his Vista system. He’s getting into digital photography and while he has lots of room left on his OEM primary HDD, adding a 2nd drive gives him an exclusive place to drop the files. I guess we could have gone with an external USB drive, but the internal was faster in the long run for large file transfers. Talked him into a 7200 RPM 1TB SATA drive. With some guidance got him to get it successfully installed. Then via a quick remote-control session, got it formatted, labeled, and added to the OS fine. Considered going for a 2+TB drive for a few more bucks, but this was easy enough. Next time I will have to follow the link tippage and set up a GPT disk if the conditions warrant.

Microsoft updated SkyDrive.com - Borns IT & Windows Blog (Google Translated) - Nice review of the new SkyDrive updates.

RegKeyFixer - reboot.pro - sweet little tool by Joakim similar to Sysinternal’s RegDelNull. Related: Reghide

ForSec Links

Password hints easily extracted from Windows 7, 8 - Ars Technica

All Your Password Hints Are Belong to Us - SpiderLabs Anterior

A Fistful of Dongles: AFoD Interview with Eric Zimmerman - A Fistful of Dongles - Eric Huber interviews F.B.I. Special Agent Eric Zimmerman. Great article (and Eric wears a mean flat-top to boot!). Many years ago I had applied to the F.B.I. hoping for a career there following in the steps of my grandfather who was a former Special Agent under Hoover. Alas…it was a path not to be.

ShellBag Analysis - Windows Incident Response Blog

SetRegTime - Windows Incident Response Blog

Linkz for Tools - Journey Into Incident Response Blog - Corey Harrell has some info on this post, particularly those tipping us time-challenged guys to the Time Zone Converter – Time Difference Calculator and Time Zone Map. Also valuable is the final section “Process, Process, Process” which strikes home the critical value of knowing in advance HOW you are going to do exactly WHAT it is you want to accomplish; supporting examples include links to the Forensic Process Lifecycle (PDF) from Lance Mueller at ForensicKB, the previously GSD blogged SANS DFIR Poster 2012 (PDF) download, and Corey’s own Journey into IR Methodology scratchpad.

Man versus AntiVirus Scanner - Journey Into Incident Response Blog - Corey shows off the value of having skillz and technique and a rock-solid process in a John Henry-esque dance against an anti-malware scanner. Really a great tutorial and exercise.

Registry Decoder 1.4 Released and Updated Registry Decoder Live - New versions are available. I noticed that in the past separate downloads were available for x32 and x64 however I don’t see that in this release. I’ve not followed up yet to see if the newer version handles both automatically or not.

Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images - Forensic Focus. ForenicsRichard has also released the Shell (Bash) and C Source code as well.

Finding Smoking Gun and going beyond that – Helpful Forensic Artifacts - Hexacorn blog - another strong article supporting previously mentioned themes of having a process to use in looking for clues, which here are referred to as HFA’s (Helpful Forensic Artifacts), to guide the overall investigative and analysis journey and discovery.

HexDive 0.4 - New update at Hexacorn to a tool which extracts strings from a file/sample for additional review. Corey recommends using BinText or Strings to further review the output.

The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1) - Mandiant M-unition blog

The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2) - Mandiant M-unition blog

Grab Bag

Change the Windows Logon Screen Background - CybernetNews tips us to Luke Payne Software » Logon Screen Rotator. While I do rotate my Win 7 desktop login picture periodically, (right now it is Tardis based), generally I keep it stable. This is a cool tool however for those who like a bit more variety.

Organize & Manage Huge Photo & Video Databases Using Snaps - AddictiveTips reviews the Snaps - Photo management application.

Microsoft Reimagines Paint - Next at Microsoft - New “version” of the perennial “Paint” app. (Win 8 only).

Tip o' the Week #133 - The Art of Cut n' Paste - The Electric Wand

Cheers!

--Claus V.

Sunday, April 15, 2012

Bits and Pieces: Mini Link Rundown

I probably should be pleased to have crammed in three posts this weekend.

Alas I am not. I’d intended to get one more “biggie” out the door this weekend…aimed for all you sysadmins. I have in mind a “Case of the Unexplained…” type theme on running down some crazy Windows 7 system behavior on a system at the church-house, multi-GB trace file captures, and sundry stuff like chasing a white rabbit down CPU process utilization percentages and disk utilization by process IO type.

I’m back from that chase with lots of notes, but to do it justice, I’ve got to wait till next week.

So let’s just enjoy our company at final call over these late-breaking weekend links. Hopefully they will carry us into the week with some inspiration and a few shiny new utility toys to play with at our desks.

Adobe April 2012 Black Tuesday Update - ISC Diary - In case you missed it, there were a number of critical Adobe patch updates this week

APSB12-08 - Security updates available for Adobe Reader and Acrobat - Adobe Security Bulletin - Updates now to 9.5.1 and 10.1.3. This goes for both the PDF “reader” versions as well as the “full” Acrobat PDF generating software application. Patch!

At the end of last month some Adobe Flash Player updates came out, one feature of which is to now include an “auto-updater” feature for Flash Player (if so selected in the options). That release back on March 29th was 11.2.202.228.

Guess what snuck out of Adobe Friday (the 13th?). Version 11.2.202.233 of Flash Player.

  • 4/13/2012 - Flash Player Update - Adobe Forums
  • Flash Player 11.2, AIR 3.2 - Adobe Release Notes
  • Adobe - Flash Player - Lists your installed version (check page with each browser you use) and a table of the current version for all platforms.
  • Installation problems | Flash Player | Windows - Adobe. I dropped over to this page, then scrolled just a bit lower to the “Install in a firewall proxy server environment” section to grab all of the direct download installer links there.  It’s a one-stop shopping session!  Then I spent some time manually updating my portable browser plugins to all the newest versions. Sheesh. Sadly I’m getting very good at it and have now even crafted a custom batch-file to auto-copy/overwrite the new Flash/Reader version DLL’s to the plugin directories in my browsers to save me time.

If in doubt, try running Qualys BrowserCheck page in each of your web-browsers to check your patch-level or use the Secunia Online Software Inspector (OSI). Either of these tools will help tell you if your browsers are securely patched.

Download just imagex.exe (568k) - TinyApps blog. I LOVE Microsoft’s ImageX.exe imaging tool. It has become second-nature for me to use. If you do a lot of WinPE building and use you probably have already extracted it and keep it handy.  However, if not, TinyApps blog shares a quick tip on getting your hands on it from the WAIK without all the drama of installing the WAIK on your system.

Increase hard disk size in VirtualBox 4.x - TinyApps blog. I know no-one actually creates a virtual hard-drive without first considering (and allocating) all the size they will ever need (and then some) before they first get started. Right? TinyApps bloggist has a great walk-through on how to enlarge your drive size without having to mail off for sketchy blue pills. Lots of supporting linkage at the end as well.

Value of Targeted Timeline Analysis in Research - Windows Incident Response blog - Keydet89 provides a great post on the work that goes in towards gaining a better understanding of event timelines and Windows behavior. It’s through detailed work like this that our knowledge gets sharper.

Challenge: What can you do with funky directory names? - ISC Diary post - Mark Baggett warns us to beware those funky file/directory names in Windows! Check out the comments carefully for more feedback. On a related note, the Hexacorn Blog Forensic Riddles posts contain a whole lot more of file-name and directory name tricky shenanigans to be aware of!

NetworkMiner 1.3 Released - NETRESEC has released v1.3 of the amazing (and still free) NetworkMiner NFAT. This release contains a number of new parsing and extraction features. Go get it now! Of course, if you are lucky enough to be able to purchase a copy of the NetworkMiner Professional version -- sadly I’m not ;-( -- that too has been updated and you can get your upgraded version for free from their customer portal with login. Happy upgrading free and pro’s alike!

eXtra Buttons: utility buttons in the title of the window - freeware - clever little utility that adds a few extra option buttons to your Windows windows. The default windows options in the top-right corner are minimize, maximize, and close. This app gives you up to thirteen options for managing your window, including roll-up/unroll the window at the caption bar, minimize to System Tray, transparency effects, and minimize to a predefined box area on your desktop. I don’t usually use windows tweaking utilities, but this one could be very useful for you multi-window-multi-taskers.

Synkron - freeware - Folder synchronization application. Yeah, I hear you. Claus, really? After that super-long roundup of sync/backup apps you recently posted? Just had to add another one? Yep. This one has a pretty intuitive interface and also comes in a Synkron Portable | PortableApps version as well. More details in this older AddictiveTips blog post.

Colasoft Ping Tool - freeware - Colasoft has a great and super-handy ping tool that supports pinging multiple IP addresses as well as useful charting tools for monitoring and analysis.

Anti-virus scanning exclusions - ISC Diary post - Daniel Wesemann kickstarts a discussion on setting exclusions in your AV scanning policies. Some vendors have recommendations on file/folder exclusions to improve system performance. On the other hand, the thought of creating “safe-zones” that could be exploited by malware for APT landing could outweigh the benefits of following the recommendations. Check out the post and the lively comments that follow. Do you even know if/what your own (or your customers’) policies are regarding AV exclusion settings? Worth looking into.

Malware blocks booting - The H Security. News post about a pretty new ransomware attack that hits the MBR discovered by TrendLabs. While the vector itself isn’t necessarily anything new (messing around with the MBR) apparently the combination of using it in a ransomware attack is. Trend Micro also has instructions for removing the infection if you encounter this bad-boy.

And then there was this “bad news getting worse” over the weekend:

Medicaid hack update: 500,000 records and 280,000 SSNs stolen - ZDNet Zero Day blog.  Original post here: Medicaid hacked: over 181,000 records and 25,000 SSNs stolen.

Expect the fallout from this one to be pretty massive. Quoting from Emil Protalinski’s article linked above:

DTS had recently moved the claims records to a new server, which had a configuration error at the password authentication level, allowing hackers to circumvent the security system. DTS says it shut down the affected server, implemented new security measures, is reviewing every server in the state to ensure proper security measures are in place, identified where the breakdown occurred, and has implemented new processes to ensure this type of breach will not happen again.

It was just a year ago we were dealing with a similar mess here in Texas. Although in that case, it seemed to be more an issue of inside IT data mismanagement rather than a hacker attack.

Hoping the week ahead gets better even though it hasn’t started yet.

Hang tough and remember “Constant Vigilance!”

--Claus V.

Saturday, June 25, 2011

Skirmish 1: A Rogue Security Software battle

Note: while some may find this a helpful guide, it is not a “cure-all” malware cleaning process. Every infection is somewhat different.  What I hope to offer is a process I have used to successfully clean a specific infection from a home-user’s system. Your mileage may vary.

More than many weeks ago, my video-desk buddy at the church asked me for advice about what virus-cleaning product I recommended.

In my experience that means two things, someone actually has a compromised system and that any singular answer I provide will be inadequate to solve their problem if attempted.  So I probed further so I could provide a better (more detailed) answer.

Turns out the user was reacting to a report that popped up on their computer warning them they had a whole bunch of infected system files and that their PC was going to perform worse unless they purchased the offered program.

He then proceeded to show me a long list of “infected files” all with crazy names and locations.  He had done some Google work on the files listed but hadn’t made any progress.

Well, I agreed he did have a serious issue, but likely those “files” were just a sham and in fact the security warning/program was the problem.

I told him I’d prefer to have him haul his system up to the church early so I could (off the network) hook it up to a spare monitor/keyboard and take a quick-peek.  He readily agreed.

That afternoon we met up and after what seemed like a ten-minute bootup I agreed his system was running super-slow.  This was a Windows XP system and after I launched the task-manager and it eventually appeared, a number of suspicious running processes were visible.  On top of things, the CPU fan was roaring like a jet taking off. Yes…my friend reported…this behavior had been happening recently also.

I was able to identify and disable the main rogue security app “loader” but significant problems remained and I suspected other stuff was lurking unseen at first glance.

Attempts to run any .exe application executable failed.  Attempts to run CMD failed as well.  The Control Panel was MIA. Bad things were afoot.

This quick-peek told me enough to confirm that my friend had indeed been hit by a scareware/rogue-security “product” infection and was in some serious hurt.

He trusted me to bring his system home and throw it on my workbench to attempt a full cleaning.

So was set the stage.

The battle begins

First thing I did was to off-line boot the system.  This was a bit more challenging than one would expect.

Although it was a nice mini-case IBM ThinkCentre unit, alas, it did not appear to support USB flash drive booting.

So I used one of my WinPE ISO files loaded on my iodd device (with the write-block switch thrown) to get the system up and running with me in control.  I then plugged in my 2GB USB stick that I had preloaded with various utilities and malware-busting tools. (note: because I didn’t yet have my Kanguru Flashblu II drive, I used usbdummyprotect to fill the remaining free space on the drive to avoid a potential write-back infection).

I then ran VIPRE Rescue overnight against the system.  When done it had located and isolated the following infections (and associated bits) in multiple locations:

  • Trojan.Boot.Alureon.Gen (v)
  • Trojan-Dropper.Win32.TDSS.cfvs (v)
  • FraudTool.Win32.FakeRean.e (v)

After rebooting I had a lot of work to do.

Next, since the System Properties and Control Panel weren’t working, I discovered that rundll32.exe had been renamed to rundll.exe.  An examination of that file convinced me it was the original file, so I renamed it back and those items worked again.

Since any attempt to launch an application failed, I had to repair that.  This was made pretty easy by using the correct REG file fix found in this Broken EXE Association page.  Fixed.

Because the system was still crawling in terms of performance, I had to start addressing that or else it might take a month to get it running better.

The system was running on 1GB of RAM (2 512MB mismatched speed sticks) with a 40 GB (5400 RPM) HDD at almost 90% filled. Yikes!

The virtual memory settings had a very large custom valued set, so I rolled that back to let the system manage it instead.  I turned off start-menu animations.

Next, I ensured that all the user’s documents and other files were present and the start-menu lists appeared normal and unaffected by this malware version. Only after that had been established and I had collected some web-browsing log files to see if I could learn the infection point, I ran both CCleaner and CleanAfterMe to neaten things up and gain some additional free hard-drive space.

Disk fragmentation was horrible (although my friend appears to have been dutifully defragging his registry based on a desktop program that I found installed).  So I used JkDefrag Portable to clean that up.

Now that things were running (a bit) snappier, I returned to the infection cleaning.

I used the installed (but apparently was overwhelmed) Microsoft Security Essentials tool to re-scan the system.  It didn’t find anything, but now that it was running again, the history showed its battle at the time of the infection to keep the system clean.

  • Exploit: Java/CVE-2010-4452
  • Trojan: DOS/Alureon.A
  • Trojan: Java/Clagent.B

Still not convinced, I next ran Malwarebytes : Malwarebytes Anti-Malware Free which found 15 more bits and pieces.

I then sought-out and installed all the most current Browser Plugin Updates as the installed ones were woefully outdated…hence the vector for the infection in the first place.

Next?  I downloaded and ran Hitman Pro 3 from SurfRight.  It revealed some more stuff remaining that indicated a boot-loader infection. Bad-stuff man.  Hitman Pro did its thing and cleaned up that mess.

I recovered both the admin password and OS key as the user had lost those and documented those for him.

Windows Updates had also been borked.  As this was a Windows XP system, I found that running the following command in a (now working again) CMD window got them flowing again.  More info and methods in this Microsoft KB883821 bulletin.

To register the Wuaueng.dll file, follow these steps:

  1. Click Start, click Run, type regsvr32 Wuaueng.dll, and then click OK.
  2. When you receive the following message, click OK:

    DllRegisterServer in Wuaueng.dll succeeded.

Now that the Windows updates were all on successfully, I upgraded the browser to IE8 from IE6. Also found installed (and so updated) were Safari for Windows and Firefox.

I removed the registry defragger and installed Defraggler to provide this user a more friendly tool.  The outdated version of Adobe Reader got removed and replaced with Adobe Reader X instead. Apple Quicktime was updated.

From here I took the system outside and opened up the case.

Loads of dust-bunnies and the foam-intake filter was completely obstructed with dust buildup.  Much cleaning later, the system now was purring quietly along.  All the dust was restricting the cool-air intake over the CPU heatsink (also caked in dust) causing the CPU to run hotter, causing the fans to go into overdrive causing the system fan-noise to require ear-protection.

I turned off System Restore so it would dump all the restore-points, some of which had copies of the infected files. This also added a bit more free-disk space.

I ran both Process Explorer (making sure no other rogue processes were found) as well as Autoruns for Windows (which I used to disable/remove some non-necessary helper services).

I then searched out and updated all the device drivers from the IBM/Intel sites I could find that applied to this particular system. For this particular IBM system, I located this ThinkVantage System Update utility that was a really big help in the process.

A full scan with MS Security Essentials and MalwareBytes AntiMalware both came back 100% clean.

For extra measure I also ran both Kaspersky’s Anti-rootkit utility TDSSKiller and Norton’s Power Eraser. Both also reported no issues found.

I flushed the DNS cache and cleared the Java cache.  HOSTS file looked normal.

Things were looking up.

I dug around on the spec page for this system and found it could support up to 2 GB of system RAM on the mainboard.  It just so happened that I had a pair of matched 1 GB PC2700 333MHz DDR sticks laying around.  I pulled the original ones and dropped these in.  I think I could hear the system actually taking a deep breath and shudder with relief once again.  Performance was much more nimble now!

Alas, I didn’t have a spare drive, but did pass on a note for my recommendation to upgrade to a larger capacity/faster RPM PATA hard-drive as well.

Done.
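The manual repairs in the write-up above (the renamed rundll32.exe, the broken .exe association, the Windows Update service, the HOSTS file) are exactly the things worth re-checking before handing a cleaned machine back. As an added example that is not part of the original post, this PowerShell script reports on each of those items without changing anything; it assumes an elevated PowerShell 2.0 or later session on the cleaned system, and the expected registry values are the Windows defaults (HKCR\.exe pointing at exefile, whose open command is "%1" %*).

```powershell
# Added example (not from the original post): read-only post-cleanup checks for the
# settings the rogue security software had tampered with. Nothing is modified.

$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Check, [string]$Detail) {
    [void]$findings.Add(("{0}: {1}" -f $Check, $Detail))
}

$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. rundll32.exe must be present; the infection had renamed it to rundll.exe,
#    which is why the Control Panel and System Properties stopped working.
if (-not (Test-Path (Join-Path $sys32 'rundll32.exe'))) {
    Add-Finding 'rundll32' 'System32\rundll32.exe is missing'
}
if (Test-Path (Join-Path $sys32 'rundll.exe')) {
    Add-Finding 'rundll32' 'unexpected System32\rundll.exe present (possibly the renamed original)'
}

# 2. The .exe association must be the Windows default; anything else means every
#    program launch is routed through whatever the malware registered instead.
$assoc = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
if ($assoc -ne 'exefile') {
    Add-Finding 'exe-assoc' "HKCR\.exe default is '$assoc', expected 'exefile'"
}
$openCmd = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($openCmd -ne '"%1" %*') {
    Add-Finding 'exe-assoc' "exefile open command is '$openCmd', expected '""%1"" %*'"
}
# A per-user override in HKCU\Software\Classes takes precedence over HKLM and is a
# common hijack point, so its mere presence is worth a look.
if (Test-Path 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe') {
    Add-Finding 'exe-assoc' 'per-user HKCU\Software\Classes\.exe key exists; review it'
}

# 3. Windows Update service (wuauserv) should exist and be startable.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu) {
    Add-Finding 'windows-update' 'wuauserv service not found'
} elseif ($wu.Status -ne 'Running') {
    Add-Finding 'windows-update' ("wuauserv is {0}" -f $wu.Status)
}

# 4. HOSTS file: list every active line that is not the stock localhost entry.
$hostsPath = Join-Path $sys32 'drivers\etc\hosts'
Get-Content $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    $line = $_.Trim()
    if ($line -and -not $line.StartsWith('#')) {
        if ($line -notmatch '^(127\.0\.0\.1|::1)\s+localhost\b') {
            Add-Finding 'hosts' "non-default entry: $line"
        }
    }
}

if ($findings.Count -eq 0) { 'All checks passed' } else { $findings }
```

Every line it prints is a lead to follow by hand, not a verdict; a non-default HOSTS entry may be something the owner added deliberately, but after a rogue security infection each one deserves a second look.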

Time invested? Approximately 10 hours (not counting unattended overnight scanning) spread over a week.

Return on investment from gratefully shining face of owner? Priceless.

Lessons learned

Reviewing all the logs, it seemed clear that the user had browsed across a maliciously-coded web-page in an unpatched browser running unpatched/outdated browser plug-ins.  I suspect the Java exploit got the ball started and once the actual malware installer app had been dropped/executed on the system, all bets were off despite MSSE’s attempts to protect the system.  For additional information on these things these references might be helpful.

I guess in some ways since the system was in the state it was, the slowness of the performance may have kept things from getting worse or the user being able to continue to work with the infection running in the background. In this case, the scareware/malware only helped cause the system to grind down even slower.

No one single anti-malware app fixed the problem.  Because the malware compromised/changed some key Windows filenames and settings, additional manual remediation work had to be performed.

There are a lot of great cleaning tools out there, the challenge is being familiar with the best of them and knowing which ones are the most effective to apply.

The whole process is quite involved and must be taken through logically, building on each success.

Next post -- same thing but with a twist -- Dad’s PC infection.

I’ll also do a standalone post linkfest listing these and other tools/resources I found helpful or came across in these skirmishes.

Cheers.

--Claus V.

Saturday, January 01, 2011

New Year’s Day - First Post 2011

Same day I came out with my first post after a long drought, I fell upon this article Blogging Seems To Have Peaked, Says Pew Report over at ReadWriteWeb.  According to the study, blogging activity on-line has heavily dropped, while on-line content consumption has continued to grow.  Looking back at my side-bar, I have to confess that my raw content-generation post numbers have declined since my high-water mark in 2007.  However I would like to argue that while volume has decreased, quality has increased slightly.

Of course, the amount of leisure time I have available has also decreased which accounts for much of the decline in GSD posting.  At the same time, I could probably work on being more disciplined with some of my time.  Couple that with our “study” slowly turning into a laundry-room/super-closet of sorts and my blogging desk hidey-hole has disappeared. Yesterday I took down and stored away the Christmas decorations for another year (almost two-weeks early from my usual procrastinations).  This brought on a major re-setting of the living/family room area and I now have a micro-desk area set up there instead.  Maybe that will stimulate the blogging juices as well.

In the meantime, here is a getting-the-new-year started linkfest of new applications and neat utilities to jump-start the effort to push the GSD post-count for 2011 upward again.

FreeCommander XE Beta now public

FreeCommander remains my #1 top go-to dual-pane file manager.  I’ve tried tons of other file-managers and while there are many great options out there now, IMHO, none come close to the features and flexibility of FreeCommander.  It just works with the way I jockey files all day.

The developer, Marek Jasinski, was kind enough to give me private access to the alpha builds of the next generation of FreeCommander and I have been diligently putting them through the paces.

So it was just in the last week or two that he posted the first publicly available release of FreeCommander XE.  While it retains the same form and function of FreeCommander, the style has been seriously updated and the fine-tuning control is greatly enhanced.  You can get both the install version or a “portable” zip file version from that page.  Just be aware that it is still clearly a developmental “preview” release so while most of the features will work as planned, you might be a bit frustrated with what still does not if you are a power FreeCommander user.  I’m still not ready to replace the latest stable version of the “old” FreeCommander with this version just yet.  But it is a nice look at what is to come.

Other related tips that might be of use to you if you are both a FC user and a TeraCopy user.

Run Command Links

When I am setting up special purpose XP systems, sometimes I have to make some tweaks to system settings.  Going the long way through menu systems to get to a particular windows is time consuming, so pulling it up via a run line is a big time-saver.  I’ve memorized many of them, but every now and then I can’t recall and Windows doesn’t make it easy to access the commands if you don’t know what they are to start.

Here are three bookmark-worthy resources for just when you need them most (XP/Win7).

VirtualBox 4.0 Final

Oracle has now released the final public release of VirtualBox now sitting at 4.0 - Downloads - VirtualBox.

You can also get it via their ftp page: Index of /virtualbox/

Brett Shavers of WinFE Blog fame recently reminded me of the MobaLiveCD tool.  While not related to VirtualBox, it does provide a clever and portable QEMU package to run virtual sessions of LiveCDs for down-n-dirty testing.  It worked on my rippin-fast Win7 x64 laptop, but was very, very slow in performance.  So while handy in a portable pinch, it probably isn’t useful for production-level virtualization work.

There is also vbox.me’s Portable-VirtualBox project.  As I understand it currently, while a new release with v4.0.0 support is out, Oracle has required the developer to remove direct inclusions of VirtualBox files from the package, so it is now set up to first download the VBox binaries and then unpack them as part of the portable setup process.  USB support is also still in the works at the moment.  YMMV.  See also How To Make Portable VirtualBox 4.0 For Windows at addictivetips.com

Network Briefs

Always a great source of personal tippage, TinyApps passed on a lead to the Dualcomm Mini USB Powered 5-Port 10/100 Ethernet Switch TAP.  How cool is this at less than $100? They also offer this larger Dualcomm USB Powered Gigabit Ethernet Switch TAP at a $150 price point.  In both cases Port #1 is mirrored to Port #5.  See also this brief post by George Starcher » Review – DualComm – Ethernet Tap.

Speaking of taps, in a former GSD post on the subject I offered these references:

As such here are some related materials on that subject for future reference when needed.

…But first, read and review this brief TaoSecurity post on SPANs versus Taps: TaoSecurity: Expert Commentary on SPAN and RSPAN Weaknesses

It links to two MOST Excellent articles on the issues of using spanned switch ports for collecting your network capture data, both from Tim O’Neill:

OK, now the linkage on SPAN’ing

And my oldies but goodies favorites:

CDP - What Switch Am I Connected To? and Monitoring Traffic with Span Ports – SynJunkie.  Two really great posts out of a series touching on network monitoring and Cisco switch/router configuration techniques.  I’m singling these out in particular as they are of interest for sysadmin troubleshooting on the network as well as for traffic captures.

And recently found this Wireshark Wiki article as well -- CaptureSetup/Ethernet.

Which is neat, as I just ordered up some additional reference material for the new year: Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide by Laura Chappell and Gerald Combs.  I sooo can’t wait for this one to arrive!

Finally, the Microsoft Network Monitor blog has this new post: Filtering On Timestamps which is good information to know if you prefer Network Monitor or NMcap (CLI) for your traffic capture handling.  Don’t miss the tip link to the online Date format converter page to assist in your conversion work.

Utility Roundup

Via the German blogger Caschy (through Google Translate magic), CopyTrans TuneSwift.  There are more than a few ways to move your iTunes stores from one system/location to another…though they all have their own quirks and shortcomings.

Check out either the CopyTrans Suite of tools or the CopyTrans TuneSwift utility on its own, as it may have the full-featured backup/transfer/restore solution you are looking for in iTunes/iPod management and recovery.  Currently CopyTrans is being offered for free, but will switch to a pay version on 03/15/2011.  You will need an unlock code, so either use the one Caschy has provided on his page or the direct one on this CopyTrans page.

Because I can never remember the conversion rates for bps to Bps to Mbps as I deal with various network bandwidth graphs, I’ve settled on Converber Portable over at PortableApps.com, which has proven to be a super-handy tool for all my IT figure conversion needs.  Tip: While it can do so much more, just set the “Category” field to “Computer” to filter the list of over 1324 units of measure in 38 categories down to just those used in the IT field.  It’s much less overwhelming that way!

GImageX (ImageX GUI) still remains my favorite GUI front-end to the ImageX CLI for super-fast WIM management.  However, 4SYSOPS recently posted about an alternative ImageX GUI manager, GDism ELDI v3.0.2.  As Michael Pietroforte points out, its strongest feature and its biggest drawback might be one and the same: it is a Java application, so depending on your viewpoint on Java, that may or may not be a good thing.  That said, it is a nice alternative.  (Note: the CGI ‘avatar’ figure displayed on the ELDI page might be a bit racy for some, so depending on policy standards you may want to check the page out at home first before hitting it from work…just to be safe.)

First there was Orca for picking apart and manipulating MSI packages.  Then came InstEd It!, which seriously seemed to expand the options available.  Then I really fell in love with the light but perfectly handy (for me) lessmsi tool (still alive and cool).  Now comes word from Kurt Shintaku via his blog post RELEASE: MSI Explorer – Inspection Tool for .MSI installation packages of yet another MSI package inspection/change tool: MSI Explorer, coded by Sateesh Arveti.
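All of those tools sit on top of the same thing: an MSI is a relational database you can query with the Windows Installer COM API.  If you just want to peek inside a package without installing anything (say, to see what a third-party installer is going to execute on your image), the script below does the same basic job from PowerShell.  This is an added example and not code from the post or from any of the tools named above; the only assumption is a local .msi path passed in as -MsiPath.  It lists the tables in the package and then decodes the CustomAction table, which is where installers run arbitrary EXEs, DLLs and VBScript/JScript, and flags actions marked to run in the system context rather than as the installing user.

```powershell
# Added example (not from the post or the tools it mentions): inspect an MSI
# through the Windows Installer COM API. Usage: .\Inspect-Msi.ps1 -MsiPath .\pkg.msi
param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath   # assumption: path to a local .msi you want to inspect
)

$msiOpenDatabaseModeReadOnly = 0

# WindowsInstaller.Installer is late-bound IDispatch; PowerShell cannot call
# its methods directly, so everything goes through Type.InvokeMember.
function Invoke-MsiMethod($object, $name, $arguments) {
    $object.GetType().InvokeMember($name, 'InvokeMethod', $null, $object, $arguments)
}
function Get-MsiProperty($object, $name, $arguments) {
    $object.GetType().InvokeMember($name, 'GetProperty', $null, $object, $arguments)
}

# Run an MSI SQL query and return each row as an array of strings.
function Get-MsiRows($database, $sql) {
    $view = Invoke-MsiMethod $database 'OpenView' @($sql)
    Invoke-MsiMethod $view 'Execute' $null | Out-Null
    $rows = @()
    while ($true) {
        $record = Invoke-MsiMethod $view 'Fetch' $null
        if ($null -eq $record) { break }           # Fetch returns null at end of result set
        $fieldCount = Get-MsiProperty $record 'FieldCount' $null
        $rows += ,@(1..$fieldCount | ForEach-Object { Get-MsiProperty $record 'StringData' @($_) })
    }
    Invoke-MsiMethod $view 'Close' $null | Out-Null
    return $rows
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-MsiMethod $installer 'OpenDatabase' @((Resolve-Path $MsiPath).Path, $msiOpenDatabaseModeReadOnly)

# 1. Table catalog. _Tables is the built-in list of tables present in the package.
$tables = Get-MsiRows $db 'SELECT `Name` FROM `_Tables`' | ForEach-Object { $_[0] }
"Tables: $($tables -join ', ')"

# 2. Custom actions: the code the installer will run. Review before trusting a package.
if ($tables -contains 'CustomAction') {
    Get-MsiRows $db 'SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`' |
        ForEach-Object {
            $type = [int]$_[1]
            # Bits 0-5 of Type encode what kind of action it is (MSI CustomAction table docs).
            $kind = switch ($type -band 0x3F) {
                1  { 'DLL stored in Binary table' }
                2  { 'EXE stored in Binary table' }
                5  { 'JScript stored in Binary table' }
                6  { 'VBScript stored in Binary table' }
                17 { 'DLL installed with the product' }
                18 { 'EXE installed with the product' }
                34 { 'EXE, path from Directory table' }
                37 { 'JScript text in Target column' }
                38 { 'VBScript text in Target column' }
                50 { 'EXE, path from a Property' }
                51 { 'Set Property' }
                default { "type $type" }
            }
            # 0x800 = msidbCustomActionTypeNoImpersonate: runs in the system context.
            $systemContext = ($type -band 0x800) -ne 0
            [pscustomobject]@{
                Action        = $_[0]
                Kind          = $kind
                SystemContext = $systemContext
                Source        = $_[2]
                Target        = $_[3]
            }
        } | Format-Table -AutoSize
} else {
    'No CustomAction table: this package runs no custom code.'
}
```

Run it read-only against a copy of the installer.  Anything reported as script text in the Target column, or as an EXE/DLL pulled from the Binary table, is worth extracting and reading before the package goes onto a master image, and SystemContext = True means that code runs with the installer service’s privileges, not the user’s.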

Ryan at CyberNet News seems to have slowed down on the blogging as well, but his post Stress Test a PC with HeavyLoad offers an additional (portable) freeware tool that can be used to put the heavy on a system for load-testing and performance monitoring.  Don’t forget other beefier tools such as the Phoronix Test Suite and Inquisitor. MakeUseOf blog also offered a while back The 5 Best Free Benchmark Programs for Windows.

See also the JAM Software - FileList CLI tool (freeware) for generating file-lists in a given directory.  Check out the ReadMe for additional CLI arguments.

What the Web Says…

Sometimes you have to go to the Web to find out just what is what and where stuff is ranked.  These were pretty cool finds this past week.

Browserscope - From the web-page “Browserscope is a community-driven project for profiling web browsers. The goals are to foster innovation by tracking browser functionality and to be a resource for web developers.”

namebench - From the project page “It hunts down the fastest DNS servers available for your computer to use. namebench runs a fair and thorough benchmark using your web browser history, tcpdump output, or standardized datasets in order to provide an individualized recommendation.”

See also the super-tiny, fully portable GRC’s DNS Nameserver Performance Benchmark utility for a no-install alternative.

Finally, got an Intel chip-based Windows system? You might want to hop over and try the Intel Driver Update Utility.  Ed Bott gets the hat-tip and has more information on his How to update Intel drivers automatically blog post.  I found a very new wired Ethernet port driver update for my new Laptop.  Please carefully note this one item from the Intel page easily overlooked:

Intel® Wired Networking note: If the Intel Driver Update Utility shows your Intel wired networking product ending in '(OEM)', Intel recommends you use the networking software provided by your computer manufacturer. OEMs may have optimized the drivers for your system.

Happy New Year!

Claus V.