
Feed: grand stream dreams (http://grandstreamdreams.blogspot.com/feeds/posts/default)
Feed Statistics
Added: 2007-07-31 07:52:44
RSS Type: ATOM
Language: English
Tags: blog, drive, file, forensics, great, network, system, time, tool, tools, usb, version, vista, win, windows, work
Preview: grand stream dreams

Updated: 2009-11-21T10:29:31.350-06:00

 

One Windows 7 Upgrade down, two (maybe three) to go…

2009-11-17T21:33:27.282-06:00

Whew! Been working on getting my own laptop upgraded from Windows Vista Home Premium x32 to Windows 7 Home Premium x64 (via Family Pack) just about all day long. Too tired to post a full post-mortem on the job. Suffice it to say it wasn’t so much of a technical-challenge as it was a volume-challenge due to my own configurations.

I had purchased a new Western Digital 320 GB laptop drive in anticipation of this day. That was a needed upgrade over the 120 GB stock one originally shipped with the system. I decided that I really wanted to do a true “clean install” rather than an in-place upgrade. And so I did. In the end I had to do an un-activated clean install (custom) of Windows 7 on my bare drive (after some quick DiskPart work), then re-run the Win7 setup and do an “upgrade” install of the clean install. I know. Crazy, right? Once that was on (the second taking much longer than the first…even from the USB-based media I was using) and all the updates loaded, the update key worked fine. For more on the technique I used see this Paul Thurrott post Clean Install Windows 7 with Upgrade Media.

Then most of the rest of the day was spent copying my files from both the mounted VHD-based Win7 RC I had been using as well as the Vista-sourced user-data files from the old hdd via a USB adapter cable. I’ve gotten about 90% of the applications re-installed and set back up at this point.

I didn’t really have any terrible challenges. My Logitech SetPoint software still wouldn’t work (allow the custom click-button options to operate as set) until I configured it to run with administrator rights after the login event under a “scheduled task” as I had done previously with Vista (despite downloading the Windows 7 x64 software from Logitech). Startup Program Unblocker (for Vista) might work as well but I haven’t tried it on Windows 7.

The only other “serious” issue I had was with the ImDisk Virtual Disk Drive app. It is “supported” for Windows 7 as well as x64 bit deployments…only you have to jump through some hoops due to driver signing. In my case I did all the tricks documented on the page, but it still would fail when I tried to mount supported files via the right-click context shell. However, if I launched the ImDisk Control Panel applet, then used it to mount the target files, it worked fine. Strange. So for now, I just have a shortcut to that particular CPL icon on my desktop that I am using instead. No biggie but just not quite as convenient. I’ll slay that dragon later.

Update: finally got ImDisk working Sunday. Had to re-download the test certificate from Olof Lagerkvist again and probably did overkill but imported it into multiple certificate store locations for good measure. Collected even more links/tips/techniques regarding this as I expect x64 bit life will be a bit of a headache when it comes to loading/running drivers and the need for certificates….

In better news, the VHD Attach utility at Medo’s Home Page is working perfectly, saving me from batch-file voodoo or using the storage-manager MMC snap-in to manage and mount the many VHD files I’ve got. And both the ImageX GUI (GImageX) utility for WIM file handling as well as Je Jin’s DISM Tool for toying around with DISM-based hacking on WIM files work great as well so far.

I learned that for maximum Java compatibility, it’s best to co-install both the x64 and x32 bit versions concurrently. Sun provides two helpful posts: Which version of Java should I download for my Windows 64-bit operating system? and Why do I need Java 6 Update 10 and above for Firefox 3.6 and later versions? which may or may not help clear things up for you. Also, there still is no Flash Player support on 64-bit operating systems though it may be coming very soon.

When I installed Apple’s Safari/Quicktime combo, the install failed. However after I uninstalled it, and first installed the standalone version of Quicktime, the[...]

Oops! Spilled COFEE, USB flash write/block thoughts, and nice tips

2009-11-08T22:02:41.500-06:00

“spilled the goodness” flickr cc image by Fricke_K

In case you haven’t seen it yet…

Siren.gif: Microsoft COFEE law enforcement tool leaks all over the Internet~! - CrunchGear

Microsoft COFEE, Some of the Most Illegal Software You Can Pirate - Gizmodo

COFEE stands for the Computer Online Forensic Evidence Extractor which is a forensics tool made by Microsoft and distributed to law-enforcement groups. As such it seems to have a strange aura about it and sometimes generates discussions along the lines of the MiB. AFAIK, it is just another tool that builds on Win PE technology and incorporates some automated tools (many of which are reported to be commonly available and free system and forensics utilities). For most non-law-enforcement folks it is something like “dark-magic”. I suspect for most forensics pros, it’s just one of many tools in the toolbox.

Anyway, seems that it accidentally got leaked onto the Net via a/some Torrent sites and is now in the wild. And it seems it is providing more yawns than MiB snatchings from those who have cared to download it.

So far, only Martin over on his Network Security Blog has posted a thoughtful consideration on the impact, if any, this spill has: » Ethics of spilled COFEE

I’ve not bothered to download it, and probably won’t. I’ve already got more than enough Windows PE boot systems, Linux Forensic LiveCD distros, and freeware forensics and system utilities that allow me more than enough avenues to take while assessing and analyzing a system; some but not all of which are automated.

In the end, while such tools can greatly aid the investigator sorting through ever-growing drive content volume, discovery and accurate analysis remain the domain not of automated tools, but of the skill and understanding of forensic investigators. Even the best tools can often lead justice astray in the name of forensics investigations of Windows systems if the investigator isn’t fully clued in to what they are observing.

Topic Shift…USB storage write-blocking solutions

WiebeTech Micro Storage Solutions - USB WriteBlocker™ - Forensic in-line USB Write-Blocker

Miles over at the wonderfully informative and inspirational TinyApps.Org Blog tipped me off to the above forensic WriteBlocker. At around $199, it is quite a nice pricepoint and doesn’t require the normal slew of cables and connectors other write-block devices frequently require. Miles noted this product in particular not just for the write-block protection it can provide in imaging seized USB storage devices during an investigation or incident response, but as an alternative to an endangered tech species: USB flash drives with write/lock switches.

My work-issued Kangaroo brand drive has a write-block switch on it. Miles has found a few others. The value of these is that they allow us to attach a USB stick loaded with tools/utilities to a suspect or infected system without fear of cross-contamination of the USB. It’s a critical feature that is getting harder and harder to find on USB sticks. Thus this tool might provide an (albeit expensive) solution for that bleak future. One alternative might be to pick up an SD flash card as many of these still have write-block switches on them. Couple that with an SD card reader or USB SD card housing and you might hack-n-stein one together in a pinch.

Update: TinyApps bloggist Miles quickly responded with some valuable experiences and research on the effectiveness (or lack thereof) of the SD write/no-write switch.

TinyApps.Org Blog : Installing CHDK on a Canon PowerShot A540 – TinyApps tackles some cool Canon Powershot / Digital IXUS cameras firmware hacking and in the process demonstrates that a w/p SD card can still be written to just fine with the correct software.

Why don’t they make USB keys with write protect anymore? - dslreports.com – fascinating thread (with some usual forum chest thumping) that goes into specifics on SD write prot[...]

Super-Duper-duper Linkfest

2009-11-08T16:06:48.872-06:00

Whole lot of link-dumping going on. Mostly applications and utilities of note released this week.

TeamViewer Portable 4.1.6911 Released - PortableApps.com - Portable software for USB drives. Appears to be another nice and free (for personal use) remote-control/support application. My fave remains ShowMyPC. Will download and play with a bit in the coming week.

2X Client Portable 7.3.743 Released - PortableApps.com. Described as a free “..remote server/desktop access client that allows you to connect to all your servers using a single client. It works seamlessly with the 2X ApplicationServer as well as with native Remote Desktop Protocol built into your Windows PC.” I’m wondering if this could help me on a number of test-bed/remote system deployments I work with.

Toucan 2.2.0 Released - PortableApps.com – Described as a major update to the file backup/sync utility.

A Windows 7 Launch Party Trick! - Didier Stevens. Actually Didier is releasing a “UserAssist” tool that works with Windows 7. Free and worthy of snagging and adding to your incident-response USB stick. Spotted off PenTestIT blog.

DevManView - (freeware) – New Nirsoft alternative to device manager of Windows. I like the report output ability and property detail this tool provides. It’s a lot easier to cull through the info than the default Windows-provided tool.

RegScanner Tool - (freeware) – Really fast and sophisticated alternative to RegEdit find/search of Windows. This updated version now allows direct jumps to edit/delete displayed search items.

Second Beta of NirLauncher package is available to download. Nir’s NirLauncher rounds up all of his tools and utilities along with those for Microsoft Sysinternals. See this Beta version of NirLauncher package is available to download post for extensive details on the tool. Awesome and handy launcher.

Sysinternals Site Discussion : Updates: Disk2vhd v1.1, ZoomIt v4.1, Coreinfo v2.0, VMMap v2.4. All of these are great tools and must-keep on USB sticks for sysadmins.

Sysinternals Site Discussion : Updates: Disk2vhd v1.2.

Sysinternals Site Discussion : Updates: Disk2vhd v1.3, Sigcheck v1.61, Process Monitor v2.8, LiveKd v3.12 and a new Mark’s blog post.

Mark’s Blog : The Machine SID Duplication Myth and Aaron Margosis’ Machine SIDs and Domain SIDs – Two earth-shattering posts that rock the foundations of sysprep fun by explaining why duplicate SIDs for local systems on a network is, in fact, a myth and fallacy. Alas, since Mark and Aaron have done all the mythbusting, I guess there is now no chance of seeing this same submission of mine to Jamie and Adam of Mythbusters ever seeing the light of day. Drat. I really wanted to see Carrie and Tory take this one on personally with some C4 applied for good measure.

Wireshark and Wireshark for Windows 7 - The H Security: News and Features. Yep. Now updated to release 1.2.3 (stable) which adds in enhanced stability and support for execution on Windows 7 systems. Available in install, portable, and non-Windows flavors.

MyDefrag v4.2.4 - (freeware) – my favorite Windows defragger, JkDefrag, has now had a major redesign and renaming to MyDefrag. It runs great and seems to pack a few more features. The GUI progress display is zoomable and much more stable in my testing. GUI wrappers for it are slowly being written as well (though it does fine on its own): MyDefragGUI or MyDefrag GUI wrapper or Emiel Wieldraaijer’s "MyDefrag PowerGUI" (still not available for download but looking nice in the meantime…).

Using a Windows System Image backup to transfer a configuration between computers. – Mark Wilson’s blog. Not a utility but great information on how to use a system image backup in Windows 7 to migrate a system to a different platform.

BETA: Visio 2010 Beta coming… s[...]

Windows 7 Resources – Hot off the DVD Presses!

2009-11-08T15:05:41.047-06:00

Geeklet and I were out running errands Saturday and I decided to see if I could snag a copy of Windows 7 Family Pack (W7-FP). We are running W7 Ultimate (RC) versions of 32/64 bit loads on all our laptops. It is rock-solid and approved by both the ladies over Vista. While there is no hurry to repave to the RTM version, I figure I would do well to get the final disk set in my hands so I could re-deploy as time allowed. Alvis even sounded enthusiastic when I suggested letting her do her own system install this time.

Alas, the first location we tried had quite a few “shell” display boxes of W7-FP but a search through the inventory found the actual product was out of stock. Later Lavie and I went out on a second mission together and I dropped in at the local big-box electronics store. Also holding many W7-FP display boxes on the shelf, but again I was told there were none in stock….this time with a cheerful “we are out of them across the district area” to boot. No, thank you, I didn’t want any of the widely in-stock W7 Professional or Ultimate single-license upgrade DVDs.

So the search continues. Either it really was a limited-time release (if so Epic Fail, MS!) or hopefully more are in the pipes. I’m going to widen my search this week with some more locations in Houston proper. I might be able to find an on-line download/purchase but after the fits some EDU student license users reported having, I’m a bit hesitant to go that route for now. That said, with a soured economy, and the bargain price of 3 CALs (actually one to cover three systems) for about $150, I’m not surprised this is a hard item to find.

Here are a lot of Windows 7 related links in the meantime to whet your appetite.

Windows 7 Arrives Today With New Offers, New PCs, And More! - The Windows Blog

It’s here: Windows 7 for sale - TechBlog

Migrating from Windows XP to Windows 7 - Springboard Series Blog. Master post with links to five how-to technical posts on how to migrate a system from XP to W7. Good overview of deeper issues and tricks that most folks probably won’t bother to consider. Do due diligence and review first. You might be glad you did.

Clean Install Windows 7 with Upgrade Media - Paul Thurrott’s SuperSite for Windows. Great and clear guide for doing a “clean-install” upgrade of W7. It’s my preference to always do a clean install rather than an overlay-upgrade between OS levels.

Clean Install Windows 7 with Upgrade Media: The Answer - SuperSite Blog. Abbreviated version.

How to clean install from Windows 7 Upgrade media - Windows 7 News. More assurance that this will work. But remember, you must still be legally eligible to apply the “upgrade” media which generally means owning a previous and legit copy of a qualifying Windows OS load first.

Identity of the Windows 7 Upgrade “Hack” Revealed and more! and Regardless of what any hack says, a Windows 7 Upgrade is an Upgrade. What you need to know. - Microsoft SMB Community Blog. For some reason this “technique” has generated some controversy.

Microsoft confirms Windows 7 install trick is legal – ComputerWorld. Yes. It is. Says MS, "To use upgrade software, you must first be licensed for the software that is eligible for the upgrade. After you upgrade, you may no longer use the software you upgraded from," the EULA states.” Mkay? Not sure why any Vista users upgrading to W7 would want to go back and use Vista on another system…just walk away, my friends, just walk away.

Creating Bootable Windows 7 Install USB Flash Drive or DVD Using Windows 7 USB/DVD Download Tool - Windows 7 hacker. I definitely plan to do my system installs from USB flash drive, rather than optical media. If you aren’t comfortable hand-making your own bootable USB stic[...]

A bright new toy…Fenix LD 20 LED light

2009-11-08T15:06:28.344-06:00

So about a week ago I was crawling in ceiling space inspecting new network cabling and removing old. Somewhere along the way I misplaced the datacomm/telecom scissors out of my Paladin GripPack SurePunch Technician’s kit. Bummer. I spent quite a lot more time then trying to hunt them back up to no avail. In the end I had to pop onto Amazon and order a replacement set. However while there I learned that I had a bit of un-used Amazon gift-certificate $ on my account that I had forgotten so I figured a new flashlight was in order as well.

I had been looking at LED based lights for some time. I have a 2-D cell Maglite in my larger tool kit, and there is the 2-AA Maglite in my cabling kit mentioned above. I then have a 3-D cell Maglite at home and yet another 2-AA Maglite as well. I also have a micro single AAA keychain Maglite in my car’s center console. Like most male Americans, the Maglite has been the ubiquitous flashlight of choice in our home. However, after Hurricane Ike hit and Lavie stocked us up with two LED based Coleman lanterns, I couldn’t quite get the nice white LED light and performance out of my mind. And the cable inspection and work in attic ceiling space with the Maglite really left me a bit unsatisfied. The light wasn’t as intense and it was very hard to shoot a tight beam past 10 or 15 yards.

So I started looking at an LED light upgrade. With no real experience or knowledge about them to guide me. I initially set my eyes on this Smith and Wesson Fluxion Rebel 5 Watt Tactical Flashlight. It seemed to get good reviews, was at a nice price-point, and had a handy barrel clip. It looked geeky and cool. However after reading the customer reviews on the page, I saw more than a few recommendations for Fenix brand LED lights. So I looked some more on Amazon and found this Fenix L2D 6 Level High Performance Cree LED Flashlight. It was more expensive and didn’t have the handy clip, but wider reviews on the Net seemed very positive. Not only that, but it had six different light-output levels.

I had almost clicked “add to cart” when I spotted in the sidebar a recommendation for the Fenix LD 20 6 Level High Performance Cree LED Flashlight. It was again, about $5.00 more expensive than the L2D model. Hmm. So I hit the wider Net for some understanding on the difference (if any) between them. And soon learned that the Fenix (pronounced “phoenix”) LD 20 was a no-brainer choice.

Fenix LD20 Review – Flashlight Reviews.

Fenix L2D-CE Comparison Review - CandlePowerForums.

Fenix L2D or LD20 - CandlePowerForums.

Fenix LD20 vs. L2D - CandlePowerForums.

NiteCore D20 Review - 2xAA - RUNTIMES, BEAMSHOTS, DETAILED PICS and more! - CandlePowerForums.

2xAA Round-up Review: Fenix, Nitecore, Olight, ITP, Eagletac, Jetbeam, Mag ... - CandlePowerForums.

2xAA Round-up Review: Fenix, Nitecore, Olight, ITP, Eagletac, Jetbeam, Mag .... - CandlePowerForums.

Fenix LD20 Review – Light Reviews

Fenix LD20 LED Flashlight Review — The Gadgeteer.

Fenix Lights LD20 Review – Woods Monkey.

Fenix LD 20 - Google Video Reviews.

In all the reviews it was clear that the LD-20 provided a brighter, tighter beam at almost the same price as the previous model, and the Fenix was an up-and-coming line to watch. So I ordered it. (Note: this was paid for out of our own $. No loaner or freebee provided for this post.) And when it came in Alvis and Lavie both quickly attempted to appropriate it from me.

After reading the reviews linked above, it is clear that there is tremendous technology packed in these little lights. And the pros who review them really have a language of their own. So for the non-luminary geeks who are wondering about a Fenix LD 20, here are my obse[...]

Fast Forensics Touch-and-Go

2009-11-01T21:36:45.295-06:00

“C-17 Touch and Go” flickr cc image by vortran69

That last post, Sexy USB Boots (Win PE style) and the DST “fall-back” have taken a toll on me. I had hoped to spend more time crafting this post, but I need to turn in now to be functional for when I report for duty tomorrow morning. So here is a quick flyby of forensics related posts I have collected over the past two weeks. Enjoy.

Windows 7 and the Future of Forensic Analysis – Windows Incident Response blog – nice touch-n-go on forensics in the new dawn of Windows 7. Fortunately, Windows 7 adopts many of the habits of Vista which has already been in the wild for a while so it isn’t like everyone is starting from scratch. That said, the continued proliferation and relatively slow adoption rate of Vista means that XP has been a much more comfortable realm for many incident responders to work in. Windows 7 will probably see a faster upgrade and saturation level so it’s time we all get prepared for what it brings to the table.

Timeline Creation Tools – Windows Incident Response blog – Harlan builds on the challenges and techniques of timeline building in incident response. I’m still going back and rereading all his posts on this subject and others such as this Registry Analysis post from SANS Computer Forensics, Investigation, and Response blog.

Windows 7 Computer Forensics – SANS Computer Forensics, Investigation, and Response blog. Returning to Harlan’s first post above, this must be bookmarked as it contains some excellent material for reference, not just for forensic guys and gals but also for sysadmins of Windows 7 systems. Great stuff!

Free Tools – Windows Incident Response blog – I’m so jealous of Harlan for getting this one up! He has thrown down the gauntlet and provides a great intro listing of wonderful free (and many portable) utilities of interest for forensic examiners. I’ve got many of these tools in my toolbox, plus a whole stable of many more as well. Now I’m feeling guilty for not having the time at the moment to get them all cataloged and back-linked to share as a resource for the forensics community. Harlan has shamed me into dealing with this so my goal is to get it up before the year is out. I’m probably going to have to take a few days off work to get it done.

Tableau Forensic Products - TIM. – Tableau is teasing us with their own imaging solution that promises to be fast and easy and rock-solid. I’m intrigued and hope they offer a beta-download to play with soon. I also hope it is USB portable for use under Win PE booting.

8 bits: View the contents of a DD image while it’s being made. I’m not sure how regularly applicable this information is, but for someone who occasionally does make dd-format images, it is cool anyway to know.

CAINE Live CD. – Version 1.0 released! – new release in both a boot disk ISO and a USB bootable device image doesn’t seem to bring any radical changes or features, mostly just bug fixes. Still, if you are using CAINE (and you should be familiar with it) as a forensic LiveCD to offline boot/image/inspect a system, you will definitely want to update to this version.

DEFT v4.2.1 release DEFT Linux - Computer Forensics live cd. Likewise, this also-excellent forensic LiveCD distro got a minor bug-fix update. So update to this DEFT version as well. This isn’t related to the promised DEFT Linux v5 road map and features which promises to bring some more bells-n-whistles to this fine forensics LiveCD distro. No word when beta releases will be available but I suspect the critical bug fixes to v4 DEFT led to some delays in getting work on v5 completed.

JADsoftware - EDD home page. Jad has been hard at work updating his Encrypted Disk [...]

Sexy USB Boots (Win PE style)

2009-11-01T20:58:04.773-06:00

“Tiffany’s New Boots” flickr cc image by akseez

Due to a generous birthday-fun contribution from my little bro I recently picked up a Patriot Xporter XT Boost 16GB flash drive stick for my personal use. I’ve got a number of 512 MB ones scattered around, as well as my dependable 2 GB one, but after the latest round of family IT support service calls, I really wanted one with enough room that I could store all my portable utilities on; and still have enough room for a few ISO files.

More importantly I wanted a fairly-fast USB stick I could configure to use as a Win PE boot device. Not that I have anything against bootable CD/DVD media. It certainly has its place, but having a Win PE boot stick is just so much more sexy. Not only is it wicked-fast for off-line booting a Windows system for response and support, but it also allows me to save log data or recovered files directly to it, rather than try to offload them to a network share, the Net, or a non-booting USB storage device.

I’ve already covered this ground before at work with my current “for work purposes only” 8 GB USB stick. For that I used PurvianceCS’s post on how to Create a Bootable VistaPE USB Hard Drive or Flashdrive. Because this was based on my earlier VistaPE building work, it was a natural progression and worked flawlessly. It does use GRUB as the bootloader for the Win PE WIM handoff. That’s no problem and GRUB has an amazing amount of flexibility for multi-booting USB devices. However, to be honest, I never use any of the additional boot options it provides. I just boot to the Win PE WIM file and continue on.

I had in the past posted a few link round-ups to various ways and tools and techniques for making USB devices bootable.

QuickPost: Bootable USB Stick – Grand Stream Dreams blog

USB Tricks for Vista and Windows 7 – Grand Stream Dreams blog

They all are good and provide lots of great background but I really wanted a solution that was dead-fast, simple, and rock-solid for setting up a (supported) USB storage device to be used as a boot device for Win PE builds. This was particularly important for me as well since in our IT shop we now have over twenty-five portable Western Digital external hard drives that I keep updated with ImageX-based WIM images of our various hardware systems. When I hand them out on projects, a folder goes with them containing CD-ROMs of my custom Win PE boot disk along with a Clonezilla disk as well (images for those are on the drives as well). Wouldn’t it be nice if the CD drive was funky or problematic to allow the techs to boot directly from the same device the images were stored on? Yep.

So after some brief work and experimentation, I found the following technique worked “bestest and fastest” for not only making my personal USB device quickly bootable, but all these external USB hard drives as well. And all done with my own hands!

Creating Bootable Vista / Windows 7 USB Flash Drive – Kevin’s Blog

How to Create Bootable USB Drive to Install Windows Vista? – Tweaking with Vishal

The Technique

This assumes a few things first, so let’s get those out of the way.

- There is nothing now on the drive you want to save (or you have backed it up already).
- The drive is (or will be) NTFS formatted. (I’m not sure this is a requirement but it seems to improve speed.)
- The USB storage device supports USB booting (not all do).
- You are reasonably comfortable with CLI work, including DISKPART.
- You already know that to use the thing, you may have to set your BIOS to the “boot from USB” option (or select it in a one-time boot option at BIOS startup…).

I actually found this easiest to do while running under a Win PE 2.0 (Vista) or Win PE 3.0 (Win7) session, though you can do it from an administrator-elevated command prompt sess[...]

Final Push Linkfest

2009-10-18T22:39:57.383-05:00

Just a few more links to wrap up a delightful weekend.

Native boot from VHD on a Windows XP computer – Mark Wilson’s blog – Mark has brilliantly worked out a solution to native booting that I haven’t seen yet. Windows 7 allows you to Boot to VHD with just a modicum of effort and run your VHD system on the physical hardware layer rather than a virtualized one. Then some clever folks figured out how you can Dual Boot Windows 7 on Vista via VHD file by swapping Vista’s boot manager file version with the one from Windows 7 which does support VHD booting. I’ve been running Windows 7 RC x64 on both my and Lavie’s personal laptops for some time this way all the while preserving our existing Vista installs until Windows 7 final comes out. I had hoped to do the same thing in keeping a native XP system in place and then boot Windows 7 from a VHD but XP didn’t seem able to be VHD booted under W7. Mark’s solution doesn’t change my issue (Windows 7 as the base install and XP in the VHD being booted). Instead he just simply reverses the equation. Keep XP as the base install, do some freaky (but clever) boot chain-loading configuring. This gets around both issues. First the Windows 7 bootloader is forced upon the native XP system. Then the Windows 7 VHD system is attached and set to be a native booting option. Finally the legacy (XP) boot settings are chained to the boot loader configuration. Like I said, very clever and this solution method actually works.

F-SECURE Releases New Rescue CD – CyberSec blog. According to the release notes, it is based on Knoppix and contains a minimal set of tools to off-line scan a system against malware/viruses. It also now contains a few tools to recover deleted files and messed up partitions and check the S.M.A.R.T. data of the local hard-drive. DAT files can be accessed/updated using a prepped USB stick. More Info from the F-Secure blog: What is F-Secure Rescue CD? and Rescue CD 3.11

EraserDrop Portable - PortableApps.com. I love Heidi Eraser for secure file erasing and zeroing out freespace on a drive, as well as the Eraser Portable version. However it isn’t always the most convenient tool to use as you have to drag files into a scheduled task, then run the task. EraserDrop takes the nuisance out of it by displaying an icon on the desktop to which you just drag-drop-n-secure-erase your files on the fly.

Sysinternals Site Discussion : Updates: Autoruns v9.56. “Autoruns v9.56: This update enables Autoruns to view registry entries that have permissions only allowing the System account access and fixes a bug that caused some rundll32-hosted entries to not display correctly.”

Internet Evidence Finder – Updated – JADsoftware. “Version 2.0.5 updates: Fixed bug where physical locations of located artifacts beyond 4GB were sometimes incorrect. IEF is also now compatible with Mount Image Pro! Tested/verified with version 3.26.522.”

Patch Registration Cleanup Tool – Microsoft Download Center. “Brief Description: On a computer that has a Windows Installer based product installed, you may receive an error while installing an update for the product and the installation of the update may fail.” See KB976220 for more information.

Microsoft SharedView – Version 1.0 Release – Spotted via Mark Wilson’s blog post SharedView: Free desktop sharing across the ‘net. Take a look at the extensive release notes for a roundup of the bug-fixes and compatibility enhancements. As Mark kindly noted, I’ve posted about it on GSD (Microsoft SharedView: OMG this is Free?!!!) and while it is no replacement for a dedicated remote control client solution (Remote Desktop or ShowMyPC), for collaboration efforts with severa[...]

Tracking down a pagefile.sys mystery

2009-10-17T22:40:36.518-05:00

A Prologue

About every four months, I build updated base images for our technicians. We have about ten different hardware platforms currently deployed for our end-user desktop and laptop systems. It’s a touch time-consuming, but the following procedure works well and gives us flexibility and redundancy.

I take the “official” company image and apply it to a cleaned and formatted system drive. I then apply a round of Microsoft updates, plug-in updates, and a few others to the system, and add in any system configuration or policy tweaks that we have discovered are needed or desired since the last image build. I run CCleaner to dump temp files and stuff. I finally sysprep it and shut it down. I then capture the image using both ImageX and Clonezilla. ImageX (and the WinPE disk) seem to like 512 MB RAM or better to function. Clonezilla can tolerate 512 or less. I know it’s kinda silly to have the same image in two different formats, but the guys seem to enjoy the flexibility, and with large USB hard drives cheap, space isn’t an issue. I could make (and have made) a multi-image ImageX single WIM that contained all of the different systems in one WIM, but it wasn’t very popular. So I just stick with what works.

So this go-round I had prepped and captured a system WIM and was shocked to find that the size had jumped from about a 2.6 GB WIM file image to over 4 GB. While there were over 34 Microsoft patches to deploy in October alone, I didn’t expect to see that big of an incremental jump. Something seemed very, very off here. Why the big jump?

I mounted up the WIM file on my main system and then tossed SpaceSniffer at the mount folder. Immediately I found the issue: a 1.6 GB file called “pagingfile.sys”. But the standard Windows pagefile.sys should be excluded by ImageX’s default capture parameters. What was going on? That was the mystery to be solved.

Chapter One: “Fraternal Twins”

At first I thought I must have made some really bone-headed mistake during my system image preparation. So I cleaned the last system I was building, rolled back to the original image, and went through the process again. Before I ran sysprep I checked the root and looked for any hidden system page files. Curiously, I found not only “pagefile.sys” with an early time/date stamp but also the “pagingfile.sys” file with a later time stamp. Both were approximately the same 1.6 GB size, for a combined total of just over 3 GB of drive space taken up. Hmmm.

Chapter Two: “A Windows Page File by Any Other Name…”

While I have from time to time “tweaked” a Windows system to adjust the page file, I’ve never attempted to change the name of it and didn’t have a clue how that was done. Turns out it is not controlled from a GUI but rather from the SYSTEM Registry hive.

How to Move or Rename Your Paging File in Your Runtime – MSDN

Regarding the paging file, an uncommon question in the past has been "How can I rename the page file from 'pagefile.sys' to something like 'andy.sys'?" A more common question on the pagefile has been "How can I relocate pagefile.sys to another partition that is not protected by EWF?" The information for both of these questions can be found and changed at the following registry key:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Name: PagingFiles
Type: REG_MULTI_SZ
Data: C:\pagefile.sys 150 500

Within that Data field you can adjust the NAME of the pagefile, its LOCATION and its MINIMUM & MAXIMUM values.

I off-line booted the system with my custom Win PE 3.0 bootable USB stick, loaded up the SYSTEM registry hive (how-to link #1 and how-to link #2) and inspected the key value. Sure enough, it was set to “C:\pagingfile.s[...]
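A check for exactly this mystery, added here and not part of the post: PowerShell that reads the PagingFiles value from either the live SYSTEM hive or an offline one loaded with reg.exe, and flags any entry whose file name is not pagefile.sys, so a renamed page file is caught before the WIM is captured. The offline hive path and mount name are assumptions.

```powershell
# Added example (not from the blog post). Reads the PagingFiles value described
# above from the live SYSTEM hive or an offline one, and flags any page file whose
# name is not the standard pagefile.sys, since a renamed page file is not matched
# by ImageX's default exclusions and silently bloats the captured WIM.
# All file paths below are assumptions.

function Get-PagingFileEntry {
    param(
        # Control set root to read; CurrentControlSet only exists on a live system.
        [string]$ControlSet = 'HKLM:\SYSTEM\CurrentControlSet'
    )
    $key = Join-Path $ControlSet 'Control\Session Manager\Memory Management'
    $raw = (Get-ItemProperty -Path $key -Name PagingFiles -ErrorAction Stop).PagingFiles

    foreach ($line in @($raw)) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # Each REG_MULTI_SZ line is "<path> <min MB> <max MB>"; "?:\pagefile.sys"
        # means "system managed on any drive" and a missing size pair means automatic.
        $parts = $line.Trim() -split '\s+'
        $path  = $parts[0]
        [pscustomobject]@{
            Path         = $path
            MinMB        = if ($parts.Count -gt 1) { [int]$parts[1] } else { $null }
            MaxMB        = if ($parts.Count -gt 2) { [int]$parts[2] } else { $null }
            StandardName = ([IO.Path]::GetFileName($path) -ieq 'pagefile.sys')
        }
    }
}

function Mount-OfflineSystemHive {
    # Loads an offline SYSTEM hive (from a WinPE boot or a mounted WIM) and returns
    # the registry path of the control set that Windows would boot with.
    param(
        [Parameter(Mandatory)][string]$HiveFile,
        [string]$MountName = 'OfflineSYSTEM'
    )
    reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $HiveFile" }
    $current = (Get-ItemProperty -Path "HKLM:\$MountName\Select" -Name Current).Current
    return ('HKLM:\{0}\ControlSet{1:D3}' -f $MountName, $current)
}

# Live system: list every configured page file and call out non-standard names.
Get-PagingFileEntry |
    ForEach-Object {
        $flag = if ($_.StandardName) { 'ok' } else { 'NON-STANDARD NAME (not excluded from capture)' }
        '{0,-40} min={1} max={2}  {3}' -f $_.Path, $_.MinMB, $_.MaxMB, $flag
    }

# Offline hive, e.g. inside a mounted WIM or a drive seen from WinPE (assumed
# mount point D:). Unload the hive when finished.
# $cs = Mount-OfflineSystemHive -HiveFile 'D:\Windows\System32\config\SYSTEM'
# Get-PagingFileEntry -ControlSet $cs | Where-Object { -not $_.StandardName }
# reg.exe unload HKLM\OfflineSYSTEM
```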

Update: Never thought I would see the day…

2009-10-18T12:40:16.001-05:00

Update: saw a link on the 10.18.2009 – TechBlog linkpost that validates what I was seeing in this post:

Looks like Thursday will be the day to hit the big-box stores for the very latest in computer system hardware/software thrills and chills. -- cv

On a beautifully cool and refreshing fall Saturday, Alvis and I ran some errands around town.

She needed to cobble together the components to make her Halloween costume; a Tour Guide Barbie (from Toy Story 2). Her other high-school friends are also adopting the characters of Toy Story. Ought to be fun.

Since we were in the neighborhood and neither of us was quite ready to head home, we dropped in to Best Buy to look for an Enchanted DVD (found), and see what other goodies were to be had.

While I was there price comparing a 2.5” IDE 350 GB laptop drive ($110) against the NewEgg one I’ve been eyeing ($90) for a pre-Win7 upgrade, I was really blown away by what I didn’t see.

Almost no laptops or PCs were available or on display.

Normally when I have been in Best Buy, just about every horizontal surface in the computer area is covered by laptops or desktops. Today? Only four netbooks and two full-size laptops. I saw only two desktop systems.

When we dropped in to Office Depot it was even worse. Two laptops and no desktops on display.

Is the economy that bad that no-one even wants to carry this merchandise on the shelves? It was really funny seeing how BB was trying to hide the missing items with all kinds of mice, USB sticks and other small-box products artfully arranged on all the surfaces.

No.

I suspect that all these (Vista) systems have been pulled and I am only observing the lull before the Windows 7 release storm.

I imagine that by next weekend the shelves will be full again, but this time with newly deployed laptops and desktops armed with Windows 7 operating systems. They are probably already in the back awaiting deployment. No doubt the crack team of sales specialists has been hard at work training on the finer selling points for Windows 7.

It was just kinda freaky to walk into these spaces and hardly see any computers this go-round.

Really freaky.

--Claus V.


Mostly for the Forensics Crew: A rapid-fire linkfest

2009-10-11T16:03:37.844-05:00

Here’s a collection of links that is 90%+ aimed at the Windows forensics crowd. Got to drop off my daughter for pre-Sunday PM service activities and get some groceries bought before it gets too late!

ChromeForensics v1.0.1 : woanware. Mark Woan had kindly supported my fumbling foray into ChromeForensics a few weeks ago. We ended up working my knucklehead-ed-ness out and he ended up updating this with a nice Help file. I checked it closely and made a suggestion that he added in. He graciously gave me unneeded credit for the tip.

Windows Incident Response: Linkity-Link. Harlan Carvey’s nice, well-rounded linkpost regarding some assorted forensic topics, including a tease on WiFi geolocation in forensics.

Forensics from the sausage factory: Windows Photo Gallery. In that post, Harlan pointed to this fascinating post by DC1473 on forensic clues from Windows Photo Gallery usage.

Windows Incident Response: Where was Waldo?. Then Harlan later came back with an amazingly neat follow-up post on WiFi geolocation and forensic bits extracted from the Registry. This is really cool stuff and even sysadmins may find it useful. Suppose you have a policy against WiFi usage on work laptops/systems. During a system audit you could use RegRipper to discover WiFi connections as well as possible connection point history. Using Harlan’s technique, you might also be able to discover where it was used (home, work, public library, etc.). Not only does this provide great data for the analysis, but it could provide context for system activity observed as well as expand the information available for the response. Really neat stuff.

CDP - What Switch Am I Connected To? and Monitoring Traffic with Span Ports – SynJunkie. Two really great posts out of a series touching on network monitoring and Cisco switch/router configuration techniques. I’m singling these out in particular as they are of interest to sysadmins troubleshooting on the network as well as doing traffic captures.

Forensically interesting spots in the Windows 7, Vista and XP file system and registry (and anti-forensics). IronGeek. Useful list of Registry locations worth taking a look into, as well as some background info on them. Though not nearly as complete as Windows Forensic Analysis DVD Toolkit, Second Edition.

JADsoftware’s Internet Evidence Finder. Updated to version 2.0.4. Change Log

Windows Incident Response: Hakin9 articles. Harlan goes on in this new post to discuss some timeline creation and analysis thoughts. This is an ongoing theme on his WindowsIR blog. I recently had to construct just such a thing and am coming to appreciate the issues facing those needing to present highly detailed technical information on incident response in a manner that doesn’t cause non-technical managers’ eyes to glaze over and miss the impact of the information presented.

Disk2vhd. Sysinternals has just released a new freeware tool. This utility could be of great benefit to both sysadmins and forensics folks. I use Virtual PC as my preferred platform for virtualization, and while there are many tools that will convert a system image to a VMware machine, this could be a great tool for doing a similar thing for VPC. From the description: “Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Window[...]

First Fatal KSOD on Vista

2009-10-11T15:06:37.904-05:00

To summarize: XP Home on our SFF Shuttle desktop system. Vista Home Premium (x32) on both our laptops. Win 7 RC Ultimate (x64) (VHD booted) on both of those same laptops. Win 7 RC Ultimate on Alvis’s laptop (native install).

The XP system has seen a few BSODs over the years, but I have always been able to recover the system and get past it. The Vista systems have seen more than a few BSODs over the past year. Almost exclusively they have been related to video-driver updates. There have also been a handful of times that I thought I was getting one of Vista’s blacK Screens Of Death (KSOD) after reboots from Windows Updates. However, in the first case, judicious use of the System Restore point or “Last Known Good Configuration” has always saved my bacon. In the latter case, patience was the key, and after leaving it on the black screen with the cursor on reboot, the system eventually (up to 30 min sometimes) completed its updating and progressed on normally. I’ve never seen any KSOD or BSOD on either of the Win 7 systems during booting or as a crash. Ever.

So when little bro texted me earlier last week saying he was rolling in from the Red Baton with his Dell XPS system stuck on a KSOD, I couldn’t help but get a little excited. Yesterday, from 3:30 to 8:00 PM we watched football, had guy-talk, ate Sonic, and had a grand ole time as I attempted to get the system and his data safely back in operation. Oh yeah, Mom and her four-legged white-shag carpet hung out as well, enjoying her sons’ banter.

Digger had already done all the right things up to that point to attempt to restore the Vista system to good graces. Unfortunately it just wasn’t cooperative. The patient was a still-young Dell XPS system, quad Intel cores, 4 GB RAM, with two approx. 500 GB HDDs. It was last seen functioning fine on Wed.; when he returned it was locked up, and rebooting into Vista brought up the green loading bar which progressed to a black screen with no cursor movement. Leaving it in this state for hours brought no changes.

So I sat down and evaluated the situation with him. It wasn’t a boot-loader issue, as he could successfully get to the Vista loading process displays. And, since I had set it up to dual-boot Win 7 RC (x64) via VHD earlier in the year, that system was still loading with no complaints, allowing him to function just fine (though his user data was still in the Vista system). It saw that Vista system as a “D” drive, but it was “inaccessible” due to not setting security permissions to allow him access to it via Win 7. Certainly we could have done that (as I have done on our own dual-boot laptops), but I was still in the initial troubleshooting stages and didn’t want to complicate things. I had brought over with me my custom Win PE 3.0 bootable USB stick, so I booted the system with it and then just copied his Vista “user” folder over to his secondary hard drive to “rescue” his personal files, music, etc. Just over 130 GB in data. Sheesh! With that safely tucked away, we were now good to proceed with attempting to get the main system going again.

Based on his trouble description and what I was seeing, I was suspecting that he was encountering some kind of driver loading error. Maybe an update was recently applied that killed it during the loading process, or some kind of service was failing to load. I tried to use Nir Sofer’s Drop-Dead-Quick Blue Screen of Death Diagnosis Utility but unfortunately, though bro is a geek, he hadn’t configured his system to save crash dumps automatically. So even though he had briefly seen a BSOD flash once during one reboot attempt, we couldn’t access any clues from it. The vari[...]

Fixing a fun little problem: FF to IE bookmark import

2009-10-10T23:13:03.871-05:00

For a number of not-so-complex reasons, I decided to try rolling back to the dark side at work and migrate back from Firefox to Internet Explorer as my primary web browser there. While I did use IE (version 8) periodically and kept a smattering of “Favorites” bookmarks, it wasn’t my daily browser. That was reserved for Firefox. In Firefox I had amassed quite a large and sophisticated collection of bookmarks in a highly organized folder structure. So naturally I wanted to bring them over into IE.

So from the file menu in Firefox I just did the “Bookmarks” –> “Organize Bookmarks” –> “Import and Backup” –> “Export HTML” routine. That generated a “bookmarks.html” file. Easy peasy.

At first I “cheated” and just opened that file in IE and made a Favorites link to it on my favorites bar. When clicked, it opened the list as a single HTML-formatted page and I would just scroll down to find the link I was looking for. This worked well enough, but there were a lot of links and a lot of scrolling.

I eventually decided it was time to import them directly into IE as “real” folders/favorites. So in IE I created a new “FF Imported” folder and then went through the “File” –> “Import and Export” –> “Import from a File” –> “Favorites” –> and selected the bookmarks.html file Firefox exported. In the past I’ve always had a 100% success rate and didn’t expect any issues. However, this time it ran for a few seconds, then generated a failure error. What? Never had that issue before.

Looking in my import folder I found that some of the bookmarks/folders had imported, but only about 10% or so. Strange. So I went to delete the folder and start again. Only one Favorites folder wouldn’t budge, no matter which of multiple techniques I attempted to apply. It was named “Holding..” and had nothing (really, nothing) inside it. It was actually a subfolder, but I couldn’t delete the parent folder either.

Eventually I decided that the double periods might be mucking things up and somehow making it an “invalid” folder name, thus giving the system fits dealing with it. I suppose I could have just left it, but that seemed messy. Luckily I remembered an old GSD post where I had mentioned Delete FXP Files (free edition):

This fantastically clever utility from JRTwine Software continues to amaze me. It isn't something most sysadmins will regularly need. See, every now and then you may come across a file or directory that somehow got named something that Windows just won't let you delete. It's not that it is "locked" per se in the normal sense, but that the name itself makes Windows balk at your deletion request. I highly recommend this tool and suggest you keep it handy, just in case.

So I popped over there and downloaded the old version, installed it, and in seconds had the offending folder cleanly and decisively removed. No fuss. Delete FXP Files remains a fantastic tool that is probably almost never needed; but when you do need it, you really will be glad to have it handy. Note, I also found that there is a much-enhanced Delete FXP Files 2009 version out now as well. Check it out! Well worth the value purchase price…

Anyway, that fixed my initial headache, but didn’t bring me any closer to figuring out the import failure. But I did have a clue. Somehow in the import process, a folder had been created with an “invalid” folder name. Did maybe other shenanigans lurk in my bookmarks.html file? Not wanting to repeat the invalid folder name fiasco on my next attempt, I opened up the bookmarks.html file i[...]
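One way to hunt for further “invalid” folder names before retrying the import, added here and not part of the post: PowerShell that pulls the folder names out of a Netscape-format bookmarks.html and reports the ones Windows cannot create as directories (trailing dots or spaces, reserved characters, reserved device names), which is what tripped the import on “Holding..”. The sample bookmarks file below is constructed; the function names are my own.

```powershell
# Added example (not from the blog post). Scans a Firefox/Netscape-format
# bookmarks.html export for folder names (<H3> elements) that Windows will not
# accept as directory names, such as the "Holding.." folder in the post.
# Requires .NET 4 for WebUtility. The sample input is constructed.

function Test-WindowsFolderName {
    # Returns the list of reasons a name is not a valid Windows directory name
    # (empty list means the name is fine).
    param([Parameter(Mandatory)][string]$Name)
    $reasons = @()
    if ($Name.Trim().Length -eq 0)      { $reasons += 'empty' }
    if ($Name -match '[<>:"/\\|?*]')    { $reasons += 'reserved character' }
    if ($Name -match '[\x00-\x1F]')     { $reasons += 'control character' }
    if ($Name -match '[. ]$')           { $reasons += 'trailing dot or space' }
    # Device names are reserved even with an extension (e.g. "CON.txt").
    $stem = ($Name -split '\.')[0]
    if ($stem -match '^(?i)(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$') { $reasons += 'reserved device name' }
    return $reasons
}

function Find-InvalidBookmarkFolders {
    param([Parameter(Mandatory)][string]$Html)
    $results = @()
    # Netscape bookmark files mark folders as <DT><H3 ...>name</H3>.
    foreach ($m in [regex]::Matches($Html, '<H3[^>]*>(.*?)</H3>', 'IgnoreCase')) {
        $name    = [System.Net.WebUtility]::HtmlDecode($m.Groups[1].Value)
        $reasons = Test-WindowsFolderName -Name $name
        if ($reasons.Count -gt 0) {
            $results += [pscustomobject]@{ Folder = $name; Reasons = ($reasons -join ', ') }
        }
    }
    return $results
}

# Constructed sample resembling a Firefox export; "Holding.." mirrors the post's case.
$sample = @'
<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
    <DT><H3 ADD_DATE="1250000000">Tools</H3>
    <DL><p>
        <DT><H3 ADD_DATE="1250000001">Holding..</H3>
        <DT><H3 ADD_DATE="1250000002">Sysinternals: Misc</H3>
        <DT><A HREF="http://example.invalid/">Example</A>
    </DL><p>
</DL><p>
'@

# Expected: "Holding.." (trailing dot) and "Sysinternals: Misc" (colon) are reported.
Find-InvalidBookmarkFolders -Html $sample | Format-Table -AutoSize

# Against a real export:
# Find-InvalidBookmarkFolders -Html (Get-Content .\bookmarks.html -Raw)
```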

Keep Alive Ping

2009-10-05T19:40:06.204-05:00

Yep. Still here. All is well.

I came down with quite a cold-rebound two weeks ago. Lavie hauled me in to our family doctor and I ended up getting loaded down with a mess of antibiotics, nasal sprays, etc. Did a number on my system to get it fixed up again. Go figure.

I was pretty drained and ended up unplugging and getting some much needed rest.

Been spending extra time visiting with the extended family and watching cartoons and college football on the weekends with Lavie and Alvis.

I think it fell at a relatively quiet time on the Webs as when I finally got around to popping my RSS feeds I didn’t see too much of remarkable interest.

Rest assured, I still have some stuff in the blog hopper. I might have time this weekend to get one or two posts up.

Cheers!

Claus V.


A Smackrel of Forensics Honey…

2009-09-13T23:39:40.397-05:00

I’m baiting this pot of honey with a reflective post by John Sawyer, All Forensic Investigators Are Not Created Equal at the Evil Bytes Blog:

There are forensic "experts" who have a narrow specialization in investigating individuals. Some examples off the top of my head are law enforcement forensic examiners looking at a computer to see if it was used to send threatening e-mails, search for information on making bombs, or view child pornography. The primary, and often only, source of evidence is the suspect's computer that is sometimes accompanied with some corroborating information from the suspect's ISP or a Web/mail hosting provider.

On the extreme opposite end of the spectrum, you have those who work on a much larger scale, taking into consideration many sources of information. I'm not sure there's a good term for them -- security investigator or enterprise incident responder or similar title -- but they go far beyond looking at just one system. Logs from routers, firewalls, and numerous other types of systems all come into play in order for the investigator to crack the case.

I can’t consider myself really in the same class as true/certified “forensics” specialists. If I had to place myself somewhere, I guess it would be with those in the second paragraph; one of those “enterprise incident responders.” I have to know enough about Windows systems, typical/non-typical user behaviors, network elements, and hardware stuff. Then I have to be able to successfully integrate all those elements together when I approach and analyze a system. Is it harmless? Is it potentially criminal? I have to get hard data to come to a supportable conclusion, then present that material in a manner that is clear, logical, and fair; often to folks who are not technical in their knowledge base.

Since I don’t have any “formal” forensics training, I have to rely on the stream of material from the real experts and apply that information to our operational environments. We have a limited budget and a growing workload. Luckily I’ve been able to thrive with many freeware/Open Source tools shared kindly with the community by the developers bringing them to life. I’m very grateful for both the knowledge-sharing and the tool-sharing. That alone helps encourage and drive me to blog so tirelessly. It’s a way of paying it forward.

In John’s post, he references this Infosecurity (UK) - The black art of digital forensics post by Steve Gold. Steve starts out by dissecting issues of timeline building and the conflicts that can arise when dates are disparate. Then he moves on to the new “GUI-based” tools (by that I think he is referring to all-in-one commercial forensic suites) that help “aid” the investigator by parsing out volumes of system data and auto-magically sorting it out (bow optional) for the investigator. He then counterpoints the benefits of such applications with leaving the investigator in a possibly weakened position if confronted by a skilled trial lawyer who may bring doubt in if the investigator doesn’t know how the software arrived at the data. Finally he concludes with observing that many forensics experts have had to learn on their own how the systems are working, so they can parse out the data needed, interpret it accurately, and wrap it up.

After the IPSEC steps, he claims, it’s usually a simple matter to classify the data collated and then analyze it fully. Good digital forensics, he says, is not rocket science, but it does take a lot of thought to be able to complete an investigation and research all the relevant angles thoroughly. [...]

Tool Stew

2009-09-13T16:17:24.632-05:00

I’m tired just looking at this list! So I’m passing these links on to you so we can share the burden together.

Windows Base

Windows 7 Logon Background Changer - (freeware/Open Source) - Julien-Manici has released what has to be one of the most elegant Windows 7 system tweakers I’ve seen yet! It only does one thing, and that is to allow a user to change the Windows 7 logon background to any other image they have an image file of. It does all the conversion, cropping, and heavy lifting. It is “standalone” in operation, but it does come with both an exe-based and MSI-based setup installer for those who like those things. Not only does it allow you to switch the logon background graphic, but it provides a slick gallery previewer of the images in the folder you are pointing it to, as well as a preview of what the login background will look like. Simply amazing, and I think all Win7 users should consider getting it and putting it to work. I can’t believe that MS allowed this option and didn’t include a tool like this one. For more information on just how Windows 7 is pulling off this trick see these Rafael Rivera posts: Windows 7 to officially support logon UI background customization - Within Windows and Tweak your Windows 7 Logon UI “button set” - Within Windows.

Disable the New Libraries Feature on Windows 7 - (tip) – Lifehacker – I don’t mind the “libraries” feature of Win7, but it does take a while to get used to. If you want to turn it off, you can.

XP and W2K3 Release Candidate Versions of PowerShell are Now Available for Download – Windows PowerShell Blog.

Updated Windows Vista “seamless applications” package for Windows Virtual PC – Virtual PC Guy’s WebLog.

Network Veggies

The other day I mentioned NetGrok, which is a clever Java-based network traffic visualizer. I never was able to get it working on my Win 7 system, nor the Vista builds. I spent some more time with it on my XP Pro system and still couldn’t get it working. Java kept erroring out with a nullPointer message. I did load it up in a fresh XP Pro Virtual PC build and, after following the steps and using the latest Java release, I did get it working. Not sure where the conflict is. One of the tricks I learned is that the groups.ini file that controls the grouping display doesn’t use standard IP notation. Nope, instead you have to set the IP addresses in Classless Inter-Domain Routing (CIDR) notation. I hadn’t run into this format before, but it was easy to follow. Do a CIDR Notation - Google Search and you should be set. One more thing: when you do get it running you will then need to use the menu-bar option to set which network adapter it should use. Once I got it working it was very slick and cool. Only it locked up after just 10 minutes of running. Maybe it was a VPC thing… Still hoping… NetGrok uses the Jpcap set. No changes with the version that is included in the setup package for it, but there is the link for the curious and watchful.

Related, check out Analyzer: a public domain protocol analyzer. It worked pretty simply with no fuss. However, I think that while it has a few things that are interesting as a packet sniffer, the usual ones such as Wireshark, NetWitness Investigator Software, and Microsoft Network Monitor 3.3 fit my needs better. For the full list see the recently GSD-blogged Network Capture Tools and Utilities post.

NetworkMiner Network Forensic Analysis Tool (NFA[...]

SOS Linkfest: Tools, Tips, Stuff + Recipe!

2009-09-12T20:51:59.821-05:00

It's Still Raining!

For the past few days the upper Texas coast has been slogging through a series of rainstorms. Today we stayed pretty dry while the system moved more over the “Golden Triangle” area and East Texas, leaving the metro-Houston area under a blanket of clouds and light precip. Great day for couch-surfing and college-ball watching. The Cougs walked away with an upset but ND gave up their battle in the end.

SOS is the Best

It’s no secret that my favorite meal of the day is breakfast. I’d eat traditional breakfast fare all day long if I could. However, my most craved “breakfast” dish growing up and to this day is what we call “chipped beef on toast”. Lavie will eat it, though Alvis usually declines. Old military guys refer to it as SOS. A dreary and wet Saturday was an easy excuse to whip up a batch this morning. My recipe variation is dead simple, super quick, and feeds me (or me and Lavie). It is much lighter than this 1910 Manual for Army Cooks version that feeds 60 hungry troopers.

2 Tablespoons butter
2 Tablespoons all-purpose flour
Pepper (large-grind is my preference) to taste

Combine butter/flour/pepper in a saucepan or medium-sized skillet over low to medium-low heat until melted. Stir well (I use a wire whisk) and let it get “bubbly” for about 1-2 minutes. Watch carefully so the roux doesn’t burn, otherwise the gravy will not be white (though still good).

Take 1 cup whole milk and add to the roux. (To speed things up, try microwaving the milk first for 30-45 sec.) Whisk well to combine and get the roux fully incorporated. Bump up the heat to medium or a touch shy of medium. (Your range may vary.)

Find as much thin-sliced ham or beef lunchmeat as you care for. For me usually two packages of “Buddig” brand does nicely. “Cube” it up into fingernail-sized bits and add to the gravy. Continue stirring the gravy now until thickened and the meat has had a chance to warm up. If it gets too thick (my preference is for it to be able to cling to a spoon held upside down) just add a bit more milk to thin (Lavie’s preference).

While it can be served over whole pieces (shingles) of toast, I prefer to cube up the toast first. Makes it easier to get it into my pie-hole faster! In the past I used to tear the toast slices, but I’ve found that using either of two tools can make fast and consistent work of cubing up toast. Like Alton Brown of Good Eats!, I like a kitchen multi-tasker. Try cubing the hot toast with either a pizza cutter or a chopper/scraper. Both work great!

I don’t add salt as the meat takes care of that to my tastes. I do add the pepper immediately when making the roux as I think it brings out the oils in the pepper a bit and infuses the gravy better. Couple this with a few hard-fried eggs and some hot coffee. Yummers!

Beautiful Gantts

The Boss (the work one) requested that I convert my procedure checklist for our IT ops on opening up a new office (fulfilling and implementing the phones/network/server components) into more of a visual format so it was easier to see how all the different resources (IT staff) could be tracked. Sounded like the perfect excuse to put it into a Gantt chart. Among the various project management software items I posted about before, I could have just reached for MS Office Project. Unfortunately, only a few of us at work have MS Project. I wanted something a bit more shareable. The freeware tool ΤΙΜΙΟΣ Gantt Chart Designer is mighty easy to us[...]

Thoughts on A Close Cut (or getting “decked” on purpose)

2009-09-07T15:17:31.679-05:00

vectorized version of Stewf’s cc Flickr photo: Official Hair Styles for Men and Boys

Let’s take a diversion from the normal tech/info-sec related posting routine for a moment.

I never paid much attention to my haircut growing up. It didn’t matter (and I had no choice) up until jr. high; up to then the little-boy’s cut ruled. Then began the constant battles between me and the parental units. I preferred a length that completely covered my ears and fell in the back to cover my collar. I wasn’t a “hippie” or anything, I just had some identity issues with my ears (they seemed to stick out too much) like many young men.

In high school I graduated to the “wing-cut” style for the first two years, where you would carry that funky large-n-curvy “Goody-brand” styling comb and “flip” the sides over and back to give a “wing” effect. The crown was loosely parted down the middle. When not in use, the oversize comb was stuck in the jeans behind the wallet, appearing about 1-2” above the pocket top. Sound familiar, any of you 80’s youth? Then for my final two years in high school I had more of what I would call a “spike” top of at least 1-1/2 inches, but the rest was fairly long. I guess that was the style in the mid ‘80s.

I don’t remember much about my college & early wedded-bliss cut style, though I guess Lavie might consider it to be (smirkingly) a short mullet style. For one brief summer in college the back did get long enough to put up in a mini-pony, which Lavie continues to chastise me for even to this day. That “grew” out of an extended college group camping expedition to Big Bend Park in Texas.

It has only been in the past 5 or so years that I have transitioned to a flat-top, much to most everyone’s approval. I say “most” everyone because Lavie is still of the opinion that I look much more handsome with a longer-length haircut, as well as the “…missing running my fingers through your hair” stuff. I just say “rub my Buddha-man’s head for good luck".

I made the change for a couple of reasons; first and foremost was the fact that it was much cooler in the summer. I have an oily skin type and since I shampoo daily, it helps with the oil control. Being an IT geek I sometimes am required to go into ceiling space or under/in IT equipment. In all those cases having the insulation, ceiling-panel bits, dust, etc. in my longer hair was maddening. With a flat-top it is just wipe and go. Rain is fun and not a distraction.

Most of all, however, I think it helps me feel more mentally focused, ready for action, and outwardly conveys the inner discipline I am constantly trying to project and improve on. Call me crazy (maybe the ladies can understand) but I can tell a real change in my mental state when my hair grows out “too long”. I just don’t have the same energy level and attention to detail. Kinda like Samson in reverse.

I’ve never really considered if my flat-top style has any particular “official” name. My regular barber knows to “skin me on the back and sides” and make it super-short & flat on top. I went through a few cuts where he actually shaved down the sides, but generally it was a slow evolutionary process to get comfortable going from the #1 or #2 blade on the sides down to my now-preferred #0 (or is it #000 or #00000) blade. I’m not certain if anything past a #000 makes that much of a difference, though technically you can find blades that close. A good sca[...]

FireCAT 1.5 “Plus” Add-On Collection

2009-09-07T12:10:00.253-05:00

In yesterday’s GSD post I noted the following: Both of these tools brought me back to the excellent FireCAT 1.5 collection of Firefox add-ons used for security/network/pen-testing and other high-value activity in Firefox. FireCAT is maintained by Security Database Tools Watch. Check out this FireCAT 1.5 PDF for the full list and if you don’t want to pick-n-choose hop over to the lover-ly Firecat package for Firefox Files on SourceForge.net to get the whole collection at once. What surprises me is that no-one has yet submitted it as a Firefox Add-ons Collection. Looks like I may need to crank up a “standalone” profile of Firefox called FireCAT, install them all, then upload the collection like I did for my Claus Valca’s Extension List (Home). What think thee? Useful perhaps?

I have searched the Collections :: Add-ons for Firefox for a FireCAT set but didn’t find any. Sure you can hop over to the Security Database site for FireCAT (linked above) and download them individually via their great downloadable PDF sheet, or the HTML page, or even get (almost) the whole deck from the package put together by Jean-Nicolas. But a Mozilla Collection would make it easy to see them all and pick-n-choose quite nicely as well. Unfortunately I couldn’t find one.

Well, this Labor Day holiday morning I pulled the trigger and did it, building a modified “plus” set after a bit of work. Full props to Security Database who maintains the project and Jean-Nicolas who combines (almost all of) them into a single downloadable ZIP file for making my effort much easier. I didn’t do the heavy-lifting. I just assembled the pieces over into the Mozilla Collection. I offer to you the… FireCAT 1.5 “Plus” Edition Add-ons for Firefox Collection!

Some Very Important Considerations

Neither this collection nor Jean-Nicolas’s contains the full collection. You need to check the Security Database FireCAT 1.5 page to see the full list. There are some additional applications that need to be installed that leverage the power of one or two of these. Again, see the FireCAT 1.5 page for the full scoop.

I seriously don’t recommend installing all of them in your Firefox browser at one time. Really. Review them all and select only the ones you need. There is some serious fire-power here. You may throw the planets out of alignment if you try to do so. Don’t blame me if NASA comes looking for you afterward.

To build this set, and ensure maximum compatibility (and not nuking out my daily Firefox browser build), I used the Portable Apps Portable Firefox 3.0.13 build. This allowed me to build an isolated version. You could also try the Portable Apps Portable Firefox 3.5.2 build. However some of the add-ons are not 3.5.x supported (and vice-versa). I also had to do some about:config tweaking (Updating add-ons - MozillaZine Knowledge Base) to disable compatibility checking and what-not.

I did toss in a few other add-ons I just feel are germane as well; hence the “Plus” designation. These include (but are not limited to) the Enhanced History Manager (manage your history), CacheViewer (manage your cache), NoScript (manage your scripts when surfing), BetterPrivacy (Flash cookie LSO manager), Add-on Collector (to generate the list), Adblock Plus (nuke ads), Close'n forget (target-wipe tabs accessed), Microsoft .NET Framework Assistant (along for the free-ride), HttpFox (HTTP page sniffer), and the MR Tech Toolkit (to manage com[...]

Security and Forensics: Perimeter Edition

2009-09-06T13:02:47.886-05:00

Hold that line!

Forensic Style

Windows Incident Response: Virtualization – Windows Incident Response blog – Harlan Carvey takes a look at how virtualization is keeping the goal-posts moving for forensic examiners. Great supporting link-set to explore.

Papers, Tools, and Such – Windows Incident Response blog – Harlan Carvey moves on with a round-up of various materials to enhance your forensic focus. Of particular interest was a note “…of master's thesis from Greg Roussas titled "Vizualization of Client-Side Web Browsing and Email Activity"..” (PDF). Pretty interesting stuff and the paper also contained quite a lot of current tools worth looking into specifically related to email-forensics.

Goin’ commando – Windows Incident Response blog – Harlan Carvey’s third post ponders the thought of moving from a reliance on commercial forensic suites for analysis to task-specific and/or freeware/Open Source tools. I certainly can say that there is no way I could justify our department outlaying the cost of a full-bore commercial forensic suite. However with a good skill-set, and familiarity with the wonderful number of tools and scripts available for free due to the good-graces of the development community, as a system-administrator, I can take a pretty good assessment and analysis of a system at hand, anyway. Bravo!

Flash Cookie Forensics – SANS Computer Forensics, Investigation, and Response blog – Really timely article on how to leverage the information in the “hidden” Flash cookies often overlooked by both user and analyst. Great info. For more info see this related GSD blog post: Tip: Managing Flash Cookies.

Forensic PC anti-contamination procedures – Computer Forensics Forums – Fascinating discussion thread regarding if/how to “sanitize” a disk before re-using it to host a new imaged system. In my non-forensics IT work I still prefer to use Windows Diskpart to “clean /all” and zero out all the sectors on a drive to prepare it for the next usage. In fact, it is our policy that if we are going to re-issue a system from a previous owner to a new one, we zero-out the drive before putting the fresh (file-based) image on it. Our thinking is that this scrubs the system of the prior user’s data as well as ensures that any activity (especially in the non-allocated space) can be attributed to actions taken while in the new owner’s custody. Yes, it adds a bit of time to the system prep but it could save a lot of explanation and analysis on the back-end if needed. While we use an “all-zero” pattern, I liked the thread post that mentioned using a particular key-word pattern instead. Funny.

DEFT Linux v5 road map and features – DEFT Linux – Looks like this great forensics live cd is getting a fresh coat of paint and engine-work! Besides application version updates, there is a tease regarding “Dhash 2.0 (now with imaging tool)”. Expect a beta-release early October 2009 and a final release in November. I really like DEFT and a few other of the “forensic live cd 2.0” builds that have been released in the past year. Nice to see this line of tools is continuing to evolve and thrive.

On the Network

Web 2.0 for packets | pcapr – An additional packet-capture clearinghouse for folks looking to get sample/test network packet-capture data to work with. Left via the comment on my re[...]

Man Briefing #2

2009-09-05T17:50:49.669-05:00

cc photo credit Augapfel on flickr

Not to say that the ladies aren’t welcome as well…just didn’t fit with the photo quite as nicely. Work has been quite busy at the moment. I’ve had a few pretty intense “special projects” I’ve been working on these past weeks. Today it’s serious “couch-time” watching Notre Dame’s college football opener. I enjoy (but am not rabid about) college football, preferring it much more over pro-ball games. I follow ND for sentimental reasons. I would often spend summers with my mom’s parents in their Airstream trailer touring the country as a child. On Saturdays, without fail, Grandma would be found tuning in to the small color TV in the trailer, Grandpa cranking up the roof-mounted antenna and twisting the tuning dial on the ceiling so she could watch her Fighting Irish. I will also watch the occasional UH Cougar game (when found) along with Army, Navy and UT-Austin games. Other than that, I really don’t care so much and any college game will do Saturday night when nothing else is to be found on TV.

Good news on the requisition front. I had been looking at getting a Rosewill RCW-608 USB2.0 Adapter For IDE/SATA or a VANTEC CB-ISATAU2 SATA/IDE to USB 2.0 device adapter for work. Finally able to justify it and (though we had to go through an approved vendor) ended up with a pair of Tripp Lite U238-000 - USB 2.0 to SATA / IDE Combo adapters. I don’t care for one thing however. The dongle end has an embedded 2.5” IDE connector. To attach to a 3.5” IDE connection there is a loose adapter with the 2.5” connector mating pins (exposed) on one end and the 3.5” female end on the other. I worry about damage to the exposed pins. Other than that the kit seems pretty sturdy.

On to the Briefs:

The Art of Manliness – Great site with fun (and informative) posts on “being a man”. Runs the range of practical “man-tips” like How to Unclog a Toilet Like a Plumber to the critical and sensitive Dealing with Male Depression to the sublime Motivational Posters: Ernest Hemingway Edition. I really like the writing tone. Added to my RSS feed. (other recommended sites: BoingBoing & zen habits)

BLDGBLOG: Fire Lookout Towers – BLDGBLOG is great in that the writer provides great analysis on the topic of focus. When I was growing up and we were on those annual family vacation car trips, we usually passed by a few of these towers. There is something magical about a tower in the woods. Nice trip down memory lane.

Steampunk Art @ Oxford. Information on a Steampunk exhibit at Oxford. Too bad it isn’t closer.

Preview audio from Scott Westerfeld’s steampunk YA novel Leviathan – via Boing Boing – Sounds like an interesting story. I’m going to have to see if the local library can find me a copy.

XKCD Comic Solves Real World Tech Support Issue – Via Wired’s Geek Dad – So true. So true.

Hulu video - Saturday Night Live skit: Giraffes! OK. Some background first. I grew up sneaking down the hall as a kid to watch/listen to those classic SNL skits (Belushi, Radner, Curtin, Chase, etc.). Don’t care for the new-stuff so much, but I do still drop in from time to time. So Alvis has a large collection (and love) for Giraffes as well. So when I saw this skit the other night it was pretty funny. Showed Alvis the [...]

Utility & Miscellany

2009-08-23T22:53:23.447-05:00

Too many chores this weekend. Spent last week out of town at a technical conference. Had a raging bout of the highly contagious and discomforting “Caribou Cold” while there and am still suffering the tail ends of it. Spent yesterday on my home “workbench” swapping out my system onto a new (larger/faster) laptop hard-drive which involved over 14 hours of work (mostly due to having to decrypt the whole-disk encryption prior to imaging it and porting it onto the new drive). Had hoped to post much more this weekend but that was not to be the case. So here you go, semi-naked linkage.

Utilities

SuperCopier – One of my favorite specialized file-copy apps. Now active again at version 2.2 beta.

TinyApps.Org Blog : Formatting partitions over 32GB as FAT32 in Windows XP – Link to the curiously useful fat32format tool. I suspect this could be useful on portable USB drives.

Forensics

Forensics: Mounting partitions from full-disk ‘dd’ images – Tip from the SANS-ISC Handler’s Diary blog.

Tools and Links – Lots of linkage to tools and techniques from the Windows Incident Response blog.

JADsoftware – EDD – Version 1.1.0 now released. EDD checks HDDs for encrypted partitions from various whole-disk encryption solutions. See also TechPathways ZeroView, and TCHunt Quickly Find TrueCrypt Volumes – 16 Systems, as well as the File Investigator TOOLS version 2.23.

JADsoftware – IEF – Version 2.0 now out of the “Internet Evidence Finder”. Really nice and more full-featured tool. I quickly added this to my collection and tossed the older one.

Forensics from the sausage factory: Vista Volume Shadow Copy issues – Great tips on how to access and manage the Vista Volume Shadow Copies when inspecting the system.

Automated Recovery of Multimedia from Unallocated Space - SANS Forensics blog. Good information to know. Primary information related to NFI Defraser at SourceForge.net. Somehow that eventually led me to Csaba Barta’s website and a tool called ptfinder to carve out processes from memory images. “…ptfinder versions for Windows Server 2008 SP1, 2003 SP2 and Windows 7 beta are developed by me, and can be downloaded here. The details of the technique can be found here.”

Semi-Stealth Windows Live Updates

I’ve been waiting for some time for an update to Windows Live Writer, my blogging platform software. After the information below came out that a new version was available (14.0.8089.726; the previous build was 14.0.8064.206), I quickly launched my WLW and used the update tool to get the update. Curiously it said I was still using the latest update. I manually updated it (successfully) to the higher version noted but still have been unable to find a change-log detailing just what got improved/fixed/updated.

RELEASE: Windows Live Essentials “Wave 3” updated - Windows Live.

Windows Live Writer - Windows Live download.

And fresh off my Video-Editing Resource Roundup post going over various builds and different downloads to get Windows Movie Maker installed on your XP/Vista/W7 system, now there is this:

Get The New Windows Live Movie Maker Today! - The Windows Blog.

New Windows Live Movie Maker debuts, says good-bye to XP for good – Betanews.

Windows Live Movie Maker Review – Paul Thurrott’s SuperSite for Windows.

VHD booting and Virtual PC Stuff

How to Boot from VHD (VHD booting re-visited.[...]

Network Capture Tools and Utilities

2009-08-23T21:50:06.839-05:00

At a conference this week, we had quite a section regarding network captures. The instructor was going on about how you can try to sort out users and what they are doing via Wireshark with the packet captures. He really wanted to figure out who the largest users were and what they were doing to saturate the bandwidth. I politely asked if he was familiar with NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer. He was not. So I asked if I could come up and demo the one I had stowed on my USB stick. The rest of the lesson was filled with throwing the packet capture files he had brought at NetworkMiner and carving out the results. The instructor was amazed and grateful for the power that this tool was going to give him. I passed the download link around to the class attendees quite liberally afterward. It is an amazing tool. It was quite fun and informative for all.

Later I saw (by chance) the Tools for extracting files from pcaps post at the ISC-SANS Handler’s Diary. It was filled with quite a number of other great suggestions for carving information out of pcap files. I’ve also downloaded NetWitness Investigator Software (free) which I understand has quite a collection of features as well. Registration is required to get it working so that will need to wait until tomorrow. Most of the ISC-SANS items are *nix based. I’m mostly (with the exception of Linux forensics LiveCD’s) Windows based exclusively. However, the packet analysis tool Xplico - Internet Traffic Decoder really seems outstanding and up my alley for my needs. Fortunately, it is included in the DEFT Linux - Computer Forensics live cd.

In addition to Wireshark, I generally keep a few other packet capture tools on my laptops, just in case. Most are pretty tiny and light for super-fast and flexible captures. One of those other larger tools for packet captures that I have installed is Microsoft Network Monitor 3.3. I hadn’t realized that it had arrived fairly recently, but that link has some more feature details. In addition, while reading the Network Monitor development blog I was pleased to find that there are some specialized plug-ins for it that might be darn useful:

TCP Analyzer Expert: Make Your Network Run Faster – For Microsoft Network Monitor 3.3

Top Users Expert for Network Monitor 3.3 – For Microsoft Network Monitor 3.3

The first is a post describing the tool which can analyze and suggest issues with your network based on packet capture data. The second provides a report on which users are eating up all the bandwidth. Both are pretty cool. Check them out. Of course, you could also try a tool like ZNetWatch 1.01 (freeware) which also specifically sniffs network traffic and rats out who the biggest users are. While this could be caused by users looking at the latest YouTube videos or streaming radio (against network usage policy perhaps) it could also be caused by virus or malware command and control communications.

As I said, it was a lot of fun tossing NetworkMiner at the packet capture sample files. If you don’t have any handy, but want to really test out these (or other) tools that can read and parse that data, here are two great starting places to get some pcap files of your own to play with.

SampleCaptures - The Wireshark Wiki

SourceForge.net: Publicly available PCAP files – networkminer

Cheers. --Clau[...]
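The “who is eating the bandwidth” report the post describes can be reproduced directly from a pcap file. The following is an added example, not code from the post or from any of the tools it names: it walks the pcap file format (24-byte global header, 16-byte per-record header) and the Ethernet/IPv4 headers with struct, then totals bytes per source IP and counts how many distinct destinations each source talked to, which is one quick way to separate a single large download from a host fanning out to many hosts. The capture it parses is constructed inline; all IP addresses and MACs in it are made-up sample values.

```python
import struct
from collections import defaultdict
from typing import Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4       # microsecond-resolution pcap magic
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_frame(src_ip: str, dst_ip: str, payload_len: int, proto: int = 6) -> bytes:
    """Constructed Ethernet+IPv4 frame: zero MACs, zero checksum, zero payload (enough for top-talker stats)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + bytes(payload_len)


def build_pcap(frames: List[Tuple[int, bytes]]) -> bytes:
    """Constructed little-endian pcap: global header followed by (ts_sec, ts_usec, incl_len, orig_len, data) records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (ts_sec, frame) from a pcap, handling either byte order and stopping at a truncated record."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:      # capture cut off mid-record
            break
        off += incl_len
        yield ts, frame


def top_talkers(data: bytes) -> List[Tuple[str, int, int]]:
    """Return (src_ip, bytes_sent, distinct_destinations), largest sender first."""
    sent = defaultdict(int)
    dests = defaultdict(set)
    for _, frame in iter_packets(data):
        # skip anything that is not a complete Ethernet+IPv4 header (ARP, runts, ...)
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        if (frame[14] >> 4) != 4 or (frame[14] & 0x0F) < 5:
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        sent[src] += len(frame)
        dests[src].add(dst)
    return sorted(((ip, n, len(dests[ip])) for ip, n in sent.items()),
                  key=lambda r: (-r[1], r[0]))


# Constructed sample capture: one host pulling two full-size frames, one host
# sending small frames to several destinations, one ARP frame that must be ignored.
SAMPLE_PCAP = build_pcap([
    (1000, build_frame("10.0.0.5", "203.0.113.9", 1400)),
    (1001, build_frame("10.0.0.5", "203.0.113.9", 1400)),
    (1002, build_frame("10.0.0.7", "198.51.100.2", 60)),
    (1003, build_frame("10.0.0.7", "198.51.100.3", 60)),
    (1004, build_frame("10.0.0.8", "203.0.113.9", 200)),
    (1005, bytes(12) + struct.pack("!H", 0x0806) + bytes(28)),
])

if __name__ == "__main__":
    for ip, nbytes, ndests in top_talkers(SAMPLE_PCAP):
        print(f"{ip:<12} {nbytes:>6} bytes  {ndests} destination(s)")
```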

Java Silent Install Notes

2009-08-23T21:23:56.692-05:00

Just dropping some links from home so I can study them more at work later.

Issue: Windows Java (JRE) versions frequently offer trialware or other products when run at install/update time. End users are frequently seeing these Java Update requests and selecting them, installing the trialware in the process.

Idea is to do a “silent” install from the command line, as darned if I can find a setting in the Java Control Panel item that will allow automatic downloading and installing (without trialware) of fresh Java updates.

Moving on…

--Claus V.


Utility Gumbo

2009-08-16T23:35:02.405-05:00

There’s a lot in this pot. Probably something everyone can find to enjoy. I’m serving it up tonight out of the back of the truck on the side of the road. So it will be short on dialog, full on flavor. Feel free to pick-around. Just wash your hands first. And yes..bring your own bowl because unless noted, it’s all free.

RE: Windows Roux

TinyApps.Org Blog : Computer hardware chart – Amazing find from TinyApps. Great image detailing lots of different forms of connectors, ports, memory chips, CPU’s, etc. Real labor of love there. Download and keep that image handy.

Mark’s Blog : The Case of the Temporary Registry Profiles. – More advanced than usual investigation of a software-error message. Great tutorial on advanced troubleshooting techniques.

Debug 101: What does !analyze do? and Debug 101: What does !analyze do? – Ask the Performance Team blog continues its Debugging theme.

Updates: Autoruns v9.52, VMMap v2.2, procdump v1.2, procmon v2.5 – Microsoft Sysinternals tools update notices.

Updates: Autoruns v9.53, ProcDump v1.3, Process Monitor v2.6 – Microsoft Sysinternals tools update notices.

Updates: Zoomit 4.0, procdump v1.2 – Microsoft Sysinternals tools update notices. Whew! Got em all?

PowerGUI 1.9 RTMs - Dmitry’s PowerBlog: PowerShell and beyond. Much updated version of a GUI manager for Windows PowerShell script building and management.

Upgrading from Windows 7 RC to RTM… you had to try it didn’t you? – MarkWilson.IT – Me? I’m planning on just copying my data off to a USB drive, doing a clean install, then reinstalling as needed. Though I will make an ImageX image of all my systems’ partitions. That way if I miss anything I can just mount the WIMs and extract the data as needed. Clean installs are always the way to go in my book.

WinFontsView: View samples of Windows fonts installed on your system. – New clever tool from NirSoft. Very fast and handy. I’ve personally been using the slick NexusFont tool but what Nir’s lacks in GUI polish it more than makes up in size and speed.

Update: UserAssist Tool Version 2.4.3 and see also UserAssist -- Didier Stevens – “The UserAssist utility displays a table of programs executed on a Windows machine, complete with running count and last execution date and time. Windows Explorer maintains this information in the UserAssist registry entries. My program allows you to display and manipulate these entries.” Keep it handy as it’s portable.

LockHunter – A freeware utility that comes in both x32 and x64 bit flavors to delete stubborn locked files. This version supports Win7. Runs as an application directly or from the Windows Shell integration. For more locked file and process killers see grand stream dreams: I will kill thee a hundred and fifty ways ... post.

Sunbelt Blog: The 40 Most Popular Tools for Your System Admin Bag. Excellent list and great descriptions. I’m saving this to go back and explore some more. Many tools are (proudly) found on my USB sticks. There are some that are new to me as well in this list. Can’t wait to start checking them out. One of these days I’m going to take up an off-line challenge and work with a fellow blogger to come up with [...]