Playing Catch-up

Despite all my best wishes and efforts, I’ve really been under a tremendous production load of projects at work lately.

Hours stretched, long drives into field office locations for “in-the-trenches” work. Stuff like that.

I have still been checking my RSS feeds and building the linkage piles, but goodness, no time for weekend link posting of late.

One small benefit of the delays is that I will often go back now and re-consider that pile of 20+ links and after a week, find that some just weren’t worth posting comments on after all…so they will be struck.

This slow-simmering seems to result in a much tastier collection of tools and utilities.

So here you go.  About a month’s worth of slow-home-cooking served up for your dining pleasure.

Networking Link Portals

One of the things we have been doing lately is doing site-wide network traffic monitoring and analysis.  Our great network team has developed a pretty easy and deployable process to initiate a remote traffic capture and then internal analysis of the traffic/files.  Nothing super sophisticated but we can now pretty clearly generate a response report in record time.  That’s a small miracle in itself.

Here are three “portal” locations for great linkage and reference materials on Network traffic and analysis.

• Cheat Sheets - Packet Life. Great collection of free PDF-formatted reference sheets on many things network traffic related. This Wireshark Display Filters (PDF) page alone has been very useful.

• Network Monitoring Tools – Amazing collection of links maintained by Les Cottrell at Stanford.  Be careful. You could easily loose hours looking through the resources documented and organized here!

• WinPcap Network Tools and Links – Lots of great tools, reference materials, and what-not all lined up and linked regarding WinPcap-supported tools.

Remote System Auditing Tools

In aftermath of yet another incident project, I began looking for an efficient way to remotely audit the physical status and configuration of remote systems in our network.  We haven’t really had a need in the past to do so, and in the past year have only now been running post-deployment audit reports on systems that we initially set up to capture/document key hardware items. However it has become clear I needed the ability to do ad-hoc surveys and reporting on the status of Windows systems long-since deployed in the field.  Our network management infrastructure software can (in theory) do this, but it is non-intuitive and burdensome to do so.  In addition, it requires the workstation objects to have been correctly imported to the container in the first place to access.  Not done so?  No data.  So obviously I could have some big holes in my site/system audit reports.

So I started looking for a simpler reporting solution.

I found a number of great (and free) tools to do so but they were either much more robust that I needed, or required a client/server model of deployment, or the reporting was just not customizable out for rapid site-wide auditing and exportation for additional analysis in Excel/Access.

Some of those tools that “almost” fit the bill but eventually fouled out were:

• Total Network Monitor – freeware – Softinventive Labs.  Pretty full featured and awesome.

• Remote System Information 3.0 - (shareware) – nice and had much of the system hardware auditing stuff I needed but the reporting wasn’t robust enough nor was the fact it was shareware and I couldn’t find where the developers were still in business.

• Network Manager (NINO) - (open source) – Located this one on SourceForge and looks like a really heavy-duty network monitoring tool.  Ended up being too beefy for my targeted needs.

• OpenNMS – (Open Source) -  Another very robust network management platform.

• Lan Sweeper – (Free/$$ versions) – I really, really liked this one.  It covers so many of the mission-critical system auditing and monitoring points.  However it is based on a client/server type of model.  I wanted something that didn’t require me to deploy clients on all our systems in addition to the existing network client infrastructure in place.

• Zenoss – (Open Source) – Another very mature and polished network/systems monitoring platform.  Again, too robust for my needs.

• Network Inventory - (shareware/$) – Very nice but ultimately not free/OpenSource and cost is king now.

• Network Inventory Advisor - (free-trial/$) – Also nice, especially in that it was not agent/client based but again, the free trial period is limited and there is no $ in the budget for this project.

• AdvancedRemoteInfo - (freeware)  — Pet project of Matthias Zirngibl at masterbootrecord.de.  This was an unexpectedly special find from Germany.  Still in development, this beta level utility really has a lot of great bells and whistles.  It provided extensive information about remote system hardware/software and data-points.  It also allowed for some useful remote interactions with the target system and reporting was much better.  However, again, I needed something that let me manage reports on a site-wide number of systems, not one-system-at-a-time reporting.  Still, this is a great tool and I’m going to be keeping an eye on it in the future!

At this point, after almost an entire week of looking for just the right tool, I was almost ready to give up.  I checked in with Michael Pietroforte over at 4sysops.  He referred me to his lineups of Free Windows Networking Tools and Free Windows Inventory Tools  (in fact see his full selection of categorized Free Windows Admin Tools – 4sysops). However, none of those offerings were fitting the bill either.

Then while in the middle of our dialog, I found that an old-favorite had been updated with just the feature-sets I was looking for:

• SoftPerfect Network Scanner -- (freeware) – Free network scanner and remote-system management tool.

This ended up being perfect as it is a single, portable exe file based utility.  Though not “tiny” at 720K, it still packs an amazing feature set in.

I am now able to remotely run an IP scan against an entire network site range, and then can set WMI-based custom reports to pull data from the systems.  Because by audit is IP based, I’m much more likely to identify the devices on the network rather than those “objects” that were imported and calling home from a client/agent configuration only.

And the WMI-based reporting options are off the hook.

Look for a more detailed post soon on this project, but for now, I highly recommend checking it out.

The only potential “gotcha” is that WMI services and firewall port rules/policy must be configured, up, and running on the remote systems to get all the WMI-accessible data for your reports. If you have that in place, then you can easily run and export tons of highly detailed system audit report data.

Please look below for more useful WMI (Windows Management Instrumentation) resources that are must-reads if you are not yet familiar with it and need to do some homework for deploying and accessing the data it can potentially provide.

• Windows Management Instrumentation (Windows) – MSDN Library.

• Connecting to WMI on a Remote Computer (Windows) – MSDN Library.

• Connecting Through Windows Firewall (Windows) – MSDN Library.

• Connecting to WMI Remotely Starting with Windows Vista (Windows) – MSDN Library.

• Enable WMI for Remote Monitoring -- PowerAdmin.

• Help & support – Clear apps – Providing their own auditing product, this FAQ page touches on highpoints. 

• Network Inventory: WMI Access Troubleshooting Guide – 10-Strike Software also deploy a WMI-based solution. This tips page has lots of good background information as well.

• WMI Troubleshooting Guide -- Network Monitoring Software

• Remote Administration (using WMI) on XP Pro – TweakXP guide.

New or Improved Fun Utilities

These remaining tools caught my fancy this week.  They “remain” from the many more that seemed interesting from this week but on additional look didn’t make the draft-cut.

• KON-BOOT – This boot-kit tool to bypass Windows account protection has gotten a major update that supports both 32 and 64-bit Windows systems.  Use it for good!

• Explorer++ version 1.1 now available -- (freeware) – little update to this nice 32/64-bit supported alternative file management program.

• Partition Wizard – (freeware) – Another GUI-based Windows partition management program.  I’ve got so many now (including excellent Linux LiveCD distros) that I really don’t need another one…particularly with DiskPart and a WinPE disk, however, I seem to collect these things as a hobby.  For additional reviews: Partition Wizard Home Edition: excellent, free partition management utility | freewaregenius.com and Partition Wizard Manages and Fixes Your Hard Drive for Free - Partition - Lifehacker

• Free tool to open a command prompt in any folder – Yeah. I know there are other ways to accomplish this, but if you want an easy to install/integrate/access tool, here you go.

• Download details: Microsoft Exchange Server Error Code Look-up Tool – I’m certain I’ve mentioned it before, but I couldn’t my own link to it here, so here you go.  Couple this with MyEventViewer and BlueScreenView and AppCrashView from NirSoft and you might have a good seed set for working on strange system crash analysis.

Remote Desktop Trick

Windows Remote Desktop is a cool trick to access and manage a system across your network.  But what if you don’t have it enabled on the system? And either the end-user is totally clueless, rights restricted, or otherwise unable to initialize some other remote-control solution?  This might be a trick to try.

• Windows Server Hacks: Remotely Enable Remote Desktop – O’Reilly Media.

• Remotely Enable Remote Desktop :: IntelliAdmin - (free tool) – this tool automates the above manual trick. Get the micro-file from this link: Enable Remote Desktop – Remotely (exe download-link from IntelliAdmin).  I tend to avoid direct links but the download link from their blog-post page actually points to their full-featured application, and not the standalone tool.

Chrome Browser

I’m still nowhere near ready to jump ship from Firefox to Chrome full time, but I do find myself using the Chromium nightly versions in a portable version much more.

Here are the very small set of “add-ons” that I have found useful to load on it.

• AdBlock - Google Chrome extension gallery.

• Atomic Bookmarks - Google Chrome extension gallery.

• Browser Button for AdBlock - Google Chrome extension gallery.

• ChromeAccess - Google Chrome extension gallery.

• FlashBlock - Google Chrome extension gallery.

• youtube-html5-chrome - Project Hosting on Google Code.

I’m running a portable version of Chrome (Portable Google Chrome 2.0.172.23 or Portable Google Chrome 2.0.159.0) along with Dirhael’s (portable) Chromium Nightly Updater to keep the package frequently updated.  However, that has required unpacking and copying over the update packages into my the portable Chrome application folders.  No biggie but additional work.

So I was delighted to find that Carsten “caschy” Knobloch has recently started including an multi-build supported updater in his Portable Chrome package: Portable Google Chrome 4.1.249.1059 (German site) has the latest full portable packages for download or you can simply unpack it and copy the single exe updater file to your existing portable Chrome package and use it from there.  It automates the process to check, download, unpack, and install the latest Chrome release versions into you portable Chrome folders.  Way too cool!  See this post Neue Version des Portable Chrome Updaters (German) for additional info on the updater proper.

Firefox 3.7 Stuff

And the next iteration of Firefox is still marching closer to readiness.  I like what I am seeing, but I was surprised when my playing with a portable version of this latest release actually BSOD my Windows 7 x64 system.  First time ever that has happened.  Lots of fun stuff here but be careful!

• Firefox 3.7a4/Gecko 1.9.3a4 Released -- The Firefox Extension Guru’s Blog.

• Firefox.next Alpha 4 is both: performance and looks -- Mozilla Links.

• Mozilla Developer Preview, Portable Edition 3.7 Alpha 4 and Alpha 5 Pre Released (Firefox Preview) -- PortableApps.com

• Mozilla Firefox, Portable Edition and Gecko Layout Engine Test Versions -- PortableApps.com

• Release Notes: Mozilla Developer Preview

More Cool Utility Toys and Tips – Part II

• NTFSLinksView - View NTFS symbolic links and junction points - (freeware) – NirSoft – New tool.

• UserAssistView - Decrypt and displays the list of all UserAssist items in the Registry - (freeware) – NirSoft – Update.

• TinyApps.Org Blog : Unpack / extract .MSI file contents – Great tip and tool reference for dealing with MSI files. Less MSIérables isn’t as tiny but also provides a GUI-based method (with Windows Explorer shell integration) to unpack MSI files on demand via the right-click context menu when needed.

• 4sysops has been busy with some great WinPE reference material.  I’m still learning more tips and tricks in my own WinPE building pursuits and I collect these tips like crazy as I am always bound to find a new way of enhancing and refining my building work: Create bootable Windows PE 3.0 USB drive – 4sysops and Create a bootable Windows PE 3.0 USB drive with tools - 4sysops

• StandaloneStack 2 Makes Leopard Stack on Your Taskbar in Windows 7 - Windows 7 hacker.  Neat tweak-tool for enhancing the Windows 7 superbar features.  I’m still working on getting used to configuring and using the Jumplist-Launcher tool as well.  I figure between these I should be able to come up with something awesome.

• RT Seven Lite - (Freeware) – Spotted but not yet found enough time to play with.  This tool helps with Windows 7 integration, tweaking, and customization.  Looks like a really robust tool for custom Windows 7 deployments.

I hope you found something yummy for your Windows system here today!

Cheers!

Claus V.

Read More

Security and Forensics Roundup: Heavy Version #7

Oh my.  I may have bit off more than I can chew with this load of links.  I’m having a challenging time breaking them all down into meaningful chunks!

Incident Response

• The Tiger and the Ghost – Nice and reflective thoughts on the changing landscape of incident preparedness from Hogfly over at the Forensic Incident Response blog.

• Verizon Incident Metrics Framework Released – Verizon has published a framework for categorizing incidents and elements that comprise them.  One of many out there, nevertheless, it might provide some additional ideals for conceptualizing incident events and help guide you as you form narratives that analyze and summarize them for your audiences. Spotted via the TaoSecurity blog.

• DarkReading Evil Bytes bloggist John Sawyer has posted a trilogy of articles on incident response as well as drive-imaging thoughts and techniques in that response; Adding Forensic Imaging To Your Standard IR Process, Using Hard-Drive Imaging In Forensics, and Drive Imaging Using Software Write Blocking provide an updated refresher on these topics. Good for a quick review particularly for the unfamiliar.

• Responding to Incidents – Windows Incident Response blog.  Coming in at the anchor position is a great post by Harlan covering all the major points and issues on why establishment and execution of an organizational incident response plan for the IT shop is critical. If you don’t have one, it’s long past time to start building and implementing one.  Failure to do so comes with great peril.

Timeline Merry-go-Round

Having some time ago been faced with the challenge of preparing a digestible incident timeline of a Windows system, I am now paying even closer attention to timeline issues.  Like many, I had reams of data, much of it all valuable. However, the real challenge wasn’t so much the capture and spin-out of the information, it was presenting the findings in an objective manner that successfully and accurately told a story to management and non-IT consultants.  What was of value to me understanding the sequence of events was less valuable to those who wanted the big-picture and major-plot-points.  It end up being as much the art-of-communication as well as art-of-examination.

• Timeline Creation and Analysis and Even More Thoughts on Timelines – Windows Incident Response blog.  Start here to let Harlan give us our bearings on timeline issues.

• Timeline Analysis Part I : Creating a Timeline of a Live Windows System – The Digital Standard blog. cepogue starts us on a nice incident walkthrough from a timeline perspective

• Timeline Analysis Part 2 : The Registry – The Digital Standard blog.

• Timeline Analysis Part 3 : Log2timeline – The Digital Standard blog.

• Timeline Analysis Part 4 : Timescanner – The Digital Standard blog.

• Digital Forensic SIFTing: SUPER Timeline Analysis and Creation - SANS Computer Forensic Investigations and Incident Response Blog.  Very valuable guided tour on how to make a SUPER timeline using the SANS Investigative Forensice Toolkit (SIFT) Workstation 2.0.

• Shadow Timelines And Other ShadowVolumeCopy Digital Forensics Techniques with the Sleuthkit on Windows  - SANS Computer Forensic Investigations and Incident Response Blog. Because timelines are not just for the main Windows volumes…you’ve got clues in the Shadow Volumes as well.

• NFIlabs – Aftertime – Java tool to create timelines.  Pretty cool.

It’s all about Analysis

• Malware case: Day 1 and Malware Case : Concluded – Eye on Forensics blog.

• Memory Analysis on Windows 2003 64-bit and What’s Next – Mandiant M-unition blog.

• Analyzing RAM Dumps, RAM Analysis Part 2,and Memory Analysis Part 3 – The Digital Standard blog.

• Flock shepherds in a Life of Grime – Forensics from the Sausage Factory blog.  In which in this installment, we find DC1743 encountering the Flock browser, which is just a fancified version of Firefox geared to the social media experience.

Tools and Toys

• Streamarmor - RootkitAnalytics.com new freeware tool to discover ADS elements and remove them from a system.
• Internet History Examination Tools - you generally get what you pay for  – Forensics from the Sausage Factory blog.  In which DC1743 weighs the pros and cons of various utilities used to examine browser history.

• EnCase Portable device – Review - Computer Forensics, Malware Analysis & Digital Investigations blog.

• AVG Rescue CD: Free toolset for repair of infected machines – PSA announcement on HelpNet Security about a bootable LiveCD to review/clean an infected Windows system. Might be worth considering adding it to your stable.

• QCC Information Security - Free Forensic Tools – including CaseNotes, VideoTriage, and FragView.

• P2 eXplorer v2.0 – Free tool from Paraben Forensics to allow mounting of forensic images. Comes with support for reams of image formats.  Neat!

Miscellanea: Don’t count out the value of small things…

• Tidbits, Links, and even more Links – Windows Incident Response blog.  Think of these post links as Easter-eggs.  Each one nice and simple holding wonderful treats just under the shell!

• Digital Forensics Case Leads: Tools and Lists, Bugs, and Web 2.0 for Packet Ninjas - SANS Computer Forensic Investigations and Incident Response Blog.

• Digital Forensics Case Leads: New Gear, New PDFs Abuse, and Defeating TrueCrypt - SANS Computer Forensic Investigations and Incident Response Blog.

• The Chain of Custody for 2010-03-21 – Weekly Tweets - SANS Computer Forensic Investigations and Incident Response Blog.

• What is this field called anyway? – Forensic Focus Blog…a rose. By any other name, would smell as…well, you know.

Cheers.

--Claus V.

Read More

April 1st link-dump

No. No April Fool’s jokes here.  All are refreshingly legit.

• USBDeview – NirSoft tool updated to version 1.60.  Lists all USB connected (and previously connected) to a system.

• WhatInStartup – NirSoft tool updated to version 1.20.  This version now allows you to fine-grain edit startup program triggers.

• SniffPass Password Sniffer – NirSoft tool updated to version 1.10. Collects passwords during sniffing. New version now supports NetMon driver as well as a promiscuous mode.

• SmartSniff – NirSoft tool updated to version 1.60. Now able to support user of NetMon driver for captures, a WiFi monitor mode to capture all unencrypted traffic under selected channel, can open NetMon .cap files, added check-box for promiscuous mode state.  More info in this NirSoft blog post: Capture with Microsoft Network Monitor 3 in SmartSniff and SniffPass utilities.  Related: Download details: Microsoft Network Monitor 3.3, and Microsoft’s Network Monitor team blog.

• Sysinternals Site Discussion : Updates: Process Explorer v12, VMMap v2.62, DiskView v2.4 – The update for Process Explorer is particularly beefy.

• Windows Virtual PC Update – Remember to Upgrade Integration Components – Virtual PC Guy’s blog.

• Newsfox NEXT – update for the FireFox feed reader “alpha/beta” release to version 1.0.6.1

• Mailbag: Windows 7 and the Disappearing Desktop Shortcuts - Within Windows.  Neat “hack” to bump the tolerance of Windows 7 to accept higher (than 4) numbers of “broken” desktop shortcuts before automagically cleaning them off without your permission.

• Magical Jelly Bean Keyfinder – Tool to collect program keys from your system updated to version 2.0.8 on 03-29-2010.  Curiously, the main page at Magical Jelly Bean Software still lists the older versions.

• The Deployment Guys : USMT Failures Due To Bad Profile List Entries – Great tips for avoiding trouble when trying to migrate Windows profiles using the USMT.  They provide a MDT script to examine and validate some key items before USMT deployment to try to avoid failures.  Even if you don’t use it, the background information is useful.  Related: Reprofiler - A tool for repairing broken userprofile-associations and UserProfilesView – NirSoft; both of which can provide good information about Windows Profiles.

• Windows Live Wave 4 Milestone 2 leaked, screenshots galore – Ars Technica. Looks like Windows Live Writer (and friends) are going to get the Ribbon treatment.  WLW remains my blog posting platform.  However I’m not seeing any remarkable new features that would lead me to seek out the leaked version just yet. Neowin.net - Even more Windows Live Wave 4 screenshots leak  

• Internet Explorer 9: Platform Demos at Microsoft and Platform Preview gives Web developers first taste of IE9 at Ars Technica. Source download and good overview of what the next face of Internet Explorer will look like.  BETA: Internet Explorer 9.0 Technical Preview - Windows Live over at Kurt Shintaku’s Blog also has a nice breakdown of the finer points. All interesting stuff but installation of the preview platform not recommended for mere mortals.  Now folks who have a virtual machine of Windows laying around may be interested…. 

• Visualize Your Network in A Built-in Network Map in Windows 7 - Windows 7 hacker.  Nice little tip on how to use the “advanced” network map feature built into Windows 7 to understand your network a bit more clearly.  While there are many more sophisticated network mapping tools out there, this is a nice baked-in feature to do spot-checks of network connections.

• 3 Unique Bing Search Operators You Will Definitely Love – makeuseof blog.  Three clever ways to use Bing search beyond the groovy background images on it’s search page.

Cheers.

--Claus V.

Read More