Bios Password


Sunday, April 29, 2012

Forensically Sound: Quick Post #3

Posted on 1:45 PM by Unknown

While I cannot say the past week was light, it definitely was quieter than most I encounter.

I’m still digging out the trench but the skies are clear.

Here are a couple of items that caught my attention this week.

Utilities and Tools

  • PDF Stream Dumper was recently updated to version 0.9.320. Check the second link for a summary of the new features; one is a VirusTotal plugin.
  • usboblivion - Google Project Hosting. This is actually an “anti-forensics” tool of sorts to strip out evidence of USB connected drives from the registry. It would be interesting to see if the tool itself leaves a signature of its usage (besides a clean registry I suppose…) behind.
  • Exploring Symbol Type Information with PdbXtract - Mandiant blog - New tool to explore programming database files. Probably most interesting to malware analysts.
  • triage-ir - Triage: Incident Response - Google Project Hosting. Another script-based tool to collect key information from a suspect system. Based on the Sysinternals Suite along with a few other key utilities. Kenneth Johnson has some thoughts recently in his Tools in the Toolbox - Triage post at the Random Thoughts of Forensics blog. Triage was updated to version 0.7 back on April 16th. More on the Automated Triage Utility here.
  • For those that still haven’t tried WinFE…. - Windows Forensic Environment blog. Brett Shavers shares a quick-start guide to encourage the hesitant on just how easy it is to build your own WinFE boot disk. Check it out.
  • Z-VSScopy Freeware - Z-DBackup - (free for personal use/$ for commercial use) - Very interesting tool new to me that allows you to browse VSS snapshots, create new ones, and copy files from a snapshot back out. It is actually a module of their Z-DBackup backup software, which makes sense as being able to leverage VSS shadow copies makes running backup jobs a bit smoother. Spotted in this AddictiveTips blog post: Create, Access, Delete & Mount Shadow Copies On Any Windows Version - Z-VSSCopy. Other well-known tools for monitoring/accessing VSS: ShadowExplorer and the VSC Toolset: A GUI Tool for Shadow Copies.

Tips and Reminders

  • The Weakest Link in Data Protection [INFOGRAPHIC] - TrendLabs Malware Blog. Nice for cubicle wall hanging!
  • Memory Forensics Cheat Sheet - Forensic Methods
  • USB Flash drive Serial Numbers - "UNIQUE"? - digfor blog
  • DFIROnline - WriteBlocked - Great collection of online video/audio/presentations on forensic topics. Next best thing to being there in person perhaps! At least you won’t feel so left out if budget/travel belt-tightening is restricting your ability to attend these meetups and sessions.
  • IChallenge: What can you do with Funky Directory Names (Part 2) - ISC Diary - More fun with CLI tricks from Mark Baggett. As always, read the comments that follow to get the full experience.

More Mandiant Goodies!

Investigating Indicators of Compromise In Your Environment With Latest Version of Redline - This is an outstanding overview of the use and functionality of Mandiant’s free Redline tool. It really shows the power this tool can provide during a system assessment and incident response…if you are very familiar with it! 

If not, after you have read Doug Wilson’s guided walk-through above, dive deeper into the Redline User Guide.

Then hop over to the OpenIOC Framework page and check out the details there. Need some more Indicators of Compromise (IOC)? Drop into the IOCs on the MANDIANT Forums.

One more item: IOC Finder to collect host system data and report IOC’s.

An Eye on the Malware Front

  • Ransomcrypt Decryption Script - F-Secure Weblog : News from the Lab. The F-Secure team cracks the ransomware Trojan:W32/Ransomcrypt code to free the files. Interesting reading.
  • Pwning a Spammer's Keylogger - SpiderLabs Anterior. This is a must-read post showing just how powerful the information a trained and determined malware analyst can be. Inspirational.
  • Resolving post-malware problems - TinyApps bloggist finds two great specialized tools for dealing with post-malware issues on a system.
  • The System Forensics blogger goes to town analyzing a sample piece of malware in two posts.
    • IETab_IE65 Malware Analysis
    • IETab_IE65 Malware Memory Analysis
  • “Type www.” – “Ok, w-w-w-d-o-t”; antagonising call centre scammers - For lighter fare, Troy Hunt is primed and ready when cold-called by a virus call-center scammer. No foolin this dude! With a 45 min screen capture, grab the popcorn!

Windows 8 forensic previews

The forensic learning and exploring is underway for the new Windows 8 system.  Here are just a few posts I’ve found touching on the new system.

Windows 8 Forensics - Recent post by Ethan Fleisher at the Senator Patrick Leahy Center for Digital Investigation, Champlain College. Ethan goes long and in this first review covers passes at Recycle Bin properties and USB Drive activity.

Windows 8 Forensics Part 2 - Ethan picks up at Internet History.

Future topics of coverage promised by Ethan include Win 8 “reset and reload” feature, Event logs, Prefetching, Jump Lists, and File History features.

The Computer Forensics at Champlain College Blog where these posts came from contains a great collection of fresh material and the addition of this blog to my RSS feed list seemed a no-brainer!

Windows 8 Forensic Overview - Random Thoughts of Forensics blog - An extensive post by Kenneth Johnson covering Windows Registry artifacts.  Note, Kenneth updated his original post to reflect changes in observations between the Win8 Developer version and the newer Win8 Consumer version. Kenneth’s experience does highlight the challenge examiners and students have when a new OS is released in alpha/beta versions. It’s a great start to the learning process, however the path may be fraught with dead branches and dead-ends. Nothing will be 100% certain until the final release comes out. And even then, I suspect it will take some time for the forensic knowledge-base to be fully built-up.  There is still much to learn about Windows XP systems, and the books are still being written on Windows Vista/Win7 even as Windows 8 appears on the horizon!

The “X” Factor

Beyond the bits and bytes, deeper than the registry keys and that which lurks in unallocated space at the far-end of the hard drive, there is something special that sets some incident responders and forensic investigators apart from the rest.

Whenever I get a bit discouraged by the drudgery and lack of “play-time” learning new tools and techniques and getting my boots dirty in the trenches on a good investigation, I take heart from posts like these that are reminders that it really does take something special--an “X” factor--to be a great responder.

The Core Duo - The Digital Standard blog - From cepoug’s post

So I have recently been doing a lot of speaking and teaching, and came to an interesting conclusion about what are the core (and in my opinion, critical) skills of our trade, which I have affectingly dubbed, "The Core Duo".

When I really started to think about it, what we do (Forensics and Incident Response) really boils down to only two things. 

1. Spotting Patterns

2. Spotting Anomalies

Now, I know this sounds really simple...maybe too simple, but let me explain.  First of all, simplicity is something that I think is frequently minimized as being undesirable.  I think there are a lot of folks who think something to the effect of, "If something can be explained in simple, easy to understand terms, it must not be very complex".  I challenge that this is not the case.  I think that even the most complex situations (which we all know, cyber investigations are among the most technical and convoluted anywhere) are made up of components that can be broken down and simplified.  Being able to do this is a critical element in actually understanding what you are doing and why you are doing it.  That in turn leads to being successful at what you are doing.  Which finally, leads to you solving the case, and potentially, some bad guy going to jail.

What makes a good forensicator? or how to get a job in Digital Forensics... - WriteBlocked. Michael Wilkinson opens up his review of key traits this way:

If you are already working in IT, it is possible to complete either an industry certification or graduate study or even transfer directly into a forensic position, although this is becoming harder as the pool of qualified applicants continues to grow. However no matter how qualified you are this will never guarantee you a job. Certifications and qualifications are only good for getting past the HR screening process. After that the decision will be based on other factors, partially on your performance in the interview and partly on your performance in previous jobs. When I am looking for employees I am looking for two things, motivation and the ability to solve problems. I will take these attributes over certifications any day.

A Fistful of Dongles: Border Collies - A Fistful of Dongles - Eric Huber turns to the four-legged friends for a nice analogy.

You will live and die by the people you hire and the leadership that you give them. The most critical element of your security program is having the right people on your team and providing them with the leadership and resources that they need.  You absolutely need proper tools to secure your enterprise, but the tools are secondary to the people who use them. The purpose of the tools is to help your people do their jobs. Too many organizations treat their people as glorified tool drivers rather than security professionals. If you are spending more money each year on your tools than you are on your people, you’re probably in a very bad place with your security posture.

Information security is very hard. It takes tremendous time, effort, and expense to even come close to mastery of critical information security skills such as incident response, malware analysis, and digital forensics. There is no tool that can ever substitute for a highly skilled and well led information security professional.

<snip>

Meet Jet the Border Collie. You will find no creature on Earth more in the moment than a Border Collie like Jet chasing sheep. This is what they live to do. They are fantastic at it and they enjoy it immensely.  Incident response people are the modern day information security Border Collies.  We live in a time where we have an information security community made up of incident responders who absolutely live to get up in the morning and chase people out of our networks.

Eric goes on to expand his meme wonderfully.

This week I’m going to walk into the workplace with a Border Collie mentality; motivated, focused, and ready to perform.

Cheers.

--Claus V.

Posted in anti-virus software, boot-cd's, forensics, Link Fest, security, utilities, viruses, Win FE, Windows 8

Saturday, April 28, 2012

Bits and Pieces for the Admins - Quick Post #2

Posted on 6:42 PM by Unknown

OK. This next collection is a mashup of various items. Mostly new utility finds as well as few tips/tricks.

Probably something in here to play with for a while.

Microsoft Security Essentials 4.0 Released - Quietly…and related curiosities

I noticed last week that I had some out-of-cycle updates waiting. Curious, I checked on them and found that one was a new version of MSE. Most all of the changes are “under-the-hood” items, although there are a few GUI tweaks you might catch if you look closely enough.  If you use MSE and haven’t gotten an update for it yet, I recommend you manually apply it.

  • Microsoft released Security Essentials 4.0: Free protection from malware and viruses - Caschys Blog (G-Translated page)
  • Microsoft released Security Essential 4.0 - Born and Windows IT Blog (G-Translated page)
  • Microsoft releases Security Essentials 4 - BetaNews blog
  • Version 4.0 of Microsoft Security Essentials released - The H Security blog - Most all of the info about what “changed” in this new version I learned from this post.
  • Extending Microsoft Standalone System Sweeper - TinyApps blog. Original post showing how one could extend some functionality to the base MS Standalone Sweeper tool to off-line boot and clean a system of virus/malware. As TinyApps bloggist updated the post, it is now Windows Defender Offline and is more restricted, so those tips don’t work in WDO. However, I then found this post:
  • How the Windows Defender Offline Beta Tool works - Anything about IT - In which Alex Verboon goes in detail about how one downloads and builds a WDO tool for USB/CD usage. It’s an in-depth post and very good for some under-the-hood understanding of the creation process.  That was followed by:
  • How to add drivers to the Windows Defender Offline Tool - Anything about IT - Alex Verboon’s follow-up post details how you can add custom drivers or other bits to it.
  • What is Windows Defender Offline? - Download link at Microsoft for the Windows Defender Offline tool. I like how it allows you options to create a USB-booting version, a CD-booting version, or an ISO file (for you IODD/Zalman drive users!).
  • Microsoft Standalone System Sweeper Beta - Microsoft Connect site for the retired product.

Utilities

Image Writer in Launchpad - Neat tool to write images to USB or memory sticks - Cool project by Michael Casadevall. Read this important announcement as well: Version 0.6 release is back - with a warning.

Image Resizer for Windows - CodePlex project. I’ve posted this utility before but for some reason never got around to installing on my own Windows system at home. Egads! Realized it when I had to resize some pics to send to my brother and wanted to tell him about it for quick-resizing work.

Known Folders Browser 1.0 (for Vista and Beyond) - Kenny Kerr - Super neat tool to show virtualized folders and linking to the actual paths going on behind the scenes. A must-have tool under Vista/Win7. Spotted at ToolTip: Known Folders Browser - Anything about IT blog.

The above tool reminded me of the similar tool (and beloved) SpecialFoldersView over at NirSoft. Take your pick. Both it and Known Folders Browser come in x32/x64 flavors.

Portable WinCDEmu - Not really “portable” but once you run it and do your business, you can then uninstall the driver from within the application. I prefer ImDisk Virtual Disk Driver and Pismo File Mount Audit Package supplemented with SlySoft Virtual CloneDrive on my system. You may also want to check out OSFMount (based on ImDisk), Gizmo Drive, or MagicISO for some more full-featured ISO mounting apps. Spotted over at ToolTip: Portable WinCDEmu - Anything about IT blog.

Fixing Remote Desktop Annoyances - What the.....? blog - a collection of clever tweaks for you power Remote Desktop junkies.

JunctionMaster (or MoveAndLink) - Clever and powerful tool to create NTFS junctions on your system. Really neat and handy tool as long as you manage to keep your real and virtual link relations straight! Spotted via this JunctionMaster: Move A Folder Without Changing Its Path (Hard Link) post at Addictive Tips blog. Similar (though it doesn’t let you create them) NTFSLinksView utility over at NirSoft. Sysinternals’ Junction tool is a CLI tool to let you view existing ones and create them.  Junction Link Magic is another freeware GUI tool. Check out Link Shell Extension as well. Finally there is ntfs link over at elsdoerfer.name for one more tool.

Tips of Note

Windows and boot disks larger than 2TB - Awesome roundup of tips and tricks at TinyApps blog. With large-storage (1TB+) getting more and more common at the consumer level, dealing with prepping these drives for maximum compatibility and usage can be challenging. Thanks TinyApps bloggist! Your awesomeness remains supreme!

Disconnect USB Devices Without Using Safely Remove Hardware Option - AddictiveTips blog. For those of you who prefer the “snatch-n-go” technique this may be beneficial.  See also USB Safely Remove v5.1 (not free), EjectUSB (via freewaregenius/Softpedia), or USB Disk Ejector Free (via Softpedia). For more feature-rich USB removal support there is my new favorite, Dev Eject (beta version 1.0.23 released 4/25/12).

Windows Prefers Wired Connections - Clint Huffman's Windows Performance Blog - I really did already know this but it was a nicely composed reminder.

Cheers.

--Claus V.

Posted in anti-virus software, boot-cd's, Link Fest, malware tools, Microsoft, Remote Support, utilities, Windows 7

WinPE 4.0 - Quick Post #1

Posted on 5:35 PM by Unknown

No time for extended commenting. I’ve got to clean out the “to-blog” hopper and time is winding down for the night.

In my work in the Case of the Unexplained Donut of Death post I tripped over the Windows ADK for Windows 8 Consumer Preview and installed it to get the Windows Performance Analysis Toolkit.

However, I was wonderfully surprised to find that WinPE 4.0 (WinPE for Windows 8) came along for the ride.

YAY!

I haven’t had time to break it open and start playing with it in custom WinPE builds (as I am known to do) however I now have a watchful eye out for tips, tricks and material related to WinPE 4.0 building so when the time is right, I’ll be ready to go.

  • Windows Preinstallation Environment (Windows PE) Technical Reference - Microsoft TechNet
  • Installing the Windows ADK - Microsoft TechNet
  • WinPE 4.0 Windows 8 Developer Preview - MSFN Forum
  • Windows Developer Preview – Create a WinPE 4.0 Boot ISO - StealthField blog by Cory Calahan
  • Windows 8 Preview- How to create a WinPE 4 boot image - Windows-Tools blog
  • Win8PE - reboot.pro - list of WinPE building projects that use WinPE 4.0 as the source code
  • 2012 March, Com!, Leopard Project - Gallery - reboot.pro -magazine pages for a special WinPE building project
  • LiveXP 2012 - reboot.pro (not WinPE 4.0 but I couldn’t pass up linking).
  • multiPE - reboot.pro - WinPE building assistant that can use source material from XP-Win8 WAIK sources.
  • Windows 8 Preview - Howto - Creating a WinPE boot image with .NET Framework and PowerShell - Deployment Research blog
  • PowerShell scripts to create a WinPE 4.0 wim/ISO - jbmurphy.com
  • Windows 8 – Script for customizing WinPE 4.0 – Part 1 - Anything about IT blog
  • Copying command-line tools from Windows into WinPE, don’t forget the localization files - Anything about IT blog
  • How to Reboot or Shutdown WinPE - Anything about IT blog
  • Drivers and Downloads - Dell [United States] - Collection of Dell system drivers for inclusion in WinPE builds. Wish I had found this pack a long time ago…

Sometimes--ok most times--once you start working with WIM files, particularly the BOOT.WIM file that forms the core of your WinPE build, you will need to add some items to it. While you can mount/commit/dismount the WIM file from the command line, it may be a bit clunky to the uninitiated. A nice GUI-manager for DISM will go a long way.

  • GImageX - AutoItScript - This has been my hands-down favorite tool.
  • Windows Explorer context menu for managing WIM files - Anything about IT blog - If you prefer to do your mounting work via the context-menu, this is a clever way to do so.
  • Je Jin's DISM Tool

Cheers!

--Claus V.

Posted in boot-cd's, Microsoft, tutorials, utilities, Win PE, Windows 8

Saturday, April 21, 2012

Case of the Unexplained Donut of Death

Posted on 8:08 PM by Unknown

A few weeks ago, I had dropped in at the church-house to bring down some updates to the PC we run the services on. I also took advantage of the time to do some drafting work on that Sunday’s service material.

As I was working, one of the other ministers asked me if the worship-leader/sysadmin had gotten with me to look at one of the church administrative assistant’s PCs that was not running smoothly.

I hadn’t gotten the message yet but had free time, so I popped into her office to take a look.

The user explained that a few weeks prior, another church member had their PC infected with some malware. One consequence was that system mailed out malware link spam from their email client. The church admin got one of those emails, it looked legit, followed the link, and ended up with a malware infection on her own system.

In the end the system had to be paved and reloaded from scratch.

Ever since, the user reported it was constantly locking up at random times, though launching Internet Explorer sessions seemed to aggravate it the most.

The dreaded Windows 7 Donut of Death had appeared. Luckily I’ve got an appetite for donuts.

First thing I did was take a look at the system hardware; i7 core processor, Windows 7 x64 Pro, 12 GB system RAM (wow!), really big SATA HDD. This PC was probably one of the most well-built ones in our church. After some checking and tests, I couldn’t find any issues that could be hardware related.

Next, I fired up Process Explorer.  Since the PC had once been infected, but was wiped/reloaded, I didn’t expect to find any unfamiliar processes and that was indeed the case. Everything running looked legit. No one process seemed to be showing evidence of a “CPU hog.”

With Process Explorer running on the 2nd monitor and some changes made to the default columns, I started running some applications. Once I fired up IE there appeared the donut of death. The system seemed “locked” and unresponsive for almost a minute before control restored and applications became responsive again. Looking over at Process Explorer, I didn’t see anything jump in terms of CPU hogging. I clicked around and ran some additional apps with the donut of death appearing again from time to time, more frequently than not. The behavior didn’t seem limited to IE. Other apps triggered the same result. Also, IE could run fine for a while and then suddenly when clicking a new page-link, the system freeze occurred again.

Next I fired up Process Monitor and began a capture. I wasn’t paying close attention to the time, but was able to get the donut of death appear a few more times before closing the capture and saving the file. When I was done I had acquired a 7GB Process Monitor trace file. Yikes!

While I was there, I also grabbed the available System Logs with Nir Sofer’s MyEventViewer tool and exported them into a txt file for carryout consumption.

A quick review of the Process Monitor log saw a few toolbar-related processes (Ask toolbar, Bing toolbar, etc.). These seemed to show some time-jumps after execution. The time jumps were a few seconds, not the up-to-a-minute differentials I was expecting from the donut time. The user didn’t use them, so I uninstalled them. Unfortunately, while the donut subjectively seemed to take a bit longer to appear, it still was there.

I off-loaded both these bits to my USB stick for more analysis when I got home.

I was stumped but donut hungry.

Initial Observations: While it was possible there was some hardware/driver problem, my initial feeling was that we had a rogue process taking control of the CPUs. Since I couldn’t see any CPU spikes during the lockup in the temporarily frozen Process Explorer I wasn’t sure which one it could be.

Back at the homestead, I pored over the system logs. While they were quite interesting, I failed to find any smoking guns.

Next I analyzed the Process Monitor data. Poring over a 7GB file was very tedious.

Part of the problem was that I didn’t ever get an error dialog, BSOD, or some other “failure” to help me narrow down the search. The system would lock up and then unlock after some time and keep running “fine”. Hmm.

I was hoping to focus on a period when I saw the time-counter take a significant jump. Unfortunately, I didn’t find any obvious time jumps.  So while it appeared the system locked up significantly I didn’t find any time-jumps to point to a rogue process.  However, I did make a few notes. Suspiciously, there was a whole lot of logging going on with “coreServiceShell.exe” and “TmListen.exe”.  These are processes related to Trend Micro AV. Looking at the Process Monitor activity related to “coreServiceShell” it was a busy little child while “TmListen” seemed to be looking for related Trend Micro log(s). uiWnMgr.exe was also present and related to Trend Micro and seemed to be focused on certificates.

I discussed this with the sysadmin who was doubtful as this behavior wasn’t seen on any of the additional systems he had used Trend Micro on, including other systems in the church. So I set it aside.

Next week I stopped by the church-house again, but the sysadmin was out. My hope was to try to disable Trend Micro to see if that banished the dreaded donut.  Unfortunately, Trend Micro is protected with an administrative layer which requires a password to disable/turn-off. I contacted the sysadmin by phone but he couldn’t remember it and couldn’t access the location where he had it stored. I was on my own again.

This time I was a bit more prepared.

Resource Monitor

First I tried using the built in Windows 7 “Resource Monitor” tool.

[Screenshot: Resource Monitor]

The sample shot above shows some of the data it collects and displays. Running it is very simple. Just type Resmon.exe in the run-line.

While I did get the system to lock up with the donut of death again, I still couldn’t find anything obvious here. My suspect processes still seemed to be behaving themselves in terms of CPU usages.

More on using Resource Monitor:

  • Using Resource Monitor to Troubleshoot Windows Performance Issues Part 1 - Ask the Performance Team
  • Using Resource Monitor to Troubleshoot Windows Performance Issues Part 2 - Ask the Performance Team

Performance Monitor

I also considered using Windows Performance Monitor as it also comes native on the systems. Just type perfmon.exe in the run-line to execute.

[Screenshot: Performance Monitor]

While this is a good and powerful tool as well, it just wasn’t providing me the data I was looking for. The image above shows a sample view (not related to this particular case). It can be powerful in the right hands, but is not quite as intuitive to use “out-of-the-box” in a meaningful way.

More on using Windows Performance Monitor

  • Windows Performance Monitor - Windows Server TechNet page
  • Windows Performance Monitor Disk Counters Explained - Ask the Core Team
  • Use Windows* Performance Monitor for Infrastructure Health -Intel® Software Network

Windows Performance Analysis Tools (Xperf)

However, all was not lost.  I had come better prepared and now had a powerful tool in my performance troubleshooting arsenal loaded up on my USB stick; Xperf.

Basically, I had previously downloaded the Windows Performance Toolkit at home on my own Windows 7 system. I then copied the C:\Program Files\Microsoft Windows Performance Toolkit folder over to my USB stick for deployment and usage in the field.

I practiced using it first at home, but mysteriously kept getting the following error:

C:\Program Files\Microsoft Windows Performance Toolkit>xperf.exe -on DiagEasy
xperf: error: NT Kernel Logger: Cannot create a file when that file already exists. (0xb7).

That was weird as I didn’t have any traces set to run on my home system (that I was aware of at least).

That took a bit of troubleshooting but I eventually found the issue:

  • xperf: error: NT Kernel Logger: Cannot create a file when that file already exists - Blog My Nog
  • ProcExp and XPerf tracing - Maarten's blog
  • xperf: error: NT Kernel Logger: Cannot create a file when that file al - MSFN Forum

Basically it was tripping over Process Explorer which was running by default on my system at all times. Process Explorer uses NT Kernel Logging to capture data it uses and they were fighting. Once I disabled Process Explorer temporarily, Xperf worked fine.

Anyway, on the target system back at the church I copied the folder to the local drive, then opened a DOS box and pointed to the location and ran the following command.

C:\Microsoft Windows Performance Toolkit>xperf.exe -on DiagEasy

I then launched some applications, Internet Explorer, loaded a few web sites, ran paint, notepad, calc, etc.  Each time I would get the donut of death. Good data!

I would then stop the trace and export the file with an appropriate file name.

xperf -d testdata1.etl

I noticed complaints about dropped trace elements with a recommendation to increase buffer size. I probably should have heeded the advice, but didn’t since I was using the default diagnostic capture mode.

With three traces in hand now with sizes of 48MB, 50 MB, and a whopper of 301MB, I felt I had a pretty good sample set. During the testing, I made written notes of what I was doing (which app launched) and when the donut appeared. I hoped to correlate these events.

Now that I had the files back home, I fired up the GUI “Windows Performance Analyzer” tool, xperfview.exe.  Actually, since I had installed it on my home system the “ETL” file extension was pre-associated with that application.

[Screenshot: CPU Scheduling Aggregate Summary Table in xperfview.exe]

You can select different “Frames” to view data from which then load into the horizontal panes. From here you can compare events as well as hone-in on specific time-slices. You can also display the results in a tabular form. The image above is a screen-capture from a real trace from the problem system.

Poking around in this data from the three captures I had taken showed time-after-time that (overall) coreServiceShell.exe was the heaviest user of CPU processes far-and-wide.

This information, coupled with additional data with filtered Process Monitor session data I had captured observing the behavior of that process made me feel much more certain that Trend Micro was in fact the cause of the donut of death.

More on using Xperf and the Windows Performance Toolkit

  • Xperf, a new tool in the Windows SDK - Pigs Can Fly
  • High Interrupt CPU Time Troubleshooting with XPerf -Just another great IT blog
  • Using Xperf to take a Trace (updated) - Pigs Can Fly
  • Quick Start - Windows Dev Center - Desktop Page.
  • Detailed Walkthrough - Windows Dev Center - Desktop Page.
  • Solution: Fix System Interrupts And Locate Drivers Causing High CPU - Windows 7 Themes.Net - This post was interesting in and of itself with working with the Windows Performance Toolkit and interpreting Xperf results, but also had a link to a free utility DPC Latency Checker from Thesycon Software and Consulting.
  • Analyzing Storage Performance using the Windows Performance Analysis ToolKit (WPT) - Notes from a Platforms Premier Field Engineer - Robert Smith’s post is very fresh and full of amazing details in picking apart the results from a trace-file capture. The amount of data this collects is overwhelming and it takes some skill and work drilling down to the useful bits.

Bonus Xperf Material:

Today while poking away at the CodePlex - Open Source Project Hosting site I found three projects that may leverage the Xperf data in helpful ways:

  • XPerfUI - This is a GUI wrapper for the Xperf command-line performance analysis tool.  As I mentioned, my own performance traces dropped (lost) anywhere from 26301 to 194970 events during the trace capture process. The CLI arguments aren’t too tough once you have your confidence up, but this tool might make the process a bit easier.
  • Xperf123 - Xperf perf data collection made as easy as 1-2-3 - This project provides a Wizard-based method of selecting a trace profile (it does the CLI arguments automagically for you) and it creates and fires off the command. Then you can analyze the results.

As the warning dialog I mentioned said when loading my trace files in xperfview, “This is usually caused by insufficient disk bandwidth for ETW logging. Please try increasing the minimum and maximum number of buffers and/or the buffer size. Doubling these values would be a good first attempt. Please note that this action increased the amount of memory reserved for ETW buffers, increasing memory pressure on your scenario. See “xperf -help start” for the associated command line options.”  I probably should have set -maxbuffers 1024. Will try that next time.
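The capture workflow described above (check that nothing else already owns the NT Kernel Logger session, start a DiagEasy trace, reproduce the hang, stop and save the .etl) plus the buffer advice from the xperfview warning, collected into one script. This is an added example, not code from the original post or from the Windows Performance Toolkit; it assumes xperf.exe lives in the folder copied to the USB stick as described (the $XperfDir and $OutDir paths are hypothetical placeholders) and that it runs from an elevated prompt, since kernel tracing requires administrator rights.

```powershell
# Added example (not from the original post). Wraps the xperf capture steps
# described in the text. Assumptions: xperf.exe from the Windows Performance
# Toolkit is under $XperfDir (the folder copied to a USB stick), the prompt is
# elevated, and $XperfDir / $OutDir are hypothetical paths you adjust.
param(
    [string]$XperfDir     = 'C:\Microsoft Windows Performance Toolkit',
    [string]$OutDir       = 'C:\Traces',
    [int]   $BufferSizeKB = 1024,   # per-buffer size in KB (xperf -BufferSize)
    [int]   $MaxBuffers   = 1024    # the -maxbuffers value the post suggests
)

$xperf = Join-Path $XperfDir 'xperf.exe'
if (-not (Test-Path $xperf)) { throw "xperf.exe not found under $XperfDir" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 0: the error "Cannot create a file when that file already exists (0xb7)"
# means some other tool (Process Explorer in the post) already owns the single
# "NT Kernel Logger" session. logman lists the active ETW sessions, so check
# for it before starting rather than discovering the conflict mid-capture.
$sessions = & logman.exe query -ets 2>&1 | Out-String
if ($sessions -match 'NT Kernel Logger') {
    Write-Warning 'An NT Kernel Logger session is already active (Process Explorer running?). Close that tool and re-run.'
    return
}

# Step 1: start the DiagEasy kernel trace. Larger/more buffers reduce the
# "dropped events" complaint seen when opening the trace in xperfview.
& $xperf -on DiagEasy -BufferSize $BufferSizeKB -MaxBuffers $MaxBuffers
if ($LASTEXITCODE -ne 0) { throw "xperf -on failed with exit code $LASTEXITCODE" }

# Step 2: reproduce the problem while the trace runs, keeping written notes of
# which application was launched and when the hang appeared, as in the post.
$started = Get-Date
Read-Host 'Reproduce the hang (launch IE, Paint, Notepad, ...) then press Enter to stop the trace'

# Step 3: stop the kernel logger and merge the buffers into a timestamped .etl,
# so repeated captures on the same system never overwrite each other.
$trace = Join-Path $OutDir ('testdata_{0:yyyyMMdd_HHmmss}.etl' -f $started)
& $xperf -d $trace
if ($LASTEXITCODE -ne 0) { throw "xperf -d failed with exit code $LASTEXITCODE" }

# Step 4: report the result; the post's three captures ranged from 48 MB to 301 MB,
# so the size is a quick sanity check that the trace actually recorded activity.
$mb = [math]::Round((Get-Item $trace).Length / 1MB, 1)
Write-Host "Trace saved: $trace ($mb MB). Open it with xperfview.exe or wpa.exe."
```

Run it from the USB stick or a local copy as `.\Capture-DiagEasy.ps1 -OutDir D:\Traces` (the script name is arbitrary). If the pre-check trips, close Process Explorer (or whichever tool holds the session) rather than stopping the session underneath it; the owning tool will simply reopen it.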

Getting the Windows Performance Analysis Toolkit bits

As I said earlier, I had to install the toolkit on my home Windows system. However, once I did so, I was able to copy the installation folder in the Program Files folder to a USB stick for deployment and usage on a per-system basis. As I understand it, because you can download the entire package, you could (in theory) extract the downloaded file-set and snag them that way. I found the download/install/copy-to-USB method painless myself.

Here are some links to guide you through the download/installation process.

  • Windows Performance Analysis Tools - Windows Performance Analysis Developer Center - MSDN
  • Download: Microsoft Windows SDK 7.1- Microsoft Download Center
  • Installation - Windows Dev Center
  • Installing WPT (XPerf) from SDK - Maarten's blog
  • Windows Performance Toolkit - OCXPH forum

So, back to the donut of death…I diverged for a moment.

I had some great trace data, and my eyes on some culprits, but while the output in the xperfview.exe application (and table views) was helpful, I kept feeling I was still not able to see the big-picture as clearly as I wanted. After all, I’ve got more than a few Windows process/internals books but I’m no Windows programmer or systems engineer so I was still digging around slowly in the data.

Then I found this.

Windows Performance Analysis Toolkit (WPT) for Windows (SDK 8)

Wowzers!

This is the next-generation WPT and has some fantastic power and Xperf analysis toolsets!

Windows Performance Analyzer SDK 8

Compare the data views I had selected and was working with above in the Windows Performance Analyzer (wpa.exe) with the prior screenshot from xperfview.exe. The difference is night and day. The image above is a screen-capture from a real trace from the problem system.

I found this interface much more powerful and intuitive to use.

xperf.exe, xperfview.exe and all the previous tools are still present but wpa.exe is much more user-friendly for analysis work IMHO. Also added to the mix is the tool Windows Performance Recorder (wpr.exe) as well as a GUI-based wizard WPRUI.exe to help set your performance recording sessions. I didn’t use this tool in this troubleshooting but will be working to figure out what neat things I can do with it beyond xperf.

Getting this one installed on my Windows 7 x64 system was a bit more challenging. It doesn’t seem to have a full download package you can just extract the bits from. Rather, you download a web-based pre-installer, pick your packages, and it then fetches and installs the bits. All that said, once I figured out what I needed the process went smoothly, and I was again able to copy the installed folder to my USB stick to take into the field for captures on other Windows 7 systems.

Here are the links I studied to download and install it:

  • Windows Performance Analysis Developer Center - MSDN
  • Windows Performance Recorder - MSDN Library
  • Windows Performance Recorder - Windows Dev Center forum - has a link to both the SDK W8 as well as an intro video link
  • About the Windows Assessment and Deployment Kit - More download links and MSDN Guide linkages
  • Performance Tools for Windows 8 - Windows Dev Center - lots of great link jumps and summaries of different toolset.
  • Download: Windows ADK for Windows 8 Consumer Preview - Microsoft Download Center
  • Windows Assessment and Deployment Kit - Page 2 - My Digital Life Forums - tips to try to manually download all the features directly without going through the web-installer.
  • Installing the Windows ADK - MSDN Library
  • Capturing and analyzing performance traces - BUILD2011 | Channel 9 - Short video showing the Windows Performance Recorder tool in action.

With the additional views and drill-downs I was able to do in the Windows Performance Analyzer, I had all the proof I needed to convince me that the most likely culprit for the donut-of-death on the church’s system was Trend Micro in general and the “coreServiceShell” process in particular.

Apparently “coreServiceShell.exe” thinks it’s always time to make the donuts!

Armed with this information, I now invested myself in the Google with “coreServiceShell” and found some interesting stuff. Lots of complaints were seen about CPU hogging with Trend Micro and coreServiceShell in particular.

Turns out that process in particular is a busy little bugger (as I’ve seen in my 7 GB Process Monitor capture). It appears to be the main scan engine for the AV product, not only checking files upon access and execution but also acting as a web proxy while the browsers pull in pages. I could locate the proxy activity in the Process Monitor traces. Very interesting.

In fact, the issues were so bad that Trend Micro offers a Hot Fix for just this performance issue.

  • [Hot Fix] B1181 - My computer slows down and CoreServiceShell.exe consumes high CPU usage after installing Titanium 2011
  • [Hot Fix] B1181 - In some network environments, the TmListen.exe file cannot download hot fix files from the Security Server 3.6

I copied the Hot Fix down to the sysadmin’s network share folder with a few more useful links to the problem.

Since I couldn’t get admin rights to install the Hot Fix myself on the user’s system (yet) I’m waiting for feedback if the Hot Fix has been applied and if it fixes the issue. Based on all my work I’m confident this is the trick.

I suspect that the CPU loads looked normal while I was watching them in Process Explorer -- just before the donut of death -- because when it went overboard Process Explorer couldn’t keep up and froze, so I never saw the CPU jump while it hogged/chugalug’ed away. Once it was done, things returned to normal and there I was at normal CPU levels again…until the next lockup.

Additionally, since I didn’t set my Xperf CLI to -maxbuffers 1024, I probably dropped a good portion of the trace capture events during the lockup process as well. That said, the tools above gave me sufficient information to say pretty confidently this was the donut maker.

While this isn’t for the average Joe, these tools and techniques are extremely powerful and, once mastered, can give a sysadmin tremendous confidence in working through performance issues on a Windows system. Since they can tag along on a USB stick, you can deploy them as needed as long as you have them handy.

Additional Windows Performance and Analysis Linkage

Here are a few more links, blogs and resources I thought were very insightful for getting up to speed on tracking down Windows performance issues. More than a few of these have been added to my RSS feed list.

  • XPerf Articles - Pigs Can Fly - Site Home - MSDN Blogs
  • XPerf - Windows 7 Forums
  • Windows 7 Hang - Page 5 - Windows 7 Forums
  • Examining Xperf - WindowsITPro
  • Procmon vs Windows Performance Recorder (Win 8) - Sysinternals Forums
  • Windows Performance Toolkit - Sysinternals Forums - Page 1
  • Ask the Performance Team - Site Home - TechNet Blogs
  • Performance Analysis of Logs (PAL) Tool - CodePlex project
  • Performance Troubleshooting using the PAL tool - Mike Lagase
  • Get a Handle on Windows Performance Analysis - WindowsITPro
  • Choose Your Own Adventure: Start Here - Clint Huffman's Windows Troubleshooting in the Field Blog
  • The Case of the Enormous Page File - Clint Huffman's Windows Troubleshooting in the Field Blog
  • The Case of the Mysterious Black Box - Clint Huffman's Windows Troubleshooting in the Field Blog
  • Choose Your Own Adventure: User Mode Versus Privileged Mode Processor Usage - Clint Huffman's Windows Troubleshooting in the Field Blog
  • Choose Your Own Adventure: High Deferred Procedure Calls (DPCs) or High Interrupts - Clint Huffman's Windows Troubleshooting in the Field Blog

Hopefully this super-long post and linkage has provided some good comparison views between different tools and techniques for tracing Windows performance problems.

I learned a lot in the process of working this one system, and it’s just another reason why I find benefit in taking a look at problem systems. I usually walk away with a more honed skill-set in the process.

I know I will be coming back to this post myself for some time to come re-reviewing the linkage and information here.

Cheers!

--Claus V.

Read More
Posted in anti-virus software, command-line interface, Link Fest, Microsoft, troubleshooting, tutorials, utilities, Windows 7, Windows 8 | No comments

Sunday, April 15, 2012

Bits and Pieces: Mini Link Rundown

Posted on 7:23 PM by Unknown

I probably should be pleased to have crammed in three posts this weekend.

Alas I am not. I’d intended to get one more “biggie” out the door this weekend…aimed for all you sysadmins. I have in mind a “Case of the Unexplained…” type theme on running down some crazy Windows 7 system behavior on a system at the church-house, multi-GB trace file captures, and sundry stuff like chasing a white rabbit down CPU process utilization percentages and disk utilization by process IO type.

I’m back from that chase with lots of notes, but to do it justice, I’ve got to wait till next week.

So let’s just enjoy our company at final call over these late-breaking weekend links. Hopefully they will carry us into the week with some inspiration and a few shiny new utility toys to play with at our desks.

Adobe April 2012 Black Tuesday Update - ISC Diary - In case you missed it, there were a number of critical Adobe patch updates this week

APSB12-08 - Security updates available for Adobe Reader and Acrobat - Adobe Security Bulletin - Updates now to 9.5.1 and 10.1.3. This goes for both the PDF “reader” versions as well as the “full” Acrobat PDF generating software application. Patch!

At the end of last month some Adobe Flash Player updates came out, one of which added an “auto-updater” feature for Flash Player (if so selected in the options). That release back on March 29th was 11.2.202.228.

Guess what snuck out of Adobe Friday (the 13th?). Version 11.2.202.233 of Flash Player.

  • 4/13/2012 - Flash Player Update - Adobe Forums
  • Flash Player 11.2, AIR 3.2 - Adobe Release Notes
  • Adobe - Flash Player - Lists your installed version (check page with each browser you use) and a table of the current version for all platforms.
  • Installation problems | Flash Player | Windows - Adobe. I dropped over to this page, then scrolled just a bit lower to the “Install in a firewall proxy server environment” section to grab all of the direct download installer links there.  It’s a one-stop shopping session!  Then I spent some time manually updating my portable browser plugins to all the newest versions. Sheesh. Sadly I’m getting very good at it and have now even crafted a custom batch-file to auto-copy/overwrite the new Flash/Reader version DLLs to the plugin directories in my browsers to save me time.

If in doubt, try running Qualys BrowserCheck page in each of your web-browsers to check your patch-level or use the Secunia Online Software Inspector (OSI). Either of these tools will help tell you if your browsers are securely patched.

Download just imagex.exe (568k) - TinyApps blog. I LOVE Microsoft’s ImageX.exe imaging tool. It has become second-nature for me to use. If you do a lot of WinPE building and use you probably have already extracted it and keep it handy.  However, if not, TinyApps blog shares a quick tip on getting your hands on it from the WAIK without all the drama of installing the WAIK on your system.

Increase hard disk size in VirtualBox 4.x - TinyApps blog. I know no one actually creates a virtual hard drive without first considering (and allocating) all the size they will ever need (and then some) before they get started. Right? The TinyApps bloggist has a great walk-through on how to enlarge your drive size without having to mail off for sketchy blue pills. Lots of supporting linkage at the end as well.

Value of Targeted Timeline Analysis in Research - Windows Incident Response blog - Keydet89 provides a great post on the work that goes in towards gaining a better understanding of event timelines and Windows behavior. It’s through detailed work like this that our knowledge gets sharper.

Challenge: What can you do with funky directory names? - ISC Diary post - Mark Baggett warns us to beware those funky file/directory names in Windows! Check out the comments carefully for more feedback. On a related note, the Hexacorn Blog Forensic Riddles posts contain a whole lot more of file-name and directory name tricky shenanigans to be aware of!
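As an added example (not code from the ISC post, Hexacorn or this blog), here is a small Python checker that flags the Windows naming tricks those posts warn about. The facts it relies on: the Win32 layer reserves device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9) even when an extension follows; it strips trailing spaces and dots from names unless they were created through the \\?\ prefix, which is what makes such directories hard to delete with normal tools; a colon introduces an NTFS alternate data stream; and Unicode bidi overrides such as U+202E reverse how a name is displayed. Everything else (the finding labels, the NFKC check and the sample names) is this example’s own construction.

```python
"""Flag Windows file/directory names that behave oddly or mislead.

Added example; not code from the linked posts or the blog author.
Runs on any OS since it only inspects the name string.
"""
import os
import unicodedata

# Win32 device names: "NUL.txt" or "con .log" still resolve to the device.
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {"COM%d" % i for i in range(1, 10)}
                  | {"LPT%d" % i for i in range(1, 10)})
# Unicode bidirectional controls; U+202E (RLO) makes "invoice\u202efdp.exe"
# display as "invoiceexe.pdf".
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def name_findings(name: str) -> list:
    """Return the list of issues found in a single path component."""
    findings = []
    # Win32 compares the text before the first dot, ignoring trailing spaces
    stem = name.split(".", 1)[0].rstrip(" ")
    if stem.upper() in RESERVED_NAMES:
        findings.append("reserved-device-name")
    # Normal Win32 APIs strip these, so the object is only reachable via \\?\ paths
    if name != name.rstrip(" ."):
        findings.append("trailing-space-or-dot")
    # "file.txt:stream" addresses an NTFS alternate data stream
    if ":" in name:
        findings.append("colon-alternate-data-stream")
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-override")
    # Other zero-width / format characters (category Cf) hide in plain sight
    if any(unicodedata.category(ch) == "Cf" and ch not in BIDI_CONTROLS
           for ch in name):
        findings.append("invisible-format-character")
    # Name reads as a different string after compatibility normalization
    # (e.g. fullwidth letters standing in for ASCII)
    if unicodedata.normalize("NFKC", name) != name:
        findings.append("non-nfkc-unicode")
    return findings


def scan_names(names) -> dict:
    """Map each suspicious name to its findings; clean names are omitted."""
    out = {}
    for n in names:
        f = name_findings(n)
        if f:
            out[n] = f
    return out


def scan_tree(root: str) -> dict:
    """Walk a real directory; os.walk yields names exactly as stored."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            f = name_findings(n)
            if f:
                found[os.path.join(dirpath, n)] = f
    return found


# Constructed sample names for the demo (not real files on any system)
SAMPLE_NAMES = [
    "readme.txt",
    "CON.txt",
    "report.pdf ",
    "invoice\u202efdp.exe",
    "notes.txt:hidden",
    "updater.exe.",
    "\u200bsystem32",
    "\uff52eport.exe",
]

if __name__ == "__main__":
    for n, f in scan_names(SAMPLE_NAMES).items():
        print(repr(n), "->", ", ".join(f))
```

Point scan_tree at a mounted evidence image or a suspect profile directory; anything it returns deserves a look in a hex-capable tool rather than Explorer, since Explorer is exactly the view these names are designed to fool.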

NetworkMiner 1.3 Released - Netresec has released v1.3 of the amazing (and still free) NetworkMiner NFAT. This release contains a number of new parsing and extraction features. Go get it now! Of course, if you are lucky enough to be able to purchase a copy of the NetworkMiner Professional version -- sadly I’m not ;-( -- that too has been updated and you can get your upgraded version for free from their customer portal with login. Happy upgrading, free and pro’s alike!

eXtra Buttons: utility buttons in the title of the window - freeware - clever little utility that adds a few extra option buttons to your Windows windows. The default windows options in the top-right corner are minimize, maximize, and close. This app gives you up to thirteen options for managing your window, including roll-up/unroll the window at the caption bar, minimize to System Tray, transparency effects, and minimize to a predefined box area on your desktop. I don’t usually use windows tweaking utilities, but this one could be very useful for you multi-window-multi-taskers.

Synkron - freeware - Folder synchronization application. Yeah, I hear you. Claus, really? After that super-long roundup of sync/backup apps you recently posted? Just had to add another one? Yep. This one has a pretty intuitive interface and also comes in a Synkron Portable | PortableApps version as well. More details in this older AddictiveTips blog post.

Colasoft Ping Tool - freeware - Colasoft has a great and super-handy ping tool that supports pinging multiple IP addresses as well as useful charting tools for monitoring and analysis.

Anti-virus scanning exclusions - ISC Diary post - Daniel Wesemann kickstarts a discussion on setting exclusions in your AV scanning policies. Some vendors have recommendations on file/folder exclusions to improve system performance. On the other hand, the thought of creating “safe-zones” that could be exploited by malware for APT landing could outweigh the benefits of following the recommendations. Check out the post and the lively comments that follow. Do you even know if/what your own (or your customers’) policies are regarding AV exclusion settings? Worth looking into.

Malware blocks booting - The H Security. News post about a pretty new ransomware attack that hits the MBR, discovered by TrendLabs. While the vector itself isn’t necessarily anything new (messing around with the MBR), apparently the combination of using it in a ransomware attack is. Trend Micro also has instructions for removing the infection if you encounter this bad-boy.

And then there was this “bad news getting worse” over the weekend:

Medicaid hack update: 500,000 records and 280,000 SSNs stolen - ZDNet Zero Day blog.  Original post here: Medicaid hacked: over 181,000 records and 25,000 SSNs stolen.

Expect the fallout from this one to be pretty massive. Quoting from Emil Protalinski’s article linked above:

DTS had recently moved the claims records to a new server, which had a configuration error at the password authentication level, allowing hackers to circumvent the security system. DTS says it shut down the affected server, implemented new security measures, is reviewing every server in the state to ensure proper security measures are in place, identified where the breakdown occurred, and has implemented new processes to ensure this type of breach will not happen again.

It was just a year ago we were dealing with a similar mess here in Texas. Although in that case, it seemed to be more an issue of inside IT data mismanagement rather than a hacker attack.

Hoping the week ahead gets better even though it hasn’t started yet.

Hang tough and remember “Constant Vigilance!”

--Claus V.

Read More
Posted in anti-virus software, command-line interface, forensics, imagex, Link Fest, malware tools, networking, NFAT, security, utilities, virtualization, viruses | No comments

Saturday, April 14, 2012

Malware Analysis Resources

Posted on 6:25 PM by Unknown

This is meant to be a complementary post to the URL Scanner roundup post back in January.

Let me be the first to say I am not a malware reverse-engineering analyst.

On the other hand, when I am responding to an incident involving a system compromise, and/or am trying to both clean the system as well as understand the potential impact of what happened, being able to analyze a suspect file is critical.

It can not only give me a better understanding of how to clean it, but possibly how it got there in the first place. This lesson learned may help strengthen our security perimeter.

So having a collection of resources that can help analyze a malware (or potential malware) file is important to me.

The following resources are a collection of on-line file scanners, analysis-report-generating, and local sandbox creating tools to aid in that process.

There are a number of similar “list-of-lists” like this one. I’ve just tried to collect them for my own personal reference.  Major hat-tip and credit goes to the following sources which have already paved the way before me. You may find some more resources there that I haven’t linked to, as well as additional descriptions and feedback.

  • Malware Sandbox Services and Software - Andre’ M. DiMino - SemperSecurus blog
  • Information Security Blog » Online Malware Analysis Scanners - Coresec.org
  • Mantra's (Anti)-Malware Link Gallery - OWASP Mantra
  • Malware Analysis - SecurityXploit
  • Malware online scanners | Security on steroids - CleanBytes.net
  • When You Only Have 10 Minutes... - Sketchymoose’s Blog

And as Sketchymoose points out in the close of that post, before you start uploading files to any of these resources:

So now, keep in mind-- your submitted file is now out on the internet and is now on some database. Some of these may be owned by AV companies which look for new juicy malware to add to their signatures. So, if you are really worried about that:
(A) read documentation on their website to see what happens with collected data
(B) do your own analysis
(C) Ask customer/boss what their position is about submitting files to these sites -- make sure you know the answer for choice 'A' too for this one
Remember collaboration is one of the biggest deciding factors in incident response, but use common sense and discretion.

On-Line Scanners and Virus/Malware Analysis Tools

  • GFI Public Sandbox - Formerly known as CWSandbox
  • :: mwanalysis :: CWSandbox :: - Separate CWSandbox service maintained by the Chair for Practical Informatics 1 at the University of Mannheim
  • SandBox Information Center - Norman
  • VirusTotal - Free Online Virus, Malware and URL Scanner
  • Jotti's malware scan
  • Metascan Online - Free online file scanning with multiple antivirus engines
  • ASafaWeb - Automated Security Analyser for ASP.NET Websites
  • Virus Lab - F-Prot Antivirus Virus Information
  • Anubis: Analyzing Unknown Binaries - Really neat and detailed reports.
  • ThreatExpert - Online File Scanner or try their ThreatExpert - Submission Applet
  • ThreatExpert - Submit Your Sample Online - same folks, different submission interface.
  • Submit a sample - Microsoft Malware Protection Center
  • Eureka Malware Analysis Page - Automated malware binary analysis service
  • Comodo Instant Malware Analysis
  • File Verdict Service - Automated analysis system also from Comodo.
  • Wepawet - focusing on JavaScript, PDF, and Flash files in particular
  • F-Secure - Sample Analysis System
  • Xandora - Your Online Binary Analyser - Analysis of malware PE files
  • VirusChief - Online Virus Scan - scans file using a number of scan engines.
  • VirSCAN.org - Free Multi-Engine Online Virus Scanner - supported by 36 AntiVirus Engines
  • NoVirusThanks.org - Multi-Engine Antivirus Scanner - Service
  • avast! Online Scanner
  • malwr.com - free malware analysis service built on Cuckoo Sandbox
  • Online Malware Tool for Malware Analysis
  • Autovin » Malware Submission - Panda Security’s Automated Tool for Virus Incidents
  • Ether: Malware Analysis via Hardware Virtualization Extensions - testing/beta mode still.
  • SuspectFile - upload analysis service.
  • SARVAM: Search and Retrieval of Malware - Added 4-16-12 per tip from Laks

PDF File Analysis Tools

  • pdf examiner - Malware Tracker - upload and scan PDF files for a slew of exploits.
  • PDF X-RAY - upload and scan a suspicious PDF file to detect malicious behavior.
  • PDF Stream Dumper - SuperAwesome locally-installed (freeware) tool for analysis of malicious PDF documents. Really amazing and a must-have in any incident-responder and analyst's toolkit.
  • PDF Tools « Didier Stevens - Didier has a great collection of local tools to keep handy when parsing out PDF files.
  • 6 Free Local Tools for Analyzing Malicious PDF Files - great list of PDF tools from Lenny Zeltser
  • Analyzing Suspicious PDF Files With Peepdf -How To post from Lenny Zeltser on using peepdf tool
  • peepdf - PDF Analysis Tool - eternal-todo.com - free Python tool from Jose Miguel Esparza to pick apart PDF files.
  • jsunpack - a generic JavaScript unpacker - online tool to unpack JavaScript from PDF, pcap, HTML or JavaScript files. For more information about this resource check out jsunpack-n - A generic JavaScript unpacker - Google Project Hosting page.
  • malware tracker blog - Blog home page for Malware Tracker team which contains great analysis write ups and reports. Cool.

Not a PDF but Malware Tracker’s +Cryptam service can scan "Office” documents for malicious content as well.

Sandbox Tools for Malware Analysis 

  • Minibis - CERT.at - “Software and tips to easily build up an automated malware analysis station based on a concept introduced in the paper "Mass Malware Analysis: A Do-It-Yourself Kit". “ from Christian Wojner.
  • Zero Wine: Malware Behavior Analysis - QEMU virtual machine image with Debian OS installed, loaded with tools to upload and analyze malware and generate reports.
  • Buster Sandbox Analyzer - project based on Sandboxie
  • Cuckoo Sandbox - a malware analysis system addressing Windows PE files, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs, etc.
  • Cuckoo for Cuckoo Box - SpiderLabs Anterior post on getting to run on Mac OS X.
  • Analyzing Malware with Cuckoo Sandbox V3.0 - securitybananas.com post on using it.
  • Cuckoo Sandbox 101- Infosanity's Blog’s Andrew Waite addresses some gotchas he encountered.
  • Capture-BAT Page - The Honeynet Project - behavioral analysis tool of apps for the Win32 systems providing insights into the software operation (impact) of malware rather than picking the malware executable itself apart; change-analysis rather than binary analysis.
  • Malware analysis tool, Capture-Bat - Great tutorial written by Travis Altman on installing and analyzing results of Capture-Bat.
  • Sometimes Trouble Finds You.... - interesting recent post from Sketchymoose at his blog on using Capture-Bat on a URL redirection malware vector.

Adobe Shockwave/Flash Analysis Tools

  • Introducing Adobe SWF Investigator - Adobe Labs tool to totally pick apart SWF files. Uses Adobe AIR platform.
  • Adobe SWF Investigator | Flash security - Adobe Labs - download link
  • HP Communities - SWFScan - FREE Flash decompiler - Enterprise Business Community - Decompiles Adobe Flash files and does some basic security scanning.
  • Decompile Flash files with HP SwfScan - program review by Mike Williams at BetaNews

Mandiant - When One Word will do…

  • MANDIANT - Red Curtain - From their product description: “MRC examines executable files (e.g., .exe, .dll, and so on) to determine how suspicious they are based on a set of criteria. It examines multiple aspects of an executable, looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat "score." This score can be used to identify whether a set of files is worthy of further investigation.”
  • MANDIANT Find Evil - tool that uses disassembly to detect packed executables.
  • Be sure to check out all Mandiant’s Free Software offerings as many other tools here may aid in a malware response investigation.
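Two things from this post go together in practice: Sketchymoose’s caveat at the top (once you upload a sample it is out of your hands) and Red Curtain’s idea of scoring a file on entropy and packing indicators before deciding whether it deserves deeper work. The following is an added example (not the blog author’s tool and not MANDIANT’s code) of an offline first pass that does both: it computes the digests so you can look the sample up by hash before uploading anything, and it reports whole-file and windowed entropy as a rough packed/encrypted indicator. The thresholds, window size and the two constructed sample buffers are this example’s own choices, not figures from Red Curtain.

```python
"""Offline first-pass triage of a suspect file: hashes plus entropy heuristics.

Added example, not the blog author's tool and not MANDIANT Red Curtain.
Hashes let you look a sample up by digest before deciding whether to upload
it at all; the entropy figures approximate the packing/encryption indicator
Red Curtain's description talks about.  Thresholds are this example's own.
"""
import hashlib
import math
from collections import Counter

CHUNK_SIZE = 512        # bytes per window for the high-entropy-fraction heuristic
PACKED_THRESHOLD = 7.0  # bits/byte above which a window looks compressed/encrypted
PACKED_FRACTION = 0.5   # flag the file if at least this share of windows is that high


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_fraction(data: bytes, chunk: int = CHUNK_SIZE,
                          threshold: float = PACKED_THRESHOLD) -> float:
    """Share of full-size windows whose entropy exceeds the threshold.
    Whole-file entropy alone misses a small packed payload appended to a
    large low-entropy stub, so look at windows as well."""
    windows = [data[i:i + chunk] for i in range(0, len(data) - chunk + 1, chunk)]
    if not windows:
        return 0.0
    return sum(1 for w in windows if shannon_entropy(w) > threshold) / len(windows)


def triage(data: bytes) -> dict:
    """Digest set and entropy indicators for one file's bytes."""
    fraction = high_entropy_fraction(data)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "mz_header": data[:2] == b"MZ",   # DOS stub magic only, not a full PE parse
        "entropy": round(shannon_entropy(data), 3),
        "high_entropy_fraction": round(fraction, 3),
        "likely_packed": fraction >= PACKED_FRACTION,
    }


def triage_file(path: str) -> dict:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed samples (not real malware): a plain-text-like buffer and a
# deterministic pseudo-random buffer that stands in for packed/encrypted code.
def _pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


SAMPLE_TEXT = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 200
SAMPLE_PACKED = b"MZ" + _pseudo_random_bytes(8190)

if __name__ == "__main__":
    for label, blob in (("text-like", SAMPLE_TEXT), ("packed-like", SAMPLE_PACKED)):
        print(label, triage(blob))
```

Run triage_file over the suspect binary first; a hash hit on a service that lets you search by digest answers the question without the sample ever leaving your network, and a high high_entropy_fraction tells you to expect an unpacking step before any static analysis is worth much.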

Lessons Learned and Wisdom Shared by the Malware Analysis Pros

Thanks to the hard work and community-spirit of malware analysts, we can “sharpen-our-saw” against their efforts. These are some of the best places to start.

  • Malware Analysis Blog | quis custodiet ipsos custodes - This blog is just getting started but the posts so far have been very insightful. The post Malware Analysis as a function of intelligence and counterintelligence operations is a quite well thought out review of the issues a malware analyst must be familiar with.
  • Hexacorn | Blog has a lot of great detailed posts and a few challenges as well to test your brain-cells. Check out this Malware Analysis post-tag list as well as this Extracting Strings from PE sections post for some great material. On my RSS feed list.
  • Analyzing Malicious Documents Cheat Sheet by Lenny Zeltser - Lenny Zeltser shares an amazing collection of tools, resources, and techniques in a “cheat-sheet” format. Check the sidebar for PDF/DOCX versions of this page. The bottom of the page is heavy with PDF tool linkage as well as white-papers and security presentations.
  • Introduction to Malware Analysis - (PDF Link) - This presentation by Lenny Zeltser outlines a lot of the important foundations the investigator should be aware of. One of many good Presentations, Webcasts, and Speaking Engagements by Lenny Zeltser on that page.
  • Also related, Lenny Zeltser’s posts: Reverse-Engineering Malware Cheat Sheet and REMnux Usage Tips for Malware Analysis on Linux. Mr Zeltser offers SANS Institute trainings as well, so if you think you are ready to take things to the next professional level, SANS Institute classes would be a fantastic place to start. See this Reverse-Engineering Malware: Malware Analysis Tools and Techniques Course - Malware Analysis Training by Lenny Zeltser link for more info.
  • System Forensics - A blog new to me, well written by Patrick Olsen. Love the Blogger theme! Great and detailed analysis posts. On my RSS feed list. For some sample posts check out: Zeus v2 Malware Analysis - Part I and Zeus v2 Malware Analysis - Part II .
  • Advanced Malware Cleaning - on line video (~13 min) presented by Sysinternals’ Mark Russinovich showing tools and techniques to manually clean a system of malware. Still good after all these years.
  • Zero Day Malware Cleaning with the Sysinternals Tools - (PDF link) - “Slides from Mark’s highly-rated Blackhat US 2011 presentation on how to use the Sysinternals tools to hunt down and eliminate malware.” Excellent slide set IMHO.
  • Windows Incident Response: Malware Analysis - Harlan Carvey shares some thoughts and perspectives on the malware response and analysis field from a digital forensics perspective.
  • Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results - SANS Computer Forensics and Incident Response blog post by robtlee that shows the value of malware incident response and protection in an enterprise environment.
  • WEBCAST: Manually Removing Viruses & Malware - Kurt Shintaku's Blog - Mike Halsey, Microsoft MVP presentation on pulling malware off a Windows system. Registration is required and accessible until July 5th, 2012.

I sincerely hope you find several good take-aways from this post. It’s been simmering a while and I think it will greatly aid me in my own efforts and responses.

Cheers.

--Claus V.

Read More
Posted in forensics, Link Fest, malware tools, PDF's, security, tutorials, utilities, virtualization, viruses | No comments

Zalman ZM-VE series Enclosures: Next-Gen Virtual ODD

Posted on 12:48 PM by Unknown

Last week I received an anonymous comment on my iodd : Multi-boot madness! post. -- Thanks Tipster!

You may recall the IODD device is an external drive enclosure that supports multi-mode operation:

You can use it in an external hard-drive mode to just copy files back and forth and access them as needed.

You can use it in an ODD (optical disk drive) virtualization mode. In this mode you load a bunch of ISO image files onto it. Then while operating in this mode, you can select the ISO file and the PC will see it as a virtual optical disk. If the ISO represents a bootable disk image, you can likewise boot the system with it. This massively cuts down on the number of “burned” boot disks as well as installation media disks you need to carry. Just carry this device and you are limited only by the size of your external drive capacity.

Then there is a multi-mode where it operates as both an external drive and an ODD at the same time.

I love the device I have and it has made my life so much cooler and easier when I roll out on a troubleshooting/incident response call.

The model I have and cherish is an older iODD 2501 model. It has both an eSATA connection (requires independent power connection via dual USB plugs), and a USB 2.0 connector.

It’s rock solid, and firmware updates allow all partitions, including the one holding your _ISO store, to be NTFS. iodd.com download page. My primary (_ISO holding) partition remains FAT32 because I’ve yet to create a 4 GB+ ISO file (the FAT32 per-file limit) I need to boot with or access, and that’s all I presently use it for on that partition.

Anyway… as my tipster points out, it appears there is a new model out from the IODD manufacturer. Based on the main i-odd.com page, it looks like “worldwide sales” is seeing it marketed/distributed under the “Zalman Tech” name now.

The features of the newest model appear pretty much the same except for the addition of a USB 3.0 port in place of the older USB 2.0 and eSATA combo. USB 3.0 can net you up to a 5 Gbps transfer rate if you have the hardware to support it, compared to the 480 Mbps USB 2.0 rate. Wowzers. It also appears to show some SMART drive stats on the display now.

Here are some useful links based on some quick research I did over the last week.

Still Super Cool. Still Valca Recommended.

  • Zalman ZM-VE300 Product Page - Zalman
  • Zalman ZM-VE300 External 2.5IN HDD Case & Virtual Drive Unboxing & First Look - Linus Tech Tips Blog
  • Product Review: Zalman ZM-VE300 USB 3 2.5” Drive Enclosure with ISO Mount Capability A+ - MPECS Inc. Blog
  • Review: Zalman ZM-VE200-SE V1.1 Virtual CD/DVD/BR USB Drive - Run Away Brainz blog
  • Zalman ZM-VE300-B Black 2.5inch SATA USB3.0 External HDD Enclosure: Electronics - Amazon.com Product page.
  • Zalman ZM-VE300-B Aluminum Alloy, Acryl, Poly Carbonate 2.5" Black USB 3.0 ZM-VE300 HDD External Enclosure with Virtualization and One Touch Back-up - NewEgg product page

Related Concept:

  • isostick - the optical drive in a usb stick by Elegant Invention - Kickstarter

As I said, my iODD 2501 model is running strong and I don’t have any systems that support the USB 3.0 hardware (personally or in the trenches) so I’m not rushing out to pick a Zalman model up just yet. However I can’t help but be a bit envious of the transfer rates in this new model.

Cheers.

--Claus V.

Posted in boot-cd's, hardware, virtualization

Windows 8 Linkage: “Passage Public Metro” version

Posted on 11:06 AM by Unknown

CC image credit: image by david.nikonvscanon on flickr


So Claus, where do you stand on Windows 8 at this point?

Well, to be honest, I’m really liking the under-the-hood improvement talk on how things are working in Windows 8.

What I still find very hard to overcome are the end-user interface changes and the challenges trying to restore it to some form of a Windows “Classic” interface and operation.

I get that Microsoft wants to forge ahead with a new interface and blending between the Windows Phone interface and the computer system interface. I get that “apps” are all the rage. I like old-school design but am pretty comfortable with moving to new designs. (I no longer curse the Ribbon interface in Office 2007/2010.)

So…when Windows 8 gets released in a final version, I’m not going to be rushing out to upgrade all our systems to it from Windows 7. Windows 7 is super-stable for our needs at home and everyone is very happy. That said, once it looks like things are stable and I’ve come to terms with the new interface, I’ll probably upgrade just one of our systems here at the Valca ranch to Windows 8 and see how things go.

In the meantime, here is an updated collection of Windows 8 linkage building on the prior grand stream dreams: Windows 8 Linkage: “Majestic Metro” version post. It definitely needs an update, since the Consumer Preview release of Windows 8 came out a while back and some of the items in that earlier post either no longer apply or may not work in this release.

Truth be told, tonight will be the first opportunity I’ve budgeted myself to load up with Windows 8 Consumer Preview version in a virtual machine.

Windows 8 “Consumer Preview” Version - Start Here to Get It

  • Windows 8 Consumer Preview available now! - Ask the Performance Team - TechNet Blogs - From that link:
    • Windows 8 Consumer Preview
    • Windows 8 Download Link
    • Welcome to Windows 8 – The Consumer Preview
    • Running the Consumer Preview: system recommendations
    • Windows 8 Consumer Preview Product Guide for Business
  • Windows 8 Consumer Preview ISO formats - Microsoft.com - Links for the ISO setup files rather than the “online installers”. This is what I still prefer.
  • How To Get Windows 8 Consumer Preview Product Key - AddictiveTips
  • Where is the Windows 8 Consumer Preview product key? - Ed Bott
  • Running the Consumer Preview: system recommendations - Building Windows 8 blog

Windows 8 - Related Betas

OK. None of these are required for Windows 8 Consumer Preview. However they are related to it and I thought some folks might be interested in playing around with them as well. If you don’t know what these even are, then just skip down to the next section.

  • Windows Server 8 beta now available! - Ask the Performance Team - TechNet Blogs
  • Windows Server “8” beta available now - Virtual PC Guy's Blog
  • Hyper-V Server “8” Beta available for download - Virtual PC Guy's Blog
  • DOWNLOAD: Test Lab Guide: Base Test Lab Guide for Windows Server "8" Beta - Kurt Shintaku's Blog
  • Download Microsoft SQL Server 2012 RTM - Bink.nu
  • Doing a simple Storage Migration with Windows Server “8” - Virtual PC Guy's Blog
  • TRAINING: Windows Server "8" First Look - Kurt Shintaku's Blog
  • Windows Server “8” Beta Hyper-V Component Architecture Poster - Windows Virtualization Team Blog - TechNet Blogs
  • Windows Server 8 installation notes - 4sysops
  • Doing an advanced Storage Migration with Windows “8” - Virtual PC Guy's Blog

Windows 8 - Install It

There are a number of methods and platforms to install Windows 8. Review all the ones below carefully to figure out which works best for you. I personally am currently going with installing it into a Virtualbox session. When I get closer to pulling the trigger on installation to one of my laptops at home, I’ll first install it into a VHD and then dual-boot my system so the Win8 install can run on real “hardware” to check driver compatibility and system performance on the iron rather than in a virtual system. I did that before with Win7 and found it very beneficial.

  • How to Upgrade Windows 8 Consumer Preview from Developer Preview - Windows7hacker
  • How to install Windows 8 Developer Preview in Virtualbox - 4sysops
  • A quick guide on setting up Windows 8 on VirtualBox - Bleeping Computer
  • VirtualBox 4.1.10 improves Windows 8 compatibility - BetaNews. Note: always be sure you are running the latest version of VirtualBox and have the matching (separate download) Extension Pack installed. At the time of this post, VirtualBox is now at 4.1.12. Downloads – Oracle VM VirtualBox
  • How To Install Windows 8 On VirtualBox - AddictiveTips
  • Installing VMWare Player on Windows 8 - Caschys Blog (Google Translated link)
  • How To Guide to Installing and Booting Windows 8 Consumer Preview off a VHD (Virtual Hard Disk) - Scott Hanselman
  • Native VHD Dual Boot to Windows 8 Consumer Preview with Windows 7 - Windows7hacker
  • An update that postpones the expiration date of Windows 8 Developer Preview and of Windows 8 Server Developer Preview is available - Microsoft Support KB 2671501
  • Windows 8 upgrade - 4sysops
  • Create Bootable Windows 8 Installer USB With Win8USB - AddictiveTips
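Here is the native-VHD dual-boot route in script form, as an added example that is not from the original post or from the guides linked above. It assumes an elevated PowerShell prompt on the Windows 7 host, the Consumer Preview media mounted or extracted at D:\, a free drive letter V:, a VHD under C:\VHD and a DISM build (Windows 8 ADK) that understands /Apply-Image; every one of those is an assumption to change for your own layout.

```powershell
# Added example, not from the original post. Creates a VHD, applies the Windows 8
# Consumer Preview image into it, and adds a native-VHD boot entry next to the
# existing Windows 7 entry so the Win8 install runs on the real hardware.
# All paths, the drive letter, the image index and the size are assumptions.
$Vhd    = 'C:\VHD\Win8CP.vhd'        # assumed: where the VHD will live (host volume must be NTFS)
$SizeMB = 40960                      # assumed: 40 GB, expandable (file grows as the OS uses it)
$Wim    = 'D:\sources\install.wim'   # assumed: mounted ISO or extracted media
$Index  = 1                          # assumed: image index to apply from the WIM
$Letter = 'V'                        # assumed: free drive letter for the VHD volume
$Root   = "${Letter}:\"

# diskpart, dism and bcdboot all need elevation; fail early rather than half-way through.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}
if (-not (Test-Path $Wim)) { throw "install.wim not found at $Wim" }
if (Test-Path $Vhd)        { throw "$Vhd already exists; refusing to overwrite it" }
New-Item -ItemType Directory -Force -Path (Split-Path $Vhd) | Out-Null

# 1. Create, attach, partition and format the VHD. diskpart takes its commands from a script file.
$dp = Join-Path $env:TEMP 'win8vhd.txt'
@"
create vdisk file="$Vhd" maximum=$SizeMB type=expandable
select vdisk file="$Vhd"
attach vdisk
create partition primary
format fs=ntfs quick label="Win8CP"
assign letter=$Letter
exit
"@ | Set-Content -Path $dp -Encoding ASCII
diskpart /s $dp
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# 2. Lay the OS down inside the VHD. /Apply-Image needs the DISM from the Windows 8 ADK;
#    with an older toolset run  imagex /apply <wim> <index> <root>  instead.
dism "/Apply-Image" "/ImageFile:$Wim" "/Index:$Index" "/ApplyDir:$Root"
if ($LASTEXITCODE -ne 0) { throw "dism failed with exit code $LASTEXITCODE" }

# 3. Write the boot files and add a BCD entry pointing at the VHD. bcdboot locates the
#    active system partition itself, so the existing Windows 7 entry is left as it is.
bcdboot "${Root}Windows"
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# 4. Give the new entry a recognisable name: find the osloader entry whose device is our VHD
#    (bcdedit prints it as  device  vhd=[C:]\VHD\Win8CP.vhd ) and rename that one only.
$leaf  = [regex]::Escape((Split-Path $Vhd -Leaf))
$entry = ((bcdedit /enum osloader | Out-String) -split "`r?`n`r?`n") |
         Where-Object { $_ -match "vhd=.*$leaf" } | Select-Object -First 1
if ($entry -and $entry -match 'identifier\s+(\{[^}]+\})') {
    $guid = $Matches[1]
    bcdedit /set $guid description 'Windows 8 Consumer Preview (VHD)'
}

# 5. Detach the VHD so the first boot sees a cleanly dismounted volume, then show the boot menu.
@"
select vdisk file="$Vhd"
detach vdisk
exit
"@ | Set-Content -Path $dp -Encoding ASCII
diskpart /s $dp
bcdedit /enum osloader
```

Two caveats worth knowing before you commit to this. Native-VHD boot has documented limits: hibernation is not supported from a VHD-booted system, and BitLocker cannot protect the volume inside the VHD nor the host volume that holds the VHD file, so keep anything sensitive off that laptop while testing. When you are done, the clean-up is `bcdedit /delete {guid}` for the entry the script renamed, then delete the .vhd file; nothing else on the Windows 7 side was changed.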

Windows 8 - Under the Hood Stuff

These are the things that make me look forward to Windows 8 despite the stupid fact that the “classic” interface is stripped out and takes considerable effort (tips, tweaks, third-party tools) to restore. Note: when I say “classic” I’m not talking about the theme that is a throwback to Windows 2K/XP, but rather the “classic” GUI with the taskbar, the Start menu, the system tray icons, etc.

  • Improving our file management basics: copy, move, rename, and delete - Building Windows 8 blog
  • Designing the Windows 8 file name collision experience- Building Windows 8 blog
  • Acting on file management feedback- Building Windows 8 blog
  • Windows 8 Secrets: PC and Device Requirements Within Windows
  • Windows 8 Secrets: The WinX Menu and its hashing algorithm Within Windows
  • Internet Explorer Performance Lab: reliably measuring browser performance - Building Windows 8 blog
  • Building the next generation file system for Windows: ReFS - Building Windows 8 blog
  • Virtualizing storage for scale, resiliency, and efficiency - Building Windows 8 blog
  • Enabling large disks and large sectors in Windows 8 - Building Windows 8 blog
  • Minimizing restarts after automatic updating in Windows Update - Building Windows 8 blog
  • Using Task Manager with 64+ logical processors - Building Windows 8 blog
  • The Windows 8 Task Manager - Building Windows 8 blog
  • Reengineering the Windows boot experience - Building Windows 8 blog
  • Protecting you from malware - Building Windows 8 blog
  • Delivering fast boot times in Windows 8 - Building Windows 8 blog
  • Evolving the Start menu - Building Windows 8 blog
  • Designing the Start screen - Building Windows 8 blog

Windows 8 - To Go

Windows “To Go” is a Windows 8 feature that runs the full OS from a supported USB storage device, such as a flash drive or external hard disk. Think of it as WinPE’s bigger sibling: all the benefits of the complete OS, with none of the feature strip-out or extra hacking that custom WinPE builds need just to get past a bare command prompt out of the box. It is very intriguing to me and should be a cool option, provided you meet the licensing requirements and have a robust, fast USB device and port.

  • Ordering "Windows to Go": how to create a bootable Windows 8 USB thumb drive - ArsTechnica
  • How to create your own Windows 8 To Go Developer Preview - Borns IT- und Windows-Blog
  • Creating Windows 8 To Go on a 16 GB USB-Stick - Borns IT- und Windows-Blog
  • Windows 8 To Go with Dual-Boot - Borns IT - und Windows-Blog
  • Windows To Go – Windows 8 Consumer Preview on the run … - Borns IT- und Windows-Blog
  • Windows 8 To Go and USB 3.0 flash drives - Part I - Borns IT - und Windows-Blog (Google Translated Link)
  • Windows 8 To Go and USB 3.0 flash drives - Part II - Borns IT - und Windows-Blog (Google Translated Link)

Windows 8 - Tweakages

Getting Windows to the way you like it is still important. Here are some important (to me) tweaks, tips, and tweaking tools to make it possible.

  • Bypass Windows 8 Start Screen On Startup & Jump Directly To Desktop - AddictiveTips blog
  • How To Disable Windows 8 Lock Screen- AddictiveTips blog
  • BluePoison Disables Windows 8 Immersive Start Menu, Unlocks Hidden Features - Lifehacker
  • Windows 8’s application SmartScreen: speed bump for desktop apps - istartedsomething
  • How to Turn Off or Disable the SmartScreen Filter In Windows 8 - How-To Geek. Caveat: application SmartScreen is the reputation check on downloaded executables, so switching it off removes a real layer of protection. Fine on a throwaway test VM; think twice before doing it on a system you rely on.
  • The First Official Windows 8 Theme from Microsoft Available to Download - Windows7hacker
  • You CAN have a Start button on Windows 8 Consumer Preview - BetaNews
  • Start8 Adds Metro Start Menu In Windows 8 - AddictiveTips blog
  • Start8 for Windows® 8 - Bringing back the Windows Start menu - application download page at StarDock
  • Personalize Windows 8 Start Screen With My WCP Start Screen Customizer - AddictiveTips blog
  • My WCP Start Screen Customizer v1.1 - Téléchargements (Downloads) - My 7 Apps
  • Customizing the Metro style Windows 8 Start screen - Ed Bott
  • The Metro hater's guide to customizing Windows 8 Consumer Preview - ZDNet photogallery by Ed Bott
  • Create Custom Refresh Point In Windows 8 With Recimg Tool - AddictiveTips blog
  • Classic Shell: Get Win 7 Start Menu & XP Explorer Toolbar On Windows 8 - AddictiveTips blog
  • Welcome to Classic Shell - application download page at SourceForge
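Since two of the links above show how to switch application SmartScreen off, here is the check I would run before trusting a “tweaked” Windows 8 box; it is an added example, not from the original post or from the linked articles. It reads the per-machine value the Windows 8 SmartScreen control panel writes (`SmartScreenEnabled` under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer, with the values RequireAdmin, Prompt and Off) and can put the default back; that key and those three value names are Windows 8 specifics the example rests on, so confirm them against your build.

```powershell
# Added example, not from the original post. Reports the Windows 8 application
# SmartScreen setting and optionally restores the default. The registry location and
# the three value names are the Windows 8 ones (an assumption to confirm on your build).
$SmartScreenKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'

# What each value means for a user who double-clicks something they just downloaded.
$SmartScreenMeanings = @{
    RequireAdmin = 'on: unrecognised downloads need admin approval (the default)'
    Prompt       = 'on: shows a warning, but any user can click straight through'
    Off          = 'off: no reputation check on downloaded executables at all'
}

function Get-SmartScreenState {
    # Reading HKLM needs no elevation; a missing value is reported rather than thrown.
    $raw = (Get-ItemProperty -Path $SmartScreenKey -Name SmartScreenEnabled `
                -ErrorAction SilentlyContinue).SmartScreenEnabled
    $meaning = if ($raw -and $SmartScreenMeanings.ContainsKey($raw)) {
        $SmartScreenMeanings[$raw]
    } else {
        "unexpected or missing value ('$raw'); treat as unknown and investigate"
    }
    New-Object PSObject -Property @{
        Value    = $raw
        Meaning  = $meaning
        # Anything other than the default counts as weakened, including a missing value.
        Weakened = ($raw -ne 'RequireAdmin')
    }
}

function Restore-SmartScreenDefault {
    # Writing under HKLM needs an elevated prompt.
    Set-ItemProperty -Path $SmartScreenKey -Name SmartScreenEnabled -Value 'RequireAdmin'
    Get-SmartScreenState
}

# Usage: report the state, and flag the box if one of the "disable it" guides was followed.
$state = Get-SmartScreenState
$state | Format-List Value, Meaning, Weakened
if ($state.Weakened) {
    Write-Warning ('SmartScreen has been weakened. Run Restore-SmartScreenDefault from an ' +
                   'elevated prompt on anything that is not a throwaway test VM.')
}
```

On a domain-joined machine check the Policies hive as well: a SmartScreen group policy setting takes precedence over this per-machine value, so the Explorer key alone can say “RequireAdmin” while policy has actually turned the feature off (or vice versa).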

Windows 8 - Deeper Insights

  • Quickpost: Some Windows 8 Observations - Didier Stevens
  • Windows 8 build recovery image - Caschys Blog (via Google Translate link)
  • Windows 8 Storage Spaces detailed: pooling redundant disk space for all - ArsTechnica
  • Windows Home Server Drive Extender reborn as Windows 8 Storage Spaces - Tenniswood Blog
  • Connecting Windows 8 Consumer Preview with Windows Home Server - Windows Home Server Blog

Windows 8 - DaRT (Diagnostic and Recovery Toolset)

This offline boot tool is kitted out with a collection of system administration tools to aid in diagnosing and recovering a tanked Windows system. It ships as part of MDOP rather than as a public download, so getting your hands on it takes some work and a sign-up with Microsoft.

  • MDOP: DaRTing to the Future - Windows Team Blog
  • Microsoft DaRT 8 Beta Q&A - Windows Team Blog
  • Diagnostic and Recovery Toolset (DaRT) - 4sysops

Indirectly related but still interesting.

  • MDT 2012 New Feature: DaRT integration - Michael Niehaus' Windows and Office deployment ramblings
  • Integrate Microsoft Diagnostics and Recovery Tools (DaRT) into the MDT boot image - Guillaume Remy

Windows 8 - Usage Tips

New user interface, new things to learn navigating around and completing basic tasks without beating head on desk…

  • Getting started with the Windows 8 Consumer Preview - ZDNet - Ed Bott Report
  • Windows 8 mouse tip: Quick access administrator options from the start screen - Tenniswood Blog
  • Getting around in Windows 8 - Windows Experience Blog
  • Windows 8 Consumer Preview Journey – Day 1 - Windows7hacker
  • How To Shut Down Windows 8 Computer in 4 Ways - Windows7hacker
  • Take Ownership Of Files & Folder And Change Permissions In Windows 8 - AddictiveTips blog
  • What Is Windows 8 Charms Bar? Share, Search, Access Settings & Actions - AddictiveTips blog
  • How To Resize, Group & Manage App Tiles In Windows 8 Start Screen - AddictiveTips blog
  • Windows 8 Remote Desktop: Hands-On Review & Tutorial - AddictiveTips blog
  • Where Is Computer In Windows 8? Show On Desktop, Pin To Start Screen - AddictiveTips blog
  • Where Is Start Menu In Windows 8? - AddictiveTips blog
  • Windows 8 File Sharing: Share Users & System Folders On Network - AddictiveTips blog
  • The Complete Guide To Window 8 Task Manager; New Features And Options - AddictiveTips blog
  • The Complete Guide To Windows 8 Explorer; New Ribbon Tools And Options - AddictiveTips blog
  • The Complete Guide To Windows 8 Metro Control Panel - AddictiveTips blog
  • The Complete Guide To Windows 8 File History Backup - AddictiveTips blog
  • Windows 8 PC Settings [Complete Guide] - AddictiveTips blog
  • Where Is Startup Folder & How To Edit Startup Items In Windows 8 - AddictiveTips blog
  • Windows 8 Apps Don’t Connect to Your Google/Gmail Account? -7 Tutorials
  • Trouble Setting Up Gmail on Windows 8? Here is Why and How to Fix it - Windows7hacker
  • Quick fix for AMD’s OpenGL on Windows 8 - Within Windows
  • How To Create Wireless Ad Hoc Internet Connection In Windows 8 - AddictiveTips blog
  • Windows 8 Guide: The Win+X Menu, aka The Power User Menu - Windows7hacker

Windows 8 - Miscellanea & Rumor Mongering

Already mostly covered in the linkage above, but sometimes you just can’t resist poking that ant-pile with a stick…

  • Start button To be Ditched in Windows 8 - Windows7hacker
  • Cloud Computing with SkyDrive on Windows 8 Revealed, A Desktop Version for Windows 7 too - Windows7hacker
  • Windows 8 Pro details surface, incremental updates - Neowin.net
  • Windows 8 - and 15-office news - Borns IT - und Windows-Blog (Google Translated Link)

Cheers.

--Claus V.

Posted in boot-cd's, Link Fest, Microsoft, utilities, virtualization, Windows 8, Windows Home Server