Tuesday, May 29, 2007

XP Firewall

Pp 216 - 128 of my book address the Windows XP firewall logs: where the file(s) is/are located on a system, and how they are useful to an investigation. I even include a sample firewall log on the DVD, in which I enabled all logging and scanned my system with nmap from another system. I wanted folks to see what this kind of thing looks like, and I hope that you've found it beneficial.
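As an added illustration of what an investigator does with that log (this is example code written for this page, not the book's or the DVD's material), the script below parses the W3C-style pfirewall.log layout that XP SP2 writes, summarises DROPped inbound traffic per source host, and flags hosts that touched many distinct destination ports, which is the pattern a port scan of the kind described above leaves behind. The sample log is constructed for the example; the field list is taken from the log's own #Fields header rather than hard-coded, and the "5 distinct ports" threshold is an assumed default.

```python
"""Summarise a Windows XP firewall log (pfirewall.log, W3C extended format).

Default location on a live XP system is %SystemRoot%\\pfirewall.log, and the
file only exists once logging has been enabled in the firewall settings.
"""
from collections import defaultdict

# Constructed sample in the XP SP2 pfirewall.log layout (17 fields per line).
# Host 192.168.1.5 probes several ports; 192.168.1.22 is ordinary NetBIOS
# broadcast noise; the OPEN line is an outbound connection from the host itself.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-05-29 10:15:30 DROP ICMP 192.168.1.5 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2007-05-29 10:15:32 DROP TCP 192.168.1.5 192.168.1.10 44321 21 48 S 3196934271 0 1024 - - - RECEIVE
2007-05-29 10:15:32 DROP TCP 192.168.1.5 192.168.1.10 44322 22 48 S 3196934272 0 1024 - - - RECEIVE
2007-05-29 10:15:33 DROP TCP 192.168.1.5 192.168.1.10 44323 23 48 S 3196934273 0 1024 - - - RECEIVE
2007-05-29 10:15:33 DROP TCP 192.168.1.5 192.168.1.10 44324 25 48 S 3196934274 0 1024 - - - RECEIVE
2007-05-29 10:15:34 DROP TCP 192.168.1.5 192.168.1.10 44325 80 48 S 3196934275 0 1024 - - - RECEIVE
2007-05-29 10:15:35 DROP TCP 192.168.1.5 192.168.1.10 44326 135 48 S 3196934276 0 1024 - - - RECEIVE
2007-05-29 10:15:36 DROP TCP 192.168.1.5 192.168.1.10 44327 139 48 S 3196934277 0 1024 - - - RECEIVE
2007-05-29 10:15:37 DROP TCP 192.168.1.5 192.168.1.10 44328 445 48 S 3196934278 0 1024 - - - RECEIVE
2007-05-29 10:15:41 DROP TCP 192.168.1.5 192.168.1.10 44329 3389
2007-05-29 10:18:44 DROP UDP 192.168.1.22 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2007-05-29 10:20:05 OPEN TCP 192.168.1.10 192.168.1.20 1045 80 - - - - - - - - -
"""


def parse_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header.

    Lines whose token count does not match the header (e.g. a write that was
    cut off when the system was powered down) are skipped rather than letting
    the columns shift and silently mislabel a port as a size."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue
        records.append(dict(zip(fields, parts)))
    return records


def summarize_drops(records):
    """Per source IP: number of inbound DROPs, first/last timestamp seen,
    and the set of distinct (protocol, dst-port) pairs it was refused on."""
    hosts = {}
    for r in records:
        if r["action"] != "DROP" or r["path"] != "RECEIVE":
            continue
        h = hosts.setdefault(r["src-ip"],
                             {"drops": 0, "first": None, "last": None, "ports": set()})
        stamp = r["date"] + " " + r["time"]
        h["drops"] += 1
        h["first"] = stamp if h["first"] is None else min(h["first"], stamp)
        h["last"] = stamp if h["last"] is None else max(h["last"], stamp)
        if r["protocol"] in ("TCP", "UDP"):          # ICMP lines carry no ports
            h["ports"].add((r["protocol"], int(r["dst-port"])))
    return hosts


def scan_candidates(hosts, min_ports=5):
    """Source IPs refused on at least min_ports distinct ports (assumed threshold)."""
    return sorted(ip for ip, h in hosts.items() if len(h["ports"]) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summary = summarize_drops(recs)
    for ip, h in sorted(summary.items()):
        ports = ", ".join(f"{proto}/{port}" for proto, port in sorted(h["ports"]))
        print(f"{ip}: {h['drops']} drops between {h['first']} and {h['last']}; ports: {ports}")
    print("probable scanners:", scan_candidates(summary))
```

On a real image the same functions can be pointed at the pfirewall.log recovered from the system root; the per-host first/last timestamps are what you line up against the event log and the other artifacts the book covers.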

Has anyone seen the "Bonus" directory on the DVD yet? Within the Bonus directory is a Perl script (and an associated EXE file...be sure to follow the instructions and keep the appropriate DLL with the EXE if you copy it off of the DVD) called "fw.pl" that uses WMI to get configuration information about the Windows XP firewall, and the SecurityCenter, in general.

Using either the Perl script or the EXE, type "-?" or "/h" at the command prompt to see the syntax information. Simply typing "fw.pl" or "fw" (for the EXE) tells the tool to collect and display all information. The tool displays basic information about the firewall, authorized applications, service/port information, SecurityCenter information, etc., all from a live system.

Porting this over to extracting the same information from an imaged system shouldn't be too difficult.

Note: The fw.exe file that you see in the Bonus directory was "compiled" from the Perl script using Perl2Exe. When I compiled the EXE, I used the "-small" switch so that the Perl runtime DLL would be pulled out as a separate file. However, other Perl modules are used as well, so I also compiled a version using the "-tiny" switch. This setting creates a separate DLL for each Perl module used, rather than pulling them out of the EXE at runtime and creating temporary files on the local hard drive. This file is in the "fw.zip" file...using the "-tiny" switch means that it's suitable for use in live response, particularly with the Forensic Server Project.

2 comments:

Anonymous said...

Don't know if this is a good spot for this, but since you’re discussing Perl scripts, I'll take a chance. I have a suggestion for a future post. Some of us are the most basic of Perl script users. Before your scripts were so graciously available, I had a couple that I dumped in C:\PerlScripts. I set a path variable and ran the scripts in a DOS box that I opened at a folder from the context menu. Works fine.

However, I may not be proceeding as efficiently as I should. I know that I can use the compiled EXEs, but they may require some DLLs and the like and would require more space (not a big deal). I also have installed ActivePerl.

So, what's your suggestion? Should I place all of your scripts in my one directory? I could do the same thing with the EXEs and their associated libraries. Maybe there's a place within ActivePerl that's meant for these scripts, and I just don't know it. Maybe guys like me should stick to EXEs. Regardless of what I do, I have to keep track of what I have, so I don't forget that I have the right tool for the job. I just have to remember the tool and syntax (or where to look it up). Anyway, maybe a short post on “Setting Up Perl Scripts in Windows for the Layman” may help, unless I’ll be surprised to learn that what I’m doing actually is the best way to proceed. Thanks!

H. Carvey said...

Jimmy,

Thanks for the comment...you could have just emailed me directly.

So, what's your suggestion? Should I place all of your scripts in my one directory?

Sure. Or separate them by category. As long as the path to the Perl executable is in your PATH statement, it doesn't really matter.

I could do the same thing with the EXEs and their associated libraries.

Well, you have to keep the EXEs and DLLs together, as I say repeatedly in my book.

I just have to remember the tool and syntax (or where to look it up).

In most cases, with my scripts, I either have the syntax listed in the book, or you can look at the script itself in Notepad. I know I need to get better at providing syntax info, but I get surprisingly little feedback on the usability of my tools.

Anyway, maybe a short post on “Setting Up Perl Scripts in Windows for the Layman” may help,

I did include something along those lines in an Appendix for my first book, but like I said, there was very little feedback at all (re: none) on that point, so I wasn't as specific in my second book. Besides, I thought that providing the EXEs for most of the tools would be very beneficial.

I am providing that in my next book, which is "Perl Scripting for the Forensics Professional" or something similar.