Friday, May 29, 2009


"Links" seemed like an overdone title...I couldn't think of anything else witty, and I wanted to get right to the content...so "stuff" will have to suffice for now.

First, more good news about F-Response! Matt's done a truly awesome job with this product...absolutely amazing. F-Response is a real-world example of what happens when someone who does the work decides that there's a better way to do it...and then goes out and creates that better way to do the job.

I posted a PDF document to, in the Downloads section, under Documents...this is a trifold "cheat sheet" for RegRipper v2.02. It's pretty simple, and has some basic usage information, as well as some space for notes. I got the idea from a trifold that Rob Lee posted for SANS, and it seemed like an awesome idea. I mean, I know that I can't remember everything, and having a trifold available with the most frequently used commands or CLI options is very helpful. I'd greatly appreciate your thoughts on this...what you like, what you don't like, and anything that might be done to improve it.

I finished up an engagement recently, and one of the interesting things I found was that the Security Event Log was full, and only covered a couple of hours on the day that the system was acquired. One of the questions I was trying to answer included whether or not a shared Admin account was being used to log into the system locally or remotely. I found a single event record with ID 528, type 2, indicating login to the console. I also found a single event ID 683, indicating that an RDP session had been successfully disconnected. Both pertained to the same user account. Now, most folks are aware that Windows did not include the ability to log source IP addresses for network logons until Windows 2003...but on XP systems, the event ID 683 includes the remote system name and IP from which the user logged in. Cool! As a follow-on, what I had hoped to find (and didn't) was the event ID 528, type 10, showing the remote interactive login for the session that was disconnected.
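The correlation described above, as an added example that is not part of the original post: it sorts already-parsed Security Event Log records for one account into console logons (528, type 2), remote interactive logons (528, type 10) and RDP disconnects (683), and flags any 683 with no earlier type 10 logon in the surviving log. The record layout, field names and sample values are constructed assumptions, not data from the engagement.

```python
from datetime import datetime

# Constructed sample records; the dict layout is an assumed parser output format.
SAMPLE = [
    {"time": "2009-05-20 13:02:11", "id": 528, "user": "Admin", "logon_type": 2},
    {"time": "2009-05-20 13:40:57", "id": 683, "user": "Admin",
     "client_name": "WKSTN-EXAMPLE", "client_addr": "192.0.2.15"},
    {"time": "2009-05-20 14:05:30", "id": 528, "user": "jdoe", "logon_type": 10},
    {"time": "2009-05-20 14:31:02", "id": 683, "user": "jdoe",
     "client_name": "LAPTOP-EXAMPLE", "client_addr": "192.0.2.44"},
]

def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")

def coverage_hours(records):
    """Span of time the surviving log covers (a full log may cover very little)."""
    times = [_ts(r) for r in records]
    return (max(times) - min(times)).total_seconds() / 3600

def summarize_account(records, user):
    """Split one account's events into console/remote logons and RDP disconnects."""
    recs = sorted((r for r in records if r["user"].lower() == user.lower()), key=_ts)
    out = {"console": [], "remote": [], "disconnects": [], "unmatched_disconnects": []}
    seen_remote_logon = False
    for r in recs:
        if r["id"] == 528 and r["logon_type"] == 2:      # console logon
            out["console"].append(r["time"])
        elif r["id"] == 528 and r["logon_type"] == 10:   # remote interactive logon
            out["remote"].append(r["time"])
            seen_remote_logon = True
        elif r["id"] == 683:                             # RDP session disconnected
            src = (r["time"], r["client_name"], r["client_addr"])
            out["disconnects"].append(src)
            if not seen_remote_logon:
                # The matching logon predates what the log still holds.
                out["unmatched_disconnects"].append(src)
    return out

if __name__ == "__main__":
    print("log covers %.2f hours" % coverage_hours(SAMPLE))
    for account in ("Admin", "jdoe"):
        print(account, summarize_account(SAMPLE, account))
```

An unmatched 683 still gives the remote system name and IP for the account, even though the corresponding logon record has already been overwritten.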

cmdLabs has a blog post on document metadata that mentions the script that ships with Windows Forensic Analysis (first and second editions). Embedded metadata is a huge issue, and something I've used quite successfully during examinations...I even have a case study illustrating this in the second edition of WFA (due out next week).

Here's an interesting blog post from Damballa. The Damballa product has to do with botnets, and I ran across it not long ago during an many other tools, I don't think that the customer necessarily understood the use of the tool, or what it was doing. I do agree with the author (a former ISSer) to some extent...a botnet infestation should not be considered an inconvenience, but rather a breach. This is true with respect to much of the malware that's out there today...blended, compound threats, and I've also seen malware go from quarantined by most AV products to completely and utterly undetected in a matter of hours. But the fact of the matter is that most IT folks simply do not understand what's going on with some cases, it's considered an inconvenience, while in others, everyone up to the CEO goes completely nuts because someone speculated that the malware had keystroke logging capabilities...

A question popped up in the forums recently with respect to encryption and Truecrypt volumes, and some tools were mentioned (TCHunt, EDD) that may be helpful.

Lance Mueller posted a nice article about file system creation date vs OS install date...take a look.

For anyone analyzing systems where they suspect that a torrent client may have been used, Jamie Acorn wrote this PDF document on the Forensics of BitTorrent.

Finally, for those of us who've been around for a while, L0phtcrack is back! Go here to check it out!
