Windows Incident Response Course

The Windows Incident Response Course is based on the book, but takes it several steps further. The base course is two days in length and covers the entire spectrum of incident response: how incidents occur, what they look like, and how to prevent them. The course also gives attendees the opportunity to walk through incident verification and identification for themselves. All attendees get to run the tools used in the course and learn how to interpret their output.

The course is taught on-site, at your location, and can accommodate approximately 20 attendees. You provide the facilities and catering, while I provide the course materials and instruction. This greatly reduces travel costs while maximizing knowledge transfer. In past sessions, attendees have used the information they learned to resolve issues that came up during the course, returning from lunch with the problem solved.


Forensic Server Project

The Forensic Server Project (FSP) is a proof of concept tool for retrieving volatile (and some non-volatile) data from potentially compromised systems. The FSP consists of several Perl scripts and third-party utilities. The server component of the FSP is run on an investigator or administrator’s system, and handles all data storage and activity logging. The client components (i.e., the client scripts and supporting Perl scripts and tools) of the FSP are burned to a CD, and run from the CD drive of the potentially compromised system. Data is copied to the server component via TCP/IP.

It should be noted that while the FSP is used for incident response and forensic audits of Windows systems, it is also an open source project. The server component is written in Perl, and can be run from other systems that support Perl (with minor modifications). Client components can be written in Perl, or any other scripting language.

The First Responder Utility (FRU)

The First Responder Utility (FRU) is used by a first responder to retrieve volatile data from “victim” systems. The current version of the FRU is a CLI (command line interface) tool called FRUC. The FRUC operates using a combination of an INI file and command line options.

The first step to running the FRUC is to download the archive containing FRUC. Extract all of the files to the same directory, and update the fruc.ini file to suit your needs. To update the INI file, simply follow the format. The INI file should consist of the 4 sections listed in the file, and must contain a “Configuration” section. If the investigator/administrator has a static IP address for the Forensic Server, put it in the file, as well as the port to be used.

The “Commands” section consists of all of the tools that will be run on the system. When entering a tool to be used, follow the format in the INI file. The entry for each command must consist of a number, followed by the equals (=) sign, followed by the command to be run, a semi-colon delimiter, and the name of the file the data will be saved in on the Forensic Server (the filename will be prefixed with the name of the system). The command to be run must point to a CLI tool and include all of the command line switches you’d like run.

Tools to be run with the FRUC can be found on the Tools page, as well as various other sites, such as SysInternals, NTSecurity.nu, DiamondCS, and others.

The “Registry Values” section consists of Registry values to be queried, while the “Registry Keys” section contains Registry keys (such as the ubiquitous Run key) from which you want to pull all of the values (not subkeys). It is important that you use the right format in these sections. For a list of Registry values and keys worth querying, such as startup locations, check sites such as Silent Runners.
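As an added example (not code from the FRUC archive), the following Python parser and validator checks a fruc.ini against the layout described above: the four sections, the mandatory “Configuration” section, and the `number=command;outputfile` form of each Commands entry. The Configuration key names (`server`, `port`) and the `N=<hive>\path` layout of the two Registry sections are assumptions made for this example; the sample INI text is constructed.

```python
import re

# Constructed example, not the FRUC's own code. Configuration key names
# (server, port) and the Registry entry layout (N=<hive>\path) are assumptions.

REQUIRED_SECTIONS = ("Configuration", "Commands", "Registry Values", "Registry Keys")
HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\", "HKCC\\")


def parse_ini(text):
    """Return {section: {key: value}}, keeping any ';' inside values intact."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"line {lineno}: not a section header or key=value")
    return sections


def validate_fruc_ini(sections):
    """Check the four sections; return (commands sorted by number, list of errors)."""
    errors, commands = [], []
    for name in REQUIRED_SECTIONS:
        if name not in sections:
            errors.append(f"missing section [{name}]")
    if errors:
        return commands, errors
    conf = sections["Configuration"]
    if not conf.get("server"):
        errors.append("Configuration: no server address")
    if not conf.get("port", "").isdigit() or not 0 < int(conf["port"]) < 65536:
        errors.append("Configuration: port must be 1-65535")
    for key, value in sections["Commands"].items():
        if not key.isdigit():
            errors.append(f"Commands: entry '{key}' is not numbered")
            continue
        parts = value.split(";")
        if len(parts) != 2 or not parts[0].strip() or not parts[1].strip():
            errors.append(f"Commands: {key}= needs 'command;outputfile'")
            continue
        cmd, outfile = parts[0].strip(), parts[1].strip()
        # The server names the stored file after this (system name prefixed);
        # refuse anything that could escape the case directory.
        if re.search(r"[\\/:]|\.\.", outfile):
            errors.append(f"Commands: {key}= output name '{outfile}' contains a path")
            continue
        commands.append((int(key), cmd, outfile))
    for name in ("Registry Values", "Registry Keys"):
        for key, value in sections[name].items():
            if not key.isdigit() or not value.upper().startswith(HIVES):
                errors.append(f"{name}: {key}={value!r} must be N=<hive>\\path")
    commands.sort()
    return commands, errors


# Constructed sample INI files (tool names are illustrative).
SAMPLE_INI = r"""
[Configuration]
server=192.168.1.10
port=7070

[Commands]
2=netstat.exe -an;netstat.txt
1=pslist.exe;pslist.txt
3=openports.exe -lines;openports.txt

[Registry Values]
1=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName

[Registry Keys]
1=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"""

BAD_INI = r"""
[Configuration]
server=
port=70700
[Commands]
1=handle.exe
2=psinfo.exe;..\psinfo.txt
3=pslist.exe;pslist.txt
[Registry Values]
[Registry Keys]
1=Software\Microsoft\Windows\CurrentVersion\Run
"""

if __name__ == "__main__":
    for text in (SAMPLE_INI, BAD_INI):
        cmds, errs = validate_fruc_ini(parse_ini(text))
        print("commands:", cmds)
        print("errors:", errs or "none")
```

Running the validator before burning the CD catches the mistakes that otherwise only surface on the victim system: a missing section, a command entry without the `;` delimiter, or an output name that would let a collected file land outside the case directory on the server.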

NOTE: Be sure to read the ‘readme’ file that comes with the archive. 

Once you have an INI file set up and all of the tools collected, you can burn the FRUC, p2x584.dll, the INI file and the tools to a CD or a USB-connected thumb drive. If you put the files on a CD, you can include a “clean” copy of cmd.exe and an autorun.inf file, or a batch file to launch the FRUC, if you so choose.

Using the FSP

The current version of the FSP is the FSPC, the command line (CLI) version of the Forensic Server Project. In order to use the FSPC, the first thing you need to do is download the FSPC zipped archive, and extract all of the files to the same directory. Type “fspc -h” to view the syntax for launching the FSPC.

The FSPC is the CLI version of the FSP, and handles the case management and storage of data when collecting data from “victim” systems. When launched, the FSPC listens on a port for connections. When one of the FSP client components (i.e., FRUC) connects to send data, the FSPC stores the data sent in files on the server system, generates hashes of the files, and maintains a logfile of all activities taken by the client component.

The simplest way to launch FSPC is with the following command:

C:\fsp\fspc -n newcase -i "Det. Joe Friday" -c

The above command will launch the FSPC on port 7070 (the default). The name of the case is “newcase”, and a directory of that name will be created as a subdirectory within the case directory (the default is “cases”). The name of the investigator (‘-i’ switch) will be placed in the logfile (set with the ‘-l’ switch; the default is “case.log”). As the FSPC receives data from the client component, it automatically stores the data on the server system and computes a hash for each file as it is created. If a client component is used to copy files from the victim system to the Forensic Server, the server will automatically verify the hashes of the files. The client components send items to be logged to the server, and these items are placed in the logfile. The last command that the client sends to the server is the “CLOSELOG” command, at which point the logfile is closed and hashes are computed for the logfile. If the ‘-c’ switch is used, the server component will automatically shut down when the CLOSELOG command is sent. Otherwise, the server will remain open and the investigator must press Control-C to shut the server down.
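To make the server-side behaviour concrete, here is an added Python example (not the FSPC's own Perl code) that models what the paragraph describes: a case directory under a case root, a logfile carrying the investigator's name, each received file stored under a system-name prefix and hashed as it is written, client log items appended to the logfile, and a CLOSELOG command that hashes the log and, with the ‘-c’ behaviour, shuts the server down. The line-based wire format (DATA/LOG/CLOSELOG), the use of SHA-256, and the client function are all assumptions made for this example; the collected output is constructed sample data.

```python
import hashlib
import os
import socket
import tempfile
import threading
from datetime import datetime, timezone

# Constructed example, not the FSP's own code. The DATA/LOG/CLOSELOG wire
# format and the choice of SHA-256 are assumptions made for this demo.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CaseServer:
    def __init__(self, case_name, investigator, case_root="cases", port=7070,
                 logname="case.log", close_on_closelog=True):
        self.case_dir = os.path.join(case_root, case_name)   # cases\newcase
        os.makedirs(self.case_dir)
        self.log_path = os.path.join(self.case_dir, logname)
        self.close_on_closelog = close_on_closelog            # the '-c' switch
        self.hashes = {}                                      # stored name -> hash
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self._log(f"case '{case_name}' opened, investigator: {investigator}")

    def _log(self, msg):
        with open(self.log_path, "a", encoding="utf-8") as fh:
            fh.write(f"{datetime.now(timezone.utc).isoformat()} {msg}\n")

    def _store(self, system, name, data):
        # Stored filename is prefixed with the sending system's name.
        fname = f"{system}-{os.path.basename(name)}"
        with open(os.path.join(self.case_dir, fname), "wb") as fh:
            fh.write(data)
        self.hashes[fname] = sha256_hex(data)   # hashed as soon as it is written
        self._log(f"stored {fname} ({len(data)} bytes) sha256={self.hashes[fname]}")

    def _closelog(self):
        self._log("CLOSELOG received; log closed")
        with open(self.log_path, "rb") as fh:
            digest = sha256_hex(fh.read())
        # The log's hash goes in a sidecar file so the log itself stays unchanged.
        with open(self.log_path + ".sha256", "w", encoding="utf-8") as fh:
            fh.write(digest + "\n")
        self.hashes[os.path.basename(self.log_path)] = digest

    def _handle(self, rf):
        """Process one client's commands; return True if it sent CLOSELOG."""
        while True:
            raw = rf.readline()
            if not raw:
                return False
            parts = raw.decode("utf-8", "replace").rstrip("\r\n").split(" ", 3)
            if parts[0] == "DATA" and len(parts) == 4:
                self._store(parts[1], parts[2], rf.read(int(parts[3])))
            elif parts[0] == "LOG":
                self._log("client: " + " ".join(parts[1:]))
            elif parts[0] == "CLOSELOG":
                self._closelog()
                return True

    def serve(self):
        """Accept clients; with close_on_closelog, stop after the first CLOSELOG."""
        while True:
            conn, _ = self.sock.accept()
            with conn, conn.makefile("rb") as rf:
                closed = self._handle(rf)
            if closed and self.close_on_closelog:
                break
        self.sock.close()


def send_collection(port, system, files, notes):
    """Client side (FRUC role): ship output files and log items, then CLOSELOG."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        for name, data in files.items():
            s.sendall(f"DATA {system} {name} {len(data)}\n".encode() + data)
        for note in notes:
            s.sendall(f"LOG {note}\n".encode())
        s.sendall(b"CLOSELOG\n")


def run_demo():
    """Run server and client on localhost; return what an investigator would check."""
    root = tempfile.mkdtemp()
    srv = CaseServer("newcase", "Det. Joe Friday", root, port=0)  # port 0: any free port
    t = threading.Thread(target=srv.serve)
    t.start()
    files = {"pslist.txt": b"pid  name\n4    System\n",          # constructed output
             "netstat.txt": b"TCP 0.0.0.0:445 LISTENING\n"}
    send_collection(srv.port, "VICTIM1", files, ["ran pslist.exe", "ran netstat -an"])
    t.join()
    with open(srv.log_path, "rb") as fh:
        log = fh.read()
    with open(srv.log_path + ".sha256", encoding="utf-8") as fh:
        recorded = fh.read().strip()
    return {"hashes": srv.hashes, "log": log.decode("utf-8"),
            "log_hash_ok": sha256_hex(log) == recorded,
            "stored": sorted(os.listdir(srv.case_dir))}


if __name__ == "__main__":
    print(run_demo())
```

The point of hashing each file at the moment it is stored, and the log only once CLOSELOG arrives, is that the hashes then describe exactly what the investigator's system received; anything appended to the log afterwards would break the recorded log hash, which is what the `log_hash_ok` check verifies.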

NOTE: Be sure to read the ‘readme’ file that comes with the archive distribution. 


This page is for listing tools described and used in my book.

FCIV – Microsoft released an interesting file integrity tool. The tool can compute and verify file hashes, using an XML database.

Pref – Prefetch directory tool mentioned in my blog. This tool parses the contents of the Prefetch directory and gets MAC times for all of the files. Make sure to read the readme file in the archive.

Pref_ver – Prefetch directory tool mentioned in my blog. This tool parses the contents of the layout.ini file and looks for executable files, based on file extension (.exe, .dll, .sys). When it finds one, it attempts to retrieve file version information from the file. Make sure to read the readme file in the archive.

Tools associated with the book. The archive includes bho.exe to view Browser Helper Objects (hiding place of spyware) on the local system, keytime.exe to view LastWrite time of Registry keys, ver.exe to retrieve version information from executable files, sigs.exe for performing file signature analysis (output in .csv format) and windata.exe for retrieving operating system, service, and process information from local or remote systems (output in .dat/.csv files in the local directory).

Drive Info tool – associated with the book. Displays drive information from local and remote systems.

DiamondCS is the site to go to in order to get OpenPorts and CmdLine.

See this MS KB article for a tool called “chknic.exe”, which is part of the Windows 2003 Resource Kit. The tool gets information about NICs and runs on XP and 2003.

Go to the NTSecurity site for PEriscope, PMDump, PromiscDetect, PStoreView, and others.

Check out SysInternals for PSTools, Handle, ListDLLs, AccessEnum, AutoRuns, LogonSessions, etc.

Spyware and Adware Tools
Adware, and in particular spyware, are a huge problem on systems today. This problem affects corporate systems as well as home users. In fact, it has been so much of a problem that CERT has even recommended that a browser other than IE be used. Below are some links to tools that are highly effective in helping protect you from spyware:

The first step is to install and update anti-virus software. Keep it up to date.

PestPatrol is an excellent commercial product to help protect you from spyware infections, as well as from other malware infections. Does this protect you from some of the same things that your anti-virus software protects you against? Yes…but that’s a good thing. PestPatrol comes in corporate and home user flavors. As with other tools, keeping your definitions up to date is key. I recently ran a fully registered version of PestPatrol on a friend’s computer and detected 75 bad things. After removing them and rebooting the system, I updated PP and ran it again…only to find 65 more bad things!

SpyBot Search and Destroy is an excellent donation-ware tool for detecting and removing spyware from your system. If you download it and try it, be sure that you keep it up to date.

AdAware is an old standby when it comes to removing spyware. When I say “old”, what I mean is that it’s the product I’m most familiar with, but that doesn’t mean that it’s not extremely effective.

SpyWare Blaster lets you be a bit more proactive by not allowing spyware to install in the first place.

There are other tools available, that you’ll hear about from friends or read about in trade journals. Spyware is a huge problem so there are always more and more tools to protect against, as well as detect and remove, this annoying software. Whatever you decide to use, my primary recommendations are to use more than one tool, and keep your tools updated.

Advantages of pneumatic cylinders

In this article I would like to discuss the advantages of pneumatic cylinders in comparison to the other alternatives. Please be aware that this is only a theoretical discussion, because in the real world nobody is forced to make such decisions based solely on their own preference. Usually in real-life applications you are presented with some solution, and when picking an actuator you need to adapt to whatever system already exists, whether it is an electrical system, a hydraulic system, or any other. The alternatives I will take into account in my little analysis are of course the most popular ones: electric cylinders and hydraulic actuators. I’m not considering any other alternatives to these two because I have no knowledge of any, which simply means that if they do exist, they are probably extremely rare.

But before we proceed further, I would like to clarify what piece of engineering equipment we’re going to discuss. Cylinder is a product consisting of three basic elements – tube, rod and piston. Piston moves inside some kind of a tube, which is tightly closed, rod is connected to piston and it extends outside. Whenever piston moves inside the tube the rod extends and retracts accordingly. This kind of two directional, linear motion is common to all kinds of cylinders. Differences between them are either in their design, or force that powers them (which is the subject of this article). That said we can continue our main thought.

Pneumatic cylinders are, as the name suggests, powered by air, or exactly compressed air. Air (and most of other inert gases) are easily compressed, and can be compressed to amazing levels. Compressed air can be transported, and used to power various elements including pneumatic cylinders. In case of pneumatic cylinders compressed air flows into a chamber on one side of the piston, and therefore piston moves pushing the piston rod.

Method of return is similar, but can be caused by air stream on other side or (very popular solution) spring.

Hydraulic cylinders are based on a very similar mechanism, but in this particular case oil or another fluid is used as the power source. Hydraulic cylinders can achieve much larger forces than pneumatic ones, but that is the case for hydraulics in general. Since hydraulic cylinders use oils (often flammable or mineral oils), they do tend to react with various kinds of seals, and thus sooner or later are prone to leakage.

Electric cylinders, on the other hand, are based on a slightly different principle. Electric cylinders consist of a ball screw or roller screw connected to an electric motor. The turning screw moves a nut connected to a rod or carriage, which moves the load. The great advantage of electric cylinders is the ability to control the speed and position of the rod precisely. In modern electric cylinders it is possible to achieve positioning precision of up to ten thousandths of a mm.

Again, in the case of pneumatic actuators the output forces are definitely smaller when compared to hydraulic alternatives, but are similar to electric ones. One great advantage of pneumatic compared to electric is that when there is a power cut pneumatic cylinders can still work, since pressure is usually stored in pressure tanks. Another interesting thing about pneumatic cylinders is that speed and force can be controlled independently, which is a very important factor. Force can be controlled by pressure, which can be raised or lowered using a pressure regulator, and speed can be controlled by a flow control valve.

Electric ones are more flexible and accurate: you can decide precisely how far to extend the rod, which in general can increase the efficiency of your system. A pneumatic cylinder cannot easily be stopped precisely at any position; you could achieve a similar effect by using a piston position sensor and an additional valve, but it is never going to be as accurate as an electric one. Pneumatic actuators, and pneumatic systems in general, are on the other hand very inexpensive, even in the long term.

To sum up, pneumatic solutions are great whenever you are looking for an inexpensive choice that doesn’t have to be extremely accurate but has thrust and speed. Whenever you need total control over the piston rod, or are using some advanced application where the cylinder has to perform unusual tasks, go for electric. But when you need enormous forces on your side, consider hydraulic solutions. In general it is worth remembering that each solution has its advantages and disadvantages, and you should not make your choice without consulting an expert.

I Want My Ex Back – Some Effective Tips for Men

Whenever you look at her photographs, you have the urge to run and meet her at her office. You cannot bear this kind of condition anymore. It was a stupid mistake.

You did not realize that you need her in your life. Now, you want her back. You have so many sleepless nights because your mind keeps yelling ‘I want my ex back’.

However, you are not that sure with her response. Is it the right time to ask her? What is the best way to talk to her? So many things to sort out since you do not want to make the same mistake.

  • Learn the Effective Tips

We know that nothing as painful as losing someone you love. It is like having tons of problems on your shoulders. You keep blaming yourself because of that simple mistake.

Now, you want to get your ex back. This time, you want to set your mind correctly. You know that she will avoid you even though she feels the same. You need to convince her with real actions.

Telling everyone ‘I want my ex back’ without making some real moves is useless and dumb. Here, you need these effective tips. They will help you to get your relationship back on track.

At first, you have to stay away from her. You might say ‘I want my ex back’ thousand times.

However, it is nothing for her. Yes, this is the best thing you can do. Give her some time to heal her wounds. Control your emotions and desires to call and meet her.

You do not want to make more troubles, right? She is not ready to face the ex-boyfriend. In addition, you do not want to meet a girl in this kind of state.

It is like fighting an awakened lion. You would never know what would happen if both of you met in such an emotional and unstable state. Therefore, leave her alone for a while.

Do not contact her for one or two months.

Second, you have to show her that you are strong and mature. Do not show your weakness. Even though you want her badly, you need to do the opposite way.

Yes, take a giant step back. You do not have to send her roses every day. Moreover, crying or begging her attention is a huge mistake. Showing ‘I want my ex back’ without control is not smart at all.

You are only wasting your time and money on that kind of action. Keep your dignity and show her that you are different now. You should make her miss you more than you miss her.

Third, it is the right time to explore your true potentials. Be a new you.

Meet new people and take up some new hobbies. You have to maximize your talents. A man with great abilities is worth giving a second chance.

Meanwhile, a weak and immature man is nothing. Therefore, prove that you really want her back. Upgrade yourself so that she wants to be your girlfriend.

This time, make her scream ‘I want my ex back’. This is a huge achievement. Turning something to your benefit is a great deal.

Therefore, do not hesitate to throw your old habits for a better result.

The last thing to do is to upgrade your looks. Look at yourself. No wonder she complains about your appearance all the time. Throw out your old T-shirts and replace them with new ones.

Moreover, it is fine to wear trendy clothes. Look at the magazines or the fashion websites.

Find some inspiration to change your look. Remember, you also have to look as handsome as you can for her. Next, have a new haircut. Yes, you need to change your haircut.

Go to the best barbershop in town and ask the barber to give the best haircut for you.

Do not forget to build your body and grow muscles. Say goodbye to the old appearance. You are ready to win her back.


Best Roach Killer – Find out Which one It is!

Utilizing orange oil for controlling termite is a fantastic environment-friendly way to end your discouraging termite issue. Termites are not simply a frustrating bug – they really trigger billions of dollars of structural damage yearly around the globe.

If your home is plagued with termites, you have to take instant action to stop the damage of your house and restore your home from the legions of new occupants.

Here are few valuable ideas to take into consideration if you decide to use the natural orange oil for your issue and go on the green path.

What is Orange Oil?

Orange oil is drawn out from orange skins for a number of uses around the home. The active component, D-limonene is low in toxicity and does not pose any danger to human beings, making it a perfect service for termite control.

Since a termite queen has the capability to produce 2000 eggs daily, it is crucial that you take fast action when you see a termite issue, particularly when utilizing orange oil to eliminate termites.

Be Vigilant

Orange oil is most efficient in managing termite populations when they are first starting, not when they remain in complete production.

If this is the perfect technique for control that you will be utilizing and you reside in an area vulnerable to termite invasion, it is necessary to frequently check your home for indications of termite invasion.

Some preliminary indications of invasion are tarnished and blistered paints, soft spots, wet spots on walls or doors, and springy floorings. If you have any of these indications, make certain to examine completely and vigilantly for indications of termites.

Apply, Apply, And Apply!

Orange oil just offers localized killing of termites, suggesting that it just eliminates termites in the area where you use it.

It needs to be used by drilling it into the wood that is plagued with termites. The objective is to strike the termite gallery and eliminate a big group of termites at one time.

You will have to drill a number of holes into the wood to reach a big population of termites and work at eliminating them; this method is also known as the best roach killer workaround.

This is a reliable approach for drywood termites, nevertheless, if you have below ground termites this technique of extermination will not work.

Make Your Home Uninviting to Termites

Because the orange oil control technique is not as guaranteed as tenting your home and eliminating termites, it is essential when utilizing this technique to be sure to take needed steps to avoid making your home a congenial location for termites to live.

Do this by repairing any dripping faucets both outside and inside your home, getting rid of heavy brush from around your home, and raising any fire wood off the ground.

You ought to likewise seal any structure fractures, keep your seamless gutters clean and appropriately aerate your home. By taking these actions, you can make your orange oil application more reliable.