Category Archives: Technical

Windows Incident Response Course

The Windows Incident Response Course is based on the book, but takes it several steps further. The base course is two days in length and covers the entire spectrum of incident response: understanding how incidents occur, what they look like, and how to prevent them. The course also gives attendees the opportunity to walk through incident verification and identification for themselves. All attendees have the opportunity to run the tools used in the course and learn how to interpret their output.

The course is taught on-site, at your location, and can accommodate approximately 20 attendees. You provide the facilities and catering, while I provide the course materials and instruction. This greatly reduces travel costs while maximizing knowledge transfer. On past deliveries of this course, attendees have used what they learned to resolve issues that came up during the day, returning from lunch with the problem solved.

FSP

Forensic Server Project

The Forensic Server Project (FSP) is a proof of concept tool for retrieving volatile (and some non-volatile) data from potentially compromised systems. The FSP consists of several Perl scripts and third-party utilities. The server component of the FSP is run on an investigator or administrator’s system, and handles all data storage and activity logging. The client components (i.e., FRU.pl and supporting Perl scripts and tools) of the FSP are burned to a CD, and run from the CD drive of the potentially compromised system. Data is copied to the server component via TCP/IP.

It should be noted that while the FSP is used for incident response and forensic audits of Windows systems, it is also an open source project. The server component is written in Perl, and can be run from other systems that support Perl (with minor modifications). Client components can be written in Perl, or any other scripting language.

The First Responder Utility (FRU)

The First Responder Utility (FRU) is used by a first responder to retrieve volatile data from “victim” systems. The current version of the FRU is a CLI (command line interface) tool called FRUC. The FRUC operates using a combination of an INI file and command line options.

The first step to running the FRUC is to download the archive containing FRUC. Extract all of the files to the same directory, and update the fruc.ini file to suit your needs. To update the ini file, simply follow the format. The ini file should consist of the 4 sections listed in the file, and must contain a “Configuration” section. If the investigator/administrator has a static IP address for the Forensic Server, put it in the file, as well as the port to be used.

The “Commands” section consists of all of the tools that will be run on the system. When entering a tool to be used, follow the format in the ini file. The entry for each command must consist of a number, followed by the equals (=) sign, followed by the command to be run, a semi-colon delimiter, and the name of the file the data will be saved in on the Forensic Server (the filename will be prepended with the name of the system). The command to be run must point to a CLI tool and have all of the command line switches you’d like run.

Tools to be run with the FRUC can be found on the Tools page, as well as on various other sites, such as SysInternals, NTSecurity.nu, and DiamondCS.

The “Registry Values” section consists of Registry values to be queried, while the “Registry Keys” section contains Registry keys (such as the ubiquitous Run key) that you want to pull all of the values (not subkeys) from. It is important that you use the right format in these sections. To get a list of Registry values and keys to query, such as startup locations, check sites such as Silent Runners.

NOTE: Be sure to read the ‘readme’ file that comes with the archive. 

Once you have an INI file set up and all of the tools collected, you can burn fruc.ini, p2x584.dll, the INI file and tools to a CD, or USB-connected thumb drive. If you put the files on a CD, you can include a “clean” copy of cmd.exe and an autorun.inf file, or a batch file to launch the FRUC, if you so choose.
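The fruc.ini layout described above (a mandatory Configuration section, plus numbered `N=command;filename` entries under Commands whose output names get the victim’s system name prepended), worked through as an added Python example rather than FRUC’s own Perl code. The sample file, the `#` comment style, the Server/Port key names and the hostname-filename separator are assumptions; the real layout is in the readme.

```python
# Constructed sample in the format the page describes; not the real fruc.ini.
SAMPLE_INI = """\
[Configuration]
Server=192.168.1.10
Port=7070

[Commands]
1=pslist.exe -t;pslist.txt
2=openports.exe;openports.txt

[Registry Values]
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell
[Registry Keys]
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
"""

def parse_ini(text):
    """Return {section: [entries]}; blank and '#' lines are skipped (comment style assumed)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    if "Configuration" not in sections:  # the one section the page calls mandatory
        raise ValueError("fruc.ini has no [Configuration] section")
    return sections

def server_address(sections):
    """Forensic Server IP and port from the Configuration section (key names assumed)."""
    conf = dict(e.split("=", 1) for e in sections["Configuration"])
    return conf["Server"], int(conf["Port"])

def expand_commands(sections, hostname):
    """Turn 'N=command;filename' into (N, command, server-side filename), ordered by N."""
    out = []
    for entry in sections.get("Commands", []):
        num, _, rest = entry.partition("=")
        cmd, sep, fname = rest.partition(";")
        if not num.strip().isdigit() or not sep or not cmd.strip() or not fname.strip():
            raise ValueError("malformed Commands entry: %r" % entry)
        # the system name is prepended on the server; '-' as separator is assumed
        out.append((int(num), cmd.strip(), "%s-%s" % (hostname, fname.strip())))
    return sorted(out)
```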

Using the FSP

The current version of the FSP is the FSPC, the command line (CLI) version of the Forensic Server Project. In order to use the FSPC, the first thing you need to do is download the FSPC zipped archive, and extract all of the files to the same directory. Type “fspc -h” to view the syntax for launching the FSPC.

The FSPC is the CLI version of the FSP, and handles the case management and storage of data when collecting data from “victim” systems. The FSPC, when launched, listens on a port for connections. When one of the FSP client components (i.e., FRUC) connects to send data, the FSPC stores the data sent in files on the server system, generates hashes of the files, and maintains a logfile of all activities taken by the client component.

The simplest way to launch FSPC is with the following command:

C:\fsp\fspc -n newcase -i "Det. Joe Friday" -c

The above command will launch the FSPC on port 7070 (i.e., the default). The name of the case is “newcase”, and a directory of that name will be created as a subdirectory within the case directory (i.e., the default is “cases”). The name of the investigator (‘-i’ switch) will be placed in the logfile (set with the ‘-l’ switch; the default is “case.log”). As the FSPC receives data from the client component, it will automatically store the data on the server system, and compute hashes for each file as it is created. If a client component is used to copy files from the victim system to the Forensic Server, the server will automatically verify the hashes of the files. The client components send items to be logged to the server, and these items are placed in the logfile. The last command that the client sends to the server is the “CLOSELOG” command, at which point the logfile is closed and hashes are computed for the logfile. If the ‘-c’ switch is used, the server component will automatically shut down when the CLOSELOG command is sent. Otherwise, the server will remain open and the investigator must type “Control-C” to shut the server down.
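The server-side duties just described (store each file under the case directory, hash it as soon as it is written, verify the client’s hash for copied files, keep the activity log, and hash the closed log on CLOSELOG), modelled as an added Python example, not the FSP’s own Perl code. The hash algorithms, the log line format, the verify_copy() call and the constructed VICTIM01 payload are assumptions, and the TCP transport is left out.

```python
import hashlib, os, tempfile

class CaseServer:
    def __init__(self, case, investigator, root="cases", logname="case.log"):
        self.dir = os.path.join(root, case)          # cases/newcase by default
        os.makedirs(self.dir, exist_ok=True)
        self.logpath = os.path.join(self.dir, logname)
        self.hashes = {}
        self._log = open(self.logpath, "a", buffering=1)   # line-buffered log
        self.log("case %s opened, investigator: %s" % (case, investigator))

    @staticmethod
    def digest(path):
        with open(path, "rb") as fh:
            data = fh.read()
        # MD5 + SHA-1 are an assumption here, not the FSP's documented choice
        return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

    def log(self, item):
        """Items the client asks to have logged go straight into the case log."""
        self._log.write(item + "\n")

    def store(self, filename, data):
        """Write one file sent by the client and hash it as soon as it is written."""
        path = os.path.join(self.dir, os.path.basename(filename))  # no client-chosen paths
        with open(path, "wb") as fh:
            fh.write(data)
        self.hashes[filename] = self.digest(path)
        self.log("stored %s md5=%s sha1=%s" % ((filename,) + self.hashes[filename]))
        return self.hashes[filename]

    def verify_copy(self, filename, client_md5):
        """For a file copied off the victim, compare the client's hash with the server's."""
        ok = self.hashes[filename][0] == client_md5.lower()
        self.log("verify %s: %s" % (filename, "OK" if ok else "MISMATCH"))
        return ok

    def closelog(self):
        """CLOSELOG: close the log, then hash the closed log file itself."""
        self.log("CLOSELOG received")
        self._log.close()
        return self.digest(self.logpath)

def demo():
    """Walk one client session in a temp directory; returns the values worth checking."""
    srv = CaseServer("newcase", "Det. Joe Friday", root=tempfile.mkdtemp())
    md5, sha1 = srv.store("VICTIM01-pslist.txt", b"abc")  # constructed payload
    ok = srv.verify_copy("VICTIM01-pslist.txt", md5)
    bad = srv.verify_copy("VICTIM01-pslist.txt", "0" * 32)
    log_md5, _ = srv.closelog()
    return {"md5": md5, "sha1": sha1, "ok": ok, "bad": bad, "log_md5": log_md5}
```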

NOTE: Be sure to read the ‘readme’ file that comes with the archive distribution. 

Tools

This page is for listing tools described and used in my book.

FCIV – Microsoft released an interesting file integrity tool. The tool can compute and verify file hashes, using an XML database.

Pref – Prefetch directory tool mentioned in my blog. This tool parses the contents of the Prefetch directory and gets MAC times for all of the files. Make sure to read the readme file in the archive.

Pref_ver – Prefetch directory tool mentioned in my blog. This tool parses the contents of the layout.ini file and looks for executable files, based on file extension (.exe, .dll, .sys). When it finds one, it attempts to retrieve file version information from the file. Make sure to read the readme file in the archive.

Tools associated with the book. The archive includes bho.exe to view Browser Helper Objects (hiding place of spyware) on the local system, keytime.exe to view LastWrite time of Registry keys, ver.exe to retrieve version information from executable files, sigs.exe for performing file signature analysis (output in .csv format) and windata.exe for retrieving operating system, service, and process information from local or remote systems (output in .dat/.csv files in the local directory).

Drive Info tool – associated with the book. Displays drive information from local and remote systems.

DiamondCS is the site to go to in order to get OpenPorts and CmdLine.

See this MS KB article for a tool called “chknic.exe”, which is part of the Windows 2003 Resource Kit. The tool gets information about NICs and runs on XP and 2003.

Go to the NTSecurity site for PEriscope, PMDump, PromiscDetect, PStoreView, and others.

Check out SysInternals for PSTools, Handle, ListDLLs, AccessEnum, AutoRuns, LogonSessions, etc.

Spyware and Adware Tools

Adware and in particular spyware is a huge problem on systems today. This problem affects corporate systems as well as home users. In fact, this has been so much of a problem that CERT has even recommended that a browser other than IE be used. Below are some links to tools that are highly effective in helping protect you from spyware:

The first step is to install and update anti-virus software. Keep it up to date.

PestPatrol is an excellent commercial product to help protect you from spyware infections, as well as from other malware infections. Does this protect you from some of the same things that your anti-virus software protects you against? Yes…but that’s a good thing. PestPatrol comes in corporate and home user flavors. As with other tools, keeping your definitions up to date is key. I recently ran a fully registered version of PestPatrol on a friend’s computer and detected 75 bad things. After removing them and rebooting the system, I updated PP and ran it again…only to find 65 more bad things!

SpyBot Search and Destroy is an excellent donation-ware tool for detecting and removing spyware from your system. If you download it and try it, be sure that you keep it up to date.

AdAware is an old standby when it comes to removing spyware. When I say “old”, what I mean is that it’s the product I’m most familiar with, but that doesn’t mean that it’s not extremely effective.

SpyWare Blaster lets you be a bit more proactive by not allowing spyware to install in the first place.

There are other tools available, that you’ll hear about from friends or read about in trade journals. Spyware is a huge problem so there are always more and more tools to protect against, as well as detect and remove, this annoying software. Whatever you decide to use, my primary recommendations are to use more than one tool, and keep your tools updated.

Advantages of pneumatic cylinders

In this article I would like to discuss the advantages of pneumatic cylinders in comparison to the alternatives. Please be aware that this is only a theoretical discussion, because in the real world nobody is forced to make such a decision based on their sole choice. Usually, in real-life applications, you are presented with some solution, and when picking an actuator you need to adapt to whatever system already exists, whether it is an electrical system, a hydraulic system, or any other. The alternatives I will take into account in my little analysis are of course the most popular ones: electric cylinders and hydraulic actuators. I’m not considering any other alternatives to these two because I have no knowledge of any, which simply means that if they do exist, they are probably extremely rare.

But before we proceed further, I would like to clarify what piece of engineering equipment we’re going to discuss. A cylinder is a product consisting of three basic elements: a tube, a rod and a piston. The piston moves inside a tightly closed tube; the rod is connected to the piston and extends outside it. Whenever the piston moves inside the tube, the rod extends and retracts accordingly. This kind of two-directional, linear motion is common to all kinds of cylinders. The differences between them are either in their design or in the force that powers them (which is the subject of this article). That said, we can continue our main thought.

Pneumatic cylinders are, as the name suggests, powered by air, or more exactly compressed air. Air (and most other inert gases) is easily compressed, and can be compressed to remarkable levels. Compressed air can be transported and used to power various elements, including pneumatic cylinders. In a pneumatic cylinder, compressed air flows into a chamber on one side of the piston, and so the piston moves, pushing the piston rod.

The method of return is similar, but can be driven by an air stream on the other side of the piston or (a very popular solution) by a spring.

Hydraulic cylinders are based on a very similar mechanism, but in this case oil or another fluid is used as the power source. Compared to pneumatic cylinders, hydraulic cylinders can achieve much larger forces, but that is the case for hydraulics in general. Since hydraulic cylinders use oils (often flammable or mineral oils), they do tend to react with various kinds of seals and are thus, sooner or later, prone to leakage.

Electric cylinders, on the other hand, are based on a slightly different principle. An electric cylinder consists of a ball screw or a roller screw connected to an electric motor. As the screw turns, it moves a nut connected to a rod or carriage, which moves the load. A great advantage of electric cylinders is the ability to precisely control the speed and position of the rod. In modern electric cylinders it is possible to achieve positioning precision of up to ten thousandths of a millimetre.

Again, in the case of pneumatic actuators the output forces are definitely smaller than those of hydraulic alternatives, but similar to electric ones. One great advantage of pneumatic over electric is that when there is a power cut, pneumatic cylinders can still work, since pressure is usually stored in pressure tanks. Another interesting thing about pneumatic cylinders is that speed and force can be controlled independently, which is a very important factor. Force is controlled by pressure, which can be raised or lowered using a pressure regulator, and speed is controlled by a flow control valve.

Electric cylinders, on the other hand, are more flexible and accurate: you can precisely decide how far to extend the rod, which in general can increase the efficiency of your system. A pneumatic cylinder cannot easily be stopped precisely at any position; you could achieve a similar effect by using a piston position sensor and an additional valve, but it is never going to be as accurate as an electric one. Pneumatic actuators, and pneumatic systems in general, are on the other hand very inexpensive, even in the long term.

To sum up, pneumatic solutions are great whenever you are looking for an inexpensive choice that does not have to be extremely accurate but does need thrust and speed. Whenever you need total control over the piston rod, or are building some advanced application where the cylinder has to perform unusual tasks, go for electric. But when you need enormous forces on your side, consider hydraulic solutions. In general, it is worth remembering that each solution has its advantages and disadvantages, and you should not make your choice without consulting an expert.