Tuesday, December 22, 2009

US Air Force p'owned with $26 data carving tool... LOL!!!

It was reported last week by a number of sources that Iraqi insurgents found a way to INTERCEPT airplane (and drone) video feeds with $26.00 SHAREWARE software...LOL!!!! The software in the spotlight is called SkyGrabber. Essentially, this is just a little data carving tool... It hooks into your satellite receiver and carves known file types out of the air, one of them just happening to be unencrypted video feeds! The best thing to compare it to is a network sniffer.

The amazingly insecure protocol the government uses is called Remotely Operated Video Enhanced Receiver (ROVER). This technology was deployed in 2002. "Since then, nearly every airplane in the American fleet - from F-16 and F/A-18 fighters to A-10 attack planes to Harrier jump jets to B-1B bombers - has been outfitted with equipment that lets them transmit to ROVERs. Thousands of ROVER terminals have been distributed to troops in Afghanistan and Iraq..." - Wired.

An encryption package can be added to the ROVER; however, not all troops have the encryption package. The latest ROVER model being tested by the Pentagon comes equipped with two advanced encryption packages. Sources report that an official document puts the completion date for securing the feeds at 2014 :-/

...Not to mention, this all came about when the military kept finding hours and hours of its OWN surveillance videos on computers it was imaging out in the field...



Monday, December 14, 2009

NEW Advanced Format gives ya 11% MORE capacity on your Hard Drive!

Western Digital has a fancy new way to format hard drives. It changes your hard drive's sector size to 4 KB, with one pooled Sync/DAM header and ECC block per sector.

Wednesday, December 9, 2009

Dav Nads on Sharing ;-)

A situation arose yesterday where a deliverable, a Microsoft Office Excel workbook, needed to get out the door under a tight deadline. I had a team of 5 resources at my disposal to assist with the project. However, given the complexity and manual nature of the task at hand, delegating work out to each resource would just have made things more time-consuming and convoluted. So I thought to myself it would be amazing if we could put this workbook in a neutral location where we could all work on this task collectively, see each other's changes and monitor progress.

So I recalled that Microsoft Office 2007 had the capability of doing this. I took the workbook and placed it on a file server on our LAN that everyone has access to. I then "Shared" the workbook with the specified "users" I wanted to delegate "write access" to and set up the settings for how changes within the workbook are saved and updated. In all, this process took me about 10 minutes to set up and test.

The end result was that this amazing feature allowed me to delegate work efficiently while maintaining management oversight. Work Smarter, not Harder, with Sharing!

Thursday, December 3, 2009

EnCase and Windows 7, Server 2008

The Remote Desktop Protocol and EnCase Forensic do not play well together in Windows 7 and Server 2008.

The traditional fix for this in XP and Server 2003 was to use the MSTSC command with the /console flag (or /admin for later service packs) to connect to the console session. However, this no longer works. So I did a little research...

It's stated on Guidance's website that "EnCase is not officially supported running over Remote Desktop due to the manner in which the Remote Login Account is given access to the System devices". A discussion with one of their support representatives and some messages on their forum further confirmed that EnCase has never supported RDP (in any of their releases).

BUT, Guidance then goes on to say in the same article that "IF the RDP configuration does not work the only alternative is to purchase the SAFE NAS (Network Authentication Server) to license EnCase over the network." Well, if that's not a contradictory statement, I don't know what is! So they are saying it's not supported, but if you want to make it work you can BUY something they sell to make it work? As a user this makes me shake my head, and as a shareholder, I would be lying if I said I wasn't smiling :-)

Some say this is a licensing strategy, a method to prevent multiple users from running multiple instances of EnCase off of one license. But I don't see how that type of "abuse" is even technically possible under the current limitation of RDP and EnCase only working in console mode. So I don't really buy that. I think the reason it does not work in Windows 7 and Server 2008 is something that has changed in the O/S. I'm not sure what this is, but I'm going to look into it.

So here's a solution I propose to Guidance. Migrate over to a system like AccessData's License Manager and CodeMeter dongle (hold on, did I just say something good about AD?). With AccessData's License Manager system a user has the ability to transfer/update licenses to and from their dongles. Ideally, one could use a dongle normally, and then if one wanted to use RDP, migrate the license from the dongle to the NAS SAFE, and vice versa. Damn, I think that is genius! LOL But this sure would make people happy!

Well, enough of that; here's something good. I have 2 roundabout workarounds for Win 7 and Server 2008 to get RDP working:

  1. Disable Fast User Switching, disable User Account Control, start up your instance of EnCase Forensic, and open your case/start your processing. THEN remote in using the "mstsc /admin" command and log in as the same user EnCase is already running under. This works.
  2. You can always use a VNC or pcAnywhere application to accomplish this as well. Works like a charm.

But neither of these is a practical solution. Welp, back to XP for me!

Dav Nads

- Posted using BlogPress from my iPhone

Did ya know this?

In Windows Vista and 7, doing a "full format" from device manager will actually zero out the drive. That's a legit REAL wipe! "Quick format" remains the same: it only whacks the volume boot record.

Sounds like an easy way to wipe hard drives :-) I'm curious how fast it is.

Dav Nads
- from my iPhone
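Since the whole point of a "full format" wipe is that nothing survives, a check that the medium really is zero-filled belongs in the workflow. The script below is an added example, not part of the original post: it reads a raw device or dd image sector by sector and reports the sectors that still hold data; the sample image it falls back to is constructed, and the 512-byte sector size is an assumption (use 4096 for Advanced Format drives).

```python
"""Check that a drive, or a raw image of it, is really zero-filled.

Added example, not from the original post: it scans a raw device or image
sector by sector and reports any sector still holding non-zero data, so a
"full format" wipe can be confirmed before the drive is reused or released.
"""
import io
import sys
from typing import BinaryIO, List, Tuple

SECTOR = 512  # classic sector size; use 4096 for Advanced Format drives


def scan_for_residue(src: BinaryIO, sector: int = SECTOR,
                     max_report: int = 8) -> Tuple[int, int, List[int]]:
    """Return (sectors_read, nonzero_sectors, offsets_of_first_nonzero).

    An empty offset list means every sector read was all zeros.
    """
    zero_block = bytes(sector)
    total = nonzero = 0
    offsets: List[int] = []
    while True:
        chunk = src.read(sector)
        if not chunk:
            break
        # Pad a short final chunk so its trailing bytes are still compared.
        if chunk.ljust(sector, b"\x00") != zero_block:
            nonzero += 1
            if len(offsets) < max_report:
                offsets.append(total * sector)
        total += 1
    return total, nonzero, offsets


def scan_bytes(data: bytes, sector: int = SECTOR) -> Tuple[int, int, List[int]]:
    """Same scan over an in-memory buffer (tests, small images)."""
    return scan_for_residue(io.BytesIO(data), sector)


# Constructed 4-sector sample: sector 0 still carries an NTFS boot-sector
# signature, the other three are zero. A real wipe would report 0 non-zero.
SAMPLE_IMAGE = b"\xeb\x52\x90NTFS    " + bytes(SECTOR - 11) + bytes(SECTOR * 3)

if __name__ == "__main__":
    # Pass a dd image path, or (as Administrator on Windows) \\.\PhysicalDriveN.
    fh = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(SAMPLE_IMAGE)
    with fh:
        read, bad, where = scan_for_residue(fh)
    print(f"{read} sectors read, {bad} non-zero; first offsets: {where}")
```

Timing the scan against a freshly full-formatted drive also answers the "how fast is it" question, since the scan is pure sequential read and the format is pure sequential write of the same extent.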

Wednesday, December 2, 2009

SharePoint Collections can be tricky!

I had an opportunity to collect data from a Microsoft SharePoint (SP) server yesterday... Sounds ez, right? Sure, it should be, with all the top-notch vendors out there that have integrated SP connectivity into their e-Discovery products... Kazeon Systems, KPMG, Kroll, AvePoint and Autonomy, to name just a few (click on the links to go to their press releases).

Well, what happens when the SP server you are collecting from is not in a live production environment... In fact, it's just a dusty ol' .E01 (EnCase format) image of a system you collected a year ago?

…Well, based on my market research, there's not much out there that's going to be able to help you. Then again, I can't imagine there even being a demand for this type of one-off collection in the marketplace. So on that note, here is some food for thought and research about the various approaches to collecting SP databases under these unique circumstances.

Approach 1: Leverage virtualization technology by using LiveView and VMware Server to boot the image natively. Subsequently, start the SP services and remotely collect the site(s) with any one of the widely available tools listed above. Well, hold your horses there, speedy!! This sure sounds like a great approach; however, you need to take into account a number of variables that make it a tad bit complicated. To name a few:
  • Does the image consist of a physical or logical acquisition? If it's logical, yup, move on to approach two; you can't boot that one up.
  • Is it physical? Well, is it a RAID..? Yeah, can't boot that up either without a serious fight; move on to approach two.
  • Is the image segmented… or in the wrong format? Start merging/converting those files.
  • Don't know the password to log into the system? Eh, you can try to crack it.. with a boot CD.

Approach 2: Extract the relevant SP data from the image and implant it into an existing, controlled SP environment. The first step here is to crack that image open and start identifying some significant information.
  • What version of SP and SQL is installed? This can generally be found by looking in the registry or the associated "Program Files" directory.
  • What are the SP files I'm looking for? Each SP database is identified by two files: the database file, which has a .mdf filename extension, and the transaction log file, which has a .ldf extension.
  • Where are the SP files stored? If you have a default Windows SharePoint Services installation, the database files are in the \Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Data directory. You will typically find the following 4 files in that directory:
    1. STS_Config.mdf
    2. STS_Config_log.LDF
    3. STS_Computer_Name_1.mdf
    4. STS_Computer_Name_1_log.LDF

Now that you have identified the various databases and configuration files, extract them from the image.

The next step is to install the same version of SP, SQL, and operating system found in the image on a computer/server in your controlled lab environment. This might be overkill, but it's effective!

Generally, after you get things installed, you will need to stop the SP services, disconnect the default database, copy over the extracted files and do the switcheroo. Then start the services back up and connect the database. This process is well documented in Microsoft's TechNet article. Keep in mind that you may need to repair the database, because it may not have been properly detached at the point of collection and as a result may be corrupted.
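Once the .mdf/.LDF files are out of the image, it pays to inventory them before the switcheroo: pair each database with its log, flag any whose log is missing (the "not properly detached" case above), hash everything for the quality-control check the post calls for, and draft the attach statements. The script below is an added example, not the post's or Microsoft's own tooling; the `CREATE DATABASE ... FOR ATTACH` / `FOR ATTACH_REBUILD_LOG` syntax it emits is SQL Server 2005+ and is assumed to match the lab instance (a SQL Server 2000-era MSSQL$SHAREPOINT instance would use sp_attach_db instead), and the file names in the test are constructed.

```python
"""Inventory SharePoint database files extracted from an image.

Added example, not from the original post. Given the files pulled from the
MSSQL$SHAREPOINT\\Data directory, pair each .mdf with its transaction log,
flag databases whose log is missing, hash the files for QC, and draft the
T-SQL that attaches each one in the lab instance (SQL Server 2005+ assumed).
"""
import hashlib
from pathlib import Path
from typing import Dict, List, Optional


def log_name_for(mdf: str) -> str:
    """Default SharePoint naming: STS_Config.mdf -> STS_Config_log.LDF."""
    return mdf[:-4] + "_log.LDF"


def pair_databases(names: List[str]) -> Dict[str, Optional[str]]:
    """Map each .mdf filename to its log file (case-insensitive) or None."""
    by_lower = {n.lower(): n for n in names}
    return {n: by_lower.get(log_name_for(n).lower())
            for n in names if n.lower().endswith(".mdf")}


def attach_statement(mdf: str, ldf: Optional[str], lab_dir: str) -> str:
    """T-SQL to attach the copied files. A database imaged while SQL Server
    was running is rarely cleanly detached; with no usable log the engine
    has to rebuild one, hence ATTACH_REBUILD_LOG when the .LDF is absent."""
    files = [f"(FILENAME = N'{lab_dir}\\{mdf}')"]
    if ldf:
        files.append(f"(FILENAME = N'{lab_dir}\\{ldf}')")
    mode = "FOR ATTACH" if ldf else "FOR ATTACH_REBUILD_LOG"
    return f"CREATE DATABASE [{mdf[:-4]}] ON {', '.join(files)} {mode};"


def sha256_file(path: Path) -> str:
    """Stream the file so multi-GB content databases do not hit memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(data_dir: Path, lab_dir: str) -> List[dict]:
    """One record per database found in data_dir, sorted by .mdf name."""
    names = [p.name for p in data_dir.iterdir() if p.is_file()]
    return [{"database": mdf[:-4], "log_missing": ldf is None,
             "sha256": {f: sha256_file(data_dir / f) for f in (mdf, ldf) if f},
             "attach_sql": attach_statement(mdf, ldf, lab_dir)}
            for mdf, ldf in sorted(pair_databases(names).items())]
```

Record the hashes at extraction time and again after the copy to the lab server, so the QC step can show the files that were attached are the ones carved out of the image.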

Approach 3: Let's say that neither approach worked out. Well, I'm going to assume you successfully extracted the relevant SP data (as outlined in Approach 2) from the image. Given that assumption, download the SharePoint 2003 and 2007 Database Exporter tool. This tool allows you to point at a SP database, view its contents, and export. An alternative tool, SharePoint Database Explorer and SPExport, does the same thing. Both solutions are well documented.

Approach 4 - Catch All: If all else fails, go back to the damn live server and recollect!!

For all four of the approaches outlined, I strongly suggest validating the results and performing quality-control testing.

-Dav Nads

Tuesday, December 1, 2009

knock knock

phish, snort, spoof, tunnel, boom, p'ownd! dav nads is knocking while that firewall trying to be blocking. logged in as root and out with the loot. my intrusions make illusions cause your vulnerabilities compile my credibility's. alwayz leaving traces from outer space, with null to chase, dnads plays hide n go' seek for the geeks :-p