Digital Forensics & Red Teaming

Notes for Forensic Beginners’ Part1

2009-06-04T18:06:00.000-07:00

Hello All,

I still remember my days 7 years back, when I was very keen in learning and working on Computer Forensics, however there were no good resources available for understanding the concepts and practicals for the same.

I am starting this short series for all those who are still struggling to start their career into Digital / Computer Forensics.

However, I wont be covering the basic steps or Phases involved in Computer Forensics and Incident Response, as there are numerous books available for the same, and a Google search may help you all a lot.

So, Let’s start with NTFS Filesystem:-

Currently it is NTFS v3.1 for XP/2000/2003/Vista

NTFS: New Technology File System

formerly known as NTFS is a registered tradmark of Northern Telecom File System, you can still find them on older version’s of CD for Windows 3.5 NT and 4.0.

Going a bit deeper,

NTFS consists of records and entries of MFT,

$MFT= Master File Table

The length of the $MFT within NTFS is 1024 bytes.

Standard Sector size within NTFS is 512 bytes

Standard Cluster size within NTFS is 4096 bytes (8*512 sectors)

MFT is the primary file within NTFS file system,this file points to the locations of the other files within the NTFS formatted filesystem.

Within the MFT there are “entires”, and each entry contains information about the file it points to. These entries provide a variety of information about the file it points to, and it also includes the following:

File Name, File Size, dates about the file included:-

Created=C

Entry Modified=M

Written=E

Accessed=A

ocation of the data of the file.(MACE)

Typically an MFT entry is 1024 bytes in size, or two sectors, and starts with either FILE0 OR FILE*, depending and signifying whether the given partition was formatted using Windows XP , Windows 2000 respectively.

The first 16 MFT entries within the MFT are reserved.

In Next Series of this article we will go deep into NTFS structure with reference to MFT and other records.

Need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K

Restore Point and Forensics

2009-06-04T15:43:00.000-07:00

Hello All,

Just to update on Windows XP Restore Point and it’s use in Forensics Investigation:-

within Windows XP, Windows creates “Restore Points”. These restore points are contained in numbered folders at the following location:

\System Volume Information\-restore{GUID}\RP### (### are sequential numbers as these restore points are created)

These Restore Points are / can be created when the following conditions are been met / due to action taken by the user /system.

1>These Restore points are created by default every 24 hours within Windows XP and named as System Checkpoint

2>These are also created prior and after the installation of Microsoft Windows Update or any Patches /hotfixes installation.

3>These are often created whenever a user installs any software or application

4>and finally whenever any new hardware changes occur and device driver installation is performed on the system.

There may have been other reasons which I may not be fully aware, or havent come across.

Now, how the above can help in an ongoing Forensic Investigation?

Well,

1>Check the System Image in question for Event ID of 110 which provides evidence of System Restore was successful, this is very useful after any machine is confiscated and is under investigation.

2>check for the following logs relevant to System Restore, a>RP.LOG, b>CHANGE.LOG, c>FIFO.LOG

The Change.Log is important as it contains the name of files which are renamed and thus it helps tracking the files from the restore point folder.

The FIFO.Log file contains the Deletion time and the number of the Restore Point being deleted, “RP###”

Restore Points are valid for 90 day period, also it depends on the amt of disk space available and how the system restore is configured.

System restore can be Disabled by a user or an Adminsitrator.

An Administrator can create a System restore Point manually

\System Volume Information\-restore{GUID}\RP### is neither accessible to an Administrator with the default NTFS permission set, nor for the user.

There are Registry settings for System restore at:-

HKLM\Sofware\Microsoft\WindowsNT\CurrentVersion\SystemRestore.

If you have any other inputs to add, or anything i have missed Please feel free to comment.

Need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K

Can Defeat Forensics upto 50%

2009-06-04T15:41:00.000-07:00

Hello All,

After a long time, and Yes you read the Title right!!

With the new feature in Windows XP and Windows Vista called SteadyState, if configured properly, with Disk protection=ON, and deletion of Shared Profile either at Restart or Logoff is configured properly, there is no way to retreive any Artefacts from the system configured to run with Windows SteadyState.

as there are no modifications within $MFT, except for the entry within the $MFT itself for the C:\Boot\Bootstat.dat file.

and nothing changes!!

I am still trying to figure out other possibilities for recovering the Artefacts.

However, as of this time, i assume it is almost 50 % true to say that it is not too far, that one can hide all traces and artefacts from a system, as the advances in technologies like Windows SteadyState are coming..

Note:-System needs to be configured to use Locked Profile and deletion of any user data, Please refer to User Handbook for Windows SteadyState:-)

Need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K.

NMAP as a VA tool !!

2009-03-29T18:03:00.000-07:00

NMAP a great Penetration-testing tool, which was only used as a Port-Scanning and Enumeration tool, has now got some additional and more powerful features then it’s previous versions.

with the newly added “NSE” Nmap Scripting Engine which uses “Lua”

The NSE (”The Nmap Scripting Engine“) executes the script in parallel with the ongoing scan. Scripts are written in the embedded Lua programming language.

The NSE scripts can be found under:-

/usr/share/nmap/scripts/

There are currently the following categories:

auth, default, discovery, external, intrusive, malware, safe, version, and vuln.

the above categories can be used together as well, seperated by commas:

nmap -v –script=malware,vuln,discovery hostipaddress.com

Some common examples of using NMAP with NSE are as follows:-

to update the Scripts use the following: nmap --script-updatedb

nmap -v -sC hostipaddress.com

nmap -v –script=all hostipaddress.com

nmap -v –script=default hostipaddress.com

nmap -v –script=malware hostipaddress.com

there can be many more options, depending upon what exactly you are trying to find out.

however, it will not be too late, to see NMAP as a Full-Blown Vulnerability Scanner, like or more powerfull than Nessus.

Need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL

Unlock any Read-only Word Document !

2007-07-26T17:15:00.001-07:00

Hi Folks,

Many a times we need to make some changes to documents or even need to fill-up some online documents which are in MS Word, and they have a read-only protection in place,

So here is how to bypass, or Unlock them.

If you are using office XP or 2003, you can change the view to HTML-Code using Microsoft Script-Editor by pressing the [Alt]+[Shift]+[F11] key combination.

Search for "Password", or scroll down till you will find something like this:

DocumentProtection>Forms
UnprotectPassword>60B9DAE3

To remove the protection:
Just remove those two lines, and after saving the document , the protection is gone.

To remove the password:
-replace the Password, here "60B9DAE3", with "00000000", save the Document and close "Script-Editor".

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Simulator for Juniper Networks --JunOS!!

2007-07-13T14:35:00.000-07:00

Hi Folks,

Just found a link to an awesome tool which simulates the JunOS,
those who are looking for a hands-on and need to practice on the JunOS devices, can use this tool.

Since the JunOS is based on FreeBSD, you should be familiar with FreeBSD Install and configuration.

Here is the link:

Juniper Networks' Olive

* Preparing for Install
* Installation
* Installing under VMWare
* Limitations
* Hardware Support
* References

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Google and your Privacy !!!

2007-07-05T14:06:00.000-07:00

Hi Folks!

A very interesting news that has been around in US and many parts of the world is that Google does maintain a list of all your search activities and History of all you tried to dig on the Internet.

You can SEARCH for this as well on GOOGLE.

"Could Future Subpoenas Tie You to 'Britney Spears Nude'?
DOJ's subpoena of Google may lead to more intrusive examination of Internet users' online records
Fred von Lohmann
Special to Law.com
02-06-2006

As news circulated of the government's recent effort to force Google to hand over information about what its users are searching for, you could almost hear the collective gasp from Internet users. Wait, Google has been keeping records of all my searches? Including the embarrassing ones ("britney spears nude" was the second most popular "britney" search last month), the incriminating ones (your searches about marijuana cultivation were for research, of course), and the routine ones (from which your professional and recreational interests can easily be deduced)?"

A very famous example is that of "'Britney Spears Nude'" search string which set many of the officials and ISP's to an alert.

Read this text excerpt here:

"And so can any private litigant with an axe to grind and a subpoena in hand. If someone does deliver a subpoena to Google for your records, there is no law that requires that you even be notified, much less be afforded an opportunity to object.

The Google subpoena incident is a timely reminder to all Internet users that we are routinely entrusting third parties with an ever-increasing amount of private information about ourselves. We entrust our e-mail to services that encourage us to "never throw anything away," we upload our photos to share with family, and rely on search engines to help us track down virtually everything without a second thought."

So how are we going to protect our privacy??

Please comment on this.

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

No DEL key or DEL key broken, missing !

2007-06-09T04:06:00.000-07:00

Hi Folks,

I am back again,

Recently a friend of mine had a problem with his Laptop and had given me for it to be repaired,

The Laptop was repaired, and another problem which was on the Laptop was that the DEL key was missing, so which actually despaired the functionality of CTRL+ALT+DEL combo.

so he has to always keep his Laptop to login automatically.

Well I just thought of replacing the Keypad, but finding a same match was difficult.

So Guess !

What i found that Windows OS has a built-in option for viewing the Keyboard On-Screen,

so it's easier to access the DEL key.

Here is how.

Goto---->Start---->Run---->OSK

and you can access the keyboard.

Hope this will help others with the Missing keys or the ones that gives a problem.

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

NetStat Script !!

2007-02-04T16:23:00.000-08:00

NetStat Script !!

Hi Folks,

Another Simple script to view all active connections,
and all exe's communicating on Internet.

Let me know If any Problems with this.

Download:
http://fixupload.com/file/2171/NitinStat.rar.html

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Netstat with GREP in Windows !!

2007-02-04T14:27:00.000-08:00

Netstat with GREP in Windows !!

Hi Folks,

Many times we use The most powerful command in MS Windows,

But we miss the GREP functionality in Windows,
which we use with most Debian/Linux/Unixes OS.

So here it is how we can get the GREP functionality within Windows.

here we go.

netstat -an | find "ESTAB"

netstat -an | find "LIST"

netstat -an | find "FIN_WAIT"

netstat -an | find "SYN_SENT"

Note:

ESTAB=Established sessions
LIST=Listening sessions
FIN_WAIT=Killing the session in process / Terminating in session
SYN_SENT=Normally when just opening a new session

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Bypass 30-days Trial Limit !!

2007-02-02T12:43:00.000-08:00

Bypass 30-days Trial Limit !!

Hi Folks,

Many times we like a software but can't afford to buy it.
and the software will expire after 30-days from the Install date.

So, How do we bypass this issue.

Let's start here:

1>Change the Date under BIOS to 2010 or greater if your BIOS version supports.

2>Log-in to your machine and Install the desired Software with 30-day trial.

3>Reboot the Machine and Log-in back

4>Change the Date within the OS to the current Date.

You have done it!!

Note:
Make sure that the software with Trial version,
was not Installed previously,as it may leave the
Install date code in Hex code under Registry.

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Sysinternals Video Library !!

2007-01-28T16:47:00.000-08:00

Sysinternals Video Library !!

Hi Folks,

This is for all my Blog Visitors.

Sysinternals had released a 6 DVD video set,
covering windows troubleshooting topics.
and that all sounds quite interesting,
and they are giving away a video which provides an overview,
of all the tools as a free download.

You can check it out here:

http://www.sysinternals.com/videos.html

I have managed to Google around and get the full DVD library.

Download:
http://fixupload.com/file/1992/SyInternals.pdf.html

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

IP to Google Map !!

2007-01-27T09:21:00.000-08:00

IP to Google Map !!

Hi Folks,

Need to find the Location of an IP and don't have Visual Route software on your PC,

Then check this out !

This uses Google Maps from Satellite.

http://www.ip-adress.com/

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Wanna Download YouTube Video's !!

2007-01-25T05:50:00.000-08:00

Wanna Download YouTube Video's !!

Hi Folks,

I was watching a YouTube video on Hacking, and I wanted to save it but YouTube does not allow you to save.

Well there are many softwares available which will save these videos.
But many won't work as of this date.

So the best way I figured out is to use Mozilla Browser !!

For details on how to download and play them offline, find my article below.

Download:
http://fixupload.com/file/1968/utube.pdf.html

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Six Sigma !!

2007-01-23T16:28:00.000-08:00

Six Sigma !!

Hi Folks,

Found some e-books on Six Sigma,

I am not the owner for the below links.

I was just Googling and came across the below links:

Download:

http://rapidshare.de/files/33323290/
Started_in_6Sigma.rar

http://rapidshare.de/files/33324657/
6Sigma-Continual-Improvement.rar

http://rapidshare.de/files/33314077/
New_6_Sigma.rar

http://rapidshare.de/files/28505435/
Demystifying_Six_Sigma.rar

http://rapidshare.de/files/35435258/
Lean.Sigma.A.Practitioners.Guide.Oct.2006.rar

http://rapidshare.de/files/34824842/
Process.Improvement.Essentials.Sep.2006.rar

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

The Hex Editor in Windows Xp and Windows 2003 OS !!

2007-01-20T02:06:00.000-08:00

The Hex Editor in Windows Xp and Windows 2003 OS !!

Hi Folks,

I am working on my client’s Project on Malware analysis and I came across this file.

Which is part of Microsoft OS, but not known to many of us.

It is known as “Private Character Editor”

It is a very useful graphics tool for designing your own fonts, logos and icons.

To start the program go to Run--> eudcedit and click OK.

It will then open the program, and you just select a hexadecimal code
for your first character from the grid to start then
click OK and you are now ready to begin designing.
Using the set of drawing tools on the left and.
you can do your own design.

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

How to access the Internet if Malware or Spyware hits !!

2007-01-19T11:16:00.000-08:00

How to access the Internet if Malware or Spyware hits !!

Hi Folks,

If your IE a.k.a "Internet Exploiter" doesnt work,
gets hit by Malware what will you do to access the Internet?
You may want to access the Internet to Google around for the solution.

and remove this Malware.

But your IE refuse to open.
what will you do???

well! Here is a trick...

Download:
http://uploadxp.com/file/107/Browse.pdf.html

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Good Videoz !

2007-01-19T07:01:00.000-08:00

Good Videoz !

Hi Folks,

Just found a good site to download some videos.

Linux Network Monitor

Linux DNS Server

Linux Web Server

Windows Web Server

Windows Server 2003 IIS and DNS

Download:

http://cbt4free.org/videos.php

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Create Admin !

2007-01-17T18:45:00.000-08:00

Create Admin !

Hi Folks,

Another Simple script to Create & Delete an Account on Local PC, running Microsoft Windows 2000,XP, and 2003.

Let me know If any Problems with this.

Download:
http://uploadxp.com/file/102/CreateAdmin.rar.html

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

My Script for Windows! Part 2

2007-01-17T18:36:00.000-08:00

My Script for Windows! Part 2

Hi Folks,

Here is another script written using Batch file & Microsoft WMI.

Can be used for Incident Handling!

This script will run on any Microsoft XP and 2003 Machines with WMI enabled.

Check to see how one can have access to all these information.

Also, a very good tool for Daily System Admin activities.

Download:
http://uploadxp.com/file/101/GetInfo2.rar.html

Just Ignore the first line in error.
Download this RAR file in a Folder--Extract it--Run it from the folder, since all reports will get generated in the folder from where this Script is executed.

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Drive Naming Conventions under Unix !

2007-01-17T12:33:00.000-08:00

Drive Naming Conventions under Unix !

Hi Folks,

An Easy to remember Table listing the Drive Naming under Unix.

Download:
http://uploadxp.com/file/98/
Drive-Naming-Conventions-under-Unix.pdf.html

Join the above URL.

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

My Script for Windows!

2007-01-17T07:22:00.000-08:00

My Script for Windows!

Hi Folks,

Here is a small script written using Batch file & Microsoft WMI.

Can be used for Incident Handling!

This script will run on any Microsoft XP and 2003 Machines with WMI enabled.

Check to see how one can have access to all these information.

Also, a very good tool for Daily System Admin activities.

Hope you all like it.

Download:
http://aviupload.com/file/51/GetInfo.rar.html

Just Ignore the first line in error.
Download this RAR file in a Folder--Extract it--Run it from the folder, since all reports will get generated in the folder from where this Script is executed.

The Temperature listing is not working, I am working on it.
Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

The Google, My Oracle!

2007-01-16T11:50:00.000-08:00

The Google, My Oracle!

Hi Folks,

Explore the power of Google!

check here:

http://aviupload.com/file/50/The-Google-My-Oracle.pdf.html

Happy Googling!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Good Digital Forensics Tutorial in MP3 !

2007-01-14T08:23:00.000-08:00

Good Digital Forensics Tutorial in MP3 !

Hi Folks !

I was just googling and found a really good stuff on Digital Forensics,

Digital Forensics Tutorial in MP3 files.

Check here:
http://aviupload.com/file/45/Digital-Forensics.pdf.html

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Securing Linux Step By Step !

2007-01-12T18:30:00.000-08:00

Securing Linux Step By Step !

Learn Securing Linux from experts.

download:

http://aviupload.com/file/39/Securing-Linux-Step-By-Step.zip.html

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

The "dd" tool

2007-01-12T18:21:00.000-08:00

Hi Folks,

An Introduction to "dd" for Disk Imaging.

download:

http://aviupload.com/file/38/The-dd-tool.pdf.html

Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Some Good Movies !

2007-01-12T02:44:00.000-08:00

Some Good Movies !

Folks!
Let's have some Entertainment now!

Watch these really good movies:

MI3:

DVDRIP
1.36 GB
http://fixupload.com/file/1240/mi31400-part01.rar.html
http://fixupload.com/file/1241/mi31400-part02.rar.html
http://fixupload.com/file/1242/mi31400-part03.rar.html
http://fixupload.com/file/1243/mi31400-part04.rar.html
http://fixupload.com/file/1244/mi31400-part05.rar.html
http://fixupload.com/file/1245/mi31400-part06.rar.html
http://fixupload.com/file/1246/mi31400-part07.rar.html
http://fixupload.com/file/1247/mi31400-part08.rar.html
http://fixupload.com/file/1248/mi31400-part09.rar.html
http://fixupload.com/file/1249/mi31400-part10.rar.html
http://fixupload.com/file/1250/mi31400-part11.rar.html
http://fixupload.com/file/1251/mi31400-part12.rar.html
http://fixupload.com/file/1252/mi31400-part13.rar.html
http://fixupload.com/file/1253/mi31400-part14.rar.html

password:www.projecttr.com

Casino Royale:

Total Size:800 Mb
Format:KVCD(Not dvdrip)
Excellent sound and good video quality
9 links
http://upload.vinacis.com/download.php?id=214CEBD6
http://upload.vinacis.com/download.php?id=B4D560A0
http://upload.vinacis.com/download.php?id=0945805B
http://upload.vinacis.com/download.php?id=7316AF6F
http://upload.vinacis.com/download.php?id=41EDA435
http://upload.vinacis.com/download.php?id=9FC7BAAD
http://upload.vinacis.com/download.php?id=A541E3CA
http://upload.vinacis.com/download.php?id=A3947745
http://upload.vinacis.com/download.php?id=BD891388

i-Robot:

http://fixupload.com/file/1278/toboRI-part1.rar.html
http://fixupload.com/file/1279/toboRI-part2.rar.html
http://fixupload.com/file/1280/toboRI-part3.rar.html
http://fixupload.com/file/1281/toboRI-part4.rar.html
http://fixupload.com/file/1282/toboRI-part5.rar.html
http://fixupload.com/file/1283/toboRI-part6.rar.html
http://fixupload.com/file/1284/toboRI-part7.rar.html

Password :www.projecttr.com

Have Great Time!!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Hacker’s Contest 2007

2007-01-11T13:15:00.000-08:00

Hacker’s Contest 2007

Folks,

Anyone 4m the Hacking community Planning to participate.
let me know!

The details are available here:
http://hackers-contest.com/cont/index.php?co=en&id=start_en

The international competition will start on February 1, 0:00 CET and will end on March 14, 23:59 CET. The CodeMeter encrypted software takes center stage: one basis software and two moduls. The programs can be decrypted and used only with the suitable CM-Stick/M. The competition will be completed when the first contestant can enable the protected software to completely run without a connected CM-Stick/M and if the contestant has sent the hidden solution text to Wibu-Systems.

Not for 32,768 Euro prize, but 2 crack the Software & HSM module.

Registration starts here on January 15, 2007 at 12:00 CET.

WIBU-SYSTEMS AG (located in Germany)
www.wibu.de

Good Luck#$%

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Common Errors in Oracle !

2007-01-11T07:10:00.000-08:00

Common Errors in Oracle !

Hi DBA/PLSQL Folks!

download the Solutions for common errors during Day-to-Day Administration of Oracle Database.

TNS errors:
http://aviupload.com/file/28/LNS.pdf.html

RMAN Export errors:
http://aviupload.com/file/29/EXP.pdf.html

PLS Errors:
http://aviupload.com/file/30/PLS-9i.pdf.html

Search in the PDF by ORA-xxxx!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

A S C I I Generator !

2007-01-11T06:54:00.000-08:00

Hi Folks!

Do you wanna have fun with ASCII codes,

Print your Name,....etc

Try A S C I I Generator | My Favourite links.

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

The Windows Security Manager!

2007-01-11T02:28:00.000-08:00

The Windows Security Manager!

Hi Folks!
The Security Tab, You must be aware of this tab.

Warning!
Before attempting this Trick, Please make sure you backup your System and Registry!
The Windows Security tab, which is used to manage permissions of files and folders on an NTFS partition,

See here:

Is controlled by %SystemRoot%\System32\Rshx32.dll.
Let’s Search for this DLL.

See here:

Normally, Everyone has read permission to this file and Administrator has Full Control.
To hide this Security tab, simply remove permissions from the everyone group.

The Reverse can be done to resolve issues when you are not able to view the Security Tab.

Enjoy this Hack!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Windows Update Hacks!

2007-01-10T09:17:00.000-08:00

Windows Update Hacks!

Hi Folks!

This article is for those who have a very low bandwidth and can’t afford to every time download the online Patches/Hot-fixes for their Windows XP Home, Professional and Windows 2003 All editions Users.

Due to the latest Spywares, Trojans & Malwares attacks on your Personal PC’s.
One needs to keep their PC’s up2date on Latest Security fixes and Patches.

Or-else they need to re-format their PC’s losing some of their settings and lot’s of other stuff.

So why Am I talking about all this??

Well the point here is that if you can copy the Windows Update online Patches and Hot-fixes which are downloaded when you update every time.

So you can eliminate the need for going online always for the same

Provided you copy these patches to a WORM device (Write Once Read Many).

So here is the Hack.

When doing Online Windows Update
The Patches are downloaded & installed and your PC needs to be restarted.

So where are the Patches?

You can find all the Patches which were downloaded at the below location.

See here: Step 1>

See here: Step 2>

See here: Step 3>

See here: Step 4>

Finally the last!

See here: Step 5>

Now you can Copy the entire Downloads Folder to a CD with Date so you know till when are your patches updated.

Happy Windows Update!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Need to Bypass Firewall / Proxy Use Google!

2007-01-10T04:51:00.000-08:00

Need to Bypass Firewall / Proxy Use Google!

Hi Folks,

Welcome back again to the Bypassing Firewall & proxies.

I will show you two tricks which you can use to bypass your Firewall / Proxy Server.

It again depends if the Firewall & Proxies look at the full URL string then this might not work.

It depends on the configuration & Hardening of the Firewall & Proxies.

Let’s Start:

Trick no 1>

http://www.google.com/translate?langpair=en|en&u=www.xyz.com

Here replace the www.xyz.com with the website you want to visit.

Trick no 2>

Just search for the site in Google and,
then clicked the "Cached" link that appears on Google search results.
See here:

Easy, and frequently works!!

So Enjoy!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

ISA Proxy & Firewall Get Rid of them !!

2007-01-10T03:03:00.000-08:00

Bypassing ISA Proxy & Firewall

Hi Folks,

Are you tired of your Web Proxy / Firewall which denies access to some sites,
Here it is if your company is using ISA Server for Proxy / Firewall, you can bypass it.

Let’s get started.

When you have the ISA 2004 Firewall client software running on the client machine, all external-bound traffic will be sent to the ISA Server.

If you are going through the ISA, you will have a ISA Firewall client installed on your machine.
Just check at this location
C:\Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 200x

Under this folder you will find common & management INI files here you have to create a new text file in Notepad and name it as LocalLAT.txt.

let’s allow all traffic to the network orkut.com to bypass the ISA Server.
For that we will need the IP address for orkut.com
Same can be applied for the rest of the sites, which are restricted.

Enter the IP range as follows:
Save the file and close it.
See here:

Now, Open the Computer Management or Services MMC and restart the Firewall Client Agent.
See here:

configure ISA to allow traffic to certain domains/IP addresses to totally bypass the ISA server.

There is also a server side component for firewall client installed machines to bypass ISA Server when trying to access a particular domain name. The following section will explain the procedure of enabling this:
1. Open ISA firewall console.
2. On the right pane, select Toolbox and expand Networks.
3. Right click on the Internal network and go to Properties.
4. Select the Domain tab and click Add.
5. Enter the name of the domain in the Enter a domain name to include: box and click OK.

See here:

6. Click OK on the Internal Properties page to close the window.

The above configuration will enable the Firewall client configured machine to not use ISA Server when contacting the Domain name listed in the Domain Names box.

Even if you added your IP address to the LocalLAT.txt file,
it won’t bypass the ISA firewall when you are using Internet Explorer and the Automatically Detect Settings is enabled.
There are a few settings on the ISA firewall to enable Direct Access and bypass proxy when accessing the intranet sites and servers,

See here:

You can enable direct access to a set of IP addresses or to a Domain using the following method:
1. Open the ISA firewall Console.
2. On the right pane, select Toolbox and expand Networks.
3. Right click on the Internal network and go to Properties.
4. Select the Web Browser tab.
5. Select Bypass proxy for the servers in this network option.
This will tell the client machine to bypass the ISA server
when accessing the local server.
6. Select Directly access computers specified in the Domain tab option.
7. Click Add button.

See here:

Enter the IP address range or the Domain name. Click OK.

See here:

8. Click OK on the Internal Properties page to close the window.

Congrats ! You are done now.

Try accessing the orkut.com ! and the other sites you may want 2 surf!!

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Your Browser Reveals All ! How to prevent it ?

2007-01-09T08:11:00.000-08:00

Hi Folks,

Ever wondered when you visit some sites like forums they tell you what Browser,
ISP and your version of OS is??

Your Browser is the only culprit which POST’s all information in the headers, when you Browse the Internet/ Web Server (User Agent String).

If you are still in doubt see below:

WOW! Amazing Isn’t it…

Now how do you stop this..?

Well it’s a Bit Tricky and there is a Risk if you wanna update Patches Hot-fixes from Microsoft.com.

Because Microsoft Windows Update Site checks these Header Information when you connect.

So be aware when you do this.

Always make sure you take the Registry Backup.

Here it is how to remove or Fake this Information:

Open your registry “REGEDIT” and find the “User Agent” key below.
If it does not already exist then you may need to create it.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Internet Settings\5.0\User Agent

You have to Create three new string values as followed:
"Compatible"
"Version"
"Platform"
Without quotes, with the Data Type of “REG_SZ” that’s for a String value.
See here:

For Mozilla FireFox Browsers:

You can run any Packet Analyzer and view the GET Request sent out from your Browser.
See here:

Type in your Mozilla Browser in URL address bar “about:config” , without any quotes and Yes these all are configurable parameters.
See here:

The user agent value can be specified in the defaults\pref\all.js file by adding the "general.useragent.override" property, as in this example:

pref( "general.useragent.override", "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" );

Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

Forensic Tools Hardware

2007-01-09T03:17:00.000-08:00

Forensic Tools for Disk Imaging & Secure Wiping of Data as per DOD 5220-22M.
Part 1

Hi Friends,
There are many Hardware Forensics tools available today however the best of all is Road MASSter 2.

A Complete, Portable Computer Forensic Lab, the Road MASSter 2 is the most advanced Computer Forensic Tool in the market today.
It can be used to image hard drives of any kind as well as capturing data from other media and unopened computers, and supports different copy formats and hashing methods.

Features:-

.: MD5 and CRC32 and SHA1 Hashing: MD5, CRC32 or SHA1 hashing generation can be performed during data capture, ensuring that the transferred data is an exact replica of the Suspect’s data without modification.
.: Forensic Toolkit Graphical User Interface: The ICS proprietary RoadMASSter II Forensic Toolkit application provides all the tools necessary to perform high speed Forensic data acquisition operations.
.: High Speed Operation: Data transfer rates can exceed 3.3GB/min.
.: Multiple Capture Methods: Seize in a Forensic sector-by-sector format method or using a segmented file format method (Linux-DD). The Linux-DD capture method allows seizing multiple images to one Evidence drive.
.: Built in Write Protection: Suspect’s data is protected with built-in write protection.
.: Built in LinkMASSter FireWire 1394B and USB 2.0 Interface: This specialized built in interface can be used to acquire data from a Suspect’s unopened Notebook or PC.
.: Multiple Media Support: Supports data transfer between P-ATA, S-ATA and SCSI hard disk drives. Interface ports and readers are available to support today’s common media devices such as ATA compatible Flash devices, External FireWire/USB drives, and DVD/CD media. Built-in Standard 2.5" interface supports Notebook drives.
.: Preview and Analyze: The RoadMASSter II provides the capability to preview and analyze Suspect’s write protected data under the Window’s environment or using third party analysis software tools.
.: WipeOut: Sanitize drives and erase data to the DOD specs or perform fast operation at speeds greater than 4GB/min.
.: Audit Trail and Logs: Detail operational event log information can be printed or save.

.: WipeOut DoD Option: This option is designed to erase data on disk drives. WipeOut was designed to meet the U.S. Department of Defense specification DOD 5220-22M regarding the sanitization of hard disk drives.
.: WipeOut Fast Option: The Wipeout Fast option provides a quick non-DoD method of sanitizing a drive of all previously stored data.
.: LinkMASSter Application: The LinkMASSter application, combined with the unit’s built-in FireWire/USB interface, provides a fast and effective solution for capture of drive data from a Suspect’s un-opened PC or Notebook to an Evidence drive connected on the RoadMASSter II unit. The application is run from the supplied LinkMASSter bootable CD which write protects the Suspect’s drive during initialization and during data acquisition. The LinkMASSter application supports on the fly hashing using MD5, CRC32 and SHA1.
.: Linux-DD Capture Mode: The LinuxDD Capture Mode supports seizing the entire contents of the Suspect’s drive by capturing data as individual “LinuxDD” segmented files, which are stored in an individual subdirectory on the Evidence drive. This option also allows any number of seizures to be performed using the same Evidence drive, provided there is adequate space to save the seized data.
.: Single Capture Mode: Suspect drive will be captured sector by sector to the Evidence drive.
.: Intelligent Capture Mode: The Intelligent Capture Mode (IQCopy) provides a fast method of seizing Windows FAT-16, FAT-32 and NTFS files systems. The file system is analyzed and only the allocated drive space is captured.
Nitin Kushwaha
CHFI.CEH.NSA.SCSCA.CIW-SA.ITIL.MCSE.MCSA

http://www.icsforensic.com

Digital Forensics & Red Teaming

2007-01-07T08:55:00.000-08:00

Hi All,

This is my new Website on Digital Forensics & Red Teaming,
here you can find my Research and New Ideas in the arena of the upcoming Digital Forensics & Red Teaming a.k.a Vulnerability Assessment and Penetration Testing.

So Please keep an eye on the latest stuff.

Nitin.Kushwaha