The thought just occurred to me to see if there is any interest in my making more of the tools I have put out there callable from X-Ways. If there is interest, let me know, and as I develop new tools I will add this capability as well. If you would like one of the older tools to be callable from X-Ways, let me know and I can try to accommodate it. Leave a comment or shoot me an email at mark dot mckinnon at sbcglobal dot net.
Tuesday, October 30, 2007
A few weeks ago I was asked by a global company to image a couple of laptops that had previously been deployed at 2 of their overseas sites. After imaging the drives I looked at the BIOS of each machine so I could document the settings and the date/time. Looking at the date/time, I wondered which time zone it reflected. Since I am lazy and only want to work this out once, I came up with this little AutoIt GUI program that tells me which time zone a given date/time belongs to compared to my own time zone.
For example, if my current date/time is 10/30/2007 8:30:00 and the BIOS date/time is 10/30/2007 19:00:00, then the time zone setting is GMT+5:30. Possible areas in this time zone are Chennai, Kolkata, Mumbai, New Delhi and Sri Jayawardenepura.
The program can be found here. When you start the program it fills both fields with the current date/time. Change the "date/time to figure out" field to the value you want to check, then click on "get time zone information". It will then bring up a box with the potential cities for that time zone (based on the Windows time zone list).
I saw a post on the X-Ways forums about carving data out of the thumbcache and thought to myself, why did I not make my thumbcache parser callable from X-Ways? Well, now you can. I made a few small modifications to the program, and you can now call it from X-Ways Forensics by right-clicking on one of the thumbcache files and picking an external program.
To install it, download the zip file from here and unzip it into the directory of your choice. Put headersig.txt in the temp folder you have defined in X-Ways Forensics (under options=>general); if you do not do this the program will not work and will just hang. Then define the EXE or the Perl script (your choice) in the external programs definition section (options=>external programs). That is all that is needed to set it up. To run it, right-click on one of the thumbcache_??.db files and pick the external program. The program will then ask you where you want to put the jpg/bmp/png files that will be exported from the thumbcache file. Once it has finished you can import the files into your case.
As always I hope you find this useful. Questions/Comments/Suggestions?
Monday, October 15, 2007
On the Sept 23 podcast of Cyberspeak, Ovie Carroll talked about the thumbcache that is new in Windows Vista. In response I have created a Perl script with an AutoIt GUI front end that will parse all 4 of the thumbcache files.
The base program is based on the sigs.pl script originally written by Harlan Carvey. The Perl script opens the specified thumbcache files and scans for file header signatures. Once it finds a jpg, png or bmp file header it backs up and reads what I will call the file header record for that image. This record holds the size and the internal name of the file. I have not figured out how it derives that particular name, but if someone knows please let all of us know. The thumbcache_32 and thumbcache_96 files appear to contain only bmp files, while thumbcache_256 and thumbcache_1024 contain png and jpg files. For all the gory details see the Perl code.
Since the thumbcache files I had were very limited, this is about as much as I know. As for the GUI, just pick the file you want to parse, enter the directory that holds the thumbcache files (with a trailing "\"), enter a directory to write all the images to, click on the parse button and watch it go.
Since this does not use any Windows-specific Perl modules, there is no reason you cannot run it on Linux or a Mac. The code and executable can be found here.
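The signature-scanning approach the parser borrows from sigs.pl, as an added Python example that is not the post's Perl code: it finds JPEG, PNG and BMP headers in a buffer and carves each image using that format's own size field or end marker. The thumbcache's own header record (size and internal name) that the post describes is not reproduced here; the sample buffer is constructed inline and includes a deliberate 'BM' false positive to show why a header hit is validated before it is carved.

```python
import re
import struct

# The three header signatures the page's parser looks for.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "bmp": b"BM",
}

def _image_end(buf, start, kind):
    """End offset of the image whose header starts at `start`, or None if implausible."""
    if kind == "bmp":
        # BITMAPFILEHEADER: 'BM', file size (u32), two reserved u16 (zero), pixel offset (u32).
        if start + 14 > len(buf):
            return None
        size, res1, res2, pix_off = struct.unpack_from("<IHHI", buf, start + 2)
        ok = 14 + 12 <= size <= len(buf) - start and res1 == res2 == 0 and pix_off < size
        return start + size if ok else None
    if kind == "png":
        # A PNG ends with the IEND chunk: 'IEND' followed by its 4-byte CRC.
        pos = buf.find(b"IEND", start)
        return pos + 8 if pos != -1 and pos + 8 <= len(buf) else None
    # A JPEG ends with the EOI marker FF D9.
    pos = buf.find(b"\xff\xd9", start + 2)
    return pos + 2 if pos != -1 else None

def carve_images(buf):
    """Scan buf for image headers; return (offset, kind, bytes) for each plausible image."""
    hits = []
    for kind, sig in SIGNATURES.items():
        for m in re.finditer(re.escape(sig), buf):
            end = _image_end(buf, m.start(), kind)
            if end is not None:
                hits.append((m.start(), kind, buf[m.start():end]))
    return sorted(hits)

def sample_cache():
    """Constructed stand-in for a thumbcache file: filler plus one tiny image of each type."""
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 6 + b"\xff\xd9"
    png = SIGNATURES["png"] + struct.pack(">I", 0) + b"IEND\xaeB`\x82"
    pixels = b"\x00\x00\xff\x00"  # one 24-bit pixel, padded to 4 bytes
    bmp = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54) + b"\x28" + b"\x00" * 39 + pixels
    # 'BMW' is a deliberate false positive: 'BM' with an implausible size field behind it.
    return b"filler BMW " + jpg + b" junk " + png + b"\x00" * 4 + bmp + b" tail"
```

Writing each returned tuple's bytes out as `<offset>.<kind>` in the chosen directory is all that is left to match what the tool exports.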
Thanks to Ovie for the idea for this program. Ovie and Bret keep up the great work on the podcast.
As always, questions/comments/thoughts/problems, let me know. My eyes and ears are always open for great new projects.
Wednesday, October 3, 2007
I was just catching up on some reading and came across this article in eWeek about securing the database.
Now as I read this I have to shake my head and wonder why all they mention is the DBA in charge of it. In my experience the DBA usually has the database pretty well secured. It is when you introduce the applications that use the database that it becomes insecure. For those who do not know, in an Oracle database one of the highest privileges you can grant is DBA; in SQL Server it is SA, and in DB2 it is Sysadm. In quite a few installs I have been involved with on Oracle and SQL Server databases, the installation needs either an account created with DBA or SA or the actual SA account itself. As far as I am concerned this is pure laziness on the application side. I know it is easier to just grant DBA/SA while you do your development, which is fine because that is usually a test/development environment, but before you release to prime time take the 10-15 minutes to figure out the access you actually need. I just love it when the application user has access to drop and create users, tables, tablespaces, etc., because the application says it needs that access.
The next thing I really love is all the applications that leave user names and passwords in plain text in their configuration files. Talk about insecure: what is better than a web server out in the DMZ with a user name/password in plain text in an XML configuration file? If the DBA was involved in the installation and is aware of this, then something can be done to minimize the impact (figuring out the maximum access that is actually needed and granting only that), but usually the application folks are in charge of this, so the DBA does not know that an account with DBA rights is sitting out in the DMZ in plain sight.
The last thing I really love is when application developers demand DBA access. I don't know if they want it because they can't have it or what, but they always want it. Here is a conversation between myself and a developer about this:
Developer: I need DBA access.
Mark: Why do you need DBA access?
Developer: Because I need to access things.
Mark: What things? Do you need to create tablespaces?
Developer: No I don't need to create tablespaces, but I need DBA Access.
Mark: Do you need to create users, profiles, switch log files, create rollback segments, etc.?
Developer: No, No nothing like that but I need DBA access.
Mark: Well, why don't you figure out the actual access you need and I will grant it to you? I don't have a problem granting access to you if you need it, but you do not need DBA.
Manager: Well, isn't it just easier to grant DBA than figure out the access?
Now this is where the conversation went over the cliff, along with the manager and the developer.
So now that I am done ranting about this: thoughts/questions/comments?
Tuesday, October 2, 2007
I am looking for a few good lurkers. In the coming months I will have some new tools to test, and I would really love to have a few lurkers out there test them for me. It is always good to get a different perspective on things, different views and different data. I could send them to some of the people I know, but thought this would be a good opportunity for some lurkers. If you are out there and want to get involved but do not think you can contribute, this opportunity is for you. I do not care what your level is, from beginner to expert; everyone can contribute. I will just need some of your time to test some things I am working on before I release them here. If you feel this opportunity is for you, send me an email at Mark dot McKinnon at sbcglobal dot net with a subject of "Help Wanted...Lurker Applying".